Svchost keeps popping up

Hi,

While toying around with my Firewall Policy I wanted to check whether or not I could bar svchost from trying to access the internet(*). So I told Comodo to consider svchost.exe a blocked application. However, pop-ups just kept on appearing asking me what to do with svchost.exe. No matter what I clicked (allow, deny), and whether or not "remember my answer" was checked, I would always get another pop-up. ??? What’s up with that? There’s probably a couple of instances of svchost running, but this was a true avalanche of pop-ups. Any info on what to do with svchost would be greatly appreciated.

Cheers,
El Presidente

*: After browsing these forums I sort of realize svchost needs an internet connection for various stuff, so I’ll probably allow it to connect. Would setting it to be a trusted application be safe?

Svchost by itself is safe, but can be used by unsafe processes. I wouldn’t set it as a trusted application. Some people have good results by setting it to outgoing only.

Welcome to the forums ElPresidente86.

Svchost.exe is used by a great many processes and really should be allowed at least some Internet access. Without it you’re going to find services like DNS and DHCP are not going to work.

If you don’t wish to go to the trouble of creating specific rules, just make it an outbound only service. There’s a predefined rule available for that.

Thanks for the replies people.

However, when taking the advice the problem persisted. :frowning: The firewall kept asking me what I wanted to do with svchost.exe. I set in the network security policy to be treated as “outgoing only”, and told Comodo in the alert to do the same. To no avail…

I’m thinking something’s wrong with my Comodo install. Updates are too slow, and now that the firewall’s turned off Defense+ started to show alerts I hadn’t seen before (like if my browser should be allowed to open my pdf-reader), even though I’d set it to “Paranoid Mode” a while ago.

ElPresidente, I have the same problem and have had since upgrading to 3.10.

CIS keeps giving me the alert below and, no matter what I answer, still pops up.

svchost is allowed out but is still a nuisance.

In the previous version of CIS I had svchost totally blocked and there was no problem.

I have asked about it and received replies, but I didn’t really understand the advice :frowning:

[attachment deleted by admin]

Once I set svchost as Outgoing only, I have never seen another popup regarding it.
Maybe due to its being digitally signed and I checked ‘Trust applications digitally signed by Trusted vendors’?

At ElPresidente86 can you show a screenshot of the Firewall Events?

At giraffe.
You can add a rule for the Bootstrap Protocol for svchost. I am not very familiar with the whereabouts of this protocol but I think I have the hang of it well enough to give it a go.

The bootstrap protocol, as far as I have seen here at the forums, is used by some cable companies to hand out IP addresses to their clients. It is a predecessor of DHCP. It will use broadcast (IP: 255.255.255.255) in both directions in case the client doesn’t know its IP address and is asking for one. As a consequence I think you must allow for incoming traffic for svchost for IP address 255.255.255.255 on UDP port 67.

Now edit the rule for svchost and choose use a custom policy → copy from predefined security policies → outgoing only → add →
Action: Allow
Protocol: UDP
Direction: In
Description: Allow incoming traffic for bootstrap

Source address: Any
Destination address: 255.255.255.255
Source Port: Any (you could try later to tighten up to 67)
Destination Port: 67
Make sure the new rule is above the basic block rule (red icon). Apply → Apply.

For those who like a read on this: The TCP/IP Guide - TCP/IP Bootstrap Protocol (BOOTP).
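The rule placement described in the post above, as an added example that is not part of the original thread or of Comodo's code: a small model of an ordered rule list for svchost, assuming rules are checked top-down and the first match decides. Rule names, the `decide` helper and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

ANY = None  # wildcard, like "Any" in the rule editor

@dataclass
class Rule:
    action: str            # "allow" or "block"
    direction: str         # "in" or "out"
    proto: str = ANY
    dst_ip: str = ANY
    src_port: int = ANY
    dst_port: int = ANY
    name: str = ""

    def matches(self, pkt):
        fields = ("direction", "proto", "dst_ip", "src_port", "dst_port")
        return all(getattr(self, f) in (ANY, pkt[f]) for f in fields)

def decide(rules, pkt):
    """Assumed semantics: the first matching rule wins; no match raises an alert."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "ask", "no matching rule (alert pop-up)"

# Rules as given in the post, plus the two rules of the "outgoing only" policy.
BOOTP_IN = Rule("allow", "in", "udp", "255.255.255.255", ANY, 67,
                "Allow incoming traffic for bootstrap")
BOOTP_IN_TIGHT = Rule("allow", "in", "udp", "255.255.255.255", 67, 67,
                      "Allow incoming bootstrap, source port 67")
ALLOW_OUT = Rule("allow", "out", name="Allow all outgoing requests")
BLOCK_IN = Rule("block", "in", name="Basic block rule")

AS_POSTED = [ALLOW_OUT, BOOTP_IN, BLOCK_IN]    # new rule above the block rule
MISORDERED = [ALLOW_OUT, BLOCK_IN, BOOTP_IN]   # new rule below: never reached
TIGHTENED = [BOOTP_IN_TIGHT, ALLOW_OUT, BLOCK_IN]

# Constructed sample packets (addresses from documentation ranges).
BROADCAST = dict(direction="in", proto="udp", dst_ip="255.255.255.255",
                 src_port=67, dst_port=67)
OTHER_SRC = dict(BROADCAST, src_port=68)
INBOUND_TCP = dict(direction="in", proto="tcp", dst_ip="192.0.2.10",
                   src_port=40000, dst_port=445)
DNS_OUT = dict(direction="out", proto="udp", dst_ip="192.0.2.53",
               src_port=50000, dst_port=53)

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("misordered", MISORDERED)):
        print(label, decide(rules, BROADCAST))
```

With the rule below the block rule the broadcast is dropped before the allow rule is ever evaluated, and all other inbound traffic stays blocked in every ordering.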

Thanks for this, Eric.
I’ve set it up as directed but haven’t rebooted (is this necessary?) and reconnecting still gives the same pop-up :frowning:

I did try, a couple of days ago, enabling DNS Client service, but that gave scores of pop-ups so I killed it again. I’ve never had that enabled and have always connected OK.

OK, now works!

Eric, I followed your instructions then tried moving the new rule to the top above Allow All Outgoing Request and it was OK.
Then limited both Source and Destination Ports to 67 and it still worked!

Now happy.

Thanks again.

Sorry, I decided to do a fresh install. Now nothing pops up. I must have messed up some rule or something. In the fresh install I’ve got svchost set up as outgoing only, and there’s no problem.

Glad to hear you solved the problem.

I was going to install afresh - downloaded the file - then tried Eric’s instructions and the problem’s gone. Even refined the setting down to In and Out ports being 67 and UDP to Out only and it still works. :-TU

If svchost migrated to Defense+ how can you configure it to Outgoing Only?

And if it is under My Protected Files umbrella how can it be corrupted?

Outgoing Only is only for the Firewall part. In D+ svchost is part of the Windows Updater Group.

What do you mean by corrupted?

Corrupted, hacked, infected; if it is used to call for something malicious from the Net it’s because something controlled it. How, if it’s protected by Defense+?

My doubt about the Outgoing Only option is that in my FW (3.10xxx513) under Application Rules, I only find Windows Updater Applications. I don’t see svchost anywhere.

Svchost is part of the My Protected Files. So, you should get an alert if something you do not trust tries to manipulate svchost.

My doubt about the Outgoing Only option is that in my FW (3.10xxx513) under Application Rules, I only find Windows Updater Applications. I don’t see svchost anywhere.

If that’s the case, I’m surprised you’re able to do anything. Svchost connectivity is required for a number of things and optional for many others. For example, svchost is responsible for obtaining an IP Address via DHCP. By default it’s responsible for all of your DNS queries. Also Windows Update won’t work without it.

Optionally it can be used for such things as updating your system time via NTP.

There are others…

Quill,
Thanks for the answer.

I know how essential svchost is and it does connect. I can see it in the main interface, under Traffic, all the time.

The thing is that I don’t see it in FW’s Application Rules. I only see Windows Updater Applications.
Is this how it should be?

If you look in my file groups svchost is included in Windows Updater Applications.
Dennis

[attachment deleted by admin]