I’m using CIS with a custom rule-set enabled in the firewall. I’m not sure why “svchost.exe” and “system” want to access the internet. I’ve tried to block them but then I am unable to browse the internet. I’ve checked online for both of these processes and found the method to block svchost.exe from services.msc (Background Intelligent Transfer Service); however, even after disabling this service it starts again when the system is restarted. There is no information available online about “services”.
Can someone please help me as I really would like some information if these two services should be allowed and if so why because there is not much information available online about it.
Please let me know if any additional information is required.
Service Host (svchost.exe) makes the connections for: DHCP’s initial and established connection (ports 67-68, just for IPv4), DNS lookups (if the DNS service is still enabled) on port 53 (IPv4), Time Protocol (port 123 UDP) and Windows updating.
Very much needed.
System is allowed (the system kernel does connect out). So do other files in System for both LAN and internet connections. Also very safe.
If not sharing files, allow only the DNS port and the DHCP ports for the svchost process (if you want Windows Update, allow ports 80 and 443; it is not safe).
You can set up blocking of all ports except the DNS, DHCP… ports and the Windows Update ports;
…
If it happens all the time and on a specific port, block it in the firewall settings…
Report your problem in the “bug report” area: Comodo Forum
For better understanding, post an image or video of your problem with CIS…
Sorry for my English!
In Process Explorer or Process Hacker I have at least 13 instances of svchost services running.
I would like to block some of those svchost instances from accessing the internet but…
It’s a very missed feature of CIS not being able to add FW rules for services but only for processes…
Hope we get this great feature one day…
“svchost.exe” is a Windows service that provides a shared service for multiple processes, this to reduce resource consumption, or so they say.
So two programs choose to use “svchost.exe” to connect to the internet instead of each having a separate dedicated internal module that does this.
Then instead of seeing two processes in the firewall, each connecting like “GoodAppA.exe” and “GoodAppB.exe”, that we can choose to block or create rules for,
we see:
“svchost.exe” connecting to this IP and that IP.
This is because the firewall doesn’t know what process started that svchost service.
If one uses “Process Explorer” from Microsoft, he can see that there are many instances of svchost present. Sometimes there is info about the various processes attached to svchost. Most of the time there is no info.
That is because Windows hides on purpose what processes opened the service, because they don’t want the user to know what the OS is doing, what info it is sending to the internet, what data is collected and so on.
It also makes it very difficult to block any of these Microsoft services and one can’t create rules for them.
Unfortunately Microsoft is not the only one that does this; other evil parties can use this “svchost.exe” service.
So the answer is no, “svchost.exe” is not “safe”, far from it.
It’s like oldsod said, but it also depends on what level of privacy and the surface attack area you’re after. Personally I block all traffic for System(4), and for svchost.exe only allow BootPC ports 67/68 and then create a single rule to allow any outgoing connection to any address to connect to a single port 53 (DNS). Under that I create a rule to block all incoming and outgoing traffic. No Windows updates, but rather depend on HIPS and exploit protection. svchost.exe is the single greatest risk to privacy and security on a PC. As far as NTP, it’s disabled in services.msc and I sync time with an old-school program called Neutron if needed.
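
The following PowerShell function is an added example, not written by any poster in this thread: for each running svchost.exe instance it lists the services hosted in that process together with its current TCP remote endpoints and local UDP ports, so a firewall alert for svchost.exe can be tied to a service before a rule is written. The function name `Get-SvchostNetworkMap` is hypothetical, and the code assumes Windows 8 / Server 2012 or later, where `Get-NetTCPConnection` and `Get-NetUDPEndpoint` are available.

```powershell
# Added example (not from the thread). Get-SvchostNetworkMap is a hypothetical name.
function Get-SvchostNetworkMap {
    # Running services, keyed by the PID of the process that hosts them
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance Win32_Service -Filter "State = 'Running'") {
        $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
    }

    # Non-listening TCP connections to non-loopback peers, keyed by owning PID
    $tcpByPid = @{}
    $ignore = '0.0.0.0', '::', '127.0.0.1', '::1'
    foreach ($c in Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        if ($c.State -ne 'Listen' -and $c.RemoteAddress -notin $ignore) {
            $tcpByPid[[int]$c.OwningProcess] += @("$($c.RemoteAddress):$($c.RemotePort)")
        }
    }

    # UDP endpoints carry no remote peer, so record the local port
    # (e.g. 68 for the DHCP client, 123 for time sync)
    $udpByPid = @{}
    foreach ($u in Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        $udpByPid[[int]$u.OwningProcess] += @([int]$u.LocalPort)
    }

    # One output row per svchost.exe instance
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $id = [int]$proc.ProcessId
        [pscustomobject]@{
            ProcessId     = $id
            Services      = ($servicesByPid[$id] | Sort-Object) -join ', '
            TcpRemote     = ($tcpByPid[$id] | Sort-Object -Unique) -join ', '
            UdpLocalPorts = ($udpByPid[$id] | Sort-Object -Unique) -join ', '
        }
    }
}

Get-SvchostNetworkMap | Sort-Object ProcessId | Format-Table -AutoSize -Wrap
```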