Svchost.exe in Comodo 2.4

Hello

First, I do not understand much about firewalls, so you will excuse me. I uninstalled version 3 since it was way too much for me. I installed version 2.4.18.184.
I installed it out of the box. Only rules I created reading this forum was for utorrent and emule.
I allowed every pop up.

My question after reading lots of questions here is this:

  1. svchost.exe is not listed in any place except in Connections Udp In/out 255.255.255.255.67 and it goes up to 900.000 Bytes in??? Bytes out : 1043

  2. sometimes I see system.exe listed in Connections but after a while it disappears.

  3. In the Summary windows svchost.exe shows 100% and it slows down if I open for instance: utorrent but when closing it ( or any other app) it goes up again

  4. In Network Monitor I see 9 rules created. Number 9 says Block and Log IP in or Out From Ip any
    where IPPROTO is any. The rest of the rules are in green showing Allow.

No problems to surf the net, or anything. My question is if this is NORMAL or I am missing something. I have 6 megas connection through a modem (cablemodem). No router, no any other software running for spyware.

Thanks!

PS: please answer in no technical way. I will never understand. Just tell me (if there’s any) what to do or add or delete or uncheck.

Hi zzas!

No need to worry at all…

  1. svchost.exe is used for more than one task, one task is to manage the network partly; so this behaviour is normal.

  2. system.exe is a system process that is used to account processor time (for putting it short); also normal behaviour.

  3. see 2) - it’s also normal.

  4. The last (red) rule is the most important, because it protects you from all the rest of network traffic junk that made it to this rule. In other words: that’s blocking the evil network traffic.

Hope that helps…

hi Frankster and thanks for your reply. It takes my attention how svchost.exe goes up and up and up…and one more thing…in Application Monitor appear System as Allowed with Destination Any,
Port Any, Udp Out.

cpfupdate.exe also appears as allowed (updates for Comodo, right?). Can I finish this thing, or from where?

last, in Activity-Logs it only appears Network Monitor Inbound Policy Violation TCP incoming and I see there are different IPs to different ports (?)

thanks again!!!

system and svchost are not reliable in any circumstances, and should not be globally allowed.

as it was said, both of them can involve child processes and can, even wouldn’t it be the case, ask for communications on unwanted ports.

my opinion is to first secure these processes, allowing them for every protocol and direction in the LAN zone if it exists and for the localhost at 127.0.0.1.

afterwards, everyone needs, depending on what he is doing, to ask himself if the CPF demand is legitimate or is not: as a basic example, there’s no reason (and it is very insecure) to allow any of these applications for the ports 135 to 139 on the WAN.

Hi Brucine, thanks for your answer… now, since I assume you do not speak Spanish, could you tell me in plain English if I am doing or setting something wrong according to what I posted?

I wish I understood technical issues but unfortunately I just …never mind. Please! and thanks for your time

Well, not sure it will be so easy: you seem to be a Spanish native, I am a French one…

Moreover, I don’t understand anything about p2p (and I do not want to change anything about it; I just use limewire from time to time, and I didn’t find either any valuable stuff to download with it or clear firewall rules to apply: I just allow everything TCP and UDP out while I am connected, and block it as soon as I am done).

Speaking of svchost, I have, at the moment speaking, 2 occurrences in the task monitor for 14000+4000 KO, but no occurrence whatsoever of it being blocked in CPF (it is CPF allowed only for my LAN, 192.168.0.x).

255.255.255.255 is a universal broadcast address while 67 is a DHCP port: I am no networking wizard, but that seems to mean that your machine would look for something everywhere it can on the web (which is not such an “abnormal” behaviour with p2p).

It would be fine, if it is possible, first to give your PC a fixed unroutable ip (something like 192.168.0.1, have in such circumstance the LAN address of your cable modem be coherent like 192.168.0.10), as it would keep the whole to search a DHCP assignation (clearly, a variable ip for your pc) for every session.

In second place, you didn’t tell anyone what services are launched with your PC: take a look at them (task manager and services), don’t some of them deserve to be deactivated?
Some softwares spend all their time (and yours) updating you don’t know what every hour: check for their parameters.

Take also a look in the “run” and “runonce” sections of your register; anything starting that should not?

Your networking rule seems strange to me: you definitely cannot block any ip; you need those of your isp for your browser, udp out 53, to allow your browser for any ip tcp out, 80 and 443, your mail client tcp out 110 and udp out 53.

To start, you can block mstask for any wan port, svchost and system for wan ports 135 to 139… and just stay to it: every single other rule will come naturally when you “do something”.

Last, but not least, the behaviour you are describing lets think, as I already wrote, of programs starting without your awareness, either superfluous services not deactivated, either trojan/spy malware.
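
Added example, not part of the thread and not written by any of the posters: a read-only PowerShell inventory of the three places the post above says to look (what runs inside each svchost.exe, which services start automatically, and what the Run/RunOnce registry keys launch). It assumes a current Windows with PowerShell 3.0 or later, which the Windows of the Comodo 2.4 era did not ship with.

```powershell
# Added example: read-only inventory, changes nothing on the machine.

# 1. Services hosted by each svchost.exe process, largest memory use first.
#    svchost.exe is a shared host, so its name alone says nothing about
#    what is generating the traffic or the load.
$running = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    [pscustomobject]@{
        ProcessId = $proc.Id
        MemoryMB  = [math]::Round($proc.WorkingSet64 / 1MB, 1)
        Services  = ($running |
                     Where-Object { $_.ProcessId -eq $proc.Id } |
                     ForEach-Object { $_.Name }) -join ', '
    }
} | Sort-Object MemoryMB -Descending | Format-Table -AutoSize -Wrap

# 2. Services configured to start automatically, with the binary they run.
Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
    Sort-Object Name |
    Select-Object Name, State, PathName |
    Format-Table -AutoSize -Wrap

# 3. Programs launched at logon from the Run and RunOnce keys,
#    machine-wide (HKLM) and for the current user (HKCU).
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }   # RunOnce is often absent
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $item.GetValue($name)
        }
    }
}
$autoruns | Format-Table -AutoSize -Wrap
```

An entry in part 2 or 3 whose path points somewhere unexpected (a temp folder, a user profile) is the thing to look up before deciding whether to disable it.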

Brucine, my French friend, I thank you so much for your time and explanation. I had to uninstall it since the svchost.exe was up to 2 MB ??? and going up, so something was wrong. What I did was clean everything and install version 3…276.

Seems to be working smoothly. If I see (I hope my brain allows me) something weird I’ll post back.

But honestly, I thank you again for your time and patience.

best regards