Firewall Blocking WD TV Live Hub Activity

I originally posted this in “General” but it was suggested I move it here. My wireless laptop’s firewall, free Comodo, is blocking incoming UDP connections from my WD TV Live Hub. The Hub is trying to communicate with my laptop’s svchost.exe program. The WDTVLH uses a new outgoing port each time but tries to contact the same port on my laptop for many hours. Then it tries a new laptop port to contact. The rate of these is about 10 per hour. The ports on my laptop that the Hub is trying to contact, over just the past couple of days, have been 49913 and 55446, 61455 and most recently, 53045. At the Comodo forum, they suggest treating svchost as an “outgoing only” program so it blocks all incoming requests. So, I’m asking, what is the WDTVLH doing? Should I have Comodo block it? Everything seems to be working on the WDTVLH. My only complaint is that transfers from my wireless laptop to the wireless Hub are extremely slow. Transfers are 200-300 Kbps, or about 1 hour per 1 GB file. I also had to start using a program, RichCopy, to copy files, as using Windows 7 Copy/Paste was not really working well. I can live with that and I’m not sure if that is unusual or relevant. I appreciate any insights.

Since I wrote the above post, Comodo blocked 200 attempted UDP connections to my laptop’s svchost.exe via port 53045 from the Hub. It ended at 3:12 AM, took a five hour hiatus and then started up again at 8:17 AM, this time trying destination port 63374. Comodo has blocked 20 of these attempts in the past 21 minutes. The Hub is off (standby). What can be the reason for this activity? I’m guessing the Hub is attempting this activity on all devices on my network, as there seems to be no reason to single out my laptop.

The short answer is that the Service (whatever it is) is ADVERTISING itself to the network, and the WD is attempting to contact it on those ports. The WD isn’t just picking a random IP and a random UDP port and banging away at it. It’s trying to contact that service because the service first told the WD that it was running, and it told the WD what ports to communicate with.

Saying that the WD is trying to access SVCHOST is as vague as just saying “The WD is trying to access something.”

IF you want to know exactly WHAT it is, you’re going to need to run something like WIRESHARK and see if it can see the packets before the firewall blocks them. The packet decodes will often indicate exactly what it’s trying to do.

Thanks Tony. I appreciate that. It seems odd that the default, or suggested, firewall setting is to allow only outgoing messages from svchost.exe if services are using it to seek responses. Anyway, I’m looking at Wireshark but there appears to be quite a learning curve. Am I right in assuming you think this activity is benign and should be allowed? Do you think there are any negatives with continuing to block it?

I’ve sent you a PM where you can upload those Wireshark captures. I’ll have a look and let you know here what they are.

Ahh! Ok… I think what you might be seeing is what’s called SSDP, or Simple Service Discovery Protocol. It’s sent out as a MULTICAST packet, meaning it’s addressed to EVERYONE on the network. What it’s advertising is the DLNA capabilities of the box.

But I didn’t see them coming from any of the ports you mention.

I DID see packets coming FROM a port 63374 TO port 1900, but it was also SSDP. This was on a system with IP address ending in .111.

I also see the TWONKY process on the Hub trying to talk to your PC, but in those cases, your PC is responding.

All of that is TCP, though, not UDP…
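The distinction Tony draws above (a multicast advertisement to the whole network versus a unicast reply to one host on one port) is easy to see once the datagrams are decoded. The following is an added example, not code from this thread or from Western Digital: a small SSDP parser that classifies a datagram by what it is and where it is addressed. The sample datagrams are constructed, with placeholder addresses, UUID and LOCATION URL; the use of port 53045 as a “searcher’s ephemeral port” only illustrates the general SSDP pattern (a control point sends M-SEARCH from an ephemeral port and devices reply to that port), and is an assumption about the poster’s traffic that the thread itself does not confirm. The `location_is_plausible` check is the caveat a practitioner would add to any code that acts on SSDP: the LOCATION header is attacker-controlled.

```python
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit

# SSDP multicast group and port used for NOTIFY advertisements and M-SEARCH.
SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900

# Constructed sample datagrams (placeholder IP, UUID and URL; not captured
# from a real WD TV Live Hub).
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.50:9000/DeviceDescription.xml\r\n"
    b"NT: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleServer/1.0\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"\r\n"
)
SAMPLE_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\n"
    b"MX: 3\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.50:9000/DeviceDescription.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"\r\n"
)


def parse_ssdp(datagram: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse one SSDP datagram into (kind, headers).

    kind is the request method (NOTIFY, M-SEARCH) or "RESPONSE" for an
    HTTP/1.1 status line. Header names are upper-cased because SSDP header
    names are case-insensitive. Malformed input raises ValueError instead
    of being half-parsed: a control point should drop it, not guess.
    """
    try:
        text = datagram.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("SSDP datagram is not UTF-8") from exc
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF terminator")
    lines = head.split("\r\n")
    first = lines[0].split()
    if len(first) < 2:
        raise ValueError(f"bad start line: {lines[0]!r}")
    kind = "RESPONSE" if first[0] == "HTTP/1.1" else first[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"bad header line: {line!r}")
        headers[name.strip().upper()] = value.strip()
    return kind, headers


def classify(datagram: bytes, dst_ip: str, dst_port: int) -> str:
    """Describe what an SSDP datagram in a capture is doing, given where it
    is addressed. Traffic to the group on 1900 is advertising or searching;
    a unicast response to some other port is a search reply going back to
    the ephemeral port the searcher sent its M-SEARCH from."""
    kind, h = parse_ssdp(datagram)
    to_group = dst_ip == SSDP_GROUP and dst_port == SSDP_PORT
    if kind == "NOTIFY" and to_group:
        return f"advertisement {h.get('NTS', '?')} for {h.get('NT', '?')}"
    if kind == "M-SEARCH" and to_group:
        return f"discovery request for {h.get('ST', '?')}"
    if kind == "RESPONSE" and not to_group:
        return (f"search response for {h.get('ST', '?')} to searcher's "
                f"ephemeral port {dst_port}")
    return f"unexpected {kind} to {dst_ip}:{dst_port}"


def location_is_plausible(headers: Dict[str, str], src_ip: str) -> bool:
    """Only accept an http:// LOCATION whose host is the literal IP the
    datagram came from. A rogue device can otherwise point clients at a
    different host (or loopback / link-local) for the description fetch."""
    url = urlsplit(headers.get("LOCATION", ""))
    if url.scheme != "http" or not url.hostname:
        return False
    try:
        return ipaddress.ip_address(url.hostname) == ipaddress.ip_address(src_ip)
    except ValueError:  # hostname is a DNS name, not an address literal
        return False
```

In Wireshark, the display filter `udp.port == 1900` shows the multicast advertisements and searches, while the `ssdp` filter also catches the unicast search responses that travel to other ports; comparing the two against the ports the firewall logs is the quickest way to tell which kind of traffic is being blocked.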

This may be a silly thing to note but wouldn’t the UDP messages not show up because the firewall is blocking them?

.111 is my laptop. Perhaps the DLNA broadcasts are being accepted because they are not directed to svchost.exe? My firewall rule is to only allow outgoing from svchost.exe and block all incoming.

curtswanson wrote:
This may be a silly thing to note but wouldn’t the UDP messages not show up because the firewall is blocking them?

It depends on how your firewall works, but yes, that’s possible… That could explain why what I saw doesn’t match up with what you’re describing…

I turned off the DLNA server and the Network Server in the Network Settings but the results are the same. I know, at one point, I enabled Twonky, but when I use the web interface, the tick box for enabling Twonky is unchecked. I’m not sure whether that means it is running or not. I no longer view this as nefarious activity but I am inclined to leave things as they are and let my firewall keep blocking it.