Question about svchost.

Discussion in 'other software & services' started by jammtn, Nov 11, 2012.

Thread Status:
Not open for further replies.
  1. jammtn

    jammtn Registered Member

    Joined:
    Nov 11, 2012
    Posts:
    3
    Hi! I wanted to ask a question. What could be called "normal" svchost.exe behavior? In the last couple of days I accidentally saw that svchost with different PIDs is often connecting to some strange IPs (mostly from my ISP, or just my country, but not always) and is sending out some info, mostly via UDP. Like, for example, now - svchost with PID 1208 is connected to some local IP from my country and slowly (5-25 B/s) but constantly is sending some info via UDP through port 61160. What could that possibly be? I have Comodo firewall, and I blocked svchost.exe completely - just left open one IP for DHCP. But I don't know how, but it still manages to connect and send some info. So am I paranoid, or does svchost need to behave like that?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. jammtn

    jammtn Registered Member

    Joined:
    Nov 11, 2012
    Posts:
    3
    Yeah, but how do you know if you have some kind of rootkit or not.. Still, I guess no, because I always check what I'm letting through the firewall, and I actually never had any kind of malware. Still, those svchosts are very suspicious, because you can't actually block them from connecting to some kinds of IPs, and you don't really know who is actually connecting (different PIDs have different .dlls, but you still don't know which .dll exactly is connecting). For now I'm just blocking everything from svchost that is constantly exchanging some info. Another question - I left 255.255.255.255:67 open for DHCP and it's constantly sending out and receiving some traffic - is this normal? I thought you only need to connect once and obtain an IP and other info, but not constantly. Or is it normal?
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Svchost.exe should only exist in your system32 folder and also your SYSWOW64 folder (on 64-bit). If you have a svchost.exe in any other place it is not valid. I usually set up an SRP rule to make sure svchost.exe can only run from the system folders.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ xxJackxx

    This is Very good :)

    Process Explorer will also assist :thumb:

    http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Open a cmd prompt, type netstat -ano or netstat -abno to get info on traffic and processes. Then use tasklist /svc to see which services are attached to which PID. Svchost I/O may be legitimate depending on what services are running. There are many ways to achieve this, but I normally use Process Explorer or the cmd prompt as described.

    xxJackxx's info on where svchost.exe should live is accurate, and his SRP rule is an outstanding way to mitigate it. That's how I have been doing it as well for a few years now.

    Sul.
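The netstat -ano / tasklist /svc procedure described above, as an added example that is not code from anyone in the thread: a small Python script that parses constructed sample output of both commands, joins every connection to the services hosted in that svchost PID, and flags foreign addresses that lie outside the LAN. The PIDs, ports, service names and addresses in the samples are invented.

```python
import re
from ipaddress import ip_address
# Constructed sample "netstat -ano" / "tasklist /svc" output (invented PIDs, ports, addresses)
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49810      93.184.216.34:443      ESTABLISHED     2044
  TCP    192.168.1.5:49811      93.184.216.34:80       ESTABLISHED     1208
  UDP    0.0.0.0:68             *:*                                    888
  UDP    192.168.1.5:61160      *:*                                    1208
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
svchost.exe                    888 Dhcp, EventLog, lmhosts
svchost.exe                   1208 SSDPSRV, FDResPub,
                                   upnphost
chrome.exe                    2044 N/A
"""
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*?)\s*$")

def parse_tasklist(text):
    # PID -> (image name, [services]); wrapped service lists continue on indented lines
    procs, last = {}, None
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            last = int(m.group(2))
            names = [] if m.group(3) == "N/A" else re.split(r",\s*", m.group(3))
            procs[last] = (m.group(1), [s for s in names if s])
        elif last is not None and line.startswith(" ") and line.strip():
            procs[last][1].extend(s for s in re.split(r",\s*", line.strip()) if s)
    return procs

def is_remote(endpoint):
    # True for a routable foreign address; False for "*", loopback, LAN or multicast
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    if host == "*":
        return False
    ip = ip_address(host)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast)

def svchost_report(netstat_text, tasklist_text):
    # Every netstat row whose PID is an svchost.exe, joined with the services it hosts
    procs, rows = parse_tasklist(tasklist_text), []
    for m in filter(None, map(NETSTAT_RE.match, netstat_text.splitlines())):
        proto, local, foreign, _state, pid = m.groups()
        image, services = procs.get(int(pid), ("", []))
        if image.lower() == "svchost.exe":
            rows.append({"proto": proto, "local": local, "foreign": foreign, "pid": int(pid),
                         "services": services, "remote": is_remote(foreign)})
    return rows
```

Feed it the real output of the two commands (saved to files) and each row that shows "remote" as True names the small set of services that could be the one talking, which is the narrowing step the thread is after.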
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,983
    Location:
    Canada
    You should be able to block or control any and all svchost-spawned services with an application firewall. You might not have Comodo set up properly to warn you when these services attempt an outbound network connection.
     
  8. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Noob

    Glad you like it :)
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    @ CloneRanger

    I like it too! :thumb:

    I see that I have a lot of services disabled. ;)

    ScreenShot_Svchost details_01.jpg
     
  11. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Hmm. I ran that on my PC just to try it out. Nothing happened. I tried running it a few times. One time I had Task Manager open. Two processes started for a split second and then disappeared....
     
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Try what? :D

    Hahaha thanks!
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Tarnak

    I see you have similar Services disabled, like me :) But why is HTTP SSL disabled? Won't that affect browser encryption?

    Also, what/why is the red-triangled ID 1336 item?
     
  14. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    The svchost scanner thing.
     
  15. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I used Process Explorer and it shows some very detailed information about the processes. :D
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    @CloneRanger

    I use the Opera browser and as far as I can tell it is OK. I might be wrong.

    When I checked the PID the last time, it was the same process as you can see from the new screenshot.

    ScreenShot_Svchost details_08.jpg
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Tarnak

    Are you saying that only IE uses the HTTP SSL service?

    I see RPC now.
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    @ CloneRanger

    I can't say one way or another, because I don't know, but I have been doing my online banking for years and I have no problem.

    I did a little search and found this (Sites suddenly insecure or Opera 12.01 too strict?), which seemed interesting.
     
  19. jammtn

    jammtn Registered Member

    Joined:
    Nov 11, 2012
    Posts:
    3

    Well, Defense is in safe mode, the firewall is in custom mode and the alert level is very high, so I don't know what more could be done. Plus I blocked svchost completely - UDP/TCP/IP to all IPs except one - so how are they even able to connect? That's the strangest part. For now I just blocked those IPs which were communicating constantly, and it helped - for maybe a week there has been no "strange" communication. But what about my other question - does the DHCP service need constant communication?

    Looks legitimate, but still, even then you really can't know which program under the svchost name is generating traffic.
     