Many threads about svchost and what rules to apply to this process exist around firewall forums. The process can run almost anything and that’s why problems occur. One service needs internet access to work properly whilst the other needs to be cut off from the internet to ensure a secure system.
I have been looking for a way to apply rules to individual services instead of the svchost file. I have only found one personal firewall that has functionality for this.
Maybe this would be something to add to a future version of Comodo Firewall / Internet Security. A special handling window where all services running on svchost.exe can be managed individually.
In “Active Connections”, whenever svchost.exe is shown as being used, Comodo Firewall should identify which actual process is using svchost.exe. As you know, svchost.exe can be used both by legitimate software and malicious software; it would be very useful if Comodo could identify which process is using svchost.exe to aid us in analysing any potential system compromises. It should also explain which IP addresses svchost.exe is calling to.
If you can’t wait for Comodo to make your wish come true, you might want to try this handy tool. The downside is that it needs .NET to work, but it runs great and the information is very revealing.
I use Sysinternals Process Explorer for the same purpose. (In an attempt to minimize the number of utilities I use and have on my system.)
Just point at svchost.exe in Sysinternals Process Explorer. You will get the same result as in these external programs. The only difference is that the data is displayed in a tooltip (in Process Explorer).
Sysinternals Process Explorer does not even require installation.
It would be nice if CIS identifies which processes are using svchost.exe not only in the “Active Connections” window, but also in the “Active Processes” window.
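The mapping the posts above ask for can also be produced with built-in Windows cmdlets. The following is an added example, not code from any poster in the thread or from Comodo: it lists each svchost.exe instance with the services it hosts and the remote endpoints of its established TCP connections. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated PowerShell prompt; the variable names are illustrative.

```powershell
# Added example: map each svchost.exe instance to its hosted services
# and to the remote endpoints of its established TCP connections.

# Services grouped by the PID of their host process.
# -AsString makes the hashtable keys strings, so lookups do not depend on
# whether the PID is typed UInt32 (CIM) or Int32 (Get-Process).
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString
if (-not $servicesByPid) { $servicesByPid = @{} }

# Established TCP connections grouped by owning PID.
$connsByPid = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString
if (-not $connsByPid) { $connsByPid = @{} }

$report = foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $key = [string]$p.Id

    # Short service names hosted in this svchost instance.
    $svcNames = if ($servicesByPid.ContainsKey($key)) {
        $servicesByPid[$key].Name
    } else { @() }

    # Remote address:port pairs this instance is currently connected to.
    $remotes = if ($connsByPid.ContainsKey($key)) {
        $connsByPid[$key] |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }
    } else { @() }

    [pscustomobject]@{
        ProcessId = $p.Id
        Services  = ($svcNames | Sort-Object) -join ', '
        RemoteTCP = ($remotes | Sort-Object -Unique) -join ', '
    }
}

# An svchost.exe row with network connections but an empty Services column
# is worth a closer look in Process Explorer.
$report | Sort-Object ProcessId | Format-Table -AutoSize -Wrap
```

For the service mapping alone, `tasklist /svc /fi "imagename eq svchost.exe"` gives the same PID-to-service list from a plain command prompt.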