ZA Free and Generic Host Processor

A couple of times lately, ZA Free has popped up to tell me that Generic host Processor "wants to act as a server". I have disallowed this - should I have accepted? Why would svchost want to act as a server? I presume this means someone or something out there is trying to connect to my PC?

Reply to
Wilf

Hi,

I use ZA Pro which has Smart Defense Advisor that auto configures known good programs. I see that for Generic Host Process for Win32 Services (svchost.exe), it grants it access to both the trusted and internet zones and grants server status for trusted zone while it blocks server status for internet zone and blocks sending of emails. I hope this helps. I'm not sure if the free version also has "Trust Level" but if it does, it should be three green bars, the Super Trust level.

Craig

Reply to
Craig

Thanks, Craig. ZA Free doesn't have this level of sophistication but it can allow or block internet access for the trusted zone and/or internet zone and can do the same for server status.

Reply to
Wilf

One other thing that ZA Pro does in the Program Control Settings under SmartDefense is indicate whether the settings were made by ZoneAlarm itself ("System" for Windows Operating system files or "Auto" if it's a known good program) or made by the user by accepting or denying access, in which case it'd be called "Custom". The programs in Program Control listed as Custom are no better than the guesses of the user, while the System and Auto ones are preconfigured by Zonealarm and hopefully correct. Your Generic Host issue was a System one, so I feel confident to have given you the correct info.

Craig

PS--I've recently decided that when installing an updated version of Zonealarm, it's best to do a Clean Installation and start from scratch rather than to keep the settings from previous versions of ZA. For the newest version, now v6, even Zonealarm suggests not to keep the old settings but to do a Clean Installation.

Reply to
Craig

Wilf wrote in news:dhgvj3$p3d$1 @nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com:

Svchost.exe Generic Host Process is just the messenger for the O/S and other non-O/S programs that need to communicate on a network such as a LAN or WAN/(the Internet). SVChost acts on behalf of other programs for communications; it is not the one who wants communications but only provides the means for the communication. If you understand the concept of solicited and unsolicited traffic and how a FW or PFW works with this concept, then you will know that a program (not svchost.exe) on the machine has made a solicitation behind the PFW and svchost.exe is providing the means for the connection.

You should find out what is trying to use the messenger (svchost.exe) and determine if it is legit or not instead of killing the messenger. Most likely, it is just another case of Application Control in a PFW solution whining about nothing. :)

Duane :)

Reply to
Duane Arnold

Thanks - have set as per this and will see what happens.

Reply to
Wilf

Fair enough although I feel more comfortable denying svchost (on behalf of whatever) the ability to wait for incoming connections.

Reply to
Wilf

Wilf wrote in news:dhhlfg$nim$ snipped-for-privacy@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com:

The machine is sitting behind ZA and ZA is stopping all unsolicited inbound traffic to the machine. Unless you have opened some ports manually on ZA by setting rules to open the port(s) to the public Internet and traffic is coming in on the ports without being solicited, the traffic is being stopped because it's not solicited traffic (a program running on the machine didn't send outbound traffic to a remote IP behind ZA).

So that means that svchost.exe is responding to inbound traffic that ZA is letting through due to something running on your machine that made the solicitation, and again, it was not svchost.exe (the messenger) that wants to communicate. And you see, the problem you face is the *whatever*, as you don't know what it is. It could be legit too. But all you did was stop svchost.exe. What happened to the reason or the *whatever*, as it didn't go anywhere? For all you know, *whatever* could have used svchost.exe on its behalf at the computer boot and logon process and be done before ZA can even start to get to the TCP/IP connection during the boot and logon process and protect.

You should lay down the crutch and find out for yourself what's happening, and not depend upon the crutch *ZA* to tell you what is happening and that everything is *okay dokey*; look for yourself with the proper tools every now and then.

If the machine has a direct connection to the Internet -- no router -- in front of it, then try to secure the NT based O/S a little bit as the buck stops with the O/S and not ZA.

Duane :)

Reply to
Duane Arnold
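Duane's advice is to find out which program is using svchost.exe as its messenger rather than blocking svchost.exe itself. The following is an added example, not code from the thread, that does exactly that check on a modern Windows machine: it lists every socket a svchost.exe process is listening on and the Windows services hosted in that process, assuming the built-in NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint) is available.

```powershell
# Added example, not from the thread. Map each listening svchost.exe socket to the
# services hosted in that process, i.e. to whatever is really "acting as a server".
function Get-SvchostListener {
    # Process ids of every svchost.exe instance currently running
    $svchostIds = @(Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id)

    # Listening TCP sockets owned by a svchost.exe process
    $tcp = @(Get-NetTCPConnection -State Listen |
        Where-Object { $svchostIds -contains $_.OwningProcess } |
        ForEach-Object {
            [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress
                               Port = $_.LocalPort; ProcessId = $_.OwningProcess }
        })

    # Bound UDP sockets owned by a svchost.exe process (UDP has no listen state)
    $udp = @(Get-NetUDPEndpoint |
        Where-Object { $svchostIds -contains $_.OwningProcess } |
        ForEach-Object {
            [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress
                               Port = $_.LocalPort; ProcessId = $_.OwningProcess }
        })

    foreach ($sock in ($tcp + $udp)) {
        # All services sharing this svchost.exe process are the candidates for the socket
        $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($sock.ProcessId)" |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Proto     = $sock.Proto
            Address   = $sock.Address
            Port      = $sock.Port
            ProcessId = $sock.ProcessId
            Services  = ($hosted -join ',')
        }
    }
}

# Sockets bound to loopback cannot be reached from the network; the others are the ones
# worth checking against what you expect the machine to offer (file sharing, RPC, etc.).
Get-SvchostListener |
    Where-Object { $_.Address -notin @('127.0.0.1', '::1') } |
    Sort-Object Proto, Port |
    Format-Table -AutoSize
```

On the XP-era systems discussed in this thread the same information comes from `netstat -ano` (socket to process id) combined with `tasklist /svc` (process id to hosted services).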

you could be right :-(

Reply to
Wilf

Looks like I'm going to have to do some learning. Thanks for your help.

Reply to
Wilf

Why are you running a "Personal Firewall" program, which asks you such cluttering questions, and not just using the Windows-Firewall?

This question is one of the best examples, that the concept is b0rken to ask the user what to do. The question you're mentioning here, _cannot_ be answered correctly, BTW.

Yours, VB.

Reply to
Volker Birk

All those bells and whistles of the "Personal Firewalls", all those "Trust levels" and "Super Trust levels" just hide, that the concepts of the "Personal Firewalls" are b0rken completely. They cannot lead to more security, but are confusing users like you and the OP, and giving a totally wrong feeling of security.

You cannot say what happens, when you read the question Zonealarm asked the OP - the question was just useless. So talking about "Trust Levels", "Super Trust Levels" and "Smart Defense Advisors" is only window-dressing.

Yours, VB.

Reply to
Volker Birk


This is, what "Personal Firewalls" are doing. And this is just contrary to security, BTW.

I'm recapitulating your case:

- you get a completely useless message of Zonealarm, your "Personal Firewall"

- it is useless, because of what Duane explained

- you don't understand a word of it, how should you?

- somebody tries to help you, but is falling for the bells and whistles of such products, too

- this is just like in those web forums

- you're doing something with the program, moving a slider, pressing a button, what you don't understand at all

- now your "Personal Firewall" makes you feel more comfortable

Or in other words: you're completely unsecure.

Yours, VB.

Reply to
Volker Birk

And this is, why I don't think, that "Personal Firewalls" help to improve security at all.

What to do then?

- remove Zonealarm

- use the Windows-Firewall or do something like (link) *BEFORE* you connect to the network again

- don't use the browser which supports ActiveX and ActiveScripting, namely don't use Internet Explorer

- don't use the MUAs, which support ActiveScripting or even ActiveX, namely don't use Outlook or Outlook Express

- Keep your system up to date

- Keep every program up to date which you're using to communicate in the network or in other ways; this includes MUA, browser but also Office programs like your word processor or your spreadsheet application, if you're exchanging such documents with other people

- don't trust in what you're receiving by E-Mail without thinking about it at least one time per mail ;-)

- a Virus Scanner could help you - but be aware, Virus Scanners cannot guarantee that you don't get viruses any more, they're just filtering out the well known ones, so keep careful

Happy Internetting ;-)

Yours, VB.

Reply to
Volker Birk

All very well, but this PC is not for my exclusive use - it's a family computer and my wife and adult son use it too - they are not particularly PC-savvy; they will use IE, even though I tend to use Firefox.

Reply to
Wilf

Make another browser the default browser. Use Policies to disable Internet Explorer by forcing 127.0.0.1:9 as the proxy, with an exception for 127.0.0.0/8 and *.microsoft.com for Windows-Update.

And, the most important point: talk to them, and explain to them why using another browser is a good idea.

Yours, VB.

Reply to
Volker Birk
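The proxy trick Volker describes, as an added example that is not part of the thread: the machine-wide Internet Settings policy pins Internet Explorer to a proxy on 127.0.0.1:9, where nothing listens, while the bypass list keeps loopback and *.microsoft.com reachable. It assumes the ProxySettingsPerUser policy value and the ProxyEnable/ProxyServer/ProxyOverride values under the machine Internet Settings key, and must be run as Administrator.

```powershell
# Added example, not from the thread. Force Internet Explorer through a dead proxy so that
# ordinary browsing fails, while Windows Update hosts and loopback bypass the proxy.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$settingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

# Policy "Make proxy settings per-machine": users can no longer change the proxy in
# Internet Options, so the setting below applies to every account on the family PC.
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name ProxySettingsPerUser -Type DWord -Value 0

# 127.0.0.1:9 is the address from the thread: nothing listens there, so every
# proxied request is refused and IE cannot reach the web.
Set-ItemProperty -Path $settingsKey -Name ProxyEnable   -Type DWord  -Value 1
Set-ItemProperty -Path $settingsKey -Name ProxyServer   -Type String -Value '127.0.0.1:9'

# Bypass list: the loopback range (IE uses wildcards, so 127.* stands for 127.0.0.0/8)
# and Microsoft hosts so Windows Update keeps working; <local> covers intranet names.
Set-ItemProperty -Path $settingsKey -Name ProxyOverride -Type String -Value '127.*;*.microsoft.com;<local>'

# Show the resulting configuration for verification
Get-ItemProperty -Path $settingsKey -Name ProxyEnable, ProxyServer, ProxyOverride |
    Format-List ProxyEnable, ProxyServer, ProxyOverride
```

Any other browser that follows the system proxy settings is blocked too, so the family's preferred browser must be set to "No proxy" in its own settings for this to have the intended effect.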

(link, 09/30)

The last paragraph: "An attacker who takes great trouble finds *always* a possibility to trick the locking mechanisms of the Personal Firewall."

Wolfgang

Reply to
Wolfgang Ewert

dr. roro rororo wrote in news: snipped-for-privacy@4ax.com:

The end-user did everything all right about what? The end-user doesn't even know what he did or what he stopped. I don't mess with svchost.exe (period), and I think that most that do know about the NT based O/S know not to mess with its ability to communicate on the network LAN or WAN, because that's its job: it's the messenger. One doesn't kill the messenger. One finds out what is trying to use the messenger and kills that if necessary.

It's just another put-it-in-your-face message that PFW's whine about, 99.9% of the time whining about nothing, with the end-user actually thinking he or she has done something security-wise. I would go 100% but that's pushing it.

Duane :)

Reply to
Duane Arnold

you've done everything all right.

> Fair enough although I feel more comfortable denying svchost (on behalf

Reply to
dr. roro rororo
