This morning, when starting my computer, I randomly checked the Active Connections while connecting to my wireless router.
svchost.exe was connecting to a few strange IPs (other than my router), including IP addresses from RIPE, Akamai, the DoD (DNIC) 22.77.237.49 and AT&T 75.46.20.252. I have svchost.exe set to outgoing only. So I did a WHOIS on them and found it alarming that the DoD and AT&T are connecting to my computer. After doing the WHOIS searches and searching for this on the internet, most of the strange IP addresses stopped appearing except for AT&T’s. So I changed it to only allow my local and router’s address. This was just a random check, so I assume these are attempting to connect every day on start-up.
I also uninstalled a couple of programs that have been annoying me with their endless requests to connect despite my having set them not to automatically update (Garmin Express, and f.lux, a screen-dimming program for nighttime use and astronomy).
What are the best settings for svchost.exe in the firewall? Also, what is causing svchost.exe to connect to these addresses?
Also, rundll32.exe has been attempting to connect recently when it never did before.
I did a scan and nothing has turned up.
Any advice is welcome. Thanks.
edit: I created a custom policy to only allow my computer to connect out on IP and UDP to my router. I set UDP to connect from a set of ports that it was already connecting on to port 53. The only problem is that the computer is still connecting on UDP outside of the ports I set. Why are connections getting past the predefined ports?
btw: My computer will not connect to my router without at least allowing svchost to connect to the router.
Is the traffic from your computer to the DoD and AT&T or the other way around?
> After doing the WHOIS searches and searching for this on the internet, most of the strange IP addresses stopped appearing except for AT&T's. So I changed it to only allow my local and router's address. This was just a random check, so I assume these are attempting to connect every day on start-up.
> I also uninstalled a couple of programs that have been annoying me with their endless requests to connect despite my having set them not to automatically update (Garmin Express, and f.lux, a screen-dimming program for nighttime use and astronomy).
> What are the best settings for svchost.exe in the firewall? Also, what is causing svchost.exe to connect to these addresses?
The Service Host process can be used by various other processes, both Windows processes and those of applications you have installed.
> Also, rundll32.exe has been attempting to connect recently when it never did before.
> I did a scan and nothing has turned up.
> Any advice is welcome. Thanks.
Just keep a custom policy for it that will alert you when it wants to connect to the web. Also use Killswitch or a similar tool to see the program that's calling rundll32.exe.
> edit: I created a custom policy to only allow my computer to connect out on IP and UDP to my router. I set UDP to connect from a set of ports that it was already connecting on to port 53. The only problem is that the computer is still connecting on UDP outside of the ports I set. Why are connections getting past the predefined ports?
> btw: My computer will not connect to my router without at least allowing svchost to connect to the router.
Traffic on UDP port 53 is for getting an IP address from the DHCP server of your router.
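The reply above says that svchost.exe is a host for many services and that a tool such as Killswitch is needed to see which program is behind a connection. The same attribution can be done from a command prompt with tools that ship with Windows 7 and later. The script below is an added example, not code from the thread or from Comodo: it maps every svchost.exe socket to the services hosted in that PID (so an Akamai endpoint can be tied to, say, wuauserv or BITS rather than to "svchost"), and lists each rundll32.exe instance with the DLL named on its command line and its parent process, which is what identifies the program that started it. It assumes an elevated PowerShell prompt; nothing else is assumed.

```powershell
# Added example (not from the thread): attribute svchost.exe network endpoints to the services
# they host, and show which DLL each rundll32.exe instance was started with.
# Uses only tools present on Windows 7 and later (tasklist, netstat, WMI). Run from an elevated
# PowerShell prompt, otherwise sockets and command lines of SYSTEM-owned processes are hidden.

# --- 1. PID -> hosted services, from "tasklist /svc". CSV columns: Image Name, PID, Services ---
$servicesByPid = @{}
tasklist /svc /fo csv /nh |
    ConvertFrom-Csv -Header ImageName,PID,Services |
    Where-Object { $_.ImageName -ieq 'svchost.exe' } |
    ForEach-Object { $servicesByPid[[int]$_.PID] = $_.Services }

# --- 2. Parse "netstat -ano": TCP rows carry a state column, UDP rows do not ---
$endpoints = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
        New-Object PSObject -Property @{
            Proto  = $matches[1]
            Local  = $matches[2]
            Remote = $matches[3]
            State  = $matches[4]
            PID    = [int]$matches[5]
        }
    }
}

# --- 3. Keep svchost-owned sockets that point at a real remote host; annotate with services ---
# Listening sockets show 0.0.0.0:0 / [::]:0 and UDP sockets show *:* as the remote; drop those.
$endpoints |
    Where-Object {
        $servicesByPid.ContainsKey($_.PID) -and
        $_.Remote -notmatch '^(\*:\*|0\.0\.0\.0:|127\.|\[::\]:|\[::1\]:)'
    } |
    Select-Object Proto, Local, Remote, State, PID,
        @{ Name = 'Services'; Expression = { $servicesByPid[$_.PID] } } |
    Sort-Object PID, Remote |
    Format-Table -AutoSize

# --- 4. rundll32.exe: the DLL and entry point on the command line identify what asked for it ---
Get-WmiObject Win32_Process -Filter "Name='rundll32.exe'" | ForEach-Object {
    $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    $parentName = 'exited'
    if ($parent) { $parentName = $parent.Name }
    New-Object PSObject -Property @{
        PID         = $_.ProcessId
        Parent      = "$parentName ($($_.ParentProcessId))"
        CommandLine = $_.CommandLine
    }
} | Format-List PID, Parent, CommandLine
```

When one svchost.exe PID hosts several services, the Services column lists all of them and the socket cannot be pinned to one of them from the outside. Moving the suspect service into its own host process removes the ambiguity: `sc config Dnscache type= own` (note the space after `type=`), restart the service, and it runs in a dedicated svchost.exe whose PID appears alone in the table; `sc config Dnscache type= share` reverts it.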
From my computer out as I had it set to outgoing only. I can’t find the specific log of it but took them down manually as I saw the connections going out.
> The Service Host process can be used by various other processes, both Windows processes and those of applications you have installed.
> https://forums.comodo.com/firewall-help-cis/svchostexe-trying-to-receive-a-connection-from-the-internet-t63909.0.html;msg466403#new
Thanks. I'll take a ■■■■■ at it.
> Just keep a custom policy for it that will alert you when it wants to connect to the web. Also use Killswitch or a similar tool to see the program that's calling rundll32.exe.
> Traffic on UDP port 53 is for getting an IP address from the DHCP server of your router.
Thanks again. I’ll do this soon and report the results.
Killswitch is Comodo's advanced task manager. To access it, from the main page, click the green arrow in the upper right-hand corner. This will open the task interface. You will notice the General tab open. Click on (View Connections) and click the box (More). If you do not already have Killswitch installed, you will be prompted by the auto-installer. From here you can easily install Killswitch.
Once it opens, you will notice it is similar to Process Manager, but with many extras. There is a System tab which, when shown, is very similar to Process Manager, allowing you to monitor what processes and programs are running. To the right of the System tab is a Network tab, which is basically a process manager for network traffic. Very handy for (nailing down) what process is connecting, receiving or listening for traffic. The Comodo Killswitch install and help instructions can be found here: Monitor Software, Manage Software, Computer Security Tools | Internet Security v7.0
OK I downloaded Killswitch as part of Comodo Cleaning Essentials from this link.
rundll32.exe*32 tried to access the internet again, and according to Killswitch it just says it is an NT AUTHORITY\SYSTEM Windows host process (Rundll32).
There was a service running called TrustedInstaller.exe. What is that? I’ve seen it before in security properties.
Killswitch doesn’t appear to be able to run on a user account without administrator permission, and I’m almost always using that.
A few red entries pop up and disappear. What are those?
I ran Cleaning Essentials and ran a Smart Scan, and “hosts file altered” came up as the only problem; however, I didn’t change that, since Spybot S&D changes that (with Immunize, I believe) and locks it, and I entered a couple of addresses myself.
As a fresh user who followed Chiron’s config guide pretty much to the letter, I have a straight question: is it a good idea to set svchost.exe and dashost.exe to Outgoing Only? These two were the only popups I got so far, on a couple of different ports, and I really don’t want to create supercomplex multi-tiered rules. I don’t have the knowledge and I really don’t feel like learning these intricacies - all I need is convenience and good protection.
OK, using Killswitch I located at least one (possibly two) of the sources of the rundll32.exe*32 and uninstalled them. So far this seems to have taken care of the rundll32 problem.
I also went through Task Scheduler and disabled or deleted any tasks that I had never authorized and were trying to connect.
One of them being:
I uninstalled most of the Windows Live Essentials and disabled any Customer Experience Improvement Program entries in Options/Trust Center of any of those I kept.
The firewall is still blocking lots of svchost.exe requests to Akamai 23.77.237.42-50 and others within that range.
My question is: Killswitch requires administrative privileges to run. Is it safe to enter your administrator password in the authorization popup while running in a limited user account on Windows 7?
WuXes: What you could try is observing what your firewall blocks when you are trying to connect and just allow UDP outgoing from what you identify as your ip (or ip range) to your router or network’s (ie. Home #1) ip. With destination port 53. I am connecting just fine using that. It takes a while for your internet access icon to appear connected but your browser will be able to connect before it appears.
That’s how I deal with svchost.exe. It’s the most convenient way and secure enough in my book. Servicehost is a protected instance and I trust that.
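The poster describes going through Task Scheduler, disabling tasks that were phoning home, and keeping a list of what was changed. The script below is an added example of that procedure, not the poster's own steps: it inventories the tasks under chosen Task Scheduler folders with schtasks.exe (present on Windows 7 and later), writes them to a CSV first so every change can be reversed, and then disables rather than deletes the ones still enabled. The folder patterns and the CSV location are assumptions; adjust them to what Task Scheduler shows on your own machine. Run it from an elevated prompt.

```powershell
# Added example (not the poster's own steps): reversible inventory-and-disable of scheduled tasks.
# Uses schtasks.exe (Windows 7 and later). Run elevated. Patterns and record path are assumptions.
$patterns = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\*',
    '\Microsoft\Windows\Application Experience\*'
)
$record = Join-Path $env:USERPROFILE 'Desktop\disabled-tasks.csv'

# "schtasks /query /fo csv /nh" prints one row per task: full task path, next run time, status
$tasks = schtasks /Query /FO CSV /NH | ConvertFrom-Csv -Header TaskName,NextRun,Status

# Select tasks whose full path matches any of the folder patterns
$targets = @($tasks | Where-Object {
    $name = $_.TaskName
    @($patterns | Where-Object { $name -like $_ }).Count -gt 0
})

# Write the list before changing anything so the change can be undone
$targets | Export-Csv -NoTypeInformation -Path $record
"recorded $($targets.Count) task(s) in $record"

foreach ($task in $targets) {
    if ($task.Status -ieq 'Disabled') { "already disabled: $($task.TaskName)"; continue }
    # Disable, do not delete: the task definition stays in place for re-enabling
    schtasks /Change /TN $task.TaskName /DISABLE | Out-Null
    "disabled: $($task.TaskName)"
}

# To undo later:
#   Import-Csv $record | ForEach-Object { schtasks /Change /TN $_.TaskName /ENABLE }
```

Adding `/V` to the query would also show the "Task To Run" column, which is the quickest way to see which executable a task launches before deciding whether it belongs on the list.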
Rundll32 is a Windows system file. Having uninstalled or removed it may cause problems in the near future. It is something I would never have done or advised doing.
> I also went through Task Scheduler and disabled or deleted any tasks that I had never authorized and were trying to connect.
> One of them being:
> I uninstalled most of the Windows Live Essentials and disabled any Customer Experience Improvement Program entries in Options/Trust Center of any of those I kept.
A warning: be careful when it concerns Windows tasks.
> The firewall is still blocking lots of svchost.exe requests to Akamai 23.77.237.42-50 and others within that range.
Akamai is a big content delivery network where lots of well-known and totally legit programs host their updates and other downloads. You're more than likely blocking update checks from applications that use svchost.exe.
> My question is: Killswitch requires administrative privileges to run. Is it safe to enter your administrator password in the authorization popup while running in a limited user account on Windows 7?
Killswitch is a program that can be trusted in my book. CIS will further protect it.
> WuXes: What you could try is observing what your firewall blocks when you are trying to connect and just allow UDP outgoing from what you identify as your IP (or IP range) to your router or network's (i.e. Home #1) IP, with destination port 53. I am connecting just fine using that. It takes a while for your internet access icon to appear connected, but your browser will be able to connect before it appears.
For problems with getting an IP address from the DHCP server of the router (port 53 traffic) you can check [url=https://forums.comodo.com/firewall-faq-cis/no-network-connection-after-using-stealth-ports-wizard-dhcp-broken-t41463.0.html]No network connection after using Stealth Ports Wizard (DHCP Broken) [v4][/url]. It's written for CIS v4 but the principles are the same.
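The rule discussed in this post and in the earlier one quoted above ("svchost may only talk to the router, on destination port 53") covers name resolution but not address assignment, and a rule pinned to a handful of source ports will keep seeing "connections outside those ports", because Windows picks a fresh ephemeral source port for each DNS query and because DHCP does not use port 53 at all: the DHCP client sends from UDP 68 to UDP 67, and its first DISCOVER/REQUEST go to the broadcast address before the router's address is known. The script below is an added example that expresses the intended policy as Windows Firewall rules through `netsh advfirewall` (available on Windows 7 and later); it is not the Comodo rule set the thread discusses, and it assumes the router is 192.168.1.1 and that the service short names are the Windows defaults (Dnscache for DNS Client, Dhcp for DHCP Client).

```powershell
# Added example (not the Comodo rules the thread discusses): "svchost.exe may only reach the
# router, for DNS and DHCP" as Windows Firewall rules via netsh advfirewall. Run elevated.
# Assumptions: router is 192.168.1.1; service short names are the Windows defaults.
$router  = '192.168.1.1'
$svchost = "$env:SystemRoot\System32\svchost.exe"

# DNS: the DNS Client service (Dnscache) sends from an ephemeral local port (49152-65535 on
# Vista and later, a different one each time) to UDP 53 on the resolver. Pin the destination,
# not the source port.
netsh advfirewall firewall add rule name="svchost DNS to router" dir=out action=allow `
    program="$svchost" service=Dnscache protocol=udp remoteip=$router remoteport=53

# DHCP: the DHCP Client service (Dhcp) uses UDP 68 -> 67, not 53. Renewals are unicast to the
# router, but the initial DISCOVER/REQUEST are broadcast, so both destinations are allowed.
netsh advfirewall firewall add rule name="svchost DHCP" dir=out action=allow `
    program="$svchost" service=Dhcp protocol=udp localport=68 remoteport=67 `
    remoteip="$router,255.255.255.255"

# Windows Firewall gives block rules precedence over allow rules, so "deny everything else from
# svchost" cannot be a block rule for svchost.exe (it would also beat the two allows above). It
# comes from the profile default instead. This blocks every other outbound connection too, so
# each program you want online then needs its own allow rule.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Verify what was created
netsh advfirewall firewall show rule name="svchost DNS to router" verbose
netsh advfirewall firewall show rule name="svchost DHCP" verbose
```

The same two distinctions carry over to any per-application firewall: match on the destination (router address, port 53 for DNS; port 67 from local port 68 for DHCP) rather than on the ever-changing source port, and remember that DHCP needs the broadcast destination until a lease exists.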
I did not remove rundll32. I used Killswitch per worldwidewiretap’s advice and located the programs that were causing it to connect to the internet. As a result I kept rundll32 but it no longer runs in the background at all times nor connects to the internet. :-TU
> A warning: be careful when it concerns Windows tasks.
I was careful, which is why I disabled them instead of deleting them and kept a list of those I changed. As I wrote, I only disabled those like the Customer Experience Improvement Program that have no business running services and phoning home without my consent per Microsoft’s privacy agreement. Yet even though you click it off in those programs, it still insists on scheduling a task. As a result I’ve nearly eliminated all the spurious connections that are using svchost.exe. Still have a couple more.
> Akamai is a big content delivery network where lots of well-known and totally legit programs host their updates and other downloads. You're more than likely blocking update checks from applications that use svchost.exe.
Like most, I do not want update checks nor anything connecting to the internet without my authorization. I can do the updates myself. Akamai is simply a mirror (or, like in radio lingo, a repeater) that “operates a network of servers around the world and rents capacity on these servers to customers who want their websites to work faster by distributing content from locations close to the user,” according to Wikipedia. They have no business receiving individual connections from users’ PCs without their knowledge or consent.
> Killswitch is a program that can be trusted in my book. CIS will further protect it.
Yes, it was helpful in locating the programs causing rundll32 to run and connect. Defense+ was actually logging it as an event. I still need my question answered about whether it is safe to enter my admin’s password on my user account in order for it to run on my user account. Does that password get logged anywhere like network passwords do?
> For problems with getting an IP address from the DHCP server of the router (port 53 traffic)
No problems with that so far. Like I said, I allowed svchost traffic to that port on my router’s IP and only to that port.
> you can check [url=https://forums.comodo.com/firewall-faq-cis/no-network-connection-after-using-stealth-ports-wizard-dhcp-broken-t41463.0.html]No network connection after using Stealth Ports Wizard (DHCP Broken) [v4][/url]. It's written for CIS v4 but the principles are the same.
> I still need my question answered about whether it is safe to enter my admin's password on my user account in order for it to run on my user account. Does that password get logged anywhere like network passwords do?
It does not. It checks the password against the SAM file and is never stored anywhere else. There are much easier ways to access your account.
Just checked that out, and it looks like it is for if you don’t know your password. I know my admin password but am careful not to enter it in the user account in case it gets logged, either unintentionally by malware or intentionally where it could possibly be accessed by malware. So it’s safe to use Killswitch using the admin password on a user account?