Generic Host Process for Win32 Services

Discussion in 'other firewalls' started by Technical, Oct 26, 2003.

Thread Status:
Not open for further replies.
  1. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Does anybody know if the user must allow "Generic Host Process for Win32 Services" to act as a server in ZoneAlarm?

    If I disable it, what are the consequences?
    Which applications/services will not be allowed to be connected to from the Internet?

    I suppose that I can allow this C:\Windows\system32\svchost.exe to connect to the Internet... In this case, what is connecting to the Internet?

    Thanks very much.
    Technical
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Most XP users with ZA say they have to allow svchost.exe to connect out to the Internet or they can't access the net... (Some services that run under that generic process, like DNS, require that access outbound, though it does depend upon the exact configuration of each system.)

    But, as for allowing server rights in ZA, that would allow Generic Host Process... (long name)... to accept unsolicited connections in from the Internet. (For example, any ports that are listening under svchost.exe would be allow open access, such as the messenger service.) Very few people say they need to allow "server rights" for svchost.exe to be able to work properly.

    On my XP system, I must allow it "access out" but not server rights.
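    The post above makes the point that "server rights" for svchost.exe expose every port that process happens to be listening on. The following Python script is an added example, not code from the thread or from ZoneAlarm: it joins the text output of the stock Windows commands `netstat -ano` (sockets with owning PID) and `tasklist /svc` (PID to image name and hosted services) and lists exactly which bound sockets belong to svchost.exe instances, and which service lives in each. The two sample outputs embedded below are constructed for the example (PIDs, ports and service names are illustrative); feed it real command output to audit your own system.

```python
"""Added example, not from the thread: enumerate the sockets svchost.exe is
listening on, i.e. what granting svchost.exe "server rights" would expose.

It parses the text output of two stock Windows commands:
    netstat -ano     sockets with the owning PID
    tasklist /svc    PID -> image name and the services hosted in it
The two samples below are constructed for the example (PIDs, ports and
service names are illustrative); replace them with real command output.
"""
import re
from typing import Dict, List, Tuple

# Constructed `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:1128      203.0.113.7:80         ESTABLISHED     1720
  UDP    0.0.0.0:123            *:*                                    1040
  UDP    0.0.0.0:1900           *:*                                    1232
  UDP    127.0.0.1:1034         *:*                                    1720
"""

# Constructed `tasklist /svc` output (not a real capture).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1040 RpcSs, W32Time
svchost.exe                   1232 SSDPSRV, upnphost
iexplore.exe                  1720 N/A
"""

# proto, local, foreign, optional state (absent for UDP lines), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat_ano(text: str) -> List[Tuple[str, str, str, str, int]]:
    """Return (proto, local, foreign, state, pid) for every socket line."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows


def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, [service names]); 'N/A' means no services.
    Long service lists wrap onto indented lines, which are joined to the
    preceding PID."""
    procs: Dict[int, Tuple[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = TASKLIST_RE.match(line)
        if m:
            name, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
            names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
            procs[pid] = (name, names)
            current = pid
        elif current is not None and line.startswith(" "):
            procs[current][1].extend(s.strip() for s in line.split(",") if s.strip())
    return procs


def audit_svchost_listeners(netstat_text: str, tasklist_text: str, image: str = "svchost.exe"):
    """List bound sockets owned by `image`: TCP sockets in LISTENING state and
    every UDP socket (UDP has no state; a bound UDP port accepts any datagram)."""
    procs = parse_tasklist_svc(tasklist_text)
    findings = []
    for proto, local, _foreign, state, pid in parse_netstat_ano(netstat_text):
        name, services = procs.get(pid, ("<unknown>", []))
        if name.lower() != image.lower():
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        findings.append({"proto": proto, "local": local, "pid": pid, "services": services})
    return findings


if __name__ == "__main__":
    for f in audit_svchost_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{f['proto']:3} {f['local']:22} pid={f['pid']:<6} services={', '.join(f['services']) or '-'}")
```

    On the constructed sample this reports TCP 135 and UDP 123 for the RpcSs/W32Time host and UDP 1900 for the SSDP/UPnP host, which is the service the thread recommends disabling; the System and browser sockets are left out because they are not svchost.exe. Every socket the script lists is one that "server rights" would open to unsolicited inbound traffic.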
     
  3. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Yes, and no. Your firewall should allow for, or be able to be configured for services like DHCP and DNS without allowing it as a server.

    Please start by disabling two services. Start -> Run: 'services.msc', stop and disable SSDP Discovery Protocol, and Universal Plug n' Pray.

    Now if your computer is not a Lan/ICS host for dynamic addressing then you can stop, and set the DNS Client to manual.

    You should avoid allowing the program to act as a server, and if you must I suggest you get a more comprehensive firewall like a rule-based application filtering firewall, which will be more complex to configure.

    EDIT: I haven't played with ZA for a while, but you should be able to add your DNS servers and your DHCP server (if you have one) to your trusted IP list. That way you are not forced to set the program as a server.
     
  4. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Thanks for the quick answer... ;)
    I need to allow svchost.exe to connect out to the Internet or I won't access the net anyway. In my XP, I denied the server rights too. ;)
     
  5. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Thanks very much. I disabled SSDP Discovery Protocol but I don't have Universal Plug 'n Pray. I ran the application from the Gibson company and it says this service is Safely Disabled. Is that right? ;)

    I set DNS Client to manual too.
     
  6. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Sorry, but besides my name, I do not know exactly what you are telling me...
    I have a dial-up connection so I suppose I have a dynamic IP, but what are the DNS servers and DHCP server? I'm not in a network (although I have a net card). Thanks ;)
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    You don't need to add your DNS servers to the ZA Trusted Zone unless you are having some kind of a problem with access. If you are not having a problem, don't worry about it.
     
  8. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Thanks for your suggestion, I have heard Kerio is a good one. But I'm afraid I won't be able to configure such a complex firewall. If I set one wrong rule, I won't be protected and the firewall won't do its job. :doubt:
     
  9. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    ZA should work fine for you currently, and maybe one day you will need something more complex, however today is not that day :)
     
  10. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Now, ZA is asking for server rights for almost every program that just accesses the Internet? Which service must I put back to its original state? SSDP Discovery Protocol, Universal Plug n' Pray or DNS Client?

    I'm denying the access but something goes wrong... :doubt:
    The other option is that, before, these programs accepted connections from the Internet but I did not know this fact... :(
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Well, you started by asking whether to allow server rights to Generic Host Process for Win32 Services (svchost.exe). I said that most people do not need to give it server rights. However, now you are having a problem, so the natural question is "What did you change?" That is the key to reversing it if you now have a problem.
     
  12. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    I got into big trouble. Thanks to GoBack!
    I rolled my system back to an earlier safe position...
    I don't know exactly what happened. Maybe all those services could not be disabled... ;)
     
  13. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Please review my past comments. I run with all three of those services not running, and I tell you when you need to have the DNS Client running. I won't tell people to do things that I know are not safe. :)
     
  14. JPM

    JPM Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    76
    Location:
    Las Vegas, NV
    I run Look n Stop as my firewall but I checked and while I already had the SSDP Discovery Protocol and Universal PnP disabled I did have the DNS service set to auto. I have just changed it to manual and now SVCHost no longer shows up as being connected all the time on the app filtering tab of LnS. It always did prior to this change. Everything seems to be working correctly, should SVCHost still be allowed to connect or could/should it be blocked all together now?

    Thanks in Advance
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Generic Host Process for Win32 Services (svchost.exe) has many tasks, one being resolving and caching DNS. You "have to" set svchost.exe to act-as-server or it won't accept incoming DHCP packets, which leads to disconnections from the ISP, unless you don't use DHCP. Also you won't accept incoming DNS packets and that will cause active connections to time out; unless the "DNS Client" service is disabled, in which case the client applications themselves send constant DNS packets. And that being the case, all the client applications will need to act-as-server to receive incoming DNS packets, otherwise time-outs for all active connections…

    Am I mistaking how ZoneAlarm works?
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    For ZoneAlarm act-as-server Feature, does this apply to both TCP & UDP Protocols?
     
  17. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    If firewalls/configurations didn't separate services like DNS and DHCP, then that would cause problems. Every software firewall should be able to do this separation, since even older 9x systems allowed for this while not requiring you to make every program a server in application-based firewalls.

    svchost.exe should not be a general server on the Internet, and that should be avoided at all costs. However, of course it does have its services which you might need to allow based on your setup.

    In application-based firewalls like ZA, when you allow it to be a server, it will allow all inbound TCP/UDP connections not started by the host on the ports that it happens to be listening on. Which again is dangerous for svchost.exe.
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    So ZoneAlarm does this separation of DHCP/DNS?

    UDP is connectionless Protocol btw.
     
  19. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I can't verify DHCP, but I know DNS is separated, as on 9x you didn't have to make every program a server. I'm sure they have some simple settings to select, like checking the box for DHCP if it's not already enabled by default.

    Of course I know UDP is connectionless, but that doesn't stop firewalls from monitoring outbound UDP to make a direct association with inbound UDP so it's only accepted from that source.

    This method is not the most secure, however it's even less secure to force the user to make every program a server just so it can resolve DNS.
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Correct; UDP does not contain any connection information such as sequence numbers. Though at the very minimum it contains IP address and port pairs, and all of this data can be analyzed in order to build "virtual connections" in the cache.
     
  21. JPM

    JPM Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    76
    Location:
    Las Vegas, NV
    Well if I must allow SVCHost to connect then something is strange with my LnS setup. I have had SVCHost blocked since last night, today I started my computer up and everything is connecting fine. I am on a cable modem and I believe in the past SVCHost was needed for DHCP and DNS. But it is blocked and everything is connecting fine with no time outs and such. Any ideas on what to check to verify that LnS is running properly?

    Thanks
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey JPM

    From what you previously said, you have the "DNS Client" service set to manual and therefore svchost.exe no longer makes DNS connections. However, you are on cable, and if you have DHCP enabled and you have svchost.exe set to deny for connecting rights in the Application Filtering List, then you will experience re-connecting issues with your ISP after a certain length of time being connected without re-booting.
     
  23. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    I'm not sure if this was clear from what is written above.

    In ZAP running on XP Home, I do not need to give server rights to either svchost.exe (note that I have both DHCP and DNS client disabled, so this is obvious), or any network aware client programs for the sake of DNS resolution.

    ZAP allows the reply packets from the DNS server back through to the client programs, (like IE for example), without needing to give that program server rights.

    There are times however when DNS is slow to respond and ZAP has timed out as far as recognizing that the incoming DNS packets are replies, and so I will at that moment get a popup to grant that client program (IE example again) server rights that one time.

    This is a fairly rare occurrence, though I believe other firewalls do this as well, do they not? Late replies are no longer seen as being replies to valid requests?

    So, you generally do not need to give all programs server rights in ZAP to allow DNS reply packets, well unless all your DNS replies are slow, though in that case you might want to speak to your ISP about getting better DNS servers.
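    Three posts above describe the same mechanism from different angles: the firewall matches inbound UDP against recent outbound UDP so a reply is accepted only from the host that was queried, those matches are "virtual connections" built from IP address and port pairs, and a DNS reply that arrives after the firewall's timeout is no longer recognised as a reply and triggers a server-rights prompt. The following Python model is an added example written for this thread, not ZoneAlarm's or any other firewall's code. It assumes a 4-tuple key (local IP, local port, remote IP, remote port), a fixed 5-second timeout, and that one reply consumes the entry; the addresses, ports and timings in the simulation are constructed.

```python
"""Added example, not from the thread: a toy model of the "virtual
connection" tracking that lets an application firewall hand a DNS reply to
the client that asked for it without giving that client server rights.

Assumptions made for the example: each outbound datagram is keyed on the
(local ip, local port, remote ip, remote port) 4-tuple, one reply consumes
the entry, and entries expire after a fixed timeout (5 s here; real
firewalls pick their own value). Addresses and times are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALLOW, EXPIRED, UNSOLICITED = "ALLOW", "EXPIRED", "UNSOLICITED"


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class UdpStateTable:
    """Tracks outbound UDP so only the matching inbound reply is accepted."""

    def __init__(self, timeout_s: float = 5.0) -> None:
        self.timeout_s = timeout_s
        # 4-tuple (local ip, local port, remote ip, remote port) -> expiry time
        self._table: Dict[Tuple[str, int, str, int], float] = {}

    def outbound(self, d: Datagram, now: float) -> None:
        """A datagram leaving the host opens (or refreshes) a virtual connection."""
        self.prune(now)
        self._table[(d.src_ip, d.src_port, d.dst_ip, d.dst_port)] = now + self.timeout_s

    def inbound(self, d: Datagram, now: float) -> str:
        """Classify a datagram arriving from the network.

        ALLOW       it answers a live entry (same remote ip/port, same local port)
        EXPIRED     it answers an entry whose timeout already passed (the slow
                    DNS reply that makes the firewall pop up a server-rights prompt)
        UNSOLICITED nothing outbound matches; only server rights would let it in
        """
        key = (d.dst_ip, d.dst_port, d.src_ip, d.src_port)
        expiry = self._table.pop(key, None)   # one reply consumes the entry
        if expiry is None:
            return UNSOLICITED
        if now > expiry:
            return EXPIRED
        return ALLOW

    def prune(self, now: float) -> None:
        """Drop timed-out entries so the table stays bounded."""
        self._table = {k: t for k, t in self._table.items() if t >= now}

    def live_entries(self, now: float) -> int:
        """Number of virtual connections still open at time `now`."""
        self.prune(now)
        return len(self._table)


def simulate() -> List[str]:
    """Constructed sequence of DNS queries and replies; returns the verdicts."""
    fw = UdpStateTable(timeout_s=5.0)
    client, dns, stranger = "192.168.0.10", "198.51.100.53", "203.0.113.9"
    verdicts = []

    # Query from local port 1032 to the configured DNS server, answered quickly.
    fw.outbound(Datagram(client, 1032, dns, 53), now=0.0)
    verdicts.append(fw.inbound(Datagram(dns, 53, client, 1032), now=0.2))      # ALLOW
    # A second "reply" to the same query: the entry was consumed, so it is unsolicited.
    verdicts.append(fw.inbound(Datagram(dns, 53, client, 1032), now=0.3))      # UNSOLICITED

    # Query from local port 1033; a different host tries to answer it.
    fw.outbound(Datagram(client, 1033, dns, 53), now=1.0)
    verdicts.append(fw.inbound(Datagram(stranger, 53, client, 1033), now=1.5)) # UNSOLICITED
    # The real server answers, but only after the 5 s window closed.
    verdicts.append(fw.inbound(Datagram(dns, 53, client, 1033), now=9.0))      # EXPIRED
    return verdicts


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```

    The EXPIRED verdict is the case the post above describes: the query was legitimate, but by the time the answer arrived the entry had aged out, so the only way the firewall could deliver it is the one-time server-rights grant. Consuming the entry on the first reply is a design choice of this model; a firewall that expects several datagrams per exchange would refresh the entry instead, at the cost of a longer window in which a spoofed reply from the same source address and port would be accepted.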
     