After installing Comodo Firewall I notice svchost trying to connect to some remote site. The first question is how to best handle this. I understand svchost is running something else which can be good or bad. In reality I would need to know what is really trying to connect as svchost is just the enabler for that application. How should I handle this?
In this particular instance I checked the IP address it was trying to connect to and it happens to be Microsoft so it is Windows phoning home. What is going on here?
Go to the Defense section, then click on View Active Process List. There you should see Svchost expanded to show which processes and PID (process ID, which should also match the PID on the process on Task Manager). There are better process exploring programs if you want even more info about what is happening.
You can also make a note of the IP address that Svchost is connecting to and do a search to see. I know that Svchost connects to Microsoft for the IPv6 but also for Windows Updates and other legitimate reasons… not necessarily phoning home.
Approve it on a case by case basis (do not put a check mark in the Remember box) while you do more research or see what other processes may open up.
Thanks Lenny. I had already discovered the Active Process List on the Summary page where it says “X (number) applications are active and running”. Clicking on that number also brings up the Active Process List.
In that list I do not find any specific information about which program is running SVCHOST. I see the process number but I do not know how to get any further information by using that process number.
I also have and use Sysinternals Process Explorer which provides a bit more info. It is still confusing that I am asked to allow or block just SVCHOST and I have no further info on that. I do not know if allowing SVCHOST would allow it for all applications in which case it seems to me a malicious program could use SVCHOST to communicate outside. It seems to me the authorization should be for the program using SVCHOST.
Or maybe I am just not entirely understanding how it works.
in most cases, svchost.exe is used to check for avaiable updates.
I’ve allow svchost.exe to remote access Port 80 and 443, here you could ad some adresses of Microsoft servers, but i don’t know which they are(Update).
It’s needed for DNS Resolve UDP - 53, too, when you use the DNS service of microsoft, as central DNS resolve.
Last thing is synchronising the clock about UDP - 123.
This is how I saw it explained once. Svchost would be comparable to a truck or train carrying lots of different packages/containers. At a check-point, they don’t have to check each package through, just the truck or train, since the packages were already individually checked before loading them on the truck/train. Svchost works by carrying several DLL processes at once. .EXE processes run on their own but .DLL processes need a carrier so they are bundled into once Svchost.exe process.
Your AV scans all files and when you first start up your computer, the AV scanner checks all processes to make sure they are not malware… but the firewall still gives you control over whether you want them to be able to connect to the internet. Presuming the AV scanner is working properly, any file that starts up (or opens) that is malicious should be caught by the AV real-time scanner.
Here’s more reading about Svchost… and the How-To-Geek page tells you how to use a CMD window or Task Manager to explore the actual Svchost also, in XP-Pro and Vista. You would have to use Process Explorer in XP-Home.