windows updates [Resolved]

Morning All.
For some time I have not been able to automatically receive Windows Updates, although my computer is set to download the updates and for me to install.
I have tried everything, but still no updates unless I install manually.
This month I reset CPF to allow everything and enabled the Windows Firewall.
Updates worked perfectly. I received them this morning.
My question is: what do I need to change or reset in CPF to enable me to receive updates?
I would be much obliged if a well informed person would tell me exactly what I need to do.
I am not yet fully up to speed as regards CPF, but I am getting there with the help of this Forum.
Thanks and Regards

** FAQs/Threads - Read Me First **:

Windows Updates Doesn't Update
https://forums.comodo.com/index.php/topic,1632.0.html
https://forums.comodo.com/index.php/topic,1702.0.html
https://forums.comodo.com/index.php/topic,1955.0.html
https://forums.comodo.com/index.php/topic,6518.0.html
https://forums.comodo.com/index.php/topic,6579.0.html
https://forums.comodo.com/index.php/topic,6836.0.html
https://forums.comodo.com/index.php/topic,7866.0.html

Essentially, remove any blocked svchost.exe application monitor rules. This is a vital Windows process.

Thanks for your reply, but there is no mention of SVCHOST anywhere; however, one of the entries for IEXPLORE is blocked. Is that what I am looking for?
Regards.

That could indeed be it, rambo.

Any time something like this is blocked (referring to the updates process, not a specific application), the first place to look is in Activity/Logs. You’ll want to keep your eyes open for entries showing blocked applications especially. Then blocked traffic (Network Monitor).

If setting CFP to Allow All gets you the updates, this is a good indication of a rules configuration problem with CFP. The logs would help identify that problem.

LM

Thanks a lot.
Just as a matter of interest, I have two computers, neither of which will get Windows updates unless I allow all.
PC 1 is the one that has IEXPLORE blocked, PC2 has Ybrouser blocked.
As you say, "Look at the log".
Thanks, I am much obliged.

LM
I have just looked at the log for yesterday and today.
For yesterday there are 11 entries with medium severity. The severity description is Inbound Policy Violation (access denied, IP.).
Today is about the same number with medium severity, but 3 with Outbound Policy Violation (access denied, PR). The reporter in all cases is Network Monitor.
Does this give you any idea as to where the problem lies?
This, I should add, is PC 2. I have not yet looked at PC 1.
Regards.

I think we need more details as in what exactly was the program(s) being blocked. Maybe you should upload an edited copy of the log as a text file here.

Thanks.
I will get back to you when I have figured out how to do it.
Regards

This, I think, is what you want.

Edited by Mod to replace long log with text attachment.

[attachment deleted by admin]

rambo,

I went through your logs, and saw nothing that I would relate to svchost or Windows updates. It’s pretty much all Inbound, except for two Outbound IGMP. Updates are all Outbound connections; no unsolicited Inbound, and I’ve never seen Updates use IGMP; it’s always UDP to Microsoft updates IP addresses, not a multicast address like your logs show.

I have a question for you - when you say the updates work “manually” do you mean you go into the updater and cause it to run and check for updates, or that you go online and check that way (via the browser)?

LM

I wondered the same because I highly doubt your log was captured during the midst of your attempt to run Windows Updates.

PS: Rambo, I replaced your long log posting with a text file.

LM
By manually I mean click START, click WINDOWS UPDATE. I am then informed of the updates available, together with the updates for Windows Defender.
The funny thing is that definition updates for Defender work automatically at other times, but not for Windows Updates.
It must be possible to create a permission for Windows Updates so they are not blocked every time, or is that not possible?
I feel now we are getting into deep water. Perhaps it is just easier to set CPF to allow all when Windows Updates are available, i.e. second Wednesday of each month in the afternoon between the hours of 4-6 pm.
I know that sounds rather a defeatist attitude, but I don't have the understanding to take it further.
Thanks for all your trouble

There really isn’t a significant difference between what you’re doing to update manually, and Windows updating itself automatically. They both utilize svchost.exe as the connecting process. They both require the Windows Updater Service and Transfer Service (BITS) to be Started on Automatic.

The only difference I can think of is perhaps what’s creating the call to svchost for the auto updates; perhaps the combination is not allowed by application monitor.

Do you have a rule (any rule) for svchost.exe in Application Monitor? If so, set the Parent to ‘Skip’ or ‘Learn’ prior to the next update cycle.

You may also find it helpful to go to Security/Tasks/Scan for Known Applications. Follow the prompts and reboot when finished.

LM

Thanks LM
That is what is so stupid about it. How I can retrieve updates, without any problem, by connecting to Windows Update but unable to retrieve them automatically unless I reset CPF to Allow All.
What else is annoying is that I have installed CPF on a lot of my friends' computers without issue.
There are no entries, whatsoever, for SVCHOST in Application Monitor.
I have tried a scan but there are no prompts after it is finished, just restart the application.
No doubt we will get to the bottom of the problem in the end.
Regards.

Try doing this, rambo…

Go to Security/Advanced/Miscellaneous, and uncheck the box “Do not show alerts for applications certified by Comodo.” OK, and reboot.

Watch for any alerts (after reboot) which mention svchost.exe. Be sure to Allow w/Remember on all of those. Now, with no other applications running do a Manual Update, just as you have been. Respond Allow w/Remember on any svchost.exe (or other) alerts during this process. This should create some specific rules in Application Monitor for svchost.exe (where you can see them); depending on where you have the Alert Frequency set, it should be something like Application: svchost.exe, Parent: services.exe, Allow TCP/UDP In/Out Any Source/Destination Port/IP.

Then go back to Security/Advanced/Miscellaneous and check the “Do not show alerts…” box again. OK, and reboot.

You know, I just got to thinking… it’s possible that svchost.exe uses Parent of explorer.exe when Manual Update is done, rather than services.exe. If this is the case, Add another Application Monitor Rule for svchost.exe, identical to the one already created, except change the Parent Path to services.exe (which will be c:\windows\system32\services.exe).

LM
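The open question in the post above is which process is the parent of the svchost.exe instance that does the updating, and whether the Windows Update and BITS services are set to start automatically. The following PowerShell is an added example, not part of the original thread; it assumes PowerShell 3.0 or later in an elevated session and the standard service names `wuauserv` and `BITS`, and only reads state.

```powershell
# Added example: for the Windows Update and BITS services, report start mode,
# state, the hosting svchost.exe instance, and that instance's parent process.
$serviceNames = 'wuauserv', 'BITS'   # Windows Update, Background Intelligent Transfer Service

foreach ($name in $serviceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Warning "Service '$name' not found"
        continue
    }

    $hostPath   = '(service not running)'
    $parentPath = '(service not running)'

    if ($svc.ProcessId -ne 0) {
        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
        if ($proc) {
            $hostPath = $proc.ExecutablePath
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)"
            # PIDs are reused, so only trust a parent that started before the child.
            if ($parent -and $parent.CreationDate -le $proc.CreationDate) {
                $parentPath = $parent.ExecutablePath
            } else {
                $parentPath = '(parent no longer running)'
            }
        }
    }

    # One row per service; compare Parent with the Parent field of the firewall rule.
    [pscustomobject]@{
        Service   = $svc.Name
        StartMode = $svc.StartMode     # Auto, Manual or Disabled
        State     = $svc.State         # Running, Stopped, ...
        HostPid   = $svc.ProcessId
        HostPath  = $hostPath
        Parent    = $parentPath
    }
}
```

Run it once while idle and once during an update check; if the Parent column differs from the Parent recorded in the svchost.exe rule, that mismatch is what the rule would need to cover.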

LM
We now have 2 entries in Application Monitor for SVCHOST. Great!
I am not sure how to carry out the suggestions in your last paragraph. Give me a while to think about it and I will be back to you.
If in the meantime you could expand, like guide me through, I would indeed be most grateful.
I am much appreciative of your advice.
Thanks.
Philip

Okay, Philip; hopefully we’re moving in the right direction with this thing… :smiley:

It will help to know the content of those two rules for svchost. If you double-click each one, it will open for editing, where you can see all the details. If you would (don’t actually change the rules), post those details here in the following format, and cancel out of the Edit on each one.
Application:
Parent:
Action:
Protocol:
Direction:
Destination IP:
Destination Port:
Miscellaneous: (just indicate which - if any - are checked)
- Skip advanced security checks
- Allow invisible connections
- Limit number of connections

Then if it looks like we might need to add another one, I’ll walk you through it.

LM

Me Again.
Application: c:\windows\system32\svchost.exe
Parent: c:\windows\system32\services.exe
Action: Allow
Protocol: tcp or udp
Direction: out
Destination IP: any
Destination Port: any
Miscellaneous: nothing checked.

Just one thing I didn’t understand: you say “cancel out of the edit on each”; could you please expand?
I haven’t changed anything, just looked. The contents of the two rules are the same for both.
As you say, “we’re moving in the right direction”, thanks to you.
Philip

LM
I have just noticed a slight difference between pc1 and pc2, in as far as on pc1 I reported the Direction being out for both entries of SVCHOST; on pc2 one direction is in, the other is out.
Philip.

That should be okay; just Edit that rule to change the direction to In/Out instead of just Out. And that was generated when you ran the Manual Updates, correct?

Just to see if it makes any difference, on “Update Day,” shortly before the updates should occur, Add a rule to Application Monitor. You will build it in this way:

Application: svchost.exe (you’ll have to browse to the file; it cannot simply be typed into the field)
Parent: (set it to ‘Learn’)
Action: Allow
Protocol: TCP/UDP
Direction: In/Out
Destination IP: Any
Destination Port: Any
Miscellaneous: (none; leave blank)

At that point, close Application Monitor, then reopen it. Find the rules for svchost. We want this newly-created one to be the lower of the svchost rules. If it already is, fine. If it is placed in order above the previous rule(s) for svchost, double-click those older rule(s) as though to Edit. Then (without making changes) click OK or Cancel. This will move those older rule(s) for svchost above the newer rule.

The reason is, when the Updates try to run, Application Monitor will look to the svchost rule in the highest (top) position first. We want to give the previous rules a chance to work first. If they won’t pass the traffic, then the new rule should kick in to “Learn” the parent (hopefully that will be the only difference).

LM

PS: My comment about canceling out of the edit was just to make sure you realized I wasn’t saying to make any changes to the rules.

PPS: You’ve said there are two rules; are they completely/exactly identical?