Some curious Svchost entries in the firewall log!

With 3.0.14.273/276 I’m getting a lot of these, never saw them under 3.0.13…


How strange, they’ve changed to WOS… Weird. No more svchost entries but no changes from me…


Just an observation I noted, toggie (because I too am getting all these block logs). When I first boot up I see the same source and destination IP with the same port used sending and receiving data, albeit only a small amount, and it is attributed to svchost. After this initial exchange it seems to block it every time under WOS. It's just weird and clogging up the logs and saying xxx amount of intrusion attempts. Something's causing them???

Cheers Matty

What’s weird is, I’m not getting the svchost entries now, just the wos entries, but they are the same, virtually.

UDP port 1026
port 1026

strange, very strange…

Anyway, I just turned off my logging and log only when something's wrong (e.g. the recent NOD32/Thunderbird troubleshooting)… I know which ports I have open and I don't care about other attack attempts since they'll never get through.

Hi Burillo, I am aware of the issue surrounding port 1026, which is why I have ports 1025-1030 completely disabled via the registry.

as a workaround you can explicitly block this port and turn off logging for this rule, while still logging everything else :-))

Thanks, I know. I'm curious about why. Port 0 is a reserved port and is generally not used. It can be, and is, used under some circumstances.

I’m curious as to why, for no apparent reason, the entries change from Svchost to WOS. I guess it’s just an academic thing.

I found some articles that attribute this to spam using Windows Messenger; see 'Re: [Dragonidsuser] Port 0 UDP traffic' on MARC, for example.

Sorry to mither toggie and all, but is the issue you're referring to on port 1026 to do with alg.exe? I have it listening on port 1025 and for all the world can't stop it. Your advice on various matters (to me and others) has been top drawer, so any advice you could give me on this would be helpful :slight_smile:

Regards Matty

ALG is the Application Layer Gateway service, which is used by the Windows built-in firewall and Internet Connection Sharing. You can disable it by disabling Windows Firewall (not Comodo!) and ICS if you don't use it. Then disable the ALG service and that should close port 1025. 1026 is related to Windows Messenger, I believe, which can also be safely disabled.

You may also wish to investigate closing DCOM and disabling NetBIOS using Google. NetBIOS is used with Network Neighborhood and Windows client file/print sharing stuff, though, so you might not want to switch that off…

It is possible to have an XP setup so NO ports are open, but this usually means file/printer/network sharing is disabled and so is DCOM.
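The steps in the post above (disable ALG/Messenger/ICS, close DCOM, turn off NetBIOS over TCP/IP) and the registry port reservation mentioned earlier in the thread, gathered into one audit script. This is an added example written for this page, not code from the thread, from Comodo, or from Microsoft. It assumes the XP-era service names `ALG`, `Messenger` and `SharedAccess` (Windows Firewall/ICS), that "ports disabled via the registry" means the `ReservedPorts` value under the Tcpip parameters key, and the `EnableDCOM` and per-interface `NetbiosOptions` registry values; the `-Apply` switch and function names are this example's own. It is meant for XP: on later Windows the Messenger service is gone and the firewall is a different service, so the audit simply reports "not installed" and `-Apply` only touches what exists. As the post says, only disable the Windows firewall when another firewall is in place.

```powershell
# Added example (not from the thread): audit the hardening steps discussed in the
# posts and optionally apply them with -Apply. Run from an elevated PowerShell.
param([switch]$Apply)

# Assumed service names: ALG = Application Layer Gateway, Messenger = the XP
# "net send" service (absent on Vista and later), SharedAccess = Windows
# Firewall/ICS on XP. Disable SharedAccess only if a third-party firewall runs.
$ServiceNames = 'ALG', 'Messenger', 'SharedAccess'
$TcpipParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$OleKey       = 'HKLM:\SOFTWARE\Microsoft\Ole'
$NetBtIfaces  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-ServiceAudit {
    # Win32_Service gives both running state and start mode on old and new hosts.
    foreach ($name in $ServiceNames) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; State = 'not installed'; StartMode = 'n/a' }
        } else {
            [pscustomobject]@{ Service = $name; State = $svc.State; StartMode = $svc.StartMode }
        }
    }
}

function Get-LowPortListeners {
    # Parse netstat rather than Get-NetTCPConnection so this also works on old hosts.
    # Matches LISTENING TCP sockets and all UDP sockets bound to 1025-1030, the
    # range the thread wants reserved (ALG on 1025, Messenger on 1026).
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$') {
            $port = [int]$Matches[3]
            if ($port -ge 1025 -and $port -le 1030) {
                $owner = Get-Process -Id ([int]$Matches[4]) -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Proto   = $Matches[1]
                    Local   = '{0}:{1}' -f $Matches[2], $port
                    PID     = [int]$Matches[4]
                    Process = $owner.ProcessName
                }
            }
        }
    }
}

function Get-RegistryAudit {
    $reserved = (Get-ItemProperty $TcpipParams -Name ReservedPorts -ErrorAction SilentlyContinue).ReservedPorts
    $dcom     = (Get-ItemProperty $OleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    # NetbiosOptions per interface: 0 = from DHCP, 1 = enabled, 2 = disabled.
    $nbt = @(Get-ChildItem $NetBtIfaces -ErrorAction SilentlyContinue | ForEach-Object {
        (Get-ItemProperty $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    })
    [pscustomobject]@{
        ReservedPorts              = if ($reserved) { $reserved -join ',' } else { '(none)' }
        EnableDCOM                 = if ($dcom) { $dcom } else { 'Y (default)' }
        NetBiosDisabledOnAllIfaces = ($nbt.Count -gt 0) -and (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0)
    }
}

function Invoke-Hardening {
    foreach ($name in $ServiceNames) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
    Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'N'
    # REG_MULTI_SZ; takes effect after a reboot, after which 1031 is the first
    # dynamic port, matching what the thread reports.
    Set-ItemProperty -Path $TcpipParams -Name ReservedPorts -Value ([string[]]@('1025-1030')) -Type MultiString
    Get-ChildItem $NetBtIfaces -ErrorAction SilentlyContinue | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

Write-Host '== Services ==';               Get-ServiceAudit    | Format-Table -AutoSize
Write-Host '== Listeners on 1025-1030 =='; Get-LowPortListeners | Format-Table -AutoSize
Write-Host '== Registry ==';               Get-RegistryAudit   | Format-List
if ($Apply) { Invoke-Hardening; Write-Host 'Applied; reboot for ReservedPorts to take effect.' }
```

Run it once without `-Apply` to see which of the listeners on 1025-1030 belong to alg.exe or svchost before changing anything; `ReservedPorts` only stops future dynamic-port allocations in that range, so a service that is still running keeps its socket until it is stopped and the machine rebooted.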

ALG and Messenger services are disabled. Windows Security centre and firewall are disabled. NetBIOS and SMB are disabled, as is DCOM and RPC over TCP/IP. As I said earlier, I have ports 1025 to 1030 completely disabled, so my first listening port is 1031.

Interestingly, when I run wireshark, I don’t see any entries that match those listed in the firewall, I assume, because they are blocked. What I do see, as mentioned elsewhere, are the typical ‘NetSend’ Spam messages that are related to the messenger service. See attached.

@riggers.

As heffalump says, ALG is required if you use ICS, so if you don’t just disable the service.
