Sunbelt-Kerio issues / Need new desktop firewall advice

OK, I have had it with the Sunbelt-Kerio firewall! It has been a fine firewall, but the latest versions have been quite disappointing.

The firewall configuration window has always frozen when using P2P programs. Now the latest version shows more control on application-behavior blocking, but for some reason it terminates the communication with my Outlook when checking for email after a while. Even more, every new upgrade fails to import the previous version's rules I exported just before updating. To make things worse, now Firefox does not even register on the Network Security Module window (yeah, but it allows the traffic anyway...oh please!). I do not know if this last issue has to do with the Avast Web scanner module (part of Avast Antivirus).

I think the product lost its magic after it was sold (so typical!). Anyways....I have had it with Sunbelt-Kerio!

I'm using Windows XP SP2, and I always have my computer in Stealth mode. So I repel unsolicited traffic and I have only allowed 6 applications that can legitimately access the Internet: my Web browser, antivirus, email client, IM, P2P, RSS reader, and Newsgroup reader. I have even blocked the nasty "svchost.exe" (who does who knows what). I just enable it for a few minutes once a month to do Windows updates.

Does anyone know a desktop firewall with a well-designed engine? I have heard about Outpost, WinRoute, and ZoneAlarm. This last one I'm not sure about, because of the little I have read. Any objective opinion/advice will be appreciated! Thanks!

Reply to
Nando

Svchost.exe does nothing on its own. It hosts other programs, that's its job, and programs use svchost.exe on their behalf. Svchost.exe is the messenger and only provides the means. Should you kill the messenger, or should you find out what's using the messenger and kill that?

A personal packet filter or personal FW repels unsolicited inbound traffic by design. It never needed the so-called *stealth* to do it. However, if you want the computer to be stealthed, then put the computer behind a NAT router, and the computer will be *stealthed* then, because unsolicited inbound traffic will be blocked by the router. The traffic will never reach the computer where the O/S and personal FW will have to react to it.

They all have trialware, I would suspect. Try them all and pick the one that best fits your needs.

You might want to look at a cheap NAT router and use a PFW solution behind the router that doesn't have a lot of snake-oil in them that will stop applications from working.


Reply to
Mr. Arnold

Thanks! My earlier findings showed that "svchost.exe" was being used only by the OS (Windows XP SP2). If anyone knows which parts of the OS or services are using this program, I'll appreciate it, so I can disable them (hopefully MS allowed that to be done). I tried to filter by ports, but this exe uses hundreds (if not thousands) of ports.

I have identified some uses of svchost.exe, like trying to synchronize time on my PC, do Windows Updates, etc. But some others I just cannot explain, nor did I have the time. I just feel that Microsoft is just "calling home" constantly, because I cannot understand why this exe is so persistent in connecting to the Internet through such a wide range of ports (even on fresh installs of Windows XP).

That's why I have been using software firewalls. Maybe, one day, after I understand how to properly override all these default-open connections on my computer, I'll stop using them and just use a NAT router. But until then I still have to fill so many holes in my understanding of these things.

I do not trust any application that connects to the Internet without first knowing the motive. I believe these motives should be part of a very limited list. Even software that you pay big $$$ bucks for, from Microsoft, Sony, Adobe, Altera,... they all first connect to the Internet on startup and/or constantly keep connecting. I will never understand/accept these bad practices, but the "industry" is just adopting this as the "good behaviour." The fact that an application starts and opens a channel to connect to another network without your knowledge is just so wrong. Especially when this network is untrusted like the Internet.

I tried the latest versions of Kerio, Outpost, and Comodo. Below is my experience, in case it may be of help to anyone.

I tried Sunbelt Kerio Personal Firewall 4.5.916. I really liked the previous version, but the new version just didn't work as well as before, as I explained previously.

Then I installed Agnitum Outpost Firewall Pro 4.0.1025.7828 (700). Installation was a breeze. I liked the interface and usage, but it was lacking the application / network-monitoring console with columns for permissions and to allow block/unblock. Of course you can do this, but it just wasn't in a console; it didn't have this to-the-point feature I really like. Outpost seemed pretty refined and has many options, but its UI needed to be more time-efficient for users to do the basic allow-this-on-this. There seemed to be some issues with my P2P and Avast program, but I did not bother to investigate more on this.

Then I tried Comodo, the installer was less than half the size of Outpost's. I did not like the installation though, too long, many steps, but works great once installed. No issues so far. It does have that application / network-monitoring console that I like. The console does not freeze when using P2P (unlike Sunbelt-Kerio).

Not sure what "snake-oil" means. Hopefully, these "techniques" have not become a standard for software firewalls out there.

Reply to
Nando

Svchost.exe can be used by any program, including malware, on its behalf. Again, svchost.exe does nothing on its own. Svchost hosts other programs, and those programs are the ones that are opening ports, NOT Svchost.

You can use Process Explorer, go to the View menu/Show Lower Pane/Show all Dll(s), and click on any given Svchost.exe and look at all the programs the Svchost is hosting; the tool is explained in the link.

I hate to say it, but someone who knows the O/S and knows what is happening would not stop Svchost.exe from doing its thing. And if Svchost.exe is providing the means for a dubious remote IP connection by a program (it's the program that is making the connection, malware or not), then he or she goes and finds that program.

He or she doesn't shoot the messenger. Svchost.exe is just the messenger; don't shoot the messenger, and find out what's using the messenger and shoot that, if need be.

A personal FW or personal packet filter is not a firewall. What is a FW? What does a FW do? That FW can be a FW router, FW appliance or a host based network FW (we're not talking about a personal FW) running on a gateway computer. A personal FW is not a FW. It's only a packet filter running at the machine level.


Sorry, I am not trying to be a smart ass here. But I don't know what you're talking about. You're concerned about everything else under the Sun. In the meantime, a serious piece of malware has compromised the machine, and you missed that, because you're blinded by looking at all the pop-up messages and clicking with a response.

The snake-oil is anything in the solution that's preventing the connection from happening, and you don't know about it nor can you fix it, other than, try to find a lesser solution that has less snake-oil.

And the "techniques" you're talking about are unfortunately the standard on the MS platform with PFW(s) having an abundance of snake-oil in them trying to protect you from you, and they cannot do it.

The solutions have lost their way in the job they were intended to do, which is filter inbound and outbound traffic/packets to/from the machine at the machine level and not all this other junk/snake-oil in them trying to protect you from you.

Reply to
Mr. Arnold
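Process Explorer shows the same thing interactively; as an added example (not from this thread, and not part of Process Explorer or any of the firewalls discussed), the script below does it from the command line. It parses the text output of `tasklist /svc` (which service names each svchost.exe instance hosts) and `netstat -ano` (which PID owns each listening or connected endpoint) and joins them, so that an endpoint owned by an svchost.exe PID is listed together with the services that could be behind it. The two sample outputs are constructed here in the format those commands print on Windows XP; service names such as W32Time (time synchronization) and wuauserv (Windows Update) are real XP service names, but the PIDs and addresses are made up. On a Windows machine the script runs the two commands itself; anywhere else it uses the embedded samples.

```python
"""Join `tasklist /svc` and `netstat -ano` output to see which services
sit behind each svchost.exe endpoint. Added example, not from the thread."""
import re
import subprocess
import sys
from collections import namedtuple

Proc = namedtuple("Proc", "image pid services")
Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample output (format of `tasklist /svc` on XP; values made up).
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    932 RpcSs
svchost.exe                   1012 Dhcp, EventSystem, lanmanworkstation, Netman,
                                   Schedule, W32Time, wuauserv, WZCSVC
svchost.exe                   1180 SSDPSRV, WebClient
firefox.exe                   2044 N/A
"""

# Constructed sample output (format of `netstat -ano` on XP; values made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1044       203.0.113.10:80        ESTABLISHED     1012
  TCP    192.168.1.5:1051       203.0.113.20:443       ESTABLISHED     2044
  UDP    0.0.0.0:123            *:*                                    1012
  UDP    127.0.0.1:1900         *:*                                    1180
"""


def parse_tasklist_svc(text):
    """Return {pid: Proc}; indented lines continue the previous service list."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last is not None:  # wrapped service list
            procs[last].services.extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if not m:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
        procs[pid] = Proc(image, pid, services)
        last = pid
    return procs


def parse_netstat_ano(text):
    """Return a list of Conn; TCP rows carry a state column, UDP rows do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def attribute(procs, conns):
    """Map each endpoint to (image, hosted services) of the owning PID."""
    result = {}
    for c in conns:
        p = procs.get(c.pid)
        image = p.image if p else "<unknown>"
        services = list(p.services) if p else []
        result[(c.proto, c.local, c.remote)] = (c.pid, image, services)
    return result


def collect():
    """Run the real commands on Windows; use the constructed samples elsewhere."""
    if sys.platform != "win32":
        return SAMPLE_TASKLIST, SAMPLE_NETSTAT
    t = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout
    n = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    return t, n


if __name__ == "__main__":
    tasklist_out, netstat_out = collect()
    table = attribute(parse_tasklist_svc(tasklist_out), parse_netstat_ano(netstat_out))
    for (proto, local, remote), (pid, image, services) in sorted(table.items()):
        hosted = ", ".join(services) if services else "-"
        print(f"{proto:4} {local:22} {remote:22} pid={pid:<5} {image:14} {hosted}")
```

In the constructed sample, the UDP socket on port 123 belongs to the svchost.exe instance that hosts W32Time, and the established TCP connection to port 80 belongs to the same instance, whose service list includes wuauserv; that narrows the question "which program is using svchost" to the handful of services in that instance, and on a real system the Process Explorer view or `sc query` on each of those names finishes the job.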

Thanks, I'll find out using the Sysinternals Process Explorer you suggested, but I can assure you that I have no spyware or malware :) I'm convinced it is the OS and/or services, and now I have the means to prove it. Great!

Hmm.. Seems I'm lost in the concept, I have to review that.

This may have nothing to do with security or intrusion detection by itself, but I also care about privacy. There is no need, and I will always be suspicious of any program that connects to the Internet without telling me first. Because there is no need. They are supposed to run locally, that's it! Taking into account what I have learned so far, the fact that it connects to the Internet implies that it opens a port on my system that can be attacked (can I say that?). Then I see it as a security matter.

Most of the freeware and shareware connect to the Internet to check for updates, log the number of runs, collect and transmit users' system information, etc. Some actually allow the users to change this behavior during the setup or under menu\options. I try to avoid these applications.

But the truth is that most of those applications don't even make the users aware of these events. Even worse, applications such as the ones I mentioned above (Sony, Altera, Pinnacle and many others) do in fact abuse the Internet. These legit, paid and costly applications violate the privacy of individuals and connect. Without applications such as Kerio or Comodo I wouldn't even know this was happening. No hijacking or popups. I have tested this using a Virtual Machine on virgin copies of Windows. Nothing to do with malware (unless I consider Windows to be one of them :)

"You have zero privacy anyway" -Scott McNealy (chairman, Sun Microsystems)

Reply to
Nando

<snipped>

Maybe and maybe not you have spyware. The only way to know for sure is to start looking for yourself with other tools, because malware can and does circumvent every last bit of software to detect it.

You do know that malware can circumvent all of it, set its own rules, punch through the PFW and you wouldn't even know it.

Yes, a program runs locally on the machine. The program is locally running on the computer. But that doesn't mean that the program will not have a valid reason to access the Internet.

No, you can't say that. There are two types of inbound traffic that a FW, even a PFW/packet filter, deals with when opening ports to traffic.

1) Solicited inbound traffic -- is inbound traffic that has been solicited due to a machine running a program that has sent outbound traffic to a WAN (Wide Area Network)/Internet IP or to a LAN (Local Area Network) IP -- a machine connected to the router using a local IP -- from behind a FW.

That FW can be a router or FW appliance, host based software solution running on a gateway computer or PFW/packet filter, even if the PFW/packet filter is being used and is in a WAN or LAN or using both situation. The FW will open the inbound ports to let the traffic back to the machine and to the program that is listening on the port.

2) Unsolicited inbound traffic -- is any inbound traffic that has not been solicited, like up above, and is going to be blocked by the FW because the port is not open.

There is a third condition that is there too where unsolicited inbound traffic must reach a program that is listening that has not sent outbound traffic.

That would be a case where a Web server behind a FW must allow your browser to make contact with the Web Server. It's called port forwarding, whereby a port is opened on the FW to let unsolicited inbound traffic past the FW.


I think that should be the least of your concerns.

In the meantime, the software has gone out and made contact with the site, because it beat the PFW to the connection during the boot and login process, well before the PFW could get there and protect the connection, because the O/S is not waiting on a non-integrated solution like a 3rd party PFW before the connection is made active.

So why worry about something that is trivial like that? It's much ado about nothing.

What you should be concerned about is someone hacking the machine with software that has compromised the machine and using the information against you to do serious damage, like identity theft. And it circumvented and defeated all the snake-oil solutions in software running on the machine, so that you and they never saw it coming, because you're leaning on the snake-oil like a crutch. Sorry, I hate to be blunt, but sometimes it's needed.

Here is another link about FW solutions, and a PFW is not a FW solution. It's only a machine level packet filter protecting the machine at the machine level, which is doing way too much in trying to protect you from *you* that it cannot do that well.

Reply to
Mr. Arnold
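The three cases in the post above (solicited inbound traffic let back in, unsolicited inbound traffic dropped because no port is open, and an explicitly forwarded port for a listener that never sent anything out) are exactly what a stateful packet filter's decision logic looks like. As an added example, not from this thread and not the engine of any product discussed here, the class below keeps a table of outbound flows keyed by (protocol, local port, remote address, remote port) and lets an inbound packet through only if it matches an entry that has not idled out, or if its destination port is in the forwarding list. The packets, ports, idle timeout and IP addresses (from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed for the demonstration; a real filter also tracks TCP flags and sequence numbers, which this model leaves out.

```python
"""Minimal stateful packet filter model: solicited vs. unsolicited inbound
traffic plus port forwarding. Added example, not from the thread."""
import time
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

ALLOW_OUTBOUND = "ALLOW_OUTBOUND"
ALLOW_SOLICITED = "ALLOW_SOLICITED"      # case 1: reply to traffic we sent
ALLOW_FORWARDED = "ALLOW_FORWARDED"      # case 3: port deliberately opened
DROP_UNSOLICITED = "DROP_UNSOLICITED"    # case 2: nothing asked for this


class StatefulFilter:
    def __init__(self, host_ip, idle_timeout=60.0, forwards=()):
        self.host_ip = host_ip
        self.idle_timeout = idle_timeout           # seconds a flow may stay idle
        self.forwards = set(forwards)              # {(proto, local_port), ...}
        self.state = {}                            # flow key -> last-seen time

    def _expire(self, now):
        for key in [k for k, t in self.state.items() if now - t > self.idle_timeout]:
            del self.state[key]

    def outbound(self, pkt, now=None):
        """Record the flow so that the matching reply is recognised as solicited."""
        now = time.time() if now is None else now
        self._expire(now)
        self.state[(pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
        return ALLOW_OUTBOUND

    def inbound(self, pkt, now=None):
        """Decide an inbound packet: state match, forwarded port, or drop."""
        now = time.time() if now is None else now
        self._expire(now)
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:               # the remote side is answering us
            self.state[key] = now
            return ALLOW_SOLICITED
        if (pkt.proto, pkt.dst_port) in self.forwards:
            return ALLOW_FORWARDED          # listener that never sent anything out
        return DROP_UNSOLICITED             # port is not open: silently dropped


def run_demo():
    """Constructed packet sequence; returns the filter's decision for each step."""
    me, web, other = "192.0.2.10", "203.0.113.10", "198.51.100.7"
    fw = StatefulFilter(me, idle_timeout=60.0, forwards=[("TCP", 80)])
    t = 1000.0
    steps = [
        # browser opens a connection from local port 1044 to a web server
        ("out", Packet("TCP", me, 1044, web, 80), t),
        # the web server's reply: same four-tuple reversed -> solicited
        ("in", Packet("TCP", web, 80, me, 1044), t + 1),
        # same local port but a different remote host -> not our flow
        ("in", Packet("TCP", other, 4444, me, 1044), t + 2),
        # nothing was ever sent from port 135, nothing forwarded -> dropped
        ("in", Packet("TCP", other, 4444, me, 135), t + 3),
        # port 80 is forwarded to a local web server -> allowed by rule
        ("in", Packet("TCP", other, 5050, me, 80), t + 4),
        # UDP reply to a time-sync request that was never sent -> dropped
        ("in", Packet("UDP", web, 123, me, 123), t + 5),
        # a late reply after the flow idled out of the table -> dropped
        ("in", Packet("TCP", web, 80, me, 1044), t + 200),
    ]
    return [fw.outbound(p, now) if d == "out" else fw.inbound(p, now)
            for d, p, now in steps]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The third step is the detail worth noticing: the filter keys state on the full flow, not on the local port alone, so a packet aimed at a port the host happens to be using is still unsolicited unless it comes from the peer that port is talking to. The last step shows why an idle timeout is needed: without one the state table grows without bound and a long-dead flow keeps a hole open.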

Thanks Mr. Arnold! It is going to take a while to read and exercise all the valuable information. Thanks for your assistance. I think I'm on the right track now. The links will also help a lot. This is dark but cool stuff. Hopefully I'll eventually learn to protect myself correctly, and maybe (one day) I can build firewall equipment. :)

Reply to
Nando
