Avast use of RPCSS with Kerio

Discussion in 'other firewalls' started by Jessie James, Aug 21, 2003.

Thread Status:
Not open for further replies.
  1. Jessie James

    Jessie James Guest

    For Avast AV to be able to send a virus to the virus vault, RPCSS must be operational. Ashserv.exe must also be in msconfig startup.

    Is a Kerio rule available to ensure PRCSS is not used by any other application. I have noticed no internet access in regard to this relationship.

    Win98SE, Kerio 214, no networking functions used.
  2. CrazyM

    CrazyM Firewall Expert

    Feb 9, 2002
    BC, Canada
    Hi Jessie James

    Does Kerio actually prompt you for a rule for this?
    If you have a generic loopback rule, I would think it should handle any traffic on your own system.


  3. BlitzenZeus

    BlitzenZeus Security Expert

    Feb 11, 2002
    Oregon, USA
    Ok, svchost.exe which hosts rpc does require localhost communication. So start off with a loopback rule as previously suggested.

    Protocol: TCP/UDP
    Direction: Both
    Local: Any
    App: Any
    Remote endpoint: single address -
    Report Port: Any
    Rule Valid: always
    Logging, and Alerting disabled.

    Move this rule to the top of your ruleset to ensure other rules don't interfere with anything else currently.

    Now make a blocking rule for svchost.exe(Generic Host Process for Win32)

    Protocol: TCP/UDP
    Direction: Inbound
    Local: Port Type - Any Port
    Application: x:\windows\system32\svchost.exe
    Remote Endpoint: any address - any port
    Rule Valid: Always
    Enable logging, but not Alerting.

    An alternative rule would be....

    Windows Services Block
    Protocol: TCP/UDP
    Direction: Inbound
    Local Ports: List of ports - 135, 137, 138, 139, 445, 500
    Application: Any
    Remote: Any
    Rule Valid: Always
    Enable logging, but not alerting.

    ...however this rule would not stop the number probes being targed to our port 1026, however you could add it if you have to. So you merely add 1026, or another port your getting pounded on when you have to.

    Put this rule below the loopback rule for right now until you understand what your rules are permitting, and blocking.

    The svchost.exe rule will block things like the windows time sync, but you can capture the outbound it makes to the remote address, restrict it to port 123 on both ends bound to that ip address, then edit the rule to both directions. After that place it above the blocking rule you just made.

    However don't allow any communication port 1900, if you see these, Start -> run: services.msc You want to do this for two services SSDP Discovery service, and universal plug n' prey. Select the service, right-click then select properties, click stop, select disabled, and then click ok.

    Now if you use a software proxy, you make two loopback rules. If your proxy is on 8080, then the first rule has the remote port range of 1-8079, and the second rule has the port range of 8081-65535. Then you assign programs permission to access your localhost on 8080 so they can't just slip out.

    Here's a link to help you understand Kerio better.
  4. Amerk_5

    Amerk_5 Registered Member

    May 22, 2003
    Dansville, NY
    This was talked about last month in the avast! forums. Have a look at Reply #20 on this page http://www.avast.com/forum/showthread.php?t=651;start=15

    It talks about disabling the server portion of RPCSS by renaming/removing Rpcltscm.dll. Everything still functions as normal & now RPCSS is no longer listening to any ports.
Thread Status:
Not open for further replies.