Jetico and SVCHOST.EXE

Discussion in 'other firewalls' started by luvhirez, Aug 12, 2005.

Thread Status:
Not open for further replies.
  1. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi,
    I've got a question about svchost.
    What is a good rule/rules to stop these requests for send/receive datagrams?
    I'm using XP Home.
    I have disabled quite a few services, but I keep getting requests at port 1027.

    Cheers
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    I'm not running XP so I can't be sure, but I believe that Svchost.exe will be needed for DNS, DHCP and Windows Update in XP. If I remember right, the default rules for Win Update might not be right. So you may have to play with those a little and set them up or allow those that pop up. I am just guessing though and that might not be the problem at all. Maybe someone else can offer some suggestions...
     
  3. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi Kerodo,
    thanks for your reply.

    I have auto Windows Update disabled; I go through the Windows Update site, for which I've set up some rules in sys apps for svchost on port 80 and 443.

    DHCP is already configured in the default rules, both for svchost.exe and services.exe.

    For DNS there is already a default rule for port 53, in which I have configured the addresses of my DNS servers.

    So does that mean I can just block everything else, or does svchost need to talk with the internet for other things?

    Cheers
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Ok, sounds like the usual stuff is ok then. Sending and receiving datagrams means UDP I believe. Is there some program trying to connect out for any reason? Also what remote port is involved (what does it say in the popup)?

    I am running Win2k, so I'm not sure what goes on with XP. Could be some services wanting to connect out for some reason. Not sure. It would help if you could post what ports are involved though.
     
  5. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi again,
    the pop-up says

    receive datagrams
    TCP/IP
    loc add ANY
    local port 1027
    remote port ANY
    ask user

    thanks
     
  6. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    The remote addresses seem pretty random also.

    I'm also using XP SP2.
     
  7. Hi Luvhirez, as you say, if you have configured your DNS, and because you have disabled auto updates, the only thing you have to do is let svchost go to time update, remote port 123, in system applications. I use XP.
    If you look at the image of system applications at the following link, you will get an idea about this.

    http://www.geocities.com/ladidel_jetico/jeticoindex

    I hope this helps.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    All I can think of is that Svchost is listening on local port 1027 UDP for some reason, and when you get random incoming packets to 1027 UDP then Jetico gives you the old popup asking if it's ok to let the packet in. The incoming UDP packets are probably messenger spam, which usually hits 1026-1029 from random addresses like you've described. If this is indeed the case, then I don't know why Svchost would be listening on 1027, but you should be able to block the incoming packets without doing any harm. If Svchost was sending out packets and then expecting a reply, Jetico should allow the incoming response without asking due to SPI etc.

    So what I would do is go into the internet section and create a rule to block incoming UDP to local port 1027 from any remote address, any remote port. That should take care of it with any luck.

    If something ceases to work properly, then you'll have to research things more and find out what's going on there.
     
  9. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Thanks guys for your help,
    I just had the same pop-up for port 1026 and they are TCP/IP, not UDP.

    Edit:
    Yep, they are coming in on 1026 now, not 1027. I haven't made any changes to the rules.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Receive datagrams makes it UDP. But that's not so important. What I am wondering is, if there are programs (namely Svchost) listening on those ports? Can you run a utility like Active Ports (or similar) and see what (if any) programs are listening on those two ports? What you are seeing is messenger spam, I am 99% sure of that, and it's typically UDP.

    If there are no programs listening on those ports, then there is a problem of some kind going on there.

    PS - If you reboot, Svchost (or any program) can change the ports it's listening on. So that would be why it's different now. Also, on cable here, without the router, I used to see tons of packets UDP to port 1026 and 1027 constantly. Never got any prompts from Jetico though, probably since nothing was listening on those two ports and Jetico just blocked them silently...
     
  11. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi Zorro, thanks for the link!
    I've never had a pop-up for port 123; I have turned Windows Time off in services, that's probably why. But I see that at the link you gave me, he has deny incoming datagrams and connections for ports 1024-1028, 137-139, 135, 445 and 500.
    Are these ports bad, or are they the spam ports?

    Cheers
     
  12. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Thanks Kerodo,
    I'll get Active Ports and see what happens.
    I'll post back.
     
  13. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    OK, I've run Active Ports, here's what it says:

    there are 2 svchosts
    pid 780
    local ports 1026,1057,1058
    LISTEN
    UDP
    svchost.exe on the correct path

    also 2 unknowns,
    but they just disappeared

    cheers
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Just curious why it would be prompting for unsolicited inbound packets. Is there a configuration option for this? Is it just because you may have something listening on that port? Does it not deny all unsolicited inbound by default?

    Have you tried making a deny all inbound rule?

    edit: sorry more questions than answers right now

    Regards,

    CrazyM
     
  15. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi CrazyM,
    I don't know, this is just the default rules with extra ones for my programs and manual Windows Updates, and some extra tables.
    I haven't made a deny all inbound rule.
    But there is a default "block all non processed IP packets" at the end of the system IP table.
     
  16. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    I've had a look in my Jetico logs.

    OK, I'm getting pop-ups for TCP/IP port 1026, and it's blocking UDP port 1027;
    before I rebooted, when I was getting pop-ups for TCP/IP port 1027, it was blocking UDP port 1026.
    So it has done a reversal.
    o_O o_O o_O
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    The reason why you're getting popups on the 1026 packets is because Svchost is listening on that port, and Jetico will always ask/prompt you when a packet comes in to a listening port like that. It will not prompt you if the incoming packet is the response to an outbound packet, but that's not the case here. You are getting random messenger spam UDP to port 1026 and 1027. So...

    You can do 2 things. You can go ahead and just respond to the prompt and Deny the packet, and tell Jetico to remember. Also make sure Svchost is in the app section, so in effect, you're just having Jetico deny inbound packets to Svchost on port 1026. If Svchost changes to port 1027 later when you reboot, you'll get the same prompt again for that new port, and you need to Deny it and remember again, same thing.

    The other thing you can do is create a rule in the Internet section to Deny any inbound UDP packets to ports 1026 and 1027. You'll need 2 rules, one for each port, since you can't specify port ranges in Jetico (if I remember right).

    I think I would go with the first solution. This will block inbound packets to Svchost only on only those 2 ports. It will allow Svchost inbound on other ports and protocols as necessary, so DNS, DHCP and Windows Update will work if you need it.

    Hope all this makes sense and helps.. :)
     
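    A worked illustration of the triage Kerodo lays out above (added here; this is not code from the thread or from Jetico). It assumes a constructed listener table in the shape Active Ports reports (mirroring post 13), a constructed outbound-state entry standing in for the firewall's SPI, and constructed inbound events using documentation-range addresses; the port range 1026-1029 is the one Kerodo names for Messenger spam.

```python
# Added example (not from the thread or from Jetico): why some inbound UDP
# prompts and some does not, and which explicit deny rules would cover it.

# Constructed listener table in the shape Active Ports reports it:
# (pid, protocol, local port, image path). Mirrors post 13: one svchost,
# PID 780, listening on UDP 1026, 1057 and 1058.
LISTENERS = [
    (780, "UDP", 1026, r"C:\WINDOWS\System32\svchost.exe"),
    (780, "UDP", 1057, r"C:\WINDOWS\System32\svchost.exe"),
    (780, "UDP", 1058, r"C:\WINDOWS\System32\svchost.exe"),
]

# Constructed outbound state the firewall's SPI would remember:
# (protocol, remote ip, remote port, local port). Here a DNS query from 1057.
OUTBOUND_STATE = {("UDP", "192.0.2.10", 53, 1057)}

# Constructed inbound events in the same shape (documentation-range addresses).
INBOUND = [
    ("UDP", "203.0.113.7", 12345, 1026),   # random remote, hits the listener
    ("UDP", "198.51.100.9", 3322, 1027),   # random remote, nothing listening
    ("UDP", "192.0.2.10", 53, 1057),       # reply to the query we sent
    ("UDP", "203.0.113.8", 4000, 1026),    # another random remote
]

# Ports Messenger-service spam usually hits, per Kerodo (1026-1029).
MESSENGER_SPAM_PORTS = range(1026, 1030)


def classify(event, state=OUTBOUND_STATE, listeners=LISTENERS):
    """Why the firewall prompts for one inbound packet and not another."""
    proto, rip, rport, lport = event
    if (proto, rip, rport, lport) in state:
        return "solicited"       # reply to our own packet: allowed, no prompt
    if not any(p == proto and l == lport for _, p, l, _ in listeners):
        return "silent-drop"     # nothing listening: blocked without a prompt
    if proto == "UDP" and lport in MESSENGER_SPAM_PORTS:
        return "messenger-spam"  # listening socket hit by random remotes
    return "unsolicited"         # listening socket, other port: needs a look


def deny_rules(events, state=OUTBOUND_STATE):
    """One explicit per-port deny rule (Kerodo's second option) for every
    spam-range UDP port seen, whether or not svchost holds it right now:
    after a reboot the listener can move from 1026 to 1027 and back."""
    ports = sorted({lport for proto, rip, rport, lport in events
                    if proto == "UDP" and lport in MESSENGER_SPAM_PORTS
                    and (proto, rip, rport, lport) not in state})
    return [f"deny inbound UDP, local port {p}, remote address ANY, remote port ANY"
            for p in ports]
```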
  18. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Is there a setting that will have the firewall just deny and log these inbound packets to ports that may have local services listening so you do not get prompted? Just seems like a bit of a nuisance if you have to create rules for this instead of an implicit deny.

    Regards,

    CrazyM
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    CrazyM, I don't know of any setting in Jetico that will change its behavior. It seems like some firewalls will just block and log these packets (like ZA) and others by default will prompt you (like Kerio 4 and Jetico). I prefer that it just block and log without asking, but as far as I know, JPF won't do that. Perhaps someone else has another idea though...
     
  20. Hi, yes, he can deny and log those inbound packets "at the end of the ask user module" if he changes from ask to reject; it is before the arrow that says continue. Done this way, only the applications that were permitted in the application table will have access to the web, and it won't ask anything about this anymore. It will only ask if there is something like injection or other things, if he has ask instead of reject at the end of the process attack table module. That's all, very easy.
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    If he changes that from ask to reject however, it will then never ask him for ANY subsequent app that tries to get out either. It will just deny the traffic. So while this will solve his inbound packet problem, it will also prevent the firewall from asking about any new app. Don't know if that's what he wants..
     
  22. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi all again, I've just turned on the computer again and got onto the net to see your replies.
    Believe it or not, I've just got another strange pop-up.
    All it says is


    APP: C:\WINDOWS\System32\svchost.exe
    Configuration table: ask user


    Jetico has already put a tick in the "Handle as..." option with "FTP Client" already selected in the drop-down list.

    If I change it from "handle as" to "block this activity"
    it changes the alert to
    svchost, receiving datagrams, TCP/IP through port 1027

    What does it mean by FTP client??

    This is so weird!!
    I'm going to block it for now and go to bed.
    I'll check in tomorrow and try some of your ideas.

    I appreciate all this help

    cheers
     
  23. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi all,
    I think I will try the rules I stated in post 11. This is from the site Zorro mentioned.
    I will give it a while and post back with the results.
    This may help others as well with the same problem.
    :)
     