Why is svchost.exe getting blocked by Comodo at least 5 times a minute?

Here’s a screenshot of my logs. There are over 1500 records of svchost being blocked so far:
http://i51.tinypic.com/j9xdli.jpg

I’m not sure why this is happening. I scanned svchost with Avast, then with virusscan.jotti.org and there doesn’t seem to be any infection. Is it safe to exclude svchost from the firewall?

Are there other computers in your network?

(Go to Start > Run > cmd > ipconfig. IP addresses of 2 computers in your network should match the above.)


Regards
Jacob

No, there’s only one computer. In ipconfig, 10.0.0.2 is listed as my IPv4 address and 10.0.0.1 as my default gateway in case you wanted to know.

edit: As I look further in the logs, this has been happening since OCTOBER.

Am I missing something? I don’t see a screenshot…

@Panic2 (Like the name, but it’s horribly close to mine),

Without detailed info, I would suggest that your PC has an IP address of 10.0.0.2 and your gateway is a router that has an address of 10.0.0.1. As such, this could just be normal LAN chatter.

Can you please answer the following:

  1. What brand and model of device do you use to connect to the internet (modem, router, modem/router etc.)?
  2. How do you connect to this device - USB, ethernet, wifi?
  3. Have you run the trusted networks wizard?
  4. Do you run any P2P applications (torrents or similar)?
  5. Is this PC on a network that contains an IBM Domino server?

@Ronny,

I can see the screenshot. It shows multiple inbound UDP connections from 10.0.0.1 port 2050 (gateway) to 10.0.0.2 port 60231 (PC). Ephemeral to ephemeral - that’s why I asked about P2P. :wink:

I’m not sure if it’s the same thing, but the connections being blocked are from/to 10.1.1.1-10.1.1.2 and not 10.0.0.1-10.0.0.2

  1. What brand and model of device do you use to connect to the internet (modem, router, modem/router etc.)? D-Link 504T Modem/Router
  2. How do you connect to this device - USB, ethernet, wifi? Ethernet
  3. Have you run the trusted networks wizard? If that’s the “Stealth Ports Wizard” that asks you to add a trusted network, I just did it for 10.1.1.1-10.1.1.2
  4. Do you run any P2P applications (torrents or similar)? No.
  5. Is this PC on a network that contains an IBM Domino server? No.

As of yesterday, I haven’t encountered any more of these except for one which blocked 10.1.1.1:67 → 10.1.1.2:68

Kind of strange how it stops happening suddenly after apparently happening since October of last year.

Bump, it’s also blocking 10.1.1.1:2050->10.1.1.2:58160 and 10.1.1.1:2050->10.1.1.2:49634. Is this normal behavior? Should Comodo be blocking/ignoring this?

It’s not strange when you consider that you have made a change - an important change;

> 3. Have you run the trusted networks wizard? If that's the "Stealth Ports Wizard" that asks you to add a trusted network, **I just did it** for 10.1.1.1-10.1.1.2

Running the Stealth Ports Wizard and specifying the IP address range that you did sets up a trusted network between the IP addresses in the range - therefore traffic between the IP addresses is classed as trusted.

Ewen :slight_smile:

Without further info, I would leave these BLOCKED. Ports above 1056 are classed as ephemeral ports and are not assigned to a standard service or protocol.

Your router (10.1.1.1) is sending a request from port 2050 to your PC (10.1.1.2), to its port 49634.

Port 2050 is not assigned to a standard service or protocol and should remain blocked.

Please check the firewall in your router. If needed, set up rules in the router's firewall to block these. This way, the requests will never reach CIS and therefore never get blocked by CIS, as they are being blocked by the router.

Ewen :slight_smile: