Some questions from a new user (system, svchost.exe, creating rules)

Hi!
I’ve started using Comodo Firewall recently. First of all I’d like to say thanks to the Comodo team for developing this product.

Here are some of the questions I’ve got when configuring Comodo’s rules. I’ll appreciate your response and help. I’m not a very profound user. That’s why I’m giving a probably quite long description. Please excuse me for that.

  1. The first question is about WinXP’s system applications.
    When I installed Comodo, it appeared in Network Security Policy that there were two such applications, System and Windows Updater. They were allowed by default.
    On the forums I’ve seen the discussion of this topic (unfortunately I haven’t bookmarked it so I can’t find it right now; I remember it was closed with the offer to reopen it via PM). Its main conclusion was that it’s OK to allow these applications as they are a core part of WinXP.

Experimenting I found out that when blocking all allowed rules for “System” everything works fine. But for correct connection to internet windows updater is required to be allowed in and out.

Somehow there wasn’t svchost.exe on the list at that moment, as I remember. I was surprised because in my previous (Outpost) firewall it was svchost.exe but not system and WinUpdater that needed being allowed. I thought may be Comodo interprets it differently as far as internet works ok. Anyway svchost.exe is widely discussed here so obviously the reason is different.

But a stranger thing happened just yesterday. Somehow Comodo cleared the whole application list in Network Security Policy. And as it is in training mode, it started asking again about all applications. The most surprising thing is that now System and Windows Updater are not in this list but svchost.exe is.

So how could such a change (system+winUpd - Svchost) happen?

  2. Now, about svchost.exe. There are several topics regarding it. And the main advice is as follows (suggested by sanctuary24 on August 18, 2007, 08:41:30AM)
    Application: C:\Windows\system32\svchost.exe
    Parent: C:\Windows\system32\services.exe
    Protocol: UDP/TCP
    Direction: In/out
    Source Ports: 53,67,68,80,443

Then I found Ragwing Reborn’s opinion that allowing only ports 53,67,68 for svchost.exe is enough.

So, please, explain, if I create rules for each of these source ports what should I set in destination ports? The same ports? E.g. 53 for 53, 67 for 67 and 68 for 68?

And is it really needed to allow IN access for these ports?
Actually I want to block svchost as much as possible although I know it’s a core WinXP service and it’s safe.

  3. When making a rule and allowing source ports 53, 67 and 68, do I have to create separate rules for each port, as there is only “single port”, “port range” or “set of ports”, none of which allows setting these three ports in one rule?

  4. I’ve read on the forums here that there have been no Comodo backup settings yet and the only way to make backups is to use a script. So, is it the same for the latest version or has such a setting been created? It seems worth making backups in case Comodo’s apps list is cleared one more time.

Thanks for your response and help!

Almost sounds like your install is corrupt. I have Comodo on both my laptop and desktop and never have my entries disappeared. Here are my svchost and system settings. They have been this way and never disappear.
BTW you aren’t using WindowBlinds, are you? Previous versions of WindowBlinds caused Comodo to not show anything.

[attachment deleted by admin]

I am running Vista, but a few comments.

  1. svchost.exe is actually one of the programs buried in Windows Updater. I don’t have any rules for svchost and all works fine. Don’t know how you got cleared, but if WU goes away, you will need to explicitly allow svchost. You can also expect Windows Operating System to show up as being blocked along the way, and may need to add rules for that eventually. Probably a corrupt installation if things disappear though; may be worth a reinstall.
  2. As far as ports, you often have no control over the source; Windows selects source ports sort of randomly for you. Port 53 is the port you will address on your DNS server, but can come from any port; port 68 is your source port for DHCP requests to port 67, but these normally show up as DHCP broadcasts from IP 0.0.0.0 to 255.255.255.255. You will get back an ack (also broadcast) from your router IP port 67 to your port 68. So letting source port and IP be “any” usually avoids confusion. When you get things working, you can refine them later. Ports 80 and 443, BTW, are your http browser ports and can be the destination of any random source port. You may also get incoming from them to any port.
  3. You are better off making separate rules, since some are sources, some are destinations, some have port constraints, some are broadcast, some have known IPs, …
  4. If you are using CFP3, you can go to miscellaneous/manage my configuration and export your current settings, reimport them again if you have a problem.
    Try setting up CFP3 modes as training first, and you should have a working set of rules. Then you can go in and refine them as you get experience with the firewall and the things being logged. :slight_smile:

Thanks for your response!

No, Vettetech, I don’t use windowsblinds.
You have svchost, system and winupdater at the same time… Weird, why don’t I?
By saying Comodo’s install is corrupt, do you mean it may be risky to use it because if it has some corruption it may not block what is required and my PC may be vulnerable? Or if nothing more of that weird kind happens, is it OK to continue using it without a reinstall?

sded thanks for your detailed answer. I’ll try to figure out about the ports though I feel a bit doubtful about allowing IN access for Svchost.
I’ll be using configuration backups for being ready for new surprises… :SMLR

As far as in for svchost, I don’t have any explicit inbound rules. The incoming DNS and such are handled via the SPI rules, and are allowed automatically in response to your outgoing requests, as in NAT. You only need to add them if something you need for operation shows up as being blocked because of your configuration. Inbound connections support things like P2P, Skype, active FTP, but usually not via svchost.
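The two replies above (the port explanation in the earlier answer and the SPI point here) describe how a stateful firewall lets DNS and DHCP replies back in without any explicit inbound rule for svchost. The following is an added illustration, not code from the thread or from Comodo: a toy stateful packet inspection model with a default-deny policy in both directions, run over a constructed packet sample. The `SpiFirewall` class, the allowed destination ports (53 and 67, with 80/443 left out to keep the sample short), and every IP address and port number are assumptions made for the example.

```python
"""Toy stateful packet inspection (SPI) model.

Constructed example: it is not Comodo's engine, and all addresses, ports
and the SpiFirewall class are made up for illustration.  It shows why the
replies to svchost's outbound DNS/DHCP traffic get in on connection state
alone, while unsolicited inbound packets are still dropped.
"""
from dataclasses import dataclass

BROADCAST = "255.255.255.255"
ANY = "*"


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (host -> network) or "in" (network -> host)
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SpiFirewall:
    """Default-deny both ways.  Outbound is allowed only to the destination
    ports in allowed_dst_ports, with source IP/port treated as 'any' (as the
    reply in the thread recommends).  Each allowed outbound packet records a
    flow so the matching reply is admitted without an inbound rule."""

    def __init__(self, allowed_dst_ports):
        self.allowed_dst_ports = set(allowed_dst_ports)
        # Flow tuples: (proto, local_ip, local_port, remote_ip, remote_port)
        self.flows = set()

    def _record_flow(self, pkt):
        # A DHCP DISCOVER leaves as 0.0.0.0:68 -> 255.255.255.255:67 and the
        # OFFER/ACK comes back from the router's real IP, often still as a
        # broadcast, so wildcard both IPs for broadcast flows.
        if pkt.dst_ip == BROADCAST:
            self.flows.add((pkt.proto, ANY, pkt.src_port, ANY, pkt.dst_port))
        else:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                            pkt.dst_ip, pkt.dst_port))

    def _matches_flow(self, pkt):
        # Inbound packet is a reply if it mirrors a recorded outbound flow.
        for proto, lip, lport, rip, rport in self.flows:
            if (proto == pkt.proto and lport == pkt.dst_port
                    and rport == pkt.src_port
                    and lip in (ANY, pkt.dst_ip)
                    and rip in (ANY, pkt.src_ip)):
                return True
        return False

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port in self.allowed_dst_ports:
                self._record_flow(pkt)
                return "allow"
            return "block"
        # Inbound: only replies to recorded flows get through.
        return "allow" if self._matches_flow(pkt) else "block"


# Constructed traffic sample (all values invented for the example).
SAMPLE_TRAFFIC = [
    Packet("out", "udp", "192.168.1.10", 51234, "8.8.8.8", 53),       # DNS query
    Packet("in",  "udp", "8.8.8.8", 53, "192.168.1.10", 51234),       # DNS reply
    Packet("in",  "udp", "8.8.8.8", 53, "192.168.1.10", 51235),       # wrong port, no flow
    Packet("out", "udp", "0.0.0.0", 68, BROADCAST, 67),               # DHCP DISCOVER
    Packet("in",  "udp", "192.168.1.1", 67, BROADCAST, 68),           # DHCP OFFER/ACK
    Packet("in",  "tcp", "203.0.113.5", 4444, "192.168.1.10", 135),   # unsolicited inbound
    Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.9", 6667), # non-allowed outbound
]


def run_sample(traffic=SAMPLE_TRAFFIC, allowed_dst_ports=(53, 67)):
    """Return the verdict for each packet, in order."""
    fw = SpiFirewall(allowed_dst_ports)
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{verdict:5} {pkt.direction:3} {pkt.proto} "
              f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

Running it prints seven verdicts: the DNS reply and the DHCP broadcast answer are allowed purely because an outbound flow was recorded first, while the reply aimed at the wrong local port, the unsolicited TCP connection and the outbound connection to a port outside the allowed set are all blocked. That is the behaviour the reply above describes: tight outbound rules plus state tracking, and inbound rules only for services that genuinely accept connections (P2P, Skype, active FTP), which svchost normally does not.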

Try doing a complete uninstall and reinstall.