rules for system and svchost

I know there are a few other topics about this but I have read through them and none of them give clear and definite rules for each of these. They both give a lot of popups and I want to have the best settings so they can do what they need to do and I don't get infected.

So can someone please give me clear details and instructions on what rules I should set for each of these?
thanks so much

I am afraid that no standard configuration exists; it depends on one's hardware settings (router, local network and external devices), OS and the applications used.

From a global point of view, svchost should only allow TCP/UDP out to the destination IP of your ISP, port 53, and in some situations bootstrap (UDP out, destination IP 255.255.255.255, destination port 67).

System does not have default allowing rules.

But the best way, as you said yourself, is trial and error: when you get popups, you extend them to general rules (e.g., if a request is made TCP in by some internet IP and port, deny globally all TCP in whatever the IP and port are; if now the request comes from your LAN, make the same kind of rules, before the previous one, allowing them as long as both source and destination are localhost or LAN, for whatever protocol and port…).

It really depends how you feel about security and your technical ability. If you want the easy way (in my opinion the least secure method) then follow the recommendation of the default install and some of the mods' opinions here. Basically this means you don't have a clue about the connections these services are making, as the rule advocated simply allows everything out for these services.

If you want to understand what your system is doing and where it is connecting to, then you will have to do things manually. It's really not so hard, but some are just too lazy to learn and are quite happy to put their trust in a third party.

The rules you need to create will, to some extent, depend on the OS you are using. As a rough guide:

Svchost:
DHCP
DNS
WSD
NTP
LDAP
Microsoft Updates
Teredo (Vista/7)
Protocol 41 tunnels (Vista/7)
LLMNR (Vista/7)

System:
NetBIOS (LAN)
GRE and IPSEC (VPN)
Protocol 41 (Vista/7)
IGMP

There are others.

Thanks a lot you guys for the help.
I am still learning how to learn Comodo.
How do I set up those 2 rules you said and then block everything else that isn't specified?

From a global point of view, svchost should only allow TCP/UDP out to the destination IP of your ISP, port 53, and in some situations bootstrap (UDP out, destination IP 255.255.255.255, destination port 67).

And one more question: when you say port 53, is that the source port or the destination port?

So are you behind a router? If you are behind a router, which also means NAT, you would worry about applications or viruses more than attacks from the internet.

Normally, for any single computer environment, the default “Outgoing Only” pre-defined rule is enough for svchost and system.

However if you have a small home network, you’ll have to deal with file and printer sharing, thus you have to give access to LAN computers. You can create a Network Zone and allow in/out for that zone.

To do that:
-You need to select Use a Custom Policy > Copy From > Predefined Security Policies > Outgoing Only
-Then add one yourself, select your zone for Source and Destination, Action Allow, Protocol IP, Direction In/Out. So Comodo will allow any connection between home(local) computers.
-Then move it into between the existing 2 rules.
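The two rule sets described in this thread (the narrow svchost policy of DNS to the ISP resolver plus DHCP bootstrap from the earlier reply, and "Outgoing Only" with a LAN zone rule slotted "between the existing 2 rules" from the reply just above) can be checked with a small first-match model. The following is an added example, not code from the thread or from Comodo: it evaluates constructed traffic against each policy and shows what happens when the zone rule is placed below "block IP in" instead of between the two predefined rules. All addresses are constructed sample values; port 53 is modelled as a destination port, since that is where DNS queries are sent.

```python
"""Added example (not from the thread, not Comodo's code): a first-match
model of the application rules discussed above, run against constructed
traffic. It shows why the LAN zone rule has to sit between "allow IP out"
and "block IP in", and how the narrower svchost policy (DNS to the ISP
resolver, DHCP bootstrap) differs from plain "Outgoing Only".
All addresses are constructed sample values (RFC 1918 / TEST-NET ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed network zones: a home LAN, the ISP resolver, the DHCP broadcast.
ZONES = {
    "LAN": ["192.168.1.0/24"],
    "ISP_DNS": ["203.0.113.53/32"],         # stand-in for the ISP resolver
    "DHCP_BCAST": ["255.255.255.255/32"],   # limited broadcast for DHCP discover
}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    direction: str      # "in" or "out"
    src: str
    dst: str
    dport: int          # destination port ("port 53" in the thread is a destination port)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "block"
    proto: str = "ip"            # "ip" matches any protocol
    direction: str = "in/out"
    src: Optional[str] = None    # zone name; None means any address
    dst: Optional[str] = None
    dport: Optional[int] = None  # None means any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.direction == "in/out" or self.direction == p.direction)
                and (self.src is None or in_zone(self.src, p.src))
                and (self.dst is None or in_zone(self.dst, p.dst))
                and (self.dport is None or self.dport == p.dport))


def in_zone(zone: str, ip: str) -> bool:
    return any(ip_address(ip) in ip_network(net) for net in ZONES[zone])


def evaluate(rules, p: Packet):
    """Top-down, first match wins. With no matching rule the firewall alerts
    (modelled here as "ask"), which is the popup the original poster wants to avoid."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "ask", None


LAN_RULE = Rule("allow LAN in/out", "allow", src="LAN", dst="LAN")
ALLOW_OUT = Rule("allow IP out", "allow", direction="out")
BLOCK_IN = Rule("block IP in", "block", direction="in")

# Predefined "Outgoing Only" policy from the later post.
OUTGOING_ONLY = [ALLOW_OUT, BLOCK_IN]
# Zone rule inserted "between the existing 2 rules", as the post instructs.
HOME_NETWORK = [ALLOW_OUT, LAN_RULE, BLOCK_IN]
# Same rules with the zone rule appended last: LAN inbound hits "block IP in" first.
MISPLACED = [ALLOW_OUT, BLOCK_IN, LAN_RULE]
# The earlier post's narrower svchost policy: DNS to the ISP and DHCP bootstrap only.
STRICT_SVCHOST = [
    Rule("DNS to ISP (udp)", "allow", "udp", "out", dst="ISP_DNS", dport=53),
    Rule("DNS to ISP (tcp)", "allow", "tcp", "out", dst="ISP_DNS", dport=53),
    Rule("DHCP bootstrap", "allow", "udp", "out", dst="DHCP_BCAST", dport=67),
    LAN_RULE,
    BLOCK_IN,
]

# Constructed traffic samples as seen from the host 192.168.1.10.
SAMPLES = {
    "dns_query":     Packet("udp", "out", "192.168.1.10", "203.0.113.53", 53),
    "dhcp_discover": Packet("udp", "out", "0.0.0.0", "255.255.255.255", 67),
    "lan_smb_in":    Packet("tcp", "in", "192.168.1.20", "192.168.1.10", 445),
    "web_out":       Packet("tcp", "out", "192.168.1.10", "198.51.100.7", 80),
    "inet_in":       Packet("tcp", "in", "198.51.100.7", "192.168.1.10", 135),
}


def decide(policy, sample: str) -> str:
    return evaluate(policy, SAMPLES[sample])[0]


if __name__ == "__main__":
    for label, policy in [("Outgoing Only", OUTGOING_ONLY), ("Home network", HOME_NETWORK),
                          ("Misplaced zone rule", MISPLACED), ("Strict svchost", STRICT_SVCHOST)]:
        print(label)
        for name in SAMPLES:
            print(f"  {name:14} -> {decide(policy, name)}")
```

Under plain "Outgoing Only" the LAN file-sharing connection is blocked; with the zone rule between the two predefined rules it is allowed; with the zone rule below "block IP in" it is blocked again, because the block rule matches first. Under the strict svchost policy the outbound web connection matches nothing and produces an alert, which is exactly the trial-and-error step the earlier reply describes.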

sweet
thanks for the answer

SVCHost can be fairly gnarly to get a handle on, but if one is paying attention to what their system is doing and keeps track of the IPs and protocols that applications are using and sets up zones for those IPs, along with perhaps port ranges also, it's possible to discern what belongs to what.

For example I have concurrently on my system Ad-Aware 2010, Adobe, Windows Defender, not including the default Windows Automatic Updates. The only way to get the hang of SVCHost is to know what IPs and protocols those applications use and dial out to. That way when an IP address is alerted by SVCHOST, you've got something as a baseline. So if SVCHost is attempting access to an IP that exists in Ad-Aware Admin.exe's IP zone, then it's a simple matter to add that zone to the SVCHOst ACL. This only gets more complicated by the fact that there are multiple applications within some of those apps, e.g., Ad-Aware Admin, AAWService, Adobe ARM, Java JRE (several update apps), all of which have several different server domains from which they obtain updates (not to mention that sometimes edge caching networks are shared by different update applications, and some applications first hit SSL (port 443) prior to hitting a different IP (only to discover a week or two later the port 80 IP is now used as the port 443 IP, but the port 80 IP is something completely different and not shared by anything else)).

You really have to ride herd closely on the herd-of-cats application ACL if you want to keep a tight rein on SVCHOST.
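The baseline the post above describes, knowing which svchost activity belongs to which service, can be built from two standard Windows commands: `tasklist /svc` lists the services hosted by each svchost PID, and `netstat -ano` lists connections with their PID. The following is an added example, not code from the thread or from any of the products it names: it joins the two outputs on the PID column and groups remote endpoints by service group. Both command outputs are constructed samples with TEST-NET addresses, not captures from a real machine. One caveat it encodes: Windows `netstat` prints `*:*` as the foreign address of every UDP socket, so UDP activity such as DNS and DHCP cannot be attributed this way and has to come from the firewall's own log.

```python
"""Added example (not from the thread): build a baseline of which svchost
service group talks to which remote endpoint, by joining the PID column of
`netstat -ano` with `tasklist /svc`. Both command outputs below are
constructed samples with TEST-NET addresses, not captures from a real host."""
import re
from collections import defaultdict

# Constructed `tasklist /svc` output.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    880 Dhcp, EventLog, lmhosts
svchost.exe                   1016 Dnscache, NlaSvc
svchost.exe                   1204 BITS, wuauserv
firefox.exe                   3456 N/A
"""

# Constructed `netstat -ano` output. Windows prints "*:*" as the foreign
# address of every UDP socket, so UDP peers (DNS, DHCP) never show up here.
NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    192.168.1.10:49700     198.51.100.7:443       ESTABLISHED     1204
  TCP    192.168.1.10:49712     198.51.100.23:80       TIME_WAIT       0
  TCP    192.168.1.10:49720     203.0.113.9:443        ESTABLISHED     3456
  TCP    192.168.1.10:49731     198.51.100.50:80       ESTABLISHED     1016
  UDP    0.0.0.0:68             *:*                                    880
"""

TASKLIST_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s*$")


def parse_tasklist_svc(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output.
    Header and separator lines have no numeric PID column and are skipped."""
    pid_to_svc = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        pid_to_svc[int(pid)] = (image, names)
    return pid_to_svc


def parse_netstat_ano(text):
    """Yield (proto, remote_ip, remote_port, pid) for sockets that have a peer.
    Listening TCP sockets and UDP sockets (foreign address *:*) are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, foreign, pid = parts[0], parts[2], int(parts[-1])
        if proto == "TCP" and parts[3] == "LISTENING":
            continue
        ip, port = foreign.rsplit(":", 1)
        if ip in ("*", "0.0.0.0", "[::]"):   # no remote peer on this socket
            continue
        yield proto, ip, port, pid


def svchost_baseline(netstat_text, tasklist_text):
    """Group remote endpoints by the svchost service group that owns the PID,
    so a rule can be scoped to e.g. BITS/wuauserv instead of all of svchost."""
    services = parse_tasklist_svc(tasklist_text)
    baseline = defaultdict(set)
    for proto, ip, port, pid in parse_netstat_ano(netstat_text):
        image, names = services.get(pid, ("unknown", []))
        if image.lower() != "svchost.exe":     # PID 0 (TIME_WAIT) and other apps
            continue
        baseline[", ".join(names)].add((proto, ip, int(port)))
    return dict(baseline)


def rule_hints(baseline):
    """Render the baseline as candidate zone entries for the firewall's ACL.
    As the post warns, update servers move between IPs and ports over time,
    so these are starting points to verify, not permanent rules."""
    lines = []
    for group in sorted(baseline):
        for proto, ip, port in sorted(baseline[group]):
            lines.append(f"svchost [{group}]: {proto} out to {ip} port {port}")
    return lines


if __name__ == "__main__":
    for hint in rule_hints(svchost_baseline(NETSTAT_ANO, TASKLIST_SVC)):
        print(hint)
```

On a real host the two strings would be replaced by the output of `tasklist /svc` and `netstat -ano` run as an administrator. The service-group grouping is what makes a zone per purpose (updates, network awareness, and so on) possible, instead of one ever-growing zone attached to svchost as a whole.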