So I’ve been following along with this thread (after posting a similar problem just a few days ago here: https://forums.comodo.com/help/numerous_medium_network_monitor_logs_inbound_outbound_policy_violations-t14432.0.html).
Although I must admit I don’t quite fully understand all the more technical points of this discussion, here are my own personal observations up till now.
These are the 3 logs I get every time I log on:
Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.22
Reason: Network Control Rule ID = 7
Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = ROUTER SOLICITATION)
Protocol:ICMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.2
Message: ROUTER SOLICITATION
Reason: Network Control Rule ID = 7
Date/Time :2007-11-04 21:06:26
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.249.64.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 7
Network Control Rule #7. Block and Log IP IN/OUT from IP [ANY] to IP [ANY] where IPPROTO is ANY
I have no problem connecting to the internet, but these continual logs are concerning me. Additionally, in the connections section of the ACTIVITY screen in CPF, SVCHOST.exe is always connected as follows:
svchost.exe Protocol: UDP In/Out Source (IP : Port): 0.0.0.0 : 68 Destination (IP : Port): 255.255.255.255 : 67 Bytes In: ~200kb Bytes Out: ~1kb
The Bytes In only gets as high as 200+ kb, nowhere near as big as the 22 mb described in this original post by housiemousie2. Is it normal for svchost.exe to be constantly connected and for the source IP to be 0.0.0.0 : 68?
After reading this post, I tried blocking 10.x.x.x as per the instructions earlier in this post. While it stopped the Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68)) log, the two other logs remained. 8 minutes after bootup, I started getting numerous other Inbound Policy Violations (17 within a 2 second timeframe):
14 of these:
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol: ICMP Incoming
Source: 125.129.53.xx (where the last two digits of this address changes for each log entry)
Destination: 99.250.xx.xx (my IP)
Message: PORT UNREACHABLE
followed by 3 of these:
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Protocol: ICMP Incoming
Source: 125.129.53.xx (where the last two digits of this address changes for each log entry)
Destination: 99.250.xx.xx (my IP)
Message: HOST UNREACHABLE
After getting these log entries, I deleted the new Network Rule so once again, I get the original three log entries whenever I log in.
Is this activity (especially the svchost.exe activity) normal? Should I be creating a new rule to allow the IP boot process to be completed?
Thanks everyone. Sorry for the length…
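As an added example (not part of the original thread or of the Comodo product), here is a small Python triage script that parses the Network Monitor entries quoted above and labels each one as expected local housekeeping (the DHCP server broadcast, the IGMP report to 224.0.0.22, the router solicitation to 224.0.0.2) or as unsolicited inbound traffic (the ICMP unreachables). The sample log text is constructed from the post's entries; the unmasked source 125.129.53.10 is a made-up value standing in for the masked one.

```python
from ipaddress import ip_address
# Constructed sample in the Network Monitor format quoted in the post (public addresses masked as in the original).
SAMPLE_LOG = """\
Severity :Medium
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.22
Date/Time :2007-11-04 21:06:26
Severity :Medium
Description: Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.249.64.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Severity :Medium
Description: Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol: ICMP Incoming
Source: 125.129.53.10
Destination: 99.250.XX.XX
Message: PORT UNREACHABLE
"""
def parse_entries(text):
    # A record starts at a Date/Time line, or at a Severity line when the current record already holds more than a Date/Time.
    entries, cur = [], {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Date/Time" or (key == "Severity" and set(cur) - {"Date/Time"}):
            entries.append(cur)
            cur = {}
        cur[key] = val
    entries.append(cur)
    return [e for e in entries if e]

def is_public(addr):
    try:
        return ip_address(addr).is_global
    except ValueError:  # masked address such as 99.250.XX.XX
        return False

def triage(e):
    proto = e.get("Protocol", "")
    src, dst = (e.get(k, "").split(":")[0] for k in ("Source", "Destination"))
    if "Outgoing" in proto and dst.startswith("224.0.0."):
        return "expected: link-local multicast (IGMP report / ICMP router solicitation)"
    if "Incoming" in proto and ":bootp(67)" in e.get("Source", "") and dst == "255.255.255.255":
        return "expected: DHCP server broadcast; blocking it can break lease renewal"
    if "Incoming" in proto and "UNREACHABLE" in e.get("Message", "") and is_public(src):
        return "unsolicited: ICMP error from an Internet host, dropped; watch for bursts"
    return "review"
```

Run `for e in parse_entries(SAMPLE_LOG): print(triage(e))` to see the three labels; anything that comes back as "review" is what deserves a closer look.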