Running XP Pro SP3. My security event logs keep filling up with these entries:
"Event ID: 861 Source: Security
The Windows Firewall has detected an application listening for incoming traffic.
Process identifier: 1204
User account: myusername
User domain: mydomainname
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 54777
User notified: No"
There are literally hundreds of these entries, with different ports over a wide range. Is this normal, and can I use CIS to somehow stop svchost from listening on those ports?
It’s not unusual for services to be listening, especially svchost, which, don’t forget, is only a host process for many services. Also, just because a service is in a listening state doesn’t mean it can be connected to; that will depend on the service and your firewall settings. As far as stopping services from listening, the only way to do that is by disabling the service, but be careful with what you disable. If you want to post some additional details we can see what’s what.
Yeah, I’d like to figure out what service is causing this. What kind of details would you need to hear?
I’m aware something like a filesharing program could be behind this kind of behaviour, but I don’t use anything of the sort.
As far as my firewall settings go, they’ve been set up according to Chiron’s guide for v6. I use Comodo’s safe DNS.
What you need to do is find the instances of svchost you have in a listening state, find the PID, then see which hosted services are using that instance. Use something like Process Explorer or Process Hacker to make things easy.
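One way to do that lookup from a script instead of by hand, as an added example that is not from this thread: it reads the Event ID 861 entries straight from the Security log and uses WMI instead of Process Explorer to list the services hosted in a given svchost instance. It assumes Windows PowerShell 2.0 on XP SP3 and an administrator account; 1204 is the PID from the quoted event and stands in for whatever PID you are chasing.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0 on XP SP3
# and an account that can read the Security event log (Administrators).

# 1. Collect the Windows Firewall "application listening" events (Event ID 861).
$events = Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 861 }

# 2. Pull the PID, protocol and port out of each event message.
$rows = foreach ($e in $events) {
    if ($e.Message -notmatch 'Process identifier:\s*(\d+)') { continue }
    $procId = [int]$matches[1]
    $proto  = if ($e.Message -match 'IP protocol:\s*(\w+)') { $matches[1] } else { '?' }
    $port   = if ($e.Message -match 'Port number:\s*(\d+)') { [int]$matches[1] } else { 0 }
    New-Object PSObject -Property @{
        Time = $e.TimeGenerated; ProcId = $procId; Protocol = $proto; Port = $port
    }
}

# 3. Summarise: how many events per PID and the port range it was caught on.
$rows | Group-Object ProcId | Sort-Object Count -Descending | ForEach-Object {
    $ports = @($_.Group | ForEach-Object { $_.Port } | Sort-Object -Unique)
    '{0,6} events  PID {1,-6} ports {2}-{3} ({4} distinct)' -f $_.Count, $_.Name,
        $ports[0], $ports[-1], $ports.Count
}

# 4. For a PID that is still running, list the services hosted in that svchost
#    instance (what "tasklist /svc" or Process Explorer would show for it).
$target = 1204   # placeholder: the PID from the event you are investigating
$proc = Get-Process -Id $target -ErrorAction SilentlyContinue
if ($proc) {
    "PID $target is $($proc.ProcessName), hosting:"
    Get-WmiObject Win32_Service -Filter "ProcessId = $target" |
        Format-Table Name, DisplayName, State, StartMode -AutoSize
} else {
    "PID $target is not running now; PIDs get reused, so only trust a live match."
}
```

Only step 4 tells you which services are behind a given instance, and only while that process is alive; for old entries the PID may already belong to something else, so repeat the lookup while the events are still being written.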
Curiously enough, I see very little activity from this service on any of my systems; regardless, this service is related to the DNS Client service. Basically, it caches DNS queries locally so that, when you need to resolve an address, the system checks the local cache before sending the request to your preferred DNS server(s). It is possible to disable the service (services.msc), but it can cause problems, one of which, depending on your firewall rules, may require individual DNS rules for each application.
Noticed one of the other svchost instances is running the service rpcss. Is this still considered a security risk these days, on an XP?
Whilst it’s possible to disable the services related to RPC, I wouldn’t; it will very likely break things. Just block TCP/UDP port 135.
If you’ve used the stealth ports option, you’re already blocking inbound connections on all ports, apart from those you explicitly allow. If you want to block outbound connections for this service(s) (there are several ways to do this), you could create a Global rule that blocks UDP and TCP out to port 135, but if you do that you block this port for anything that may want to use it, not just RPC. Better would be to create an Application rule for svchost that uses the aforementioned protocols/ports. Just make sure you place your new rule above the Application rule for Windows System applications.
Application Name - svchost.exe
Action - Block
Protocol - TCP or UDP
Direction - Out
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - 135
Either way, it’s a bit of a hammer to ■■■■■ a nut but without turning your application rules upside down…
Be aware, if you do use these rules, you may also prevent some ‘normal’ system communication between PCs on your LAN, if you have one…