Windows 11: What processes necessarily need connection or access to the network?

Discussion in 'other firewalls' started by Decopi, Apr 10, 2022.

  1. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    Then have fun with experiments. Or do you think we got our knowledge with breast milk?
    Gambling around creates more knowledge than asking.
     
  2. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    So true.
     
  3. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    ymmd
     
  4. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    simplewall might also be a good fit if you're looking for a "second layer" that's effective, yet you can set it and forget it after downloading.
     
  5. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thanks!
     
  6. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    Maybe the thread is dead, but I wanted to add something.
    Services that run under svchost.exe netsvcs include BITS (Background Intelligent Transfer Service), Schedule (Task Scheduler), Themes, and iphlpsvc (IP Helper). IP Helper is for transition technology scenarios, not needed imo. Diagnostic data can be sent via svchost, and it's a shared process (problem).
    Typically, though, svchost does not need to be on for automatic updates in SimpleWall; it's enough that you set blocklist > Microsoft Update > Allow. Sometimes svchost is needed and you need to re-enable svchost; sometimes is the keyword.
    Unfortunately, science (apart from cybersecurity, obviously) does not go well with privacy and security. Most scientists allow remote processes, and it's mind-blowing how they don't care; even the programmes they use are difficult to secure (e.g. Linux subsystem and bash shell), manage and harden. It's cool that you care.
     
    Last edited: May 10, 2022
  7. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thank you always for your help.

    In my tests, once the firewall software is set to "block all", and after allowing network access only to a few trusted apps/programs, svchost remains basically the only piece that really needs firewall attention. That's the reason I'm testing firewalls that allow rules for svchost processes filtered by service/program names.

    It's a fact that 99% of Windows processes are going to work fine without network access. And as a workaround, if network access is allowed to these processes once a month, probably everything is going to work perfectly (updates, time, etc.). The problem is those trusted apps/programs needing svchost (or malicious scripts exploiting svchost). But based on my tests, I'm well confident that firewall software with rules can manage 90% of these problems.

    I'm not looking for 100%. And I don't expect that a firewall will be the ultimate solution for privacy/security. A firewall is another layer. But what I learnt from this experience is that hardening the firewall is extremely useful for privacy/security. I have the feeling that firewalls are undervalued (or users are too lazy and don't want to invest time learning how to harden firewalls).
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    Why should I look for hardening when all gears are working together like a charm? And the mass of users use Windows Firewall with no changes. I can create scenarios where malware is able to abuse this or that process/file, but in such cases all other preliminaries have already failed, and that's a lot. I do not need to harden a firewall while the rest of my system got infected. And in that case you can be sure that malware will find its way to disable Windows Firewall. Any questions yet?
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    That depends on the malware, but generally speaking, a simple script infects the PC and then downloads a payload from the internet. Many known attacks or ransomware could have been easily stopped by restricting access at that point.
    Merely blocking Office and PowerShell would do, but in the case of allowed or hijacked apps, restricting per IP ranges could help as well.

    Indeed, just setting up svchost.exe is tiresome, but once done, it is a breeze.
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    I do not need any infected file, only a naive thinking user ;)
    https://www.bleepingcomputer.com/ne...ws-11-upgrade-installs-info-stealing-malware/

    Is performed how? "Script" is a widespread term.
    Access is futile; just prevent the script. This is one step before.
    How do you know what to block or not? How do you decide when a computer got infected?
    Blocking PS is ok; it does not need web, maybe LAN.
    Windows Firewall preset is: block incoming where no rule, allow outgoing anyway.

    But you are still steps too late. You need to limit/control the input/incoming data. Some users are still clicking like hell on any bling-bling, and in such cases there exists no recipe. Those who think about a security concept have already won.
     
  11. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Please, if possible, I would still like to receive your answer to my message of Apr 27, 2022.
    As I wrote that day, I have the feeling you're the person I'm looking for. Reading your old posts in other forums, I have the impression you have already walked all the way I'm starting to walk.
    And I don't want to reinvent the wheel.
    So, please, it'll be amazing if you can share in detail how you configured your firewall, especially svchost processes + trusted CDN and MS servers, IP + port limits and ranges, DNS to DNS servers and all the relevant info.
    I know that my request may take you some time to write. So, if you can't or don't want to do that, no problem, it's fine, I understand.
    Thanks in advance!
     
  12. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    I mostly pay attention to processes that run nonstop or can be easily exploited, so I do not tinker much with occasional apps like streamer software and such.
    DNS is fairly simple: you allow only the IPs of your DNS servers, preferably encrypted, so DoH via 443 or DoT using a designated port, so you can block UDP entirely.
    As for the browser, Discord, and cloud apps like Icedrive/OneDrive, no port 80 is allowed, to avoid unencrypted connections. Also only the IP ranges which are really needed.

    Svchost is a little tiresome to set up, but once done, it will keep working as expected; there are only so many IP ranges they can use. You can not really use my rules, because it also depends on your location. I am in the EU, so it mostly connects to the UK, Germany, Austria and such, so you need to create your own rules. If you are using just Windows Firewall, then TCP UDP Watch is a great helper; I used it a lot along with IP Info. I have recently started fresh, so I am re-creating my rules, because MS started to distribute Windows updates via 443 and I hoped that it would be the end of 80. Unfortunately, not really.

    I use Binisoft WFC, but rules can be easily extracted as WD rules.
    Code:
    Name    Group    Profile    Enabled    Action    Override    Program    Local Address    Remote Address    Protocol    Local Port    Remote Port    Authorized Computers    Authorized Local Principals    Local User Owner    Application Package
    (genshinimpact.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\genshin impact\genshin impact game\genshinimpact.exe    192.168.9.2    Any    UDP    Any    1025-65535    Any    Any    Any    Any
    (genshinimpact.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\genshin impact\genshin impact game\genshinimpact.exe    192.168.9.2    Any    TCP    Any    80, 443, 8888    Any    Any    Any    Any
    ABNotify.exe (abnotify.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\aomei(1)\abnotify.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    AMD Chipset Software (setup.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\amd\chipset_software\qt_dependencies\setup.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    AOMEI Backupper (backupper.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\aomei(1)\backupper.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    AOMEI Backupper Schedule task service (abservice.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\aomei(1)\abservice.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Audials (audialscentennial.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\windowsapps\audialsag.audialsplay_2022.0.22600.0_x86__3eby6px24ctcy\audials\audialscentennial.exe    192.168.9.2    Any    TCP    Any    80, 443, 1025-65535    Any    Any    Any    Any
    Audials (audialscentennial.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\windowsapps\audialsag.audialsplay_2022.0.22600.0_x86__3eby6px24ctcy\audials\audialscentennial.exe    192.168.9.2    224.0.0.251    UDP    5353    5353    Any    Any    Any    Any
    Autostart program viewer (autoruns64.exe)    Windows Firewall Control    All    Yes    Block    No    D:\onedrive\soft\windows repair toolbox\downloads\autoruns\autoruns64.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Background Task Host (backgroundtaskhost.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\backgroundtaskhost.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Consent UI for administrative applications (consent.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\windows\system32\consent.exe    192.168.9.2    23.32.0.0-23.67.255.255, 104.16.0.0-104.31.255.255, 172.64.0.0-172.71.255.255    TCP    Any    80    Any    Any    Any    Any
    Consent UI for administrative applications (consent.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\consent.exe    Any    93.184.220.29    TCP    Any    80    Any    Any    Any    Any
    cpuz_x64.exe (cpuz_x64.exe)    Windows Firewall Control    All    Yes    Block    No    D:\OneDrive\Soft\Windows Repair Toolbox\Downloads\cpuz\cpuz_x64.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Creative.SBCommand (creative.sbcommand.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\creative\sound blaster command\creative.sbcommand.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Discord (discord.exe)    Windows Firewall Control    All    Yes    Block    No    C:\users\tairi\appdata\local\discord\app-1.0.9004\discord.exe    Any    Any    TCP    Any    80    Any    Any    Any    Any
    Discord (discord.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\users\tairi\appdata\local\discord\app-1.0.9004\discord.exe    192.168.9.2    13.200.0.0-13.239.255.255, 52.84.0.0-52.95.255.255, 65.8.0.0-65.11.255.255, 99.85.128.0-99.87.191.255, 151.101.0.0-151.101.255.255, 162.158.0.0-162.159.255.255, 199.232.0.0-199.232.255.255    TCP    Any    443    Any    Any    Any    Any
    Discord (discord.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\users\tairi\appdata\local\discord\app-1.0.9004\discord.exe    192.168.9.2    Any    UDP    Any    443, 1025-65535    Any    Any    Any    Any
    Discord (discord.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\users\tairi\appdata\local\discord\app-1.0.9004\discord.exe    127.0.0.1    127.0.0.1    TCP    Any    Any    Any    Any    Any    Any
    DNS Client (svchost.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\svchost.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any
    DNS Client (svchost.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\windows\system32\svchost.exe    192.168.9.2    9.9.9.9, 45.90.28.91, 45.90.30.91, 149.112.112.112    TCP    Any    443    Any    Any    Any    Any
    EAC_MW_klient (eac_mw_klient.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files (x86)\eac mw klient\eac_mw_klient.exe    192.168.9.2    213.81.150.0-213.81.150.255    TCP    Any    443    Any    Any    Any    Any
    Euro Truck Simulator 2 - Steam (eurotrucks2.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\euro truck simulator 2\bin\win_x64\eurotrucks2.exe    127.0.0.1    127.0.0.1    TCP    Any    4455    Any    Any    Any    Any
    Euro Truck Simulator 2 - Steam (eurotrucks2.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\euro truck simulator 2\bin\win_x64\eurotrucks2.exe    192.168.9.2    Any    TCP    Any    80, 443    Any    Any    Any    Any
    Euro Truck Simulator 2 - Steam (eurotrucks2.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\euro truck simulator 2\bin\win_x64\eurotrucks2.exe    192.168.9.2    Any    UDP    Any    1025-65535    Any    Any    Any    Any
    genshinimpact.exe (genshinimpact.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\genshin impact\genshin impact game\genshinimpact.exe    192.168.9.2    Any    TCP    Any    8999    Any    Any    Any    Any
    HiBitUninstaller-Portable.exe (HiBitUninstaller-Portable.exe)    Windows Firewall Control    All    Yes    Block    No    D:\OneDrive\Soft\Windows Repair Toolbox\Downloads\Custom Tools\Added Custom Tools\HiBitUninstaller-Portable.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Host Process for Windows Tasks (taskhostw.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\taskhostw.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    HWMonitor_x64.exe (HWMonitor_x64.exe)    Windows Firewall Control    All    Yes    Block    No    D:\OneDrive\Soft\Windows Repair Toolbox\Downloads\HWMonitor\HWMonitor_x64.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Icedrive (icedrive.exe)    Windows Firewall Control    All    Yes    Block    No    Z:\temp\icedriveportable\icedrive.exe    Any    62.168.125.174    TCP    Any    Any    Any    Any    Any    Any
    Icedrive (icedrive.exe)    Windows Firewall Control    All    Yes    Allow    No    Z:\temp\icedriveportable\icedrive.exe    192.168.9.2    37.58.48.0-37.58.55.255, 37.58.56.0-37.58.63.255, 46.165.192.0-46.165.255.255, 46.165.216.0-46.165.223.255, 46.165.240.0-46.165.247.255, 78.47.10.120-78.47.10.127, 78.47.27.152-78.47.27.159, 78.159.96.0-78.159.103.255, 78.159.112.0-78.159.115.255, 78.159.96.0-78.159.127.255, 84.16.224.0-84.16.255.255, 91.109.16.0-91.109.23.255, 104.16.0.0-104.31.255.255, 116.202.0.0-116.203.255.255, 172.64.0.0-172.71.255.255, 172.217.0.0-172.217.255.255, 178.162.192.0-178.162.199.255, 178.162.200.0-178.162.205.191, 178.162.206.0-178.162.207.255, 178.162.208.0-178.162.215.255, 178.162.216.0-178.162.219.255, 216.58.192.0-216.58.223.25    TCP    Any    443    Any    Any    Any    Any
    Icedrive (icedrive.exe)    Windows Firewall Control    All    Yes    Block    No    Z:\temp\icedriveportable\icedrive.exe    Any    142.250.0.0-142.251.255.255    TCP    Any    443    Any    Any    Any    Any
    IPNetInfo (ipnetinfo.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\onedrive\soft\windows repair toolbox\downloads\nirlauncher\nirsoft\ipnetinfo.exe    192.168.9.2    Any    TCP    Any    43    Any    Any    Any    Any
    iw5sp.exe (iw5sp.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\call of duty modern warfare 3\iw5sp.exe    192.168.9.2    Any    UDP    Any    3074    Any    Any    Any    Any
    iw5sp.exe (iw5sp.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\call of duty modern warfare 3\iw5sp.exe    192.168.9.2    Any    TCP    Any    3074    Any    Any    Any    Any
    iw5sp.exe (iw5sp.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\call of duty modern warfare 3\iw5sp.exe    192.168.9.2    239.255.255.250    UDP    Any    1900    Any    Any    Any    Any
    LibreOffice (soffice.bin)    Windows Firewall Control    All    Yes    Block    No    C:\program files\libreoffice\program\soffice.bin    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Local Security Authority Process (lsass.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\lsass.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Macrorit Partition Expert (dm.exe)    Windows Firewall Control    All    Yes    Block    No    D:\onedrive\soft\windows repair toolbox\downloads\macrorit\mde-free-portable\x64\dm.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Microsoft Edge (msedge.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\microsoft\edge\application\msedge.exe    Any    Any    UDP    Any    Any    Any    Any    Any    Any
    Microsoft Edge (msedge.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\microsoft\edge\application\msedge.exe    Any    Any    TCP    Any    1-442, 444-65535    Any    Any    Any    Any
    Microsoft Edge (msedge.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files (x86)\microsoft\edge\application\msedge.exe    192.168.9.2    Any    TCP    Any    443    Any    Any    Any    Any
    Microsoft Edge Update (microsoftedgeupdate.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe    192.168.9.2    2.16.2.0-2.16.3.255, 8.224.0.0-8.241.255.255, 20.33.0.0-20.128.255.255, 23.32.0.0-23.67.255.255, 40.74.0.0-40.125.127.255, 52.145.0.0-52.191.255.255    TCP    Any    443    Any    Any    Any    Any
    Microsoft Edge WebView2 (msedgewebview2.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\windowsapps\audialsag.audialsplay_2022.0.22600.0_x86__3eby6px24ctcy\audials\webview2\msedgewebview2.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Microsoft OneDrive (onedrive.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\microsoft onedrive\onedrive.exe    192.168.9.2    Any    TCP    Any    80    Any    Any    Any    Any
    Microsoft OneDrive (onedrive.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\microsoft onedrive\onedrive.exe    192.168.9.2    2.23.0.0-2.23.15.255, 13.64.0.0-13.107.255.255, 20.33.0.0-20.128.255.255, 20.150.0.0-20.153.255.255, 20.180.0.0-20.191.255.255, 20.192.0.0-20.255.255.255, 23.192.0.0-23.223.255.255, 40.74.0.0-40.125.127.255, 40.126.0.0-40.126.63.255, 51.10.0.0-51.13.255.255, 51.103.0.0-51.105.255.255, 51.132.0.0-51.132.255.255, 52.96.0.0-52.115.255.255, 52.132.0.0-52.143.255.255, 52.145.0.0-52.191.255.255, 52.224.0.0-52.255.255.255, 192.229.128.0-192.229.255.255    TCP    Any    443    Any    Any    Any    Any
    Microsoft OneDriveFile Co-Authoring Executable (filecoauth.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\microsoft onedrive\22.089.0426.0003\filecoauth.exe    Any    93.184.220.29    TCP    Any    80    Any    Any    Any    Any
    Microsoft OneDriveFile Co-Authoring Executable (filecoauth.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\microsoft onedrive\22.089.0426.0003\filecoauth.exe    192.168.9.2    13.64.0.0-13.107.255.255, 20.33.0.0-20.128.255.255, 20.180.0.0-20.191.255.255, 40.74.0.0-40.125.127.255, 51.103.0.0-51.105.255.255, 51.132.0.0-51.132.255.255, 52.145.0.0-52.191.255.255, 104.40.0.0-104.47.255.255, 104.208.0.0-104.215.255.255    TCP    Any    443    Any    Any    Any    Any
    Microsoft OneDriveFileSyncHelper (filesynchelper.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\microsoft onedrive\22.089.0426.0003\filesynchelper.exe    Any    93.184.220.29    TCP    Any    80    Any    Any    Any    Any
    Microsoft SharePoint (microsoft.sharepoint.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\microsoft onedrive\22.089.0426.0003\microsoft.sharepoint.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Microsoft WWA Host (wwahost.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\windows\system32\wwahost.exe    192.168.9.2    13.64.0.0-13.107.255.255, 20.180.0.0-20.191.255.255, 52.224.0.0-52.255.255.255, 192.229.128.0-192.229.255.255    TCP    Any    443    Any    Any    Any    Any
    Microsoft WWA Host Netflix    Windows Firewall Control    All    Yes    Allow    No    C:\windows\system32\wwahost.exe    192.168.9.2    93.184.220.29    TCP    Any    80    Any    Any    Any    Any
    Microsoft WWA Host Netflix    Windows Firewall Control    All    Yes    Allow    No    C:\windows\system32\wwahost.exe    192.168.9.2    3.128.0.0-3.255.255.255, 18.32.0.0-18.255.255.255, 23.192.0.0-23.223.255.255, 34.192.0.0-34.255.255.255, 35.152.0.0-35.183.255.255, 40.126.0.0-40.126.63.255, 45.57.0.0-45.57.127.255, 52.0.0.0-52.79.255.255, 52.192.0.0-52.223.191.255, 54.64.0.0-54.95.255.255, 54.144.0.0-54.221.255.255, 54.224.0.0-54.255.255.255, 62.168.125.0-62.168.125.255, 104.16.0.0-104.31.255.255, 104.64.0.0-104.127.255.255, 62.168.125.82    TCP    Any    443    Any    Any    Any    Any
    Microsoft.Msn.Weather.exe (microsoft.msn.weather.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\windowsapps\microsoft.bingweather_4.53.33420.0_x64__8wekyb3d8bbwe\microsoft.msn.weather.exe    192.168.9.2    93.184.220.29    TCP    Any    80    Any    Any    Any    Any
    Microsoft.Msn.Weather.exe (microsoft.msn.weather.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\windowsapps\microsoft.bingweather_4.53.33420.0_x64__8wekyb3d8bbwe\microsoft.msn.weather.exe    192.168.9.2    52.132.0.0-52.143.255.255, 52.224.0.0-52.255.255.255, 104.64.0.0-104.127.255.255, 204.79.195.0-204.79.197.255    TCP    Any    443    Any    Any    Any    Any
    MoUSO Core Worker Process (mousocoreworker.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\windows\uus\amd64\mousocoreworker.exe    192.168.9.2    51.10.0.0-51.13.255.255    TCP    Any    443    Any    Any    Any    Any
    NT Kernel & System (System)    Windows Firewall Control    All    Yes    Block    No    System    Any    Any    Any    Any    Any    Any    Any    Any    Any
    PotPlayer (potplayermini64.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\daum\potplayer\potplayermini64.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Process Hacker (processhacker.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\process hacker\processhacker.exe    192.168.9.2    1.1.1.1, 74.125.34.46    TCP    Any    443    Any    Any    Any    Any
    Radeon Software: Host Application (radeonsoftware.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\amd\cnext\cnext\radeonsoftware.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Runtime Broker (runtimebroker.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\runtimebroker.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Settings (systemsettings.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\windows\immersivecontrolpanel\systemsettings.exe    192.168.9.2    20.33.0.0-20.128.255.255, 51.10.0.0-51.13.255.255, 52.145.0.0-52.191.255.255    TCP    Any    443    Any    Any    Any    Any
    Settings (systemsettings.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\immersivecontrolpanel\systemsettings.exe    Any    Any    TCP    Any    80    Any    Any    Any    Any
    Settings (systemsettings.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\immersivecontrolpanel\systemsettings.exe    Any    93.184.220.29    TCP    Any    80    Any    Any    Any    Any
    SIH Client (sihclient.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\windows\system32\sihclient.exe    192.168.9.2    20.33.0.0-20.128.255.255, 40.74.0.0-40.125.127.255, 52.224.0.0-52.255.255.255    TCP    Any    443    Any    Any    Any    Any
    SSD ToolBox (ssdtoolbox.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\adata\ssd toolbox\ssdtoolbox.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Standalone Updater (onedrivestandaloneupdater.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files\microsoft onedrive\onedrivestandaloneupdater.exe    Any    93.184.220.29    TCP    Any    80    Any    Any    Any    Any
    Standalone Updater (onedrivestandaloneupdater.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\microsoft onedrive\onedrivestandaloneupdater.exe    192.168.9.2    2.23.0.0-2.23.15.255, 13.64.0.0-13.107.255.255, 20.33.0.0-20.128.255.255, 20.180.0.0-20.191.255.255, 52.132.0.0-52.143.255.255, 104.208.0.0-104.215.255.255, 184.24.0.0-184.31.255.255    TCP    Any    443    Any    Any    Any    Any
    Steam (steam.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steam.exe    192.168.9.2    Any    TCP    Any    80, 443, 8384, 27015-27050    Any    Any    Any    Any
    Steam (steam.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steam.exe    192.168.9.2    Any    UDP    Any    1025-65535    Any    Any    Any    Any
    Steam Client Service (steamservice.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\common files\steam\steamservice.exe    Any    Any    TCP    Any    80    Any    Any    Any    Any
    Steam Client WebHelper (steamwebhelper.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\bin\cef\cef.win7x64\steamwebhelper.exe    192.168.9.2    Any    UDP    Any    443    Any    Any    Any    Any
    Steam Client WebHelper (steamwebhelper.exe)    Windows Firewall Control    All    Yes    Block    No    D:\steam\bin\cef\cef.win7x64\steamwebhelper.exe    Any    Any    TCP    Any    80    Any    Any    Any    Any
    Steam Client WebHelper (steamwebhelper.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\bin\cef\cef.win7x64\steamwebhelper.exe    192.168.9.2    Any    TCP    Any    443    Any    Any    Any    Any
    Store (winstore.app.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\windowsapps\microsoft.windowsstore_22204.1401.3.0_x64__8wekyb3d8bbwe\winstore.app.exe    192.168.9.2    2.16.2.0-2.16.3.255, 2.23.0.0-2.23.15.255, 13.64.0.0-13.107.255.25, 23.192.0.0-23.223.255.255, 40.74.0.0-40.125.127.255, 104.64.0.0-104.127.255.255, 104.208.0.0-104.215.255.255, 184.24.0.0-184.31.255.255    TCP    Any    443, 80    Any    Any    Any    Any
    svchost.exe    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\svchost.exe    Any    93.184.220.29    TCP    Any    80    Any    Any    Any    Any
    svchost.exe 443    Windows Firewall Control    All    Yes    Allow    No    C:\windows\system32\svchost.exe    Any    2.19.194.0-2.19.195.255, 2.23.0.0-2.23.15.255, 13.64.0.0-13.107.255.255, 20.33.0.0-20.128.255.255, 20.150.0.0-20.153.255.255, 20.180.0.0-20.191.255.255, 20.192.0.0-20.255.255.255, 23.0.0.0-23.15.255.255, 23.72.0.0-23.79.255.255, 23.192.0.0-23.223.255.255, 40.74.0.0-40.125.127.255, 40.126.0.0-40.126.63.255, 51.10.0.0-51.13.255.255, 51.103.0.0-51.105.255.255, 51.132.0.0-51.132.255.255, 52.96.0.0-52.115.255.255, 52.132.0.0-52.143.255.255, 52.145.0.0-52.191.255.255, 52.224.0.0-52.255.255.255, 104.64.0.0-104.127.255.255, 192.229.128.0-192.229.255.255    TCP    Any    443    Any    Any    Any    Any
    svchost.exe 80    Windows Firewall Control    All    Yes    Allow    No    C:\windows\system32\svchost.exe    Any    2.16.2.0-2.16.3.255, 8.244.0.0-8.255.255.255, 23.192.0.0-23.223.255.255, 67.24.0.0-67.31.255.255, 87.245.215.0-87.245.215.95, 84.53.161.0-84.53.161.255, 104.64.0.0-104.127.255.255, 168.61.0.0-168.63.255.255, 178.79.226.0-178.79.227.255, 209.197.0.0-209.197.31.255, 93.184.221.240    TCP    Any    80    Any    Any    Any    Any
    Tor Browser (firefox.exe)    Windows Firewall Control    All    Yes    Allow    No    Z:\desktop\tor browser\browser\firefox.exe    127.0.0.1    127.0.0.1    TCP    Any    1025-65535    Any    Any    Any    Any
    tor.exe (tor.exe)    Windows Firewall Control    All    Yes    Allow    No    Z:\desktop\tor browser\browser\torbrowser\tor\tor.exe    192.168.9.2    Any    TCP    Any    443, 1025-65535    Any    Any    Any    Any
    tor.exe (tor.exe)    Windows Firewall Control    All    Yes    Block    No    Z:\desktop\tor browser\browser\torbrowser\tor\tor.exe    Any    Any    TCP    Any    80    Any    Any    Any    Any
    TruckersMP Launcher (launcher.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\truckersmp launcher\launcher.exe    192.168.9.2    188.114.96.0-188.114.99.255, 104.21.64.74, 172.67.178.117    TCP    Any    80    Any    Any    Any    Any
    ui32.exe (ui32.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\wallpaper_engine\bin\ui32.exe    192.168.9.2    Any    TCP    Any    80, 443, 3000    Any    Any    Any    Any
    ui32.exe (ui32.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\wallpaper_engine\bin\ui32.exe    192.168.9.2    Any    UDP    Any    443    Any    Any    Any    Any
    updatetime_x64.exe (updatetime_x64.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\OneDrive\Soft\Windows Repair Toolbox\downloads\custom tools\added custom tools\updatetime_x64.exe    192.168.9.2    Any    UDP    Any    123    Any    Any    Any    Any
    webwallpaper32.exe (webwallpaper32.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\wallpaper_engine\bin\webwallpaper32.exe    192.168.9.2    Any    UDP    Any    443    Any    Any    Any    Any
    webwallpaper32.exe (webwallpaper32.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\steam\steamapps\common\wallpaper_engine\bin\webwallpaper32.exe    192.168.9.2    Any    TCP    Any    443    Any    Any    Any    Any
    Windows Explorer (explorer.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\explorer.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Windows host process (Rundll32) (rundll32.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\rundll32.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Windows_Repair_Toolbox.exe (Windows_Repair_Toolbox.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\OneDrive\Soft\Windows Repair Toolbox\Windows_Repair_Toolbox.exe    192.168.9.2    Any    TCP    Any    80, 443    Any    Any    Any    Any
    winget.exe (winget.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\windowsapps\microsoft.desktopappinstaller_1.18.692.0_x64__8wekyb3d8bbwe\winget.exe    192.168.9.2    2.18.160.0-2.18.175.255, 2.23.0.0-2.23.15.255, 23.192.0.0-23.223.255.255, 104.64.0.0-104.127.255.255, 152.176.0.0-152.199.255.255, 184.24.0.0-184.31.255.255    TCP    Any    443    Any    Any    Any    Any
    Wise Disk Cleaner (wisediskcleaner.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\wise\wise disk cleaner\wisediskcleaner.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    Wise Registry Cleaner (wiseregcleaner.exe)    Windows Firewall Control    All    Yes    Block    No    C:\program files (x86)\wise\wise registry cleaner\wiseregcleaner.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    WizTree64.exe (WizTree64.exe)    Windows Firewall Control    All    Yes    Block    No    D:\OneDrive\Soft\Windows Repair Toolbox\Downloads\WizTree\WizTree64.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    WMI Provider Host (wmiprvse.exe)    Windows Firewall Control    All    Yes    Block    No    C:\windows\system32\wbem\wmiprvse.exe    Any    Any    Any    Any    Any    Any    Any    Any    Any
    XSplit Broadcaster (xsplit.core.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\program files\xsplit\broadcaster\xsplit.core.exe    192.168.9.2    Any    TCP    Any    443, 80, 1935    Any    Any    Any    Any
    XSplit Broadcaster (xsplit.core.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\Program Files\XSplit\Broadcaster\xsplit.core.exe    192.168.9.2    Any    UDP    Any    123    Any    Any    Any    Any
    XSplit Broadcaster (xsplit.core.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\Program Files\XSplit\Broadcaster\xsplit.core.exe    192.168.9.2    Any    ICMPv4    Any    Any    Any    Any    Any    Any
    XSplit Broadcaster (xsplit.core.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\Program Files\XSplit\Broadcaster\xsplit.core.exe    192.168.9.2    224.0.0.251    UDP    5353    5353    Any    Any    Any    Any
    XSplit_Plugin_Installer (xsplit_plugin_installer.exe)    Windows Firewall Control    All    Yes    Allow    No    C:\Program Files\XSplit\Broadcaster\xsplit_plugin_installer.exe    192.168.9.2    Any    TCP    Any    443    Any    Any    Any    Any
    zfgamebrowser.exe (zfgamebrowser.exe)    Windows Firewall Control    All    Yes    Allow    No    D:\genshin impact\genshin impact game\genshinimpact_data\plugins\zfgamebrowser.exe    192.168.9.2    Any    TCP    Any    443    Any    Any    Any    Any
    
     
  13. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Great help. Thank you!
    Of course, I can't use your settings, but thanks to your explanation I now have a better understanding of your logic. So, once again thank you for taking your time to share with me. Very useful explanation for me!
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,931
    I don't see anything special except a long IP table for several programs. But you are lucky that if one location is blocked, e.g. svchost will try another server. MS has spread its servers (CDN) all over the world ;)

    XSplit is using multicast; MC has a mask here like this: 224.0.0.252/30

    Subnetting and mask:
    https://www.elektronik-kompendium.de/sites/net/0907201.htm
    Windows Firewall is able to use it.

    e.g. 172.64.0.0-172.71.255.255
    is 172.64.0.0/16 (much shorter)

    Next time you'd better hide your local IP ;)

    127.0.0.1 is localhost.
    If you change 127.0.0.1 for localhost to another IP, then e.g. Discord will not work.
    So "localhost" is translated via the HOSTS file and does not need any IP in this case.

    The problem is that WFC does not tell you.
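    The post above points out that a first-last address range can usually be written far more compactly as a CIDR block, and that Windows Firewall accepts that notation. The following is an added example (not code from the thread or from Windows Firewall Control) that converts the "Remote Address" fields of the rule table quoted earlier between the two forms using only Python's standard library. It goes a little beyond the single range in the post: a range that does not line up with one prefix is split into the fewest prefixes that cover exactly the same hosts, and the reverse conversion shows which addresses a block such as 224.0.0.252/30 actually covers.

```python
"""Convert the 'Remote Address' field of a firewall rule between the
range form the exported table uses (a.b.c.d-e.f.g.h) and CIDR notation.

Added example, not code from the thread or from Windows Firewall Control.
Uses only the standard library; the sample fields below are copied from
the rule table quoted earlier in the thread.
"""
import ipaddress


def to_cidrs(field):
    """Return the CIDR blocks covering a comma-separated address field.

    Each entry may be a single host, an inclusive 'first-last' range or an
    existing CIDR block.  Ranges that do not align to a single prefix are
    split into the fewest prefixes that cover exactly the same hosts.
    """
    blocks = []
    for entry in (e.strip() for e in field.split(",") if e.strip()):
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in entry.split("-", 1))
            blocks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # A bare host becomes a /32 (or /128); a CIDR string is kept.
            blocks.append(ipaddress.ip_network(entry, strict=False))
    return [str(b) for b in blocks]


def to_range(cidr):
    """Inverse direction: the first and last address a CIDR block covers."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


# Constructed check values: Remote Address fields copied from the table.
SAMPLE_FIELDS = [
    "188.114.96.0-188.114.99.255, 104.21.64.74, 172.67.178.117",
    "2.18.160.0-2.18.175.255, 2.23.0.0-2.23.15.255, 23.192.0.0-23.223.255.255, "
    "104.64.0.0-104.127.255.255, 152.176.0.0-152.199.255.255, 184.24.0.0-184.31.255.255",
]

if __name__ == "__main__":
    for field in SAMPLE_FIELDS:
        print(field)
        print("  ->", ", ".join(to_cidrs(field)))
    print("224.0.0.252/30 covers", "-".join(to_range("224.0.0.252/30")))
```

    The 152.176.0.0-152.199.255.255 range from the winget rule is the instructive case: it is not a single power-of-two block, so it becomes 152.176.0.0/12 plus 152.192.0.0/13 rather than one prefix, which is exactly what the firewall would need as two entries.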
     
  15. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    Nothing useful needs svchost (I don't know of one thing); from update to update sometimes the OS needs an svchost connection, sometimes WMI (can be offline) and so on. I believe there are slight changes between iterations.
     
  16. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Please don't ask me "why" but depending on the firewall software, svchost needs TCP/UDP settings, otherwise apps/programs do not start.
    Also, svchost can be even weirder, (for example) in testing scenarios with the Windows DNS Client service disabled (svchost TCP/UDP requests multiply geometrically to different ports, and a lot of stuff stops working if svchost is not configured in the firewall software).

    I don't have enough know-how to explain why these things happen with svchost. I'm just starting to learn about firewall software and their rules.
    But in my learning process I'm getting a lot of help, even wrong answers are helping me a lot (showing what is useful/useless).
    Also, many of the firewall software I'm testing are open source, with friendly developers taking the time to help and teach me.
    So, I'm far from having all the answers, but the little I'm learning is being very useful.

    As I always say, the general idea is to find the minimum firewall configuration with the maximum security/privacy results. If such firewall configuration is feasible, then it'll be useful to me (I don't expect it to be universally useful to everyone). Perhaps there is no such configuration, perhaps svchost is impossible to be controlled by firewall software... but even in this case, any hardening of the firewall rules will be beneficial for my needs.
     
  17. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    I don't know one that requires an svchost Internet connection, I am sorry; nothing intrinsically useful for work and production (apart from what was mentioned).

    Windows update uses port 80 for HTTP and port 443 for HTTPS, the same as svchost

    Hence it's difficult to create rules for svchost. I suggest something like ESET, Norton or BlackFog to monitor svchost better, or shut that thing down unless you are updating (side-loading is an option too). In the newer OS releases binaries for svchost need to be signed and validated:
    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ServiceControlManager::SvchostProcessMitigationEnable
    Apart from that,
    in simplewall you can disable network access for browsers but use user rules instead and add rules for a particular app/browser (like Firefox), such as http and quick. One downside is that Jupyter Notebook will not work; maybe you use it as a researcher, so I thought it was worth mentioning.
    Best
     
    Last edited: May 18, 2022
  18. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    At present moment I'm testing different firewall software but with Windows DNS-client service disabled. I don't know "why", but empirically speaking, with DNS-client disabled I no longer needed any firewall rule for any svchost process.

    On the other hand, programs that previously didn't need rules for UDP, with DNS-client disabled I had to create many new UDP IN/OUT rules.

    Part of the problem here is myself and my ignorance related to rules for the firewall.
    Also, the help I received in this and other forums about "minimum firewall rules"... hummmm, it seems to me that they're not that minimal. Many programs are asking me for UDP IN/OUT, or different "remote addresses", different ports etc. In short, even basic programs like browsers are requesting a huge variety of different types of connections; it's a salad of ports + addresses + protocols + etc... that I don't understand and can't standardize.
    Everything gets worse for me when Windows DNS-client is disabled, or when DNSCrypt is used with 127.0.0.1 etc. I do not have the level of knowledge to set firewall rules. I just don't know what to block or what to allow access.

    But changing subject, in another place I saw that you are testing WiseVector. I'm mentioning that because WiseVector is one of the software that I'm testing, including its firewall. If at any time, by chance you decide to test WiseVector firewall, please share with me the details of your rules (WiseVector firewall).

    Thank you
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    It is preferable to disable DNS Client to avoid DNS poisoning and other DNS vulnerabilities; unfortunately Windows 11 uses this service for DoH, so unless you use a 3rd-party app like DNSCrypt, you have to keep it.
    With the service disabled, each app makes its own DNS requests, but it should only need UDP Out via port 53.
    The advantage is that you have control over DNS; otherwise all DNS requests would be allowed within Windows.
    UDP is pretty much harmless, I usually allow UDP Out for ports 443,1025-65535. TCP has to be restricted and ICMP too, since it could be used by malware.
    There is hardly any reason to allow IN-bound traffic. Firefox uses TCP loopback, a bittorrent client might use it and some games, but it is not really that needed.
     
  20. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Exactly!
    Many years ago DNS-client was useful as a DNS cache. Nowadays it isn't needed anymore. And it became a privacy issue.

    Exactly, again!
    Many Windows processes only work with DNS-client enabled. Also many VPN programs need DNS-client enabled. In brief, enabled or disabled depends on user profile and user programs.

    Days ago when I disabled DNS-client I clearly saw that UDP out port 53 was the substitute for svchost in firewall rules.
    But day after day different programs started to request different UDP, in, out, ports etc. Some requests I blocked without noticeable consequences. But other requests when blocked they broke connections. This problem can be avoided by enabling DNS-client.
    It seems that svchost can be avoided in firewall rules if DNS-client is disabled, but then a lot of UDP in/out ports will appear. This is not a big issue for advanced users. But for average users, this is too complicated.
    Portmaster firewall Dev tried first the DNS-client disabled approach. But it causes many problems, so Portmaster firewall keeps DNS-client enabled.

    And also port 53, right?
    What about UDP in? Please, what's your opinion about programs requesting UDP in?

    I'm trying to use only port 443... found no big issues until now.

    For ICMP, what would be the best restriction using protocols, IN, OUT and ports?

    Pardon my ignorance, I don't know what loopback means.
    It's a headache for me to create a firewall rule for Firefox with DNS-client disabled. At startup FF requests dozens of different connections. I blocked everything keeping only TCP out 443 and UDP out 53.
     
  21. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Actually even Binisoft WFC requires it in order to show notifications; he added it to the requirements when I mentioned it.
    When using DoH or DoT, UDP Out via port 53 is not necessary, quite the opposite: malware could use it to make its own DNS requests, not to mention it is unencrypted, so I block it.
    I do not think I have ever enabled UDP In, but that may depend on network's configuration and apps.
    You are basically connecting to yourself, to your own PC. For FF within TOR, I use this.
     

    Attached Files:

  22. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    2,454
    Location:
    Romania
    Why would you think that malware will not use the same port 443 for phoning home?

    Correct. This is because otherwise the events logged by Windows Filtering Platform in Security log contain your local router IP instead of the remote IP address. You can disable DNS Client, but then notifications don't add much value since they will display connections from your local machine to your router.
     
  23. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Sure it can, but the majority still downloads payloads via port 80 at one point or another; besides, it is an unencrypted connection available for anyone to see en route. As a bonus, it can block some ads, cheapskates do not pay extra.
     
  24. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    I use DNSCrypt, but unfortunately a lot of programs request a lot of different UDP in, out, ports etc. But again, in my case this happens only with DNS-client disabled.
    Pick your poison! With DNS-client enabled, svchost will need firewall rules (and malware can use not just ports, but also svchost itself)... and with DNS-client disabled, settings will need a lot of different UDP in/out ports for individual programs.

    Thank you for your useful help (and for your attached image).
    Yeah, I can make things work by allowing TCP/UDP/ports etc. But my problem is to achieve what I called "the minimum settings with the maximum privacy/security", which means:
    - Block everything by default
    - Allow specific Windows processes (Windows update), and specific programs (using only TCP OUT 443 or UDP OUT 53 if needed).
    - Disable DNS-client
    - Use DNSCrypt
    It's in my context above where I'm having problems with programs like Firefox.

    If the solution is to open protocols and ports etc, then this may contradict my intention of "minimum settings with maximum".
    However, perhaps at the end I'll discover that my "minimum settings with maximum" demands some customization/exceptions.

    Also, if Portmaster Firewall + Binisoft + etc use DNS-client enabled, then I'm not going to reinvent the wheel, and considering my ignorance on the subject, perhaps the easy way for me will be to enable DNS-client + creating firewall rules for svchost.

    Changing subject:
    Binisoft's guide has a sort of "minimum settings". From there, users can start to allow specific programs. But this "allow" option is too generic because it opens all protocols, ports etc. For average users this is zero benefit because they/I don't know how to restrict protocols, ports etc. for each "allowed" program.
    All firewall software are similar here; all of them have the generic "allow" option for programs allowed by users. In the future it'll be nice to see different options for the "allow" option from firewall software, for example offering more restricted or generic "allow" options. Also it'd be nice to have firewall software dealing with DNS-client disabled.
     
    Last edited: May 19, 2022
  25. RioHN

    RioHN Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    117
    Location:
    Here
    This isn't quite true:

    https://www.google.com/search?q=malware uses udp

    You should be able to specify the remote IP for the rule too. eg Allow UDP with remote port 53 to your ISP's DNS server's IP only.
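    The thread's main tension is between a generic "allow this program" rule (any protocol, any address, any port) and the tighter rules discussed above: UDP Out 53 only when the DNS Client is off, and even then pinned to the resolver's address as the last post suggests. The following is an added example, not a tool from the thread or from Windows Firewall Control, that audits a rule export for exactly those patterns. The column order is an assumption modelled on the tab-separated table quoted earlier in the thread (a real export should be checked against its header row); the first four sample rows reuse entries from that table with the local address replaced by "Any", the last two are constructed, and 192.0.2.53 is a documentation-range placeholder for a resolver address.

```python
"""Audit exported firewall rules for over-broad 'Allow' entries.

Added example, not a tool from the thread or from Windows Firewall Control.
The column order below is an assumption modelled on the tab-separated rule
table quoted earlier in the thread; check it against the header row of a
real export before relying on it.  Rows marked 'constructed' are made up
for the demonstration.
"""
from dataclasses import dataclass, replace

# Assumed export layout: the first twelve columns of each row.
COLUMNS = ["name", "group", "profile", "enabled", "action", "flag",
           "program", "local_addr", "remote_addr", "protocol",
           "local_port", "remote_port"]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    program: str
    remote_addr: str
    protocol: str
    remote_port: str


def parse_rows(text):
    """Turn tab-separated export rows into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        fields = line.split("\t")
        if len(fields) < len(COLUMNS):
            raise ValueError(f"row has {len(fields)} columns, expected at least {len(COLUMNS)}")
        rec = dict(zip(COLUMNS, fields))
        rules.append(Rule(rec["name"], rec["action"], rec["program"],
                          rec["remote_addr"], rec["protocol"], rec["remote_port"]))
    return rules


def is_any(value):
    return value.strip().lower() == "any"


def audit(rules):
    """Return (rule name, finding) pairs for Allow rules that deserve a look."""
    findings = []
    for r in rules:
        if r.action.strip().lower() != "allow":
            continue  # Block rules are the default posture; nothing to tighten
        if is_any(r.protocol) and is_any(r.remote_addr) and is_any(r.remote_port):
            findings.append((r.name, "wide-open allow: any protocol, any remote address, any remote port"))
        elif r.protocol.strip().upper() == "UDP" and r.remote_port.strip() == "53" and is_any(r.remote_addr):
            findings.append((r.name, "plain DNS allowed to any remote address; pin it to the resolver's IP"))
        elif is_any(r.remote_addr) and is_any(r.remote_port):
            findings.append((r.name, f"{r.protocol.strip()} allowed to any remote address on any port"))
    return findings


def pin_remote(rule, addresses):
    """Return a copy of the rule restricted to the given remote addresses."""
    return replace(rule, remote_addr=", ".join(addresses))


def _row(*fields):
    return "\t".join(fields)


# Sample export: the first four rows reuse entries from the table quoted in
# the thread (local address replaced by 'Any'); the last two are constructed.
SAMPLE_EXPORT = "\n".join([
    _row("TruckersMP Launcher (launcher.exe)", "Windows Firewall Control", "All", "Yes", "Allow", "No",
         r"C:\program files\truckersmp launcher\launcher.exe", "Any",
         "188.114.96.0-188.114.99.255, 104.21.64.74, 172.67.178.117", "TCP", "Any", "80"),
    _row("updatetime_x64.exe (updatetime_x64.exe)", "Windows Firewall Control", "All", "Yes", "Allow", "No",
         r"D:\OneDrive\Soft\Windows Repair Toolbox\downloads\custom tools\added custom tools\updatetime_x64.exe",
         "Any", "Any", "UDP", "Any", "123"),
    _row("XSplit Broadcaster (xsplit.core.exe)", "Windows Firewall Control", "All", "Yes", "Allow", "No",
         r"C:\Program Files\XSplit\Broadcaster\xsplit.core.exe", "Any", "Any", "ICMPv4", "Any", "Any"),
    _row("Windows Explorer (explorer.exe)", "Windows Firewall Control", "All", "Yes", "Block", "No",
         r"C:\windows\explorer.exe", "Any", "Any", "Any", "Any", "Any"),
    # constructed: an app resolving names itself with the DNS Client service off
    _row("Example app (example.exe)", "Windows Firewall Control", "All", "Yes", "Allow", "No",
         r"C:\example\example.exe", "Any", "Any", "UDP", "Any", "53"),
    # constructed: the generic 'allow this program' a firewall UI typically creates
    _row("Example wide-open app (wideopen.exe)", "Windows Firewall Control", "All", "Yes", "Allow", "No",
         r"C:\example\wideopen.exe", "Any", "Any", "Any", "Any", "Any"),
])

SAMPLE_RULES = parse_rows(SAMPLE_EXPORT)
FINDINGS = audit(SAMPLE_RULES)

if __name__ == "__main__":
    for name, finding in FINDINGS:
        print(f"{name}: {finding}")
    # 192.0.2.53 is a documentation-range placeholder for the resolver's address.
    pinned = pin_remote(SAMPLE_RULES[4], ["192.0.2.53"])
    print("after pinning:", audit([pinned]))
```

    Running it flags three of the six rows: the ICMPv4 allow with no address or port restriction, the constructed UDP 53 rule to any address, and the constructed wide-open allow. The TruckersMP rule (TCP 80 to a fixed address set) and the NTP rule (UDP 123) pass, and once the DNS rule is pinned to the resolver's address it no longer produces a finding, which is the change the last post recommends.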
     