I Want ALL "svchost.exe" Tries To Be Asked About

Hi, Guys…

I don’t wanna draw this out.

I want EVERY single instance of “svchost.exe” attempting something (no matter what and whether or not I’m Net connected) to be alerted to me so that I can make a decision about it, myself.

I don’t want to get into any lengthy explanations about why…I just wanna know how, and I need to know this, urgently!

How do I do it? (Including all methods if more than one method exists, please.)

Ian.

Hi Ian,

Are you talking about the “Firewall” part or the Defence+ part?

Remove svchost.exe from the Windows Updater Applications file group and use Clean PC mode before switching to Paranoid mode.

[Windows Updater Applications] is defined as
---------------------------------------------------------------------------------------
[0] D:\WINDOWS\system32\svchost.exe
[1] D:\WINDOWS\system32\msiexec.exe
[2] D:\WINDOWS\system32\wuauclt.exe
[3] D:\WINDOWS\SoftwareDistribution\*
[4] D:\WINDOWS\system32\wupdmgr.exe
[5] D:\Program Files\COMODO\Firewall\cfpconfg.exe

PS: back up your CFP config before testing any D+ config changes.

Hi…

Ronny…

Thanks for the reply. A few weeks ago, I got all “svchost.exe” alerts every time “svchost.exe” attempted to receive a connection from “another computer” (none of my machines are networked to any other/s) and then, mysteriously, it stopped warning me. I was kinda comforted by those warnings. So, I suppose, for now, I’m talking mostly about it being Internet oriented, which means…Firewall only.

Gibran…

Thanks for that. I’ll try it, during this evening and tonight. “Windows Updates”, “BITS” and “Event Logging” are always turned off on my machines until I decide it might be time to do a Windows Update. They get turned off, again, after each time.

Ian.

The only suspicious activity I found related to svchost.exe was due to the Teredo IPv6 layer. If you restrict svchost to your LAN you won’t have any issue except for updates and NTP.

svchost is part of Windows. In the firewall make it outgoing only.

https://forums.comodo.com/empty-t14948.0.html

Hi…

Before I try that, this might make things a touch clearer.

Around the same time that I started to get the “svchost.exe” warnings, I also noticed that my Internet Service Provider were completely unable to tell me, when I phoned them, how many hours I’d used and, therefore, how many I had left, each month. The figure was locked at 200 and never decremented, no matter how many hours I knew that I’d used. I just tried removing “svchost.exe” exactly as described from “my” “file groups” and deprived the very next “svchost.exe” request, even though CFP says that “svchost.exe” is safe. No more web sites were selectable and E Mail was a fail, right across the board. That was pretty dramatic. So, I replaced “svchost.exe” and everything is back to the way it was.

How dangerous or safe, really, is this “svchost.exe”? Because of what I don’t know, I am inclined to view as seriously suspicious anything of this type. Can CFP tell me that “svchost.exe” is a safe application and that it can be safely allowed…etc.,…and it still be masking a dangerous other item (.dlls, etc.) that should NOT be allowed Internet access?

I want to know how safe “svchost.exe” actually is, because…as I understand it, it is a very versatile and very powerful little executable to have around, running so freely, in so many ways…but, is it dangerous?..and, will a future version of CFP be likely to flag all underlying items using this “svchost.exe” (like Process Explorer currently does) so that we can make slightly more educated guesses, before clicking to allow?

Ian.

If your PC is clean, and I mean clean. I don’t know what you use for an AV, but I use NOD32 and I scan once a week with SAS and MBAM. svchost is part of Windows. Right now I have 7 svchost items running in the task manager.

Svchost itself is safe, but it is only a multipurpose “host” running many different Windows services.
Another matter is malware with svchost-like names.

You can control your services by running services.msc, and you can peek at each svchost.exe instance using Process Explorer.

Even if svchost itself is safe, misconfigured Windows services and an unpatched Windows pose serious security risks.
Most svchost.exe processes run with different security credentials, and anyone who did not disable Windows Terminal Services can see that svchost.exe processes belong to different users in order to provide better security.

A router should be able to provide better protection than a dial-up connection, but if you are concerned with extra bandwidth usage and you have an always-on connection, you could consider turning off your router when you don’t need Internet access and creating some global rules to tighten your protection.

You can even limit svchost to your LAN when you don’t need to update Windows. BTW, you can always check for updates manually on Windows Update.
It would even be possible to restrict svchost access for outbound Internet connections only to specific hosts (e.g. your DNS, Microsoft, your time servers and so on).
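The check described above (peeking at each svchost.exe instance to see which services it hosts and which account it runs as, the way Process Explorer or “tasklist /svc” shows it), as an added PowerShell example that is not part of this thread. It also flags two of the things the thread warns about: an “svchost.exe” that does not live in System32 or hosts no service, and processes with svchost-like names. The lookalike pattern is a rough assumption of my own, not a complete list; expect some system processes to show an empty Account or Path when the shell is not elevated.

```powershell
# Added example (not from the thread): inventory every svchost.exe instance.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# A genuine svchost lives in System32, was started with "-k <group>" and hosts
# at least one service; each row shows which services and which account.
$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $svcs  = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
             Select-Object -ExpandProperty Name
    $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }

    $flags = @()
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $expectedPath) { $flags += 'unexpected path' }
    if (-not $svcs) { $flags += 'hosts no service' }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Account  = '{0}\{1}' -f $owner.Domain, $owner.User
        Group    = $group
        Services = ($svcs -join ', ')
        Path     = $p.ExecutablePath
        Flags    = ($flags -join '; ')
    }
}
$report | Sort-Object PID | Format-Table -AutoSize -Wrap

# Names that merely resemble svchost ("scvhost.exe", "svch0st.exe", ...).
# Assumed, deliberately loose pattern: review every hit by hand.
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ne 'svchost.exe' -and $_.Name -match '^s[cv]{1,2}h[o0]s?t' } |
    Select-Object ProcessId, Name, ExecutablePath
```

Run it from an elevated prompt to see the owner of the services that run as SYSTEM, LOCAL SERVICE and NETWORK SERVICE; each “-k” group (netsvcs, LocalService, NetworkService and so on) is the same grouping Process Explorer shows in its tooltip, and the Services column is what a firewall alert for “svchost.exe” is really about.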

Hi…

Thanks, guys. I’ll print all the answers out and keep 'em handy.

I’ve switched “svchost.exe” to outgoing only, but should I make it UDP/TCP/ICMP/IP etc?

My brain is turning to mushy stuff used to fill cracks in ceilings.

Ian.

Outgoing only policy is the CFP default for Windows Updater Applications; you can leave it that way.

You can add “Allow IP In From In [Local Area Network] To IP Any Where Protocol Is Any” and “Allow IP Out From IP Any To In [Local Area Network] Where Protocol Is Any” to the svchost custom policy too.

My baseline ruleset looks like this

Okay…it’s official, now…

I’m effectively, utterly lost!

Every “svchost.exe” alert I was getting referred to a remote computer wanting to make a connection or to “svchost.exe” trying to allow some remote computer to make a connection with mine.

I just want to see alerts pop up and have the power to stop “svchost.exe” doing any such thing as connecting with any remote computer, and I want to be in total control of whether each attempt is successful, or not!

Sheeeeeeeesh, guys! I almost made it all the way to understanding, there, for a while. (:SAD)

I’ve just read…

“Allow IP In From In [Local Area Network] To IP Any Where Protocol Is Any”

How can I allow IN from IN? …and… where will “[Local Area Network]” appear in front of me?

…and…

“Allow IP Out From IP Any To In [Local Area Network] Where Protocol Is Any”

Again, where will the words “[Local Area Network]” appear in front of me, because those words are not showing up where I’m looking.

I need this explaining to me…in English, syllable by syllable?..because, I’m a permanent beginner! (:HUG)

Ian.

Local Area Network is a network zone for your LAN. You should find yours in My Network Zones.

“In [Local Area Network]” is only the way CFP shows rules, and it means the zone named Local Area Network.

If you create your rules, the CFP description will match “Allow IP In From In [Your Local Area Network] To IP Any Where Protocol Is Any”.

Hi…

Thanks for the reply. You’ve really tried, and I’m grateful for that, but I haven’t the slightest clue what you just said, and I read it a lot.

There are some things that I was never meant to understand and this is clearly one of them. (:AGY)

Thanks to all who tried, anyway. (:SAD)

Ian.

See svchost.exe - Wikipedia.

Due to being widespread among running processes, svchost.exe has long been a common disguise used by malware to hide its presence from the user.

I have a few very specific rules for svchost.exe. If you set this process to allow all outgoing traffic, you will be vulnerable to malware such as that described at Malware piggybacks on Windows’ Background Intelligent Transfer Service | Ars Technica.

MrBrian…

Thanks for your reply. It appears that “svchost.exe” is yet another Microsoft sinister and questionable production, just like Windows!

Every day, online, seems to be little better than a battle for survival. I miss the old days of having Commodore Amigas and when I’d never even heard of the Internet.

Sometimes, I wish they could just shut the entire planet’s Internet down and just…reboot it, a day later, but with fewer holes and bugs.

Ian.

Would you mind posting your rule set for svchost?

Thanks, Al

I guess that limiting svchost to the LAN would prevent such scenarios.
Maybe additional outgoing rules to Microsoft IP ranges and time servers would be enough to secure svchost without losing any significant feature.

It looks like CFP handles BITS exploits already. There is a BITS PoC available on http://reconstructer.org/

BITS GUID is {4991D34B-80A1-4291-83B6-3328366B9097}.
There are also other BITS GUIDs that could be manually added (for different BITS versions), but maybe the one that is currently configured in CFP is enough.

Here it is.

By the way, I don’t use Automatic Updates. Also, when I run Microsoft Update, I disable the firewall and D+.

Some notes: 192.168.0.1 is my router. 5.0.0.1 is related to virtual private network software and can thus be ignored. 255.255.255.255 allows broadcast to local area network. 209.244.0.4 and 209.244.0.3 are for OpenDNS DNS server. Note that even some of these rules may not be necessary.

[attachment deleted by admin]
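The rule set discussed in this thread (svchost outbound only to the local zone, the DNS servers and a time server, inbound only from the LAN, with Windows Update handled separately) expressed as a script, as an added example that is not MrBrian’s attachment or any Comodo file. CFP’s rules are edited in its GUI, so this uses the Windows Defender Firewall cmdlets (NetSecurity module, Windows 8 / Server 2012 and later) as a scriptable equivalent. The resolver addresses and router address are the ones MrBrian lists; the time server name is my assumption. Replace all three with your own.

```powershell
# Added example (not from the thread): "svchost only where it needs to go"
# as Windows Defender Firewall rules. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
$tag     = 'Thread-svchost'   # common prefix so the set can be listed and removed together

# Assumed values taken from the thread's notes; substitute your own.
$dnsServers = @('209.244.0.4', '209.244.0.3')   # OpenDNS resolvers
$router     = '192.168.0.1'                     # gateway / DHCP server
$ntpServer  = 'time.windows.com'                # assumption: your configured time source

# Start clean so the script can be re-run.
Get-NetFirewallRule -DisplayName "$tag*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 1. Local zone: the subnet, the router and the broadcast address (DHCP renewals).
New-NetFirewallRule -DisplayName "$tag LAN out" -Direction Outbound -Program $svchost `
    -RemoteAddress @('LocalSubnet', $router, '255.255.255.255') -Action Allow | Out-Null

# 2. DNS: the DNS Client service lives inside svchost, so lookups need this.
New-NetFirewallRule -DisplayName "$tag DNS out" -Direction Outbound -Program $svchost `
    -Protocol UDP -RemotePort 53 -RemoteAddress $dnsServers -Action Allow | Out-Null

# 3. Time sync (W32Time service): NTP to the time server's current addresses.
$ntpAddrs = (Resolve-DnsName $ntpServer -Type A | Where-Object QueryType -eq 'A').IPAddress
New-NetFirewallRule -DisplayName "$tag NTP out" -Direction Outbound -Program $svchost `
    -Protocol UDP -RemotePort 123 -RemoteAddress $ntpAddrs -Action Allow | Out-Null

# 4. Inbound only from the LAN, the counterpart of "Allow IP In From In [Local Area Network]".
New-NetFirewallRule -DisplayName "$tag LAN in" -Direction Inbound -Program $svchost `
    -RemoteAddress 'LocalSubnet' -Action Allow | Out-Null

# Windows Firewall evaluates Block rules before Allow rules, so a "block svchost to
# everywhere else" rule would also defeat the allows above. Default-deny for
# outbound traffic is a per-profile setting instead; review before enabling:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
# With that in place, Windows Update needs its own allow rules or a temporary
# relaxation before you run Microsoft Update, as MrBrian describes doing.

Get-NetFirewallRule -DisplayName "$tag*" |
    Format-Table DisplayName, Direction, Action -AutoSize
```

The NTP rule is the one that goes stale: time servers resolve to changing addresses, so either re-run the script periodically or allow UDP 123 outbound to any address if that is an acceptable trade-off. Everything svchost does beyond these four rules, including the Teredo traffic mentioned earlier in the thread, is then something the default outbound action decides, which is the “ask me” behaviour the original question wanted expressed as policy rather than as a prompt.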