Windows Operating System blocked.

Hi. This is my first time posting here. I created this account just to ask this.
Recently I saw that Comodo Firewall blocked “Windows Operating System” as an application. It was trying to do something to another IP from my router (in this case, my PS3). I got surprised and curious because that was the first time I’ve seen Comodo acting like that. No torrent programs or any program that uses the internet was running (even Windows Media Server wasn’t running) when that happened.
So I’m wondering if this is normal and if this already happened to any user as well.
Thank you!

I wonder…

Sometimes I get a lot of events (a window full of events) saying that the Operating System was blocked (TCP, UDP), with different IPs too; the only thing in common is the Destination Port, which is the same as my utorrent port… (I’m using Radaghast’s rules)

It was the first time that happened to me.
In my case, sometimes another weird thing happens: a lot of connections appear with my router, always with port 49152 and a different IP receiving data from my PC. It’s really weird! I have a screenshot; I think I’m going to upload it here for people to see. This has stopped happening for some days, but this “Windows Operating System Blocked” was the first time that happened.

Hi guys,

I got a similar problem, but in my case only when I’m using utorrent. Actually, it happens only when I quit utorrent; the firewall starts to block connections because there is no app listening for them, I guess.

utorrent is working just fine, but it’s weird to see that many intrusions every day there :smiley: Any idea how to solve it, anyone?


When CIS gets incoming traffic that no program is listening for, it will log that as blocked by Windows Operating System (WOS).

If you are using a p2p program it will take several hours before the computers of the network figure out your computer is offline. During that time you will see a lot of incoming traffic logged at the port for the p2p program. If you don’t want to see that traffic, follow How To - Stop Logging Blocked Torrent Port When Client Is Closed.

If you don’t have CIS set to trust local network traffic you will also see it blocking local traffic. That local traffic will be typically at ports 135-139 and 445.

Seems to be working now. Thanks a lot!

Thank you very much!

It wasn’t on these ports; it was on a high port, 5388 or something like that. Anyway, I’m posting a pic of what I said earlier.
When this happened I freaked out, because it was the first time I’ve seen it and I didn’t use uTorrent that day. :S
Is there a way to discover what svchost.exe is sending or something?


I think you are referring to the traffic to IP address IP address belongs to Akamai. Akamai is a huge hosting provider for distributing downloads and updates for big software companies.

From the logs it shows there is a lot of traffic coming in from Akamai, which indicates a program updating. To know which program, you would need to cross-reference the Process ID (PID) of the service host process with the outcomes of analysis tools like svchost analyser or svchost viewer.
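
One way to do the PID cross-reference described above with built-in PowerShell cmdlets, as an added example that is not part of the original thread. It assumes Windows 8 or later (for `Get-NetTCPConnection`) and an elevated prompt so that all processes and services are visible.

```powershell
# Added example: list established TCP connections owned by svchost.exe and
# show which Windows services are hosted in each owning process.

# PIDs of all running svchost.exe instances.
$svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id)

# Index running services by the PID of the process that hosts them.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "State = 'Running'" |
    ForEach-Object {
        $key = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
        $servicesByPid[$key] += $_.Name
    }

# Join each svchost-owned connection to the services running in that PID.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $svchostPids -contains $_.OwningProcess } |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId     = $_.OwningProcess
            Services      = ($servicesByPid[[int]$_.OwningProcess] -join ', ')
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    } |
    Sort-Object ProcessId, RemoteAddress |
    Format-Table -AutoSize
```

The `Services` column names the services sharing that svchost instance, which narrows down which one is talking to the remote address seen in the firewall log.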

I see. But do you think this is normal? BTW, I’m getting an error when posting here. It’s saying that my IP’s last post was less than 1 second ago. What the…?

I have never heard of malware being hosted at Akamai.

BTW, I’m getting an error when posting here. It’s saying that my IP’s last post was less than 1 second ago. What the…?
That’s an annoying forum bug that bites all of us from time to time. It is usually short-lived, but it has been reported to take several hours to go away and, if memory serves me well, in a very rare case with one of our users it took like two days.

When it happens just try again later.

Ok, thank you.

Sorry for resurrecting this topic, but I had to ask something. Is it normal for svchost.exe to open connections to IPs that are not from Microsoft?
Please help me with this question! :smiley:

Svchost.exe can be used by non system applications as well to connect to the web. I know for example that the Adobe updater may revert to using svchost.exe if another way to connect is not allowed.

Oh. I got it. Thanks.