A couple of times lately, ZA Free has popped up to tell me that Generic host Processor "wants to act as a server". I have disallowed this - should I have accepted? Why would svchost want to act as a server? I presume this means someone or something out there is trying to connect to my PC?
I use ZA Pro which has Smart Defense Advisor that auto configures known good programs. I see that for Generic Host Process for Win32 Services (svchost.exe), it grants it access to both the trusted and internet zones and grants server status for trusted zone while it blocks server status for internet zone and blocks sending of emails. I hope this helps. I'm not sure if the free version also has "Trust Level" but if it does, it should be three green bars, the Super Trust level.
One other thing that ZA Pro does in the Program Control Settings under SmartDefense is indicate whether the settings were made by ZoneAlarm itself ("System" for Windows Operating system files or "Auto" if it's a known good program) or made by the user by accepting or denying access in which case it'd be called "Custom". The programs in Program Control listed as Custom are no better than the guesses of the user while the System and Auto ones are preconfigured by Zonealarm and hopefully correct. Your Generic Host issue was a System one so I feel confident to have given you the correct info.
PS--I've recently decided that when installing an updated version of Zonealarm, it's best to do a Clean Installation and start from scratch rather than to keep the settings from previous versions of ZA. For the newest version, now v6, even Zonealarm suggests not to keep the old settings but to do a Clean Installation.
Wilf wrote in news:dhgvj3$p3d$1 @nwrdmz01.dmz.ncs.ea.ibs-infra.bt.com:
Svchost.exe Generic Host Process is just the messenger for the O/S and other non O/S programs that need to communicate on a network such as a LAN or WAN/(the Internet). SVChost acts on the behalf of other programs for communications and it is not the one who wants communications but only provides the means for the communication. If you understand the concept of solicited and unsolicited traffic and how a FW or PFW works with this concept, then you will know that a program (not svchost.exe) on the machine has made a solicitation behind the PFW and svchost.exe is providing the means for the connection.
You should find out what is trying to use the messenger (svchost.exe) and determine if it is legit or not instead of killing the messenger. Most likely, it is just another case of Application Control in a PFW solution whining about nothing. :)
Wilf wrote in news:dhhlfg$nim$ firstname.lastname@example.org:
The machine is sitting behind ZA and ZA is stopping all unsolicited inbound traffic to the machine, unless you have opened some ports manually on ZA by you setting rules to open the port(s) to the public Internet and traffic is coming in on the ports without being solicited, then the traffic is being stopped because it's not solicited traffic (a program running on the machine didn't send outbound traffic to a remote IP behind ZA).
So that means that svchost.exe is responding to inbound traffic that ZA is letting through due to something running on your machine that made the solicitation, and again, it was not svchost.exe the (messenger) that wants to communicate. And you see that's the problem you face is the *whatever* as you don't know what it is. It could be legit too. But all you did was stop svchost.exe. What happened to the reason or the *whatever* as it didn't go anywhere. For all you know, *whatever* could have used svchost.exe on its behalf at the computer boot and logon process and be done before ZA can even start to get to the TCP/IP connection during the boot and logon process and protect.
You should lay down the crutch and find out for yourself what's happening and not depend upon the crutch *ZA* to tell you what is happening and everything is *okay dokey* look for yourself with the proper tools every now and then.
If the machine has a direct connection to the Internet -- no router -- in front of it, then try to secure the NT based O/S a little bit as the buck stops with the O/S and not ZA.
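One way to look for yourself at what sits behind each svchost.exe instance, as an added example that is not part of the original thread: it lists the TCP ports on which svchost.exe is listening and the Windows services hosted in the owning process. It assumes a Windows version that ships `Get-NetTCPConnection` (Windows 8 / Server 2012 or later) and an elevated PowerShell session.

```powershell
# Added example (not from the thread): map every listening svchost.exe socket
# to the services hosted inside the owning process.
# Assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

# Index running services by the PID of the process that hosts them.
# -AsString makes the hashtable keys plain strings so lookups are reliable.
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# PIDs of all running svchost.exe instances.
$svchostPids = @((Get-Process -Name svchost -ErrorAction SilentlyContinue).Id)

# Listening TCP sockets owned by one of those instances.
Get-NetTCPConnection -State Listen |
    Where-Object { $svchostPids -contains $_.OwningProcess } |
    ForEach-Object {
        $hosted = $servicesByPid["$($_.OwningProcess)"]
        [pscustomobject]@{
            PID          = $_.OwningProcess
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            # Short service names; look up DisplayName for the friendly name.
            Services     = ($hosted.Name | Sort-Object) -join ', '
        }
    } |
    Sort-Object -Property LocalPort, PID |
    Format-Table -AutoSize
```

A socket bound to 127.0.0.1 or ::1 is reachable only from the local machine; the rows bound to 0.0.0.0 or :: are the ones a firewall prompt about "acting as a server" is about.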
All those bells and whistles of the "Personal Firewalls", all those "Trust levels" and "Super Trust levels" just hide, that the concepts of the "Personal Firewalls" are b0rken completely. They cannot lead to more security, but are confusing users like you and the OP, and giving a totally wrong feeling of security.
You cannot say what happens, when you read the question Zonealarm asked the OP - the question was just useless. So talking about "Trust Levels", "Super Trust Levels" and "Smart Defense Advisors" is only window-dressing.
And this is, why I don't think, that "Personal Firewalls" help to improve security at all.
What to do then?
- remove Zonealarm
- use the Windows-Firewall or do something like
*BEFORE* you connect to the network again
- don't use the browser, which supports ActiveX and ActiveScripting, namely don't use Internet Explorer
- don't use the MUAs, which support ActiveScripting or even ActiveX, namely don't use Outlook or Outlook Express
- Keep your system up to date
- Keep every program up to date, which you're using to communicate in the network or in other ways; this includes MUA, browser but also Office programs like your wordprocessor or your spreadsheet application, if you're exchanging such documents with other people
- don't trust in what you're receiving by E-Mail without thinking about it at least one time per mail ;-)
- a Virus Scanner could help you - but be aware, Virus Scanners cannot guarantee that you don't get viruses any more, they're just filtering out the well known ones, so keep careful
All very well but this PC is not for my exclusive use - it's a family computer and my wife and adult son use it too - they are not particularly PC-savvy; they will use IE, even though I tend to use Firefox.
dr. roro rororo wrote in news: email@example.com:
The end-user did everything alright about what? The end-user doesn't even know what he did or what he stopped. I don't mess with svchost.exe (period) and I think that most that do know about the NT based O/S know not to mess with its ability to communicate on the network LAN or WAN, because that's its job it's the messenger. One doesn't kill the messenger. One finds out what is trying to use the messenger and kills that if necessary.
It's just another put it in your face message that PFW's whine about 99.9% of the time whining about nothing with the end-user actually thinking he or she has done something security-wise. I would go 100% but that's pushing it.