Windows Operating System Getting 100's of intrusion attempts!

Ok so I listed the Windows Operating System service from active process list as a “Windows System Application” and I set it to allow outgoing connections only.
When ever I make that rule I always get 100s of intrusion attempts from an IP in my range.
Its trying to send out UDP,TCP,IGMP connections. The connections are being blocked and everything is working fine but I don’t get why Windows Operating System needs to connect to so many foreign addresses?
Also if I remove Windows Operating System as an outgoing connection and if I don’t make a rule for it then the Intrusion Attempts stop…
Can somebody tell me what they think is going on here?

This is one of the addresses its trying to connect to-
IP Address
Location CA CA, Canada
City Fredericton, NB -
Organization Stentor National Integrated Communications Network
ISP Stentor National Integrated Communications Network
AS Number AS855
Latitude 45°95’00" North
Longitude 66°63’33" West
Distance 6761.43 km (4201.36 miles)

Can you post a screenshot of the firewall logging ?
We need a bit more details about what tcp/udp ports are used to “probe” your system.

I have that too… I just ignore the intrusion attempts… I have 650 intrusion attempts, all are UDP and have foreign destinations… spooky…

Are those related to UDP port 137, 138 and 1027 ?

Mine ports are very random… you see all possible combinations…

Can i assume that you don’t have a filtering router in front of your pc ?

Are the “attack” source ip’s in or near your own ip address ?

I shall post a screenshot I think


I know what is causing all those alerts:

When you enabled port forwarding on your router (in this case port 17657) and you use a torrent client and you block incoming requests, you get the stuff you see in the screenshots:

[attachment deleted by admin]

I’m having the same problem. I’ve noticed that they are related to ports pretty close to these numbers. I don’t use a torrent client, nor a router.

‘sychost.exe’ is also getting a lot of attempts (port 135).

Grateful for help.


I found this thread while doing a search for a similar problem. I am using CIS version 3.8 and am getting thousands of intrusion alerts from Windows Operating System - UDP - source port 67 - destination port 68. I left out the IP addresses as I read somewhere to do and also noticed on the screenshots they were blanked. I am not on a router. I have a fast ethernet cable broadband connection via Virgin Media. Reading the replies that came up during my search I realise that this may be just the firewall doing it’s job but before I change the rule to not log these events I would appreciate it if someone with more knowledge can tell me what ports 67 & 68 are as at least 90% of the blocked results are from and to there and I would like to be sure that it is not something I should allow rather than block. I reopened this thread rather than open a new one and would appreciate any help offered.

Hello BJ,

Those are the ports used for DHCP see also Dynamic Host Configuration Protocol - Wikipedia

This gives a network administrator the option to control which ip address your computer gets.

You can check your ip configuration by opening a cmd prompt (start, run, type cmd and press enter)
Now type ipconfig /all then you can see all properties for your network configuration and also if it’s using DHCP or not.

If you are not on DHCP you can safely drop these packets, if you are on DHCP you should have to allow them because once the “lease” time is over you could run in to connectivity trouble because you won’t receive an updated ip address from the DHCP servers.

Right Ronny,
First off thanks for the reply. I followed your instructions and in the results under the first part regarding my Ethernet adaptor along with my PC address and some other stuff it stated,
DHCP — Enabled.
Auto configuration — Enabled.
Lease obtained from 16/02/09 to 20/02/09.

Now I am not very PC techy being 60yrs old and don’t really understand what this means. Reading the Wikipedia link it seems that it has to do with a network. Now my PC is the only PC at my address. I have a broadband Internet cable connection provided by Virgin Media here in the UK. Is that what is meant by a network and if so then what rule would you suggest I set for this setting.

I did a search on DHCP and found the following thread which seems to be what is happening. I have applied the DHCP rule as the first in my Global rules as recommended there and will wait and see if that solves the problem.

Hello BJ,

I would create the following rule to allow the DHCP traffic.
First create a rule on the “Global rule” Tab, open the GUI, Firewall, Advanced, Network Security Policy, Switch to the Global rules tab. Click on the top rule and press the [ADD] button.

Action: Allow
Protocol: UDP
Direction: In/Out
Source: Any
Destination: Any
Source port: Range Start Port 67 End Port 68
Destination port: Range Start Port 67 End Port 68

You could use the “log” option if you like to see if it matches.
And then press [Apply]. Drag the rule to the top and apply the policy pressing the [Apply] Button.

Now if you open the command box (cmd) again and try the following:

ipconfig /renew press [ENTER]

This should trigger a renew request for the current IP Address using DHCP, there could be an alert that for the same ports some windows applications wants access, you can safely allow and remember it, I’m not sure but i guess it will be svchost.exe.

Okay then you could test it using the option i suggested…

Thanks again Ronny, I have followed your test instructions and hopefully that is the problem solved. The new rule is working fine I am now only getting a fraction of the intrusion alerts to previously.

No problem,
You can always ask what the other one’s are so i can see if they are “attack/probes” or just noise you can safely filter.

Here is what I have now this morning Ronny, the ones mentioned in previous posts have gone and I have figured out how to take and post a screenshot (see below). The first two on the list the ICMP ones appeared at exactly the same time as I get the “Updates are available for Comodo” message which when I click to install get the Error 108 warning mentioned in a previous thread I started.

I very much appreciate your help in this and hope you can tell me if any of the listings are ok or if indeed they are genuine malware intrusion attempts.

[attachment deleted by admin]

Hello BJ,

Glad i could help, i can confirm all other traffic that is blocked are active probes on a live internet connection.
And justified to be dropped, unless you run a ssh server, ftp server, file server, ms sql server, irc server and MS RPC…

For the updates available, are you running Vista and are you running cis version 3.8.64263.468 ?


Thanks again Ronny, I am running CIS version 3.8, Virus Database 983. The VDB is updating normally but 2-3 times daily I get a little pop up bubble telling me that updates are available for Comodo Firewall. I just X them now as when I click on ok it disappears and when I go to manual, it searches tells me updates are available and when I click next to install I then get the error 108 message. Everything other than this works fine so I think it is just some sort of glitch which hopefully will resolve itself after the first genuine Comodo update. I am not on Vista but am on Windows XP Home Edition updated to SP3.
On release day I downloaded V3.8 to my desktop and disconnected from internet. I then uninstalled V3.5 went to Program Files and Application Data (with hidden files and folders revealed) and deleted all Comodo Firewall folders but leaving BoClean. I never used the Comodo registry cleaner as I am wary of such tools. I then rebooted my PC and while still off line switched off BoClean and installed V3.8. Prior to reboot notification after AV scan I reconnected my internet connection. I then came here and reapplied all of Kyles Guides as I forgot to retain them from V3.5. I have my Network Defence Policy set at Custom Policy Mode and Defence+ set at Safe Mode.