I have been trying to restrict Svchost.exe to prevent it from being used to connect. So far, I have disabled the DNS service in Windows and applied restrictive rules to Svchost to specifically prevent it from providing DNS lookups and connecting to any IP address except some multicasting IPs. That seemed to work and several updaters and the like were not able to work until I gave them access to the DNS server by manually editing their Firewall rules. On Tuesday, update.exe - the MS Patch Tuesday updater - connected without any problem. There was no log of the event and both a DNS lookup and a connection to several IP addresses outside the permitted ones were observable in the “Active Connections” window. I am a bit puzzled as to why events that are easily observable in the “Current Connections” window are not being logged, especially since the connections are supposedly not allowed. It would be really nice to have a “Log all connections” option which really does record everything that happens. The problem is likely due to MS having built in a hole in the method used to firewall internet connections. However, that hole seems like a gift to hackers and should be plugged. Currently, there are no CIS rules for Update.exe in the Firewall’s “Network Security Policy”, which seems really odd since it obviously connects to the internet. This probably results from Update.exe using Svchost.exe to do its connections for it, but it does not seem possible to restrict Svchost.exe from providing connections. See the attached for the rules for Svchost and the Active Connections window showing the rules being broken.

Windows XP sp2 with other patches and updates all applied. Firewall version 3.5.57173.439

[attachment deleted by admin]

Never mind - I see that svchost.exe is considered a “Windows Updater Application”. Since that was listed at the top of the file list, Svchost.exe was getting its permissions from that rule set, so nothing that I did to the rules I wrote made any difference. That explains a lot.
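The rule-precedence effect described in this follow-up (a predefined application group listed above an application's own rules deciding every connection for that application) can be checked with a small first-match simulation. The following is an added example, not code from the poster or from Comodo, and it does not reproduce Comodo's actual rule engine: the rule names, the group membership, the RFC 5737 documentation addresses and the default-deny fallback are all assumptions chosen to show why the hand-written Svchost rules never fired and why moving them above the group changes the outcome.

```python
"""Constructed model of first-match firewall rule evaluation.

Added illustration only: the rule names, addresses and matching semantics
are assumptions, not the behaviour of any real firewall product.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    executables: frozenset                  # lower-case image names the rule covers
    allow: bool                             # True = allow, False = block
    remote_ports: frozenset = frozenset()   # empty = any remote port
    remote_prefixes: tuple = ()             # dotted-quad prefixes; empty = any address

    def matches(self, exe: str, ip: str, port: int) -> bool:
        """A rule matches only if executable, port and address all match."""
        if exe.lower() not in self.executables:
            return False
        if self.remote_ports and port not in self.remote_ports:
            return False
        if self.remote_prefixes and not ip.startswith(self.remote_prefixes):
            return False
        return True


def evaluate(policy: Tuple[Rule, ...], exe: str, ip: str, port: int) -> Tuple[bool, str]:
    """Walk the policy top-down; the first matching rule decides. Default deny."""
    for rule in policy:
        if rule.matches(exe, ip, port):
            return rule.allow, rule.name
    return False, "default deny"


def audit(policy: Tuple[Rule, ...], exe: str,
          samples: List[Tuple[str, int]]) -> List[Tuple[str, int, bool, str]]:
    """Report which rule decides each sample connection for one executable.

    This is the check to run before trusting a hand-written rule set: if every
    row is decided by the same group rule, the specific rules are shadowed.
    """
    return [(ip, port, *evaluate(policy, exe, ip, port)) for ip, port in samples]


# Assumed predefined group that also covers svchost.exe (the poster's finding).
UPDATER_GROUP = Rule("Windows Updater Applications", frozenset({"svchost.exe"}), allow=True)

# Assumed reconstruction of the poster's own svchost rules: multicast only,
# DNS blocked, everything else blocked.
SVCHOST_RULES = (
    Rule("svchost allow multicast", frozenset({"svchost.exe"}), allow=True,
         remote_prefixes=("224.", "239.")),
    Rule("svchost block DNS", frozenset({"svchost.exe"}), allow=False,
         remote_ports=frozenset({53})),
    Rule("svchost block all other", frozenset({"svchost.exe"}), allow=False),
)

POLICY_AS_LISTED = (UPDATER_GROUP,) + SVCHOST_RULES   # group at the top of the list
POLICY_REORDERED = SVCHOST_RULES + (UPDATER_GROUP,)   # specific rules evaluated first

# Constructed sample connections: a DNS query, an HTTPS session, an SSDP multicast.
SAMPLES = [("203.0.113.10", 53), ("203.0.113.20", 443), ("239.255.255.250", 1900)]

if __name__ == "__main__":
    for label, policy in (("as listed", POLICY_AS_LISTED), ("reordered", POLICY_REORDERED)):
        print(f"policy {label}:")
        for ip, port, allowed, rule in audit(policy, "svchost.exe", SAMPLES):
            verdict = "allow" if allowed else "block"
            print(f"  {ip}:{port:<5} -> {verdict:5} by '{rule}'")
```

With the group listed first, all three sample connections are allowed by "Windows Updater Applications" and the svchost-specific rules are never consulted, which is exactly the shadowing the follow-up describes; with the order reversed, the DNS query and the HTTPS session are blocked and only the multicast traffic passes. Because the group decision is an allow, a policy that logs only blocked connections would also show nothing, which matches the absence of log entries noted in the first post.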