Svchost keeps popping up


While toying around with my Firewall Policy I wanted to check whether or not I could bar svchost from trying to access the internet(*). So I told Comodo to consider svchost.exe a blocked applicatio. However, pop-up just kept on appearing asking me what to do with svchost.exe. No matter what I clicked, (allow, deny) and whether or not remember my answer was checked or not, I would always get another pop-up. ??? What’s up with that? There’s probably a couple of instances of svchost running, but this was a true avalanche of pop-ups. Any info on what to do with svchost would be greatly appreciated.

El Presidente

*: After browsing these forums I sort of realize svchost needs an internet connection for various stuff, so I’ll probably allow it to connect. Would setting it to be a trusted application be safe?

Svchost by itself is safe, but can be used by unsafe processes. I wouldn’t set it as a trusted application. Some people have good results by setting it to outgoing only.

Welcome to the forums ElPresidente86.

Svchost.exe is used by a great many processes and really should be allowed at least some Internet access. Without it you’re going to find services like DNS and DHCP are not going to work.

If you don’t wish to go to the trouble of creating specific rules, just make it an outbound only service. There’s a predefined rule available for that.

Thanks for the replies people.

However, when taking the advice the problem persisted. :frowning: The firewall kept asking me what I wanted to do with svchost.exe. I set in the network security policy to be treated as “outgoing only”, and told Comodo in the alert to do the same. To no avail…

I’m thinking something’s wrong with my Comodo install. Updates are too slow, and now that the firewall’s turned off Defense+ started to show alerts I hadn’t seen before (like if my browser should be allowed to open my pdf-reader), even though I’d set it to “Paranoid Mode” a while ago.

ElPresidente, I have the same problem and have had since upgrading to 3.10.

CIS keeps giving me the alert below and, no matter what I answer, still pops up.

svchost is allowed out but is still a nuisance.

In the previous version of CIS I had svchost totally blocked and there was no problem.

I have asked about it and received replies, but I didn’t really understand the advice :frowning:

[attachment deleted by admin]

Once I set svchost as Outgoing only, I have never seen another popup regarding it.
Maybe due to it’s being digitally signed and I checked ‘Trust applications digitally signed by Trusted vendors’?

At ElPresidente86 can you show a screenshot of the Firewall Events?

At giraffe.
You can add a rule for the Bootstrap Protocol for svchost. I am not very familiar with the whereabouts of this protocol but I think I pretty much have the hang of it though to give it a go.

The bootstrap protocol, as far as I have seen here at the forums, is used by some cable companies to hand out IP addresses to its clients. It is a predecessor of DHCP. It will use broadcast (IP: in both directions in case the client doesn’t know it’s IP address and is asking for one. As a consequence I think you must allow for incoming traffic for svchost for IP address on UDP port 67.

Now edit the rule for svchost and choose use a custom policy → copy from predefined security policies → outgoing only → add →
Action: Allow
Protocol: UDP
Direction: In
Description: Allow incoming traffic for bootstrap

Source address: Any
Destination address:
Source Port: Any ( you could try later to tighten up to 67)
Destination Port: 67
Make sure the new rule is above the basic block rule (red icon). Apply → Apply.

For those who like a read on this: The TCP/IP Guide - TCP/IP Bootstrap Protocol (BOOTP) .

Thanks for this, Eric.
I’ve set it up as directed but haven’t rebooted (is this necessary?) and reconnecting still gives the same pop-up :frowning:

I did try, a couple of days ago, enabling DNS Client service, but that gave scores of pop-ups so I killed it again. I’ve never had that enabled and have always connected OK.

OK, now works!

Eric, I followed your instructions then tried moving the new rule to the top above Allow All Outgoing Request and it was OK.
Then limited both Source and Destination Ports to 67 and it still worked!

Now happy.

Thanks again.

Sorry, I decided to do a fresh install. Now nothing pops up. I must have messed up some rule or something. In the fresh install I’ve got svchost set up as outgoing only, and there’s no problem.

Glad to hear you solved the problem.

I was going to install afresh - downloaded the file - then tried Eric’s instructions and the ploblem’s gone. Even refined the setting down to In and Out ports being 67 and UDP to Out only and it still works. :-TU

If svchost migrated to Defense+ how can you configure it to Outgoing Only?

And if it is under My Protected Files umbrella how can it be corrupted?

Outgoing Only is only for the Firewall part. In D+ svchost is part of the Windows Updater Group.

What do you mean with corrupted?

Corrupted, hacked, infected; if it is used to call for something malicious from the Net it’s because something controlled it. How, if it’s protected by Defense+?

My doubt about the Outgoing Only option is that in my FW (3.10xxx513) under Application Rules, I only find Windows Updater Applications. I don’t see svchost anywhere.

Svchost is part of the My Protected Files. So, you should get an alert if something you do not trust tries to manipulate svchost.

My doubt about the Outgoing Only option is that in my FW (3.10xxx513) under Application Rules, I only find Windows Updater Applications. I don’t see svchost anywhere.

My doubt about the Outgoing Only option is that in my FW (3.10xxx513) under Application Rules, I only find Windows Updater Applications. I don't see svchost anywhere.

If that’s the case, I surprised you’re able to do anything. Svchost connectivity is required for a number of things and optional for many others. For example, svchost is responsible for obtaining an IP Address via DHCP. By default it’s responsible for all of your DNS queries. Also Windows Update won’t work without it.

Optionally it can be used for such things as updating your system time via NTP.

There are others…

Thanks for the answer.

I know how essential svchost is and it does connect. I can see it in the main interface, under Traffic, all the time.

The thing is that I don’t see it in FW’s Application Rules. I only see Windows Updater Applications.
Is this how it should be?

If you look in my file groups svchost is include in Windows Updater Applications.

[attachment deleted by admin]