I’ve come to the forums looking for assistance about svchost.exe. My question is how should I and others deal with svchost when we get alerts for connection requests. Is there a rule setup to help CIS users in dealing with svchost? I’ve tried to get assistance before; however, it went nowhere fast. If I could get some support from someone here at Comodo that would be great. Thank you.
Allow UDP out and register IP source 0.0.0.0 and IP destination 255.255.255.255
Where Source Port Is Any and Destination Port is 53
I’m not that great with firewalls so I’m not exactly sure what I need to do to put those 2 rules into the firewall. If I put Allow UDP out (rule 2), wouldn’t that mean that rule 1 would be listed under that?
And as for rule 3, you kinda didn’t complete the rule unless I’m misunderstanding something. If you want, post a picture of the SVCHOST rules completed in your CIS and I’ll make mine look like yours.
If you want the least hassle, just set svchost.exe to use the ‘Outgoing Only’ pre-set ruleset (which is allow IP out from any address to any address using any protocol). Which is probably what I’d do if I were you.
However, if you want to set it up manually so you know exactly what it’s connecting to, then the following screenshot is roughly what you can expect svchost to be making outgoing connections to. The certificate authorities it requests revocation lists from will likely differ.
As the ports are in ‘Portsets’, for reference these are the port numbers:
DNS Port - 53
BOOTP Port - 67
NTP Port - 123
SLP Port - 427
DHCPv6 Port - 547
LLMNR Port - 5355
Non Privileged Ports - 1024 - 65535
Thanks for the response. I appreciate the feedback :). I’m gonna go with liosant’s post and how he is set up since I’ve already started it. Maybe the outgoing only would have been the easiest option though lol.