svchost.exe signed by MS but blocked by firewall, why?

I wonder why svchost.exe was blocked by the firewall, its signed by Microsoft etc. I also think it would be a good idea to show the user WHY it blocks and quarantines.


I have exactly the same behavior but I don’t sure if it is an issue.
I have some firewall rules over svchost.exe and by default a blocked rule from any IP that is not in my personal list.
So, theoretically maybe is correct in my case that the blocked event raised…

Do you have any custom firewall rule on svchost.exe or do you have the standard trusted rule on it?


Hi, I have no custom rule per say. I added it to the default groupe “Windows System Applications” which has one rule and that is “Allow IP Out From MAC To Any MAC Where Protocol Is Any”

Do you have HIPS enabled or are you using Proactive security configuration? You can always manually allow it. Check the logs first though.


No HIPS. Causes to much problems in my opinion and I don’t understand why it is included in the Comodo Firewall =/.
Either way. Look at the screen and you see that it was the firewall that blocket.

I see…
Can you do a little test?
Edit the Firewall rule for Windows System Applications and change the rule to “Allow IP In/Out From MAC To Any MAC Where Protocol Is Any”
Then Save, Apply and clear ALL logs and probably the Firewall event shouldn’t be raise.
Please, tell us what happen…

Stop using the blocked list as it doesn’t tell you the details of the block you must open the firewall event logs to see why it is blocked.

Yeah? since when does the Firewall event log show you WHY it blocked something ???
Please provide an example…

Here’s 2 examples.

  1. It may have a related alert associated with the block action. This will then give you an explanation as to why it was blocked.
  2. It provides more details such as the Port. Something that could help to see if it was being triggered by any rules.

Hmm, i wrote “since when does the Firewall event log show you WHY it blocked something ???” not why would I look over there seems useless. Which seems to be how you read it? :smiley:

And for the record. The Firewall event log is empty. Else I would have included that info and probably asked a bunch of other questions…
Also, have a look at this screenshot. And tell me why they are “blocked” =) AND before you say something like futuretech would have said “Stop using the blocked list as it doesn’t tell you the details of the block you must open the firewall event logs to see why it is blocked.” the event log is empty. AND I was playing FH4 at the time so non of that Comodo blocks everything before its loaded like at startup…

The log is not empty you will only see events of “Today”, so you need to change the time & date filter to show all events from entire period aka no filtering. Again the unblock list will not give you any information about a block other than the component and last date & time the most recent blocked happened for the application, the fact you only notice the blocked list shows that the applications are not being hindered in their operation. Oh and the blocked outgoing during system startup are delayed logged so you won’t notice the blocking until well after it had already happened.

I see. Have a look. They were blocked for outgoing so AND I boot my computer in the morning. Was playing FH4 when these where blocked. So we are still where we started. Why The Hell Are These SAFE apps/programs blocked!? 8)

You’re not reading and understanding the answers from futuretech . . .

This a part of the Firewall logs I have from this morning. Usually there’s NVIDIA programs in there also. All blocked going Out - until CIS loads completely and the logging stops. Nothing is affected, nothing stops working and everything loads as it should, just as it does with yours. It is CIS Firewall protecting the system. Happens on every CIS start

Who is it really that doesn’t understand I wounder… I WROTE “I boot my computer in the morning.” So even if these are from then. LOOK at what time they where registered! YEAH? that’s right about 18:00 not really in the morning is it!? OK good. We are done here. The devs are on the case on my other thread.

PM: Taking a screenshot of this reply in any case you feel like abusing your modstatus…

Okay I actually had this happen before when running a full screen app such as a video game, where after playing I have seen similar blocks around the time I was playing. But I haven’t had it happen again, question is what CIS version are you using? I had this happen in one of the older builds I think 6882 or the one before it, now using the latest beta I don’t see it happen other than the startup blocks. My guess is maybe for some reason firewall is incorrectly blocking outgoing connections of safe applications while a full screen app is running. And I only notice this on Windows 10, whereas Windows 7 does not exhibit this behavior.

Most ppl don’t admit when they are wrong. I’m not one of them. I had a look at the Windows Event log. I notice that I did a reboot around 18:00 (was fixing with Flirc) so that confirms what your were saying about blocking stuff at startup. However, if we can’t keep Comodo from blocking or logging these things at boot. At Least they can make it so that these apps/entries or whatever doesn’t make it to the “Unblock Application” section. I don’t want to manually have to clean this every boot or close to it :slight_smile:

Hi blackkatt,

Thank you for reporting, could you please check your Inbox for private message and provide the requested logs.

Already sent to Dharshu =)

Hi blackkatt,

Our developers had checked the logs, it seems there are a lot of changes in configuration and default rule was deleted. Could you please allow our developers to connect to your machine via remote session, to investigate the problem. Please let us know your opinion.

could someone report how does the story go on :wink: