FW configuration for svchost.exe?

Discussion in 'other firewalls' started by bellgamin, Jun 14, 2010.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I have been advised that svchost.exe is one of the most overused, abused and unsafe system processes that needs internet access. I also was advised that svchost.exe is a channel through which many malwares try to "phone home" because firewalls often are configured so as to give svchost.exe "carte blanche permission" to connect out, and to diddle with other programs almost at will.

    Accordingly I re-configured my HIPS/FW (Online Armor-Premium) so as to change all permissions for svchost.exe from "Allow" to "Ask."

    Not long thereafter I got my first svchost.exe-related pop-up. The pop-up advised me that svchost.exe wants to control Firefox (FF) in order to access the internet. A screenshot is below. (In response to the alert, I one-time blocked svchost from using FF. There were 2 more quick attempts & it gave up. As far as I can tell, all is still working okay.)

    ScrHunt02 13-Jun-10.gif

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    I have 2 questions {Be gentle, please -- bear in mind that I have little or no idea what I am talking about. :p }

    Q1- Why would svchost.exe need to connect out? NOTE: I feel this action by svchost.exe is legitimate -- my computer is squeaky clean -- so I am asking this question so as (hopefully) to be educated.

    Q2- How EXACTLY should a firewall be configured so as to allow svchost .exe to do those jobs (and ONLY those jobs) that it is supposed to do?
     
  2. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    There are potentially many reasons why svchost.exe (assuming it's the real one) will need outbound connectivity, some, however, will depend on the version of Windows installed and their default settings, for example Vista and Win 7 have IPv6 enabled by default. It will also depend on your environment, i.e. single computer or a LAN.

    Some of the more common services controlled (by default) through the svchost proxy process that may need outbound connectivity:

    DHCP
    DNS
    NTP
    UPnP/SSDP
    Windows Updates
    IPSEC/VPN
    Certificate services
    Network Discovery
    LLMNR (IPv6)
    Teredo (IPv6)

    There are others.

    I don't use the aforementioned firewall or any kind of HIPS (the usefulness of the message dialogue box above is reason enough); however, when configuring a firewall, the first thing I do is remove any default rules for svchost and the system object and set both to Ask for everything. I won't use a firewall that doesn't allow this. Most firewalls simply allow svchost and system OUT, and most users are happy to allow these to connect to wherever they wish.

    One of the more difficult situations to control is Windows Updates, simply because MS outsource the delivery to various hosting services, such as Akamai, and they use a multitude of different IP ranges. It's also geographical, so rules that work for someone in the UK may not work for someone in Japan.

    Catering for IPv6 is also quite difficult with the current crop of firewalls; there are only a few I know of that have reasonable support: Outpost, LnS, PCTools Firewall and of course the built-in Win 7 firewall (I assume Vista too, I never used it). The rest either have no support at all, or rudimentary at best. I notice you're running XP, so unless you're running the IPv6 stack alongside, this is less of an issue.
     
    Last edited: Jun 14, 2010
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    On the one hand your OA or other advanced firewalls (e.g. ZAPRO, etc...) will always warn the user if a third-party untrusted process (malware xyz) tries to use a trusted process (svchost) to connect out, so you are perfectly safe. Just keep your OSs fully updated.

    On the other, if you do not trust svchost then you should not run Windows-based OSs; if you do trust it, you should allow its functioning. Limiting svchost may under certain scenarios (especially for the latest OSs) impair its functioning or produce malfunctions of third-party software.

    You can indeed impose rules on svchost, but be prepared to troubleshoot issues that may happen in a completely unrelated context and may be difficult to trace back to your initial svchost rules :)
     
    Last edited: Jun 14, 2010
  4. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    If you are using Windows Vista/7 I would say that most svchost problems have been dealt with. If you have UAC, no program will be able to tamper with svchost without you knowing; also no self-respecting antivirus would let that happen, unless we are talking about some really sneaky virus that today does not exist.
    What you saw in that pop-up was (just guessing, I'm no expert) probably svchost.exe doing some DNS query for Firefox, since svchost handles that type of thing in the OS. Can't really be sure, since the alert is not showing you ports or protocols regarding internet, just some OLE communication.

    Try to do a google for ole communications on svchost and firefox, see what you find.

    edit: I did some basic google and found this:
    "Service Host - Generic Host Process for Win32 Services. Windows 2000/XP only. SVCHOST is a generic process which acts as a host for processes that run from DLLs rather than EXEs. At startup SVCHOST checks the Services
    portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them. There can be many instances of SVCHOST running, as there will be one instance of SVCHOST for every DLL-based service or grouping of services (the grouping of services is determined by the programmers who wrote the services in question). Under Windows XP Professional you can find out what DLL-based services SVCHOST is running by typing Tasklist /SVC at a Command Prompt (MS-DOS Prompt - this command is not available in Windows XP Home), while under Windows 2000 you need to use the TLIST -s command from a Command Prompt (MS-DOS Prompt)."

    Perhaps what you saw was svchost loading some firefox dll??
     
    Last edited: Jun 14, 2010
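The `Tasklist /SVC` tip above tells you which services live in each svchost instance, but a firewall alert is only useful if you can tie it to a concrete service. The script below is an added example (editor's, not from any poster in this thread): it joins the service-to-PID mapping from WMI with the PID column of `netstat -ano`, so each svchost.exe process is listed with the services it hosts and its open endpoints. It assumes Windows 7 (or XP Pro) with PowerShell 2.0 or later and an elevated prompt, which `netstat -ano` needs to show owning PIDs; nothing else is assumed.

```powershell
# Added example, not from the thread: map each svchost.exe instance to the
# services it hosts (from WMI) and to its network endpoints (from netstat -ano).
# Assumes PowerShell 2.0+ on Windows 7 / XP Pro and an elevated prompt.

# 1. Services hosted in svchost.exe, grouped by the PID that hosts them.
#    Hosted services have a PathName like "...\svchost.exe -k netsvcs";
#    stopped services report ProcessId 0 and are skipped.
$hosted = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe' -and $_.ProcessId -ne 0 } |
    Group-Object ProcessId

# 2. Current TCP/UDP endpoints with their owning PID, parsed from netstat.
#    TCP rows: Proto Local Foreign State PID; UDP rows have no State column.
$conns = netstat -ano | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
        New-Object PSObject -Property @{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $f[3]; OwnerPid = [int]$f[4] }
    } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
        New-Object PSObject -Property @{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = '';    OwnerPid = [int]$f[3] }
    }
}

# 3. Print one block per svchost PID: the hosted services, then its endpoints.
#    ($pid is a read-only automatic variable in PowerShell, hence $svcPid.)
foreach ($g in $hosted) {
    $svcPid   = [int]$g.Name
    $svcNames = ($g.Group | ForEach-Object { $_.Name }) -join ', '
    Write-Output ("svchost.exe PID {0}: {1}" -f $svcPid, $svcNames)
    $conns | Where-Object { $_.OwnerPid -eq $svcPid } | ForEach-Object {
        Write-Output ("    {0,-4} {1,-26} -> {2,-26} {3}" -f $_.Proto, $_.Local, $_.Remote, $_.State)
    }
}
```

Read the output against the PID your firewall log (or the alert itself, where it shows one) reports. The limitation to keep in mind is that on XP and Windows 7 several services share one svchost process, so the attribution is to a service group such as netsvcs rather than to a single service; a firewall that can filter by service (as the Windows 7 built-in one can) is what gets you the rest of the way.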
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi bellgamin,

    This just looks like indirect access, whereby svchost could gain internet access through the use of shared DLLs.


    - Stem
     
  6. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I use XP, on a single PC: I deny every connection to svchost.exe and I make a rule for port 53 (DNS) for DNS resolving. Svchost.exe is a dynamic process that launches many DLLs. Generally, on a single PC, it doesn't really need to connect to the internet, even if it tries. I must enable it only for Windows Update (not automatic).
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I tried to include svchost.exe in the ZA free v5.5 programs list so I could allow/deny. Unfortunately it didn't work :( as it refused to appear? Maybe it's invisibly auto-included when ZA is installed? Even if it is, I don't get the chance to allow/deny; it's obviously auto-allowed.

    If anyone knows how to configure it as i'd prefer, please holla :)

    Moving on,

    Here's a great free tool i use, and just a few screenies.

    Svchost Process Analyzer - Indepth detection of malwares

    1.gif

    2.gif

    3.gif

    http://pentestit.com/tag/svchost-process-analyzer

    @bellgamin

    Good thread and well overdue :thumb:
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Sorry in advance to the OP for the offtopic response.

    Usually it is not listed as svchost but as "Generic Host Process for Win32 Services"; in more recent OSs (Windows 7) it is called "Host Process for Windows Services". It's a long, long time since I used 5.5, but I am pretty sure it has always been there since versions 6, 7, 8 and 9.

    Cheers,
    Fax
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @fax

    Bingo :thumb:

    Generic host for Win32 services is what i see on XP/SP2 and do get prompted for every time i want to connect out :) This only happens once though at each session launch, so i don't get individual prompts as others appear they can for svchost.exe :(

    Thanks
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Probably because the other processes are trusted or the rest of the processes have not yet used svchost or 5.5 did not have that feature... :)

    Right click on the processes/programs that you want to limit the "movements", choose "options" from the drop-down menu and UNcheck "allow application interaction" and UNcheck "This program may use another program to connect to the internet".

    You may need to turn ON (under the ZA program control --> custom) :

    - Enable advanced program control
    - Enable application interaction control and
    - Enable component control (for granular control on DLLs or ActiveX)

    Cheers,
    Fax
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @fax

    Thanks i'll look into that, and post back later :thumb:
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    You're very welcome! :)
     
  14. wat0114

    wat0114 Guest

    Simple answer

    • Windows updates
    • DNS (Domain Name Service)
    • DHCP (Dynamic Host Configuration Protocol)
    • Windows Time Service

    This is the minimum necessary in most cases. Restricting the Win updates rules to specific ports is easy (80 & 443 should suffice), but restricting the remote IP addresses to the MS update servers is painstaking because there are so many of them and there seem to be new ones all the time.

    That depends on the firewall used, more specifically how it processes rules.

    For purposes of clarity, I've included a screenshot of only my outbound/inbound svchost fw rules for Win 7. It may seem odd that I've got an Allow rule for Windows Update service (wuauserv) to TCP ports 80 & 443 AND a Block rule for the same service to any ports/protocol. This is done by design. I don't want Windows Update service connecting to the MS mothership whenever it pleases - as it otherwise will do on occasion - so, knowing that a block rule overrides an allow rule (in the Win 7 fw) for the wuauserv service, whenever I do need to run updates for Windows I simply disable the Block rule temporarily until I'm finished updating through MS Update service.
     

    Attached Files:

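The minimal per-service rule set in wat0114's post (the four services) and the allow-plus-block pair for wuauserv can be built without the GUI. The commands below are an added example (editor's, not wat0114's screenshot or anyone else's posted rules) using `netsh advfirewall` on the Windows 7 built-in firewall, run from an elevated PowerShell prompt. The rule names are my own; the service short names (dnscache, dhcp, w32time, wuauserv) and the port numbers are the standard ones, and the rules deliberately leave remote IPs open, for the reason wat0114 and Heimdall give about the Microsoft/Akamai address ranges.

```powershell
# Added example, not from the thread: per-service outbound rules for svchost.exe
# on the Windows 7 built-in firewall via netsh advfirewall (elevated prompt).
# Rule names are my own; service short names and ports are the standard ones.
# Values containing commas are quoted so PowerShell passes them as one argument.

# Outbound rules only bite once the profile's default outbound action is Block;
# out of the box the built-in firewall allows all outbound traffic.
# (Every other program you use will then need its own outbound allow rule.)
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

$svchost = "$env:SystemRoot\System32\svchost.exe"

# DNS Client: UDP to port 53.
netsh advfirewall firewall add rule name=svchost-DNS-out dir=out action=allow `
    program="$svchost" service=dnscache protocol=UDP remoteport=53

# DHCP Client: UDP from port 68 to port 67.
netsh advfirewall firewall add rule name=svchost-DHCP-out dir=out action=allow `
    program="$svchost" service=dhcp protocol=UDP localport=68 remoteport=67

# Windows Time: NTP, UDP to port 123.
netsh advfirewall firewall add rule name=svchost-NTP-out dir=out action=allow `
    program="$svchost" service=w32time protocol=UDP remoteport=123

# Windows Update: Allow TCP 80/443, plus a Block rule for the same service.
# Block rules take precedence over Allow rules in this firewall, so while the
# block rule is enabled wuauserv cannot connect anywhere.
netsh advfirewall firewall add rule name=svchost-WU-allow dir=out action=allow `
    program="$svchost" service=wuauserv protocol=TCP "remoteport=80,443"
netsh advfirewall firewall add rule name=svchost-WU-block dir=out action=block `
    program="$svchost" service=wuauserv

# Toggle the block rule around a manual update run instead of deleting it.
function Open-WindowsUpdateEgress  { netsh advfirewall firewall set rule name=svchost-WU-block new enable=no  }
function Close-WindowsUpdateEgress { netsh advfirewall firewall set rule name=svchost-WU-block new enable=yes }

# Check what is in place: every outbound rule whose name starts with "svchost-".
netsh advfirewall firewall show rule name=all dir=out verbose |
    Select-String -Pattern '^Rule Name:\s+svchost-' -Context 0,14
```

Run `Open-WindowsUpdateEgress`, update, then `Close-WindowsUpdateEgress`. On Windows 7 the download part of Windows Update is done by the Background Intelligent Transfer Service, also hosted in svchost.exe, so if updates are found but fail to download with the block rule disabled, a matching allow rule with `service=bits` is the first thing to add.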
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @fax

    It looks like it's that :(

    No drop-down menu :(

    Doesn't appear to be there :(

    Thanks anyway for posting, and what you were able to help with :thumb:

    I know i could use another FW, and have tried several that could do that, but were more of a pain overall. Plus i really like how i can configure the realtime logs/info/data and the way it looks etc with this FW.
     
    Last edited: Jun 14, 2010
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    wat0114,
    What firewall in your pics, the built in one in W7?
    Regardless, it applies to all. But your screenshots have a nice display of rules,
    which is why I asked what fw.

    If your battery's good, don't even need 123 and if not a travelling laptop, but a desktop with static IPs, likely don't need DHCP. And if shut down the DNS client service, don't need that permission. DNS and http and https can just be enabled for svchost around the patch Tuesday, which is what I do and what you said as well. Worked/works with ZA expert rules, old Kerio, Outpost, Sunbelt fw.

    I'm not making it up. I've done it based on reading the posts here at Wilders, the best forum in this universe.
     
  17. wat0114

    wat0114 Guest

    Win 7 built-in.
     
  18. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    Apologies slightly OT

    Actually, disabling the DNS Client Service is not a good idea for a number of reasons, primarily because doing so also disables the DNS cache, which means that every DNS query has to be resolved separately as opposed to reading the entry from the cache. In essence it can decrease performance.

    Another reason will depend on the type of rules you use in your firewall, if you simply allow applications like a browser OUT then you need not do anything else, however, if you value your security and create strict rules, you may, depending on the firewall, need to create separate DNS rules for each application.

    Painstaking, but not impossible. As I mentioned in my first post, the major problem is the outsourcing to the likes of Akamai and their proclivity for introducing new IP ranges.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi Bellgamin

    As you know I run OA also. Frankly I just trust svchost.exe and go about my business. Since I also run my browsers thru sandboxie, I've never had any issues all the time I've been doing this.

    Pete
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Ah, sorry... not surprising, 5.5 dates back to 2005 so many advanced firewall features were not yet there.

    I would anyway follow the suggestion from Peter2150
    :D :thumb:
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    I agree that the DNS client service issue is on the edge of security fussing over SVCHOST. That said,
    1. On XP, with the HOSTS file from MVPS running, DNS client service should be off
    2. Outpost, for instance, easily creates DNS rules on a per application basis, and other good firewalls (ZA paid, Kerio2.1.5, Sunbelt, LnS) permit that as well
    3. I have never seen a performance hit due to no cache
    4. If cache preservation is an issue, AnalogX FastCache application does wonders :)
     
  22. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Quote, see my previous post here.


    None of these needs a regular connection in XP, on a single PC; Windows manual update is better than automatic. I can select..
     
  23. wat0114

    wat0114 Guest

    Most people don't run updates full manual, nor run with a static ip, nor turn off DNS service, thus the simple answer.
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @fax

    Thanks again :thumb:

    Quote act8192

    Agreed, or with any large HOSTS file.
    Neither have i

    @blacknight

    DHCP (Dynamic Host Configuration Protocol) On XP/SP2 i don't see that ? but i have disabled DHCP Client along with lots of other things and no issues :thumb:
     
  25. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    I just checked ZoneAlarm Pro & nowhere does it list Service Host. It does list Firefox but no service host when ZAP asked for internet access it asked regarding FireFox not Service Host.
     