To stream video and music to my PS3 I have to allow outgoing connections for svchost.exe. Problem is, I've encountered a lot of malware that likes to disguise itself as svchost. Are there any workarounds?
When you make an outbound rule for svchost you will specify an IP address. Malware disguising itself as svchost and attempting to connect outbound will be flagged, as shown here from an old Netsky exploit. Three reasons the firewall will alert:

1) Unauthorized IP address
2) Wrong directory (.../temp)
3) Unauthorized MD5 hash

The first will be stored in your filter rules as a custom address. The second two -- path/directory and MD5 binary -- are stored somewhere in your Firewall Configuration.

---- rich
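An added example, not from the thread, of how the three checks Rich lists (destination address, binary path, binary hash) can be evaluated together for one outbound attempt; the System32 path, the PS3 address and the binary contents are constructed sample values.

```python
import hashlib
import ipaddress
import ntpath

# Constructed stand-ins for the real svchost.exe and for a malware binary that
# merely borrows the name (sample bytes, not real files).
GOOD_BINARY = b"constructed stand-in for the genuine svchost.exe"
BAD_BINARY = b"constructed stand-in for malware named svchost.exe"


def md5_of(data: bytes) -> str:
    # MD5 is the digest the firewall in the thread records for the allowed binary
    return hashlib.md5(data).hexdigest()


# Constructed example rule: only the System32 svchost.exe, with its recorded
# hash, may talk outbound, and only to the PS3 on the LAN (address is made up).
RULE = {
    "path": r"C:\Windows\System32\svchost.exe",
    "md5": md5_of(GOOD_BINARY),
    "allowed_ips": ["192.168.1.50"],
}


def same_windows_path(a: str, b: str) -> bool:
    # Windows paths are case-insensitive and accept either separator,
    # so normalise both before comparing (avoids a trivial bypass by casing).
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def check_outbound(rule: dict, exe_path: str, exe_bytes: bytes, dest_ip: str) -> list:
    """Return every reason the attempt would be flagged; an empty list means allowed.

    All three checks run independently, so a genuine svchost.exe that has been
    hijacked (e.g. by code injection) still trips the address check even though
    its path and hash are the expected ones."""
    reasons = []
    allowed = {ipaddress.ip_address(ip) for ip in rule["allowed_ips"]}
    if ipaddress.ip_address(dest_ip) not in allowed:
        reasons.append("unauthorized IP address")
    if not same_windows_path(exe_path, rule["path"]):
        reasons.append("wrong directory")
    if md5_of(exe_bytes) != rule["md5"]:
        reasons.append("unauthorized MD5 hash")
    return reasons


if __name__ == "__main__":
    print(check_outbound(RULE, r"c:\windows\system32\SVCHOST.EXE", GOOD_BINARY, "192.168.1.50"))
    print(check_outbound(RULE, r"C:\Users\victim\AppData\Local\Temp\svchost.exe", BAD_BINARY, "203.0.113.9"))
```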
Thanks Rich, this helps a lot. At the moment I'm using Windows Firewall Control V2 where only programs I allow can access the internet. This means I allow svchost in the system32 folder. Will a disguised svchost always be in the temp folder or can it overwrite the real svchost? Is this a safe setup or should I choose a different firewall (HIPS)? I guess if I wasn't streaming to the PS3 I wouldn't need to allow this file and it would be a non-issue. Thanks!
No, I've seen one put in a startup location so that it would run each time the victim booted the computer.

I did a test, copying a bogus svchost.exe to \system32, and my security blocked it. Then I turned off my security and did the test again, and Windows prompted me. So unless there is other trickery involved, I don't see the original file being overwritten w/o my permission. Besides, Windows File Protection, which monitors system files, would replace it with one from the DLL cache, so this would be another hurdle for the malware to overcome.

Also, current malware uses injection tricks to control processes, not just bogus files. Just look at a Conficker analysis.

I can't answer that question for you. Others more knowledgeable about firewall/HIPS products will have to make recommendations.

regards, -rich