Rules for system.exe and svchost.exe

Hello!

Sorry if I am posting in the wrong section.
I know that this has been discussed several times, but I want to get some things clear. From time to time I get alerts from the firewall that system.exe is trying to receive a connection from the Internet, in most cases through port 137 and from a remote IP. That happens to svchost.exe too, but it’s from the other computer on the LAN, which I understand is normal.

My home network looks like this: I have a desktop, also with CIS on it, which is linked to a Thompson SpeedTouch 516v6, and a laptop connected through LAN and Internet Connection Sharing. I’ve tried to add some rules myself for system.exe and svchost.exe, but I’m not sure those are the right ones.

From what I’ve read on the forum, those two (and a few other Windows services) should be set to outgoing only, but I think that’s not my case, because the computers are on the LAN and I could interrupt their communication.

So, would you be so kind as to tell me what rules I should make for system.exe and svchost.exe in order to let the two computers “speak” to each other and at the same time “Block and Log All Unmatching Requests”?

Thank you!

P.S.: I am running CIS 4.

Welcome to the Forum, Adrosmart.

I would place both of these as Outgoing Only (firewall rule)

Firewall/Advanced/Network Security Policy

Locate System and svchost.exe. Select each one and click Edit.
Select ‘Use a predefined Policy’, and from the drop-down box select ‘Outgoing Only’.
Click ‘Apply’ and ‘OK’.

I too am behind a router in a home LAN, and this does not interrupt communications from the other computers (one wired, one wireless), as they can see me and connect to my shared folders, access the files and folders that are available, write to and read them.

I will note, when CIS discovered my Home network, I selected to make my computer seen to all on this network.
On the Stealth Ports Wizard, I selected the second option, ‘Stealth my ports on a Per-case basis’


I’ve just applied your suggestions and restarted. It seems that the Internet works fine on the laptop, but the desktop can’t see the shared folders anymore. Furthermore, in the firewall logs I found something like 20 blocking notifications for system.exe between the IPs of my network.

So, I guess that there have to be other rules than Outgoing Only. I somehow know how to set them, but I get confused at the protocol, and I’m afraid of doing something stupid and making a breach in my system.

Other suggestions?

Thanks

If the rules apply like in v3, don’t do an outgoing rule (besides the fact that even outgoing NetBIOS ports are not a good idea).

Define a network zone (or two if you need localhost) and call it LAN, IP from, say, 192.168.0.1 to 192.168.0.255.

Now, make not global firewall rules, but application rules for your firewall.

You could create a rule for “all applications”, and allow it for everything as long as BOTH the source and destination are the zone called “LAN”, and place it on the top of the rules.

If not, you have to write a specific rule for each concerned application.
E.g., for System or svchost you would make a rule as above, immediately followed by a restricted rule for the Internet (I see no reason to allow anything else for svchost than TCP/UDP out to your DNS IP, port 53, and BOOTP port 67 to IP 255.255.255.255 if you have no fixed IP), itself immediately followed by a partial or global deny rule. Concerning System, ports 135 to 139 should be denied UDP out, as well as whatever traffic IP in, while of course TCP and UDP in should be denied for svchost, particularly for these same 135-139 ports, and at least asked for whatever else if you need some rule for a specific application not already present in the application rules, like FTP.
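The ordered rule set described in the reply above, modelled as an added example that is not part of the thread and not Comodo's own code: a small Python simulation of first-match application-rule evaluation, fed with constructed packets. The LAN zone 192.168.0.0/24 follows the post; the resolver address 198.51.100.53 and the process names "System" and "svchost.exe" are assumptions. It shows why the LAN-to-LAN allow has to sit at the top (without it, the same System/port 137 traffic between LAN hosts is blocked, which is what the original poster saw in the logs after switching to Outgoing Only).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed zones and addresses (assumptions for this example, not taken from the thread,
# except the LAN range, which is the reply's suggested 192.168.0.1-192.168.0.255).
LAN = ip_network("192.168.0.0/24")
DNS_SERVER = ip_network("198.51.100.53/32")   # assumed ISP resolver (documentation range)
BROADCAST = ip_network("255.255.255.255/32")  # BOOTP/DHCP discovery target
ANY = ip_network("0.0.0.0/0")
NETBIOS = range(135, 140)                     # ports 135-139 inclusive


@dataclass(frozen=True)
class Packet:
    app: str        # process the firewall attributes the traffic to
    direction: str  # "in" or "out"
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow", "block" or "ask"
    app: Optional[str] = None          # None matches every application
    direction: Optional[str] = None    # None matches both directions
    protos: tuple = ("tcp", "udp")
    src_zone: IPv4Network = ANY
    dst_zone: IPv4Network = ANY
    dports: Optional[range] = None     # None matches every destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            (self.app is None or self.app == p.app)
            and (self.direction is None or self.direction == p.direction)
            and p.proto in self.protos
            and ip_address(p.src) in self.src_zone
            and ip_address(p.dst) in self.dst_zone
            and (self.dports is None or p.dport in self.dports)
        )


# Rules in the order the reply recommends; first match wins.
RULES = [
    Rule("allow", src_zone=LAN, dst_zone=LAN, note="any app, LAN to LAN (top of list)"),
    Rule("allow", app="svchost.exe", direction="out", dst_zone=DNS_SERVER,
         dports=range(53, 54), note="svchost DNS out"),
    Rule("allow", app="svchost.exe", direction="out", protos=("udp",),
         dst_zone=BROADCAST, dports=range(67, 68), note="svchost BOOTP out"),
    Rule("block", app="System", direction="out", protos=("udp",),
         dports=NETBIOS, note="System NetBIOS UDP out"),
    Rule("block", app="System", direction="in", note="System anything in"),
    Rule("block", app="svchost.exe", direction="in", note="svchost TCP/UDP in"),
]


def evaluate(p: Packet, rules=RULES, default="ask"):
    """Return (action, note) of the first matching rule, or the default (the reply's 'ask')."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return default, "no matching rule"


# Constructed sample traffic mirroring the situations in the thread.
LAN_NETBIOS_IN = Packet("System", "in", "udp", "192.168.0.5", "192.168.0.2", 137)
WAN_NETBIOS_IN = Packet("System", "in", "udp", "203.0.113.7", "192.168.0.2", 137)
DNS_OUT = Packet("svchost.exe", "out", "udp", "192.168.0.2", "198.51.100.53", 53)
DHCP_DISCOVER = Packet("svchost.exe", "out", "udp", "0.0.0.0", "255.255.255.255", 67)
SYSTEM_NETBIOS_OUT = Packet("System", "out", "udp", "192.168.0.2", "203.0.113.7", 137)
WAN_SVCHOST_IN = Packet("svchost.exe", "in", "tcp", "203.0.113.7", "192.168.0.2", 139)
SVCHOST_HTTPS_OUT = Packet("svchost.exe", "out", "tcp", "192.168.0.2", "203.0.113.7", 443)


if __name__ == "__main__":
    for pkt in (LAN_NETBIOS_IN, WAN_NETBIOS_IN, DNS_OUT, DHCP_DISCOVER,
                SYSTEM_NETBIOS_OUT, WAN_SVCHOST_IN, SVCHOST_HTTPS_OUT):
        print(pkt, "->", evaluate(pkt))
    # Same LAN packet with the LAN-to-LAN rule removed from the top: it now hits the deny.
    print("without LAN rule:", evaluate(LAN_NETBIOS_IN, RULES[1:]))
```

The model deliberately keeps the deny rules after the narrow allows, so inbound port 137 from a remote address is blocked while the same port between two LAN hosts is allowed; the default action is the reply's "ask", and can be switched to "block" to mimic "Block and Log All Unmatching Requests".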