Windows Operating System / System Idle Process in Logs [Merged Threads]

I recently installed comodo firewall 3 and while looking through the new gui i suddenly notice a lot of connection blocked i check the log and its all a bunch of incoming tcp from seemingly random ip’s for system idle proccess
what can this be?

Additional Information:
comodo firewall version:3.0.1
os: windows xp sp2
internet: adsl shared through home lan
other secuirty program: avast antivirus 4.7.1074
permissions level: admin

[attachment deleted by admin]

I also am getting around 100 of these alerts too… wonder if anyone knows why?

I got them as well, but I disabled the logging on it :). Depending on how you set your rules (I shouldn’t have picked expert on everything :’(), the application rules now have the ability to log blocked connection attempts.

Don’t remember seeing this in Beta, but I’m getting a lot of blocked inbound connection from various IP’s to SIP. Any thoughts?

Really? I’ve always had blocks against System Idle in probably every release. Although Egemen might have said… I’m vague on this. I’ve asked previously what it was, but I can’t remember if I got an answer. It’s not reference in the Help. I’ve assumed, up to now, that System Idle means “no associated process”… and/or maybe a Global Block. :slight_smile:

Hi Kail, I guess the block does come under the Global Rule, but I’m curious as to what, exactly, it’s doing. I’ve never seen this in any firewall I’ve used. Almost as soon as I logged on to the Net, I got inundated with these block events.

I’ve put Wireshark on the case, maybe it’ll reveal something.

Have just installed and am also seeing plenty System Idle Process blocks. Even testing at
Shields Up (via dial-up to bypass router), shows all the Shields Up source ports as SIP blocks.

AFAIK SIP is only required to be configured for tunneling and can be safely blocked for other things.
Always blocked it, since it always tried to make outbound DHCP calls to some unknown(for me) locations.

I’m also getting this “system Idle process” blocked in my log for version 3. I’ve never seen it in any firewalls I’ve used either. What does it do and what is it blocking?

I’ve noticed this as well. The SIP from what I understand has to do with process’ in your own computer, nothing with the internet. Under Firewall-Advanced-Network Security Policy the system is outgoing only and blocks unmatching requests. I don’t know what it means but I, personally, don’t think it’s going to hurt the system.

If you look at the TaskManager processes window, SIP is the process that nominally uses all the system resources that are not being used by other processes. I think it is a RAM scavenger, picking up RAM from other processes as a housekeeping action. I don’t get the blocks on my system, but I have configured it for local and multicasting privileges. The multicasting IP range is from to and to for local multicasting and to for Internet multicasting. If you are seeing remote IP’s not in the multicasting range, you should try stealthing your ports. There is also the possibility of torrent servers polling your computer to see if it is available and probably others that I know nothing about.

‘System Idle Processes’ reflects the percentage of time your Processor has nothing to do, that’s all. Generally this value has a high value 90 plus.

I can see no reason why this process should be trying to connect to the Internet, as it’s a local system process.

As I said the IPs and ports it’s attempting to connect to are totally random. I don’t use P2P or IM…

What those entries look like?

Hi gibran, here’s a couple.

[attachment deleted by admin]

I have the same problem like Toggie.

I’m experiencing the same. Sorry I hadn’t bothered to examine the logs in v2. I seem to get millions of inbound attempts from all over the world on the System Idle Process, and from my IP vicinity on System and svchost.exe (better explained here). I’ve disabled logging for the block global rule just because of it, I wasn’t experiencing problems or noticeably high processor or hard disc usage but I though it was no good logging all that and besides burying more relevant events.

Hey you kept your word there are really two :stuck_out_tongue:

Anyway I guess that Source and destination ports are all random.

Here it is the deal it is possible to have SIP blocked entries with the same source port (usually source port 80 are caused by late RST packets) due to V3 Stateful Packet Inspection but the log cannot show this extra info ATM.

So I guess that this activity is due to SPI too.

Since this is strange traffic I guess you could install Wireshark and check if there are invalid TCP flag combinations or such.

Thanks gibran, I have wireshark installed already, but I until a few minutes ago I kept missing thise events.guess I should have just left WS running :-X

Anyway, I finally managed to capture several of these events and they turn out to be the typical NetSend rubbish


. Of course I have the Messenger service disabled, so I don’t see these pop-ups. It is curious, however, that these are being intercepted by SIP.

Your kit is unclean Sir! :wink: I’ve read about these… you run an on-line scan or download something… & occasionally it jumps out & tries to scare the skin off the user into buying the said product. Not nice. You need to run HiJackThis mate or something like that… adware? scareware? :smiley:

The bastards! (:AGY)