Following a cautious reformat, I’m finding myself delving more into net security, and as a matter of interest to me, I notice there is always one svchost with an IN conn running as a child to svchost.exe, with 74Bytes IN, and 78Bytes OUT. Previously this wasn’t the case, I have disabled some non-essential services in msconfig, but still 1 conn runs consistently.
Any advice on this, perhaps it can be disabled to see the effect?
Svchost.exe (Generic Host Process) typically loads a number of service DLLs and is itself called by services.exe during the boot process. Personally, I can’t ever remember seeing svchost loading an instance of itself.
You could try running the following command from a command prompt, it might provide a little additional insight:
I have a similar case that really concerns me if this is a threat: I am working on wireless, and I usually see lots of TCP IN connections (image attached). I am not an IT guy, but this makes me feel someone links to my laptop and there is some security compromise? Could anyone please help me on this? Thank you very much.
svchost for sure should be denied inbound in the general situation (some applications might need it on a LAN, or even on WAN, e.g. remote assistance software or rights to upload on a private FTP server).
On the other side, I don’t see why it should be globally allowed outbound: it is very inelegant to everyone if your computer is infected by some trojan/rootkit but, even if not, I see no valid reason for not monitoring the destination of your private data.
My idea of the situation is to monitor every single connection, in or out, and this goes by setting CIS to proactive and custom level, so as to be asked of whatever happens.
Some specific tools can monitor the running services, including svchost ones (of course, command line syntax as quoted works, but is quite unfriendly); Autoruns and Process Explorer are good basic software for that.
Last thing, one should never use msconfig to disable whatever service, but disable the service itself (and, when necessary, disable unneeded entries with Autoruns).
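The two questions raised above (which services a given svchost.exe instance hosts, and whether an svchost.exe has an unexpected parent) can be answered without third-party tools. The script below is an added example and is not from any poster in this thread; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell prompt so that every connection's owning process is visible. The parent check flags any svchost.exe not started by services.exe, which is the situation the first reply says it has never seen.

```powershell
# Added example (not from the thread): attribute each svchost.exe TCP listener or
# connection to the services hosted by that process, and flag svchost.exe instances
# whose parent is not services.exe. Assumes an elevated prompt on Windows 8+.

# 1. Index running services by the PID of the process hosting them.
#    Keys are cast to [int] so they match the Int32 PIDs used below.
$servicesByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $pid32 = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($pid32)) { $servicesByPid[$pid32] = @() }
        $servicesByPid[$pid32] += $_.Name
    }

# 2. Collect the PIDs of all svchost.exe instances.
$svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object { [int]$_.Id })

# 3. List every TCP endpoint owned by an svchost.exe, with the hosted service names.
#    A 'Listen' state is what allows an inbound ("IN") connection in the first place.
Get-NetTCPConnection |
    Where-Object { $svchostPids -contains [int]$_.OwningProcess } |
    ForEach-Object {
        $owner = [int]$_.OwningProcess
        [pscustomobject]@{
            State         = $_.State
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            PID           = $owner
            Services      = if ($servicesByPid.ContainsKey($owner)) { $servicesByPid[$owner] -join ', ' } else { '<none>' }
        }
    } |
    Sort-Object State, LocalPort |
    Format-Table -AutoSize

# 4. Every legitimate svchost.exe is started by services.exe; warn about any that is not,
#    so it can be inspected further with Process Explorer / Autoruns.
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'services.exe') {
        Write-Warning ("svchost.exe PID {0} has parent {1} (PID {2}); expected services.exe" -f `
            $p.ProcessId, $parentName, $p.ParentProcessId)
    }
}
```

Run it from an elevated PowerShell prompt; the table shows, for each svchost.exe endpoint, which services share that process, so an inbound connection can be traced to a concrete service (and, if unneeded, that service can be disabled with services.msc rather than msconfig). An svchost.exe whose hosted-service list is `<none>` or whose parent is not services.exe is the case worth examining closely.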
Click Firewall/Advanced/Network Security Policy
Under Application Rules,
scroll down to see if Svchost.exe and/or System is already listed (most likely is, and is currently ‘Custom’)
Click on the name (Svchost.exe or System), and click ‘Edit’ (on the right).
Select ‘Use a Predefined Policy’, and select ‘Outgoing Only’ from the Dropdown box. Then click ‘Apply’.
Select and edit the second name the same way.
Click ‘Apply’, and then click ‘OK’.
If it is not already in the list (strange, but may happen), click Add/Select/Running Processes.
Scroll down the list to locate System and Svchost.exe (possibly will be near the top of the list).
Click on one, and click ‘Select’.
Now click on ‘Use Predefined Policy’ and follow the steps listed above.
Go back and select the other name, and again follow the steps already outlined above.
There you go.
You have now either changed or added these successfully as ‘Outgoing Only’ to your Firewall Rules.