Kerio 2.1.5 need rule setup for svchost.exe

Should there be a rule for both the TCP and UDP protocols together or seperately.
Also are the directions inbound or outbound or both?

Thanks.

 

Hi CJsDad,
We have started to cover the very basic rules for svchost here which other rules should we cover (are you getting any popups from your firewall: (ports? IP`s? in popup))

 

Thanks Stem, I seemed to have over looked that thread, guess I should have searched a little more before asking.
I only got this message one time, c:\windows\system32\svchost.exe asking for access.

 

No problem, that thread as just been created, with intention to help with question like this.

There will still be need for further rules (to add to those posted), but info from firewall popups would help, so we can show what the connection attempt is for, and if needed.
The 2 main rules required will be for DHCP and DNS.

Have you currently any rules for svchost within your ruleset?

 

These are the two pop ups I received for svchost.exe.

1) Generic Host Process for Win32 Services TCP 80

Create rule for this remote port only-TCP 80

2) Generic Host Process for Win32 Services TCP 443

Create rule for this remote port only- TCP 443

 

Do you know what causes these popups? Are you starting windows help or another application when these popups show. (for normal internet browsing, svchost does not need these connections)

I would block these untill we know for certain what is causing this.

 

Windows help, this is the same as the Microsoft Windows automatic update section right?
If so, I was at the website when I received these two pop ups.

 

svchost handles the time service, and it handles windows update, even if initiated by IE. I have not found any real range for the servers that ms farms out the bandwidth to for windows update so its left at any address, otherwise people can permit every little connection it makes manually.

 

Port 80 and 443 are normal for Windows Update. You need these to allow if you use Windows Update by service or IE. I have allowed these two ports on IP 207.46.0.0/16 and works perfect.

 

I will have to try that netmask, and see if I have any issues.

EdIt: There was a connection to a 64.x address, that is not sufficent to connect to windows update, and will prevent it from completing.

 

No, these are seperate.

If you have started windows help then yes (but then again, this service does have an habit of just starting up (depending on settings)), these connections will be asked for. If you want to connect for help, than allow these connections, but would suggest that you confine the remote connection: meaning: that you should place the domain name of the connection (or the IP for connection if a domain name cannot be entered). On my last check of this (yesterday), the windows help connected to "wwwtkttest5.microsoft.com" (IP 207.46.198.60), giving svchost full access to connect to any remote IP on ports 80:443 is, well, not the best idea.

Windows update,.. I am now going to perform to find all connections needed.

 

You cannot do name resolution in the rules, its dones by ip address only.

 

Thanks,.. I know most firewalls will not allow domain names, but will ask due to other instructions.

 

I have just connected for windows updates,

Connections made:-
svchost.exe 208.175.160.126 (download.windowsupdate.com.c.footprint.net, download.windowsupdate.com) remote port 80
svchost.exe 212.73.246.62 (download.windowsupdate.com.c.footprint.net, download.windowsupdate.com) remote port 80
svchost.exe 207.46.20.93 (update.microsoft.com.nsatc.net, update.microsoft.com) remote port 443
I only went as for as the "updates to download, as I prefer to install updates manually.

So from this, there is the consideration, that remote IP can/may change, and that svchost will require these connections when updating. I know that in the past that updates have been fed from other mirror sites.
So, do we allow svchost full access, do we restrict to IP`s (that may change and possible future problems), or give temp rules to allow these connections when updating?

For me personally, I would allow svchost only temp access to these rules when updating.

 

Same as allways svchost likes to connect to god and hell when ever it wants/can.
Regarding to Windows Update it's here working with 207.46.0.0/16. I see that the updater process likes also to connect to your mentioned IP's, but it results in my case that updating works without these.

 

your rule is restricting to 207.46.0.0-207.46.255.255 which I do not think will work for complete windows updates. Have you other rules that are allowing svchost connections on these remote ports?

 

My rules regarding svchoste.exe and Windows Update:
UDP outbound on 207.46.0.0/16 Remote Port 80
UDP outbound on 207.46.0.0/16 Remote Port 443

and ups... you are right. Have to say i never downloaded updates with IE or service, just only tested so far without trying to download.

To get it to work i had to add following rule:
UDP outbound on 200.49.128.0/19 on Remote Port 80 (which is strange because this is my cable provider)

 

windows updates will not work on UDP,... TCP outbound connections need to be establised. Please re-check your rules for svchost.

 

My god, i didn't had any Whiskey or Drugs i think , of cource you are right.

 

It is weekend

You may of allowed outbound TCP:80:443 for svchost in another rule

 

No, it is TCP in my rules.
But what i am recognicing is, that it seams that the IP for downloading the updates depends on the locacion and maybe provider you use. In my case the IP adress you provided won't be acessed, but here in Argentine my Cable-Provider IP.

 

Thats one of the main problems with windows update. The location of the user can make a difference on IP access/needed. Plus Microsoft use many mirrors for giving updates which add to problems for firewall rules.

 

O.k. so now back to my original question, What should I do for a ruleset for scvhost.exe
After reading through this thread I'm as confused as ever.

As for now I removed it from the rules in Kerio 2.1.5 and I haven't received any popups asking for access.

 

In this situation, with windows updates,

Allowing svchost full access to remote ports 80:443 is the "easiest to use" option.

Creating a full reuleset (with IP`s) would be the best idea, but the IP`s could change. (and as it appears the IP`s to access/download the updates changes, depending on location, there is no "global" set of rules that can be made)

Giving svchost only temp access when updating (place a rule to block svchost access to remote ports 80:443, but then change this to allow when performing windows updates).

I think this needs to be left to "personal choice"