Suspicious iexplore

Well… trust me. It changes (Admins & Mods can see the user’s IP address) & that is a good thing, since you (specifically) cannot be targeted. There are programs that will reveal your Internet IP address as well… but, you can also go to IP Tools… your IP will be in the top right-hand corner.

Nope, I don’t think you’re at risk. Your system might be provoking the connection attempts… which is possible if you have windows file-sharing enabled or something. Do you?

You should also be aware that both Limewire & MSN Messenger expose your PC's presence on the Net by revealing its IP number… both apps need to do this to work, nothing wrong with it & CFP will protect you from any subsequent connection attempts anyway.

Log: No, it doesn't do that. Something to try… disconnect from the Net & change the Log size to 25MB. Right click CFP's systray icon & select Exit (CFP will ask for confirmation, say yes). Once CFP has exited, reboot & see if that changes the size.

Hi mate, I have just updated with Windows Update and these pop-ups are coming up. Are they genuine connections? The reason I'm not sure is that when I choose block, the web pages fail to load, but I thought it would be more likely that it would say your cryptographic signature has changed, seeing as Internet Explorer received an update, and I'm a bit confused.

Is it better to have check other NDIS protocols selected or is it secure without the need to enable it?

[attachment deleted by admin]

I cannot tell from the screenshot & I really need to see the other IE messages as well. Can you post the Log text as you did before? Also, what did WU update?

NDIS: Normally you don't need to do this… unless CFP's summary page is showing high levels of "Other" protocols. It is technically possible (although very rare… I've never personally seen it) for a Trojan to use its own protocol & attempt to avoid firewall detection. The down-side to doing this is that it makes CFP work a lot harder & can cause performance issues, especially when using file-sharing/P2P apps. So, I'd say… leave it alone unless you're getting Other protocols showing up in CFP's Summary.

Date/Time :2007-08-15 14:56:35
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 127.0.0.1::12080
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-15 14:47:54
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 79.72.12.139::dhcp(68)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-15 14:47:54
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 79.72.12.139::ntp(123)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-15 14:44:18
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (wmplayer.exe)
Application: C:\Program Files\Windows Media Player\wmplayer.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 207.46.210.107::http(80)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Windows Media Player\wmplayer.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-15 14:40:44
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 79.72.74.137::dhcp(68)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Updates were to Windows Media Player, Internet Explorer and some other stuff.

OK. Since IE was updated we would expect CFP to prompt for it again. And SERVICES/SVCHOST is probably because one or more of the Components (DLLs, etc…) used by them has also been updated because of the WU. You should also expect prompts for Windows Media Player (WMP) & whatever else was updated, the next time you use it/them.

But, all looks OK to me.

I will allow them. I just worry because if you allow w/remember then the only way to undo it is to remove Internet Explorer and relearn everything under that parent program. Do you know if they are improving the way you add/remove rules from parent applications?

You only need to worry when you get a load of alerts like this & you know that you haven’t updated anything. That’s suspicious.

The new version, CFP 3 (currently in Beta testing), is much improved & completely different in this regard.

Could the inbound policy violation be triggered by something such as a system process sending out something like what you said above, and if so, what process could be triggering it?

PS: when it says medium alert, does that mean it has blocked what is logged?

I recall that there can be green alerts. What triggers them? All mine are high and medium.

Yes, it is possible. But that doesn't mean it's happening (you'd need to use a packet sniffer, e.g. Wireshark, to test that)… Also it really depends on what your system is running & what you've previously authorised. By default CFP will only allow outbound connections without an alert for Comodo white-listed or user-created trusted applications. Nothing else is allowed out without your specific approval.

Medium Alert? Well… for these CFP would have deferred to you (subject to the above). You would have been asked to Allow or Block the action (remembered or not). This would generate Application and/or Component Monitor rules. Any subsequent communications of the same type/method for that program would then be tested against those rules. Any resulting blocks would be listed as having a "Reporter" of "Application Monitor" or "Component Monitor", depending on where the block rule is located.

Thanks for the help mate. Could you just let me know if you think these are genuine, as a lot of attempts by svchost.exe have been logged and I don't know how to tell if they are Windows Update things or not?

Date/Time :2007-08-17 13:16:19
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 79.75.240.33::dhcp(68)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-17 13:16:19
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 79.75.240.33::ntp(123)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-17 10:05:36
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:65.55.200.157: :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 65.55.200.157::http(80)

Date/Time :2007-08-17 10:05:35
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:213.200.110.95: :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 213.200.110.95::http(80)

Date/Time :2007-08-17 10:05:35
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:213.200.110.96: :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 213.200.110.96::http(80)

Date/Time :2007-08-17 10:05:35
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:8.12.199.126: :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 8.12.199.126::http(80)

Date/Time :2007-08-17 10:05:35
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:4.23.54.126: :http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 4.23.54.126::http(80)

Date/Time :2007-08-17 10:05:18

Hi

Sorry for the delay.

The first 2 are Net control stuff & time synch, both going to Tiscali. NTP is OK (just making sure the time is correct), but if you’re blocking DHCP then you should have connection problems (no/invalid Internet IP)… this implies that you may not need it. Check with Tiscali to see if you do need/use DHCP.

3rd: Hotmail. Which I suspect you use… something is probably trying to check to see if you have email.

4th & 5th: Both Akamai Technologies & Tiscali. Can’t guess, ask Tiscali. Unlikely to be anything bad.

6th & 7th: Both Level 3 Communications, Inc., unlikely to be anything bad. Depends on your usage (applications & hardware).

Note: You should never really block the SERVICES/SVCHOST relationship… doing so will break Windows Components such as Windows Update.

BTW, what is CFP's Alert Level set to?
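To make the triage above repeatable, here is an added example (not code from the thread or from Comodo) that parses entries in the CFP 2.4 log-text layout quoted in this thread and applies the rule of thumb given above: the services.exe -> svchost.exe pair talking UDP DHCP/NTP is expected housekeeping, while anything else (such as svchost going out on TCP 80) is flagged for a closer look. The one-field-per-line layout, the sample entries and the field regexes are assumptions.

```python
import re

# Field labels of a CFP 2.4 "Log text" export (assumed one field per line, blank line between entries).
FIELD_RE = re.compile(r"^(Date/Time|Severity|Reporter|Description|Application|Parent|"
                      r"Protocol|Destination|Details)\s*:\s*(.*)$")
# "79.75.240.33::dhcp(68)" or "127.0.0.1::12080" -> numeric destination port
DEST_RE = re.compile(r"^(?P<host>[^:]+)::(?:[a-z]+\()?(?P<port>\d+)\)?$")

# Constructed sample in the layout of the entries quoted in the thread.
SAMPLE_LOG = r"""Date/Time :2007-08-17 13:16:19
Reporter :Application Behavior Analysis
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 79.75.240.33::dhcp(68)

Date/Time :2007-08-17 10:05:36
Reporter :Application Monitor
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 65.55.200.157::http(80)
"""

def parse_entries(text):
    # Split the export into one dict per entry, keyed by field label.
    entries, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            cur[m.group(1)] = m.group(2).strip()
        elif not line.strip() and cur:
            entries.append(cur)
            cur = {}
    if cur:
        entries.append(cur)
    return entries

def dest_port(entry):
    m = DEST_RE.match(entry.get("Destination", ""))
    return int(m.group("port")) if m else None

EXPECTED_SVCHOST_UDP = {67, 68, 123}  # DHCP and NTP: normal for services.exe -> svchost.exe

def triage(entry):
    """'expected' for the DHCP/NTP housekeeping the thread describes, otherwise 'review'."""
    app, parent = entry.get("Application", "").lower(), entry.get("Parent", "").lower()
    svc_pair = app.endswith("\\svchost.exe") and parent.endswith("\\services.exe")
    if svc_pair and entry.get("Protocol", "").startswith("UDP") and dest_port(entry) in EXPECTED_SVCHOST_UDP:
        return "expected"
    return "review"  # e.g. svchost TCP Out to port 80: confirm it is Windows Update before allowing
```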

It's set to Low.

I caught the processes in the act and posted a screenshot (if you could see if they're genuine I'd be grateful). Also, someone on this forum suggested making a rule for svchost.exe; he said make a rule for it on certain ports. Is this correct (see below)?

So create a rule like this:
Application: C:\Windows\system32\svchost.exe
Parent: C:\Windows\system32\services.exe
Protocol: UDP/TCP
Direction: In/out
Source Ports: 53,67,68,80,443

[attachment deleted by admin]

That ‘someone’ was me, I think :wink:

Service overview and network port requirements - Windows Server | Microsoft Learn - There you can see all ports used by Windows services.

I’ll give you some information from it about the ports in your log:
Port 53 is for DNS, 67 and 68 are for DHCP, 80 is for HTTP, 443 is for HTTPS and 123 is for Windows time synchronization; since I don't use it, you might want to add it to your application rule.

Ragwing

So are they genuine, mate, the ones I've allowed on that screenshot?

I think I allowed another one but I can't remember what port it was. They could do with adding these connections to the whitelist, as for people like me it confuses and worries me.

Is there no way of viewing what you have permitted to double-check, and if I make a rule like you said, does it overwrite another rule that I previously made that refers to the same port?

What I don't get is that if you allow that port, what is stopping people using it for malicious purposes if they know people will leave it open for Windows Update or something?

From what I see, yes.

Yes, they should; I've suggested it. But I'm not sure CFP 2.4 will add the rules if you scan for known applications.

It should be in Application Monitor.

No, it won't overwrite rules for the same port by another application.

Ragwing

For some reason svchost.exe is not under Application Monitor, yet I permitted it ???

I have something that came up, I think it was svchost again, but the destination was 255.255.255.255:67. What's that, mate?

(Thanks for the help)

I think it's related to DHCP.
DHCP is how your computer obtains its IP address.
When you boot your computer on a network, the first thing it'll do is request an IP address from the DHCP server (if you don't use a static one), like this:

0.0.0.0:67 → 255.255.255.255:68

Or something like that. Hope this answers your second question.
About your first question, I don’t have any clue why it’s not there.

Ragwing
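As an added illustration of the exchange Ragwing describes (this is not code from the thread or from any Comodo component), the following builds the initial DHCPDISCOVER the way RFC 2131 lays it out: the client has no address yet, so it sends from 0.0.0.0 on the client port (68) to the broadcast address on the server port (67), which is exactly the 255.255.255.255:67 destination asked about above. The MAC address and transaction id used are constructed sample values; nothing is sent on the wire.

```python
import struct

DHCP_SERVER_PORT = 67        # RFC 2131: servers listen on 67
DHCP_CLIENT_PORT = 68        # clients listen on 68
BROADCAST = "255.255.255.255"
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_discover(mac: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER: fixed BOOTP header, magic cookie, then options (RFC 2131/2132)."""
    assert len(mac) == 6
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs=0, flags: broadcast bit set
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    addrs = b"\x00" * 16             # ciaddr/yiaddr/siaddr/giaddr: the client has no IP yet
    chaddr = mac + b"\x00" * 10      # 16-byte hardware address field
    sname_file = b"\x00" * (64 + 128)
    options = (bytes([53, 1, 1])            # option 53: message type 1 = DISCOVER
               + bytes([55, 3, 1, 3, 6])    # option 55: ask for subnet mask, router, DNS
               + bytes([255]))              # end marker
    return fixed + addrs + chaddr + sname_file + MAGIC_COOKIE + options

def discover_addressing():
    """(source, destination) socket tuples: no address yet, so the request is broadcast."""
    return ("0.0.0.0", DHCP_CLIENT_PORT), (BROADCAST, DHCP_SERVER_PORT)

def parse_header(pkt: bytes) -> dict:
    """Decode the fields a firewall log would care about from a DHCP packet."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    chaddr = pkt[28:28 + hlen]
    opts, msg_type, i = pkt[240:], None, 0   # 236 header bytes + 4-byte cookie
    while i < len(opts) and opts[i] != 255:
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "mac": chaddr, "msg_type": msg_type}

if __name__ == "__main__":
    src, dst = discover_addressing()
    pkt = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x12345678)  # constructed sample values
    print(f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]}", parse_header(pkt))
```

The reply (DHCPOFFER) comes back the other way, server port 67 to client port 68, which is the UDP In ::dhcp(68) traffic in the earlier log entries.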