Puzzling v5.0 Firewall Inaction

Ronny- I have had ProcMon running yesterday and today, but rundll32.exe hasn’t tried to call out yet. I’ll let you know the results when it does.


I think it has to do with improvements made in the x64 version.

Normally it’s svchost.exe that does those “phone home” activities for M$, so if you put close monitoring on that it should probably drop traffic for that.

Do you have some tips regarding how to go about applying close monitoring on svchost.exe?


The simplest would be to put it in the Firewall rules and set the rules to log events.
Once events show up in the logs you can narrow it down as you like…

And I am to do this with all 10 instances of svchost.exe and make 10 different rules or just one, and if so which one? Will the Firewall log differentiate one instance from the other?


I have shown CIS to make Windows unusable as soon as you set the firewall and Defense+ to the highest security levels and shift whatever pre-defined group of rules to custom and ask, in order, precisely, to monitor the activity of every Windows executable and service.

You indeed, doing so, “narrow” the situation a lot, but not “as you like”.

No, all instances will use the same firewall rule.