Advice Request Comodo Firewall blocking network access to Windows services and OS?

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.

Arequire

Level 29
Thread author
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
On my system I see that MicrosoftEdge connects to FDCservers = 50.7.X.X (I didn't lookup the IP ranges). So it is evidently a Microsoft related thing.

View attachment 143444

You could make it a full-time occupation just studying all of Microsoft IP addresses\URLs and what they do...
Yeah, I looked it up and came up with fdcservers.net too. Seems they provide bandwidth hosting services to businesses so I'm guessing it could be a Microsoft data centre or cloud server.

This is understandable. With experience you just get to the point where ... meh... if I don't see it obviously broken, then I'm not going to worry about it. Your system is more vast than you comprehend - and there is always something going wrong on it that isn't readily apparent. It's just the nature of the beast, but that doesn't mean errors and non-visible issues create huge, hidden problems.

If you go crazy constantly auditing your system you will do nothing but keep yourself crazy. Such behavior is all over the security forums.
That's good to hear. I usually don't keep much of an eye on stuff like this but I thought it was a worrying that it named the block as the actual operating system and not a process or file which is why I was compelled to ask about it.
 
  • Like
Reactions: AtlBo and shmu26
5

509322

Yeah, I looked it up and came up with fdcservers.net too. Seems they provide bandwidth hosting services to businesses so I'm guessing it could be a Microsoft data centre or cloud server.

Look at that post again. I edited it. I made a blunder. After being in front of screen for long hours the mind can go wonky.
 
  • Like
Reactions: AtlBo

Arequire

Level 29
Thread author
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Look at that post again. I edited it. I made a blunder. After being in front of screen for long hours the mind can go wonky.
Ah. Well the destination the OS tried to connect to happened well before I visited the fdcservers site and the WhoIs lookup linked the IP to fdcservers in LA so I'm guessing it's correct.

I'm planning on ditching my AV and sticking with just Comodo Firewall in the near future so I guess I should get used to ignoring mysterious blocks for if I ever run into malware.
 
Last edited:

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Hi Arquire! CF tends to hate many components of Windows that request Outbound connections, but this usually occurs on Windows 10. The Win10 haters actually should love this as CF blocks many unsolicited requests from various extraneous Win10 services. Win7 normally isn't as prone to this stuff, but here are my suggestions:

1). Normally a service in Windows will use svchost to get out to the Net. So you may see the blocked svchost paired with something else. If you trust all Microsoft files, go into Blocked connections and sort by Vendor. Then approve all of the Microsoft listings that you like. IF the svchost connection was initiated by another Microsoft service your problems will be solved.

2). Malware also can use svchost to connect out; trust me, I've coded enough of them in the past (errors of a misspent youth). And a connection to some server farm or other never should be assumed to be going to Microsoft. So if you are still having svchost blocks even after approving all the Microsoft stuff you may have (probably not, but I'm a suspicious person) some sort of Trojan injector. if it was me, I would run Zemana Anti-Malware portable to verify (it's really, really good at detecting this sort of thing).

3). I must disagree with Lockdown about the need for Outbound alerts on a Private Home computer. If you don't have such protection YOU ARE MINE.

ps- my headache from Friday night is finally subsiding...
 

Arequire

Level 29
Thread author
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Hi Arquire! CF tends to hate many components of Windows that request Outbound connections, but this usually occurs on Windows 10. The Windows 10 haters actually should love this as CF blocks many unsolicited requests from various extraneous Windows 10 services. Windows 7 normally isn't as prone to this stuff, but here are my suggestions:

1). Normally a service in Windows will use svch
1). Normally a service in Windows will use svchost to get out to the Net. So you may see the blocked svchost paired with something else. If you trust all Microsoft files, go into Blocked connections and sort by Vendor. Then approve all of the Microsoft listings that you like. IF the svchost connection was initiated by another Microsoft service your problems will be solved.

ost to get out to the Net. So you may see the blocked svchost paired with something else. If you trust all Microsoft files, go into Blocked connections and sort by Vendor. Then approve all of the Microsoft listings that you like. IF the svchost connection was initiated by another Microsoft service your problems will be solved.

2). Malware also can use svchost to connect out; trust me, I've coded enough of them in the past (errors of a misspent youth). And a connection to some server farm or other never should be assumed to be going to Microsoft. So if you are still having svchost blocks even after approving all the Microsoft stuff you may have (probably not, but I'm a suspicious person) some sort of Trojan injector. if it was me, I would run Zemana Anti-Malware portable to verify (it's really, really good at detecting this sort of thing).

3). I must disagree with Lockdown about the need for Outbound alerts on a Private Home computer. If you don't have such protection YOU ARE MINE.

ps- my headache from Friday night is finally subsiding...
Hey cruelsister. Thanks for responding.

2). Malware also can use svchost to connect out; trust me, I've coded enough of them in the past (errors of a misspent youth). And a connection to some server farm or other never should be assumed to be going to Microsoft. So if you are still having svchost blocks even after approving all the Microsoft stuff you may have (probably not, but I'm a suspicious person) some sort of Trojan injector. if it was me, I would run Zemana Anti-Malware portable to verify (it's really, really good at detecting this sort of thing).
Definitely isn't any kind of infection. Every second opinion scanner under the sun comes up clean along with multiple AVs. No suspicious start up entries, no processes I don't recognise, etc. I can't actually remember the last time I had an infection on any system I've owned; possibly early 2000's. I'm pretty good at following best practices and I tend to avoid doing anything that could lead to infection. (Besides unblocking ads now and again. My morality sways in the adblocking department from day to day.)

1). Normally a service in Windows will use svchost to get out to the Net. So you may see the blocked svchost paired with something else. If you trust all Microsoft files, go into Blocked connections and sort by Vendor. Then approve all of the Microsoft listings that you like. IF the svchost connection was initiated by another Microsoft service your problems will be solved.
Usually I just see svchost connect on its own. The log said svchost's source and destination was my own local network (192.xx) so I'm assuming it is just blocking loopback connections. I don't notice any breakage or issues when CF blocks the connection so I'm currently just ignoring it. I've got it set to block without showing alerts so I don't even notice it's been blocked until I decide to open CF. Same thing with the blocked outbound connection from "Windows Operating System". Didn't notice any issues when it did it so I'm just leaving them blocked. I'll unblock them if I see any noticeable breakage.

3). I must disagree with Lockdown about the need for Outbound alerts on a Private Home computer. If you don't have such protection YOU ARE MINE.
Definitely like having outbound connections blocked automatically. Obviously a keylogger or other form of data stealer would get blocked by CF when it tries to elevate it's privileges but it's nice to know that it can't actually send the data it harvests anywhere.

While you're here I wanted to ask you a question: Is malware using a stolen certificate of a company on Comodo's trusted vendors list a concern at all? I'd imagine this kind of thing is relatively rare and running into it is even less likely, but if I or anybody else who hasn't modified the trusted vendors list ran into one, would Comodo allow it to run uninhibited?
 
Last edited:
  • Like
Reactions: AtlBo

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Arequire- A couple of things:

1). I am hoping that Comodo will iron out the stuff with Microsoft trusted processes that many are seeing. I'm cutting them some slack on this one as CF is really still a semi-initial build and I am a FanGirl (gotta call a Spade a Spade sometimes...).

2). About the Trusted Vendors- Yes this may be a concern and can be alleviated to a great extent by modifying the Trusted Vendors list like this:

(Apologies for using my own video...)

Now there will be some liberated high quality certificates that can bypass even this restricted Trusted vendors list (I did a video on this in the past also- I forget when). But please note that such malware will NEVER EVER be something widely distributed as such certificates are as rare as Powdered Unicorn Horn- they would be used as targeted malware only (for someone who wants a Emerald and Diamond necklace but would rather shake someone down instead of paying for it herself..)

OT Romance Advice- Please note that even the best (Type 1) Emerald gemstone will have a natural flaw (inclusion). If someone tries to sell you for your girlfriend an inclusion free Emerald reject it immediately as it is probably a just a broken piece of a 7-Up bottle and not a real Emerald (I've got to teach you guys EVERYTHING...).
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Definitely like having outbound connections blocked automatically. Obviously a keylogger or other form of data stealer would get blocked by CF when it tries to elevate it's privileges but it's nice to know that it can't actually send the data it harvests anywhere.
Advanced malware can outsmart the outbound connections control by piggybacking on an allowed process. That's why you can't rely overly much on firewall to protect you.
 
  • Like
Reactions: Azure and AtlBo

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Instead of immediately running Comodo firewall in block mode, you could run it for a week in safe mode, and that way, all those little Windows processes that are constantly trying to update your metro apps, etc, will have their chance to get whitelisted by you.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
CF tends to hate many components of Windows that request Outbound connections, but this usually occurs on Windows 10.
Glad I found this old post, because now, on Windows 10 1809, this erratic network blocking behavior seems to have reappeared.
So the moral of the story is that erratic behavior like this is to be expected, not to worry...
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
Glad I found this old post, because now, on Windows 10 1809, this erratic network blocking behavior seems to have reappeared.
So the moral of the story is that erratic behavior like this is to be expected, not to worry...
Are you using V10 or V11?
 
  • Like
Reactions: oldschool

Allego

Level 2
Verified
Jan 25, 2016
97
Okay so after you modified your TVL, is it recommended to disable Cloud Lookup or leave it enabled?
 
  • Like
Reactions: oldschool
5

509322

Glad I found this old post, because now, on Windows 10 1809, this erratic network blocking behavior seems to have reappeared.
So the moral of the story is that erratic behavior like this is to be expected, not to worry...

It isn't COMODO's fault. It is Microsoft's fault. Microsoft made unilateral, unannounced changes. COMODO could not have known.
 
  • Like
Reactions: ravi prakash saini

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Okay so after you modified your TVL, is it recommended to disable Cloud Lookup or leave it enabled?
Disable it, or else you will have hidden entries on your TVL that are beyond your knowledge and control.

@Lockdown: Unfortunately, Comodo is in denial about it. I posted twice about it on their forum, and also PMed them, and they tried as hard as they could to ignore me. When they couldn't ignore me anymore, they repeatedly denied the existence of the problem and gave idiotic answers instead. So now, it is Comodo's fault. I am thoroughly disgusted with them. :(
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
I think John Lennon wrote a song about it: "Oh Com-o-o-do, Oh Com-o-o-do... (music playing)… I'd lo-ve to turn you-oo on!" :ROFLMAO:

The bane of 3rd party software! Oh, what troubles are a-comin'! MS & Comodo - true to form! (n) Time to simplify!
 
  • Like
Reactions: shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I think John Lennon wrote a song about it: "Oh Com-o-o-do, Oh Com-o-o-do... (music playing)… I'd lo-ve to turn you-oo on!" :ROFLMAO:

The bane of 3rd party software! Oh, what troubles are a-comin'! MS & Comodo - true to form! (n) Time to simplify!
:) :)
 
  • Like
Reactions: oldschool

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I am now trying the default "Firewall Security" configuration.
If you don't hear from me, either it works, or I died trying. :)
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top