How do you limit Svchost.exe access to internet?

Hi, I have wondered why svchost.exe transmits and receives bytes all of the time on my XP Pro PC.
It appears to be related to the dnscache. I understand this can be hijacked by programmes but is also required to update from Microsoft SO!!
My question is: How do I set up V3 to block svchost.exe from accessing any site other than the Microsoft update website?

Try this:

Set firewall to custom policy mode.
Delete svchost.exe from application rules in network security policy.
Go to GUI->firewall->advanced->firewall behavior settings->alert settings and set switch to “very high”.

Start the Windows Update procedure. There should be alerts like “svchost.exe tries to connect to IP address xxxxxx”. Choose allow and remember for them. An appropriate ruleset for svchost.exe with specific addresses should be created.

Place the rule block/ip/in&out/any/any/any at the end of the list (ruleset for svchost.exe) once all appropriate Microsoft update IP addresses are allowed in the ruleset for svchost.exe.

Thanks for the quick answer!!
Did everything you said (removed svchost.exe from network security policy last). Set alerts to Very High.

Left it in ‘custom policy mode’ and tried the Windows Update and it still worked after a few D+ learning prompts.
Never got the allow IP question. svchost.exe was running again.
Could this be the result of this being a UDP request or the fact many svchost.exe can be running at the same time?

I guess no.

I made an inaccuracy: the alert should look like “tries to connect (or receive connection); application: svchost.exe; remote: - UDP (or TCP etc)”

If you don’t get such firewall alerts after what you have done with the settings I had suggested, then there are 2 variants (I guess):

  • svchost.exe doesn’t connect to net during windows update;
  • svchost.exe is executed by some system process (trusted) and connects to the net, bypassing firewall rules (this is a normal thing in V3 because it is Defense+ which is responsible for that and the parent process is allowed to execute svchost.exe).

I guess there is nothing to worry about, as svchost.exe will be unable to connect without prompting an alert with those settings, or there would be an alert that process xyz (which is not in the list or doesn’t have permission in D+ policy) tries to execute svchost.exe.

The real question is WHEN can you recognize svchost as benign and when should you deny access?
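One way to answer that question, and the earlier point that many svchost.exe instances run at the same time, is to look at which Windows service each svchost.exe instance is hosting before deciding on a rule for it. The script below is an added example and is not part of the thread or of the firewall product discussed; it uses only `netstat -ano` and `tasklist /svc`, which exist on XP and later, so it is independent of the Comodo GUI procedure above. It joins each open connection to the service names hosted in that PID, so a UDP socket on port 53 from the instance hosting Dnscache, or a TCP connection to port 80/443 from the instance hosting wuauserv, can be told apart from a connection made by a svchost.exe hosting no service at all. Sample interpretations in the comments are general observations, not facts taken from the thread.

```powershell
# Added example: map every svchost.exe network connection to the services
# hosted in that PID, so a rule decision can be made per service rather than
# for "svchost.exe" as a whole. Requires no module beyond built-in tools.

# 1. Build a PID -> "service1,service2" table for svchost.exe only.
#    tasklist /svc /fo csv /nh emits: "Image Name","PID","Services" without a header row.
$svcByPid = @{}
tasklist /svc /fo csv /nh |
    ConvertFrom-Csv -Header 'Image', 'PID', 'Services' |
    Where-Object { $_.Image -ieq 'svchost.exe' } |
    ForEach-Object { $svcByPid[[int]$_.PID] = $_.Services }

# 2. Walk netstat -ano and keep only rows owned by one of those PIDs.
#    TCP rows: Proto Local Remote State PID ; UDP rows: Proto Local Remote PID (no State).
$rows = netstat -ano | ForEach-Object {
    $f = ($_.Trim() -split '\s+')
    if ($f.Count -lt 4 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { return }
    $procId = [int]$f[-1]                     # last column is always the PID
    if (-not $svcByPid.ContainsKey($procId)) { return }
    New-Object PSObject -Property @{
        Proto    = $f[0]
        Local    = $f[1]
        Remote   = $f[2]
        State    = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        PID      = $procId
        Services = $svcByPid[$procId]
    }
}

# 3. Show the result grouped by PID. A svchost.exe PID that appears in netstat
#    but has an empty Services column is the case worth investigating first:
#    a genuine svchost.exe always hosts at least one registered service.
$rows | Sort-Object PID, Proto | Format-Table PID, Services, Proto, Local, Remote, State -AutoSize

# Typical benign pairings (general observation, not from the thread):
#   Dnscache  -> UDP, remote port 53, to the resolvers listed by ipconfig /all
#   wuauserv  -> TCP, remote port 80 or 443, during a Windows Update run
# Anything else from a svchost.exe (unexpected remote ports, or a PID with no
# services) is what a per-address block rule like the one above should catch.
```

Run it from an elevated prompt while Windows Update is in progress to see which PID (and therefore which service) the update traffic belongs to; the PID in the firewall alert can then be matched against the Services column.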