I need help in finding how to prevent svchost.exe from sending TCP to deploy.akamaitechnologies.com several times after each logon to my Win7 Professional PC. Doing so will allow the Comodo firewall to block unauthorized Internet access by malware hiding behind svchost.exe.
I used the free app at systemexplorer.net to look up the URL given the IP address and to trace that the process ID for the sending instance of svchost.exe is the one hosting the Cryptographic service. This instance of svchost.exe hosts no other services because I disabled the Workstation service. I don’t understand why the Cryptographic service is accessing the internet since I used gpedit.msc to enable “Restrict Internet communication” under \Computer Configuration\Administrative Templates\System\Internet Communication Management.
I have the latest version of Comodo’s Firewall installed (CIS 5.10). I tried to block svchost.exe from outputting TCP to host name=deploy.akamaitechnologies.com and host name=akamaitechnologies.com, but Comodo’s Firewall didn’t block this. The IP address varies with each logon, so I cannot block it based on the IP address.
I tried disabling the Cryptographic service, but Win7 forces its startup type to manual and starts it automatically at the next reboot. I am hoping someone knows a Group Policy to turn off this internet access by svchost.exe.
I forgot to mention that in \Control Panel\Programs and Features\Turn Windows features on or off, I have disabled everything except Microsoft .NET Framework 3.5.1 (subfeatures are disabled) and Windows Fax and Scan.
Akamai, along with other content delivery networks such as Level 3, is used by Microsoft and many others to facilitate various updates, including Windows and root certificate store updates. What you’re seeing with the Cryptographic service is related to the latter. You can read more about the mechanics of certificate checks/updates here
I am familiar with the web page you mentioned. It references this page, which has the instructions I followed for the “Restrict Internet communication” policy. As seen on that page, the individual policies affected by this meta policy include “Turn off Automatic Root Certificates Update”. Therefore, there is some other feature of the Cryptographic service that is accessing the internet. What could it be?
Thanks so much Ronny. I had to use a Cmd box with admin privileges and temporarily enable the DNS Client service for it to work, but your suggestion revealed that the host names that Win7 queries are crl.microsoft.com and crl.globalsign.net. Using these host names, the Comodo firewall successfully blocked these internet accesses.
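The investigation in this thread (find the svchost.exe instance that is talking out, identify which services it hosts, and recover the host names behind the changing CDN addresses) can be scripted. The following is an added example written for this page; it is not code from the thread or from any of the tools mentioned. It assumes a Windows 7 box with PowerShell 2.0 or later, uses the built-in netstat, tasklist-equivalent WMI data (Win32_Service) and ipconfig commands, and assumes that the host names are recovered from the local DNS resolver cache (ipconfig /displaydns), which only has entries while the DNS Client service is running, as the last comment observes. The text parsing of those commands' output is this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): map outbound TCP connections of
# svchost.exe to the services each instance hosts, then resolve the remote
# addresses back to the host names that were actually queried (e.g. CRL hosts)
# using the local DNS resolver cache. Assumptions: Windows 7 / PowerShell 2.0+,
# DNS Client service running, elevated prompt. netstat, ipconfig and the
# Win32_Service WMI class are real; the output parsing below is this example's own.

# 1. Parse "netstat -ano" for TCP connections that are not local listeners.
$conns = netstat -ano | ForEach-Object {
    # Example line: "  TCP    192.168.1.5:49160   23.4.5.6:80   ESTABLISHED   1234"
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            RemoteAddress = $matches[3]
            RemotePort    = [int]$matches[4]
            State         = $matches[5]
            PID           = [int]$matches[6]
        }
    }
} | Where-Object { $_.State -ne 'LISTENING' -and $_.RemoteAddress -ne '0.0.0.0' }

# 2. Map each PID to the service names hosted in that process.
#    Cast ProcessId to [int]: a UInt32 key would not match the Int32 PID above.
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $procId = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($procId)) { $svcByPid[$procId] = @() }
    $svcByPid[$procId] += $_.Name
}

# 3. Build IP -> record name and CNAME target -> queried name maps from the
#    resolver cache. CDN-hosted names (crl.microsoft.com and the like) are
#    usually CNAMEs, so the A record belongs to a CDN name; the CNAME map lets
#    us walk back to the name Windows originally asked for.
$hostByIp    = @{}
$cnameOwner  = @{}
$currentName = $null
ipconfig /displaydns | ForEach-Object {
    if ($_ -match '^\s*Record Name[ .]*:\s*(\S+)') {
        $currentName = $matches[1]
    } elseif ($_ -match '^\s*A \(Host\) Record[ .]*:\s*(\S+)' -and $currentName) {
        $hostByIp[$matches[1]] = $currentName
    } elseif ($_ -match '^\s*CNAME Record[ .]*:\s*(\S+)' -and $currentName) {
        $cnameOwner[$matches[1]] = $currentName
    }
}

function Get-QueriedName([string]$ip) {
    # Follow CNAME ownership backwards, with a bound to avoid loops.
    $name = $hostByIp[$ip]
    $hops = 0
    while ($name -and $cnameOwner.ContainsKey($name) -and $hops -lt 10) {
        $name = $cnameOwner[$name]
        $hops++
    }
    return $name
}

# 4. Report only connections owned by svchost.exe.
$conns | ForEach-Object {
    $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
    if ($proc -and $proc.ProcessName -eq 'svchost') {
        New-Object PSObject -Property @{
            PID      = $_.PID
            Services = ($svcByPid[$_.PID] -join ',')
            Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
            HostName = (Get-QueriedName $_.RemoteAddress)
            State    = $_.State
        }
    }
} | Format-Table PID, Services, Remote, HostName, State -AutoSize
```

The HostName column is what a host-name based firewall rule should be written against; it is empty when the cache has already expired or the DNS Client service was stopped, in which case the remote address was resolved by some other path and the cache-based method cannot attribute it.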