Outpost Users Support Forum  
Outpost User Operated Support Forum
Agnitum Outpost Pro Release (OP, OSS, AV): 2009 (6.7.3.3058) [08-FEB-2010]
www.agnitum.com


#1  04-30-2002, 06:20 AM
Falke (Member; joined Apr 2002; 87 posts)
svchost.exe and rule-settings

Today I installed Windows XP Pro.

Two questions:
Can I import the rule settings of Outpost under W98 without problems to Outpost under Win XP?
Does anybody know how to handle svchost.exe? Some things that should be blocked? Or can I allow all?

Falke
__________________
ll ll ll

Go Go Germany

Last edited by Falke; 04-30-2002 at 06:23 AM.
#2  04-30-2002, 06:58 AM
MegaHertz (Beta Tester; Idaho; joined Jan 2002; 3,951 posts)
Falke

Quote:
Can I import the rule settings of Outpost under W98 without problems to Outpost under Win XP?
I suspect as long as the apps are the same it would work, but I'm not sure on that (I don't think that there is an import option for rules. Yet). You may try using the old config file, I don't think the config file is affected by OS (just make sure you switch back to rules mode to cover anything that may pop up).

Quote:
Does anybody know how to handle svchost.exe? Some things that should be blocked? Or can I allow all?
On my system I have to allow svchost.exe for DNS and DHCP. My rules for it however are very strict. I would recommend you go to BlackViper.com and read up on the services and disable all the unnecessary ones.

P.S. I would never allow all if you can avoid it.

Last edited by MegaHertz; 04-30-2002 at 07:08 AM.
#3  04-30-2002, 10:12 AM
Falke (Member; joined Apr 2002; 87 posts)
I have already imported the old cfg file, but I was not sure if everything would function correctly then.

Thanks for your advice on svchost.exe.
I will look at Black Viper's site.

Falke

Last edited by Falke; 06-03-2002 at 10:18 AM.
#4  05-01-2002, 04:35 PM
David (Administrator; Keller, TX USA; joined Mar 2002; 5,173 posts)
Hi Falke,

I have done a lot of work and posting regarding svchost.exe. By now you have probably got some insight from the Microsoft Knowledge Base or the excellent site by Black Viper. Currently, I have three separate configurations that people can try. Two of them are variations of the same idea. Your choice regarding each set will depend on your sensitivity to security and privacy and your trust of Microsoft. I will also list some general advice based on recent experiences and a few good websites.

SVCHOST.EXE Setup #1

Setup number one is simple. DO NOT CREATE A RULE for SVCHOST.EXE. Make sure there is no listing for this executable under Trusted, Partially Allowed, or Blocked Applications. Be aware that you may have to "double click" on "Trusted", "Partially Allowed", or "Blocked" in order to verify that svchost.exe does not exist under any of these headings. Sometimes the program listing can be collapsed under these headings in the same way that you can collapse and expand directories in Windows Explorer File Manager. Another important step is to NEVER run a security scan at an online scanning site unless your Outpost Firewall is in the "Block Most" mode. Many scanning sites may invoke SVCHOST.EXE by requesting a connection to one of the services that it controls. You will not see these warnings if you are in "Block Most Mode". In fact, it is my opinion that the firewall should only be in Rules Wizard Mode under three conditions:
1. New Outpost Installation
2. Troubleshooting a Connection Issue
3. Setting Up a Rule for a Newly Installed Application

SVCHOST.EXE Setup #2

This setup involves creating rules for SVCHOST.EXE. In this case you will have a rule in the list for SVCHOST.EXE under Partially Allowed Applications. The only rule that I have ever had to create was the following.
Where the protocol is UDP
Where the host is: 239.255.255.250
Where the remote port is: 1900
Allow It.
The remote host mentioned is IANA, the Internet Assigned Numbers Authority. I am not sure about the nature of this communication with IANA. It may be for some kind of Domain Name Resolution.

SVCHOST.EXE Setup #3

This setup involves setting up a rule exactly like the rule created in setup 2. However, the action chosen is "Deny It".
Any one of the three setups described is probably reasonably secure, even number two, since only one, probably trustworthy remote address is used. Since I am uncertain about the nature of the communication with IANA, I would suggest setup one or three for anyone very sensitive about privacy and security.

A little extra information.

EXPLORER.EXE

Sometimes Windows Explorer will ask for permission to access the internet. You can follow any of the suggestions, one, two, or three for EXPLORER.EXE. The only difference is the Remote Host and the Remote Port. Here is a rule.
Where the protocol is TCP
Where the direction is Outbound
Where the host is sa.windows.com
Where the Remote Port is HTTP
Allow it OR Deny It, it is your choice, or do not create any rule at all, as in Setup one for svchost.exe above. Sometimes it may be best to create the rules for an executable like svchost.exe and choose "Deny It". "Allow It" can also be chosen if you do not care about contact between your system and the sites mentioned above. I would not allow any other remote hosts for either of them though. The reason for this is that if you are in Rules Wizard Mode, you will see fewer incidental popups regarding those executables. But, as I said, "Block Most" is the best place to be almost all of the time. One last piece of advice regarding rule setting for these Applications. Your Remote Port may vary depending on whether you use a LocalProxy or an ISP proxy. I do not use these, so I do not know how the Popup box will appear for these executables. Regardless, the same methods for setting up the rule for these executables apply.

I have tried all of the setups listed above and all have worked without incident. So, anyone applying those methods should not experience problems. The only reason that I have experimented with so many different setup methods has just been curiosity. Currently, I am trying to set up everything on a rule by rule basis to better understand the connections that different applications need or do not need. It takes a lot of patience....

Concerning some of the services on XP. Most likely you can STOP and then set to DISABLED the Universal Plug-n-Play Service (UPnP) and the Simple Service Discovery Protocol Rule (SSDP). UPnP uses port 5000 and SSDP is responsible for using port 1900. Then you should not get any popups regarding these at all. I also worked with my system with these services enabled and disabled with no adverse side effects either way. My opinion is that almost 100% of the people out there can disable these services with no issue. There will certainly be no system crashes related to disabling these services.

Concerning Trusted and Blocked Applications. My opinion is that only programs that you wrote or that come from a highly trusted source should be in Trusted Applications. And, the only applications that I would add under blocked would be suspicious programs that I initially suspect are trojans. Then I would delete the rule as soon as I removed the trojan with an effective removal tool like Tauscan. This way, I can check the effectiveness of the removal process. I think that this is pretty much consistent with the advice in the Outpost Manual.

Sorry about the long message. I just wanted to try to provide as many options as possible to suit everyone's taste. Below are a few links to some helpful sites.

Microsoft Support Article Concerning Svchost.exe
http://support.microsoft.com/default...;EN-US;q250320

Information on Windows Services (listed previously in this thread)
Windows 2000
http://www.blkviper.com/WIN2K/servicecfg.htm
Windows XP
http://www.blkviper.com/WinXP/servicecfg.htm

Good places to look up IP addresses:
www.arin.net (American Registry)
www.ripe.net (European Registry)
www.apnic.net (Asia-Pacific Registry)

Good Places for general and application port information:
http://www.iana.org/assignments/port-numbers (General)
http://www.practicallynetworked.com/..._port_list.htm
Each of these port lists is extensive. Just scroll down.

And, of course the Outpost manual can be found in the download section of www.agnitum.com

Well, I hope that I helped more than confused anyone reading this message. Again, nobody should experience any problems with any of the setups that I listed above. I've tested them all.

Good Luck..

Best Regards,
David

Last edited by David; 05-01-2002 at 06:57 PM.
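To make the three svchost.exe setups concrete, here is an added example (mine, not from the thread or from Agnitum) that models the filtering as a small Python rule evaluator. Global rules being checked before application rules, and the mode defaults, are assumptions of the model; the connection attempts are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Simplified model: global rules (which do not show up in the application lists) are
# checked first, then the application's own rules, and anything unmatched falls through
# to the mode's default. That ordering is an assumption of this model.

@dataclass(frozen=True)
class Rule:
    app: Optional[str]          # None = global rule, applies to every process
    proto: str                  # "UDP" or "TCP"
    direction: Optional[str]    # "Outbound", "Inbound" or None for either
    remote_host: Optional[str]  # None = any remote host
    remote_port: Optional[int]  # None = any remote port
    action: str                 # "Allow" or "Deny"

@dataclass(frozen=True)
class Conn:
    app: str
    proto: str
    direction: str
    remote_host: str
    remote_port: int

def matches(rule: Rule, conn: Conn) -> bool:
    return (rule.app in (None, conn.app)
            and rule.proto == conn.proto
            and rule.direction in (None, conn.direction)
            and rule.remote_host in (None, conn.remote_host)
            and rule.remote_port in (None, conn.remote_port))

def decide(conn: Conn, global_rules: List[Rule], app_rules: List[Rule], mode: str) -> str:
    """Return "Allow", "Deny", or "Prompt" (a Rules Wizard popup for unmatched traffic)."""
    for rule in [*global_rules, *app_rules]:
        if matches(rule, conn):
            return rule.action
    return "Deny" if mode == "Block Most" else "Prompt"

# The global DNS rule described in this thread and the three svchost.exe setups above.
GLOBAL_RULES = [Rule(None, "UDP", "Outbound", None, 53, "Allow")]
SSDP_RULE = Rule("svchost.exe", "UDP", None, "239.255.255.250", 1900, "Allow")
SETUPS = {
    1: [],                                    # setup 1: no rule at all
    2: [SSDP_RULE],                           # setup 2: allow the one observed flow
    3: [replace(SSDP_RULE, action="Deny")],   # setup 3: same rule, Deny It
}

# Constructed connection attempts, not captured data (198.51.100.1 is a documentation address).
SSDP = Conn("svchost.exe", "UDP", "Outbound", "239.255.255.250", 1900)
DNS_UDP = Conn("svchost.exe", "UDP", "Outbound", "198.51.100.1", 53)
DNS_TCP = Conn("svchost.exe", "TCP", "Outbound", "198.51.100.1", 53)

def outcomes(conn: Conn, mode: str) -> dict:
    """Decision for one connection under each of the three setups."""
    return {n: decide(conn, GLOBAL_RULES, rules, mode) for n, rules in SETUPS.items()}
```

The DNS_TCP case shows why a TCP 53 popup can still appear in Rules Wizard mode even though UDP 53 is covered globally.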
#5  05-01-2002, 06:59 PM
David (Administrator; Keller, TX USA; joined Mar 2002; 5,173 posts)
To anyone reading the reply by me above, please be aware that I modified my original post slightly to reflect that SSDP uses UDP port 1900, not TCP. Anyway, the above message has been corrected also. Sorry if that mistake caused anyone a problem.

Thanks,
David
#6  05-07-2002, 10:21 AM
Falke (Member; joined Apr 2002; 87 posts)
Hi David

Thank you very much for your help :-)
I disabled SSDP and now svchost.exe needs no configuration anymore and I'm running Outpost in Block Most Mode.
The only thing left is DNS resolving, but I never got a pop-up from Outpost to make a rule. It is allowed without asking me. Is this normal?

Falke

Last edited by Falke; 06-03-2002 at 10:18 AM.
#7  05-07-2002, 11:29 AM
David (Administrator; Keller, TX USA; joined Mar 2002; 5,173 posts)
Hi Falke,

I believe this is normal. There is a Global Rule to allow DNS on UDP port 53. I think that is the correct port and protocol.

svchost.exe seems to be involved in DNS resolution and is necessary to browse the web. In a way, even if you do not have any extra rule created for svchost.exe, you always have the Global rule for DNS which uses svchost.exe. Global rules do not show up in the Applications Lists. svchost.exe controls many functions, but like you, I only want svchost.exe allowed for DNS, nothing else.

If you want to see where the rule is to allow DNS, you must go to Options -> System and click on settings under Global Applications and System rules. You will be able to inspect the rules there. These rules are the reason that you were not asked about DNS.

Hope that answered your question. I was starting to confuse myself.

I think everything that you described is NORMAL....

David

Last edited by David; 05-07-2002 at 11:36 AM.
#8  05-07-2002, 11:53 AM
Falke (Member; joined Apr 2002; 87 posts)

thanks again :-)
Yes, this answered my question...

Last edited by Falke; 06-03-2002 at 10:18 AM.
#9  05-09-2002, 02:40 PM
Le Prechaun (Junior Member; Finland; joined Mar 2002; 25 posts)
Quote:
I believe this is normal. There is a Global Rule to allow DNS on UDP port 53. I think that is the correct port and protocol.
That's correct. But not as widely known is that in some situations DNS can use TCP port 53, too. Such a situation is e.g. when the size of the DNS response exceeds 512 bytes. Then your box issues the request again, using TCP instead of UDP.

Just came to my mind...
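Le Prechaun's point is the reason a ruleset that allows only UDP 53 can stall name resolution on large answers. The added example below (mine, not from the thread) builds a minimal DNS query, decodes the header flags, shows the TC-bit check that triggers the TCP retry, and the two-byte length prefix DNS uses over TCP; the query name, transaction ID and server reply are constructed.

```python
import struct

UDP_LIMIT = 512  # classic maximum DNS payload over UDP (RFC 1035); larger answers set TC

def build_query(qname: str, txid: int) -> bytes:
    """Standard query for an A record: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

def parse_header(msg: bytes) -> dict:
    """Decode the fields a firewall or resolver needs: ID, QR, TC, RCODE and counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}

def needs_tcp_retry(udp_response: bytes, query_id: int) -> bool:
    """True when the UDP answer matches our query and was truncated (TC=1), which is
    exactly the case in which the resolver reissues the same query over TCP 53."""
    h = parse_header(udp_response)
    return h["id"] == query_id and h["qr"] == 1 and h["tc"] == 1

def tcp_frame(msg: bytes) -> bytes:
    """Over TCP each DNS message is prefixed with its length as a 2-byte big-endian
    integer (RFC 1035 section 4.2.2); that prefix is how the stream is split into messages."""
    return struct.pack("!H", len(msg)) + msg

def truncated_response_for(query: bytes) -> bytes:
    """Constructed server reply: same ID and question, QR/TC/RD/RA set, no answer records,
    the shape a server uses when the full answer does not fit in UDP_LIMIT bytes."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0200 | 0x0100 | 0x0080  # QR, TC, RD, RA
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]
```

With the global rule in this thread covering only UDP 53, a TC=1 reply means the retry is an outbound TCP 53 connection to the same resolver, which is the flow a matching TCP rule would need to cover.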
#10  05-20-2002, 03:39 PM
Alan Guy (Member; Denton, Maryland, USA; joined Sep 2001; 59 posts)
Quote:
Originally posted by David

svchost.exe, seems to be involved in DNS resolution and is necessary to browse the web. In a way, even if you do not have any extra rule created for svchost.exe, you always have the Global rule for DNS which uses svchost.exe. Global rules do not show up in the Applications Lists. svchost.exe controls many functions, but like you, I only want svchost.exe allowed for DNS, nothing else
That caught my attention because on my Win2000 it's the services and controller app (services.exe) which does the dns work. So I did a little checking and it appears that for XP, svchost.exe handles the dns, but on Win2000 it's services.exe that does it.

I actually have svchost.exe totally blocked with no ill effects. And my services.exe is allowed ONLY for dns. Again this is on a stand-alone Win2000 Pro, dial-up.

I understand you were discussing XP, but I just didn't want someone mistakenly thinking that it's svchost that does the dns on ALL Windows machines.
__________________
Alan

Free Upgrades For Life ...Hot cha, cha, cha, cha, cha!!!
#11  05-20-2002, 04:25 PM
David (Administrator; Keller, TX USA; joined Mar 2002; 5,173 posts)
Hi Alan,

That is a great catch. Thank you. I went straight from Me to XP, so I have no experience with Windows 2000. But, I do have a question for you. If there is a global rule for DNS, why did you need to create a rule for it under the application services.exe? The global rule seems to handle svchost.exe and accessing the DNS just fine on my PC. I think that if you deleted the rule that you have for services.exe and DNS, you would be OK. The global rule allows for DNS through UDP 53. I am only GUESSING, but I have a feeling that the rule that you created for services.exe is probably for TCP 53. Occasionally if I am in Rules Wizard mode, I will get a popup for creating a rule for svchost.exe TCP 53, but I just press block once. In fact, most of the time, I am in 'Block Most' mode, so I do not get that popup at all. The only rule that I have ever needed is the Global Rule for UDP 53. Check your settings for services.exe (DNS) and try what I have recommended here and let me know. I do not think you will have any problems getting rid of your services.exe DNS rule if you use the global rule, but please verify this if you get time.

Thanks again,
David

Last edited by David; 05-20-2002 at 04:35 PM.
#12  05-21-2002, 01:36 PM
Alan Guy (Member; Denton, Maryland, USA; joined Sep 2001; 59 posts)
Hi David,
Quote:
Originally posted by David
If there is a global rule for DNS, why did you need to create a rule for it under the application services.exe? The global rule seems to handle svchost.exe and accessing the DNS just fine on my PC. I think that if you deleted the rule that you have for services.exe and DNS, you would be OK. The global rule allows for DNS through UDP 53. I am only GUESSING, but I have a feeling that the rule that you created for services.exe is probably for TCP 53.
No, my rule for services.exe is for UDP, Outbound, Remote Port 53 and for my ISP's 3 DNS IPs only. My Global DNS Rule is deleted.

The main reason I made my own rule is that the *fun* part of firewalls (for *me*, and the best way for me to learn) is to delete all the out-of-the-box default rules; turn on a packet sniffer; connect to my ISP and one-at-a-time create rules to make things work. I don't need the sniffer that much anymore, though.

When a transaction won't work for me, I switch off the firewall, switch on a packet sniffer and perform the task, then log off. Then look at the packets to see what protocols, ports and IPs were involved in the transaction; switch on the fw again, build the necessary rules, log back on and test and tweak.

In awhile you learn what rules are necessary to do what you need to do, whether VPN, ftp, pcAnywhere, IRC or anything else - and build YOUR rules for YOURself. If a desired transaction fails - switch on the packet sniffer and quickly see why. That's just my preference, though. Obviously there's a need for good *default* rules. That's how we ALL start, right?

Sooo... I uncheck the Global Rules to start with, and build my own rules - under Applications, mainly.
Quote:
Occasionally if I am in Rules Wizard mode, I will get a popup for creating a rule for svchost.exe TCP 53, but I just press block once. In fact, most of the time, I am in 'Block Most' mode, so I do not get that popup at all. The only rule that I have ever needed is the Global Rule for UDP 53.
I stay in Rules Wizard mode, but really only because there's no *Build All Your Own Rules* mode. And really, and especially for a newbie, the Pop-ups help one learn what's necessary for a given transaction to happen if you haven't made a rule to allow it yet. So even though I feel pretty competent at building rules - I stay in Rules Wizard Mode. It also saves having to fire up the packet sniffer sometimes.
Quote:
I do not think you will have any problems getting rid of your services.exe DNS rule if you use the global rule...
Oh I already know that that works. As I said, I just prefer to build my own rules: Inbound, Outbound, Ports, Protocols and Applications.

I wasn't saying I had a problem with services.exe or with DNS, I'm doing fine here. I just wanted to point out that DNS is not universally handled by svchost.exe in all Windows OSes. On Win2000 it's the Services and Controller APP or services.exe.

Take care, David.
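Alan's method of building rules from a sniffer capture can be partly automated. The added example below (mine, not from the thread) parses constructed sniffer-style lines and collapses them into one candidate rule per application, protocol, direction and port, listing only the remote hosts actually observed, as in his services.exe rule for his ISP's three DNS servers; the log format, process names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sniffer-style lines, not real capture data: time, process, protocol,
# local socket, arrow ("->" outbound, "<-" inbound), remote socket.
CAPTURE = """\
10:01:02 services.exe UDP 192.168.1.10:1027 -> 198.51.100.1:53
10:01:02 services.exe UDP 192.168.1.10:1027 -> 198.51.100.2:53
10:01:05 services.exe UDP 192.168.1.10:1028 -> 198.51.100.3:53
10:01:07 svchost.exe  UDP 192.168.1.10:1900 -> 239.255.255.250:1900
10:01:09 svchost.exe  UDP 127.0.0.1:1900 <- 127.0.0.1:1031
10:01:12 iexplore.exe TCP 192.168.1.10:1032 -> 203.0.113.8:80
10:01:15 iexplore.exe TCP 192.168.1.10:1033 -> 203.0.113.9:80
"""

LINE = re.compile(r"^\S+\s+(\S+)\s+(TCP|UDP)\s+(\S+):(\d+)\s+(->|<-)\s+(\S+):(\d+)$")

def parse_capture(text: str):
    """Yield (app, proto, direction, port_kind, port, remote_ip) for each parsed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines the sniffer printed in some other format
        app, proto, _lip, lport, arrow, rip, rport = m.groups()
        if arrow == "->":
            # Outbound: the rule keys on the remote (service) port.
            yield app, proto, "Outbound", "Remote Port", int(rport), rip
        else:
            # Inbound: the rule keys on the local port that was contacted.
            yield app, proto, "Inbound", "Local Port", int(lport), rip

def derive_rules(text: str) -> list:
    """One candidate Allow rule per (app, proto, direction, port), restricted to the
    remote hosts actually seen, so a rule is never broader than the observed traffic."""
    seen = defaultdict(set)
    for app, proto, direction, kind, port, rip in parse_capture(text):
        seen[(app, proto, direction, kind, port)].add(rip)
    return [
        {"app": app, "proto": proto, "direction": direction, "port_kind": kind,
         "port": port, "remote_hosts": sorted(hosts), "action": "Allow"}
        for (app, proto, direction, kind, port), hosts in sorted(seen.items())
    ]

def loopback_only(rule: dict) -> bool:
    """True when every peer is 127.x, i.e. the flow never leaves the machine."""
    return all(h.startswith("127.") for h in rule["remote_hosts"])

def describe(rule: dict) -> str:
    """Render a rule the way one would type it into the rule editor."""
    return (f'{rule["app"]}: {rule["proto"]} {rule["direction"]}, {rule["port_kind"]} '
            f'{rule["port"]}, hosts {", ".join(rule["remote_hosts"])} -> {rule["action"]}')
```

Rules flagged by loopback_only are the "incoming on 1900 through the loopback rule" case mentioned later in the thread, where no outside host is contacted.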
#13  05-21-2002, 03:29 PM
David (Administrator; Keller, TX USA; joined Mar 2002; 5,173 posts)
Hi Alan,

Thanks for the very complete reply. Actually, my situation is kind of a hybrid of yours. I rarely use the presets for applications, and even if I do, I edit the rules once they are set in order to tighten them up as much as I can get them without causing great inconvenience. As far as the global rules go, I have looked at them all but have not edited or added to them yet. But, I do see a great deal of wisdom in specifying only your ISP DNS machines in your rules and will make similar changes to my configuration. In addition, I will scrutinize the other global rules over the coming days and maybe make some changes there also. The technique of using the sniffer to see what is going on with your system ports and then applying what you learn to rule setting is OUTSTANDING. In fact, I hope that some other users will pick up on that and give it a try on those applications they are having difficulty using. It is a very good method. I have one utility that I can use for the same purpose if I need to. I was about to ask you why you used a sniffer when Agnitum does not recommend it. But, you already answered that question when you commented about shutting down the Firewall and Service before operating the port sniffer.

Well, this has been good dialog for me, especially since I moved directly to XP and skipped 2000. Thanks for the dialog. I think that many people, especially new users will find the dialog in this thread educational.

Best Regards,
David
#14  06-01-2002, 03:16 AM
mengano (Junior Member; joined May 2002; 26 posts)
Interesting options, but none of them work. Blocking svchost.exe prevents me from connecting to the cable network using WinXP Pro, and I must allow DHCP for renewal of the IP as required by my connection. Viper did not help that much, and the last time I used a few of his suggestions I could not get WinXP to boot. OK, I must admit that was six months ago, so he's changed a few of his suggestions, I noticed, hehe!
#15  06-01-2002, 03:32 AM
David (Administrator; Keller, TX USA; joined Mar 2002; 5,173 posts)
Hi mengano,

If you set up the rules properly, svchost.exe should only be communicating with the DNS server or possibly localhost.

It is important to take a look at the LOCAL ADDRESS and the REMOTE HOST. On my system, I see svchost.exe incoming on 1900 but through the loopback rule. NO REMOTE HOST IS CONTACTED.

If you see an outside host connected to any port but DNS through svchost.exe, then you have set up the rules improperly.

As far as DHCP goes, that is handled by a GLOBAL rule. So, you will have no problem getting your IP unless an application rule is set up to deny this. There is NO reason why you cannot set up the rules as outlined above and be successful.

I use WinXP home. And, I assure you that rules you need to set up for this firewall concerning svchost.exe will be no different than stated here.

I have used these rules for several months and have tested these rules on multiple online security scanning sites. The results of all of those security checks met or exceeded my expectations. In all cases, the results showed my PC completely stealth. Additionally, I have not had any issues with online exploit or privacy tests.

I will be online later to help if you need further assistance refining your ruleset. With a little time, I am pretty sure that we can create a configuration that you will be happy with.

Be patient and keep working with it....you will get there.

Last edited by David; 06-01-2002 at 07:46 PM.