Hello there guys, happy new year! Lately I have been getting a lot of weird connections and activity from svchost.exe. More or less this is the executable which is targeted 99% of the time by trojans. I would really appreciate a ruleset until I find out a way to deal with this permanently. 1) As of lately I have been thinking about installing a program to protect svchost.exe and similar important Windows files but I haven't found anything. I am trying to find a shadowing/sandboxing combo program in which I can monitor programs which ask access from svchost.exe and afterwards accordingly permanently allow them or revert to the previous state. Thing is that most of the time the intruder stays permanently there. 2) I am using Comodo Firewall and HIPS and I can say that I am very satisfied. However I have been looking for a way to isolate a program and run it in a sandboxed environment which doesn't allow interaction with any other program or net access. 3) Also I am looking for system hardening tools for Windows 7! Thank you for your time guys! Any help is appreciated!
What kind of connections? Can you list a few samples? What are you using for an AV? One of the links from MS on system hardening: http://www.microsoft.com/downloads/...e1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
What I'm using in Windows 7 Firewall with Advanced Security. Please note the Block rule for wuauserv.exe is actually allowed when Windows updates are needed. I just block it until I need it. Also, DNS doesn't normally have a direction placed on it, but in Win 7/Vista it does. The first picture is the "inbound" ruleset, while the second is the "outbound" ruleset.
Maybe it would greatly help if you also read the Sticky Thread "Firewall Questions for beginners." It has svchost rules there. Cheers!
Sorry for not replying on the topic for some time but I have been busy the past few weeks. @kerykeion I checked out the topic, it looks great! However I have Windows 7, can I use these rules accordingly? @wat0114 Thanks man, this helped out a lot! @Cudni I get svchost.exe connections at port 3576 --> TCP and a lot of connections at 1112 --> UDP out. However more connections pop up at random times, mostly at startup! Also system is listening on ports 2869, 139, 139 (twice!), 10243, 10243, 2869! Is that normal? Should lsass.exe use port 528 --> IGMP Out 224.0.0.22? I used the tasklist /svc command but it's really hard to tell what should be running and what shouldn't. Is there any program to make things a little bit easier? What ports should svchost.exe use in a pristine formatted Windows 7 OS? My knowledge in firewalls is quite limited so I would love to read some tutorial/site on how to effectively configure each application/system file in order to harden my system! If someone has something in mind I would love to hear it! Thanks for hearing me out guys!
I block IGMP, both inbound and outbound traffic. I've got no use for it, therefore I block it. (https://secure.wikimedia.org/wikipedia/en/wiki/Internet_Group_Management_Protocol) You could give TCPView a run and see if you like it. It's simple to use. In a strict firewall ruleset, the remote ports would be 80 and 443, like for Windows Updates, with svchost.exe bound to the Windows Update service. Adobe Reader also seems to download updates via svchost.exe, for example. Other than that, and unless needed (I have my doubts that something else would be needed), do not allow any more than it really needs. If it's something you wouldn't have trouble dealing with, and if you don't need it, I'd disable the DNS Client service and then create rules for DNS to allow each application requiring an Internet connection.
These are the ports used by svchost.exe. Is there something out of the ordinary? Gonna try and apply the rules today! http://img835.imageshack.us/i/123ph.jpg/
There is nothing "out of the ordinary" in the image above, just some of the standard ports used by the Windows generic host process. There is no single answer to the question of which ports svchost should have available. It totally depends upon personal circumstances. A single Windows XP PC, with no requirement for connecting to any external devices, using only IPv4, will be completely different to a Windows 7 PC that is part of a LAN using IPv4/IPv6 and is a member of a Windows 7 Homegroup. Adding other environments such as a Domain or mixed OS devices will change the game again. When considering which ports to make available, use an application such as Process Explorer or Process Hacker, or even tasklist /svc, identify the Process ID (second column in your image above) for the individual instance of svchost, and identify the services that instance of svchost is using. Then decide if you need that service. As an example, if you don't use IPv6 you can disable it; doing so will close a number of ports used by that protocol stack. If you don't synchronise your computer's clock with an Internet time server, close port 123. If you don't use DHCP, close ports 67 and 68. And so on.
Heimdall is right; nothing out of the ordinary and nothing to worry about. All pretty standard "Listening" states for Win7 svchost, including the IPv6 entries.
To identify the active connections and services that instance is using, open cmd/terminal as administrator. Type in "cd \Users\<your name>\Desktop\" and press Enter, then type "netstat -abno > netstat.txt" and press Enter. Go to \Desktop\ and open netstat.txt. Have a nice day....
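The two posts above describe the same procedure by hand: take each svchost.exe PID, find the services that instance hosts (tasklist /svc, Process Explorer, Svchost Viewer) and the ports it has open (netstat -abno), then decide per service whether the port needs to stay open. The script below is an added example, not posted by anyone in this thread, that automates that join on Windows 7 using only netstat, Get-Process and WMI (no NetTCPIP cmdlets, which Windows 7 lacks). It also flags two things a practitioner checks when "svchost is targeted by trojans" is the worry: a process named svchost.exe whose image is not %SystemRoot%\System32\svchost.exe, and one that hosts no service at all. The output format and the flag labels are my own choice.

```powershell
# Added example (not from the thread): map each svchost.exe instance to the
# services it hosts and the TCP listening / UDP bound ports it owns.
# Run from an elevated PowerShell prompt on Windows 7 or later.

# 1. Service name(s) per process ID, straight from the Service Control Manager.
$servicesByPid = @{}
foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 })) {
    $svcPid = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($svcPid)) { $servicesByPid[$svcPid] = @() }
    $servicesByPid[$svcPid] += $svc.Name
}

# 2. Every process calling itself svchost.exe, with its image path.
#    The genuine binary lives in %SystemRoot%\System32; anything else is suspect.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
$svchostByPid = @{}
foreach ($p in (Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
    $svchostByPid[[int]$p.Id] = $p.Path
}

# 3. Parse "netstat -ano". TCP rows carry a state column, UDP rows do not:
#    TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  788
#    UDP  0.0.0.0:123  *:*        1036
$endpoints = @()
foreach ($line in (netstat -ano)) {
    $f = $line.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[3] -eq 'LISTENING') {
        $endpoints += New-Object PSObject -Property @{ Proto = 'TCP'; Local = $f[1]; ProcId = [int]$f[4] }
    } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
        $endpoints += New-Object PSObject -Property @{ Proto = 'UDP'; Local = $f[1]; ProcId = [int]$f[3] }
    }
}

# 4. Report, one block per svchost instance, with the two sanity flags.
foreach ($procId in ($svchostByPid.Keys | Sort-Object)) {
    $services = $servicesByPid[$procId]
    $path     = $svchostByPid[$procId]
    $flag = ''
    if ($path -and ($path -ne $expectedPath)) { $flag += ' [IMAGE NOT IN System32]' }
    if (-not $services)                        { $flag += ' [HOSTS NO SERVICE]' }

    Write-Host ("svchost.exe PID {0}{1}" -f $procId, $flag)
    $svcText = if ($services) { $services -join ', ' } else { '(none)' }
    Write-Host ("  services: {0}" -f $svcText)

    $mine = $endpoints | Where-Object { $_.ProcId -eq $procId }
    if ($mine) {
        foreach ($e in ($mine | Sort-Object Proto, Local)) {
            Write-Host ("  {0,-4} {1}" -f $e.Proto, $e.Local)
        }
    } else {
        Write-Host "  (no listening TCP or bound UDP ports)"
    }
}
```

Read each block the way Heimdall describes: the service list tells you why a port is open (w32time for UDP 123, Dhcp for UDP 68, Dnscache for the ephemeral UDP ports, and so on), so the decision is "do I need this service?", not "is this port number scary?". Ports shown for a PID that hosts no service, or for an image outside System32, are the cases worth investigating further; everything else is the normal Windows 7 baseline the earlier replies describe.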
Thanks for the help guys! I am probably overthinking this. @Heimdall Well that's the general idea I guess. Sorta hard to find what's needed and what's not though! @wat0114 May I ask what's your firewall? It looks pretty nice!
Granted, it can be a little daunting trying to establish just what is and what isn't needed. It's also possible to introduce problems by disabling an essential service or closing a needed port. One small application you might find useful is Svchost Viewer http://svchostviewer.codeplex.com/ This will allow you to easily see which services are used by any given instance of svchost. It will also allow you to easily find the name of the associated service, which you may then be able to disable and thus close the ports. To help you decide if you can disable a service you can use a guide, such as the one published by Blackviper http://www.blackviper.com/Windows_7/servicecfg.htm One of the nice things about the Windows 7 firewall is that it allows one to create rules that can be applied to a specific service. This is not something that's easy, or even possible, to do in most third-party firewalls.
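The service-scoped rules Heimdall mentions are the thing that makes a tight svchost ruleset workable: instead of "svchost.exe may talk to 80/443", the rule is "the svchost instance hosting wuauserv may talk to TCP 80/443", which is also what the earlier reply about binding svchost to the Windows Update service was after. The script below is an added example, not posted in the thread, showing how those rules look with the built-in Windows Firewall with Advanced Security. It uses netsh advfirewall because Windows 7 has no NetSecurity PowerShell module (New-NetFirewallRule arrived with Windows 8). The rule names are my own; the service short names (wuauserv, Dnscache, w32time) are the standard Windows ones. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): outbound rules for svchost.exe scoped
# to individual services, using netsh advfirewall on Windows 7 or later.
# Rule names below are arbitrary labels chosen for this example.

$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Default policy: block outbound traffic that no rule allows. Without this the
# allow rules below change nothing, because the default outbound action is
# allow. Every other program that needs the network now needs its own rule.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Windows Update: only the svchost instance hosting wuauserv, only TCP 80/443.
# Created disabled, following wat0114's habit of enabling it only on patch day.
netsh advfirewall firewall add rule name="svchost - Windows Update out" `
    dir=out action=allow program="$svchost" service=wuauserv `
    protocol=TCP remoteport=80,443 enable=no

# DNS Client resolver: UDP 53. Add remoteip=<your resolvers> if they are static;
# if you disable the DNS Client service as suggested earlier, drop this rule and
# give each networked application its own UDP 53 rule instead.
netsh advfirewall firewall add rule name="svchost - DNS Client out" `
    dir=out action=allow program="$svchost" service=Dnscache `
    protocol=UDP remoteport=53 enable=yes

# Windows Time: UDP 123. Leave this rule out entirely if you do not synchronise
# the clock with an Internet time server, as Heimdall suggests.
netsh advfirewall firewall add rule name="svchost - Windows Time out" `
    dir=out action=allow program="$svchost" service=w32time `
    protocol=UDP remoteport=123 enable=yes

# Flip the update rule on for patching and off again afterwards.
function Enable-UpdateRule {
    netsh advfirewall firewall set rule name="svchost - Windows Update out" new enable=yes
}
function Disable-UpdateRule {
    netsh advfirewall firewall set rule name="svchost - Windows Update out" new enable=no
}

# Confirm the rule exists and shows the service binding (look for "Service:").
netsh advfirewall firewall show rule name="svchost - Windows Update out" verbose
```

Two caveats. First, switching the default to blockoutbound is the step that actually enforces anything, and it will silently break every application without a rule, so build the application rules first or expect a quiet afternoon of "why is my browser dead". Second, the service= match only distinguishes services that run in their own svchost instance or carry their own service SID; services sharing one instance share its token, so check the output of "show rule ... verbose" and the netstat mapping before trusting that a rule is as narrow as its name suggests. To undo any rule, "netsh advfirewall firewall delete rule name=<name>" removes it.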