svchost.exe Outgoing connections??
arran
May 23rd, 2008, 04:13 AM
For those of you who have properly configured your Comodo 3 firewall, you may have noticed it's always blocking svchost.exe from accessing the internet, like to IP 207.46.20.252 shown in the screenie below. I think these IPs belong to Microsoft?
The only place svchost.exe needs to connect to is your DNS server via port 53. People using Online Armor will notice that this is set by default, that OA only allows svchost.exe to connect to your DNS.
Anyway, my question is this, "with Windows auto updates turned off":
Why is svchost.exe always trying to connect to Microsoft?
What information is svchost.exe trying to send to Microsoft?
Fuzzfas
May 23rd, 2008, 06:03 AM
-{ Quote: "
Why is svchost.exe always trying to connect to Microsoft?
What information is svchost.exe trying to send to Microsoft?" }-
LOL! MS has many mechanisms of phoning home. Try opening your search and explorer.exe will attempt to connect to MS, for example. Or open WMP...
Use XP AntiSpy and see if these connections remain. On my setup, svchost.exe only needs UDP out and nothing else. In PC Tools firewall I have it only with outgoing UDP allow rules for DNS and DHCP.
wat0114
May 23rd, 2008, 07:52 AM
-{ Quote: "
Anyway, my question is this, "with Windows auto updates turned off":
Why is svchost.exe always trying to connect to Microsoft?
What information is svchost.exe trying to send to Microsoft?" }-
Good question! I've pointed this out before here (http://www.wilderssecurity.com/showthread.php?t=203231&highlight=stats.microsoft) in post #12 and elsewhere, but no one ever seems concerned about it. Go figure?
However, I use the "Custom" option for downloading updates, and svchost needs access to ports 80 & 443 on various IP addresses to the Akamai servers.
wrongway67
May 23rd, 2008, 01:50 PM
Have a look with CurrPorts at which services are registered in that svchost (the column "Process Services" displays the list of services of a process).
Einsturzende
May 25th, 2008, 09:39 PM
207.46.0.0 - 207.46.255.255
65.52.0.0 - 65.55.255.255
131.107.0.0 - 131.107.255.255
64.4.0.0 - 64.4.63.255
Above are all ranges I found which are connected with MS somehow (maybe there are more)
Automatic update disabled is not enough, I'm afraid.
BITS (Background Intelligent Transfer Service) should be disabled as well.
arran
May 25th, 2008, 10:12 PM
Yes I also have Background Intelligent Transfer Service disabled.
The only services I have running are the ones below.
wrongway67
May 26th, 2008, 02:54 AM
But as said, if you run CurrPorts (http://www.nirsoft.net/utils/cports.html) you are able to see which services are handled by the svchost that phones m$, so you can narrow the field.
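An added example, not part of the thread and not any poster's code: the narrowing-down step suggested above, done from text output instead of the CurrPorts GUI. It assumes the service list comes from the built-in `tasklist /svc` command and that blocked connections have been exported from the firewall log as (PID, protocol, IP, port) records; both samples are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Ranges as posted in the thread (the poster's list, not verified here).
THREAD_RANGES = [("207.46.0.0", "207.46.255.255"), ("65.52.0.0", "65.55.255.255"),
                 ("131.107.0.0", "131.107.255.255"), ("64.4.0.0", "64.4.63.255")]
NETWORKS = [net for first, last in THREAD_RANGES
            for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last))]

# Constructed sample in the layout printed by `tasklist /svc`.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    912 DcomLaunch, TermService
svchost.exe                   1044 AudioSrv, BITS, Dhcp, wuauserv,
                                   Schedule
svchost.exe                   1180 Dnscache
"""

# Constructed blocked-connection records: (pid, protocol, remote IP, remote port).
# 207.46.20.252 is the address from the first post; the others are made up.
BLOCKED = [(1044, "TCP", "207.46.20.252", 80), (1044, "TCP", "65.55.184.16", 443),
           (1180, "UDP", "192.0.2.53", 53)]

def services_by_pid(text):
    """Map each svchost.exe PID to the services it hosts (handles wrapped lines)."""
    result, pid = {}, None
    for line in text.splitlines():
        if line.startswith("svchost.exe"):
            _, pid_s, svcs = line.split(None, 2)
            pid = int(pid_s)
            result[pid] = []
        elif pid is not None and line[:1].isspace():
            svcs = line  # continuation of the previous service list
        else:
            continue  # header, separator or blank line
        result[pid] += [s.strip() for s in svcs.split(",") if s.strip()]
    return result

def in_thread_ranges(ip):
    """True if the address falls inside one of the ranges listed in the thread."""
    return any(ipaddress.ip_address(ip) in net for net in NETWORKS)

def triage(blocked, tasklist_text):
    """Group blocked connections per svchost PID, split by listed/other range."""
    svc = services_by_pid(tasklist_text)
    report = defaultdict(lambda: {"services": [], "listed": [], "other": []})
    for pid, proto, ip, port in blocked:
        report[pid]["services"] = svc.get(pid, [])
        key = "listed" if in_thread_ranges(ip) else "other"
        report[pid][key].append(f"{proto} {ip}:{port}")
    return dict(report)
```

The result only narrows the field to the services sharing that svchost instance; it does not say which one of them opened the connection.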
Copyright ©2002 - 2012, Wilders Security Forums