Avast use of RPCSS with Kerio

Discussion in 'other firewalls' started by Jessie James, Aug 21, 2003.

Thread Status:
Not open for further replies.
  1. Jessie James

    Jessie James Guest

    For Avast AV to be able to send a virus to the virus vault, RPCSS must be operational. Ashserv.exe must also be in msconfig startup.

    Is a Kerio rule available to ensure RPCSS is not used by any other application? I have noticed no internet access in regard to this relationship.

    Win98SE, Kerio 214, no networking functions used.
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Jessie James

    Does Kerio actually prompt you for a rule for this?
    If you have a generic loopback rule, I would think it should handle any traffic on your own system.

    Regards,

    CrazyM
     
  3. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    OK, svchost.exe, which hosts RPC, does require localhost communication. So start off with a loopback rule as previously suggested.

    Protocol: TCP/UDP
    Direction: Both
    Local: Any
    App: Any
    Remote endpoint: single address - 127.0.0.1
    Remote Port: Any
    Rule Valid: always
    Permitted
    Logging, and Alerting disabled.

    Move this rule to the top of your ruleset to ensure other rules don't interfere with anything else currently.

    Now make a blocking rule for svchost.exe (Generic Host Process for Win32)

    Protocol: TCP/UDP
    Direction: Inbound
    Local: Port Type - Any Port
    Application: x:\windows\system32\svchost.exe
    Remote Endpoint: any address - any port
    Rule Valid: Always
    Deny
    Enable logging, but not Alerting.

    An alternative rule would be....

    Windows Services Block
    Protocol: TCP/UDP
    Direction: Inbound
    Local Ports: List of ports - 135, 137, 138, 139, 445, 500
    Application: Any
    Remote: Any
    Rule Valid: Always
    Deny
    Enable logging, but not alerting.

    ...however, this rule would not stop the number of probes being targeted at your port 1026; however, you could add it if you have to. So you merely add 1026, or another port you're getting pounded on, when you have to.

    Put this rule below the loopback rule for right now until you understand what your rules are permitting, and blocking.

    The svchost.exe rule will block things like the windows time sync, but you can capture the outbound it makes to the remote address, restrict it to port 123 on both ends bound to that ip address, then edit the rule to both directions. After that place it above the blocking rule you just made.

    However, don't allow any communication on port 1900. If you see these, Start -> Run: services.msc. You want to do this for two services: SSDP Discovery Service and Universal Plug n' Prey. Select the service, right-click, then select Properties, click Stop, select Disabled, and then click OK.

    Now if you use a software proxy, you make two loopback rules. If your proxy is on 8080, then the first rule has the remote port range of 1-8079, and the second rule has the port range of 8081-65535. Then you assign programs permission to access your localhost on 8080 so they can't just slip out.

    Here's a link to help you understand Kerio better.
    http://www.broadbandreports.com/faq/security/all#2720
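    As an added illustration (not code from this thread, from Kerio, or from Avast), here is a small Python model of first-match rule evaluation over the rules BlitzenZeus lists, showing why the loopback rule goes on top and the time-sync rule goes above the svchost block. The addresses 192.0.2.10 (standing in for the time server) and 203.0.113.9 (a remote prober) are constructed sample values.

```python
# Added example, not code from the thread or from Kerio: a first-match
# simulation of the ruleset described above, to show why the loopback
# rule goes first and the time-sync rule goes above the svchost block.
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rule:
    name: str
    action: str                      # "permit" or "deny"
    direction: str                   # "in", "out" or "both"
    app: Optional[str]               # None = any application
    remote_addr: Optional[str]       # None = any remote address
    local_ports: Optional[Set[int]]  # None = any local port
    remote_port: Optional[int]       # None = any remote port


def conn(direction, app, remote_addr, local_port, remote_port):
    """One connection attempt as the firewall sees it (constructed sample)."""
    return dict(direction=direction, app=app, remote_addr=remote_addr,
                local_port=local_port, remote_port=remote_port)


def matches(rule: Rule, c: dict) -> bool:
    if rule.direction != "both" and rule.direction != c["direction"]:
        return False
    if rule.app is not None and rule.app != c["app"]:
        return False
    if rule.remote_addr is not None and rule.remote_addr != c["remote_addr"]:
        return False
    if rule.local_ports is not None and c["local_port"] not in rule.local_ports:
        return False
    return rule.remote_port is None or rule.remote_port == c["remote_port"]


def evaluate(rules, c: dict) -> str:
    """First matching rule wins; with no match Kerio would prompt the user."""
    for r in rules:
        if matches(r, c):
            return r.action
    return "prompt"


# The rules from the post. 192.0.2.10 is a constructed time-server address.
LOOPBACK = Rule("Loopback", "permit", "both", None, "127.0.0.1", None, None)
TIME_SYNC = Rule("Time sync", "permit", "both", "svchost.exe", "192.0.2.10", {123}, 123)
SVCHOST_BLOCK = Rule("svchost inbound", "deny", "in", "svchost.exe", None, None, None)
SERVICES_BLOCK = Rule("Windows Services Block", "deny", "in", None, None,
                      {135, 137, 138, 139, 445, 500}, None)
RECOMMENDED = [LOOPBACK, TIME_SYNC, SVCHOST_BLOCK, SERVICES_BLOCK]
```

Run `evaluate(RECOMMENDED, conn("in", "svchost.exe", "127.0.0.1", 135, 1045))` to see local RPC permitted; swap the loopback rule below the svchost block and the same connection is denied.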
     
  4. Amerk_5

    Amerk_5 Registered Member

    Joined:
    May 22, 2003
    Posts:
    78
    Location:
    Dansville, NY
    This was talked about last month in the avast! forums. Have a look at Reply #20 on this page http://www.avast.com/forum/showthread.php?t=651;start=15

    It talks about disabling the server portion of RPCSS by renaming/removing Rpcltscm.dll. Everything still functions as normal & now RPCSS is no longer listening to any ports.
     