svchost.exe acting up

Recently I got a request from svchost.exe to connect from my default gateway (192.168.1.1) to my computer's local IP (192.168.1.4) through UDP from source port 67 to destination port 68. I blocked it with COMODO, but I would like to know if I should allow it, or if I should be worried etc.

|Application: C:\Windows\System32\svchost.exe | Target: In | Protocol: UDP | Source IP 192.168.1.1 | Source Port: 67 | Destination IP: 192.168.1.4 | Destination Port: 68|

Thanks in advance.

-Darkchaos

Based on the ports and the fact that it’s between your gateway and your PC, it looks to be normal DHCP traffic; you can read about it here: http://www.linklogger.com/UDP67_68.htm

Edit: However I do not know if svchost.exe is supposed to do this or not, so you might want to wait for someone else to confirm that.

As Sanya suggested, this is DHCP traffic. However, it shouldn’t be necessary for your DHCP server to make explicit inbound connections to your DHCP client. What are your firewall rules and your router settings for DHCP?

Well, I’m not sure… Is DHCP my IP/DNS settings? If so, my router is set to get my IP dynamically from my ISP, and my DNS is set to OpenDNS (208.67.222.222). As far as firewall rules, I’m not sure.

If that information isn’t correct, could you please tell me where to find the correct info?

Thanks again,

-Darkchaos

The DHCP within a home network is when your router assigns an IP address and DNS to your computer and other devices that request an IP from the router.

As Sanya mentioned, your router will receive your public IP address from your ISP and then usually allocates private (192.168.x.x) IP addresses to devices on your LAN. Within the router settings there is usually some way to control this allocation. If you’re not sure please indicate the make and model of router. The DNS settings are not of concern with this situation. Also, when accessing the router, it’s probably worth checking the logs, if any.

You haven’t mentioned which version of CIS you’re using, but if you look under firewall you’ll find settings and application/global rules. It’s probably worth posting screenshots of these.

Well, my router is a Netgear WNDR3400v2, and I’m running Comodo Firewall v. 6.0.260739.2674

I’ve attached some screenshots below.

As I suspected, there’s nothing untoward in the firewall settings and the router configuration is quite basic. My best guess is that the Netgear supports the dynamic client reconfiguration extension. This is where the server sends a message to the client to force it to renew its IP address. Has this happened many times?

Hm nope, this is the first time that COMODO has asked to allow svchost.exe, but I’ve only had it installed for about a month or two tops.

For now, I’d just keep an eye on things. The connection, as stated above, is using standard DHCP protocols and ports and it’s originating at a trusted source. Unfortunately, if the connection only happens rarely, it’s difficult to trace the cause.
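
The check discussed in this thread, as an added example that is not from any of the posters: it parses the UDP payload of a captured packet, reads the DHCP message type (including FORCERENEW, the server-initiated renewal defined in RFC 3203), and reports whether the packet fits a reply from the known gateway. The function names and the sample packet are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
# Option 53 values (RFC 2132); 9 is FORCERENEW (RFC 3203)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK",
             6: "NAK", 7: "RELEASE", 8: "INFORM", 9: "FORCERENEW"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP UDP payload; raise ValueError if it is malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    info = {"op": payload[0], "yiaddr": socket.inet_ntoa(payload[16:20]),
            "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:              # DHCP message type
            info["msg_type"] = MSG_TYPES.get(value[0], f"UNKNOWN({value[0]})")
        elif code == 54 and length == 4:            # server identifier
            info["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return info

def classify(src_ip, src_port, dst_port, payload, gateway):
    """Report whether an inbound packet fits DHCP from the known gateway."""
    if (src_port, dst_port) != (67, 68):
        return "not DHCP server-to-client ports"
    try:
        info = parse_dhcp(payload)
    except ValueError as exc:
        return f"suspicious: {exc}"
    if info["op"] != 2:                             # 2 = BOOTREPLY
        return "suspicious: not a BOOTREPLY"
    if src_ip != gateway or info["server_id"] != gateway:
        return f"review: DHCP {info['msg_type']} from unexpected server"
    return f"expected: DHCP {info['msg_type']} from gateway"

def build_sample(msg_type, yiaddr="192.168.1.4", server="192.168.1.1"):
    """Constructed test packet: BOOTREPLY header plus options 53 and 54."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)
    hdr += bytes(4) + socket.inet_aton(yiaddr) + bytes(8) + bytes(16 + 64 + 128)
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server) + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```

The payload would come from a packet capture filtered on UDP ports 67 and 68; a reply whose source or server identifier is not the gateway is the case worth investigating.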