Disabling Windows' Internet access via svchost.exe

I need help in finding the last Windows component that is attempting DNS Internet access via svchost.exe. Doing so will allow the Comodo firewall to block unauthorized Internet access by spyware hiding behind svchost.exe. What is making this process difficult is that the Comodo firewall neither logs the service nor allows service-specific rules for svchost.exe.

I disabled the DNS client service so that non-Windows processes must directly request Internet access. Here is what I have done so far:

  1. Delete any firewall rule for svchost.exe
  2. regedit:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet, change EnableActiveProbing from 1 to 0 (see Appendix K: Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista | Microsoft Learn)
  3. regedit:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, new DWORD DisabledComponents=8 (see IPv6 Day - Windows Vista)
  4. Right-click clock|Adjust date/time|Internet Time tab|Change settings…|uncheck “Synchronize with an Internet time server”, OK
  5. For the firewall alerts when performing a Windows Update, choose Allow but uncheck “Remember this setting”.

There is still one Windows component causing firewall alerts every 8-10 minutes due to attempting DNS Internet access (port 53). In the Windows Event Viewer (System log), I see once after logon:
Event ID 1014 “Name resolution for the name dns.msftncsi.com timed out after none of the configured DNS servers responded.”
The website access blocked corresponds to 2) above, but this could be normal when active probing is disabled.

Does anyone have ideas on how to find the last Windows component making DNS accesses?

I’m trying to understand your post in small pieces at a time.
I hope you are allowing port 53 for at least the most part because port 53 is DNS

I disabled the DNS client service so that non-Windows processes must directly request Internet access
In the firewall section in Comodo, under "Firewall Behavior Settings", you can put a check mark on "Create rules for safe applications".

Your post is somewhat confusing. Before I attempt to study your post:

Is this for a Vista computer, and is this a laptop? (If so, do you use it outside the house? I ask this because on another topic you were asking some questions about "file and print sharing on Windows 7 PRO 32x and 64x".)

My other question is:
Is this to lock down your internet as tight as possible, and/or is it because of malware issues?

P.S. If I misread your post, bear with me :)

According to the PID of the svchost instance in use, which services are involved? My guess would be the instance that hosts NLA, DNS and Crypto amongst others (see image; your PID will probably be different).

The chances are these are NLA events, although Crypto services will connect to MS from time to time for root cert updates. However, that is usually done through WUS.

You could try disabling the NlaSvc (Network Location Awareness Service) but you may then have problems with connectivity.

Are you behind a router?

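One way to answer the PID question above without a screenshot, as an added example that is not from this thread or from Comodo: a PowerShell script that maps every running svchost.exe instance to the services it hosts (the same data "tasklist /svc" shows) and joins that to Windows Filtering Platform audit events for outbound port 53, so each DNS attempt is attributed to a service rather than to svchost.exe as a whole. It assumes Windows 7 or later, an elevated prompt, and that "Filtering Platform Connection" auditing has been switched on beforehand with the auditpol command in the comments.

```powershell
# Added example, not from the thread. Attribute DNS attempts made by svchost.exe
# to the services hosted in that particular PID. Assumes Windows 7+ with
# PowerShell 2.0+, run elevated, and WFP connection auditing enabled first with:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
# Security-log events: 5156 = connection permitted, 5157 = connection blocked.
# Caveat: PIDs are reused across reboots, so only look at events since the last boot.

param([int]$Hours = 1)   # how far back in the Security log to look

# 1. PID -> list of service names, for every running svchost.exe instance.
$svcByPid = @{}
Get-WmiObject Win32_Service |
    Where-Object { $_.ProcessId -ne 0 -and $_.PathName -match 'svchost\.exe' } |
    ForEach-Object {
        $p = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($p)) { $svcByPid[$p] = @() }
        $svcByPid[$p] += $_.Name
    }

# 2. WFP audit events whose destination port is 53 (DNS), with the PID that sent them.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.DestPort -eq '53') {
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Verdict = $(if ($e.Id -eq 5156) { 'allowed' } else { 'blocked' })
            ProcId  = [int]$d.ProcessID
            App     = $d.Application
            Dest    = "$($d.DestAddress):$($d.DestPort)"
        }
    }
}

# 3. Group by PID and print the hosted services next to each one.
$hits | Group-Object ProcId | Sort-Object Count -Descending | ForEach-Object {
    $p = [int]$_.Name
    $services = if ($svcByPid.ContainsKey($p)) { $svcByPid[$p] -join ', ' }
                else { '(not a running svchost.exe; process may have exited)' }
    '{0,4} DNS attempts  PID {1,-6} {2}' -f $_.Count, $p, $_.Group[0].App
    '      services: ' + $services
}
```

If a PID shows several services, stop them one at a time (as the thread does with NlaSvc) and re-run the script to see which one the attempts disappear with.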

First, you should know that I am a very experienced user of the Comodo firewall. I have my Firewall Security Level in Custom Policy Mode. Everything is working. I am asking for help in diagnosing OS behavior with the firewall and other tools. I am in the process of proactively tightening my security. I am seeing the same behavior in both 32-bit and 64-bit Win7 Pro.

My PCs are behind a router. I have a static IP for my printer. I have a global firewall rule to block all IP in. If one PC on the LAN gets infected, this strategy prevents spreading to the other PCs.

I have manually disabled the following services:
DNS Client, TCP/IP NetBIOS Helper, Remote Registry, SSDP Discovery, uPNP Device Host, WinHTTP Web Proxy Auto-Discovery, HomeGroup Provider, HomeGroup Listener, Distributed Link Tracking Client and Offline Files.

Thanks for the suggestion. I will try disabling NlaSvc.
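The registry edits and disabled services listed so far are easy to lose track of across two PCs, so here is an added read-only audit script (not from this thread or from Comodo) that reports whether each setting is in the intended state. It assumes Windows 7 with PowerShell 2.0+ and standard service short names (Dnscache = DNS Client, lmhosts = TCP/IP NetBIOS Helper, SSDPSRV = SSDP Discovery, upnphost = UPnP Device Host, WinHttpAutoProxySvc = WinHTTP Web Proxy Auto-Discovery, TrkWks = Distributed Link Tracking Client, CscService = Offline Files); the W32Time "Type = NoSync" check for the Internet Time setting is an assumption about what the dialog writes.

```powershell
# Added example, not from the thread. Read-only audit of the hardening steps
# described above: two registry values, the Internet Time setting and the
# services that were set to Disabled. Assumes Windows 7, PowerShell 2.0+.

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }   # $null = value not present
}

$checks = @(
    @{ What   = 'NCSI active probing off (EnableActiveProbing)'
       Actual = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet' 'EnableActiveProbing'
       Want   = 0 },
    @{ What   = 'IPv6 DisabledComponents'
       Actual = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents'
       Want   = 8 },
    @{ What   = 'Internet time sync off (W32Time Type, assumed NoSync)'
       Actual = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' 'Type'
       Want   = 'NoSync' }
)

# Services the thread disables; StartMode 'Disabled' matches the Services MMC startup type.
$services = 'Dnscache', 'NlaSvc', 'lmhosts', 'RemoteRegistry', 'SSDPSRV', 'upnphost',
            'WinHttpAutoProxySvc', 'HomeGroupProvider', 'HomeGroupListener', 'TrkWks', 'CscService'
foreach ($svc in $services) {
    $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    $checks += @{ What   = "service $svc disabled"
                  Actual = $(if ($s) { $s.StartMode } else { 'missing' })
                  Want   = 'Disabled' }
}

# Print one line per check; [DIFF] means the value is absent or not what the steps set.
foreach ($c in $checks) {
    $ok = ($c.Actual -ne $null) -and ("$($c.Actual)" -eq "$($c.Want)")
    '{0} {1,-55} actual={2}' -f $(if ($ok) { '[OK]  ' } else { '[DIFF]' }), $c.What, $c.Actual
}
```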

If you’re trying to contain svchost, (as I mentioned in a reply to you elsewhere) you’ve missed a few services. Off the top of my head:

Crypto services
Ipsec Policy Agent
BITS
PNRP
Application experience (probably won’t be necessary as it’s opt-in, but… disable the scheduled events too)
NTP

I’ve probably missed some…

By the way, have you removed the default application rules?

Disabling NlaSvc solved the problem! Thanks again for the suggestion Radaghast.
I also disabled Network List Service to prevent a lot of errors in the Event Viewer (under System).

I have removed the default firewall rule for Windows System Applications. I still have the default firewall rules for COMODO Internet Security and Windows Updater Applications.

My goal was to avoid firewall allow rules for svchost.exe, and I have now succeeded. If any malware attempts to hide under svchost.exe and access the internet, I will get an alert.

Since I have 3GB+ of RAM and I am happy with the speed of my PCs, what is the advantage of disabling the additional services you mention? Weigh this against the time it takes to debug problems caused.

I think most of those services you can live with, they just came to mind as possibilities for further investigation when trying to lock things down.

You might want to look at BITS (Background Intelligent Transfer Service); it’s used as part of Windows Update as well as a number of other MS services and applications, such as MSE. The service can also be used by third-party applications, like Google Gears.

The IPsec Policy Agent may also be disabled, unless you’re using IPv6 or an L2TP VPN. It’s one less listening service.

If you’re not partial to MS, the time server for NTP may also be changed. Personally I use pool.ntp.org

There are others, but it really depends how far you want to take things…