I’m trying to limit svchost.exe connections to net by leaving it only the essentials.
Today I went to Microsoft Update via IE8 and I analyzed, what connections it needed, and…
TCP Out (or In/Out) 192.168.1.64 to Any Address, Any Source Port to HTTP Ports, which include 80, 443 and 8080,
but, when I set that rule, and started the Microsoft Update search progress, firewall still somewhy blocked all connections, like this:
svchost.exe - Blocked - TCP - 192.168.1.64 - 2455 - 65.55.184.16 - 80
Why?
Btw, the rest of configurations like Windows Updater Applications, System Applications and System are all below this rule and are Trusted.
I could limit svchost perfectly without problems before CIS’s latest update.
Did you create a DNS rule for svchost.exe; UDP outbound port 53? I also always point this rule’s destination to my router gateway IP address since the router contains my DNS server.
BTW - change your TCP rule to outbound only. Stateful inspection will take care of the matching inbound connection.
svchost.exe is a windows generic host process for services that run from dll. You need to allow it out namely for dhcp, dns, windows clock and windows update.
But as you have rules for Windows System Applications and for Windows Updater Applications, you already allowed all the connections needed by svchost.exe. Then it is completely useless in that case to make specific ones for svchost.exe unless you want to remove the fore mentioned Windows * * rules.
And as Donz mentioned, Windows System Applications and Windows Update Applications require only outbound connections while the rule 'trusted application" allows outbound as well inbound connections reducing therefore your security.
Check your other rules to see if there isn’t one explaining the blocking you mentioned.
Don’t forget rules are hierarchical, so even if the default ‘Windows System Applications’ rule still exists, if it’s below the new rule that’s been created, it may never be checked.
I thought, that I’d better erase all svchost rules, and catch and log everything all over again,
and, now it just works good.
3 rules to limit (excluding windows timesync, which I don’t need) + deny everything else and it works as expected.
I have no idea, why I had so much fuss yesterday. I even thought it was a CIS bug and tried to reproduce this, but no success… This is so ■■■■ weird. :-\