Firewall and incoming data for svchost.exe

Discussion in 'ESET Smart Security' started by VPIC, Jan 4, 2012.

Thread Status:
Not open for further replies.
  1. VPIC

    VPIC Registered Member

    Hi all,
    I have a problem with the ESS 5 firewall (I'm using the latest version, 5.0.95.0). I use interactive and learning mode to filter all processes, ports, remote IPs, etc. on my pro laptop, and I'm OK with this option because I need to see all incoming and outgoing communications for many reasons.

    It works correctly most of the time: when an application tries to communicate, it asks about outgoing data for the correct process, but not always... The problem is that often the firewall isn't able to see which process is communicating: for example, if Firefox tries to establish a communication with Mozilla servers to look for add-on updates (the URL is explicit), the firewall says that there is incoming data from these servers for the svchost.exe process. The same thing happens, for example, with spoolsv.exe, or the PSI Secunia agent, etc. If I authorize the communication, then the firewall asks for outgoing data from the original application, not svchost.exe.

    I'm not sure why this is happening, but clearly I don't want to authorize all communications for the svchost.exe process, especially for incoming data... so it is very annoying to see this happening. Is there a way to correct this, or is this a bug? I think it's because there are many local connections inside the computer, but why can't the firewall understand this?

    Thanks for your time

    PS: When I validated this post, the firewall warned me about an incoming connection from wilderssecurity.com for svchost.exe... annoying...
     
  2. Cudni

    Cudni Global Moderator

  3. Marcos

    Marcos Eset Staff Account

    It is by design of Windows.
     
  4. VPIC

    VPIC Registered Member

    Thanks for your responses.
    I read the post you mentioned, and I know that svchost.exe is used for network services too, like DNS (that's why, if you use the DNS Client service, you have to authorize outgoing connections for svchost.exe and not only your browser, to correctly resolve URLs to IPs). But I still don't understand why ESS tells me about incoming connections for svchost.exe when I use Firefox, for example, and from a site which apparently has to do with the current web page. It does the same thing when Windows Update is looking for MS servers (there are normal outgoing connections from svchost.exe for the WU service too): incoming connections from MS servers for svchost.exe...

    It looks like ESS isn't able to understand the way the connections are initiated, and sometimes it says it's the svchost.exe process when apparently it isn't (Firefox, Secunia PSI, etc.)

    But what do you mean by design? There wasn't the same problem with other firewalls, nor, if I remember correctly, with ESS 4... and there are no apparent problems if I refuse these "incoming" connections, but I'd like to know what kind of data is transmitted. Well, I could use Wireshark, but it could take some time to analyze; I was hoping you could tell me what's happening.
     
  5. Marcos

    Marcos Eset Staff Account

    Because Firefox calls Windows API functions to establish a connection, which is done via svchost.exe?
     
  6. VPIC

    VPIC Registered Member

    I suppose that not only Firefox but any application uses API calls to establish a connection, so isn't the purpose of ESS to intercept ALL traffic by using its driver or by hooking the API? Wouldn't it be too easy to make an application which uses certain Windows API calls to communicate via svchost.exe in order to be invisible to the firewall? :blink:

    And that doesn't explain why it says incoming and not outgoing connection...
     
  7. Marcos

    Marcos Eset Staff Account

    It works fine here, by the way. Firefox always appears as the application initiating the connections on Windows XP as well as on Windows 7 x64.
    I'd suggest contacting customer care and providing them with your ESS configuration and a Wireshark log with the communication captured while updating Firefox.
     
  8. VPIC

    VPIC Registered Member

    Thanks for your help, I'll try to investigate this if I can find time, and send some info to the maintenance team. BTW, I use Windows 7 x64.

    But just to be clear, it isn't a Firefox problem; as I said, it was only an example. It does the same thing for many apps and services, like Windows Update, Secunia PSI, IE, etc. You never saw this for any application? Maybe you have all outgoing/incoming connections authorized for svchost.exe? Try to use only interactive firewall mode, starting with no rules at all, and you'll see what I mean, even after having made a few normal rules interactively for legitimate connections.

    And it would be very useful if the ESS firewall could give more details about connections (services for svchost.exe, PID, the possibility to log data packets...). Hmm, I should make a suggestion to the dev team for this dream :shifty:

    Anyway, thx
     
  9. Marcos

    Marcos Eset Staff Account

    I was mistaken; applications communicate directly, not via svchost.exe. As I wrote, we'll need more information (Wireshark log, SysInspector log, your ESS configuration) to tackle this.
     
  10. VPIC

    VPIC Registered Member

    OK, I just used Wireshark for a few minutes to see packets, and sometimes the ESS 5 firewall says that it's an incoming connection while it's a response to a previous packet, for example an [ACK] response to an [RST, ACK] request, but not only... :blink:

    It can work with no problem for a while, then it gives this warning, with nothing particular from what I can see (same packets, same request o_O). Maybe ESS is sometimes too slow to test the port and application, and then the port is closed by the application before it looks at it?

    Oh well... going to go home with this headache :gack:
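Added example (not code from this thread, from ESET, or from any poster): a small stateful direction classifier run over a constructed packet sequence matching what VPIC observed above, a late [ACK] from the server arriving after the local side sent [RST, ACK]. The addresses are constructed, and the "drop the flow as soon as RST is seen" model is an assumption that illustrates VPIC's "port closed before the firewall looks" hypothesis, not documented ESS behaviour.

```python
from collections import namedtuple

LOCAL = "192.0.2.10"       # constructed address of the laptop
REMOTE = "198.51.100.7"    # constructed address of a web server

Packet = namedtuple("Packet", "src sport dst dport flags")

def classify(packets, forget_on_rst):
    """Label each packet 'outgoing', 'reply' or 'incoming'.

    A flow is keyed by its unordered endpoint pair. A bare SYN sent by the
    local host opens the flow; later packets on a known flow are 'reply' when
    they arrive at the local host and 'outgoing' when they leave it. A packet
    to the local host on an unknown flow is 'incoming', the case a host
    firewall prompts about. With forget_on_rst=True the flow is dropped the
    moment RST is seen, so a late ACK on that flow looks unsolicited.
    """
    flows = set()
    labels = []
    for p in packets:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if p.src == LOCAL and p.flags == {"SYN"}:
            flows.add(key)
            labels.append("outgoing")
        elif key in flows:
            labels.append("reply" if p.dst == LOCAL else "outgoing")
            if forget_on_rst and "RST" in p.flags:
                flows.discard(key)       # eager teardown (assumed model)
        else:
            labels.append("incoming" if p.dst == LOCAL else "outgoing")
    return labels

def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))

# Constructed capture: the local browser connects, sends data, aborts with
# RST, and the server's delayed ACK of that data arrives after the RST.
CAPTURE = [
    pkt(LOCAL, 49152, REMOTE, 443, "SYN"),
    pkt(REMOTE, 443, LOCAL, 49152, "SYN", "ACK"),
    pkt(LOCAL, 49152, REMOTE, 443, "ACK"),
    pkt(LOCAL, 49152, REMOTE, 443, "PSH", "ACK"),
    pkt(LOCAL, 49152, REMOTE, 443, "RST", "ACK"),
    pkt(REMOTE, 443, LOCAL, 49152, "ACK"),      # late ACK on torn-down flow
    pkt(REMOTE, 40000, LOCAL, 445, "SYN"),      # genuinely unsolicited SYN
]

def demo():
    # (labels with eager teardown, labels when the flow is kept after RST)
    return classify(CAPTURE, True), classify(CAPTURE, False)
```

Only the sixth packet changes label between the two models; the unsolicited SYN on the last line is reported as incoming either way, which is the prompt a host firewall should raise.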
     