Trying to block outbound System and Svchost connections

Hi,
I recently had a virus in my LAN; to prevent it spreading, I have installed Comodo Firewall.

After installing Comodo on a PC that had previously been infected, I noticed it was making outgoing connections using System and SvcHost to some other PCs in the LAN.

I opened Firewall > Advanced > Network Security Policy

In Application Rules for System and SvcHost, I edited and added the following:

Action: Block
Protocol: IP
Direction: Out
Source address, destination address, source port, destination port: Any

but this did not stop the outgoing connections. Are there other settings which could still be permitting these outgoing connections?

Thanks

Nick

Hi Nick, the application rule “Windows Updater Applications” includes svchost.exe; check out Defence+/Advanced/Computer Security Policy–>Windows Updater Applications to see what it contains.

Try changing that rule to Ask/Block and see if that helps, but be aware that this may upset DHCP, Windows Updates etc.

Matt

Sorry Nick, I should also have said: move the Firewall/Advanced/Firewall Behaviour Settings–>General settings up to “Custom” and the Alert settings to at least “High”. This way you should receive a pop-up for any application which doesn't have a rule for it in “Application rules”.

Thanks for your advice.

I opened Defense+\Advanced\Computer Security Policy\

Windows Updater Applications contains svchost.exe
If I select Edit, Windows Updater Applications are set as Installer or Updater

Windows System Applications contains System
If I select Edit, Windows Updater Applications are set as Windows System Application

I changed both of these to Ask, but the PC still makes outgoing connections.

I noticed all the IP addresses the PC is trying to connect out to are other PCs in the network which have printers installed, to which this PC is configured to print. The destination port is always 135, and the source port is between 1130 and 1217, so I’m sure the traffic is legitimate, but I’d still like to know how to control it.

Nick
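As an added example (not from this thread or from Comodo), the following Python script triages constructed firewall log lines for the pattern Nick describes: outbound connections from System or svchost.exe to TCP port 135 (the RPC endpoint mapper, which Windows uses when contacting shared printers on other hosts). The LAN range, the list of print-server addresses and the log format are assumptions; the script keeps the expected print-server traffic apart from port-135 connections to unknown LAN hosts or to addresses outside the LAN, which are the ones worth reviewing.

```python
import ipaddress

# Assumptions for this example: the poster's LAN range and the hosts that share printers.
LAN = ipaddress.ip_network("192.168.1.0/24")
PRINT_SERVERS = {"192.168.1.20", "192.168.1.21"}
SYSTEM_PROCESSES = {"system", "svchost.exe"}
RPC_ENDPOINT_MAPPER = 135

# Constructed sample log lines: "<process> <direction> <src_ip:port> <dst_ip:port>"
SAMPLE_LOG = """\
svchost.exe OUT 192.168.1.10:1130 192.168.1.20:135
System OUT 192.168.1.10:1217 192.168.1.21:135
svchost.exe OUT 192.168.1.10:1150 203.0.113.7:135
firefox.exe OUT 192.168.1.10:49200 198.51.100.9:443
System OUT 192.168.1.10:1160 192.168.1.99:135
"""


def parse_line(line):
    """Split one log line into (process, direction, src_ip, src_port, dst_ip, dst_port)."""
    proc, direction, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proc, direction, src_ip, int(src_port), dst_ip, int(dst_port)


def classify(proc, direction, dst_ip, dst_port):
    """Label one outbound connection according to the pattern discussed in the thread."""
    if proc.lower() not in SYSTEM_PROCESSES or direction != "OUT":
        return "other"
    if dst_port != RPC_ENDPOINT_MAPPER:
        return "other"
    if ipaddress.ip_address(dst_ip) not in LAN:
        return "review: rpc-to-external"        # port 135 off the LAN is unexpected
    if dst_ip in PRINT_SERVERS:
        return "expected: rpc-to-print-server"  # matches the printer traffic Nick saw
    return "review: rpc-to-unknown-lan-host"    # LAN host with no known printer share


def triage(log_text):
    """Return a list of (dst_ip, label) for every line in the log."""
    results = []
    for line in log_text.splitlines():
        proc, direction, _src_ip, _src_port, dst_ip, dst_port = parse_line(line)
        results.append((dst_ip, classify(proc, direction, dst_ip, dst_port)))
    return results


if __name__ == "__main__":
    for dst, label in triage(SAMPLE_LOG):
        print(f"{dst:16} {label}")
```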

The Defence+ settings are/should be all right and not changed.

You need to make sure the Firewall is in “Custom”, with alert settings at least High.

What Application rules (in Network Security Policy) do you now have for System/Windows Updater Application and svchost?

Matt

One thing you could try, Nick, is to left click on the Comodo Tray icon and select Configuration-> “Pro-active security”. This should then give you the basic default rules; first off change to Custom/High, then change the Windows Updater rule in Application rules to “Ask”.