svchost.exe problems [Resolved]

In a new installation of CFW, the application monitor has recorded in the log greater than
thirty high severity notices in the last 12 hours, along with many medium warnings. They mostly
all relate to “application access denied( svchost.exe:x.x.x.x : : http(80)” or to specific ports. svchost.exe
is in its proper location in system32 and Process Explorer doesn’t appear unusual in the monitoring
of the services.exe processes. I presume(?) that the application is performing legitimate processes.
How can I allow svchost.exe to function normally? A rule placed in application control allowing unlimited
activity doesn’t work. Thanks for any help.

goby,

You can do two things that should help with svchost.exe…

Go to Security/Advanced/Miscellaneous, and check the 2nd box, “Do not show alerts for applications certified by Comodo.” OK.

Then go to Security/Tasks/Scan for Known Applications. Follow the prompts, reboot when finished.

See if that doesn’t clear up that issue for you.

LM

The box has been checked and during troubleshooting previously, the application scan was run
without any input from the wizard other than a finish indication. A subsequent reboot produced no
change in svchost.exe malactivity. Is it possible that an errant application is causing the problem?

You can try the following:

First, open your Application Monitor, and just check to make sure that there’s not a “Block” entry for svchost.exe…

If there isn’t, go to Security/Advanced/Miscellaneous, and move the Alert Frequency slider to High or Very High. Click OK, reboot.

When you log back in to Windows, you’ll get a number of alerts for svchost.exe with services.exe as the parent, to connect out. You may select “Remember” and Allow the connection to occur. This will automatically create rules to allow svchost to connect, and should give you a baseline to work from.

There will be other alerts for things like the Windows queuing service, etc. You can allow the others without “remember” so as not to create a bunch of rules you may not want. After svchost.exe is in the application monitor, you can go back and turn the alert frequency down to Medium or Low. Then if you want, you can edit the svchost.exe application rule(s) and remove the IP-specific information that will be present (or leave it…).

LM

LM

So far the advice you have provided seems to have solved the problem.
Only an initial “suspicious behavior” has been logged with no further
activity. Svchost.exe activity appears in application traffic but
has not appeared in the application monitor. Should I expect the
application to automatically be added? Why doesn’t manual addition
of svchost.exe to the application monitor function? Are not manual
additions of applications to the monitor allowed?

Goby

Goby,

What’s the log entry for the suspicious behavior? That may shed some light on what happened in the first place.

Regarding why adding a rule manually didn’t work, I don’t have a quick answer for you. It should work, yes. A reboot after adding it might be needed (some say it is, some say it isn’t; I tend to do so just to make sure). If there was a block already in place, adding an allow isn’t going to help, until the block is removed.

For svchost.exe appearing in traffic but not in app mon, that’s probably due to the “do not show alerts for applications certified by comodo” in conjunction with having scanned for known applications. I think that in that scenario, while it creates permissions for the “safelist” applications, it may not add the system processes to the application monitor. It will add known applications like MSIMN.exe (outlook express) and IExplorer.exe (internet explorer), but not svchost.exe.

At any rate, I’m glad it’s working so far, now. Hopefully that will continue, and you’ll have no more difficulties.

LM

LM

I have had no further log entries since having another ■■■■■ at allowing svchost.exe activity.
The first and only entry, “high severity” warning, which I also saw originally is: “application Behavior analysis” “suspicious behavior(svchost.exe)”. The system is functioning normally. Spybot and spycop
scans are negative.

Goby

There should be some details there, such as:

Date/Time :2007-03-07 13:37:07
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (firefox.exe)
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 85.91.228.149::http(80)
Details: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE has modified the the User interface of C:\Program Files\Mozilla Firefox\firefox.exe by sending special Window messages.

I just want to make sure that we’re covering all the bases. Not that I think there’s something bad going on, just to make sure we’ve thoroughly covered everything that needs to be. That’s all.

LM

LM

The following is the log entry in question:

Date/Time :2007-03-06 13:04:28
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.101::1038
Details: C:\WINDOWS\system32\WgaTray.exe has tried to use
C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be
used to hijack other applications.

This must be a normal system process(?)

Regards

Goby
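A small log parser and triage helper, added here as an example and not part of the original thread or of Comodo’s own software. It reads entries in the “Key :value” layout quoted in LM’s firefox.exe example and in the svchost.exe entry above, splits the Destination field into host and port, applies the two checks goby did by hand (is svchost.exe running from system32, and is its parent services.exe), and pulls out the process named at the start of the Details line, which is what identified WgaTray.exe here. Both log entries embedded in it are constructed; the second one (an svchost.exe outside system32 with explorer.exe as parent) is made up only to show what a flagged entry looks like, and the IP addresses in it are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Two constructed entries in the field layout quoted in the thread.
# Entry 1 mirrors the WgaTray/OLE Automation case; entry 2 is invented
# to exercise the path/parent checks (addresses are placeholders).
SAMPLE_LOG = r"""
Date/Time :2007-03-06 13:04:28
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 192.168.1.101::1038
Details: C:\WINDOWS\system32\WgaTray.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-03-06 13:10:00
Severity :High
Reporter :Application Monitor
Description: Application access denied (svchost.exe:10.0.0.5::http(80))
Application: C:\WINDOWS\Temp\svchost.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 10.0.0.5::http(80)
"""

# "Key :value" or "Key: value"; the key runs up to the first colon only,
# so values containing colons (paths, host::port) survive intact.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")
# "host::1038" or "host::http(80)"
DEST_RE = re.compile(r"^(?P<host>[^:]+)::(?:(?P<svc>[A-Za-z]+)\()?(?P<port>\d+)\)?$")
# Leading "<drive>:\...\name.exe" at the start of a Details line.
ACTOR_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.exe)", re.IGNORECASE)

SYSTEM32 = r"c:\windows\system32"  # assumed install drive/path for this example


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split the log on blank lines and turn each block into a field dict."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group("key").strip()] = m.group("val").strip()
        if fields:
            entries.append(fields)
    return entries


def parse_destination(dest: str) -> Tuple[str, Optional[str], int]:
    """Return (host, service name or None, numeric port) from a Destination value."""
    m = DEST_RE.match(dest.strip())
    if not m:
        raise ValueError(f"unrecognised destination: {dest!r}")
    return m.group("host"), m.group("svc"), int(m.group("port"))


def triage_svchost(entry: Dict[str, str]) -> List[str]:
    """The two sanity checks from the thread: expected path and expected parent."""
    app = entry.get("Application", "")
    if not app.lower().endswith("\\svchost.exe"):
        return []  # not an svchost.exe entry; nothing to say
    findings = []
    if not app.lower().startswith(SYSTEM32 + "\\"):
        findings.append(f"svchost.exe running from unexpected path: {app}")
    parent = entry.get("Parent", "")
    if not parent.lower().endswith("\\services.exe"):
        findings.append(f"svchost.exe parent is not services.exe: {parent or '<missing>'}")
    return findings


def initiating_process(entry: Dict[str, str]) -> Optional[str]:
    """Basename of the process the Details line names as the actor, if any."""
    m = ACTOR_RE.match(entry.get("Details", ""))
    if not m:
        return None
    return m.group("path").rsplit("\\", 1)[-1]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        host, svc, port = parse_destination(e["Destination"])
        print(e["Date/Time"], e["Description"], "->", host, port)
        for finding in triage_svchost(e):
            print("  FLAG:", finding)
        actor = initiating_process(e)
        if actor:
            print("  initiated by:", actor)
```

Run as a script it prints one line per entry, flags only the constructed second entry, and reports WgaTray.exe as the initiator of the first; feed it a real export of the log in the same layout and the same checks apply. The path check assumes Windows is installed at C:\WINDOWS; adjust SYSTEM32 if it is not.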

goby,

That does explain a lot. Unfortunately, you’ve been attacked by the Windows Genuine Advantage, computer-killing virus. Just kidding about the virus part. WGATray is the systray icon/controller for the WGA module, which is a wonderful little part of Windows that MS cooked up to help prevent piracy. That’s well and good, but it has caused a number of problems, and is, IMO, just as bug-ridden as every other aspect of Windows security. Since WGA, this little module has to go online, connect to MS, and validate that you have a genuine Windows product, in order to do certain MS downloads, updates, upgrades, patches, etc.

And yes, it uses svchost.exe to do so. I haven’t seen it trigger an OLE alert before, though. In theory, that should only happen if one of the applications in question is not on the Comodo certified safelist (provided that the user has that option enabled), which if I understand how it works, in this scenario that would be svchost.exe (which I know is on the safelist). All that said, I would guess that when this occurred, you had the “Do not show alerts for applications certified by Comodo” unchecked (Security/Advanced/Miscellaneous).

While we may not like the WGA thing, if we’re using Windows, we must peaceably coexist. :wink: Thus, if you see such a popup, you can allow and not worry about it. Select “Remember” and you shouldn’t be asked for it again.

LM

Thank you kindly, Little Max for all of your help and interest in increasing
my understanding of CFW. I really like the program for its value in
securing the privacy of my system as well as the further value of stimulating
inquiry into basics of networking and system function.

Best Regards,

Goby

No problem, goby, I’m glad to help.

And yes, I agree about the increasing understanding part. It has helped me tremendously, and not just with CFP!

Let me know if the situation seems to be holding steady and working well… if so we’ll mark the topic as resolved for other users’ benefit.

LM

Little Mac

Everything is stable and doing well. Thanks again.

Regards

Goby

Great, I’m glad to hear it.

I’ll go ahead and mark the topic as resolved, and close it. If it turns out you continue to have some issues with it, just PM me or another Moderator with a link back here, and we’ll reopen it for you.

LM