Utorrent

Hi.

After installing Utorrent and while I was configuring it (no Torrents running) I received an alert from the FW (see snapshot).
I decided to block it and after beginning a download entries started to show in FW Events (snapshot). These entries continued for two hours after the download was finished.
I still can’t figure out what the alert exactly meant. Can anyone shed some light?

Regards,
Jose.

[attachment deleted by admin]

The initial alert is for an inbound connection against svchost, however, the entries in the log appear to be against the system process, neither of which should be happening in the context of uTorrent.

Is there any additional information you can provide. I assume 56169 is your uTorrent port?

You will find, depending on your firewall configuration, log entries for inbound connections against your uTorrent port, even after you have closed the application. This is simply due to the behaviour of p2p networks. However, these entries are typically picked-up by the Windows Operating pseudo process and can easily be handled with a simple rule.

Hi Radaghast, thanks for the answer.

The entries are for svchost (snapshot 1).

The Utorrent port is 45088 (snapshot 2). After the alert for port 443 (same snapshot) a download starts.
Some minutes after (snapshot 3) the svchost alerts begin.

There’s also a type 8 alert (snapshot 4) which I don’t know if it’s relevant or not.

I’ll start a new download in half an hour just to see if the issue continues.

[attachment deleted by admin]

It’s difficult to see how these are related. The port for the inbound svchost connections is not associated with your uTorrent port.

The connection to port 443 is from mdfeedsync, which is the RSS updater in Internet Explorer, and its destination is Microsoft. The ICMP entry in the fourth image is an Echo request, also destined for Microsoft.

Svchost, as you may know, is simply a vehicle for numerous other processes, quite a few of which open listening ports in the Dynamic range (49152–65535). To get a better idea of what may be going on, it might be helpful to identify which svchost instance is listening on that port.

The easiest way to achieve that is to open a command prompt and type netstat -ano, identify the PID of the instance of svchost listening on that port, then type tasklist /svc, find the PID and identify the services.

Alternatively, download something like Process Hacker and use the Network tab to identify the PID of the svchost instance using that port. Double click the svchost entry and it will take you to the Process page from which, by double clicking on the highlighted entry, you can find out which specific services it’s using (Services tab).

In Process Hacker/Network tab I see that the “owner” is iphlpsvc.
Going to Processes tab and double clicking shows the following (snapshot).

I think I’ll just tell CIS not to log those entries.

[attachment deleted by admin]

The iphlpsvc is associated with IPv6 and provides the framework to support the various tunnelling options used by the protocol stack. If you’re not using IPv6 you could disable it and see if the events go away…

Hi again Radaghast.

Disabling IPV6 didn’t make a difference.
I think I’ll just forget it. After all CIS is doing its job, so I suppose all is right.

It’s curious though… I had this issue on my previous Vista 32-bit; then, with a new install of CIS it went away; then with yet another install it came back; then… this happened several times with both the same version of CIS and new versions. First I thought it had something to do with the machine but now I’m on a new one with W7 64-bit.

Anyway, not serious I think.

Thank you so much for your help,
Regards.

A little further investigation reveals that these may indeed be uTorrent related and also associated with IPv6. What threw me was the originating port and I still need to think about that, but these are almost certainly related to IPv6 tunnelling.

You could try disabling Teredo, one of Microsoft's tunnelling technologies. At a command prompt type:

netsh int teredo set state disabled - press return

See if that makes a difference…

You can safely block without logging on these events.
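Added example (not from this thread or from Comodo/uTorrent): a PowerShell script that does the netstat -ano / tasklist /svc lookup described earlier for one port, maps the owning svchost PID to the services hosted in that instance, and, if iphlpsvc turns out to be the owner, shows the current Teredo state. It assumes Windows 8 or later (Get-NetTCPConnection / Get-NetUDPEndpoint) and a port number supplied by the user.

```powershell
# Added example: map a firewall-logged local port to the process and the
# services behind it. Not part of the original forum posts.
# Assumes: Windows 8+ (NetTCPIP module), run from an elevated prompt so
# OwningProcess is populated for every socket.
param(
    [Parameter(Mandatory = $true)]
    [int]$Port   # the port shown in the firewall log, e.g. the svchost entries
)

# uTorrent-style traffic can be TCP or UDP, so check both socket tables
$tcp = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint   -LocalPort $Port -ErrorAction SilentlyContinue

# Merge owning PIDs, drop nulls, de-duplicate (same as reading the PID
# column of 'netstat -ano' for that port)
$owners = @($tcp.OwningProcess) + @($udp.OwningProcess) |
          Where-Object { $_ } | Sort-Object -Unique

if (-not $owners) {
    Write-Output "Nothing is listening on port $Port right now."
    return
}

foreach ($procId in $owners) {
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    Write-Output ("PID {0}: {1}" -f $procId, $proc.ProcessName)

    # Services hosted in this particular process (what 'tasklist /svc'
    # shows for that PID); for svchost this is the list that matters
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $procId"
    foreach ($svc in $services) {
        Write-Output ("    {0,-16} {1}" -f $svc.Name, $svc.DisplayName)
    }

    # iphlpsvc hosts the IPv6 transition tunnels (Teredo among them), so
    # report the Teredo state to decide whether it is worth disabling
    if ($services.Name -contains 'iphlpsvc') {
        Write-Output "    iphlpsvc owns this port; current Teredo state:"
        netsh interface teredo show state | Where-Object { $_ -match 'State' }
    }
}
```

Run it as `.\Find-PortOwner.ps1 -Port 56169` (file name is an assumption); if the output names iphlpsvc and Teredo is in the client state, the netsh command above is the switch being discussed.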

Radaghast, you’re the man!
It worked.

After I disabled Teredo I noticed there was a box in Utorrent/Preferences/General saying “Install IPv6/Teredo” which had been previously greyed out. I should have noticed that.

And now I understand the issues in my previous Vista. Sometimes I would install Utorrent while Windows FW was on; and only after I would install CIS. So Windows FW would probably enable Teredo by default.

Thank you kindly, you’ve been priceless.

Just one last question: I presume there will not be any kind of problems with Teredo off?

Regards.

I’m glad we got to the bottom of that :slight_smile:

Disabling Teredo won’t have any adverse effect on day to day operations. If you do decide you wish to investigate Teredo tunnelling, at some point in the future, just re-enable it:

netsh int teredo set state client
