Windows Operating System / System Idle Process in Logs [Merged Threads]

I should have thought about the Messenger Service, I just didn’t associate it with SIP. I remember reinstalling XP for a friend and forgot to disable the Messenger Service before going on-line to get the updates, I think I had 30 or 40 NetSend Messages within about 5 minutes!

Anyway, I know this system is clean, as I reinstalled using my MSDN XP Pro with updates and nothing else. LOL, my HJT log only has 10 entries :slight_smile:

Of course this doesn’t indicate infection, only outbound attempts would, I guess. I’ve never ever seen any of these messenger spam ads either, even before I disabled the service and even before I started to use CFP 2, looks like even the XP firewall blocked these attempts. Still, may these spammers rot in the Hell of Spammers for all eternity.

EDIT: By the way, as I said in my case connections with System and svchost.exe are attempted as well as with the SIP. Actually the attempts with the latter come from all around the world but to the other two just from my IP vicinity. Guess they’re all the same kind of spammers anyway.

I get a lot of events for ‘System’ and a few for Svchost. The System events are the usual MS-DS and NetBIOS, the Svchost look familiar too. Most of these were happening in V2 until I created rules to get rid of them. Once I’ve finished playing with V3 and how it works ‘out of the box’ I’ll create rules again.

I’m also getting this “System Idle Process” blocked in my log for version 3. In version 2.4 I’m getting blocked port 5000 every minute; in version 3 I’m still blocking System Idle Process. Only CPF 2.3.6.81 is good. Hi

These logs don’t say if they are TCP or UDP…
Is it possible that what you are seeing are the results of dropped packets?
I’m behind a NAT router/firewall so I normally won’t see anything in my CPF logs about dropped inbound packets.

If the messages are the same as the ones reported by Toggie, you are almost certainly seeing the Storm Bot Net worm in action. That kind of message - You have an infection!!! Download a free malware removal tool by clicking Here! is the kind of spoof that they use to fool people into installing the Bot on their systems. It’s rampant in the personal networking sites and accounts for 8% of total infections worldwide with estimates varying between 1 million and 50 million infected computers. I believe that it uses MS Messenger to display its pop-ups.

NetSend does use the Messenger service, which is why I have it disabled. It’s also why I can’t understand what SIP has to do with this.

New twist, Now I’m getting gazillions of inbound SIP requests on port 80 from my backbone provider…

I don’t really need the firewall to tell me that it’s blocked 300 or so “intrusion attempts”, when they’re not really intrusion attempts. In fact, because the firewall keeps logging these events as intrusions, I’m less likely to notice or investigate or do something when a real intrusion does occur. Ever heard of the story of the boy who cried wolf?
So, given that these “System Idle - Port 80” so-called intrusion attempts are nothing to worry about, how, please, can I stop the firewall filling up my logs with them?

I would post these logs, but I can’t see the option to export the logs as plain text - And nobody in their right mind would post their unedited HTML logs, would they? Especially since I see that the attachment options for these forums do not include html (:WIN)

On a more general note - I was alarmed to see, after installing v3, that it seems to be moving towards more bloating - Comodo are not alone in this - Ad-Aware, to my mind, have ruined a perfectly good UI and product by adding so much. Early days yet, but I may be looking at a leaner firewall if Comodo insists on adding unasked for and unrequired “extras” and needlessly playing around with the interface.

I’m sorry gibran, I really don’t believe these are RST packets

No need to be sorry :stuck_out_tongue:
Anyway, I guess that V2 type packets blocked by SPI should fall in SIP blocked connections too. Well, if I didn’t misinterpret egemen’s post.
I guess V3 Log is not yet feature-complete.

Hi Guys,

“System Idle Process” is NOT a real process and it never sends/receives any packets. For this reason, CFP uses it for something when it does not detect any process for a packet. So blocked “System Idle Process” simply means blocked “unsolicited packet”.

E

egemen,
I have set my customized rules up exactly as gibran noted in this post:
https://forums.comodo.com/help_for_v3/share_your_customized_rules-t14931.0.html
I have two computers set up on a LAN. I keep getting blocked SIP from one computer to the other with the following information:
System Idle Process Blocked ICMP 192.168.1.x Type(eight) 192.168.1.x Code(0)
Is it ok to add a ruleset to allow this traffic?

Thank You

If you don’t use multicast in your network you don’t have to allow ICMP. If you don’t want the messages you can probably turn it off in your router settings.

Those are echo requests (http://www.networksorcery.com/enp/protocol/icmp/msg8.htm). If you added your LAN to your trusted zone, you should not be worried about this traffic.
Please try to ping the computer you have CFP on from the other PC and see if you can reach it:
run cmd.exe and type ping [private IP of your computer without square brackets] and press Enter.
If this test succeeds then maybe these are some unneeded extra echo requests. I guess you should log ICMP OUT echo requests on the computer that causes that traffic.
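The two points made above, that a “System Idle Process” entry means CFP found no local process for the packet, and that the Type(8) entries between the two LAN hosts are ICMP echo requests (pings), can be turned into a small log-triage script. This is an added example, not code from the thread or from Comodo; the line layout is assumed from the single entry quoted earlier, the sample lines are constructed, and the trusted LAN is assumed to be 192.168.1.0/24.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample entries shaped like the CFP line quoted in this thread;
# the field layout is assumed from that one line, not from Comodo documentation.
SAMPLE_LOG = """\
System Idle Process Blocked ICMP 192.168.1.5 Type(8) 192.168.1.7 Code(0)
System Idle Process Blocked ICMP 203.0.113.9 Type(8) 192.168.1.7 Code(0)
System Idle Process Blocked ICMP 198.51.100.4 Type(3) 192.168.1.7 Code(3)
"""

TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")  # poster's "Home LAN", assumed
ICMP_ECHO_REQUEST = 8  # the Type(8) entries in the thread are pings

LINE_RE = re.compile(
    r"^(?P<proc>.+?) (?P<action>Allowed|Blocked) ICMP "
    r"(?P<src>\S+) Type\((?P<type>\d+)\) (?P<dst>\S+) Code\((?P<code>\d+)\)$"
)

def parse_line(line):
    """Return the fields of one ICMP log entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["type"], entry["code"] = int(entry["type"]), int(entry["code"])
    return entry

def is_unsolicited(entry):
    """As egemen explains: 'System Idle Process' means no local process owned the packet."""
    return entry["proc"] == "System Idle Process"

def triage(entry):
    """Classify a blocked unsolicited ICMP entry for log review."""
    if entry["type"] != ICMP_ECHO_REQUEST:
        return "other-icmp"
    if ipaddress.ip_address(entry["src"]) in TRUSTED_LAN:
        # Ping from a trusted LAN host: expected noise; the case for a zone-scoped rule.
        return "lan-echo-request"
    return "internet-echo-request"  # blocked probe from outside: the desired outcome

def summarize(log_text):
    """Count blocked unsolicited ICMP entries per triage category."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["action"] == "Blocked" and is_unsolicited(entry):
            counts[triage(entry)] += 1
    return dict(counts)
```

Running summarize(SAMPLE_LOG) separates the LAN ping from the outside probe, which is the distinction the thread's rule-writing advice turns on.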

Thank you AOwL and gibran for the quick responses.
My Home LAN is added under Trusted Zones.
I tried to ping my computer which was blocking the requests, and the ping requests timed out.
I added the following rule in Application rules under System Idle Process:
Allow ICMP IN/OUT From In [Home LAN] To In [Home LAN] Where ICMP Message Is Any
This allowed me to ping without blocking.
Is this rule safe to leave under SIP?

Thank you…

Maybe you didn’t create a trusted network using the stealth wizard. Can you post a screenshot of your global rules?

Here are my Global Rules:

http://home.mchsi.com/~bmoss42/2007-11-24_202835_copy.png

Oh, and FWIW, I added the same rule:
Allow ICMP IN/OUT From In [Home LAN] To In [Home LAN] Where ICMP Message Is Any
under Global Rules at first, and it did not work. Seems that if any application is listed in Application Rules, it only reads from Application rules, and does not read from Global Rules also. I removed from Global Rules, and added under Application Rules for SIP and it worked.