Why does it block svchost.exe's which originate from C:\Windows\system32?

Those are safe, right? So why are they blocked? I click on ‘View Firewall Events’ and it shows 6 Asked and 5 blocked (because when it asked me, I clicked ‘Allow’, so the last one is just ‘Asked’ because it’s that one…I assume…).

Hello ozzy;

Could you please post a screen shot of the following;
Firewall Events (CIS > Firewall > firewall events)
Global Rules (CIS > Firewall > Network Security Policy > Global Rules)
Svchost Rules (CIS > Firewall > Network Security Policy > svchost (double click) )

thanks!

Jake

I couldn’t do the last one, but here are the first two:

(http://img.photobucket.com/albums/v735/ozzyoscar/co1.jpg)

Hello;

I’m assuming you have another computer(s) in your network?
192.168.1.65
192.168.1.254

Could you define these IPs for me?
And do you have file sharing/printer sharing/IIS enabled on your network?

Seems that it’s from the RPC Service;

Jake

This is the only computer I have. I have a BT home hub though, which is a router I guess, and I guess those are something to do with DNS. I was going to run ipconfig to find out, but I guess Comodo doesn’t want that because the window closes straight away.

I don’t understand the rest of your post. I have a computer connected to a home hub connected to a phone line.

I think 192.168.1.254 is the router’s address (Gateway). Ozzycosy is from the UK I think on a connection from British Telecom. Big ISPs like BT often use Thomson SpeedTouch modem/routers which have 192.168.1.254 as Gateway address.

You need to run the ipconfig command from the command prompt. At the place where you typed ipconfig you type cmd.exe and push enter. Now you are in a black box. Type ipconfig and push enter and look up the Default Gateway address.

Are there other computers in your house on this connection?

This is the only computer I have.

The .65 number is the IP address and the .254 number is the default gateway.

It is not blocking svchost.exe; it is blocking the incoming Universal Plug and Play (UPnP) traffic from the router to your computer. UPnP makes sharing of multimedia over the local network easier.

Since you are using this connection by yourself alone you can choose to disregard it or make the gateway address part of a trusted zone so it won’t show up in the logs.

Ah that’s good then. I can choose to disregard it, so that means it doesn’t matter if it’s blocked or allowed?

How do I make the gateway address trusted (assuming it’s safe rather than just convenient >_> )

In your situation it does not matter whether you allow the traffic or not.

How do I make the gateway address trusted (assuming it's safe rather than just convenient >_> )
How to make a local network a trusted zone.

Create a zone in My Network Zones (Firewall → Network Security policy). Choose Add → A New Network Zone → fill in a name like My local network → Apply.

Now select My Local Network Zone → Add → A new address → choose Single Address → fill in your router’s IP → Apply. Now check and see the new network defined. Exit using Apply.

Now we are going to use the Stealth Ports Wizard to make your local network a trusted network:
Choose “Define a new trusted network and stealth my ports to EVERYONE else” → Next → choose “I would like to trust an existing My Network Zone” → choose your local network zone from the drop down box at the bottom → Finish.

Now check your Global Rules and see your network added.

Hmm, when I first connected the router to the computer, a thing popped up asking me to name it. I ticked a box saying ‘trust to network’ or something, allowing it I suppose. Is this the same thing?

That is the same thing.

Can you show me a screenshot of your Global Rules for verification of that?

Good timing: Today the connection naming window came up again for some reason, despite not doing so for days. I clicked ‘cancel’ this time.

So now, here are my Global Rules:

‘BT home hub’ being what I named the connection.

Thanks.

To go back to your original question after we diverted some.

When you look more closely at the logs you will see an ask-block sequence within a short period of time. I think that indicates the user blocked the request.

There are also several sequences of “asked” with a bigger period of time in between. With standard settings you will see an alert for 120s. After that the request will be denied; it is what Comodo calls Default Deny. That means you are safe when you don’t answer an alert.

The alert you see comes up when CIS sees a new network. Sometimes during boot when the network connection has not been released Windows does not see a network. In that case Windows will give the network adapter an IP address in the 169 range (APIPA). That is most likely what you are witnessing. I see that happen when I let Easy VPN boot with Windows; I get that “found a new network” window for the 169 range.

You can disable that alert under More → Preferences → General → by disabling “Automatically detect new networks”.
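
Added example, not part of the original thread or of Comodo's software: a small Python parser for `ipconfig` output that tells an APIPA (169.254.x.x) adapter from a normally configured one and labels a firewall-event source address as the gateway, a local-subnet host or an outside host. The sample output and the function names are constructed for illustration; the two 192.168.1.x addresses are the ones discussed above.

```python
import ipaddress
import re
# Constructed sample of Windows `ipconfig` output (not from the thread's screenshots).
SAMPLE = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.65
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
Ethernet adapter VPN Adapter:
   Autoconfiguration IPv4 Address. . : 169.254.12.34
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(\S*)\s*$")      # "Label . . . : value"
IP_LABEL = re.compile(r"(Autoconfiguration )?IP(v4)? Address")

def _v4(value):
    try:
        return ipaddress.IPv4Address(value.split("(")[0])  # drop "(Preferred)"
    except ValueError:                                     # blank or non-IPv4 value
        return None

def parse_ipconfig(text):
    adapters = []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapters.append({"name": line.rstrip(": "), "ip": None, "mask": None, "gateway": None})
        elif adapters and (m := FIELD.match(line)):
            label, value = m.groups()
            if IP_LABEL.fullmatch(label):
                adapters[-1]["ip"] = _v4(value)
            elif label == "Subnet Mask":
                adapters[-1]["mask"] = value
            elif label == "Default Gateway":
                adapters[-1]["gateway"] = _v4(value)
    return adapters

def adapter_state(a):
    # "apipa": Windows self-assigned a 169.254.x.x address because it saw no network.
    if a["ip"] is None:
        return "no-address"
    return "apipa" if a["ip"].is_link_local else "configured"

def source_role(src, a):
    src = ipaddress.IPv4Address(src)
    if src == a["gateway"]:
        return "gateway"
    net = ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False)
    return "local-subnet" if src in net else "outside"
```
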

Thanks, mang.