svchost, many outbound connections

Discussion in 'other firewalls' started by jason68, Nov 16, 2009.

Thread Status:
Not open for further replies.
  1. jason68

    jason68 Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    4
    I’m getting lots of svchost.exe connections (UDP out). Is this normal? There are about 10-20 of them listed in my Comodo firewall active connections. They seem to only open up when I open my web browser. I know this is a normal process, but not with so many outbound connections. I also read that svchost only needs access to port 53. Is this true, and how do I fix this?
     
  2. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Is your browser home page set to "about:blank"?
    If not, multiple concurrent connections at startup shouldn't be surprising.
    (20 does sound excessive. Have you 'tweaked' your TCP-related registry settings?)

    Do you know which browser extensions are installed, and are enabled?
    In addition to the 'start' webpage loading when you open a browser instance, some of your browser extensions may be 'calling home' at each launch.

    ====================

    "svchost only needs access to port 53. Is this true, and how do I fix this."

    Fix? If you mean 'tighten'...

    you would alter the policy rules for svchost.exe
    Comodo interface: "Firewall" tab } "Advanced" button } Network Security Policy

    double-click the svchost entry, choose "use a custom policy"

    first rule: allow TCP/UDP (perhaps just UDP) out where dest.port is 53
    second rule: ask (or deny, your call) out for any TCP/UDP

    even tighter:
    enter the IPs for your primary/secondary DNS servers as the only permitted destination IPs within first rule

    even tighter:
    you could install a local DNS caching proxy (DNSKong, or TreeWalkDNS) and set your first rule for svchost (and ALL processes) so that requests ONLY to 127.0.0.1:53 are permitted
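    The three tiers above (any resolver, only your ISP's resolvers, only a local caching proxy) are ordered "first match wins" rules. The script below is an added example, not Comodo's rule engine or anything from this thread's posters; it models those rules and runs them over constructed connection rows shaped like an "active connections" view. The image path, the 203.0.113.x / 198.51.100.x addresses (documentation ranges) and the `Conn`/`Rule` names are all assumptions made for the example.

```python
"""Outbound-policy check for svchost.exe, modelled on the three tiers described
in the post above (added example; not Comodo's rule engine or export format)."""
from dataclasses import dataclass

# Expected image path of the real Service Host on a 32-bit XP/Vista install
# (assumption for the example: Windows is installed under C:\Windows).
SVCHOST_PATH = r"c:\windows\system32\svchost.exe"


@dataclass(frozen=True)
class Conn:
    image: str       # full path of the process that owns the socket
    proto: str       # "UDP" or "TCP"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str           # "allow", "ask" or "deny"
    protos: frozenset     # protocols the rule covers
    dst_ips: frozenset    # empty == any destination address
    dst_ports: frozenset  # empty == any destination port


def matches(rule, conn):
    return (conn.proto.upper() in rule.protos
            and (not rule.dst_ips or conn.dst_ip in rule.dst_ips)
            and (not rule.dst_ports or conn.dst_port in rule.dst_ports))


def decide(conn, rules):
    """First matching rule wins, as in an ordered per-application policy.
    If nothing matches, the firewall would prompt, so 'ask' is the fallback."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return "ask"


def dns_policy(resolvers=(), default="ask"):
    """Build the two-rule policy from the post: rule 1 allows UDP out to port 53
    (optionally only to the listed resolver IPs), rule 2 catches everything else."""
    return [
        Rule("allow", frozenset({"UDP"}), frozenset(resolvers), frozenset({53})),
        Rule(default, frozenset({"TCP", "UDP"}), frozenset(), frozenset()),
    ]


# Tier 1: UDP to any resolver.  Tier 2: only your ISP's resolvers
# (203.0.113.x are documentation addresses standing in for real ones).
# Tier 3: only a local caching proxy on 127.0.0.1, everything else denied.
ANY_RESOLVER = dns_policy()
ISP_RESOLVERS = dns_policy(["203.0.113.1", "203.0.113.2"])
LOCAL_PROXY_ONLY = dns_policy(["127.0.0.1"], default="deny")


def audit(conns, rules):
    """Decide every svchost.exe connection (matched on its exact image path);
    other images are out of scope.  Returns (decisions, counts per decision)."""
    decisions = [(c, decide(c, rules)) for c in conns
                 if c.image.lower() == SVCHOST_PATH]
    counts = {"allow": 0, "ask": 0, "deny": 0}
    for _, d in decisions:
        counts[d] += 1
    return decisions, counts


# Constructed sample rows (not real captured data).
SAMPLE = [
    Conn(r"C:\WINDOWS\system32\svchost.exe", "UDP", "203.0.113.1", 53),   # ISP resolver
    Conn(r"C:\WINDOWS\system32\svchost.exe", "UDP", "198.51.100.7", 53),  # some other resolver
    Conn(r"C:\WINDOWS\system32\svchost.exe", "UDP", "127.0.0.1", 53),     # local caching proxy
    Conn(r"C:\WINDOWS\system32\svchost.exe", "TCP", "198.51.100.7", 80),  # not DNS at all
    Conn(r"C:\Program Files\Browser\browser.exe", "TCP", "198.51.100.7", 80),  # other image
]

if __name__ == "__main__":
    for name, rules in [("any resolver", ANY_RESOLVER),
                        ("ISP resolvers only", ISP_RESOLVERS),
                        ("local proxy only", LOCAL_PROXY_ONLY)]:
        _, counts = audit(SAMPLE, rules)
        print(f"{name:20} {counts}")
```

    Running it shows how each tightening step turns "allow" into "ask" or "deny" for the same traffic: under the third tier only the 127.0.0.1:53 row survives, which is the point of putting a caching proxy in front of svchost.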
     
  3. jason68

    jason68 Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    4
    Wow, thank you, thank you.

    I do have a few browser add-ons plus a real-time AV web scanner. I will do as you suggested.

    Any more info on the reg tweaks?
     
  4. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    "reg tweaks", as in: a couple of HowTo guides & trying-to-be-helpful utilities have circulated which mess with your registry settings toward optimizing your xfer speeds... but the tweaks can produce detrimental rather than optimal results. One of the reputedly helpful tweaks was to set a high number of simultaneous half-open connections. (Arguably, reuse of existing connections is usually more efficient.) If you haven't 'messed with' the registry settings in this way, don't worry about it.
     
  5. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    814
    I have 19 after 30 minutes of safe browsing on a malware-free four day old installation of Vista. No problem.
     
  6. jason68

    jason68 Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    4
    FWIW the connections are all on ports in the 50,000 - 60,000 range. I just read in another forum that that may indicate a malware infection. I ran MBAM, SAS, and Avast and none of them detected anything. The destination IP is always the same and I think it might be my ISP, but I don’t know if I’m reading that correctly or if my ISP is showing up simply because it's the same ISP the destination IP is using. I haven’t yet tightened my policy but will do so once I figure this all out.
     
  7. jason68

    jason68 Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    4
    Hmmm… I’m reading conflicting things on ports in that range. I’m still on XP SP3. The full path shows that svchost.exe is in the proper location (system32\) so it's likely not malware. I’m probably just being paranoid.
     
  8. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Instead of sitting by, worrying & guessing, fire up WireShark and peek inside the packets.
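    What "peeking inside" should confirm for the traffic discussed in this thread is that svchost's UDP/53 datagrams are ordinary DNS queries and answers. The decoder below is an added example, not from inka or from Wireshark; it parses the DNS message format (header, question, answer with a compression pointer) over two constructed datagrams, so you can see which fields a capture exposes. The `example.com` name, the transaction ID and the 203.0.113.10 answer are constructed values.

```python
"""Minimal DNS message decoder (added example, constructed input): shows what a
UDP/53 query and its response from a Service Host look like on the wire."""
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def read_name(msg, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just after the name in the *original* stream)."""
    labels, seen, jumped, end = [], set(), False, None
    while True:
        if offset in seen:                      # guard against pointer loops
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # two-byte pointer, top bits 11
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                # reader resumes after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:                         # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_dns(msg):
    """Parse header, question section and answer section of one DNS datagram."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:           # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def describe(msg):
    """One-line summary of the kind a capture tool would show."""
    d = parse_dns(msg)
    name, qtype, _ = d["questions"][0]
    if not d["is_response"]:
        return f"query {d['id']:#06x}: {name} {QTYPE_NAMES.get(qtype, qtype)}"
    answer = ", ".join(f"{rdata} (TTL {ttl})" for _, _, ttl, rdata in d["answers"])
    return f"response {d['id']:#06x} rcode {d['rcode']}: {name} -> {answer}"


# Constructed datagrams: an A query for example.com and its answer.
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + QUESTION
RESPONSE = (bytes.fromhex("1234 8180 0001 0001 0000 0000") + QUESTION
            + b"\xc0\x0c"                      # name: pointer back to offset 12
            + b"\x00\x01\x00\x01"              # type A, class IN
            + b"\x00\x00\x01\x2c"              # TTL 300
            + b"\x00\x04" + bytes([203, 0, 113, 10]))

if __name__ == "__main__":
    print(describe(QUERY))
    print(describe(RESPONSE))
```

    A datagram on UDP/53 that does not decode this way, or whose questions are for names you never resolved, is what would justify further digging; plain queries for the sites the browser is loading are the expected picture.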
     