rules for svchost.exe???

hi,

I don’t understand what the intention of this application is. Comodo Firewall notifies me that it’s dangerous, but when I block it, Kaspersky doesn’t update and I lose my internet connection within a few hours…

Now my rules in Application Monitor: Application Control Rules are:

application: svchost.exe
destination: any
port: any
protocol: tcp/udp out
permission: allow

and

application: svchost.exe
destination: any
port: any
protocol: tcp/udp in
permission: allow

Is that OK?

With these rules the update problem was solved, and so far (I left my PC on all night) I haven’t lost the internet connection.

Question: with these rules, what is and isn’t allowed for svchost.exe? Do I have to add any specific rule? Can they cause me any problem?

thanks

I think this is an app responsible for holding TCP/IP connections.

Well, I’m asking whether there is any security problem with these rules.

I need these rules for Kaspersky Antivirus to update correctly and to not lose the internet connection.

But:

What is and isn’t allowed for svchost.exe? Do I have to add any specific rule? Can they cause me any security problem?

There are a lot of people talking about svchost.exe and firewalls, saying block this, block that…

With the mentioned rules there are no problems with Kaspersky or the internet connection; I only want you guys to tell me if these rules are OK, or if I have to add any specific rule, or anything that can help me understand.

thanks again

Don’t worry about the details.
CPF will catch every action, whether it’s incoming traffic or outgoing.
CPF will handle your PC’s security in real time.

…eventually, someone with a better explanation will help you, if you ever come across any problem with your current setup.

What sort of internet connection do you have, nonick?

CPF lists svchost as a safe application. If you are getting reports that it is not safe you may have a problem with svchost.

I know opinions differ, but I would not give svchost that much access to the internet. There are some ports that it opens which are very easy to exploit from remote computers. Ports 1900, 445, 135, 5000 are among these. The ms-blaster worm targets port 135, which makes me wonder why CPF allows it to be open under the default settings.

If you have a router then svchost will need access to the router, which involves ports 67 and 68. For Windows security updates and some AV programs (I have never used Kaspersky so I can’t comment on it) svchost needs access to port 443 and port 53 (DNS).

Ports 67, 68, 443, and 53 are the only ports I allow svchost to use. All else are blocked either specifically or by default settings covered in the network rules.

Paris

Though it seems vulnerable, I believe it’s not.
As there is a guarantee of “out of the box” full protection, plus (so far) they’ve passed all of the leak tests that other firewalls won’t, and that includes a lot of port scanning.

I agree CPF passes all the leak tests, though problems do arise when you run the same leak test 2 or more times consecutively; CPF does encounter difficulties dealing with them.

Where is the guarantee listed that you speak of? And what compensation is offered when it does not pass the tests. It’s pointless offering a guarantee if there is no recall upon failure. It is a straw man guarantee.

I just feel safer with extra security, deliberately closing and blocking specific ports. This way I can rest assured nothing will accidentally or purposefully access my system on ports that are known to invite problems.

Paris

Whatever safe level that is, it will always depend on how the user takes every action.
And about those 2 or more consecutive tests that are said to bypass CPF, well, for real, I think it won’t work in REAL action.

I.e.:
…if a person gets a warning (alert), that’ll raise his/her awareness that something (might be) wrong on the system. And if it ever pops up again, I say that’s a pretty ignorant user who lets those warnings pass by twice. Isn’t it?

Even the most uneducated user knows this.
…once you hit the wall, man… don’t come back and hit the same wall, doh!

So do we need any special specific access to svchost.exe or let comodo do its job as it is by default?!

I really don’t know about “the others”, but I put my trust in CPF.
…it’s how Windows utilizes this file that started this problem.

You can try to Google around about this svchost, and you might be surprised at what you find.

Assuming that you have all CPF’s settings at default, then I agree with wisanggeni & that you should let CPF deal with it.

Background: svchost.exe is normally used by services.exe in order that System Services can access the Net (like Windows Update & such). CPF knows what svchost should be used for & will report any suspicious activity (giving you the option to allow or deny the action).

I didn’t know that CPF knew the origin and existence of each service used by Windows.
Very Kewl :wink:

I get the following msg from Comodo Firewall every time WinXP starts up, on a brand new PC a week old with new OS install:-

C:\windows\explorer.exe has tried to use svchost.exe through OLE Automation, which can be used to hijack other applications

I deny it each time (not remembering) in case I affect Windows, but I (as a newbie to firewalls) cannot understand why this high risk issue arises.

Hi Julie_M & welcome to forums.

Why high risk? Because nasty software has been known to exploit it.

But, this is probably OK & is likely to be something like Windows Update or some other such Windows Service. However, to be certain take a look at CPF’s log… export the log to HTML, open the HTML log version, find the relevant log entry & cut ‘n’ paste it here. We’ll check it for you, just to make sure.

All being well, you’ll be able to tell CPF to Allow the event (remembered) & that pop-up will not trouble you again (unless one of the components is updated, of course).

Hi kail, I’m looking at the activity log right now but I can’t see any option to export it to html! Would appreciate if you could explain how to export.

OK, I found it!

There are several “high” alerts involving svchost.exe, here are some samples:-

Date/Time :2006-09-22 23:50:40
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 207.46.232.189:ntp(123)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2006-09-22 23:51:14
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 255.255.255.255:bootp(67)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2006-09-22 23:56:42
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:207.46.157.125:http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 207.46.157.125:http(80)

Date/Time :2006-09-22 23:53:42
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 64.4.23.190:https(443)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications

The IP is MS & NTP (Network Time Protocol) indicates that it’s probably something that is trying to make sure your system time is correct.

Date/Time :2006-09-22 23:51:14
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 255.255.255.255:bootp(67)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

This is DHCP (Dynamic Host Configuration Protocol). Simply put, it is trying to obtain your Internet IP address & other relevant information (eg. IP addresses of DNS Server from a DHCP Server, subnet mask, router, etc…).

Date/Time :2006-09-22 23:56:42
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:207.46.157.125:http(80))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 207.46.157.125:http(80)

The IP is MS again & it’s probably Windows Update trying to check for new updates.

Date/Time :2006-09-22 23:53:42
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: TCP Out
Destination: 64.4.23.190:https(443)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications

The IP is Hotmail & HTTPS on port 443 says that it’s a secured connection over HTTP. If you have something on your system that attempts to check if you have any new email, then this is that.

In summary, if what I’ve said matches up with your expectations of your system’s actions, then allow it. If not, deny it. But, all these look OK to me.
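To make the two rule sets in this thread concrete (nonick’s allow-anything pair at the top, and Paris’s list of only ports 67, 68, 443 and 53), here is an added example, written for this page and not code from the Comodo forum or from Comodo itself. It parses CPF-style log records in the layout Julie_M pasted and evaluates each network event against both policies, so you can see what each would allow or block before changing the rules. The four outbound records reuse the protocol and destination values from the log above; the fifth, inbound record on port 135, is constructed, as is the rule-matching logic (first match wins, no match means CPF would prompt).

```python
"""Added example (not from the Comodo forum thread, not Comodo's code): parse
CPF-style log records and evaluate each event against an application rule set."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample log: the first four records carry protocol/destination values from the
# thread; the last one is constructed to show an inbound hit on port 135.
SAMPLE_LOG = """\
Date/Time :2006-09-22 23:50:40
Protocol: UDP Out
Destination: 207.46.232.189:ntp(123)

Date/Time :2006-09-22 23:51:14
Protocol: UDP Out
Destination: 255.255.255.255:bootp(67)

Date/Time :2006-09-22 23:56:42
Protocol: TCP Out
Destination: 207.46.157.125:http(80)

Date/Time :2006-09-22 23:53:42
Protocol: TCP Out
Destination: 64.4.23.190:https(443)

Date/Time :2006-09-23 00:02:11
Protocol: TCP In
Destination: 192.168.1.23:epmap(135)
"""

FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")           # "Key :value" / "Key: value"
PROTO_RE = re.compile(r"^(TCP|UDP)\s+(In|Out)$", re.I)              # "UDP Out"
DEST_RE = re.compile(r"^(?P<host>.+?):[\w-]*\((?P<port>\d+)\)$")    # "host:name(port)"


@dataclass(frozen=True)
class Event:
    time: str
    protocol: str   # "TCP" or "UDP"
    direction: str  # "IN" or "OUT"
    host: str
    port: int


@dataclass(frozen=True)
class Rule:
    protocol: str                # "TCP", "UDP" or "ANY"
    direction: str               # "IN", "OUT" or "ANY"
    ports: Optional[frozenset]   # None means any port
    action: str                  # "ALLOW" or "BLOCK"

    def matches(self, ev: Event) -> bool:
        return (self.protocol in ("ANY", ev.protocol)
                and self.direction in ("ANY", ev.direction)
                and (self.ports is None or ev.port in self.ports))


# nonick's two rules from the top of the thread: any port, in and out, allow.
OPEN_POLICY = [Rule("ANY", "OUT", None, "ALLOW"), Rule("ANY", "IN", None, "ALLOW")]
# Paris's policy: only 67, 68, 443 and 53 allowed; everything else blocked.
RESTRICTED_POLICY = [Rule("ANY", "ANY", frozenset({53, 67, 68, 443}), "ALLOW"),
                     Rule("ANY", "ANY", None, "BLOCK")]
# Ports Paris singles out as easy to reach from remote machines.
RISKY_PORTS = frozenset({135, 445, 1900, 5000})


def parse_log(text: str) -> List[Event]:
    """Split the export into blank-line-separated records and keep those with a
    parsable Protocol and Destination; any other fields are tolerated and ignored."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).lower()] = m.group(2)
        pm = PROTO_RE.match(fields.get("protocol", ""))
        dm = DEST_RE.match(fields.get("destination", ""))
        if pm and dm:
            events.append(Event(fields.get("date/time", ""), pm.group(1).upper(),
                                pm.group(2).upper(), dm.group("host"), int(dm.group("port"))))
    return events


def evaluate(ev: Event, policy: List[Rule]) -> str:
    # First matching rule wins; with no match CPF would prompt, reported here as ALERT.
    for rule in policy:
        if rule.matches(ev):
            return rule.action
    return "ALERT"


def audit(text: str, policy: List[Rule]) -> List[str]:
    """Decision per event, in log order."""
    return [evaluate(ev, policy) for ev in parse_log(text)]


def risky_hits(text: str) -> List[Event]:
    """Events touching the ports Paris warns about, regardless of policy."""
    return [ev for ev in parse_log(text) if ev.port in RISKY_PORTS]


if __name__ == "__main__":
    for ev, o, r in zip(parse_log(SAMPLE_LOG), audit(SAMPLE_LOG, OPEN_POLICY),
                        audit(SAMPLE_LOG, RESTRICTED_POLICY)):
        flag = "  <- risky port" if ev.port in RISKY_PORTS else ""
        print(f"{ev.time}  {ev.protocol} {ev.direction:<3} {ev.host}:{ev.port:<5} open={o:<5} restricted={r}{flag}")
```

Running it shows the trade-off kail’s log analysis points at: the open policy allows all five events, including the inbound port-135 hit; Paris’s list blocks that one, but it also blocks the NTP check on port 123 and the Windows Update check on port 80 that Julie_M’s log recorded. Exporting the log and running it through the intended policy this way tells you what will break before you tighten the rules.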

I get the idea. Thank you very much!

It appears to be a very efficient firewall. :slight_smile:

svchost.exe can be an Achilles’ heel for Windows. What CPF recognizes as svchost should be left alone unless something is alerted, at which point, as indicated above, it should be checked out. The bottom line is that Windows can’t live without it, and firewalls should be programmed carefully for this Windows process.

More info:

I found an interesting article on this subject - though in Spanish! - on this page:

part of which advises as follows (a rough translation ;)):-

+++

The majority of firewalls come with preset rules for outgoing connections, but for incoming connections two rules should be defined:

If the protocol is TCP
If the connection is IN
BLOCK

If the protocol is UDP
If the connection is IN
BLOCK

There are rare cases, very rare … in which the preset rules for outgoing connections are not enough and if this is your case (if there are occasions when the Firewall asks about an application requesting an outgoing connection using TCP), it would be best to define this rule:

If the protocol is TCP
If the connection is OUT
BLOCK

+++