Svchost.exe trying to receive a connection from the Internet

I’m receiving the following pop-up message: “svchost.exe is trying to receive a connection from the Internet…”
I did not initiate any connection to the Internet at that time.
What should I do? Allow or dismiss the connection?

It’s happened a few times since I reinstalled Windows on this computer, so I’ve been recording the IP addresses and ports. Here are a few of them…

  • UDP 67.230.71.147 49169
  • UDP 121.55.195.61 62319
  • UDP 24.79.242.83 54958
  • UDP 94.173.20.118 65096

and a few more. So far I’ve been blocking them.

Before you have to think about unrequested incoming traffic attempts another time, or before you don’t realize that a question is about incoming traffic at all…

Use the Stealth Ports Wizard, “hide me from everyone”, because a PC which isn’t a server usually never needs to get traffic which isn’t initiated by an outgoing request first.

Windows updates… and everything that is needed is requested by your PC. So it’s always enough to work with exclusively OUTgoing rules; the requested packets will arrive.

The internet doesn’t “scan” for a PC to help it… so block all unrequested traffic by default.

I narrowed it down to this happening only when uTorrent is running (P2P applications).

So in a sense, my computer is acting as a server, but some connections (like scv host) seem redundant when uploading and downloading to/from other computers. Unless there’s something about scvhost that I’m not realizing… Blocking it did not seem to interfere, so my only assumption is that the incoming request was likely to be malicious. Though I sure do wonder what would happen if I was to allow these requests.

(Thank you for the suggestion, by the way. I just wish I didn’t rely on a few server-related things on occasion so I could actually take advantage of that feature.)

Maybe this is Teredo?

What is Teredo? Some sort of worm?
In real life, I know it refers to a shipworm that bores holes in wood…
So has Teredo been known to attack through uTorrent?

No, Teredo is Microsoft’s IPv6-to-IPv4 gateway. Some torrent clients use IPv6 packets for detecting torrent hubs on the Internet, and in this case Win7 runs the Teredo interface for the connection to Microsoft’s IPv6-to-IPv4 gateway. It looks like an outgoing connection on port 1900 and some incoming connections on ports in the range from 50000 to 65000.

Can you take a close look and tell whether the file that is getting the incoming alerts is called svchost.exe (Windows system file when in system32 folder) or scvhost.exe (possible malware)?

This is a safe file - svchost.exe.

Even safe files should not listen to strangers on the internet :wink:

Just making sure it is the legit svchost.exe. Not some file dressing up. :wink:
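A way to answer the “is it really svchost.exe?” question from the last few posts without eyeballing Task Manager. This is an added example, not something posted in the thread or a CIS feature; it assumes Windows PowerShell 3.0 or later and an elevated prompt (the ExecutablePath of SYSTEM processes is empty for a non-admin caller). The look-alike regex and the verdict labels are my own choices.

```powershell
# Added example, not from the thread: check that every running "svchost.exe" is the
# genuine Windows binary (right path, valid Microsoft signature, started by
# services.exe) and look for look-alike names such as scvhost.exe or svch0st.exe.
# Assumes Windows PowerShell 3.0+ and an elevated prompt.

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# PID -> image name lookup, so each svchost's parent process can be identified.
$nameByPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $nameByPid[[int]$_.ProcessId] = $_.Name }

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path   = $_.ExecutablePath
    $parent = $nameByPid[[int]$_.ParentProcessId]
    if (-not $path) {
        # No access to the image path: say so instead of guessing.
        [pscustomobject]@{ PID = $_.ProcessId; Path = '<no access>'; Signer = ''; Parent = $parent; Verdict = 'UNKNOWN (run elevated)' }
        return
    }
    # svchost.exe is catalog-signed. Current Windows verifies it through the catalog;
    # older Windows/PowerShell versions report NotSigned here, use Sysinternals sigcheck then.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $ok = ($path -ieq $expected) -and
          ($sig.Status -eq 'Valid') -and
          ($signer -like '*Microsoft*') -and
          ($parent -eq 'services.exe')      # the service control manager is the only legitimate parent
    [pscustomobject]@{
        PID     = $_.ProcessId
        Path    = $path
        Signer  = $signer
        Parent  = $parent
        Verdict = if ($ok) { 'OK' } else { 'SUSPICIOUS' }
    }
} | Format-Table -AutoSize

# Look-alike names: close to "svchost" but not exactly it (scvhost, svch0st, svchosts, ...).
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ne 'svchost.exe' -and $_.Name -match '^s[cv]{2}h[o0]st' } |
    Select-Object ProcessId, Name, ExecutablePath | Format-Table -AutoSize
```

A SUSPICIOUS verdict is a reason to look closer, not proof of malware: a third-party security product that injects into or re-launches services can trip the parent check, and a PID that was reused after the parent exited will show an unrelated parent name.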

This is the legitimate svchost.exe, no fake, no trojan or virus! CIS allows some service (hosted in svchost.exe) an outgoing connection and alerts on incoming. This is the usual scenario when a service is a gateway for some P2P connections, for example UPnP, Windows Live Essentials 2011 Mesh and Sync, and so on.

I wish CIS could use network rules for services as it does for processes. If so, we could tune a rule for a specific service (hosted in svchost.exe) and solve this problem.

SVCHost is a ■■■■■■ to get a handle on. The only way to get peace of mind with it is if you are rigorous and systematic with respect to ALL IP connection attempts. Do a search for my posts using the keyword SVCHost and my user name.

SVCHost virtually never bothers me, albeit I have 23 rules for it. Each rule implements a specific zone and sometimes port sets. SVCHost will share IP zones with particular apps. Those apps will also have zones that SVCHost never uses. Those apps may have components that make IP connection attempts independently of each other. These components may share zones amongst each other, but will usually have unique zones they don’t share.

Java (JRE), Ad-Aware, and Adobe auto-updates are examples of this behavior. While SVCHost will never access JRE-specific zones, configuring all the JRE components for proper IP access rights is a nightmare in its own right. One must be diligent, disciplined, rigorous and systematic. The crux of the methodology relies explicitly on the last rule for ALL app firewall rules: ask and log. You must check your logs regularly and deal with access attempts that get blocked after several access attempts. That’s usually the case if you’ve been away from your PC for an extended time. If you’re not there to answer, after 5 attempts or so, CIS blocks the attempt. Once you set up a rule then, and with IPs in proper zones, your system will just purr. Never check ‘remember this’ for any IP connection attempt (reason being: ‘remember this’ creates an allow all all all all rule :-TD ), even if you allow it. Derive your rules based on IPs in the log; zones are your friends.

You have to understand that in the grand scheme of things you are bad :P0l and CIS is good :P0l Without you CIS is dumb :P0l

@WxMan1

I have just one svchost rule in the firewall: “treat as blocked”.
Maybe you need an exception for Windows updates (outgoing rule), or one exception in a network (but not every day for everything like you say… and zones??? :stuck_out_tongue: ). Well, all runs fine, I am not annoyed by any question.

(I hope you don’t think that incoming attempts usually have any reason to connect to your PC.) You say you make IP-based allow rules for programs to be sure. (Of what? Any newly asked IP could be a bad IP though, no? If you don’t trust your programs, don’t let them contact the internet at all.)

DON’T use “allow incoming” rules, that’s important. You don’t need them, as requested packets arrive, and you never need unrequested packets anyway.
As long as you choose “outgoing” rules exclusively, the program connects to what it was programmed for, or to where it should connect to follow your request.

Block incoming traffic by default under global rules (block IP (means all protocols) IN any any any), as long as you are not running a server or using P2P.

Simple, done.

BTW, that you say “never use the remember button, because remember this would create an allow all rule” shows that your setting is low for the firewall: just one question for any…
Set it higher (address, protocol, port).

Well, I’ve been away on business for a bit and therefore unable to reply, but I checked in and noticed several replies. As for what I’ve further noticed, the svchost was indeed in the system32 folder. And another thing, it seems to be a different IP for every incoming request. For now, I’ll just block everyone.
I still wish I understood why these come in, but that’s really only a luxury, right? hahahh Is there a way to set up a specific rule JUST for svchost to block incoming requests? As long as that wouldn’t cause any system problems, of course.

Any unrequested incoming connections can be blocked.

Any unrequested incoming connections are useless and possibly dangerous.

Stealth Ports Wizard setting 3 (hide me from everyone) is the best solution.

Imagine them as if they were people on the street trying to talk to or convince you, like salesmen, tricksters, thieves… You will be happy when you don’t have to see them at all. In the internet world it’s the firewall which helps you to ignore them.

Maybe someone is just scanning the internet for exploitable svchosts, or computers. Don’t think about it. Block it. No one scans to give help!
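The OP asked for a rule JUST for svchost that blocks incoming requests, and the reply above says to stealth everything unrequested. CIS has no scripting interface for its rule editor, so here is the same idea expressed in the built-in Windows Firewall, which does. This is an added example, not something from the thread or from Comodo; it assumes Windows 8 / Server 2012 or later (NetSecurity cmdlets) and an elevated prompt, and the rule name and log handling are my own choices.

```powershell
# Added example, not from the thread and not a CIS feature: "block unsolicited
# inbound connections to svchost.exe, leave replies to outbound traffic alone",
# written for the built-in Windows Firewall (WFAS). Elevated prompt required.

$svchost = "$env:SystemRoot\System32\svchost.exe"

# 1. Default inbound policy = Block on every profile. WFAS is stateful, so replies
#    to connections this PC opened (Windows Update, DNS, NTP, torrent peers you
#    connected to) still get in; only unsolicited packets are dropped, silently,
#    which is what "stealth" means in practice.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Explicit block rule for svchost.exe, limited to sources that are not on a
#    directly attached subnet (the WFAS 'Internet' address keyword). That keeps
#    DHCP renewals (udp/68 into the Dhcp service) and SSDP from the home router
#    working. In WFAS an explicit Block wins over every Allow rule, so this also
#    overrides the built-in Remote Desktop / UPnP allow rules for traffic from outside.
$ruleName = 'Block inbound from Internet to svchost.exe'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $rule = @{
        DisplayName   = $ruleName
        Direction     = 'Inbound'
        Action        = 'Block'
        Program       = $svchost
        RemoteAddress = 'Internet'
        Profile       = 'Any'
        Enabled       = 'True'
    }
    New-NetFirewallRule @rule | Out-Null
}

# 3. Log dropped packets so "who is knocking?" can be answered from the log
#    instead of from pop-ups.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogFileName $log

# Last 20 dropped inbound UDP packets. Log columns: date time action proto
# src-ip dst-ip src-port dst-port size ... path (SEND/RECEIVE).
if (Test-Path $log) {
    Get-Content $log |
        Where-Object { $_ -match '^\S+ \S+ DROP UDP ' -and $_ -match 'RECEIVE\s*$' } |
        Select-Object -Last 20
}
```

uTorrent is unaffected by the svchost rule: its listening port belongs to uTorrent’s own process and is governed by its own program rule. What the rule does cut off is anything that expects to reach a service inside svchost.exe from beyond the local subnet, Remote Desktop (TermService) included, so add a narrower Allow for that from trusted addresses first if you need it.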

My setting is ‘too low for the firewall’? I’ve always used the ‘custom’ configuration (no rules for safe apps).

If an outgoing or incoming connection attempt is made to any arbitrary IP address, then an ‘allow all src MAC dest MAC’ rule is created for the particular protocol that generated the alert. This rule is automatically placed above any rule already in existence for said app.

If specific rules for an outbound protocol to a particular IP address are desired, one must look into the log to discern protocol and src/dest IP addresses/ports and create the rule manually.

SVCHost is a glaring security risk for Windows; I have no less than 6 running on my system servicing about 20 services. There’s only ONE way to get a handle on it and that’s to keep a pulse on what services it’s servicing and where it wants to phone home to. Over 6 months I’ve accumulated about 25 rules for it (outbound connections to zones that I explicitly trust); some of these zones have between 5 and 15 IP addresses, ranges or entire domains.

SVCHost doesn’t merely handle Win Update, but also auto-update for Ad-Aware and Adobe. Most likely it’ll handle update requests by any service running on one’s system that is handled by SVCHost. That’s what SVCHost is, it’s a services service. What I found was that connection attempts were alerted by some root service (which I granted), and then immediately afterwards SVCHost wants access to the same IP destination.

That’s why I use zones virtually exclusively, because many IP connections are shared. If I put the IP address that Adobe updater wants access to into a zone, it’s quite simple to allow SVCHost access to that same zone; a heck of a lot easier to pick a zone rather than constantly typing octets into rules all the time.

@WxMan1
Quote:
“If specific rules for outbound protocol to particular IP address is desired, one must look into the log to discern protocol and src/dest IP addresses/ports and create the rule manually.”

TOTALLY WRONG. You just have to set the alert setting in the firewall behaviour settings to: very HIGH.
Custom mode does not automatically set everything to high; custom means that you are asked. The setting for this asking has to be done separately. That’s what I meant with “too low” in your case.
When you do it, you will see that you will allow by IP address and everything else… If it uses two ports of the same IP address, you will be asked again; if it’s UDP+TCP, you will be asked for any combination again.
If you want to make a more general rule, THEN you can do it manually.

And about updates: when I want to update any program, I would give this program the right “OUTgoing only, UDP+TCP”. I don’t know why you think they would need svchost to connect somewhere too. For me third-party program updates work fine without allowing any part of the operating system to connect to the internet.

Well, you learn something new every day. Firewall alert setting ‘very high’ does indeed create a connection specific allow rule (for the specific dest port too) when ‘remember this’ is ticked.

As far as SVCHost being implemented for certain app updates, that’s what experience has shown to be the case. Specifically Ad-Aware, Adobe ARM and JRE updates. Each app has its own components and each component requests IP address connections from time to time. After granting internet access for the app (and establishing the appropriate permanent rule), SVCHost chimes in and says: “ME TOO!” This is easy enough to configure; just allow SVCHost access to the same zone as for the previously created app update rule. What I’ve found is that SVCHost requests access to some of the updater app’s zones (but not all of them). For example, the JRE updater apps comprise:

  • jusched
  • jucheck
  • jaucheck
  • javaw
  • deploy.jar

Each app has IP addresses unique to itself, but over time it becomes apparent they share common connection zones. For that purpose I create a file group and allow the file group access to the zones in common (and remove the duplicate rule from each app separately). Now for all the zones defined, i.e., common, jusched, jucheck, jaucheck, javaw & deploy, SVCHost shares ONE ZONE w/ONE app, i.e., jaucheck (and that specifically to a particular domain: qwest.net).

As far as UDP protocol goes, I’ve seen no need to allow UDP except on port 53 (for DNS); my rules are exclusively TCP outbound to port 80 (or 443 as the case may be). To handle DNS I created a file group of EVERY app that needs DNS access to port 53; no alert rule necessary since every other app has one and will intercept any unspecified in/out IP protocol connection attempts.

As far as WAU, I don’t have (a) specific rule(s), albeit wuauclt.exe and wupdmgr.exe ARE in the DNS file group. Those two apps probably are handled by SVCHost, i.e., this is normal status for SVCHost:

Image Name     PID   Services
svchost.exe    620   DcomLaunch
svchost.exe    680   RpcSs
svchost.exe    756   AudioSrv, CryptSvc, EventSystem,
                     lanmanworkstation, Netman, Nla, RasMan,
                     Schedule, SENS, ShellHWDetection, Themes,
                     winmgmt, wuauserv
svchost.exe    892   Dhcp, Dnscache
svchost.exe    1160  Wecsvc
svchost.exe    1704  TermService
svchost.exe    308   TapiSrv

But I sure as heck ain’t giving SVCHost carte blanche to phone home wherever it wants. IF I can resolve the SVCHost connection destination IP address domain name to something reasonable, e.g., MS edge-cache network (MSECN), or Sun.com, etc., I’ll allow it w/out question. If the domain name is returned as unknown, then I ensure that SVCHost isn’t hijacked, i.e., no extra occurrences of SVCHost processes are executing, and that ALL services associated w/each instance of SVCHost are reasonable (and no instance of SVCHost w/out an associated service is running). IF that is the case, then I add the IP address to the [SVCHost - ? ? ?] zone.

Otherwise, if the domain name can be resolved, I add the IP address to the zone with that domain name OR create a new zone with the new domain name (and make a TCP allow out-rule to the new zone). The latter being on port 80 explicitly (unless the request is explicitly to port 443; or both 80 & 443 as the case may be). I’ve found that some port 443 zones become port 80/443 zones, and some IPs in previously port 80 exclusive zones become 80/443 shared, but some port 80 and 443 IP address zones remain exclusive to either port 80 or 443 as defined.

Furthermore, I’ve never seen SVCHost access the [CRL] zone, i.e., CA issuing domains, e.g. Verisign; that appears to be the explicit purview of the individual updater apps (which interestingly enough is NEVER accessed on port 443). But those apps accessing [CRL] ALL have domains/zones that access port 443.

Have you never tried to ignore what svchost says?

When I want to update something, maybe something else wants something too. But that does not mean it is needed.
I was always able to update anything from a third party without anything else related to the operating system being allowed to contact the internet. When something from the operating system wants to connect too (during installation and update), I simply block it and look what happens: the update is a success. So I block those unneeded requests permanently.

Allow what is needed, don’t care about the rest, block it.

Simple example: while you update something without an internet connection, does it fail because svchost can’t connect to the internet? I guess it doesn’t fail. So why should svchost suddenly have to connect to the internet to update a regular third-party program when you connect to the internet for the first time?

I see you have given a lot of thought to zones and shares and stuff. But you create a forest with a thousand trees, so you don’t see the sky any more… maybe you don’t even see the forest among all the trees. If your descriptions are necessary to use the internet, I would not use it.
The simpler your strategy is, the more effectively you can decide. In a 3-page calculation, you can make mistakes. In a one-row calculation, you will see the mistake…

My row is this: allow what is needed, don’t care about the rest, block it.

If you want to know which process the svchost.exe that you’re looking at in Task Manager is actually servicing, you can install the free “Process Explorer” from Sysinternals.
It’s like a beefed-up Task Manager.

Then you can just hover your cursor over the svchost.exe process you’re interested in and it will show which services that particular ‘svchost.exe’ is acting for. (It will also show the relevant Command Line and Path.)
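The Process Explorer hover above tells you which services live in a given svchost.exe; the Teredo post earlier in the thread is really a question about which of those services owns the UDP socket the alert is about. The script below does both from the command line: every listening socket owned by an svchost.exe, next to the services hosted in that PID. This is an added example, not from the thread or from Sysinternals; it assumes Windows 10 / Server 2016 or later (the OwningProcess property on the NetTCPIP cmdlets) and an elevated prompt, and the column names are my own.

```powershell
# Added example, not from the thread: listening TCP/UDP sockets owned by svchost.exe,
# with the services hosted in that process. An inbound UDP alert for svchost is
# explained if the socket belongs to iphlpsvc (Teredo and the other IPv6 transition
# tunnels), SSDPSRV (UPnP discovery, udp/1900) or Dhcp (udp/68); a socket in a
# svchost that hosts nothing you recognise is what deserves a closer look.
# Assumes Windows 10 / Server 2016+ and an elevated prompt.

# PID -> short names of the running services hosted in that PID.
$svcByPid = @{}
Get-CimInstance Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $id = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
    $svcByPid[$id] += $_.Name
}

$svchostPids = @(Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
                 ForEach-Object { [int]$_.ProcessId })

# Normalise TCP listeners and UDP endpoints into one shape.
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = [int]$_.OwningProcess }
}
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; PID = [int]$_.OwningProcess }
}

@($tcp) + @($udp) |
    Where-Object { $svchostPids -contains $_.PID } |
    ForEach-Object {
        $svcs = $svcByPid[$_.PID]
        [pscustomobject]@{
            Proto    = $_.Proto
            Local    = "$($_.Address):$($_.Port)"
            PID      = $_.PID
            Services = if ($svcs) { $svcs -join ', ' } else { '<no service - investigate>' }
        }
    } | Sort-Object Proto, Port | Format-Table -AutoSize

# Teredo itself: is the transition interface up, and which server/port does it use?
netsh interface teredo show state
```

Run it once with uTorrent stopped and once with it running: the Teredo socket (iphlpsvc) appearing only in the second run is the kind of evidence the thread was missing. `netsh interface teredo set state disabled` turns the interface off if you decide you do not want IPv6 tunnelled over UDP at all.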