svchost.exe Network usage Reduction

Discussion in 'other firewalls' started by CloneRanger, May 17, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I don't understand: If we are both using Kerio, why are you required to allow both in- and outbound for the time check Port 123, and I only have to allow outbound?

    thanks,

    -rich
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Is your time actually synchronizing? Try a manual (time) synchronization.


    - Stem
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    There is a config sent over PPP (for local IP etc). Have found the info in the sniffer logs.


    - Stem
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for sharing your findings. :thumb:
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    UPDATE:

    Well, egg on my face!

    I just decided recently to set up the time check, and in letting Kerio prompt, I neglected to disable my 'Block All Other Inbound' rule, so I never got a prompt for inbound port 123!

    You are correct, the rule needs both directions!

    I'm glad you brought it up.

    thanks,

    -rich
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Cool :)
    The only evidence comes around when the clock battery dies and the time stands still.
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Really ! I've never had problems surfing my way though. I might try it & see, just don't like the idea of so called "trusted server" rights for svchost, running free :(

    I've closed Port # 135 as per my earlier screenie etc.

    Yeah, glad i've got the free :D

    Thanks :thumb:

    Originally Posted by m00nbl00d

    Interesting, so that's at least 2 of us :D What OS are you on ?

    They're better than I expected!
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Stem & also anyone who may be able to provide further insights :thumb:

    Re - DHCP

    Everything possible shown for Services between B - D with AR

    [screenshot attachment: s-a.gif]

    DHCP missing ?

    Everything possible shown for Services between B - D with PH

    [screenshot attachment: s-h.gif]

    DHCP present ! But not running.

    *

    Re - svchost.exe & Services

    I happened to look at ProcessGuards current log

    Noticed that wmiprvse.exe & svchost.exe are connected & the PID is 844

    Launched Svchost Process Analyzer

    [screenshot attachment: svc-analy.gif]

    Re - DCOM Product Launcher = & Terminal Services


    Further connections

    AppMgmt = rpcss.dll & termsrv.dll

    HidServ = rpcss.dll & termsrv.dll



    Not sure why wmiprvse.exe wanted to launch & why it was invoked by svchost.exe? Some of the above "might" have nothing to do with any issues etc, but as I noticed them & several "appeared" connected etc, I thought I'd post the info in case any of it might be relevant and/or ring any bells :)
     
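One way to do the PID-to-service mapping the post above did by hand with Svchost Process Analyzer, as an added example written for this thread rather than taken from it: it lists, for every svchost.exe instance, the service group, the hosted services and the TCP/UDP endpoints that process owns, so a firewall rule can be scoped to the service actually talking rather than to "svchost, trusted". It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): map each svchost.exe PID to its service
# group, hosted services and owned network endpoints.
# Assumes Windows 8 / Server 2012+ (NetTCPIP cmdlets) and an elevated prompt;
# on older systems the same data comes from `tasklist /svc` and `netstat -ano`.

# Hashtable keyed by ProcessId (as a string) -> the services running in that PID.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Snapshot all endpoints once; each carries the owning PID.
$tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint  -ErrorAction SilentlyContinue

foreach ($proc in Get-Process -Name svchost) {
    $pidStr   = [string]$proc.Id
    $services = if ($svcByPid.ContainsKey($pidStr)) { $svcByPid[$pidStr] } else { @() }

    # The "-k <group>" argument on the command line names the service group
    # (e.g. netsvcs, RPCSS); it is what the analyzer tools display as the group.
    $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
    $group = if ($cmd -match '-k\s+(\S+)') { $matches[1] } else { '?' }

    $t = $tcp | Where-Object OwningProcess -eq $proc.Id |
         ForEach-Object { "TCP $($_.LocalAddress):$($_.LocalPort) $($_.State)" }
    $u = $udp | Where-Object OwningProcess -eq $proc.Id |
         ForEach-Object { "UDP $($_.LocalAddress):$($_.LocalPort)" }

    [pscustomobject]@{
        PID       = $proc.Id
        Group     = $group
        Services  = ($services | ForEach-Object Name) -join ', '
        Endpoints = (@($t) + @($u)) -join '; '
    }
}
```

Pipe the output to `Format-List` or `Export-Csv` to keep a baseline; a PID whose Endpoints column shows a listener that none of its listed services should need is the one worth a dedicated firewall rule.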
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    svchost is the Windows "services host" and wmiprvse.exe is (part of) the Windows Management Instrumentation service.




    - Stem
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Just wondered why wmiprvse.exe would try to run like that? & I'm always a bit concerned about "possible" svchost shenanigans ;)

    How's your sniffing etc going, re the other thread & this?
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Have a search on the Internet for that windows application. One such find would be:-
    Then make a search for WMI (Windows Management Instrumentation).
    The actual MS description should give you a word of warning as not to disable the service, or block its component(s) application(s): from execution/running-

    But of course, that does not infer that such application(s) need Internet access. Block them at the firewall if wanted.

    - Stem
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yeah did that ;)

    Indeed.

    It didn't get that far ;)

    My concern is stuff piggybacking on top of other stuff, e.g. injecting code into other apps to try & get out, and/or "maybe" using svchost for the same reasons. This could be some innocent app wrongly configured in its code etc, or of course a nasty.

    Anyway I'm going to start a new thread about this, right now ;) Hope you can provide some answers :)
     