Win 10 CF block outgoing TCP Windows Operating System

Comodo Internet Security - CIS Firewall Help - CIS
#1

The CF settings:

Out of the box clean Config:
“Proactive Security”

Firewall:
“Safe mode”
Do not show popup alerts “Block Requests”
Filter IPv6 Traffic “On”
Filter Loopback Traffic “On”
Do Protocol Analysis “On”
Enable Anti-ARP Spoofing “On”

HIPS:
“Safe Mode”

Containment:
Do not virtualize access to … “Both Off”
Do not show privilege elevation alerts “Run inside the container”

The rest is default.

I’m still in the process of setting up Win 10 for a friend, no odd programs just some basic stuff and at first I noticed 4 Windows Services (one labeled as Network Service and the others just as System) in the task manager that where nameless, as in defined “(null)” if examined showing up as a win 10 service icon and no description, just running a normal svchost.exe when checking what process was linked to it, doing nothing else they’re idle, they could not be terminated as they where part of the system which struck me as even stranger, they where gone after a reboot and I’ve been trying to pinpoint which program calls them but no such luck.

Now I suddenly noticed a firewall warning from the localhost to the localhost getting blocked.

Application “Windows Operating System”
Action “Blocked”
Protocol “TCP”
Direction “Out”
Source “127.0.0.1”
Source port “49670”
Destination “127.0.0.1”
Destination Port “49669”

Which landed “Windows Operation System” in the Blocked Applications section waiting for me to unblock it.
It struck me as odd, especially the ports used on the loopback zone while doing nothing.
Something doesn’t feel right. I haven’t really worked with Win 10 much I’m doing this for someone else but it just doesn’t feel right because of the odd (null) services as as well.

Scanned for viruses with the Windows scanner and Avast, both as deep as possible and afterwards an Avast bootscan, nothing showed up as infected.

This is the entire program list, I removed most of the Win 10 bloatware and some OEM MSI stuff but other then running the Win10 Privacy (source Major Geeks) this is the entire installed programs list, there is nothing odd there but I’m still wondering if I need to reinstall, I’m more then likely wrong but I just don’t trust what’s going on.

Is there someone that knows what could cause these two events?

#2

If it only happened once and you can’t trigger it again then it most likely was a bug that cfw couldn’t determine the process making the connection so it just attributed it to WOS. Or it could be a kernel mode driver making use of winsock kernel though unlikely.

#3

Only happened once so far.
With my policy I had to whitelist it first but deleted the right away so the event could happen again but I haven’t seen it.
Haven’t seen it create nameless Windows Services anymore either.

Normally I would just reinstall just to be paranoid (since its about an hour work away from a fresh install and I wanted a 100% clean install) but it’s not my SSD and I’m not that familiar with SSD’s but I do know it has a limited TDW of about 60 or 80 GB a day :stuck_out_tongue: