svchost.exe and dllhost.exe handling; a.k.a. service-specific rules

Discussion in 'other firewalls' started by QKhI2, Jul 21, 2010.

Thread Status:
Not open for further replies.
  1. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    Hi all,

    I've recently been looking over several firewall/HIPS packages, and one of the frustrations I've been having is that none I have found (actually, I think one I tried could, but I can't remember which one) can have different rules for each Windows service. Instead, each service is treated as the same (i.e. grouped as 'svchost.exe').

    There has been a thread on the CIS wishlist for about 1.5-2 years to improve their handling of svchost, so I doubt it will ever happen there. Tried Outpost, Online Armor, OSSS, CIS so far.

    Does anyone know a firewall and/or HIPS which can actually treat the different threads of SVCHOST as different depending on the service it represents?

    Cheers.
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    Separation between the instances of svchost is not possible.
    If you know how to HIPS, it's possible to deny access to some COM APIs.
    Malware Defender can do this, but I have my doubts that Online Armor and
    Outpost can do the same.

    Firewall rules in general are only possible for ONE file - not instances.
     
  3. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    It must be possible to separate some of the services running - you can do so using tools such as:
    TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE"
    or ProcessExplorer (the SysInternals tools).

    Of course, I'm not sure if all the same services tend to run in the same svchost.exe containers. A tool could ostensibly check those properties, and associate rules with the individual services (even though multiple sets of rules would apply to each svchost, based on the services running in it).

    It's weird, because I have a vague recollection of having tested a HIPS/firewall that allowed setting rules depending on the svchost instance, but I can't remember which one.

    Cheers for the response though.
     
  4. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    On another note, it looks like you may be able to force services to each run in their own svchost.exe container (see http://huddledmasses.org/separating-svchost-services/).
    If it were possible to do this, then different rules could potentially be applied to each service (if a HIPS/firewall were service-name aware, that is).
     
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Well, I don't have Win7 in any form atm (I ditched it from all my systems, even the VM, long story), but isn't Win7 firewall able to filter svchost by services?
    You didn't mention the OS, so...
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    No - just several pre-defined rules with names for services.
    That's a completely different topic - that website explains how to run
    services combined in one svchost each in its own svchost.
    (So you don't have 4 svchost with 374 services each - you have e.g. 24 svchost
    with only one service running in each - a waste of RAM.)

    But that means nothing for a firewall or HIPS - both still retrieve requests from svchost.
    I already told you - HIPS and firewalls do not know about services or instances - only files!

    If you have trouble with services, give the child a name and focus on it here!
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    I am well aware of the predefined rules. But,
    as I already said, I have neither Win7 nor Vista on any of my systems and can't take my own screenshot, so first off I need to apologize because I nicked this from Stem's thread (the post in question has quite a few screenies in it, so linking to it won't be of much use in this case), but I had to point out this exact screenshot. You can see that you can specify any service from the list when creating a rule -

    [attached image: 07.jpg]

    Wasn't that what the OP was asking for? Or did I misunderstand?
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    Those pics show the pre-defined rules. When creating new rules you can choose
    those for existing services - otherwise you need to fill them out from scratch.

    But that was not his matter - he wrote about a firewall which can handle
    several instances of e.g. svchost.exe without any other information.
    The answer is still NO. Windows Firewall is also a collection of several rules.

    In Malware Defender I have some pre-defined zones like Windows 7 Firewall Control
    and can mark them for files - and some specific rules.
    (e.g. VeriSign servers and MS servers)

    svchost can use LAN, but not web - 2 rules. Rules 3 and 4 deny access to
    ports 443 and 135 outside the LAN - for those inside the LAN it is rule 5.

    Online Armor needs the same number of rules, CIS also.
     
  9. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    Brummelchen:
    I understand the answer is 'no firewall or HIPS does that'.
    But it also seems that there is no conceptual reason that a firewall or HIPS *couldn't* do that, just none of them do.

    The only reason that you would want to force each service into its own container (which as you say would then carry the overhead of SVCHOST more times than normal, using more RAM and probably other resources) is IF a firewall or HIPS did implement sensitivity to the services running inside each SVCHOST.
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    4th time now - NO <--- read this!

    NO actual firewall can divide each instance!
    NO hips can divide files by services
    hips CAN handle COM-APIs (allow/deny) for only ONE file - NOT instances.

    you should extend your knowledge of firewalls and hips, now.

    and 2nd again - if you have trouble with a specific service - write it down!

    EOT4ME
     
  11. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    I appreciate your attempts to answer my questions Brummelchen; it seems like there is a bit of a communication problem however.

    This is me learning about firewalls. I don't have a specific problem - I have a curiosity about what is and isn't possible, and what is and isn't already achieved by existing security software.

    Anyway:
    It is possible to determine which services are running inside each SVCHOST: tasklist.exe and Process Explorer can do this.

    Each SVCHOST has its own process ID. I understand this doesn't mean that each service has its own process ID (because multiple services run within a single SVCHOST, unless you force the processes not to using the previously discussed method).

    So, unless it isn't possible to determine the process ID of a process being handled by a HIPS or firewall through the COM API (instead only having the name) it should be possible to create rules specifically for each service, and then apply *all* the rules for *all* the services running within a single SVCHOST to that SVCHOST instance. As you pointed out earlier (if I understand you correctly) that is what the Windows Firewall does.
    I understand this doesn't give you the ability to set rules which will *only apply* to a particular service - they will apply to the entire SVCHOST instance. If you did force each service to run in its own SVCHOST, however, then you would be able to apply service-specific rules *if* the HIPS/firewall is able to identify the service running in each SVCHOST instance (which tasklist or process explorer can do) AND if the firewall can handle the SVCHOST instances by process ID (not just by the name of the executable - i.e. svchost.exe).

    If there is one question to come out of this now it is:
    Can HIPS/firewalls only identify the processes they are handling by process name, not process ID?

    Thanks for keeping on responding, even when it is obvious you are getting frustrated.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Great suggestions for a thread :thumb: and something that has frustrated me for years.

    I'm following the replies on svchost.exe with interest, and "if" there is a solution i for one will be on it ;)

    Re dllhost.exe: should we see this listed in Autoruns and/or Process Explorer? As I don't on XP/SP2.
     
  13. wat0114

    wat0114 Guest

    No, they are not pre-defined rules for the services; in fact, the services can be individually custom filtered per protocol, port(s) and IP address(es).
     
  14. QKhI2

    QKhI2 Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    12
    CloneRanger: I have seen dllhost.exe operating when I attempt a task which requires running as administrator through UAC (e.g. copying a file to my c:\program files directory). In such cases, dllhost.exe seems to be what actually performs the action with the elevated privileges.
    I believe it also plays a role in IIS and other such applications.
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Thank you, wat. That was my point.
    Brummelchen here seems to be too involved with his own theories... :rolleyes:

    I will now install Win7 in a VM to check... That will take some time though.
     
  16. wat0114

    wat0114 Guest

    You're welcome Seer. Have fun setting up the firewall :)
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @QKhI2

    By the sound of it dllhost.exe isn't running permanently on your comp, so in that case you/we wouldn't normally expect to find it active, according to that?

    When I was on 98SE I had read that dllhost.exe "could" be a security risk under certain circumstances, and it wasn't absolutely required. So I'm sure I disabled it, and never had any issues doing so. Whether we can disable it on XP etc. I don't know, but I'd like to know. If we can I will, so if someone knows the answer please say, and/or provide a link to more info :thumb:
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, it does.

    - Stem
     
  19. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    And where is the difference now for a normally used firewall? I see none.

    Although you might have the better knowledge - no.

    Have you tried to add a service in the Windows 7 firewall?
    You get a list of pre-defined rules (which are commonly already defined),
    but all of those rules contain the simple information like port, protocol, address
    which is important to let that service work in a network.
    And the list in Win7 is long, really long.

    This is only an example - but I hope it makes it clearer

    http://www.imagebanana.com/view/vaanqhcy/win7_fw_svc1.png
    http://www.imagebanana.com/view/rmfnlnkr/win7_fw_svc2.png
     
    Last edited: Jul 24, 2010
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, I create all my own firewall rules, I do not use the pre-defined rules.

    A simple example.

    (Win7 firewall)
    All default firewall rules are disabled, outbound set as block.
    Create a rule to allow outbound for svchost bound to the DHCP service (no protocol/port added)
    Create a rule to allow outbound for svchost bound to the DNS service (no protocol/port added)
    Create a rule to allow browser outbound access (ports defined)

    That will allow the basics of needed internet connections on a default Windows setup.

    Now from those rules, and according to what you are attempting to put forward, svchost would be allowed all outbound, but it is not. Just attempt (for example) to run Windows Update and it will fail with an error.
    If you then create a rule for svchost and bind it to the Windows Update service and allow that outbound, Windows Update will connect.


    - Stem
     
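    The setup Stem describes, as an added example that is not from this thread or from any of the products named in it: first list which services each svchost.exe instance currently hosts (the grouped-by-PID equivalent of TASKLIST /SVC), then create outbound rules bound to a service with netsh advfirewall. It assumes an elevated PowerShell prompt on Vista/Win7 or later, Get-WmiObject (PowerShell 2.0), and the standard short service names Dhcp, Dnscache and wuauserv.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
$svchostPath = Join-Path $env:SystemRoot 'system32\svchost.exe'

# 1. Which services live in which svchost instance? Win32_Service carries the
#    hosting ProcessId, so grouping by it shows every container and its services.
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -like '*svchost.exe*' -and $_.ProcessId -ne 0 } |
    Group-Object ProcessId |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        'PID {0,6}: {1}' -f $_.Name, $names
    }

# 2. Outbound rule bound to one service. "service=" makes the rule apply only to
#    the svchost instance hosting that service (Windows identifies it by the
#    service's own SID), so the other services in the same container stay
#    blocked while the default outbound action is block.
function Add-SvchostServiceRule {
    param(
        [Parameter(Mandatory=$true)] [string] $RuleName,
        [Parameter(Mandatory=$true)] [string] $ServiceName,  # short name, e.g. Dnscache
        [string] $Protocol = 'any',
        [string] $RemotePort = 'any'
    )
    $ruleArgs = @("name=$RuleName", 'dir=out', 'action=allow',
                  "program=$svchostPath", "service=$ServiceName", "protocol=$Protocol")
    # netsh only accepts remoteport together with tcp or udp.
    if ($Protocol -ne 'any') { $ruleArgs += "remoteport=$RemotePort" }
    netsh advfirewall firewall add rule $ruleArgs
}

# Default outbound block on every profile, as in Stem's setup.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Allow only the services that need the network, narrowed to their known ports
# (Stem's example leaves protocol/port off; adding them restricts the service further).
Add-SvchostServiceRule -RuleName 'svchost DHCP client'    -ServiceName 'Dhcp'     -Protocol udp -RemotePort 67
Add-SvchostServiceRule -RuleName 'svchost DNS client'     -ServiceName 'Dnscache' -Protocol udp -RemotePort 53
Add-SvchostServiceRule -RuleName 'svchost Windows Update' -ServiceName 'wuauserv' -Protocol tcp -RemotePort '80,443'
```

    Re-run the first part after adding rules: a service that still fails to connect is either hosted in a container with no rule or needs a port you did not allow.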
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    You can see ALL svchost processes, active and inactive etc., with Svchost Process Analyzer by Neuber Software :thumb:

    [attached image: svc.gif]

    I've posted with that app before, but nobody seemed interested enough to respond?

    Something just occurred to me: as svchost is normally granted automatic permission to get out, and as so Many processes are using it, could malware make use of this opening/s?

    Or even if, for e.g., Generic Host Process is set up to prompt in your FW, as in mine, once allowed out, it automatically allows ALL those processes access, as I see it anyway? Therefore not good.

    I see Stem has just posted info that "might" answer the above ?
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You edited your post while I was replying.

    So to add.

    When creating a rule for svchost for (for example) the DNS service, you MUST bind svchost to that service.

    [attached image: 01.png]

    Adding protocol/port info into the rule adds restriction to the actual service.

    I posted this info when I created the vista firewall thread.


    - Stem
     
  23. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    User-defined rules? OK, your point!
    (I can't do that with only "program" chosen)

    And how does the firewall separate the call
    C:\Windows\system32\svchost.exe -k netsvcs *
    from
    C:\Windows\system32\wuaueng.dll
    ?
    There is no clue about it in the rule itself.

    *With the first line I have a list of 12 services running.

    >> You can see ALL svchost processes, active and deactive etc

    Process Explorer from Sysinternals can do the same - and more - however...

    And what's your conclusion to that?

    #
    >> You edited your post while I was replying.
    Yes, sorry.

    ## With that information I would say that only the Windows firewall is able to separate
    this way - I didn't see that in Online Armor nor Outpost.

    ###
    Need two firewalls...
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Once the default rule for svchost is defined, you need to edit the rule to bind it to a Windows service.
    For example, wuaueng.dll is part of the Windows Update service (wuauserv), so rules for that are made for svchost bound to that service.
    Other instances of svchost need to be verified as to what service they control and whether those services require internet access.



    As I have put forward before on this forum, most firewalls do not integrate well with vista/win7 and actually bypass the windows service hardening. As you should know, most 3rd party firewall vendors are only interested in leak test prevention not with what specific windows service can have internet access or good packet filtering.


    - Stem
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, it is possible.

    Correct.


    - Stem
     