Svchost.exe

Discussion in 'other firewalls' started by SimCC, Mar 3, 2005.

Thread Status:
Not open for further replies.
  1. SimCC

    SimCC Guest

    When I scanned my ports at GRC, I was asked by Outpost (2.5) what rules to set for svchost.exe. I don't know what it is, so I blocked it. Can someone tell me what it is and how to configure it so it remains stealthed?

    Thanks,

    Simon.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  3. Simcc

    Simcc Guest

    I checked the thread but am VERY confused. Look, can someone break it down for me in simple terms what I need to do? I don't understand all the rules I have to make for it. I am getting pissed at Outpost; they say on their web page that they are easy to use, and yet I am confounded with dealing with these rules all the time. I upgraded from ZoneAlarm Free Edition and that kept me 100% stealth at all times without hassle. Is Look 'n' Stop any better?

    PLEASE HELP...........

    Simon
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The simplest way to deal with svchost (assuming you are running Windows XP) is using the following steps:
    • Place Outpost in Rules Wizard policy if it is not already;
    • Delete the entry for svchost.exe under Options/Application;
    • Outpost should give a prompt for svchost.exe the next time a network connection is made - accept the option offered (Create ruleset using preset: Generic Host Process);
    • Open the svchost ruleset in Options/Application and add the following rules at the end to prevent any further prompts appearing for it (see Web-Hiker's Guide to Outpost Firewall: Rules: Creating from Scratch for more details on rules creation):

      Protocol TCP, Direction Outbound, Block
      Protocol TCP, Direction Inbound, Block
      Protocol UDP, Block
    Rules-based firewalls can be more complex to configure and svchost.exe is an especially awkward example (blame Microsoft for this - you can't block it without losing your connection and you can't give it unrestricted access without making your PC fodder for RPC/DCOM worms like MSBlast and their ilk). However the default ruleset (which is created during the Outpost installation) will work for most people and the extra rules just serve to block any popups.

    It is, incidentally, a good idea to place Outpost in Block Most policy before running online scans just to avoid receiving multiple prompts. See the Outpost forum FAQ Online Scans - What to do with Open and Closed Ports for more details.
     
  5. simcc

    simcc Guest

    Thanks for the help Paranoid, however when I received the prompt for svchost.exe there was no preset for Generic Host Process there, only Custom! I thought that was strange, which is why I chose to block it. At the moment I have deleted it from the rules list, but for some reason Outpost has not yet asked me to create any new rules for it despite being connected to the internet etc.

    Simon.
     
  6. simcc

    simcc Guest

    Also, what do you mean by 'create rules at the end'? o_O I am sorry if my questions seem stupid, but I'm really no firewall expert.

    Simon.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    You should only be given the Custom ruleset option if svchost is sending/receiving traffic not covered by the Generic Host Process rules. Did you delete the previous rules for svchost and then access a website? (Don't do a scan first; this will trigger the Custom popup - get svchost's rules sorted first.)

    As for placing rules at the end, if you double-click on svchost's entry in Options/Application, you will see a list of rules. The rules I have suggested must go at the bottom since Outpost processes rules in order and the extra rules will block everything (putting them at the top would have the effect of completely blocking svchost and thereby losing your network connection).

    I would strongly recommend checking the Outpost Help, the manuals available on Agnitum's download page and the Web-Hiker's Guide (while it covers Outpost version 1, most of it applies to version 2 also). These will provide plenty of information on the basics of rules creation.
     
  8. Simcc

    Simcc Guest

    Ahh, I see, thanks for your help again. I have deleted svc from the list, but for some reason I still haven't been asked to set any rules for it no matter what website I visit, strange! Guess I'll just have to wait for it. Also, when I do eventually go back to grc.com to do a scan, are you saying that when I fail the test (because of the svc port) and Outpost asks me to set a new rule with only the Custom option available, that it's no problem, so I should just ignore it? o_O

    Thanks again,

    Simon.
     
  9. SimCC

    SimCC Guest

    Incidentally, whilst we are on the subject of Outpost, I get asked quite often whether I should allow an app to run as its components have changed. The thing is, how the hell am I supposed to know whether to let it run or not? When I click on Details and it says 23rp.dll or something to that effect, I might as well be reading Hebrew... is there something I should know?

    Again, sorry for all the questions.

    Simon.
     
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Hebrew is not so bad, how about Chinese?
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    Outpost seems to report a lot of changes for a while after install, but it seems to settle down a lot after that. If you're seeing changes after several days or weeks of use then I'd wonder a little I guess...
     
  12. Simcc

    Simcc Guest

    Ahhhh, I just got the svchost popup for an inbound connection, so I blocked it. Was this the right thing to do? There is so little detail as to what the connection is that I do not know what else to do. Please help, someone!

    Simon.
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Svchost only absolutely needs access (on Windows XP) for DHCP (used to obtain a lease of an IP address when your computer first connects to the Internet) and DNS (used to look up an IP address for domain names, which happens whenever you access a website).

    DHCP and DNS are covered by Outpost's default global rules, so if you are not getting a svchost popup offering the Generic Host Process preset then temporarily disable the global default DNS rules (via Options/System/Global System and Rawsocket Rules/Rules - just clear the checkboxes beside them) - you should then receive a prompt for svchost offering the Generic Host Process preset the next time you access a website.

    Depending on your system setup, svchost may need rules for time synchronisation, Universal Plug and Play and/or Windows Help - these are covered in the Generic Host Process preset so once this is set up, no further traffic for svchost should be allowed (if you add the 3 rules I listed above, you should no longer get any prompts for svchost).

    Outpost's Component Control feature can result in frequent prompts depending on how fluid (i.e. how many updates you apply) your system setup is. The Outpost forum Component Control in Outpost 2.5 FAQ is the best place for further information.
     
  14. simcc

    simcc Guest

    Thanks Paranoid once again, but I tried what you said and I just got another pop-up offering Custom again! Just to re-cap, I temporarily disabled the DNS rules and was then asked to set a DNS outbound rule for svc, but with no generic rule set for it, only Custom... this is weird!

    The troubled Simon.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,780
    I don't know much about XP, but as P2k mentions, you should only need Svchost outbound for DHCP and DNS. There should be no reason for needing to allow an inbound Svchost connection. That might mean that some other program is listening on some port and communicating out and then waiting for a reply, but I'm not sure. Perhaps it would be a good idea to inventory what's running on your system and use something like Active Ports (free) to see what programs are using what ports.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    SimCC,

    Since I don't run Windows XP, I have no way to try replicating your setup. What I would suggest is opening the preset.lst file (in the Outpost program folder) using a text editor like Notepad and doing a search for svchost. Its entry will include a line "VisibleState: 0" - change the 0 to a 1 and save the file.

    Restart Outpost (disconnecting from the Internet first) and go to Options/Application. If svchost is listed (it should be in the Partially Allowed list), highlight its entry and select Edit/Create rules using preset/Generic Host Process (the preset.lst change was to make this preset visible in the drop-down list). Double-clicking svchost's entry should list all its rules, allowing you to delete any custom rules (they will be named SVCHOST rule #n).
     
  17. Simcc

    Simcc Guest

    Paranoid, I did what you said and I got the option in the drop-down menu. I then created the other rules at the END like you specified. All seems OK right now, but I'll let you know how things progress. Again, your patience has been invaluable to me, as has your knowledge.

    All the best,

    Simon.
     
  18. Simcc

    Simcc Guest

    Ahhhh! This is driving me crazy. OK, I did what you said Paranoid: I created a rule for svc with the preset. I then put in the three other rules AFTER the preset that you specified above. But this made me unable to look at any web pages. So my situation now is that I still get prompted as to whether or not I would like to allow incoming. Please help Paranoid!

    Simon.
     
  19. Simcc

    Simcc Guest

    Correction to the above - I actually put in ALL the rules as specified in your guide to Outpost configuration of svchost.exe, then, as I said, I could not access any web pages. Also, I use AOL; not sure if this makes a difference.

    Simon.
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I've had a look at the Generic Host Process preset and it contains an error in it - the second rule (which is labelled "DHCP service", the same as the first rule) should be named "DNS service" and should specify a remote port of 53, not a local port (clear the checkbox for the local port option in the Event section).

    This error would only appear if you added "block all" rules at the end of the svchost ruleset since otherwise DNS traffic would be allowed by Outpost's global rules - so this error would not surface with "standard" use. I do remember raising this as a bug report a while back so I'll raise another one (I would suggest you report it also via Agnitum's contact form, including a link to this thread).
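    The rule-ordering point (the three block rules must sit at the bottom) and the preset bug described above, as an added example that is not Outpost's code or anything posted in this thread: a small first-match rule evaluator in Python that walks a svchost ruleset top to bottom the way the posts describe. The DHCP client ports (68 to 67), the buggy DNS rule matching local port 53, and the two packets are constructed assumptions standing in for the preset's real contents.

```python
# Added example, not Outpost's code: a first-match rule engine modelling how
# Outpost walks an application's ruleset top to bottom (see thread above).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str         # "TCP" / "UDP"
    direction: str     # "Outbound" / "Inbound"
    local_port: int
    remote_port: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "Allow" / "Block"
    proto: Optional[str] = None       # None means "any"
    direction: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        checks = ((self.proto, p.proto), (self.direction, p.direction),
                  (self.local_port, p.local_port), (self.remote_port, p.remote_port))
        return all(want is None or want == have for want, have in checks)

def evaluate(rules, packet):
    """First matching rule wins; with no match Outpost would prompt the user."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return "Prompt"

# Constructed stand-in for the "Generic Host Process" preset. DHCP client
# ports 68 -> 67 are standard values assumed here, not quoted from the thread.
DHCP = Rule("DHCP service", "Allow", "UDP", "Outbound", local_port=68, remote_port=67)
DNS_BUGGY = Rule("DHCP service", "Allow", "UDP", "Outbound", local_port=53)   # as shipped (assumed)
DNS_FIXED = Rule("DNS service", "Allow", "UDP", "Outbound", remote_port=53)   # corrected per thread
BLOCK_REST = [Rule("TCP out", "Block", "TCP", "Outbound"),       # the three
              Rule("TCP in", "Block", "TCP", "Inbound"),         # trailing
              Rule("UDP", "Block", "UDP")]                        # block rules
DNS_QUERY = Packet("UDP", "Outbound", local_port=1053, remote_port=53)      # constructed
INBOUND_PROBE = Packet("TCP", "Inbound", local_port=135, remote_port=4321)  # constructed

def dns_with_buggy_preset():   return evaluate([DHCP, DNS_BUGGY] + BLOCK_REST, DNS_QUERY)
def dns_with_fixed_preset():   return evaluate([DHCP, DNS_FIXED] + BLOCK_REST, DNS_QUERY)
def dns_with_blocks_first():   return evaluate(BLOCK_REST + [DHCP, DNS_FIXED], DNS_QUERY)
def inbound_with_fixed_preset(): return evaluate([DHCP, DNS_FIXED] + BLOCK_REST, INBOUND_PROBE)
```

With the buggy rule the outbound lookup falls through to the trailing UDP block (no web pages); with the corrected rule it is allowed, and the same trailing rules silently block unsolicited inbound TCP instead of prompting.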
     
  21. SimCC

    SimCC Guest

    I will get onto Agnitum ASAP. Again, thanks for your time! I think this has finally solved the problem - fingers crossed!

    A happy Simon.
     