firewall alert

Discussion in 'other firewalls' started by the mul, Apr 4, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    I would like some help on this, please. When I am on the internet I get only one alert from NPF 2003, and it says [a remote system is attempting to access microsoft host process for win32services on your computer]; the programme is [c:windows/system32/svchost.exe], TCP inbound, and it gives it a low risk rating and asks you to permit it, as NPF gives it a low risk rating.
    I have blocked it as I am not sure what to do, and I have not discovered any difference to my system by blocking it. Should I allow it, as NPF asks to permit it due to low risk, or should I block it, or set up special rules and allow it all the time or block it all the time?


    The Mul
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Regardless of the answer to the next question, my suggestion would be to continue blocking that access. A key rule in firewall security is to block anything that you don't need, regardless of the severity or importance given to it. If your system works fine when you block a certain access, then keep blocking it.

    The question I have is "what port" does it say the incoming connection is going to? Not that it is important, per se, since I still suggest blocking it, it's just I'm not sure I like the association being made between "low risk" and a suggestion to "permit it".

    Yes, a blocked inbound connection attempt is low risk; however, depending upon exactly what port that's coming into, since it's a service the Generic Host Process (svchost.exe) is listening on, allowing the inbound connection could open your system to as yet unknown and unpatched exploits in svchost.

    In other words, if you were to allow some unsolicited packets to enter through your firewall and connect into svchost, you are no longer at "low risk". You could be at very high risk depending upon what port (service) in svchost those packets are targeting.
     
  3. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Thanks for your reply. I checked with Port Explorer and it is port 1025, and I will set up special rules in NPF to block this alert from happening again. As I was reading your reply, the same alert was asking for permission again.


    The Mul
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi The Mul

    In NPF do you have the personal firewall setting at high?

    Regards,

    CrazyM
     
  5. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Yes, I have all settings in NPF 2003 set at high, and I have set up special rules for this alert and blocked this inbound connection that is trying to access svchost.exe. Now there are no more problems, and it has no effect on my system with the block in place.


    The Mul
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    That inbound blocking rule should be fine and cause you no problems. You might want to consider a final inbound block rule in your trojan rules to cover this off as the ports used by services on your system such as svchost.exe can vary. Examples of this type of rule(s): AtGuard/NIS Trojan Horse Settings/Final Block Rules

    Regards,

    CrazyM
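
The difference between the port-specific block rule and the final inbound block rule suggested above, as an added example that is not part of the thread and is not NPF's rule engine. It assumes a simplified first-match model in which unmatched inbound traffic falls back to a user prompt; the rule names and the ports 1026 and 1030 are constructed.

```python
"""Simplified first-match inbound rule model (constructed; not NPF's engine)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "block" or "permit"
    program: Optional[str] = None  # None matches any program
    port: Optional[int] = None     # None matches any local port

    def matches(self, program: str, port: int) -> bool:
        return (self.program in (None, program.lower())
                and self.port in (None, port))


def decide(rules, program, port, default="prompt"):
    """Return (action, rule name) of the first matching rule, else the default.

    The "prompt" default is an assumption standing in for the alert dialog.
    """
    for rule in rules:
        if rule.matches(program, port):
            return rule.action, rule.name
    return default, "no rule matched"


SVCHOST = "svchost.exe"
# Rule set as described in the thread: one block rule for the alerted port.
PORT_ONLY = [Rule("block svchost 1025", "block", SVCHOST, 1025)]
# Same rule set with a catch-all inbound block as the last entry.
WITH_FINAL = PORT_ONLY + [Rule("final inbound block", "block")]

# Constructed unsolicited inbound TCP attempts; 1026 and 1030 stand in for
# the same service listening on a different port.
ATTEMPTS = [(SVCHOST, 1025), (SVCHOST, 1026), (SVCHOST, 1030)]


def summarize(rules):
    """Action taken for each constructed attempt, in order."""
    return [decide(rules, prog, port)[0] for prog, port in ATTEMPTS]


if __name__ == "__main__":
    for label, rules in (("port-only", PORT_ONLY), ("with final block", WITH_FINAL)):
        for prog, port in ATTEMPTS:
            action, why = decide(rules, prog, port)
            print(f"{label:17} {prog}:{port:<5} -> {action:7} ({why})")
```

Because matching stops at the first hit, any permit rules for services that must accept inbound connections have to sit above the final block rule.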
     
  7. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hi the mul, for what it's worth... I occasionally see this same activity and have always blocked it, and all seems well. Have not seen it lately until today, when I had two or three attempts made to come visit :rolleyes:
     