Should I block Windows svchost.exe connections?

Discussion in 'other software & services' started by The Red Moon, Jun 1, 2013.

Thread Status:
Not open for further replies.
  1. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Hi,
    I have noticed that svchost.exe listens on several ports and sends out information to several sporadic IP addresses.
    What are these for and should they be blocked?

    My firewall blocks port 445 by default and I believe this has something to do with file sharing.
    I am not a firewall expert at all so some input on this would be helpful.

    Thank you.
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    svchost is needed for internet connection.

    try blocking it and see what happens... ;)
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Thank you moontan.
    Just needed a little info for these connections.
    IP addresses are all over the place lol.
     
  4. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    It's a legitimate Windows file - block it if you want to brick up your computer, lol
     
  5. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Thanks Norman.
    I don't want to brick up my computer if I can help it lol. :D
     
  6. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    http://www.neuber.com/free/svchost-analyzer/
     
  7. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    @Gerardwil.

    Thank you Gerard for your superb reply and link.
    I currently have Process Hacker installed and I believe it has a similar function.
    I have tried tracing the IP addresses and Windows will not allow me to do this.
    Just wondered where the svchost IP addresses were located.

    Thanks.
     
  8. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    I block all svchost outbound except DHCP and when running Windows updates and my system hasn't bricked. The vast majority of unsolicited outbound attempts are to AKAMAI or Cloudfront IP addresses and I have yet to figure out what Windows 7 is trying to connect to these for. This would be my biggest complaint against Windows 7 vs. XP. I had no unsolicited outbound attempts when running XP and didn't need any block rules for svchost.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Svchost.exe performs a large range of functions and services. You'll need to look at each of the services involved and decide if you need them. On XP, the need to allow svchost internet access can be eliminated. I don't know if this holds true for Vista, 7, or 8. Depending on your needs, these are some of the items you'll need to address.

    DNS service. This will need to be disabled. Your internet apps will need to be able to perform their own DNS lookups.

    DHCP will need to be disabled. This requires that you assign static IPs to all the equipment on your LAN. Depending on your setup, this may or may not be possible.

    The Windows time service will not work without svchost having internet access. You'll need to set/update your clock manually.

    Blocking svchost will break most file and connection sharing functions between PCs. The services involved will need to be disabled.

    Blocking svchost will also break most of UPnP (universal plug and play) unless all the devices have pre-assigned static IPs.

    If you decide to try this, make a full system backup before you start, including the settings for your modem/router.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    If you want a balanced approach, one that will mildly restrict svchost, you could try the following rules:

    Time service:
    Protocol=UDP, Local port=123, Remote port=123

    DNS:
    Protocol=UDP, Local port=Any, Remote port=53

    DHCP:
    Protocol=UDP, Local port=68, Remote port=67

    Windows update:
    Protocol=TCP, Local port=Any, Remote port=80, 443

    If you are using Win XP just make sure to allow only: C:\Windows\System32\svchost.exe in all cases.
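
wat0114's four rules written as an executable allow-list and run over a handful of svchost flows, as an added example that is not part of the thread. The CSV record format, the sample flows and their addresses are constructed for illustration; the rules and the trusted image path are the ones given in the post.

```python
import csv
import io

# Image path the post says to allow; any other svchost.exe is denied.
TRUSTED_IMAGE = r"c:\windows\system32\svchost.exe"

# The four allow rules from the post: (name, protocol, local port, remote ports).
# A local port of None stands for "Any".
RULES = [
    ("Time service", "UDP", 123, {123}),
    ("DNS", "UDP", None, {53}),
    ("DHCP", "UDP", 68, {67}),
    ("Windows update", "TCP", None, {80, 443}),
]

# Constructed sample, hypothetical CSV export: proto,local_port,remote_ip,remote_port,image
SAMPLE_LOG = r"""
UDP,123,192.0.2.10,123,C:\Windows\System32\svchost.exe
UDP,51234,192.0.2.53,53,C:\Windows\System32\svchost.exe
UDP,68,192.0.2.1,67,C:\Windows\System32\svchost.exe
TCP,49201,198.51.100.7,443,C:\Windows\System32\svchost.exe
UDP,5355,224.0.0.252,5355,C:\Windows\System32\svchost.exe
UDP,1900,239.255.255.250,1900,C:\Windows\System32\svchost.exe
TCP,49202,203.0.113.9,8080,C:\Windows\System32\svchost.exe
TCP,49203,198.51.100.7,443,C:\Users\Public\svchost.exe
"""

def match(proto, local_port, remote_port, image):
    """Return the name of the first rule that allows the flow, else None."""
    if image.lower() != TRUSTED_IMAGE:
        return None  # same file name, wrong location
    for name, rule_proto, rule_lport, rule_rports in RULES:
        if (rule_proto == proto.upper()
                and rule_lport in (None, local_port)
                and remote_port in rule_rports):
            return name
    return None

def audit(log_text):
    """Return (flow, verdict) per record; flows no rule allows get BLOCK."""
    rows = csv.reader(io.StringIO(log_text.strip()))
    return [(f"{p} {lp} -> {ip}:{rp}", match(p, int(lp), int(rp), img) or "BLOCK")
            for p, lp, ip, rp, img in rows]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:15} {flow}")
```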
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I block svchost.exe here on XP Pro and my computer functions perfectly fine... no brick here.

    You can't get away with this on any Windows OS since though. Just one of the many concessions users have to make on these newer OSes that are dubbed "more secure". From what I gather services.exe is another one that must be allowed to leak through your firewall these days, that I can block just fine with no ill effects. And very little is known about exactly what these shady processes are actually doing. I personally sleep better at night not having to make such concessions.

    It's no wonder they're pushing everyone to "upgrade". God only knows what's being seeped back to MS's lair through these shady services. This is one of the main reasons I'm in no hurry to move on from XP Pro any time soon. Any shortcoming I can overcome with hardening, the right 3rd party software, and know-how. But you can't overcome the shortcomings mentioned above... you just have to live with them and bend over and take it.
     
  12. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Hi lucid,
    I don't think there is anything actually shady about these connections as they are legitimate services running on the computer.
    Port 445, I understand, is the Microsoft directory service and is connected with file sharing.
    I do not do any form of file sharing at all and for some reason file sharing will not remain turned off.
    However, when I ran Windows Firewall for a while it allowed me to turn this off??

    Comodo firewall informs me that Windows is constantly listening on this port.
    I just find it odd that the Windows firewall allows me to stop this but Comodo will not.

    Also lsass.exe and other services are listening also.

    Thanks.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    XP can be configured to not have any listening ports at all, as can every version of Windows before it. Open ports serve one purpose, to listen for and receive incoming connections. AFAIC, any system that can't be configured to prevent this is designed to be insecure, regardless of what claims they make otherwise. The services listening on these ports usually have system permissions.
     
  14. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    A port in an open state is not necessarily the same as a port in a listen state. A port can appear to be in a listen state in a process viewer but may be blocked by a firewall.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Using a firewall to block access to an open port doesn't fix the problem. Used this way, the firewall is compensating for bad design or configuration. Should that firewall fail for any reason, the port is wide open. I've seen malicious web pages crash security suites, including the firewall component. There are several instances of errors in the update files (automatically delivered) crashing security suites. UPnP can be used to open or forward ports in both software firewalls and routers/modems, giving inbound access to those open ports. Malicious code that disables security software is becoming more common.

    Software firewalls aren't intended to compensate for weak configuration. If the OS doesn't allow you to close those ports by disabling unnecessary services, then the bandaid approach is the only option left, short of replacing that OS with one that can be controlled. Myself, I won't use an OS that doesn't allow me to control internet traffic in both directions.
     
  16. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176
    I don't believe I said anything about security suites or software firewalls...
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    It's not an inbound comms issue with svchost, but rather an outbound comms issue. The firewall can be used very effectively to restrict it to only the remote IPs specifically needed for Windows updates, DNS, DHCP, etc.
     
  18. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    For years I've only enabled for svchost.exe these ports in LnS:
    TCP: 53;80;443
    and
    UDP: 53;67;123;5355;1900
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ noone_particular

    What settings do you use in XP to block svchost outgoings ?

    I've been using WSA to block it, & don't have ANY issues surfing etc :thumb:

    svc.png
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    No, you just said firewall.
    Separate hardware firewalls are not application aware. The best they can do is block traffic on specific ports. Outbound control requires a software firewall, be it free standing, part of a security suite, or Windows' own built-in firewall.
     
  21. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I never allow svchost to connect to the internet (Win XP SP3) and nothing wrong happened to me or the OS until now :)
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I disabled the specific services that opened the ports. Beyond that, I made one rule for svchost that blocks the connection and alerts me to the attempt. Although it's mainly about configuring Kerio 2.1.5, this thread has quite a bit in it regarding XP services, disabling them and making specific rules for them. Most of it will apply to other firewalls on XP as well.
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Same here :thumb:

    gen.png

    What about GHP as in my screenie ?
     
  24. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    On a side note.
    Can anybody tell me if these settings are correct?

    The ones I am concerned about are the ICMP settings.
    I have searched on the web about these and opinions vary as to whether these should be blocked also.
    Thanks.
     


  25. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    176

    Ok, I guess you know best...:cautious:
     