SVCHOST.exe rules

Discussion in 'ESET Smart Security' started by polocanada, Dec 25, 2009.

Thread Status:
Not open for further replies.
  1. polocanada (Registered Member; joined Aug 19, 2007; 60 posts)
    I wish ESS adds rules to firewall for SVCHOST.exe. This has been a headache to set up after fresh Windows 7 install already. The file is original in its proper directory windows/system32. System seems clean. There are a few legit connections, most of them are documented (like DHCP or time updates or 443 updates etc.) Still when I create rules manually sometimes I end up with losing connection in web-browser or losing connection completely.

    Is it possible to add some proper rules in Eset firewall with default installation? If you could set up a rule not only based on the application SVCHOST in this case but based on the service or process it has started. There is no use to have Svchost rule if I don't know the service or at least the port it is using. Right now there is no way to find out in ESS notification (unless I use apps like TCPView and Process Explorer). Also would be nice if Eset adds name of the service or process along with svchost.exe in the details of the Notification window when a connection attempt is made.

    I found these rules on another posting for Outpost, not sure if these are right, will need testing..... This is for Win XP, so might be outdated.

    SVCHOST.EXE (Secure Service Host Presets rules)

    -----------

    There are three places where an IP address(es) must be manually entered in this file before you can use the preset.
    First is your DHCP Server IP Address.
    Second is the UDP DNS rule.
    Third is the TCP DNS rule. Note if you do not intend to enable this rule you can either place a ; before each line of the rule and Outpost will ignore it or you can delete it completely.

    Allow DHCP Service
    Where the protocol is: UDP
    and Where the remote host is: AAA.BBB.CCC.DDD ;<-- Enter your DHCP server IP here
    and Where the remote port is: 67
    and Where the local port is: 68
    Allow It

    Allow DNS Service
    Where the protocol is: UDP
    and Where the remote host is: AAA.BBB.CCC.DDD, AAA.BBB.CCC.DDD ;<-- Enter your ISP's DNS server IP's here
    and Where the remote port is: 53
    Allow It

    Allow TCP DNS Service
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote host is: AAA.BBB.CCC.DDD, AAA.BBB.CCC.DDD ;<-- Enter your ISP's DNS server IP's here
    and Where the remote port is: 53
    Allow It

    Possible UDP Trojan DNS
    Where the protocol is: UDP
    and Where the remote port is: 53
    BlockIt
    and Report It

    Possible TCP Trojan DNS
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote port is: 53
    BlockIt
    and Report It

    HTTP connection
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote port is: 80
    Allow It

    HTTPS connection
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote port is: 443
    Allow It

    Time Synchronizer connection
    Where the protocol is: UDP
    and Where the remote host is: 192.43.244.18, 207.46.130.100 ;<-- These IPs were current as of this posting.
    and Where the remote port is: 123
    Allow It

    Block Inbound SSDP
    Where the protocol is: UDP
    and Where the local port is: 1900
    BlockIt

    Block Outbound SSDP
    Where the protocol is: UDP
    and Where the remote port is: 1900
    BlockIt

    Block Inbound UPnP
    Where the protocol is: TCP
    and Where the direction is: Inbound
    and Where the local port is: 5000
    BlockIt

    Block Outbound UPnP
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote port is: 5000
    BlockIt

    Block RPC (TCP)
    Where the protocol is: TCP
    and Where the direction is: Inbound
    and Where the local port is: 135
    BlockIt

    Block RPC (UDP)
    Where the protocol is: UDP
    and Where the local port is: 135
    BlockIt

    TCP Inbound Coverage Rule
    Where the protocol is: TCP
    and Where the direction is: Inbound
    BlockIt

    TCP Outbound Coverage Rule
    Where the protocol is: TCP
    and Where the direction is: Outbound
    BlockIt

    UDP Coverage Rule
    Where the protocol is: UDP
    BlockIt

    --------
    SOURCE:
    http://www.outpostfirewall.com/forum/showpost.php?p=77980&postcount=12
     
    Last edited: Dec 25, 2009
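The preset quoted above is written for Outpost's ordered, first-match rule list and can only match on svchost.exe as a program. As an added example that is not from the thread, from ESET or from Outpost, the following translates its service-specific allows (DHCP, DNS over UDP and TCP, time synchronisation) into Windows Firewall rules that match on the Windows service hosted inside svchost.exe, which is the per-service granularity the post asks for. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets and an elevated PowerShell session; the addresses are placeholders from the RFC 5737 documentation range and must be replaced with your own, exactly as the preset's AAA.BBB.CCC.DDD entries must.

```powershell
# Added example (not from the thread, ESET or Outpost): Outpost's svchost preset
# rewritten as Windows Firewall rules bound to the owning service, not just to
# svchost.exe. Assumes Windows 8 / Server 2012+ (NetSecurity module), run elevated.
# On Windows 7 the same rules are created with
#   netsh advfirewall firewall add rule ... program=%SystemRoot%\System32\svchost.exe service=Dhcp
# The addresses below are placeholders (RFC 5737 TEST-NET-1); replace them.

$DnsServers = @('192.0.2.53', '192.0.2.54')   # placeholder: your ISP's / local resolvers
$NtpServers = @('192.0.2.123')                 # placeholder: your time source(s)
$Svchost    = '%SystemRoot%\System32\svchost.exe'

# One entry per preset rule. 'Service' is the short name of the Windows service
# that actually generates the traffic inside the shared svchost.exe process.
# The DHCP rule deliberately has no remote-address restriction: a fresh lease
# starts with a DISCOVER/REQUEST broadcast to 255.255.255.255, before the
# server address is known, so the preset's "your DHCP server IP" filter would
# break initial address acquisition. Ports 67/68 plus the Dhcp service keep it narrow.
$Rules = @(
    @{ Name = 'svchost: DHCP client';      Service = 'Dhcp';     Protocol = 'UDP'; LocalPort = '68'; RemotePort = '67' },
    @{ Name = 'svchost: DNS client (UDP)'; Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = '53';  Remote = $DnsServers },
    @{ Name = 'svchost: DNS client (TCP)'; Service = 'Dnscache'; Protocol = 'TCP'; RemotePort = '53';  Remote = $DnsServers },
    @{ Name = 'svchost: Windows Time';     Service = 'W32Time';  Protocol = 'UDP'; RemotePort = '123'; Remote = $NtpServers }
)

foreach ($r in $Rules) {
    $params = @{
        DisplayName = $r.Name
        Direction   = 'Outbound'
        Action      = 'Allow'
        Program     = $Svchost
        Service     = $r.Service      # the per-service match the thread asks for
        Protocol    = $r.Protocol
        RemotePort  = $r.RemotePort
        Profile     = 'Any'
    }
    if ($r.ContainsKey('LocalPort')) { $params['LocalPort']     = $r.LocalPort }
    if ($r.ContainsKey('Remote'))    { $params['RemoteAddress'] = $r.Remote }
    New-NetFirewallRule @params | Out-Null
}

# Check: confirm each rule is bound to its service and not only to svchost.exe.
Get-NetFirewallRule -DisplayName 'svchost: *' | ForEach-Object {
    '{0,-26} -> service {1}' -f $_.DisplayName, ($_ | Get-NetFirewallServiceFilter).Service
}
```

Two differences from Outpost matter when porting the rest of the preset. Windows Firewall does not evaluate rules top to bottom: an explicit block rule wins over an allow rule regardless of the order in which the rules were created, so the trailing "Coverage Rule" blocks must not be recreated as svchost.exe block rules (they would override every allow above); the equivalent is the profile's default outbound action. And because these rules are scoped to a service, a connection from a service in the same svchost.exe that has no rule of its own (the HTTP/HTTPS traffic discussed in the next post, for example) is still decided by the default action and by any rule you add for that specific service.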
  2. polocanada (Registered Member; joined Aug 19, 2007; 60 posts)
    So right now I have this outgoing alert:

    Application: Host Process for Windows Services (SVCHOST.exe)
    Publisher: Microsoft Windows
    Remote Computer: 64.156.132.140 (which is experts-exchange.com)
    Remote Port: 80 (http)
    Local Port: 59532

    I happened to visit a website (using Opera Browser, Windows 7). On website there were possibly links or ads linking to experts-exchange.com?

    In case above it's clear, remote address, Http port so it's easy to associate with browsing. But not sure why is SVCHOST accessing the pages. Local port is strange. Why these strange numbers..

    Connections happen randomly. In some cases SVCHOST would use different port, different site.. like in this case:

    Application: Host Process for Windows Services (SVCHOST.exe)
    Publisher: Microsoft Windows
    Remote port: 80
    Remote computer: vx-in-f102.1e100.net
    Local port: 59541

    Could this be svchost is connecting to DNS Server or what?

    It's pretty confusing what to do with SVCHOST. I have never paid attention to it before. Can't block it completely, can't leave it completely unattended. Or am I just getting hopelessly paranoid?

    o_O
     
    Last edited: Dec 30, 2009
  3. Marcos (Eset Staff Account; joined Nov 22, 2002; 14,374 posts)
    vx-in-f102.1e100.net resolves to 74.125.115.102, the IP range 74.125.0.0 - 74.125.255.255 seems to belong to Google.

    As for local ports, don't pay attention to them unless you run a server service, such as HTTP server. Local ports are assigned automatically by the operating system when an application establishes a connection to another computer.
     
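The notifications quoted in post 2 give the local port, the remote address and "svchost.exe", but not which of the services hosted in that process opened the connection, which is the gap polocanada describes in post 1. As an added example that is not from the thread, from ESET or from Microsoft, the function below takes the local port from such a notification, finds the owning svchost.exe instance, lists the Windows services hosted in it, resolves the remote address the way Marcos did by hand, and flags whether the local port falls in the ephemeral range Marcos refers to. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection, an elevated session (process paths of system processes are otherwise hidden) and that the connection is still open when you run it; the port 59532 in the usage line is the one from the first notification.

```powershell
# Added example (not from the thread or from ESET): map the local port shown in
# an ESS notification to the svchost.exe instance and the services inside it.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection), run elevated, and
# that the connection is still open. On Windows 7 the same facts come from
# "netstat -ano" (owning PID) and "tasklist /svc /fi ""PID eq <pid>""" (services).

function Resolve-SvchostConnection {
    param(
        [Parameter(Mandatory)] [int] $LocalPort
    )

    # Vista and later allocate client-side (ephemeral) ports from 49152-65535,
    # so local ports such as 59532 or 59541 are normal, not a sign of anything.
    $ephemeral = $LocalPort -ge 49152

    $conns = Get-NetTCPConnection -LocalPort $LocalPort -ErrorAction SilentlyContinue
    if (-not $conns) {
        Write-Warning "No open TCP connection with local port $LocalPort (it may already have closed)."
        return
    }

    foreach ($c in $conns) {
        $proc  = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $image = if ($proc -and $proc.Path) { $proc.Path } else { '(not available)' }

        # Win32_Service.ProcessId ties each service to the process hosting it;
        # a shared svchost.exe instance lists several services here.
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
                    Select-Object -ExpandProperty Name

        # Reverse lookup of the remote address, as done by hand in post 3.
        $remoteName = try { [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName }
                      catch { '(no PTR record)' }

        [pscustomobject]@{
            LocalPort     = $c.LocalPort
            EphemeralPort = $ephemeral
            RemoteAddress = $c.RemoteAddress
            RemoteName    = $remoteName
            RemotePort    = $c.RemotePort
            State         = $c.State
            OwningPid     = $c.OwningProcess
            Image         = $image
            Services      = ($services -join ', ')
        }
    }
}

# Usage, with the local port taken from the first notification in post 2:
Resolve-SvchostConnection -LocalPort 59532 | Format-List
```

The Services column is what turns an "svchost.exe to port 80" alert into something a rule can be written for: a connection owned by an instance hosting Dnscache is very different from one owned by an instance hosting the Windows Update or BITS service, even though ESET shows the same image name for both. Because the local port is ephemeral, it changes on every connection and should never be used as a match condition in the rule itself, which is Marcos's point.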