#1
I wish ESS would add rules to the firewall for SVCHOST.exe. This has already been a headache to set up after a fresh Windows 7 install. The file is the original, in its proper directory windows/system32. The system seems clean. There are a few legit connections, most of them documented (like DHCP, time updates, 443 updates, etc.). Still, when I create rules manually I sometimes end up losing the connection in the web browser or losing the connection completely.

Is it possible to add some proper rules to the Eset firewall with the default installation? It would help if you could set up a rule based not only on the application (SVCHOST in this case) but on the service or process it has started. There is no use in having a Svchost rule if I don't know the service or at least the port it is using. Right now there is no way to find out from the ESS notification (unless I use apps like TCPView and Process Explorer). It would also be nice if Eset added the name of the service or process along with svchost.exe in the details of the notification window when a connection attempt is made.

I found these rules in another posting for Outpost; not sure if these are right, will need testing. This is for Win XP, so it might be outdated.

SVCHOST.EXE (Secure Service Host Presets rules)
-----------

There are three places where an IP address(es) must be manually entered in this file before you can use the preset. First is your DHCP Server IP Address. Second is the UDP DNS rule. Third is the TCP DNS rule. Note if you do not intend to enable this rule you can either place a ; before each line of the rule and Outpost will ignore it or you can delete it completely.

Allow DHCP Service
Where the protocol is: UDP
and Where the remote host is: AAA.BBB.CCC.DDD ;<-- Enter your DHCP server IP here
and Where the remote port is: 67
and Where the local port is: 68
Allow It

Allow DNS Service
Where the protocol is: UDP
and Where the remote host is: AAA.BBB.CCC.DDD, AAA.BBB.CCC.DDD ;<-- Enter your ISP's DNS server IP's here
and Where the remote port is: 53
Allow It

Allow TCP DNS Service
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote host is: AAA.BBB.CCC.DDD, AAA.BBB.CCC.DDD ;<-- Enter your ISP's DNS server IP's here
and Where the remote port is: 53
Allow It

Possible UDP Trojan DNS
Where the protocol is: UDP
and Where the remote port is: 53
BlockIt
and Report It

Possible TCP Trojan DNS
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 53
BlockIt
and Report It

HTTP connection
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 80
Allow It

HTTPS connection
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 443
Allow It

Time Synchronizer connection
Where the protocol is: UDP
and Where the remote host is: 192.43.244.18, 207.46.130.100 ;<-- These IP's were current as of this posting.
and Where the remote port is: 123
Allow It

Block Inbound SSDP
Where the protocol is: UDP
and Where the local port is: 1900
BlockIt

Block Outbound SSDP
Where the protocol is: UDP
and Where the remote port is: 1900
BlockIt

Block Inbound UPnP
Where the protocol is: TCP
and Where the direction is: Inbound
and Where the local port is: 5000
BlockIt

Block Outbound UPnP
Where the protocol is: TCP
and Where the direction is: Outbound
and Where the remote port is: 5000
BlockIt

Block RPC (TCP)
Where the protocol is: TCP
and Where the direction is: Inbound
and Where the local port is: 135
BlockIt

Block RPC (UDP)
Where the protocol is: UDP
and Where the local port is: 135
BlockIt

TCP Inbound Coverage Rule
Where the protocol is: TCP
and Where the direction is: Inbound
BlockIt

TCP Outbound Coverage Rule
Where the protocol is: TCP
and Where the direction is: Outbound
BlockIt

UDP Coverage Rule
Where the protocol is: UDP
BlockIt

--------
SOURCE: http://www.outpostfirewall.com/forum...0&postcount=12

Last edited by polocanada : December 25th, 2009 at 04:20 PM.
#2
So right now I have this outgoing alert:

Application: Host Process for Windows Services (SVCHOST.exe)
Publisher: Microsoft Windows
Remote Computer: 64.156.132.140 (which is experts-exchange.com)
Remote Port: 80 (http)
Local Port: 59532

I happened to visit a website (using Opera Browser, Windows 7). On the website there were possibly links or ads linking to experts-exchange.com? In the case above it's clear: remote address, HTTP port, so it's easy to associate with browsing. But I'm not sure why SVCHOST is accessing the pages. The local port is strange. Why these strange numbers? Connections happen randomly. In some cases SVCHOST would use a different port and a different site, like in this case:

Application: Host Process for Windows Services (SVCHOST.exe)
Publisher: Microsoft Windows
Remote port: 80
Remote computer: vx-in-f102.1e100.net
Local port: 59541

Could this be svchost connecting to a DNS server, or what? It's pretty confusing what to do with SVCHOST. I have never paid attention to it before. Can't block it completely, can't leave it completely unattended. Or am I just getting hopelessly paranoid?

Last edited by polocanada : December 30th, 2009 at 12:18 AM.
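
Added example, not part of the thread: the alerts name only svchost.exe, so this joins `netstat -ano` with `tasklist /svc /fo csv` on the PID to list the services hosted by the svchost instance that owns each connection. Both sample outputs are constructed (the PIDs and the service grouping are made up and say nothing about which service produced the alerts above).

```python
import csv
import io

# Constructed sample in the layout of `netstat -ano` (PIDs are made up).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:59532     64.156.132.140:80      ESTABLISHED     1044
  TCP    192.168.1.10:59541     74.125.115.102:80      ESTABLISHED     1044
  TCP    192.168.1.10:59600     203.0.113.7:443        ESTABLISHED     3120
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed sample in the layout of `tasklist /svc /fo csv`.
TASKLIST = '''\
"Image Name","PID","Services"
"svchost.exe","1044","BITS,Schedule,wuauserv"
"svchost.exe","1100","W32Time,EventSystem"
"opera.exe","3120","N/A"
'''

def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # skip headers and blank lines
        # UDP rows have no State column, so the PID is always the last field.
        conns.append({"proto": f[0], "local": f[1], "remote": f[2], "pid": int(f[-1])})
    return conns

def parse_tasklist(text):
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        svcs = [] if row["Services"] == "N/A" else [s.strip() for s in row["Services"].split(",")]
        procs[int(row["PID"])] = (row["Image Name"], svcs)
    return procs

def svchost_connections(netstat_text, tasklist_text):
    """Return (proto, remote, pid, services) for every connection owned by svchost.exe."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for c in parse_netstat(netstat_text):
        image, svcs = procs.get(c["pid"], ("?", []))
        if image.lower() == "svchost.exe":
            out.append((c["proto"], c["remote"], c["pid"], svcs))
    return out
```

A shared svchost instance hosts several services, so the PID narrows a connection to a group of services rather than to a single one.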
#3
vx-in-f102.1e100.net resolves to 74.125.115.102; the IP range 74.125.0.0 - 74.125.255.255 seems to belong to Google.

As for local ports, don't pay attention to them unless you run a server service, such as an HTTP server. Local ports are assigned automatically by the operating system when an application establishes a connection to another computer.
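
Added example, not part of the thread: a first-match evaluator for the preset quoted in post #1, run against the two alerts from post #2. It assumes rules are checked top to bottom and the first match decides (implied by the preset's ordering, not stated in the thread); the DHCP and DNS addresses are documentation-range placeholders for AAA.BBB.CCC.DDD.

```python
DHCP = {"192.0.2.1"}    # placeholder for the preset's AAA.BBB.CCC.DDD
DNS = {"192.0.2.53"}    # placeholder for the ISP DNS servers
NTP = {"192.43.244.18", "207.46.130.100"}  # as listed in the preset

# (name, proto, direction, remote hosts, remote port, local port, action); None = any
RULES = [
    ("Allow DHCP Service", "UDP", None, DHCP, 67, 68, "allow"),
    ("Allow DNS Service", "UDP", None, DNS, 53, None, "allow"),
    ("Allow TCP DNS Service", "TCP", "out", DNS, 53, None, "allow"),
    ("Possible UDP Trojan DNS", "UDP", None, None, 53, None, "block+report"),
    ("Possible TCP Trojan DNS", "TCP", "out", None, 53, None, "block+report"),
    ("HTTP connection", "TCP", "out", None, 80, None, "allow"),
    ("HTTPS connection", "TCP", "out", None, 443, None, "allow"),
    ("Time Synchronizer connection", "UDP", None, NTP, 123, None, "allow"),
    ("Block Inbound SSDP", "UDP", None, None, None, 1900, "block"),
    ("Block Outbound SSDP", "UDP", None, None, 1900, None, "block"),
    ("Block Inbound UPnP", "TCP", "in", None, None, 5000, "block"),
    ("Block Outbound UPnP", "TCP", "out", None, 5000, None, "block"),
    ("Block RPC (TCP)", "TCP", "in", None, None, 135, "block"),
    ("Block RPC (UDP)", "UDP", None, None, None, 135, "block"),
    ("TCP Inbound Coverage Rule", "TCP", "in", None, None, None, "block"),
    ("TCP Outbound Coverage Rule", "TCP", "out", None, None, None, "block"),
    ("UDP Coverage Rule", "UDP", None, None, None, None, "block"),
]

def decide(proto, direction, remote_host, remote_port, local_port, rules=RULES):
    """Return (rule name, action) of the first rule whose set fields all match."""
    for name, r_proto, r_dir, r_hosts, r_rport, r_lport, action in rules:
        if (r_proto == proto
                and r_dir in (None, direction)
                and (r_hosts is None or remote_host in r_hosts)
                and r_rport in (None, remote_port)
                and r_lport in (None, local_port)):
            return name, action
    return None, "no match"  # hypothetical fallback; the coverage rules catch all TCP/UDP

# The two alerts from post #2: the local port plays no part in the decision.
ALERT_1 = decide("TCP", "out", "64.156.132.140", 80, 59532)
ALERT_2 = decide("TCP", "out", "74.125.115.102", 80, 59541)
```

Under this preset both alerts match "HTTP connection", while outbound traffic to any port without its own allow rule falls through to the coverage rules and is blocked.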