svchost rules

Hi,

I’d really like to tighten application rules for svchost. I’ve searched around fruitlessly. Can you please give an example of rules for this so I might be able to plug in my settings?

Thank you,

Michele

There are no default allowed incoming Network rules, only some outgoing. So I take it that you want to tighten svchost.exe outgoing rules. I don’t know any, but I can lead you to the right places:

** FAQs/Threads - Read Me First ** (–> Bookmark this one if you haven’t!):

Increased Security Settings/Configuration (for power users) https://forums.comodo.com/index.php/topic,2405.0.html

https://forums.comodo.com/index.php/topic,3248.0.html

Firewall Leak Tester http://www.firewallleaktester.com/ has some info on security, including IP addresses and whatnot for various Windows/MS activities.

At the basis, you’ll probably want to set svchost.exe with parent of services.exe for UDP Out, destination port 53, 67 (DNS & DHCP); UDP In, destination port 68 (DHCP again); TCP Out, destination port 21 (Windows Updates). You can even set the IP addresses in there as well.

As long as you’ve left the default Network Monitor rule to Allow TCP/UDP Out to Any IP on Any Port, you don’t need to make any special allowances there, in regards to these Application rules.

Hope that helps get you started.

LM

svchost.exe is in the safelist. What if there’s a tightened Application rule to only allow svchost outgoing TCP/UDP where IP address is 192.168.1.1 (for simplicity’s sake) and the ‘don’t show any alerts certified by Comodo’ option enabled? Which takes precedence: the App rule or the option?

I’m gonna say the AppMon. Reason being, I use the safelist. I also have some specified rules for svchost.exe. I have seen it get blocked when it doesn’t conform to the rules. In fact, I get popups if it doesn’t conform; I get popups if it ABA’s me. Hmm. Hopefully that’s a “feature” not a “bug”… :wink:

LM

Why not throw it in the wishlist, m8?

I know that one’s in there already. Something to the effect of: User-defined rules to override predefined rules/alert frequency definitions.

LM

Soya & Little Mac,

Wow! Such speedy responses! Great! Going to read up! Thank you!

Michele

LM,
I saw those rules a while back in a capture file (Soya could find it, I can’t :)). I was having quite a lot of “limited connectivity” errors at the time, sometimes 2 or 3 times a day. The Event Viewer log was “couldn’t renew DHCP”.
I have had at least 4 months error free since I added the 3 svchost rules.

Sullo,

Yeah, we all know about Search Maestro Soya’s capabilities! ;D

Glad to know those worked for you. Connectivity is part of the reason I worked those out, myself. I wanted to limit svchost’s access, but not my connectivity. Worked for me, too. I did have to add some network rules to help with DNS and DHCP upkeep, for the traffic side of things.

LM

You can also stop svchost from doing DNS.

To do so, open services and stop/disable the DNS Client service. Once done, you will need to create individual DNS rules for each of your applications:

App Name - Dest: Your ISP DNS servers - port: 53 - UDP Out.

An easy way to create those rules is to set the Alert Frequency to Very High and then remember and allow for each DNS prompt. Unfortunately, you’re likely to get a lot of additional prompts too; just allow without remember. Once all your apps have DNS rules, you should be able to lower the Alert Frequency.

Also, if you don’t use win32time, block port 123.

Toggie
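As an added example (not code from the thread and not Comodo’s own logic), here is a small Python model of the two rule layers the posts above describe: LM’s tightened svchost.exe application rules (UDP Out 53/67, UDP In 68 and TCP Out 21, all with parent services.exe) and Toggie’s per-application DNS rules plus the port 123 block, checked against a few constructed connection attempts and then against the Network Monitor layer. First-match-wins ordering, the “Alert” result for traffic no rule covers, the simplified default Network Monitor set (allow outbound, block inbound) and the ISP DNS addresses 192.0.2.53/54 are all assumptions made for the example, not documented Comodo behaviour.

```python
"""Toy model of per-application firewall rules as discussed in the thread.
Constructed example: first-match evaluation, the Alert verdict, the default
Network Monitor rules and the IP addresses are assumptions, not Comodo's."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Conn:
    app: str          # executable making the connection
    parent: str       # parent process of that executable
    proto: str        # "TCP" or "UDP"
    direction: str    # "Out" or "In"
    remote_ip: str
    dest_port: int


@dataclass(frozen=True)
class Rule:
    app: str                                    # "*" matches any application
    action: str                                 # "Allow" or "Block"
    proto: str = "*"
    direction: str = "*"
    parent: str = "*"
    dest_ports: FrozenSet[int] = frozenset()    # empty set = any port
    remote_ips: FrozenSet[str] = frozenset()    # empty set = any address
    note: str = ""

    def matches(self, c: Conn) -> bool:
        return (self.app in ("*", c.app)
                and self.parent in ("*", c.parent)
                and self.proto in ("*", c.proto)
                and self.direction in ("*", c.direction)
                and (not self.dest_ports or c.dest_port in self.dest_ports)
                and (not self.remote_ips or c.remote_ip in self.remote_ips))


# Constructed placeholder addresses standing in for "your ISP DNS servers".
ISP_DNS = frozenset({"192.0.2.53", "192.0.2.54"})

# Application Monitor rules, top to bottom: the port 123 block (Toggie), LM's
# three svchost rules, a catch-all block for svchost, then a per-app DNS rule.
APP_RULES: List[Rule] = [
    Rule("*", "Block", proto="UDP", dest_ports=frozenset({123}), note="win32time unused"),
    Rule("svchost.exe", "Allow", "UDP", "Out", "services.exe", frozenset({53, 67}), note="DNS & DHCP"),
    Rule("svchost.exe", "Allow", "UDP", "In", "services.exe", frozenset({68}), note="DHCP reply"),
    Rule("svchost.exe", "Allow", "TCP", "Out", "services.exe", frozenset({21}), note="as listed in the thread"),
    Rule("svchost.exe", "Block", note="anything else svchost tries"),
    Rule("firefox.exe", "Allow", "UDP", "Out", dest_ports=frozenset({53}), remote_ips=ISP_DNS, note="per-app DNS"),
]

# Assumed simplification of the default Network Monitor rules.
NETMON_DEFAULT: List[Rule] = [
    Rule("*", "Allow", direction="Out", note="default: TCP/UDP Out to any IP, any port"),
    Rule("*", "Block", direction="In", note="default: block inbound"),
]
# The kind of extra NM rule LM mentions adding for DHCP upkeep.
NETMON_DHCP: List[Rule] = [Rule("*", "Allow", "UDP", "In", dest_ports=frozenset({68}), note="DHCP upkeep")] + NETMON_DEFAULT


def evaluate(rules: List[Rule], conn: Conn) -> Tuple[str, str]:
    """First matching rule wins; no match means the user gets an alert popup."""
    for r in rules:
        if r.matches(conn):
            return r.action, r.note
    return "Alert", "no matching rule"


def decide(conn: Conn, app_rules: List[Rule] = APP_RULES, net_rules: List[Rule] = NETMON_DEFAULT) -> Tuple[str, str]:
    """Application rules are consulted first; only allowed traffic reaches the Network Monitor."""
    verdict, note = evaluate(app_rules, conn)
    if verdict != "Allow":
        return verdict, "app: " + note
    net_verdict, net_note = evaluate(net_rules, conn)
    return net_verdict, "net: " + net_note


# Constructed sample connection attempts.
SAMPLE: List[Conn] = [
    Conn("svchost.exe", "services.exe", "UDP", "Out", "192.168.1.1", 53),
    Conn("svchost.exe", "services.exe", "UDP", "In", "192.168.1.1", 68),
    Conn("svchost.exe", "services.exe", "TCP", "Out", "203.0.113.10", 443),
    Conn("svchost.exe", "explorer.exe", "UDP", "Out", "192.168.1.1", 53),
    Conn("svchost.exe", "services.exe", "UDP", "Out", "203.0.113.7", 123),
    Conn("firefox.exe", "", "UDP", "Out", "192.0.2.53", 53),
    Conn("firefox.exe", "", "UDP", "Out", "198.51.100.9", 53),
]


def report(net_rules: List[Rule] = NETMON_DEFAULT) -> List[Tuple[str, str, str, int, str]]:
    """One row per sample connection: app, proto, direction, port, final verdict."""
    return [(c.app, c.proto, c.direction, c.dest_port, decide(c, APP_RULES, net_rules)[0]) for c in SAMPLE]


if __name__ == "__main__":
    for row in report():
        print(row)
    print("with DHCP netmon rule:", report(NETMON_DHCP)[1])
```

Running it shows why the thread keeps coming back to the Network Monitor: the inbound DHCP reply on port 68 passes the svchost application rule but is dropped by the default NM rules, and only passes once an NM rule for it is added. It also shows the other side of Toggie’s advice: a lookup from firefox.exe to a server outside the ISP list matches no rule and comes back as an alert, which is the prompt you answer with “remember” while building the per-app DNS rules.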

Thanks Toggie
For some reason or other I had forgotten to disable Windows Time. Another service gone by the wayside.
I’ll give the DNS rules a go.

LM
I haven’t added any netmon rules, should I?

Thanks
Sullo

Don’t have to if it works without them. If you’ve kept the default rules, you may not have to. If you’ve modified those to “tighten” things up, you may need to create some specific NM rules to match the detail of your AM rules, so the apps can connect.

I’d wait to see how the application rules do, first. In my experience, the NM rules are the first things that get “broken” as users try to tighten up their security. So I recommend it not be messed with unless necessary. As soon as Toggie finishes his security tutorial, we’ll all have a better idea of what to do… :wink:

LM

Thanks LM
Things are working fine, so I think I’ll take your advice and leave well enough alone.
I’m one of those users who has broken things a number of times, requiring a reinstall.
Learnt a lot though.

Regards
Sullo

As soon as Toggie finishes his security tutorial, we’ll all have a better idea of what to do… :wink:

Meh!

Every time I think I’m there, something changes ???

That reminds me, I need to post a query for the experts :wink: