Incoming connection attempts to svchost

Discussion in 'ESET Smart Security' started by nickster_uk, Nov 29, 2010.

Thread Status:
Not open for further replies.
  1. nickster_uk

    nickster_uk Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    190
    Hello...

    Over the past few days, I have noticed lots of incoming connection attempts from addresses related to my mail accounts and RSS feeds. I'm pretty sure I don't have an infection, have scanned with ESET and Malwarebytes and there's no other abnormal network activity.

    I think some of the prompts may have something to do with Windows Sidebar as I use a couple of gadgets to check for mail and feeds.

    I always deny the traffic in the prompt and the gadgets continue to work normally.

    However, I've also noticed quite a few when I'm just browsing the web. I've taken a screenshot of one of the prompts and when uploading to imageshack, I got the same kind of prompt from an imageshack address. Again I denied it and the image uploaded ok. I just want to know why I'm getting the prompts.

    Screenshot:
    http://img143.imageshack.us/img143/2470/29069608.jpg

    Thanks for any help.

    Using ESS v4.2.67.10 on Windows 7 Ultimate x64
     
  2. MattJN

    MattJN Former ESET Support Rep

    Joined:
    Feb 19, 2010
    Posts:
    149
    Hello,

    You are seeing the prompts most likely because your firewall is in interactive mode and prompting you. By clicking the block communication action, it will only prompt you again when the traffic is detected. You must check the box to "remember action" for the prompt to go away permanently.

    Regards,

    Matt
    Eset
     
  3. nickster_uk

    nickster_uk Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    190
    Thanks for the reply Matt.

    I'm aware the prompts are appearing due to being in Interactive mode. What is puzzling me is that the remote addresses are contacting svchost.exe. I never used to get this amount of incoming traffic, especially related to the Windows Service host.
     
  4. nickster_uk

    nickster_uk Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    190
    Well, I created a block rule for now. I'm not concerned about it being malicious but seeing as blocking the traffic does not affect connecting to the addresses for mail and web, I'm not losing out on anything.

    I'm just bemused by the sudden onset of this traffic and the amount of it.

    Pretty much the same as in the following thread:
    https://www.wilderssecurity.com/showthread.php?t=267858
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Aren't you a client of Freeola, a UK Internet provider?
     
  6. nickster_uk

    nickster_uk Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    190
    I do have a POP3 mailbox with them.

    As I said before, I'm not worried about the source of the traffic itself. I could be browsing the web and I will get a few prompts for svchost that originate from the website I'm on. Trusted sites like BBC, eBay, forums etc. Plus ones from the hosts of my RSS feeds which are also from trusted sources.

    Also, denying the traffic does not have any adverse effects on my browsing those sites or downloading feeds or mail. I just don't know why svchost.exe is involved.

    Someone on the thread which I posted above suggested that it was TCP ACK from the sites, which sounds reasonable, but surely that traffic should be directed back to the process which instigated the outgoing connection, i.e. Windows Sidebar mail gadget, browser, feed client etc.

    Any ideas please Marcos? :)
     
  7. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    +1
    Similarly here https://www.wilderssecurity.com/showthread.php?t=267858

    Allowing all common ports to send unsolicited packets to all Windows services sounds like a significant degradation of the firewall function.

    Blocking all common ports on svchost would shut it up but then may block valid traffic without me knowing, making my system less reliable.

    Is there a fix for this problem?

    For me:
    Only occurs on one W7 laptop, not on the other 6 W7 and XP laptops and desktops.
    Appears to be related to computer load as it is more common shortly after start up.
    Incoming connection requests to svchost appear to be related to recent valid traffic to email or web browser, i.e. port 80, 443, 993 etc. and relevant IP addresses.
    Not sure it makes much difference if I allow or block them.
    Occurs in ESS 5 beta and ESS 4.

    Edit btw
    Firewall is in interactive mode as I believe that is more secure and gives me greater control.
    Laptop is Asus U50vg http://www.asus.com.au/Notebooks/Superior_Mobility/U50Vg/
    With P8700 2.53GHz processor, 2GB RAM, 500GB disk, Windows 7 Home Premium Service Pack 1 fully updated.
    Not sure what other information is required to spot a pattern. I do have Windows Defender scanning the disk occasionally.
     
    Last edited: May 30, 2011
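
Added example, not part of any post in this thread: one way to test the observation above that the inbound attempts to svchost.exe follow recent valid traffic to the same addresses and ports. It runs over a constructed firewall event log; the CSV columns, the addresses and the two-minute window are assumptions made for this example, not ESET's log format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample events. The column layout is an assumption made for this
# example (not ESET's log format); remote_port is the port on the remote host.
SAMPLE_LOG = """\
time,direction,process,remote_ip,remote_port
2011-05-30 09:00:01,out,sidebar.exe,192.0.2.10,993
2011-05-30 09:00:05,out,firefox.exe,198.51.100.7,443
2011-05-30 09:00:40,in,svchost.exe,192.0.2.10,993
2011-05-30 09:01:10,in,svchost.exe,198.51.100.7,443
2011-05-30 09:30:00,in,svchost.exe,203.0.113.99,445
2011-05-30 09:45:00,in,svchost.exe,192.0.2.10,993
"""

def parse_events(text):
    """Parse the CSV text into dicts with a datetime 'time' and an int port."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["remote_port"] = int(row["remote_port"])
        events.append(row)
    return events

def classify_inbound(events, target="svchost.exe", window=timedelta(minutes=2)):
    """Return (time, remote_ip, remote_port, label, process) per inbound hit.

    label is 'related' when some process made an outbound connection to the same
    remote ip:port within `window` before the inbound attempt, else 'unsolicited'.
    """
    last_out = {}  # (remote_ip, remote_port) -> (time, process) of last outbound
    results = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["remote_ip"], ev["remote_port"])
        if ev["direction"] == "out":
            last_out[key] = (ev["time"], ev["process"])
        elif ev["direction"] == "in" and ev["process"].lower() == target:
            seen = last_out.get(key)
            if seen and ev["time"] - seen[0] <= window:
                results.append((ev["time"], *key, "related", seen[1]))
            else:
                results.append((ev["time"], *key, "unsolicited", None))
    return results

if __name__ == "__main__":
    for hit in classify_inbound(parse_events(SAMPLE_LOG)):
        print(*hit)
```

A "related" result only shows that the inbound attempt followed outbound traffic to the same endpoint; it does not explain why svchost.exe was the receiving process. The "unsolicited" entries are the ones to review before writing a permanent allow or block rule.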
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I have this too sometimes, but only when the computer has been in sleep or hibernate mode o_O
     