svchost.exe firewall rule problem

Hell-o :slight_smile:
Here’s what I’ve stumbled at…

  1. 32 bit
  2. windows XP SP3
  3. CIS 3.5.54375.427 (Firewall & Antivirus) & BOClean 4.27
  4. Rules concerning ICMP outgoing connections for WINDOWS\system32\svchost.exe don’t seem to apply. Despite blocking and “remembering” (and seeing that a rule is added) it keeps asking whether to allow the connection. When I block it again (+ remembering the action) an identical rule is added, and so on. It might be somewhat specific to our intranet and maybe not easy to reproduce.
  5. I tried to allow all outgoing IP connections for svchost.exe (supposedly including ICMP) and even then - again getting a pop-up. Also tried to move the whole svchost.exe ruleset above System (as there are some more liberal rules allowing connections to local intranet) with no different behaviour.
  6. Firewall is in safe mode, high alert level, enabled alerts for ICMP requests (now this is something :D), protect ARP cache, block gratuitous ARP frames, other non-specific options are at default I think.

Other than this slight inconvenience, CIS seems OK at the moment (except for 1-2 freezes while trying to edit rules, making CIS unresponsive until reboot… don’t know whether this will occur with this latest update)

At another pop-up I decided to try and allow + remember - rule was added and I deleted the blocking rules mentioned above. Guess what ;D Now firewall is blocking & logging all outgoing ICMP connections. So there seems to be something rotten in Denmark…

[attachment deleted by admin]

Try to create global rule…

Well, it’s not such a big annoyance :stuck_out_tongue: Just shows that perhaps some flags concerning at least ICMP are somewhat reversed and obviously not working as expected, doesn’t seem something difficult to fix. Hopefully developers will spare a bit of time (R)

SVCHost.exe turn to out going only,

System turn to out going only

did this help?


umm, svchost.exe was set as “outgoing only” at first. For System I must allow certain types of incoming connections from our local LAN (as in picture 2), so I can not set System as “outgoing only”. As mentioned, at some point it appeared that by allowing (no logging) ICMP incoming (picture 3) CIS is actually blocking & logging (exactly the opposite of the rule) ICMP incoming… which is what was aimed for from the beginning.

short summary of what’s encountered so far for the svchost.exe ruleset => what CIS is actually doing:
  0. “out-going only” standard ruleset => ask for each incoming ICMP attempt
  1. block (no logging) all incoming ICMP connections rule (above the “standard out-going only” pattern - “allow all outgoing TCP/UDP” and “block all incoming/outgoing IP” at the bottom) => ask for each incoming ICMP attempt
  2. allow (no logging) all incoming ICMP connections rule (above the “standard out-going only” pattern) => block & log each incoming ICMP attempt, (this is new) ask for each out-going ICMP request
  3. rule from 2. above rule from 1. (both above the “standard out-going only” pattern) => from time to time ask on ICMP incoming connection, from time to time - block & log incoming ICMP connection - here the mess is complete ;D

Update i
With all mentioned settings (what’s common is obviously the “out-going” pattern at the bottom which is supposed to silently allow all out-going TCP/UDP requests…) I’m asked from time to time for out-going UDP requests. Another one :slight_smile:

Rules which are at the system ruleset were automatically generated when networks were detected after install (allowed access for comps in the network), haven’t touched them since. The ICMP incoming connections (logged/asked for svchost.exe) are from computers exactly from these zones.

vlups, is it normal that in the firewall process explorer our beloved svchost.exe has multiple entries? I’ve been using CFP and CIS for some months but don’t remember having seen such a case.

Sorry, this is quite trivial, there are multiple instances running.

[attachment deleted by admin]