Advice Request Comodo Firewall blocking network access to Windows services and OS?


Arequire

Level 29
Thread author
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
On my system I see that MicrosoftEdge connects to FDCservers = 50.7.X.X (I didn't lookup the IP ranges). So it is evidently a Microsoft related thing.


You could make it a full-time occupation just studying all of Microsoft IP addresses\URLs and what they do...
Yeah, I looked it up and came up with fdcservers.net too. Seems they provide bandwidth hosting services to businesses so I'm guessing it could be a Microsoft data centre or cloud server.

This is understandable. With experience you just get to the point where ... meh... if I don't see it obviously broken, then I'm not going to worry about it. Your system is more vast than you comprehend - and there is always something going wrong on it that isn't readily apparent. It's just the nature of the beast, but that doesn't mean errors and non-visible issues create huge, hidden problems.

If you go crazy constantly auditing your system you will do nothing but keep yourself crazy. Such behavior is all over the security forums.
That's good to hear. I usually don't keep much of an eye on stuff like this but I thought it was worrying that it named the block as the actual operating system and not a process or file, which is why I was compelled to ask about it.

509322

Yeah, I looked it up and came up with fdcservers.net too. Seems they provide bandwidth hosting services to businesses so I'm guessing it could be a Microsoft data centre or cloud server.

Look at that post again. I edited it. I made a blunder. After being in front of screen for long hours the mind can go wonky.

Arequire

Level 29
Thread author
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
Look at that post again. I edited it. I made a blunder. After being in front of screen for long hours the mind can go wonky.
Ah. Well the destination the OS tried to connect to happened well before I visited the fdcservers site and the WhoIs lookup linked the IP to fdcservers in LA so I'm guessing it's correct.

I'm planning on ditching my AV and sticking with just Comodo Firewall in the near future so I guess I should get used to ignoring mysterious blocks for if I ever run into malware.

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Hi Arequire! CF tends to hate many components of Windows that request Outbound connections, but this usually occurs on Windows 10. The Win10 haters actually should love this as CF blocks many unsolicited requests from various extraneous Win10 services. Win7 normally isn't as prone to this stuff, but here are my suggestions:

1). Normally a service in Windows will use svchost to get out to the Net. So you may see the blocked svchost paired with something else. If you trust all Microsoft files, go into Blocked connections and sort by Vendor. Then approve all of the Microsoft listings that you like. IF the svchost connection was initiated by another Microsoft service your problems will be solved.

2). Malware also can use svchost to connect out; trust me, I've coded enough of them in the past (errors of a misspent youth). And a connection to some server farm or other never should be assumed to be going to Microsoft. So if you are still having svchost blocks even after approving all the Microsoft stuff you may have (probably not, but I'm a suspicious person) some sort of Trojan injector. If it was me, I would run Zemana Anti-Malware portable to verify (it's really, really good at detecting this sort of thing).

3). I must disagree with Lockdown about the need for Outbound alerts on a Private Home computer. If you don't have such protection YOU ARE MINE.

ps- my headache from Friday night is finally subsiding...
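The "svchost paired with something else" in point 1 can be checked directly rather than guessed. The following is an added example, not code from the thread or from Comodo: for each outbound TCP connection owned by an svchost.exe process it lists the Windows services hosted in that process and who signed each service's DLL, which is the vendor a firewall's "sort by Vendor" view is really keyed on. It assumes PowerShell 5.1 on Windows 8 or later and an elevated session so every process's owning PID is visible.

```powershell
# Added example (not from the thread): map outbound svchost.exe connections back to
# the hosted services and the signer of each service DLL.

function Get-ServiceDllPath {
    param([string]$ServiceName)
    # Service DLLs are registered under <service>\Parameters, occasionally under <service>.
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    foreach ($p in "$base\Parameters", $base) {
        $v = (Get-ItemProperty -Path $p -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($v) { return [Environment]::ExpandEnvironmentVariables($v) }
    }
    return $null
}

# PID -> names of the services currently running inside that process.
# On recent Windows 10 builds most services get their own svchost, so this is often 1:1.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object ProcessId -ne 0 | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

$svchostPids = (Get-Process -Name svchost -ErrorAction SilentlyContinue).Id

Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $svchostPids -contains $_.OwningProcess } |
    ForEach-Object {
        $conn = $_
        foreach ($svc in $svcByPid[[int]$conn.OwningProcess]) {
            $dll = Get-ServiceDllPath $svc
            $signer = if ($dll -and (Test-Path $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                "$($sig.Status): $($sig.SignerCertificate.Subject)"
            } else { "n/a" }
            [pscustomobject]@{
                Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
                PID     = $conn.OwningProcess
                Service = $svc
                DLL     = $dll
                # An unsigned DLL, or a signer other than Microsoft, is the row worth a closer look.
                Signer  = $signer
            }
        }
    } | Format-Table -AutoSize
```

A row whose remote address is on your own LAN or a link-local range is the case Arequire describes later in the thread; a row whose DLL is signed by Microsoft and whose remote host resolves to a Microsoft range is the benign case from point 1.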
 

Arequire

Level 29
Thread author
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
Hey cruelsister. Thanks for responding.

2). Malware also can use svchost to connect out; trust me, I've coded enough of them in the past (errors of a misspent youth). And a connection to some server farm or other never should be assumed to be going to Microsoft. So if you are still having svchost blocks even after approving all the Microsoft stuff you may have (probably not, but I'm a suspicious person) some sort of Trojan injector. if it was me, I would run Zemana Anti-Malware portable to verify (it's really, really good at detecting this sort of thing).
Definitely isn't any kind of infection. Every second opinion scanner under the sun comes up clean along with multiple AVs. No suspicious startup entries, no processes I don't recognise, etc. I can't actually remember the last time I had an infection on any system I've owned; possibly the early 2000s. I'm pretty good at following best practices and I tend to avoid doing anything that could lead to infection. (Besides unblocking ads now and again. My morality sways in the adblocking department from day to day.)

1). Normally a service in Windows will use svchost to get out to the Net. So you may see the blocked svchost paired with something else. If you trust all Microsoft files, go into Blocked connections and sort by Vendor. Then approve all of the Microsoft listings that you like. IF the svchost connection was initiated by another Microsoft service your problems will be solved.
Usually I just see svchost connect on its own. The log said svchost's source and destination was my own local network (192.xx) so I'm assuming it is just blocking loopback connections. I don't notice any breakage or issues when CF blocks the connection so I'm currently just ignoring it. I've got it set to block without showing alerts so I don't even notice it's been blocked until I decide to open CF. Same thing with the blocked outbound connection from "Windows Operating System". Didn't notice any issues when it did it so I'm just leaving them blocked. I'll unblock them if I see any noticeable breakage.

3). I must disagree with Lockdown about the need for Outbound alerts on a Private Home computer. If you don't have such protection YOU ARE MINE.
Definitely like having outbound connections blocked automatically. Obviously a keylogger or other form of data stealer would get blocked by CF when it tries to elevate its privileges, but it's nice to know that it can't actually send the data it harvests anywhere.

While you're here I wanted to ask you a question: Is malware using a stolen certificate of a company on Comodo's trusted vendors list a concern at all? I'd imagine this kind of thing is relatively rare and running into it is even less likely, but if I or anybody else who hasn't modified the trusted vendors list ran into one, would Comodo allow it to run uninhibited?

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Arequire- A couple of things:

1). I am hoping that Comodo will iron out the stuff with Microsoft trusted processes that many are seeing. I'm cutting them some slack on this one as CF is really still a semi-initial build and I am a FanGirl (gotta call a Spade a Spade sometimes...).

2). About the Trusted Vendors- Yes this may be a concern and can be alleviated to a great extent by modifying the Trusted Vendors list like this:

(Apologies for using my own video...)

Now there will be some liberated high quality certificates that can bypass even this restricted Trusted vendors list (I did a video on this in the past also- I forget when). But please note that such malware will NEVER EVER be something widely distributed as such certificates are as rare as Powdered Unicorn Horn- they would be used as targeted malware only (for someone who wants a Emerald and Diamond necklace but would rather shake someone down instead of paying for it herself..)

OT Romance Advice- Please note that even the best (Type 1) Emerald gemstone will have a natural flaw (inclusion). If someone tries to sell you an inclusion-free Emerald for your girlfriend, reject it immediately as it is probably just a broken piece of a 7-Up bottle and not a real Emerald (I've got to teach you guys EVERYTHING...).

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Definitely like having outbound connections blocked automatically. Obviously a keylogger or other form of data stealer would get blocked by CF when it tries to elevate its privileges, but it's nice to know that it can't actually send the data it harvests anywhere.
Advanced malware can outsmart the outbound connections control by piggybacking on an allowed process. That's why you can't rely overly much on firewall to protect you.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Instead of immediately running Comodo firewall in block mode, you could run it for a week in safe mode, and that way, all those little Windows processes that are constantly trying to update your metro apps, etc, will have their chance to get whitelisted by you.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
CF tends to hate many components of Windows that request Outbound connections, but this usually occurs on Windows 10.
Glad I found this old post, because now, on Windows 10 1809, this erratic network blocking behavior seems to have reappeared.
So the moral of the story is that erratic behavior like this is to be expected, not to worry...
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
Glad I found this old post, because now, on Windows 10 1809, this erratic network blocking behavior seems to have reappeared.
So the moral of the story is that erratic behavior like this is to be expected, not to worry...
Are you using V10 or V11?

Allego

Level 3
Verified
Well-known
Jan 25, 2016
125
Okay so after you modified your TVL, is it recommended to disable Cloud Lookup or leave it enabled?

509322

Glad I found this old post, because now, on Windows 10 1809, this erratic network blocking behavior seems to have reappeared.
So the moral of the story is that erratic behavior like this is to be expected, not to worry...

It isn't COMODO's fault. It is Microsoft's fault. Microsoft made unilateral, unannounced changes. COMODO could not have known.

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Okay so after you modified your TVL, is it recommended to disable Cloud Lookup or leave it enabled?
Disable it, or else you will have hidden entries on your TVL that are beyond your knowledge and control.

@Lockdown: Unfortunately, Comodo is in denial about it. I posted twice about it on their forum, and also PMed them, and they tried as hard as they could to ignore me. When they couldn't ignore me anymore, they repeatedly denied the existence of the problem and gave idiotic answers instead. So now, it is Comodo's fault. I am thoroughly disgusted with them. :(
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,618
I think John Lennon wrote a song about it: "Oh Com-o-o-do, Oh Com-o-o-do... (music playing)… I'd lo-ve to turn you-oo on!" :ROFLMAO:

The bane of 3rd party software! Oh, what troubles are a-comin'! MS & Comodo - true to form! (n) Time to simplify!

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I think John Lennon wrote a song about it: "Oh Com-o-o-do, Oh Com-o-o-do... (music playing)… I'd lo-ve to turn you-oo on!" :ROFLMAO:

The bane of 3rd party software! Oh, what troubles are a-comin'! MS & Comodo - true to form! (n) Time to simplify!
:) :)

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am now trying the default "Firewall Security" configuration.
If you don't hear from me, either it works, or I died trying. :)