svchost, many outbound connections

I’m getting lots of svchost.exe connections (udp out). Is this normal? There is about 10-20 of them listed in my comodo firewall active connections. They seem to only open up when I open my web browser. I know this is a normal process but not with so many outbound connections. I also read that svchost only needs access to port 53. Is this true, and how do I fix this.

 

Is your browser home page set to "about:blank"?
If not, multiple concurrent connections at startup shouldn't be surprising.
(20 does sound excessive. Have you 'tweaked' your TCP-related registry settings?)

Do you know which browser extensions are installed, and are enabled?
In addition to the 'start' webpage loading when you open a browser instance, some of your browser extensions may be 'calling home' at each launch.

====================

"svchost only needs access to port 53. Is this true, and how do I fix this."

Fix? If you mean 'tighten'...

you would alter the policy rules for svchost.exe
Comodo interface: "Firewall" tab } "Advanced" button } Network Security Policy

double-click the svchost entry, choose "use a custom policy"

first rule: allow TCP/UDP (perhaps just UDP) out where dest.port is 53
second rule: ask (or deny, your call) out for any TCP/UDP

even tighter:
enter the IPs for your primary/secondary DNS servers as the only permitted destination IPs within first rule

even tighter:
you could install a local DNS caching proxy (DNSKong, or TreeWalkDNS) and set your first rule for svchost (and ALL processes) so that requests ONLY to 127.0.0.1:53 are permitted

 

Wow, thankyou thankyou.

I do have a few browser addons plus a realtime AV webscanner. I will do as you suggested.

Any more info on the reg tweaks?

 

"reg tweaks", as in: a couple HowTo guides & trying-to-be-helpful utilities have circulated which mess with your registry settings toward optimizing your xfer speeds... but the tweaks can produce detrimental rather than optimal results. One of reputedly helpful tweaks was to set a high number of simultaneous half-open connections. (Arguably, reuse of existing connections is usually more efficient.) If you haven't 'messed with' the registry settings in this way, don't worry about it.

 

I have 19 after 30 minutes of safe browsing on a malware-free four day old installation of Vista. No problem.

 

FWIW the connections are all on ports in the 50,000 - 60,000 range. I just read in another forum that that may indicate a malware infection. I ran MBAM, SAS, and Avast and none of them detected anything. The destination IP is always the same and I think it might be my ISP, but I don’t know if I‘m reading that correctly or if my ISP is showing up simply because its the same ISP the destination IP is using. I haven’t yet tightened my policy but will do so once I figure this all out.

 

Hmmm…I’m reading conflicting things on ports in that range. I’m still on XP SP3. The full path shows that svchost.exe is in the proper location (system32\) so it's likey not malware. I’m probably just being paranoid.

 

Instead of sitting by, worrying & guessing, fire up WireShark and peek inside the packets.