Help with firewall and svchost.exe

Howdy people.

I am setting each incoming and outgoing request to “Ask”, even for trusted applications. So whenever svchost.exe wants to perform a connection, it asks me, and I accept most of them since it’s a trusted application.

The process just keeps getting more and more “unique” requests, filling up the rules page. I am considering allowing everything for svchost.exe. New unique requests for new IP addresses and new ports keep coming every day, and the list is starting to get big.

What are all these requests? I know that svchost.exe is an important part of the operating system, for Windows Update and that sort of thing.

But can anyone tell me, or direct me to a webpage where I can get a complete, FULL 100% complete description of all the connections it performs? I want to see everything that it does.

Either I am in charge of my own computer or I am not. I have to admit that although I know I can probably trust svchost.exe, I still do not like that it is performing all these connections.

Take a look at the screenshot I have added in this post. Let me know if anyone knows a website that describes all activities involved with svchost.exe.

http://i.imgur.com/klWi5.png

Many of these requests are pretty straightforward, but that’s not the problem; the problem is that it just keeps requesting new unique connections once in a while, every day or every second day. What IS IT doing?

Blocking the IP address doesn’t really help, however:

Port 53 - UDP mainly, but also TCP - DNS - The IP addresses should only be for the DNS service you use
Port 80 - HTTP - Updates for Windows and other applications - IP addresses will be Microsoft, Akamai and, for other applications, such as Adobe
Port 443 - See HTTP, but with secure connections
Port 5357 - Network discovery - Finds devices attached to your LAN
Port 5355 - Link Local Multicast - Local name resolution, a bit like DNS for local devices
Port 123 - NTP - Keeps your clock synced with an Internet time source
The high-numbered ports are probably loopback but could be a number of other processes. Would need more detail.

There’s no really definitive source for everything svchost listens to or can connect to, so you have to research every service that can be hosted by a svchost instance.
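Since there is no definitive list, the practical way to learn the “intention” behind an alert is to ask the machine which service is living inside the svchost.exe instance that opened the connection. The script below is an added example written for this thread, not code from the thread or from Comodo: it joins the TCP/UDP endpoint tables with the service table so every svchost connection is shown next to the service names hosted in that process. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-NetUDPEndpoint) and an elevated PowerShell session so all processes are visible; the function name and output columns are my own.

```powershell
# Added example (not from the thread or from CIS): map every svchost.exe
# network endpoint to the Windows service(s) hosted in that process.
# Assumes Windows 8 / Server 2012 or later and an elevated session.

function Get-SvchostConnection {
    # Lookup table: process ID -> list of service names running in it.
    $servicesByPid = @{}
    $running = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 }
    foreach ($svc in $running) {
        if (-not $servicesByPid.ContainsKey($svc.ProcessId)) {
            $servicesByPid[$svc.ProcessId] = New-Object System.Collections.Generic.List[string]
        }
        $servicesByPid[$svc.ProcessId].Add($svc.Name)
    }

    # Only svchost.exe instances are of interest here.
    $svchostPids = @((Get-Process -Name svchost -ErrorAction SilentlyContinue).Id)

    # TCP connections (established, listening, time-wait, ...) owned by svchost.
    $tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $svchostPids -contains $_.OwningProcess } |
        ForEach-Object {
            [pscustomobject]@{
                Protocol      = 'TCP'
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                Services      = ($servicesByPid[[uint32]$_.OwningProcess] -join ', ')
            }
        }

    # UDP has no connection state; the endpoint table only shows local binds
    # (DNS on 53, LLMNR on 5355 and NTP on 123 from the list above show up here).
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $svchostPids -contains $_.OwningProcess } |
        ForEach-Object {
            [pscustomobject]@{
                Protocol      = 'UDP'
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = '*'
                RemotePort    = '*'
                State         = 'Bound'
                PID           = $_.OwningProcess
                Services      = ($servicesByPid[[uint32]$_.OwningProcess] -join ', ')
            }
        }

    @($tcp) + @($udp) | Sort-Object PID, Protocol, LocalPort
}

Get-SvchostConnection | Format-Table -AutoSize
```

When an alert appears, match its remote address and port against the rows for the same PID; the Services column then tells you which service (for example wuauserv for Windows Update, Dnscache for the DNS client or W32Time for the time service) is behind it. The older command-line equivalent for the PID-to-service half is `tasklist /svc /fi "imagename eq svchost.exe"`, which works on any Windows version. On a single-purpose svchost instance the mapping is one-to-one; on older systems several services share one svchost, so a row may list more than one candidate and you have to decide which one plausibly uses that port.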

You could…

right click on svchost in your app rules
select edit
Custom policy
copy from
a predefined policy
outgoing only
click add
and then create an Ask rule
click apply
and then drag it to the top of the list
click apply
click ‘OK’ as you exit

and then your list wouldn’t keep growing.

Thank you (:WIN)
That is a good idea, you’re a genius.

Thanks to the first reply as well; although I know the ports and services, I was really looking for a way to recognize the intention behind each connection, not the type of connection made. Basically, a list of common things that svchost performs. But if that many services rely on it, it may not be that easy after all.

BoredNow: So the ask rule should be on top and the allow all outgoing should be at the bottom. What will I achieve with this setting? Will it ask anything first and THEN only allow outgoing connections?

Put it at the bottom and above the block all rule (with the red icon).

Should I have a “Block all” rule for every application in my list, or will CIS automatically block anything that doesn’t match when it has parsed the entire rule list?

If I should have a block all for every trusted application, what is a proper blocking rule, block all in/out connections with IP or TCP & UDP?

The rules for svchost.exe look like this now:

http://i.imgur.com/uozts.png

By the way people, when CIS pops up a window to ask for permission to connect somewhere, after a specific time interval the window disappears, naturally. But what is the default action if it disappears, will it block by default or will it simply pass on to the next item in the rule list?

The block all rule for applications is not necessary for incoming traffic, as incoming traffic first goes through the application rule and then hits the Global Rules, which will also block unless permitted.

When using the Ask rule you can remove the block rule if you like. When you don’t answer the alert CIS will block the action.

I just thought that since you want to be alerted every time svchost wants to connect, that it would simplify things.
If you make the rule as I described, you won’t have that long list any more…just be aware of that…it will just be

ASK
Allow all outgoing requests
Block and log unmatching requests
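The ordering question asked above (Ask on top versus at the bottom, and what happens when an alert times out) can be made concrete with a small model of first-match rule evaluation. This is an added illustration written for this thread, not CIS code or its rule format; the rule shape, the two lists and the sample connection are constructed. It encodes the behaviour the replies describe: rules are tried top to bottom and the first match decides, an unanswered alert counts as a block, and a connection has to get through both the application list and the global list.

```powershell
# Added example (not from the thread or from CIS): toy first-match evaluation
# of an application rule list followed by a global rule list. Rule objects,
# the sample lists and the connection are constructed for illustration.

function New-Rule {
    param([string]$Action, [string]$Direction = 'Any', $RemotePort = 'Any')
    [pscustomobject]@{ Action = $Action; Direction = $Direction; RemotePort = $RemotePort }
}

function Test-RuleMatch {
    param($Rule, $Conn)
    ($Rule.Direction -eq 'Any' -or $Rule.Direction -eq $Conn.Direction) -and
    ($Rule.RemotePort -eq 'Any' -or $Rule.RemotePort -eq $Conn.RemotePort)
}

function Resolve-RuleList {
    # Walks one list top to bottom; the first matching rule decides.
    # 'Ask' is resolved through $Answer; $null (alert timed out with no
    # answer) is treated as Block, which is what the reply above says CIS does.
    param([object[]]$Rules, $Conn, [scriptblock]$Answer)
    foreach ($rule in $Rules) {
        if (-not (Test-RuleMatch $rule $Conn)) { continue }
        switch ($rule.Action) {
            'Allow' { return 'Allow' }
            'Block' { return 'Block' }
            'Ask'   {
                $reply = & $Answer $Conn
                if ($reply -eq 'Allow') { return 'Allow (asked)' }
                return 'Block (asked)'
            }
        }
    }
    return 'Block (no match)'   # nothing matched: default deny
}

function Resolve-Connection {
    # The connection must be permitted by both lists; the first to block wins.
    param([object[]]$AppRules, [object[]]$GlobalRules, $Conn, [scriptblock]$Answer)
    $app = Resolve-RuleList $AppRules $Conn $Answer
    if ($app -like 'Block*') { return "app: $app" }
    $global = Resolve-RuleList $GlobalRules $Conn $Answer
    return "app: $app / global: $global"
}

# Global rules as the posters describe them: outbound allowed, inbound blocked.
$globalRules = @(
    (New-Rule -Action 'Allow' -Direction 'Out'),
    (New-Rule -Action 'Block' -Direction 'In')
)

# The same three application rules in the two orderings discussed above.
$askOnTop = @(
    (New-Rule -Action 'Ask'),
    (New-Rule -Action 'Allow' -Direction 'Out'),
    (New-Rule -Action 'Block')
)
$askAtBottom = @(
    (New-Rule -Action 'Allow' -Direction 'Out'),
    (New-Rule -Action 'Ask'),
    (New-Rule -Action 'Block')
)

$conn = [pscustomobject]@{ Direction = 'Out'; RemotePort = 443 }   # constructed
$userAllows = { param($c) 'Allow' }   # user clicks Allow on the alert
$noAnswer   = { param($c) $null }     # alert disappears unanswered

"Ask on top, user answers:    " + (Resolve-Connection $askOnTop    $globalRules $conn $userAllows)
"Ask on top, no answer:       " + (Resolve-Connection $askOnTop    $globalRules $conn $noAnswer)
"Ask at bottom (never asked): " + (Resolve-Connection $askAtBottom $globalRules $conn $userAllows)
```

The three lines printed at the end show the point: with Ask above the allow-all-outgoing rule the prompt fires and an unanswered prompt ends in a block; with Ask below it, the outgoing connection matches the allow rule first and the Ask rule is never reached, so the list stops growing but you are never asked either. The same walk also shows why a trailing Block rule adds nothing when the engine already denies on no match.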

Speaking of “Allow all outgoing requests”, is it really necessary to have that in my application rule list when the global rule list already has the same rule? Isn’t that redundancy?

Just curious (:SHY)

I’m curious what your global rules are?

Personally, I just use the standard ‘block all incoming connections and make my ports stealth for everyone’ found in the ‘Stealth Ports Wizard’.

So many people get confused by Application and Global rules.

  1. If you want to control the outbound connections a specific application or process can make, use application rules.

  2. If you want to control inbound connections, use Global rules.

If you trust an application or process, create an application rule specifically for that application or process that allows all outbound connections. If you don’t, create specific rules. It’s not hard.

The top rule is my router; I block all access to it just in case some malware program tries to access it from my LAN. I only open it on special occasions. I used to have the router in the ‘blocked zones’, but that blocked it entirely when I use traceroute tools, so I decided to block it in the global rules, from HTTP, telnet and the usual protocols.

http://i.imgur.com/iRSHY.png

You don’t trust your router…

All traffic is free to flow in and out through the router, but any connections to the router through HTTP, telnet or FTP are not allowed. If malware can access it, it can change settings, even change the firmware or anything. So I keep it blocked; I open it for short durations only when I need to connect to it.

!ot!
I’m often embarrassed by my apparent ‘mental block’ when it comes to Networking.
There’s something about a string of words like…ICMP message is FRAGMENTATION NEEDED…that is just beyond my comprehension.
I’m embarrassed to admit that I don’t use a router because it’s just too confusing.

???

Perhaps this topic went a bit off topic actually. My initial question was about the intentions of the connections performed by svchost.exe. If there is no such list of common connections, or even a complete list, I will have to collect all the processes manually; I don’t think I will do that, it’s not that important to me. Anyway, thanks for the help.