Need help on Firewall configuration

I feel that I might have a problem with the firewall configuration. The firewall does not seem to stop what I wanted it to block. I am blocking svchost due to a bot problem but I cannot seem to do so. Some descriptions are listed below:

Observed phenomenon that was suspected to be some kind of bot behavior:
svchost tcp connections to xxx.xxx.xxx.xxx:80 from local IP, random port (non-privileged)

Application rules:
c:\windows\system32\svchost.exe

  • Block and log tcp or udp in/out from ip any to ip any where source port is any and destination port is 80
  • allow and log IP in from ip any to ip 255.255.255.255 where protocol is any
  • allow ip out from ip any to ip any where protocol is any
  • allow and log tcp or udp in/out from ip any to ip 169.254.154.43 where source port is any and destination port is any
  • allow and log tcp or udp in/out from ip 0.0.0.0 to ip 255.255.255.255 where source port is in [67-68] and destination port is in [67-68]
  • block and log tcp or udp in/out from ip any to not in [secure] where source port is any and destination port is not in [necessary ports]

General notes:
Secure: 127.0.0.1, 192.168.0.0-192.168.255.255, 169.254.154.43-255.255.255.255
necessary ports: 53, 67, 68
Other blocked ports: port 137-139, 445 (on router, not Comodo)

Since the bot seems to be trying to connect to a lot of different IPs from Limelight Networks and Level 3 Communications, I have blocked each one I see whenever I see it in the active connections. The phenomenon observed is that svchost is sending a couple of bytes out (xxxx KB), then it's receiving lots of bytes (1.5 MB/s). There is no definite limit to the stuff it downloaded, since I always stop it before it hits 10 (the highest is 10 before I blocked it) and I don't have much interest in trying to see how high it can go. I feel that it might be a rootkit backdoor-trojan+spyware. As of now, I am using another computer to write this message.

But with the configuration above, a connection like this appeared.
Svchost connection (Source -> Destination):

  • TCP 192.168.0.xxx:2023 -> 69.28.183.254:80

I can't explain this. I thought I had already blocked port 80, didn't I? If someone can give me some directions, that would be great! :)

svchost.exe is part of "Windows Updater Applications" in Firewall/Advanced/Network Security Policy; that may be overriding the svchost.exe entry.
Try removing it and then for svchost put in these rules for starters:->

Allow and Log UDP out from Source ANY/Destination ANY/Source port=67/Destination port=68
Allow and Log UDP in from Source (Your Router's IP)/Destination ANY/Source port=68/Destination=67
Allow and Log UDP out from Source Any/Destination (your DNS server)/Source port any/Destination port=53
Block and Log IP in/out Source Address=ANY/Destination=ANY/IP details=Any

Try and get rid of the Malware as this will help a lot. Download http://www.malwarebytes.org/ and run a full scan to see what it finds.

Matty
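An added example, not code from the thread or from Comodo: a small first-match rule evaluator that models the two svchost rule sets above and shows why a group-policy rule checked ahead of the per-application rules would let the port 80 connection through. It assumes (our assumption, not a statement about how Comodo evaluates rules) top-to-bottom evaluation where the first match decides, a default of block when nothing matches, and a placeholder DNS/router address of 192.168.0.1.

```python
# Added example (not from the thread): first-match firewall rule evaluator.
# Assumption: rules are checked top to bottom, the first match decides, and a
# group-policy rule ("Windows Updater Applications") is checked before the
# per-application rules. Nothing here describes Comodo's real internals.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str          # "allow" or "block"
    proto: str           # "tcp", "udp" or "ip" (ip = any protocol)
    direction: str       # "in", "out" or "in/out"
    src: str = "any"     # "any" or a network in CIDR form
    dst: str = "any"     # "any" or a network in CIDR form
    sport: set = None    # None = any source port
    dport: set = None    # None = any destination port

    def matches(self, proto, direction, src, dst, sport, dport):
        in_net = lambda spec, ip: spec == "any" or ip_address(ip) in ip_network(spec)
        return (self.proto in ("ip", proto)
                and self.direction in ("in/out", direction)
                and in_net(self.src, src) and in_net(self.dst, dst)
                and (self.sport is None or sport in self.sport)
                and (self.dport is None or dport in self.dport))

def evaluate(rules, proto, direction, src, dst, sport, dport, default="block"):
    """Action of the first matching rule; `default` applies if none match."""
    for rule in rules:
        if rule.matches(proto, direction, src, dst, sport, dport):
            return rule.action
    return default

# Constructed model of the poster's svchost rules (the port 80 block comes first).
POSTER = [Rule("block", "tcp", "in/out", dport={80}), Rule("allow", "ip", "out")]
# Same rules with an assumed group-policy "allow IP out" evaluated before them.
GROUP_THEN_POSTER = [Rule("allow", "ip", "out")] + POSTER
# Matty's starter set, transcribed as posted; ROUTER is a placeholder address.
ROUTER = "192.168.0.1/32"
MATTY = [Rule("allow", "udp", "out", sport={67}, dport={68}),
         Rule("allow", "udp", "in", src=ROUTER, sport={68}, dport={67}),
         Rule("allow", "udp", "out", dst=ROUTER, dport={53}),
         Rule("block", "ip", "in/out")]

# The connection the poster could not explain (constructed local address).
SUSPECT = ("tcp", "out", "192.168.0.50", "69.28.183.254", 2023, 80)

if __name__ == "__main__":
    for name, rules in [("poster", POSTER), ("group+poster", GROUP_THEN_POSTER),
                        ("matty", MATTY)]:
        print(f"{name:13s} port 80 -> {evaluate(rules, *SUSPECT)}")
    print("matty DNS to router ->", evaluate(MATTY, "udp", "out", "192.168.0.50", "192.168.0.1", 51000, 53))
```

A check worth making before relying on the DHCP rules: a DHCP client sends from UDP source port 68 to destination port 67 and receives replies from 67 to 68, so compare the port pairing of any DHCP rule against what the firewall log shows for your own lease renewals.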