Incoming connection attempts to svchost

Hello...

over the past few days, I have noticed lots of incoming connection attempts from addresses related to my mail accounts and rss feeds. I'm pretty sure I don't have an infection, have scanned with ESET and Malwarebytes and there's no other abnormal network activity.

I think some of the prompts may have something to do with Windows Sidebar as I use a couple of gadgets to check for mail and feeds.

I always deny the traffic in the prompt and the gadgets continue to work normally.

However, i've also noticed quite a few when i'm just browsing the web. I've taken a screenshot of one of the prompts and when uploading to imageshack, I got the same kind of prompt from an imageshack address. Again I denied it and the image uploaded ok. I just want to know why i'm getting the prompts.

Screenshot:
http://img143.imageshack.us/img143/2470/29069608.jpg

Thanks for any help.

Using ESS v4.2.67.10 on Windows 7 Ultimate x64

 

Hello,

You are seeing the prompts most likely because your firewall is in interactive mode and prompting you. By clicking the block communication action, it will only prompt you again when the traffic is detected. You must check the box to "remember action" for the prompt to go away permanently.

Regards,

Matt
Eset

 

Thanks for the reply Matt.

I'm aware the prompts are appearing due to being in Interactive mode. What is puzzling me is that the remote addresses are contacting svchost.exe. I never used to get this amount of incoming traffic..especially related to the Windows Service host.

 

Well I created a block rule for now. I'm not concerned about it being malicious but seeing as blocking the traffic does not affect connecting to the addresses for mail and web, i'm not losing out on anything.

I'm just bemused by the sudden onset of this traffic and the amount of it.

Pretty much the same as in the following thread:
https://www.wilderssecurity.com/showthread.php?t=267858

 

Aren't you a client of Freeola, a UK Internet provider?

 

I do have a pop3 mailbox with them.

As I said before, i'm not worried about the source of the traffic itself. I could be browsing the web and I will get a few prompts for svchost that originate from the website i'm on. Trusted sites like BBC, eBay, forums etc. Plus ones from the hosts of my rss feeds which are also from trusted sources.

Also, denying the traffic does not have any adverse affects on my browsing those sites or downloading feeds or mail. I just don't know why svchost.exe is involved.

Someone on the thread which I posted above suggested that it was tcp ack from the sites which sounds reasonable but surely that traffic should be directed back to the process which instigated the outgoing connection i.e; Windows Sidebar mail gadget, browser, feed client etc etc.

Any ideas please Marcos?

 

+1
Similarly here https://www.wilderssecurity.com/showthread.php?t=267858

Allowing all common ports to send unsolicited packets to all windows services sounds like a significant degradation of the firewall function.

Blocking all common ports on svchost would shut it up but then may block valid traffic without me knowing. Making my system less reliable.

Is there a fix for this problem?

For me:
Only occurs on one W7 laptop, not on the other 6 W7 and XP laptops and desktops.
Appears to be related to computer load as is more common shortly after start up.
Incoming connection requests to svchost appear to related to recent valid traffic to email or web browser. ie port 80, 443, 993 etc and relevant IP addresses.
Not sure it makes much difference if I allow or block them.
Occurs in ESS 5 beta and ESS 4

Edit btw
Firewall is in interactive mode as I believe that is more secure and gives me greater control.
Laptop is Asus U50vg http://www.asus.com.au/Notebooks/Superior_Mobility/U50Vg/
With P8700 2.53GHz processor, 2GB ram, 500GB disk, Windows 7 home premium service pack 1 fully updated.
Not sure what other information is required to spot a pattern. I do have windows defender scanning the disk occasionally.

 

I have this too sometimes, but only when computer has been in sleep or hibernate mode