Generic Host Process for Win32 Services


Technical
October 26th, 2003, 08:04 PM
Does anybody know if the user must allow "Generic Host Process for Win32 Services" to act as a server in ZoneAlarm?

If I disable it, what are the consequences?
Which applications/services will not be allowed to be connected from the Internet?

I suppose that I can allow this C:\Windows\system32\svchost.exe to connect to the Internet... In this case, what is connecting to the Internet?

Many thanks.
Technical

LowWaterMark
October 26th, 2003, 08:11 PM
Most XP users with ZA say they have to allow svchost.exe to connect out to the Internet or they can't access the net... (Some services that run under that generic process, like DNS, require that access outbound, though it does depend upon the exact configuration of each system.)

But, as for allowing server rights in ZA, that would allow Generic Host Process... (long name)... to accept unsolicited connections in from the Internet. (For example, any ports that are listening under svchost.exe would be allowed open access, such as the messenger service.) Very few people say they need to allow "server rights" for svchost.exe to be able to work properly.

On my XP system, I must allow it "access out" but not server rights.

BlitzenZeus
October 26th, 2003, 08:11 PM
Yes, and no. Your firewall should allow for, or be able to be configured for services like DHCP and DNS without allowing it as a server.

Please start by disabling two services. Start -> Run: 'services.msc', stop and disable SSDP Discovery Protocol, and Universal Plug n' Pray.

Now if your computer is not a Lan/ICS host for dynamic addressing then you can stop, and set the DNS Client to manual.

You should avoid allowing the program to act as a server, and if you must I suggest you get a more comprehensive firewall like a rule-based application filtering firewall which will be more complex to configure.

EDIT: I haven't played with ZA for a while, but you should be able to add your dns servers and your dhcp server (if you have one) to your trusted IP list. That way you are not forced to set the program as a server.

Technical
October 26th, 2003, 08:22 PM
[quote author=LowWaterMark]
Most XP users with ZA say they have to allow svchost.exe to connect out to the Internet or they can't access the net... (Some services that run under that generic process, like DNS, require that access outbound, though it does depend upon the exact configuration of each system.)

But, as for allowing server rights in ZA, that would allow Generic Host Process... (long name)... to accept unsolicited connections in from the Internet. (For example, any ports that are listening under svchost.exe would be allowed open access, such as the messenger service.) Very few people say they need to allow "server rights" for svchost.exe to be able to work properly.

On my XP system, I must allow it "access out" but not server rights.
[/quote]

Thanks for the quick answer... ;)
I need to allow svchost.exe to connect out to the Internet or I won't access the net anyway. In my XP, I denied the server rights too. ;)

Technical
October 26th, 2003, 08:31 PM
[quote author=BlitzenZeus]
Please start by disabling two services. Start -> Run: 'services.msc', stop and disable SSDP Discovery Protocol, and Universal Plug n' Pray.
[/quote]

Many thanks. I disabled SSDP Discovery Protocol but I don't have Universal Plug 'n Pray. I run the application from Gibson company and it says this service is Safely Disabled. Is that right? ;)

I set DNS Client to manual too.

Technical
October 26th, 2003, 08:41 PM
[quote author=BlitzenZeus]
you should be able to add your dns servers and your dhcp server (if you have one) to your trusted IP list. That way you are not forced to set the program as a server.
[/quote]

Sorry but besides my name, I do not know exactly what you are telling me...
I have a dial-up connection so I suppose I have a dynamic IP but what are the DNS servers and DHCP server? I'm not in a network (although I have a net card). Thanks ;)

LowWaterMark
October 26th, 2003, 08:47 PM
You don't need to add your DNS servers to the ZA Trusted Zone unless you are having some kind of a problem with access. If you are not having a problem, don't worry about it.

Technical
October 26th, 2003, 08:47 PM
[quote author=BlitzenZeus]
I suggest you get a more comprehensive firewall like a rule-based application filtering firewall which will be more complex to configure.
[/quote]

Thanks for your suggestion, I have heard Kerio is a good one. But I'm afraid I won't be able to configure such a complex firewall. If I set one wrong rule, I won't be protected and the firewall won't do its job. :-\

BlitzenZeus
October 26th, 2003, 08:57 PM
ZA should work fine for you currently, and maybe one day you will need something more complex, however today is not that day :)

Technical
October 26th, 2003, 10:09 PM
[quote author=Technical]
[quote author=BlitzenZeus]
Please start by disabling two services. Start -> Run: 'services.msc', stop and disable SSDP Discovery Protocol, and Universal Plug n' Pray.
[/quote]

Many thanks. I disabled SSDP Discovery Protocol but I don't have Universal Plug 'n Pray. I run the application from Gibson company and it says this service is Safely Disabled. Is that right? ;)

I set DNS Client to manual too.
[/quote]

Now, ZA is asking for server rights for almost every program that just accesses the Internet? Which service must I set back to its original state? SSDP Discovery Protocol, Universal Plug n' Pray or DNS Client?

I'm denying the access but something goes wrong... :-\
The other option is that, before, this program accepted connections from the Internet but I did not know this fact... :(

LowWaterMark
October 26th, 2003, 10:36 PM
Well, you started by asking whether to allow server rights to Generic Host Process for Win32 Services (svchost.exe). I said that most people do not need to give it server rights. However, now you are having a problem, so the natural question is "What did you change?" That is the key to reversing it if you now have a problem.

Technical
October 27th, 2003, 07:50 AM
[quote author=LowWaterMark]
Well, you started by asking whether to allow server rights to Generic Host Process for Win32 Services (svchost.exe). I said that most people do not need to give it server rights. However, now you are having a problem, so the natural question is "What did you change?" That is the key to reversing it if you now have a problem.
[/quote]

I got into big trouble. Thanks to GoBack!
I rolled back my system to an earlier safe position...
I don't know exactly what happened. Maybe all those services could not be disabled... ;)

BlitzenZeus
October 27th, 2003, 12:59 PM
Please review my past comments, I run with all three of those services not running, and tell you when you need to have the DNS Client running. I won't tell people to do things that I know are not safe. :)

JPM
November 2nd, 2003, 11:05 PM
I run Look n Stop as my firewall but I checked and while I already had the SSDP Discovery Protocol and Universal PnP disabled I did have the DNS service set to auto. I have just changed it to manual and now SVCHost no longer shows up as being connected all the time on the app filtering tab of LnS. It always did prior to this change. Everything seems to be working correctly, should SVCHost still be allowed to connect or could/should it be blocked altogether now?

Thanks in Advance

Phant0m
November 3rd, 2003, 12:41 AM
Generic Host Process for Win32 Services (svchost.exe) has many tasks, one being resolving and caching DNS. You “have to” set svchost.exe to act-as-server or it won’t accept incoming DHCP packets that lead to disconnections from their ISP, unless they don’t use DHCP. Also you won’t accept incoming DNS packets and that will cause active Connections to time-out; unless “DNS Client” service is disabled then Client Applications itself sends constant DNS packets. And that being the case all the Client Applications will need to act-as-server to receive incoming DNS packets otherwise Time-Outs for all active connections…

Am I mistaken about how ZoneAlarm works?

Phant0m
November 3rd, 2003, 12:44 AM
For ZoneAlarm act-as-server Feature, does this apply to both TCP & UDP Protocols?

BlitzenZeus
November 3rd, 2003, 01:43 AM
If firewalls/configurations didn't separate services like DNS, and DHCP then that would cause problems. Every software firewall should be able to do this separation since as even older 9x systems allowed for this while not requiring to make every program a server in application based firewalls.

svchost.exe should not be a general server on the internet, and should be avoided at all costs. However of course it does have its services which you might need to allow based on your setup.

In application based firewalls like ZA, when you allow it to be a server, it will allow all inbound tcp/udp connections not started by the connection on ports that it happens to be listening on. Which again is dangerous for svchost.exe

Phant0m
November 3rd, 2003, 01:51 AM
[quote author=BlitzenZeus]
If firewalls/configurations didn't separate services like DNS, and DHCP then that would cause problems. Every software firewall should be able to do this separation since as even older 9x systems allowed for this while not requiring to make every program a server in application based firewalls.

svchost.exe should not be a general server on the internet, and should be avoided at all costs. However of course it does have its services which you might need to allow based on your setup.

In application based firewalls like ZA, when you allow it to be a server, it will allow all inbound tcp/udp connections not started by the connection on ports that it happens to be listening on. Which again is dangerous for svchost.exe
[/quote]

So ZoneAlarm does this separation of DHCP/DNS?

UDP is connectionless Protocol btw.

BlitzenZeus
November 3rd, 2003, 02:16 AM
I can't verify dhcp, but I know dns is separated as on 9x you didn't have to make every program a server. I'm sure they have some simple settings to select like checking the box for DHCP if it's not already enabled by default.

Of course I know udp is connectionless, but that doesn't stop firewalls from monitoring its outbound udp to make a direct connection with inbound udp so it's only accepted from that source.

This method is not the most secure, however it's even less secure to force the user to make every program a server just so it can resolve dns.

Phant0m
November 3rd, 2003, 02:59 AM
[quote author=BlitzenZeus]
Of course I know udp is connectionless, but that doesn't stop firewalls from monitoring its outbound udp to make a direct connection with inbound udp so it's only accepted from that source.
[/quote]

Correct; UDP does not contain any connection information such as sequence numbers. Though at the very minimum they contain IP address & port pairs, all of these data can be analyzed in order to build "virtual connections" in the cache.

JPM
November 3rd, 2003, 05:44 PM
Well if I must allow SVCHost to connect then something is strange with my LnS setup. I have had SVCHost blocked since last night, today I started my computer up and everything is connecting fine. I am on a cable modem and I believe in the past SVCHost was needed for DHCP and DNS. But it is blocked and everything is connecting fine with no time outs and such. Any ideas on what to check to verify that LnS is running properly?

Thanks

Phant0m
November 3rd, 2003, 05:53 PM
Hey JPM

From what you previously said, you have “DNS Client” service set to manual and therefore svchost.exe doesn’t make DNS connections any longer. However, you are on cable and if you have DHCP enabled and you have svchost.exe set to deny for connecting rights in Application Filtering List then you will experience re-connecting issues with your ISP after a certain length of time being connected and without re-booting.

LowWaterMark
November 4th, 2003, 04:09 PM
I'm not sure if this was clear from what is written above.

In ZAP running on XP Home, I do not need to give server rights to either svchost.exe (note that I have both DHCP and DNS client disabled, so this is obvious), or any network aware client programs for the sake of DNS resolution.

ZAP allows the reply packets from the DNS server back through to the client programs, (like IE for example), without needing to give that program server rights.

There are times however when DNS is slow to respond and ZAP has timed out as far as recognizing that the incoming DNS packets are replies, and so I will at that moment get a popup to grant that client program (IE example again) server rights that one time.

This is a fairly rare occurrence, though I believe other firewalls do this as well, do they not? Late replies are no longer seen as being replies to valid requests?

So, you generally do not need to give all programs server rights in ZAP to allow DNS reply packets, well unless all your DNS replies are slow, though in that case you might want to speak to your ISP about getting better DNS servers.
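
Added example (not part of the original thread, and not ZoneAlarm's actual code): a simplified model of the UDP "virtual connection" cache discussed above, showing why a prompt DNS reply passes without server rights, why a late one triggers a server-rights prompt, and what granting svchost.exe server rights opens up. The class name, the 5-second timeout, the ports and the documentation-range addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class UdpStateTable:
    """Toy application firewall: tracks outbound UDP so replies can be matched."""
    timeout: float = 5.0                       # assumed idle timeout, seconds
    server_rights: set = field(default_factory=set)   # programs allowed unsolicited inbound
    flows: dict = field(default_factory=dict, init=False)

    def outbound(self, now, program, lport, raddr, rport):
        # Each outgoing datagram creates or refreshes a virtual connection.
        self.flows[(lport, raddr, rport)] = (program, now + self.timeout)

    def inbound(self, now, lport, raddr, rport, listener):
        key = (lport, raddr, rport)
        entry = self.flows.get(key)
        if entry and now <= entry[1]:
            return "allow-reply"               # matches a recent request
        self.flows.pop(key, None)              # expired or never existed
        if listener in self.server_rights:
            return "allow-server"              # unsolicited, but program is a "server"
        return "prompt-server-rights"          # user is asked, as in the ZA popup

def demo():
    fw = UdpStateTable(timeout=5.0)
    dns = ("192.0.2.53", 53)                   # constructed resolver address
    out = []
    # 1. Normal lookup: reply arrives 0.2 s after the query.
    fw.outbound(0.0, "iexplore.exe", 1037, *dns)
    out.append(fw.inbound(0.2, 1037, *dns, listener="iexplore.exe"))
    # 2. Slow resolver: reply arrives after the cache entry has expired.
    fw.outbound(10.0, "iexplore.exe", 1038, *dns)
    out.append(fw.inbound(16.5, 1038, *dns, listener="iexplore.exe"))
    # 3. Unsolicited datagram to a port svchost.exe listens on (1900 = SSDP).
    out.append(fw.inbound(20.0, 1900, "198.51.100.7", 4000, listener="svchost.exe"))
    # 4. Same datagram once svchost.exe has been granted server rights.
    fw.server_rights.add("svchost.exe")
    out.append(fw.inbound(21.0, 1900, "198.51.100.7", 4000, listener="svchost.exe"))
    return out

if __name__ == "__main__":
    for step, verdict in enumerate(demo(), 1):
        print(step, verdict)
```

Case 2 is the rare popup described in the last post; case 4 is why server rights for svchost.exe are best avoided.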