Ruleset for svchost.exe!

Discussion in 'other firewalls' started by RaiGal, Jan 2, 2011.

Thread Status:
Not open for further replies.
  1. RaiGal

    RaiGal Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    8
    Location:
    Here and there.
    Hello there guys, happy new year!

    Lately I have been getting a lot of weird connections and activity from svchost.exe. More or less this is the executable which is targeted 99% of the time by trojans. I would really appreciate a ruleset until I find a way to deal with this permanently.

    1) Lately I have been thinking about installing a program to protect svchost.exe and similar important Windows files, but I haven't found anything. I am trying to find a shadowing/sandboxing combo program in which I can monitor programs that ask for access from svchost.exe and afterwards either permanently allow them or revert to the previous state. The thing is that most of the time the intruder stays there permanently.

    2) I am using Comodo Firewall and HIPS and I can say that I am very satisfied. However, I have been looking for a way to isolate a program and run it in a sandboxed environment that doesn't allow interaction with any other program or net access.

    3) I am also looking for system hardening tools for Windows 7!

    Thank you for your time guys! Any help is appreciated!
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. wat0114

    wat0114 Guest

    This is what I'm using in the Windows 7 Firewall with Advanced Security. Please note the Block rule for wuauserv.exe is actually allowed when Windows updates are needed; I just block it until I need it. Also, DNS doesn't normally have a direction placed on it, but in Win 7/Vista it does.

    The first picture is the "inbound" ruleset, while the second is the "outbound" ruleset.
     


  4. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    I allow outgoing; for incoming I allow only from the local subnet.
     
  5. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    267
    Location:
    Philippines
    Maybe it would greatly help if you also read the Sticky Thread "Firewall Questions for beginners." It has svchost rules there.

    Cheers!
     
  6. RaiGal

    RaiGal Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    8
    Location:
    Here and there.
    Sorry for not replying on the topic for some time, but I have been busy the past few weeks.

    @kerykeion
    I checked out the topic, it looks great! However, I have Windows 7; can I use these rules accordingly?

    @wat0114
    Thanks man, this helped out a lot!

    @Cudni
    I get svchost.exe connections at port 3576 --> TCP and a lot of connections at 1112 --> UDP out. However, more connections pop up at random times, mostly at startup!

    Also, the system is listening on ports 2869, 139, 139 (twice!), 10243, 10243, 2869! Is that normal?

    Should lsass.exe use port 528 --> IGMP Out 224.0.0.22?

    I used the tasklist /svc command, but it's really hard to tell what should be running and what shouldn't. Is there any program to make things a little bit easier?

    What ports should svchost.exe use in a pristine, freshly formatted Windows 7 OS?

    My knowledge of firewalls is quite limited, so I would love to read some tutorial/site on how to effectively configure each application/system file in order to harden my system! If someone has something in mind I would love to hear it!

    Thanks for hearing me out guys!
     
    Last edited: Jan 14, 2011
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I block IGMP; both inbound and outbound traffic. I got no use for such, therefore I block it. (-https://secure.wikimedia.org/wikipedia/en/wiki/Internet_Group_Management_Protocol)

    You could give TCPView a run, and see if you like it. It's of simple use.

    In a strict firewall ruleset, the remote ports would be 80 and 443, as for Windows Update, with svchost.exe bound to the Windows Update service. Adobe Reader also seems to download updates via svchost.exe, for example.

    Other than that, and unless needed o_O (I have my doubts that something else would be needed.), do not allow any more than it really needs.

    If it's something you wouldn't have trouble dealing with, and if you don't need it, I'd disable the DNS Client service and then create DNS rules to allow each application requiring an Internet connection.
     
  8. wat0114

    wat0114 Guest

    My latest MS Update IPs with CIDR masks:
     


  9. RaiGal

    RaiGal Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    8
    Location:
    Here and there.
  10. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    There is nothing "out of the ordinary" in the image above, just some of the standard ports, used by the Windows generic host process.

    There is no single answer to the question of which ports svchost should have available. It totally depends upon personal circumstances.

    A single Windows XP PC, with no requirement for connecting to any external devices, using only IPv4, will be completely different from a Windows 7 PC that is part of a LAN using IPv4/IPv6 and is a member of a Windows 7 Homegroup. Adding other environments such as a Domain or mixed-OS devices will change the game again.

    When considering which ports to make available, use an application such as Process Explorer or Process Hacker, or even tasklist /svc, identify the Process ID (second column in your image above) for the individual instance of svchost, and identify the services that instance of svchost is using. Then decide if you need that service.

    As an example, if you don't use IPv6 you can disable it; doing so will close a number of ports used by that protocol stack.

    If you don't synchronise your computer's clock with an Internet time server, close port 123.

    If you don't use DHCP, close ports 67 and 68.

    And so on.
     
    Last edited: Jan 15, 2011
  11. wat0114

    wat0114 Guest

    Heimdall is right; nothing out of the ordinary and nothing to worry about. All pretty standard "Listening" states for Win7 svchost, including the IPv6 entries.
     
  12. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    To identify the active connections and the services each instance is using, open cmd/terminal as administrator.

    Type in: cd \Users\<your name>\Desktop\ > Enter

    Then type: netstat -abno > netstat.txt > Enter

    Go to \Desktop\ and open netstat.txt

    Have a nice day....
     
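    Heimdall's procedure above (find the PID of each svchost instance, then the services it hosts, then decide) and sparviero's netstat -abno step can be done in one pass from PowerShell. The following script is an added example, not code posted in this thread. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-NetUDPEndpoint; on Windows 7 take the PIDs from netstat -abno as sparviero describes and call Get-HostedServices on them. The list of expected svchost image paths and the flag labels are my own additions: a process named svchost that runs from anywhere other than System32 or SysWOW64, or an svchost instance that hosts no registered service, is worth a closer look given the original poster's trojan concern.

    ```powershell
    # Added example, not code from the thread: map listening TCP/UDP endpoints to the
    # owning process and, for svchost.exe, to the services hosted in that instance.
    # Assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and
    # Get-NetUDPEndpoint; on Windows 7, take the PIDs from "netstat -abno" instead and
    # call Get-HostedServices on them. Run elevated so every process is visible.
    #Requires -RunAsAdministrator

    # Legitimate svchost images on a 64-bit system (32-bit services run from SysWOW64).
    $KnownSvchostPaths = @(
        "$env:SystemRoot\System32\svchost.exe",
        "$env:SystemRoot\SysWOW64\svchost.exe"
    )

    function Get-HostedServices {
        # Win32_Service.ProcessId ties each service to the svchost instance hosting it,
        # the same mapping that "tasklist /svc" prints.
        param([Parameter(Mandatory)][int]$OwningPid)
        Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $OwningPid" |
            Select-Object Name, DisplayName, StartMode, PathName
    }

    function Get-ListenerMap {
        # Listening TCP sockets plus every bound UDP socket, with the owning PID.
        $endpoints = @(Get-NetTCPConnection -State Listen |
                Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess) +
            @(Get-NetUDPEndpoint |
                Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess)

        foreach ($ep in $endpoints) {
            $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
            $isSvchost = $proc -and $proc.Name -eq 'svchost'
            $services = ''
            $flag = ''
            if ($isSvchost) {
                $services = (Get-HostedServices -OwningPid $ep.OwningProcess |
                    ForEach-Object Name) -join ','
                # Path comparison is case-insensitive (-notcontains default in PowerShell).
                if ($proc.Path -and ($KnownSvchostPaths -notcontains $proc.Path)) {
                    $flag = 'UNEXPECTED PATH'
                } elseif (-not $services) {
                    $flag = 'NO SERVICES'
                }
            }
            [pscustomobject]@{
                Proto    = $ep.Proto
                Local    = "$($ep.LocalAddress):$($ep.LocalPort)"
                Pid      = $ep.OwningProcess
                Process  = if ($proc) { $proc.Name } else { '?' }
                Services = $services
                Flag     = $flag
            }
        }
    }

    Get-ListenerMap | Sort-Object Proto, Pid, Local | Format-Table -AutoSize
    ```

    Read the Services column per port: a UDP 123 endpoint owned by an instance hosting W32Time, or UDP 67/68 owned by the Dhcp service, tells you which service to disable or which rule to write if you decide you don't need it. The Flag column is only a hint to investigate, not a verdict.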
  13. RaiGal

    RaiGal Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    8
    Location:
    Here and there.
    Thanks for the help guys! I am probably overthinking this.

    @Heimdall
    Well, that's the general idea, I guess. Sorta hard to find what's needed and what's not, though!

    @wat0114
    May I ask what your firewall is? It looks pretty nice!
     
  14. wat0114

    wat0114 Guest

    Windows Firewall with Advanced Security :)
     
  15. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    Granted, it can be a little daunting trying to establish just what is and what isn't needed. It's also possible to introduce problems by disabling an essential service or closing a needed port.

    One small application you might find useful is Svchost Viewer http://svchostviewer.codeplex.com/ This will allow you to easily see which services are used by any given instance of svchost. It will also allow you to easily find the name of the associated service, which you may then be able to disable and thus close the ports.

    To help you decide if you can disable a service you can use a guide, such as the one published by Blackviper http://www.blackviper.com/Windows_7/servicecfg.htm

    One of the nice things about the Windows 7 firewall is that it allows one to create rules that can be applied to a specific service. This is not something that's easy, or even possible, to do in most third-party firewalls.
     
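    The per-service rules Heimdall mentions, and the strict svchost policy m00nbl00d and wat0114 describe (remote ports 80/443 bound to the update service, toggled on only when patching), can be scripted with netsh advfirewall, which Windows 7 supports. This is an added example, not a ruleset posted in the thread. The rule names are my own, $DnsServers is a placeholder you must replace with your own resolvers, and the inclusion of BITS alongside wuauserv is my assumption about how Windows Update fetches its downloads rather than something stated above. Dnscache, Dhcp, W32Time, wuauserv and BITS are the real short service names.

    ```powershell
    # Added example (not from the thread): service-scoped outbound rules for svchost.exe
    # via netsh advfirewall, usable on Windows 7 and later. Run from an elevated PowerShell.
    # Rule names are my own; $DnsServers is a placeholder (RFC 5737 documentation address).
    #Requires -RunAsAdministrator

    $Svchost    = "$env:SystemRoot\System32\svchost.exe"
    $DnsServers = @('192.0.2.53')   # placeholder: replace with your resolver(s)

    function Add-SvchostRule {
        # One allow rule bound to svchost.exe AND a single hosted service, so another
        # service sharing the same svchost instance gets nothing from it.
        param(
            [Parameter(Mandatory)][string]$Name,
            [Parameter(Mandatory)][string]$Service,   # short service name, e.g. W32Time
            [Parameter(Mandatory)][ValidateSet('TCP','UDP')][string]$Protocol,
            [Parameter(Mandatory)][string]$RemotePort,
            [string]$RemoteIp = 'any',
            [switch]$Disabled
        )
        $enable = if ($Disabled) { 'no' } else { 'yes' }
        & netsh advfirewall firewall add rule "name=$Name" dir=out action=allow `
            "program=$Svchost" "service=$Service" "protocol=$Protocol" `
            "remoteport=$RemotePort" "remoteip=$RemoteIp" "enable=$enable" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed adding rule '$Name'" }
    }

    function Set-RuleEnabled {
        # Toggle an existing rule, the way wat0114 enables the update rule only when needed.
        param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enabled)
        $v = if ($Enabled) { 'yes' } else { 'no' }
        & netsh advfirewall firewall set rule "name=$Name" new "enable=$v" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed updating rule '$Name'" }
    }

    # 1. Allow only what this host actually needs from the generic host process.
    Add-SvchostRule -Name 'svchost Dnscache DNS out'  -Service Dnscache -Protocol UDP -RemotePort 53  -RemoteIp ($DnsServers -join ',')
    Add-SvchostRule -Name 'svchost Dhcp out'          -Service Dhcp     -Protocol UDP -RemotePort 67
    Add-SvchostRule -Name 'svchost W32Time NTP out'   -Service W32Time  -Protocol UDP -RemotePort 123
    # Update rules start disabled; BITS is included on the assumption that it performs the downloads.
    Add-SvchostRule -Name 'svchost wuauserv HTTP out' -Service wuauserv -Protocol TCP -RemotePort '80,443' -Disabled
    Add-SvchostRule -Name 'svchost BITS HTTP out'     -Service BITS     -Protocol TCP -RemotePort '80,443' -Disabled

    # 2. Everything else svchost.exe (or any other program without a rule) sends is
    #    blocked by the profile default. Do this LAST, after the allow rules exist,
    #    or DNS stops working immediately.
    & netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    # 3. When patching: enable, update, then disable again.
    Set-RuleEnabled -Name 'svchost wuauserv HTTP out' -Enabled $true
    Set-RuleEnabled -Name 'svchost BITS HTTP out'     -Enabled $true
    # ... run Windows Update ...
    Set-RuleEnabled -Name 'svchost wuauserv HTTP out' -Enabled $false
    Set-RuleEnabled -Name 'svchost BITS HTTP out'     -Enabled $false
    ```

    Switching the profile default to blockoutbound affects every program, not just svchost.exe, so browsers and other clients need their own program rules first. If you keep the DNS Client service enabled, the Dnscache rule above is what every application's name resolution goes through; if you disable it as m00nbl00d suggests, drop that rule and allow UDP 53 per application instead. Verify the result with netsh advfirewall firewall show rule name=all dir=out, or with the listener map from the earlier example.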