Taming the elusive svchost.exe in WindowsXP

Allowing full access rights to svchost.exe can be dangerous, as pretty much any application can use it to contact the outside world. However, it seems that some access is needed for proper functionality of networking and Windows update. This thread is intended to explore what is and is not necessary to be contacted.

I have created the following firewall rules for svchost.exe.

Router/Gateway Connection
-------------------------
Allow connection to the local IP address of your router/gateway. Usually default 192.168.0.1

Internet Time Server
-------------------------
Allow the Windows clock to update the current time. I use the time.nist.gov server, 192.43.244.18

DNS Lookups
-------------------------
The DNS servers of your ISP may need contacting for resolution. Include the primary and secondary DNS servers.

Windows Update
-------------------------
Windows update is what really makes the svchost.exe a difficult beast to master. I have somewhat narrowed the IP ranges that Windows Update requires, but still this is a gaping hole. Main problem is Windows Update keeps changing what IPs it uses.

64.4.*.* 65.59.*.* 67.72.*.* 207.46.*.*

UPNP
-------------------------
Universal Plug and Pray. If you use it, looks like 239.255.255.250 and 255.255.255.255 will need to hear from your machine.

Thoughts?

Reply to
Joe
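As an added example (not part of the original post), the rule set above can be turned into an allow-list and checked against a personal-firewall connection log, so that any svchost.exe destination no rule explains stands out. The log format, the two ISP DNS addresses and the "NO RULE" destinations below are constructed for the example; the other addresses and ranges are the ones the post lists. It also totals how many addresses each rule opens, which makes the width of the Windows Update ranges visible.

```python
"""Audit svchost.exe destinations against the allow-list from the post."""
import ipaddress
import re

# Allow-list reconstructed from the rules in the post. The gateway is the post's
# default; the two DNS servers are constructed placeholders (use your ISP's).
ALLOW_RULES = {
    "router/gateway": ["192.168.0.1/32"],
    "internet time server": ["192.43.244.18/32"],
    "ISP DNS (placeholders)": ["203.0.113.53/32", "203.0.113.54/32"],
    "Windows Update": ["64.4.0.0/16", "65.59.0.0/16", "67.72.0.0/16", "207.46.0.0/16"],
    "UPnP": ["239.255.255.250/32", "255.255.255.255/32"],
}

NETWORKS = [(name, ipaddress.ip_network(cidr))
            for name, cidrs in ALLOW_RULES.items() for cidr in cidrs]

# Constructed sample of outbound-connection log lines ("process dst_ip:port").
# This is a simple format of our own; real PFW logs differ and need their own parser.
SAMPLE_LOG = """\
svchost.exe 192.168.0.1:1900
svchost.exe 192.43.244.18:123
svchost.exe 203.0.113.53:53
svchost.exe 207.46.130.108:80
svchost.exe 198.51.100.7:80
svchost.exe 239.255.255.250:1900
iexplore.exe 198.51.100.7:80
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def matching_rule(dst_ip):
    """Return the name of the allow rule covering dst_ip, or None if no rule does."""
    addr = ipaddress.ip_address(dst_ip)
    for name, net in NETWORKS:
        if addr in net:
            return name
    return None


def audit(log_text, process="svchost.exe"):
    """Return [(dst_ip, port, rule_or_None)] for every log line attributed to `process`."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1).lower() != process:
            continue
        ip, port = m.group(2), int(m.group(3))
        results.append((ip, port, matching_rule(ip)))
    return results


def unmatched(log_text):
    """Destinations svchost.exe reached that no rule explains: the ones to investigate."""
    return [(ip, port) for ip, port, rule in audit(log_text) if rule is None]


def addresses_allowed():
    """Distinct addresses each rule opens; shows how wide the Windows Update ranges are."""
    return {name: sum(ipaddress.ip_network(c).num_addresses for c in cidrs)
            for name, cidrs in ALLOW_RULES.items()}


if __name__ == "__main__":
    for ip, port, rule in audit(SAMPLE_LOG):
        print(f"{ip}:{port:<5} -> {rule or 'NO RULE - investigate'}")
    for name, count in addresses_allowed().items():
        print(f"{name}: {count} addresses allowed")
```

The four Windows Update /16 ranges alone admit 262,144 addresses, which is the "gaping hole" the post describes in numbers; the unmatched list is what a log review under this rule set would surface.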

The bottom line is the svchost.exe is just the messenger for the O/S and its programs that use it to communicate. It also does the same thing for other programs that may use it to communicate, including malware programs.

One doesn't kill the *messenger* svchost.exe. One finds out what's using the messenger and kills that by using the proper tools such as Process Explorer (free) or other such programs/tools. One looks at processes that are running with the svchost.exe in question to make a determination if all processes/programs are legit that are running with svchost.exe.

See, that's what a personal FW will do to a user: make them all paranoid with the pop-up messages about nothing and make one start making some ridiculous rules with the PFW about svchost.exe, which is only doing its job or doing the bidding of something else or another program.

I myself don't jack around with svchost.exe period. If I find some connection questionable that svchost.exe is doing, then I go find out what it is with the proper tools instead of some band aid solution with the PFW.

Duane :)

Reply to
Duane Arnold
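The approach in this post, find out which service is running inside a given svchost.exe rather than firewalling the host process, can be scripted. The following is an added example, not the poster's code: it joins constructed samples resembling Windows XP `tasklist /svc` and `netstat -ano` output (the column layout is an assumption from memory, and real listings should be checked against it) so that each outbound connection is shown with the services its svchost.exe instance hosts, and any svchost.exe carrying no service at all is flagged for a closer look with a tool such as Process Explorer.

```python
"""Attribute svchost.exe connections to the services hosted in each instance."""
import re

# Constructed sample resembling `tasklist /svc` output on Windows XP (layout is an
# assumption). PID 1088 shows a wrapped continuation line, which the real command
# produces for long service lists; PID 1500 is a constructed svchost with no service.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1032 RpcSs
svchost.exe                   1088 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   lanmanserver, wuauserv
svchost.exe                   1500 N/A
explorer.exe                  1640 N/A
"""

# Constructed sample resembling `netstat -ano` output (same layout assumption).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.0.5:1029       207.46.130.108:80      ESTABLISHED     1088
  TCP    192.168.0.5:1031       198.51.100.7:80        ESTABLISHED     1500
  TCP    192.168.0.5:1033       198.51.100.9:443       ESTABLISHED     1640
  UDP    192.168.0.5:123        *:*                                    1088
"""

TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")
NET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def _names(field):
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist(text):
    """Map PID -> (image name, [service names]); 'N/A' becomes an empty list."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last_pid is not None:   # wrapped service list
            procs[last_pid][1].extend(_names(line))
            continue
        m = TASK_RE.match(line)
        if not m:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        procs[pid] = (image, [] if svcs == "N/A" else _names(svcs))
        last_pid = pid
    return procs


def parse_netstat(text):
    """Return (proto, remote_ip, remote_port, state, pid) for connected entries only."""
    out = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        proto, _local, foreign, state, pid = m.groups()
        if state == "LISTENING" or foreign in ("*:*", "0.0.0.0:0"):
            continue
        ip, port = foreign.rsplit(":", 1)
        out.append((proto, ip, int(port), state or "", int(pid)))
    return out


def attribute(netstat_text, tasklist_text):
    """Join each connection to its process image and the services hosted in it."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for proto, ip, port, state, pid in parse_netstat(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        rows.append({"pid": pid, "image": image, "services": services,
                     "remote": f"{ip}:{port}", "proto": proto, "state": state})
    return rows


def hollow_svchosts(tasklist_text):
    """PIDs named svchost.exe that host no service; a genuine service host always has one."""
    return [pid for pid, (image, svcs) in parse_tasklist(tasklist_text).items()
            if image.lower() == "svchost.exe" and not svcs]


if __name__ == "__main__":
    for r in attribute(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{r['remote']:<22} pid {r['pid']:<5} {r['image']:<13} {', '.join(r['services']) or '(no services)'}")
    print("svchost.exe instances with no services:", hollow_svchosts(TASKLIST_SAMPLE))
```

In the sample, the connection to 207.46.130.108 is carried by the svchost.exe that hosts wuauserv (Windows Update) among others, which explains it, while the connection from PID 1500 comes from an svchost.exe hosting nothing, which is the kind of instance the post says to chase down with the proper tools rather than by writing another firewall rule.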

Exactly, which is why it should be tamed, in the event that malware is installed on the system.

No one is attempting to kill the "messenger", however limiting its reach to only what is necessary is a pretty smart thing to do. I see no reason to give 100% 'net access to a process that can be used by any program to send personal data.

I don't think anyone has a problem with svchost.exe doing its job. However, if malware is passing your private information through svchost.exe, then there is a problem. I'm not going to stand around and have my personal information exploited because I failed to secure the outbound traffic of my machine. It amazes me that you would have no problem blocking access to the 'net if the program was called "virus.b", but it has to be ok if it is svchost.exe? *dazed*

Are you saying you monitor every connection svchost.exe makes, and if you happen to see something strange, you then worry about it? What about the damage that has already been done? I'd prefer if the outbound traffic was neutered in the first place. I guess each to his own. Call me paranoid, but I make no apologies for limiting my computer's ability to send out data unless I specifically want it to be sent.

Reply to
Joe

Again, you find out what's using svchost.exe and tame that. The malware is the problem and it needs to be found and not one trying to do something with svchost.exe as it's not the problem.

Once again, it's not svchost.exe that wants access.

The problem is the malware that is making svchost.exe do its bidding.

The buck stops at the O/S and not the personal FW. You need to secure the O/S and not use the band aid to do it for you.

One should go to the O/S and secure it for a machine that has a direct connection to the Internet with no (router or other such appliance) between the modem and the computer.

What I would be using is a packet filtering FW router or FW appliance and set outbound FW rules to block outbound by IP if I needed to do it. I would not be trying to block anything at the machine level with a PFW or other type of packet filter, expecting things to be 100% effective. I would with the router or FW appliance that is not running with the O/S and is a standalone device.

Yes with a packet filtering FW router or FW appliance, I monitor inbound and outbound traffic for dubious connections by reviewing logs. I don't trust anything that's running at the machine level - nothing, because it can be beaten just like the O/S can be beaten. I always look for myself from time to time as to what's happening on the machine and I don't let a crutch tell me what's happening and everything is okay-dokey.

Let me make a suggestion to you. Install Gator on the machine (that's malware) and set rules with your 3rd party PFW to stop svchost.exe from connecting to the Gator site, set rules to stop Gator.exe if you want, and do it by IP or any means necessary to stop Gator that you want.

Install Active Ports free on the machine that's being talked about in the link, set AP's Refresh Rate to (High), create a short-cut for AP in the Start-up folder so you can see the AP screen and the connections being made at boot and login and see if the PFW you're leaning on like a crutch can get to the TCP/IP and protect it before Gator can get there and make its connections and phone home.

I doubt that PFW is going to get there first. You can apply that to any possible malware with other 3rd party host based PFW(s) that you want -- try them all.

BTW, I'll use a PFW on the machine while on the road but not at home behind the FW appliance. I also supplement the PFW on XP that I use with IPsec as an added measure in case the PFW solution is taken out by malware.

If you have to do a direct connect, then you may want to supplement.

Nothing is 100% and if you think the PFW is a stops all and ends all solution, then you may want to think about that again.

Duane :)

Reply to
Duane Arnold
