Kerio 2.1.5 need rule setup for svchost.exe

Discussion in 'other firewalls' started by CJsDad, Aug 6, 2006.

Thread Status:
Not open for further replies.
  1. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Should there be a rule for both the TCP and UDP protocols together or separately?
    Also, are the directions inbound or outbound or both?

    Thanks.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi CJsDad,
    We have started to cover the very basic rules for svchost here. Which other rules should we cover? (Are you getting any popups from your firewall: ports? IPs? in the popup)
     
  3. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Thanks Stem, I seem to have overlooked that thread; guess I should have searched a little more before asking.
    I only got this message one time: c:\windows\system32\svchost.exe asking for access.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No problem, that thread has just been created, with the intention of helping with questions like this.
    There will still be a need for further rules (to add to those posted), but info from the firewall popups would help, so we can show what the connection attempt is for, and whether it is needed.
    The 2 main rules required will be for DHCP and DNS.

    Have you currently any rules for svchost within your ruleset?
     
  5. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    These are the two pop ups I received for svchost.exe.

    1) Generic Host Process for Win32 Services TCP 80

    Create rule for this remote port only-TCP 80

    2) Generic Host Process for Win32 Services TCP 443

    Create rule for this remote port only- TCP 443
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Do you know what causes these popups? Are you starting windows help or another application when these popups show. (for normal internet browsing, svchost does not need these connections)

    I would block these until we know for certain what is causing this.
     
  7. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Windows help, this is the same as the Microsoft Windows automatic update section right?
    If so, I was at the website when I received these two pop ups.
     
  8. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    svchost handles the time service, and it handles Windows Update, even if initiated by IE. I have not found any real range for the servers that MS farms out the bandwidth to for Windows Update, so it's left at any address; otherwise people can permit every little connection it makes manually.
     
  9. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Ports 80 and 443 are normal for Windows Update. You need to allow these if you use Windows Update by service or IE. I have allowed these two ports on IP 207.46.0.0/16 and it works perfectly.
     
  10. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I will have to try that netmask, and see if I have any issues.

    Edit: There was a connection to a 64.x address, so that is not sufficient to connect to Windows Update, and will prevent it from completing.
     
    Last edited: Aug 6, 2006
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, these are separate.
    If you have started Windows Help then yes (but then again, this service does have a habit of just starting up, depending on settings), these connections will be asked for. If you want to connect for help, then allow these connections, but I would suggest that you confine the remote connection: meaning that you should place the domain name of the connection (or the IP for the connection if a domain name cannot be entered). On my last check of this (yesterday), Windows Help connected to "wwwtkttest5.microsoft.com" (IP 207.46.198.60). Giving svchost full access to connect to any remote IP on ports 80:443 is, well, not the best idea.

    Windows Update... I am now going to perform one to find all connections needed.
     
  12. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    You cannot do name resolution in the rules; it's done by IP address only.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Thanks... I know most firewalls will not allow domain names, but I asked due to other instructions.
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have just connected for Windows Update.

    Connections made:
    svchost.exe 208.175.160.126 (download.windowsupdate.com.c.footprint.net, download.windowsupdate.com) remote port 80
    svchost.exe 212.73.246.62 (download.windowsupdate.com.c.footprint.net, download.windowsupdate.com) remote port 80
    svchost.exe 207.46.20.93 (update.microsoft.com.nsatc.net, update.microsoft.com) remote port 443
    I only went as far as "updates to download", as I prefer to install updates manually.

    So from this, there is the consideration that the remote IP can/may change, and that svchost will require these connections when updating. I know that in the past updates have been fed from other mirror sites.
    So, do we allow svchost full access, do we restrict to IPs (that may change, with possible future problems), or give temp rules to allow these connections when updating?

    For me personally, I would allow svchost only temp access to these rules when updating.
     
  15. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Same as always, svchost likes to connect to god and hell whenever it wants/can.
    Regarding Windows Update, it's working here with 207.46.0.0/16. I see that the updater process also likes to connect to your mentioned IPs, but in my case updating works without these.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Your rule is restricting to 207.46.0.0-207.46.255.255, which I do not think will work for complete Windows updates. Have you other rules that are allowing svchost connections on these remote ports?
     
  17. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    My rules regarding svchost.exe and Windows Update:
    UDP outbound on 207.46.0.0/16 Remote Port 80
    UDP outbound on 207.46.0.0/16 Remote Port 443

    and oops... you are right. Have to say I never downloaded updates with IE or the service, just only tested so far without trying to download.

    To get it to work I had to add the following rule:
    UDP outbound on 200.49.128.0/19 on Remote Port 80 (which is strange because this is my cable provider)
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Windows Update will not work on UDP... TCP outbound connections need to be established. Please re-check your rules for svchost.
     
  19. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    My god, I didn't have any whiskey or drugs, I think; of course you are right.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is weekend :rolleyes:

    You may have allowed outbound TCP:80:443 for svchost in another rule.
     
  21. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    No, it is TCP in my rules. :)
    But what I am recognising is that it seems the IP for downloading the updates depends on the location and maybe the provider you use. In my case the IP address you provided won't be accessed, but here in Argentina my cable provider's IP.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That's one of the main problems with Windows Update. The location of the user can make a difference to the IP access needed. Plus Microsoft uses many mirrors for giving updates, which adds to the problems for firewall rules.
     
  23. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    O.k., so now back to my original question: what should I do for a ruleset for svchost.exe?
    After reading through this thread I'm as confused as ever. o_O o_O

    As for now I removed it from the rules in Kerio 2.1.5 and I haven't received any popups asking for access.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    In this situation, with Windows Update:
    Allowing svchost full access to remote ports 80:443 is the "easiest to use" option.

    Creating a full ruleset (with IPs) would be the best idea, but the IPs could change. (And as it appears the IPs to access/download the updates change depending on location, there is no "global" set of rules that can be made.)

    Giving svchost only temp access when updating (place a rule to block svchost access to remote ports 80:443, but then change this to allow when performing Windows updates).

    I think this needs to be left to "personal choice".
     
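    The points argued across this thread (the DHCP and DNS rules from post 4, Tommy's 207.46.0.0/16 restriction versus the download hosts Stem observed in post 14, the TCP/UDP mix-up in posts 17-18, and the three options in the post above) can be checked against a small model of a per-application ruleset. The following is an added example, not code from the thread or from Kerio; the rule layout, the helper names, the DNS server address and the "first matching rule wins, no match means a popup" behaviour are this example's own assumptions about how an ordered application ruleset is evaluated, not Kerio 2.1.5's actual configuration format.

```python
"""Added example: a toy per-application firewall ruleset (application,
protocol, direction, remote port range, remote network, action), used to
see which of the svchost.exe connections reported in this thread a given
ruleset would allow.  Layout and names are assumptions of this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    app: str
    proto: str                      # "TCP" or "UDP"
    direction: str                  # "out" or "in"
    remote_ports: tuple             # (low, high), inclusive
    remote_net: ipaddress.IPv4Network
    action: str                     # "allow" or "deny"


@dataclass(frozen=True)
class Conn:
    app: str
    proto: str
    direction: str
    remote_ip: str
    remote_port: int


def rule_matches(rule, conn):
    lo, hi = rule.remote_ports
    return (rule.app == conn.app and rule.proto == conn.proto
            and rule.direction == conn.direction
            and lo <= conn.remote_port <= hi
            and ipaddress.ip_address(conn.remote_ip) in rule.remote_net)


def decide(rules, conn, default="ask"):
    """First matching rule wins (ordered ruleset); no match -> popup ("ask")."""
    for r in rules:
        if rule_matches(r, conn):
            return r.action
    return default


def svchost_rules(dns_server, wu_nets=("0.0.0.0/0",), wu_proto="TCP"):
    """Build the svchost ruleset discussed in the thread.

    dns_server: the resolver the interface is configured with (assumed here).
    wu_nets:    remote networks allowed on 80/443; default = full access.
    wu_proto:   protocol used for the 80/443 rules; Windows Update needs TCP.
    Replies to an allowed outbound request are assumed to be tracked by the
    firewall, so no separate inbound rules are modelled."""
    net = ipaddress.ip_network
    rules = [
        # DHCP: the client talks to server port 67; the server address is not
        # known at boot (the request is broadcast), so any remote IP is allowed.
        Rule("svchost.exe", "UDP", "out", (67, 67), net("0.0.0.0/0"), "allow"),
        # DNS: UDP 53, confined to the configured resolver only.
        Rule("svchost.exe", "UDP", "out", (53, 53), net(dns_server + "/32"), "allow"),
    ]
    for n in wu_nets:
        rules.append(Rule("svchost.exe", wu_proto, "out", (80, 80), net(n), "allow"))
        rules.append(Rule("svchost.exe", wu_proto, "out", (443, 443), net(n), "allow"))
    # Catch-all: any other outbound TCP from svchost is denied rather than asked.
    rules.append(Rule("svchost.exe", "TCP", "out", (1, 65535), net("0.0.0.0/0"), "deny"))
    return rules


def set_update_access(rules, allow):
    """The 'temp access' option: keep the 80/443 rules in place but flip them
    between allow and deny, enabling them only while Windows Update runs."""
    act = "allow" if allow else "deny"
    return [Rule(r.app, r.proto, r.direction, r.remote_ports, r.remote_net, act)
            if r.remote_ports in ((80, 80), (443, 443)) else r
            for r in rules]


def check(rules, conns):
    return [decide(rules, c) for c in conns]


# The three connections Stem observed during a Windows Update run (post 14).
OBSERVED = [
    Conn("svchost.exe", "TCP", "out", "208.175.160.126", 80),
    Conn("svchost.exe", "TCP", "out", "212.73.246.62", 80),
    Conn("svchost.exe", "TCP", "out", "207.46.20.93", 443),
]

if __name__ == "__main__":
    print("207.46.0.0/16 only:", check(svchost_rules("192.168.1.1", ("207.46.0.0/16",)), OBSERVED))
    print("UDP rules by mistake:", check(svchost_rules("192.168.1.1", ("207.46.0.0/16",), "UDP"), OBSERVED))
    print("full access:", check(svchost_rules("192.168.1.1"), OBSERVED))
    print("update window closed:", check(set_update_access(svchost_rules("192.168.1.1"), False), OBSERVED))
```

    Run as a script, the first line shows why the /16 rule alone is not enough: the two download.windowsupdate.com connections fall outside 207.46.0.0/16 and hit the catch-all deny, while only the update.microsoft.com connection on 443 is allowed. The second line shows that UDP rules never match the TCP connections at all, which is the situation in posts 17-18. A DNS query sent to a resolver other than the configured one matches no rule and comes back as "ask", i.e. it would produce a popup rather than being silently allowed.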