Strange Alarms, What to do when I get them

I,m getting all these alarms that I don’t understand. Its like one program is using another to do something and that’s a bad thing. I’ve attached the list of alarms. THere are a bunch of them that are high risk… When I say NO to them my internet link shuts down…

[attachment deleted by admin]

ate/Time :2006-12-02 15:00:59
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe

This i know to be safe as i to have gotten this message since way way back when CPF started its OLE protection i usually get it on boot up or right after connecting to the web and "just to make sure it was good i even did a total reformat on my test pc and then fully upgraded SP2 and then instaled CPF and still got the message when ever i connected to the web through my dialup modem…but thankfully i dont get near as many as before with the latest beta…and like you if i click deny i loose all internet connection

I can see that you use a router, so I wonder if you have made a trusted zone?
If not, go to security/tasks and run the wizard (define a new trusted network).

This is windows components that you must allow, or you will loose you connection.
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe

addresses with and and so, is for IGMP, multicast.
It’s probably your router that send them out. If you don’t use streaming audio/video on your network, check if you can turn it off in your router.
It does seem like MSN messenger is trying to send audio/video or info about it on your network.
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Details: C:\Program Files\Messenger\msmsgs.exe
If you want it to work, you can make a rule for IGMP in network monitor.
If you don’t know how, just ask here and i will help you.

Hello gfreed,

this one:

Date/Time :2006-12-02 15:05:31
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In

you definitely need to allow and, if not already done, create a “Network Monitor” rule for this, otherwise you will never get a legitimate ip address assigned to your machine via your router. I have screenshots below for both the Network Monitor and Application Monitor (svchost.exe) rules that should work.

[attachment deleted by admin]

LOL! we posted @ the same time AOwL. Well, between the two of us, I’m sure we can get gfreed back in business :slight_smile:


Ok, I saw the message from “cprtech” and created a “Network Monitor” rule and they have been entered like you said they should be… I found that the Network Monitor rule was already in place only with the full range of addresses and ports.

Now according to AOwL he wanted me to do the same thing PLUS he wants me to do something with “multi-cast” Basically with this machine all I do is multicast… What may help is me telling you what kind of device this machine is talking to. I have a wireless modem by EWIRE model 2700hg-d. This is what Quest set me up with when I got DSL…

I need to be able to to audio\video, I also do msmsgs. So I probably need to make a rule for that too. So I need too make new Network Monitor Rules for these things.

I’m trying to understand what is going on here… It seems like we have two sets of rule making setups, Application and Network monitoring rules… The first Application monitoring seems to be something I would use to set up a rule to allow an application to utilize particular IPs and ports. Its kind of like and association, application X will be associated with IP Y and Port Z… Network monitoring is different in that you specify a Zone Name (and that can be anything) and then you simply open IP(s) or Port(s) but there is no association with anything. The protocol setting seems to be the most important factor in this function.

I want to be able to figure out what to do when I get stuff like this:

Date/Time :2006-12-02 13:32:24
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (IEXPLORE.EXE)
Application: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Details: C:\Program Files\a-squared Free\a2free.exe has modified the the User interface of C:\Program Files\Internet Explorer\IEXPLORE.EXE by sending special Window messages…

This seems to be saying that the a2free.exe is messing with IE? Strange!

So I will need help in setting up the IGMP and MsnMsgr rules!
What I’m wondering is when those POPups happen asking permission to do one thing or another when I answer Allow, doesn’t this set up the rules for me? I keep getting all kind of strange popups

Date/Time :2006-12-02 23:47:34Severity :HighReporter :Application Behavior AnalysisDescription: Suspicious Behaviour (IEXPLORE.EXE)Application: C:\Program Files\Internet Explorer\IEXPLORE.EXEParent: C:\WINDOWS\explorer.exeProtocol: UDP OutDestination: C:\Program Files\ZipGenius 6\zipgenius.exe has modified the the User interface of C:\Program Files\Internet Explorer\IEXPLORE.EXE by sending special Window messages…

Now what I think this is telling me is that “ZipGenius.exe” messed with IE… Ok its like all kinds of programs mess with IE… It seems that every app that messes with any other app gets flagged…

So do I have to make a rule on this? I answered the pop up allow although I have no idea why Zipgenius would be doing anything at this time… I’ve been using this program for gee maybe 5 years or more… No one has ever said it had SpyWare in it or anything…

So I’m ready to learn how this all works, its interesting and I’ve got the time!

Thanks again!!!

The two alerts shown above don’t actually indicate spyware. All CPF is telling you is that something is messing with IE - not whether it’s good or bad. In the case of special windows messages, just have a think of all the things that can integrate into IE - Acrobat, Spyware scanners, HTML checkers- the list goes on. To deliver these added features, valid apps have to have a way to talk to IE. The a-squared one, for example, is probably an updater that is using IE for web transport (HTTP - port 80).

The application monitor rules determine WHAT is allowed out and its preferences. The network monitor determines HOW data is allowed out. The two work in conjunction with each other to ensure that only allowed apps can come out and play and how they can get out.

It’s reassuring to read that you’re prepared to learn. Nothing, but nothing, beats an educated guess. LOL. Seriously, learning what it normal and what is expected behaviour is the key to seeing, appreciating and understanding when things are not quite what they should be.

Have a rummage around the forums. The FAQs are quite good and there is a growing knowledge base at On top of this, there’s a great bunch of users here on the forums and they’re only too willing, workload and private lives permitting, to help out.

Hope this helps,
Ewen :slight_smile:

A couple of simple network monitor rules for IGMP.

Network monitor works like a router, so you have to “forward” port(s),
like you do in a router, for apps like Torrent/P2P.

Go to Network monitor (security/network monitor).
Right click on your top rule and add/add after.
Do these settings for your IGMP.

Action : Allow
Protocol : IP
Direction : In
Source IP : Any
Destination IP : Zone
IP Details : IGMP

Action : Allow
Protocol : IP
Direction : Out
Source IP : Zone
Destination IP : Any
IP Details : IGMP

If it doesn’t seem to work, restart CF or reboot your PC.

Always remember to place your allow rules you make, above the default block rule.
Network monitor reads the rules from the top to the bottom.

Also check the log in activity/logs and try to see which rule that blocks your app.

Ok, I doen’t get tons of alarms anymore! What does Zone mean?
I’m also looking at Network monitor. Some of the rules were in Network monitor when I first setup the program…

One rule I don’t understand. Protocal- Tcp/Udp, SourceIP- any, DestinationIP- any, SourcePort- any, DestinationPort- any.

I don’t know where this came from but wouldn’t this rule open all the IPs and Ports for TCP\UDP. Isn’t this a bad thing?

Just wondering!


If you have a router/network, you should create a trusted zone.
It creates rules in network monitor, so your network works.
Go to security/tasks and click on “define a new trusted network”.
Just click ok on everything, and it should work.

That is just for OUT, and it’s supposed to be there.