that’s been the main controversy and subject in threads during the beta testing phase of CFP 2.4 a couple of months ago. Don’t worry about that. There’s no threat at all, that’s a “normal” alert, called by the dev team at the time an “opportunity popup”. Nobody really understood what it was for (lol), since it could relate a threat, that 100 % of the time was no threat at all. It just describes a scenario that “could” happen…if malware components were involved, which hardly happens.
Although I don’t know the exact explanation to your case, I recommend this site to most ;D: ** FAQs/Threads - Read Me First **:
**OLE Automation Alerts**
https://forums.comodo.com/index.php/topic,4728.msg35532.html#msg35532
https://forums.comodo.com/index.php/topic,4875.msg36088.html#msg36088
https://forums.comodo.com/index.php/topic,5207.msg38857.html#msg38857
I think SVCHOST using UDP Port 123 is probably NNTP (i.e. time synchronization). But, I think that event should only use SERVICES (parent) - SVCHOST (child) using UDP Port 123. I’m not sure where EXPLORER.EXE is involved… unless that just got named because it’s a main parent process.
Bottom line: As long as the IP used by this event (probably MS) is nothing iffy, then IMHO this is a safe action.
OK. I cannot remember any instances where EXPLORER.EXE uses SVCHOST.EXE. SVCHOST is usually used exclusively by SERVICES.EXE (because that is what it is for… SVCHOST is SERVICES Internet gateway).
I know it’s in German, but can you post CFP’s Log entry for this event? CFP’s Log (Activity tab) can be exported to an HTML file (right click Log); you can then open the HTML file in your default browser & use a simple Copy ‘n’ Paste to post here. Remember to mask any private IP numbers (no need to mask LAN IPs), thanks.
> OK. I cannot remember any instances where EXPLORER.EXE uses SVCHOST.EXE. SVCHOST is usually used exclusively by SERVICES.EXE (because that is what it is for.. SVCHOST is SERVICES Internet gateway).

I've seen it, specifically for the time update. It's been a while, though.
Once I allowed svchost.exe with parent of services.exe to connect to port 123 for that purpose, it’s been fine. It seemed (to me) that the other parent interaction occurred only when the svchost/services combo wasn’t specifically allowed to connect; seems it tried a different combination in order to try to get through. Just my impression, though.
Not sure about the answer to your question at this point. We’ll have a better idea once we understand more about what happened.
So, assuming I’m reading this right (I don’t read/speak German) EXPLORER used OLE on SVCHOST. Is that correct or is it the other way around?
Edit: Also is 192.168.x.x::ntp(123) your system or another item (system, router, etc…) on the LAN?
Both correct? I’m a bit confused, please confirm.
That CFP message says that EXPLORER used OLE on SVCHOST and SVCHOST used OLE on EXPLORER?
And… you have a LAN with other PCs, a router that has its own LAN IP & your PC is 192.168.x.x::ntp(123) as cited in CFP’s message.