svchost.exe problem using PerfectDisk

Hello all. I’m trying out Comodo in the hopes I can dump the no-longer supported Sygate firewall I have been using, but I’m having an issue I seem unable to overcome. Perhaps someone here can help me find out what the heck I’m doing wrong…

First off, I’m a Windows server administrator for an international, multi-billion dollar company. The only reason I say that is so you know that I’m not new at this stuff, and you don’t have to give me “Firewall for Dummies” instructions. :slight_smile:

I’m using a Dell laptop running XP with SP2, fully patched, and CPF 2.4.18.184. I have AVG anti-virus, and my connection is wireless LAN (54mb/g).

CPF is working fine, and has been since I installed it about a month ago. But there’s one problem application: the PerfectDisk Command Center (CC for short). PerfectDisk is a commercial disk defragmentation program, and the CC is the management interface that allows you to view, report, configure, manage, etc. the functions of PerfectDisk on all the servers it’s installed on. The CC is loaded onto my laptop, and it communicates with a SQL database on a server in our datacenter.

The communication between my laptop and the SQL database appears to work fine, because I can watch it make all the connections using the Activity log. The problem occurs when the CC on my laptop tries to communicate with PerfectDisk installed on a server in the datacenter. When that happens the Activity Log shows the following error:

Date/Time :2007-11-16 13:38:58
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:10.4.100.3: :ms-rpc(135))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 10.4.100.3::ms-rpc(135)
{NOTE: Destination changes each time, and accurately reflects the server CC is trying to connect to}

I have my first Network Monitor rule configured like this: Allow TCP or UDP In or Out from IP [any] to IP [any] where source port is [any] and destination port is [any]

I have the Application Control rule for svchost.exe configured like this: svchost.exe Destination [any] port 135 TCP In/Out Allow

Since the Activity Log was saying TCP port 135 was being blocked I thought that rule would be sufficient, but I still got the same error. So I then set svchost.exe to this: svchost.exe Destination [any] port [any] TCP/UDP In/Out Allow

Even set that way – with all IP’s and ports (TCP and UDP) open for svchost.exe – I still get the exact same error. If I turn off the Network Control rules and leave the Application Control rules on the problem still exists. If I turn off the Application Control rules and turn on the Network Control rules the problem goes away, which strongly implies the issue is with the svchost.exe rule itself.

In my local System Event Log I see the following error every time the CC tries to connect with a remote server: DCOM was unable to communicate with the computer SERVERNAME using any of the configured protocols. {NOTE: SERVERNAME changes each time, and does properly name the server it was trying to connect to}

PerfectDisk and the CC use 4 .exe files – PDAgent.exe, PDConsole.exe, PDUiConsole.exe and PerfectDisk.exe. In the Application Monitor I have them all set up as follows: Range 10.0.0.0 - 10.255.255.255 port [any] TCP/UDP In/Out Allow {all our internal IP addresses are in the 10.* range}

I’m obviously missing something, but to me it appears as though I have svchost.exe set up so that TCP port 135 traffic should be allowed (actually, I have it too wide open IMHO, and would rather restrict it to port 135 only). Can anyone spot what I’m doing wrong? Why can’t svchost.exe communicate using TCP port 135?

Any help would be greatly appreciated. TIA…

P.S. one other strange thing is happening; when I click on the Updater button in the top right corner of the main window I get a popup that says I need to be an administrator in order to run that function. My network ID, which I logged in with, is in the local administrators group, so that’s not the problem. Has anyone else had that happen to them? If so, how do you get around it?

Hi Jim, welcome to the forums.

Sorry, I’m a bit busy at the moment (+ it’s fairly late where I live) & cannot assist… but, I just had to address one point of your email (because it is so important)…

> I have my first Network Monitor rule configured like this: Allow TCP or UDP In or Out from IP [any] to IP [any] where source port is [any] and destination port is [any]

This rule is wrong. I most strongly suggest you alter it to OUT only. Allowing all inbound TCP & UDP traffic from anywhere to anything is, in effect, negating your firewall for all inbound TCP/UDP traffic. This rule is accepting (allowing) all inbound non-ICMP traffic, whether it is unsolicited or not. Of course, this might not be so much of an issue if you have a hardware firewall (router, etc…) that is blocking unsolicited connection attempts. But, that rule is still way too open for the 1st rule in the Network Monitor.


Sorry to ask guys (I’m pretty new to computing) ??? but from reading the forums, I get the impression svchost.exe is part of the Windows program and “SAFE”. If this were the case why would your CC program with its own .exe parts be using svchost.exe?

Just ignore this if I’m being too green, but ya gotta start somewhere. lol.

cheers matty

Thanks for the tip. I guess I’m a bit more familiar with the way Sygate works, which is all traffic is allowed on the network level and the firewall rules are port and application specific. In other words, it starts out not trusting anything at all, and then it builds a list of port and application exceptions through usage. Even though it might sound as though your network connection is “open” the only things allowed in or out are in the rules (I’m probably not explaining that clearly, because it sounds like every other firewall). Regardless, I tried applying that same idea to Comodo but apparently that’s not the correct way of doing it, so I’m going to rethink this.

Reversing my logic, and disallowing everything but what ports I need (disregarding applications/services for now), makes me come up with a list something like this (using port information obtained from List of TCP and UDP port numbers - Wikipedia):

Port Protocol Used By

20,21 TCP FTP
25 TCP/UDP SMTP
42,1512 TCP/UDP WINS
53 TCP/UDP DNS
67,68 UDP DHCP
80 TCP HTTP
88,464,543 TCP/UDP Kerberos
109,110,995 TCP POP3
135,530 TCP/UDP RPC
137,138,139 TCP/UDP NetBIOS
143,993 TCP/UDP IMAP4
156,1433,1434 TCP/UDP SQL
161 TCP/UDP SNMP
389,636 TCP/UDP LDAP
443 TCP HTTPS
445 TCP AD
525 UDP Timeserver
593,1026,1029 TCP/UDP DCOM
902,904,8222,8333 TCP/UDP VMware
1352 TCP Lotus Notes
1494 TCP Citrix ICA Client
1533 TCP Lotus SameTime
3389 TCP RDP
5500,5800,5900 TCP VNC
33434 TCP/UDP tracert

That seems like an awful lot of individual rules to create, especially since you can’t name the rules to make it more clear what each one is. And I imagine creating all those rules isn’t the best way to do this either, so that makes me ask: exactly what is the proper method to set up Comodo? Is it to deny all traffic and create separate rules for everything? Is there a better way?
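As an added illustration (not code from this thread, from Comodo, or from any of the posters), the following Python model walks an ordered, first-match rule list the way the Network Monitor rules above are described, and checks kail's point about the In/Out any-to-any rule against the outbound RPC connection from the Activity Log and against an unsolicited inbound connection. The rule fields, the stateless evaluation, the default block when nothing matches, and all sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    proto: str                   # "tcp", "udp" or "any"
    direction: str               # "in", "out" or "any"
    remote: str = "0.0.0.0/0"    # remote address range (CIDR); default = any
    dport: Optional[int] = None  # destination port; None = any

@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    remote_ip: str
    dport: int
    sport: int

def first_match(rules, pkt):
    """First matching rule decides; no match falls through to block (assumed default)."""
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.direction != "any" and r.direction != pkt.direction:
            continue
        if ip_address(pkt.remote_ip) not in ip_network(r.remote):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return "block"

# Jim's first Network Monitor rule: allow TCP/UDP, in or out, any to any
OPEN_RULES = [Rule("allow", "any", "any")]
# kail's suggestion: the same rule restricted to OUT only; inbound hits the default block
OUT_ONLY_RULES = [Rule("allow", "any", "out")]
# a few entries of the port table above as out-only rules, plus the internal 10.* range
TABLE_RULES = [Rule("allow", "tcp", "out", dport=p) for p in (80, 443, 135)] + \
              [Rule("allow", "any", "out", remote="10.0.0.0/8")]

# constructed sample traffic (remote addresses outside 10.* are documentation ranges)
SAMPLES = {
    "cc_rpc": Packet("tcp", "out", "10.4.100.3", 135, 3021),            # CC to the RPC endpoint mapper
    "unsolicited_smb": Packet("tcp", "in", "198.51.100.7", 445, 40000),  # inbound nobody asked for
    "unlisted_out": Packet("tcp", "out", "203.0.113.9", 6667, 3022),     # outbound to a port not in the table
}

def evaluate(rules):
    """Return the verdict for every sample packet under the given ordered rule list."""
    return {name: first_match(rules, pkt) for name, pkt in SAMPLES.items()}
```

Replies to connections the laptop opened are not modelled here; how the product treats that return traffic is separate from the ordering question the rule lists illustrate.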

matty: Yes, SVCHOST.EXE should be allowed when using CFP 2.4 and it is, generally, SAFE (as far as CFP 2.4 can take it… see below). Blocking SVCHOST will break Windows components such as Windows Update, Time Sync and a good few more.

Jim: I have another suggestion. The new CFP 3 is due out very soon (maybe today, US Eastern time). You can name rules in CFP 3. Rules are more highly configurable. Port sets are possible. And much more. SVCHOST becomes much easier to control in CFP 3. CFP 3 has full blown HIPS (Host Intrusion Protection System). My suggestion is to wait & try CFP 3. Or we could tackle the current issue. Your call, I only suggest it since you might have to resolve the issue in CFP 3 as well. edit:… and then again, it might just… well… work in CFP 3. :slight_smile:

Thanks for the info kail (much appreciated), hope Jim sorts his problem out. Do you think I should go for CPF 3 or stick with 2.4 for a bit till I can understand what all the systems do?

P.S. I’ve learnt more from this forum than all the others put together (some forums have no time for newbies) so thanks to all moderators for their output.

cheers Matty (:CLP)

win xp pro sp2 / avira classic / comodo cpf 2.4 /comodo boclean/spybot s+d

Hi Matty

Yes, I do. And for 2 reasons. CFP 3 is easier to use (Comodo have added an interesting new feature to keep it… well… fairly quiet) & since you’re still learning CFP 2.4… why bother? There is no point learning stuff (CFP 2.4 stuff) that you’re not going to be using for that long. Assuming… you have the right OS? XP & Vista. The W2k version will come later. you do. ;D

PS Thanks on the output, and I’m sure that all Mods will appreciate your kind words. :slight_smile:

The CFP 3 final has been released…

http://www.personalfirewall.comodo.com/download_firewall.html

Oh great, just as I start to learn the V2 program I have to begin all over again with V3. ;D

Okay, I will download the new version and try it out. Does it replace V2, or should I manually uninstall that first?

Hiya Jim, I’ve just deleted v2 (which you have to before installing v3) and I think you will be in for a nice surprise as it seems to suss out what you’re doing as you’re doing it. Good luck, I know I’m gonna need some.