thanks for all your help in my recent posts, i’m slowly but surely getting the hang of this new firewall…
i’ve just been considered about a few things at start up though… i allow svchost.exe to accept
explorer.exe
ndstray.exe
ifrmwrk.exe
&&
zcfgsvc.exe
once i accept theses… i always get high suspicious behaviour alerts, am i not supposed to be accepting these?
here is what they look like:
Date/Time :2008-01-24 11:59:02
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 24.189.214.200
Destination: 224.0.0.22
Reason: Network Control Rule ID = 5
Date/Time :2008-01-24 11:59:02
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = ROUTER SOLICITATION)
Protocol:ICMP Outgoing
Source: 24.189.214.200
Destination: 224.0.0.2
Message: ROUTER SOLICITATION
Reason: Network Control Rule ID = 5
Date/Time :2008-01-24 11:58:57
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.
Date/Time :2008-01-24 11:58:57
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 24.189.214.200::1029
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.
oh, one more thing… sometimes i get UDP Port Scan high suspicious alerts, but it says attack has been blocked temporary, what does UDP do… and is it something i should worry about?
thanks so much!