Outpost Users Support Forum  
11-12-2005, 03:27 AM
A884126 (Beta Tester)

SVCHOST: UDP inbound connection

Hello,

I often get some inbound connection from remote addresses (check image attached)

I made a rule to block everything as UDP, Inbound, Port 1026.

Good thing?

Cheers
[Attached image: OP Svchost.gif]
__________________
ADSL2+/ASUS P4P800 Deluxe (HT enabled - Bios 1019)/P4 3E/1Go Winbond PC3200 Dual/WinFast A380 Ultra THD 256DDR/Audigy Player/Maxtor DiamondMax 9 60Go+80Go+200Go/WD Special Ed.120Go/Plextor PX-W4012A/Toshiba SD-M1712/HP5710C/Canon PIXMA iP3000
Windows XP Pro SP2.
Browser: Maxthon 1.5.9 build 80 (Unicode)
Resident progs: OP latest beta with Blockpost (BLM 2.6.5)/Symantec AntiVirus 10.1.5.5010/Hosts Manager 2.0.1.0/SpywareBlaster 3.5.1/ProcessGuard 3.410/Wormguard 3

11-12-2005, 04:07 AM
nippauls (Outpost Veteran)

Hello A884126,
As UDP is a directionless protocol, you may find your rule doesn't work properly.
It might be better to make any rules allowing what you want for UDP within Svchost, e.g. DNS... then make a rules below blocking UDP.
Paul

11-12-2005, 10:32 PM
Paranoid2000 (Super Moderator)

A884126,

You need to create a proper ruleset for svchost to avoid popups. This has been discussed at length in threads here, here and here to take a few examples. Svchost rules are also covered in detail in section E2 of A Guide to Producing a Secure Configuration for Outpost.

11-21-2005, 10:42 AM
A884126 (Beta Tester)

I know, I know guys, but all my svchost.exe rules always end up with a system which does not work at the end.
Sorry Paranoid, I follow your rules but I never found the right config to get a smooth system.

11-21-2005, 06:38 PM
nippauls (Outpost Veteran)

Hello again 884126,
If you want to write your Svchost rules here we can look at them for you.
However, some of your problems may be resolved, once your rules have been created, by going into block most mode.
Rules Wizard is meant to be for short-term use only and doesn't provide optimum protection.
If you want to try my Svchost rules as an experiment, maybe they will work for you; they have helped others:

SVCHOST RULES FOR OUTPOST PRO

ALLOW MS UPDATE
TCP
OUTBOUND
REM HOST: download.microsoft.com, download.windowsupdate.com, hm.msn.com, update.microsoft.com, stats.update.microsoft.com
ALLOW

ALLOW UDP DNS
UDP
REM HOST: YOUR ISP DNS SERVER IP ADDRESSES & ROUTER IP
ALLOW

BLOCK UNKNOWN PROTOCOLS OUT
WHERE DIRECTION IS OUTBOUND
BLOCK

BLOCK UNKNOWN PROTOCOLS IN
WHERE DIRECTION IS INBOUND
BLOCK

Paul

11-21-2005, 11:17 PM
A884126 (Beta Tester)

nippauls,

Actually, OP is now in block most mode. FYI, all OP settings have been set following strictly our friend Paranoid's recommendations. I might admit that some of the Global Rules fill in the blocked connections log pretty fast, which makes me think that I might have done something wrong there.

Anyway these are my svchost.exe rules in the following order.
Thanks

Allow DNS UDP
UDP
Remote Host: my FAI DNS
Remote Port: DNS
Allow

Allow DNS TCP
TCP
Outbound
Remote Host: my FAI DNS
Remote Port: DOMAIN
Allow

Possible Trojan DNS UDP
TCP
Outbound
Remote Port: DOMAIN
Block & Report

Block Incoming SSDP
UDP
Local Port: 1900
Block

Block Incoming SSDP
UDP
Remote Port: 1900
Block

Block Incoming UPnP
TCP
Inbound
Local Port: 5000
Block

Block Incoming UPnP
TCP
Outbound
Remote Port: 5000
Block

Block RPC TCP
TCP
Inbound
Local Port: DCOM
Block

Block RPC UDP
UDP
Remote Port: 135
Block

Allow DHCP Request
UDP
Remote Host: 255.255.255.255
Remote Port: BOOTPS
Local Port: BOOTPC
Allow

Allow Help Web Access
TCP
Outbound
Remote Port: HTTP, HTTPS
Allow

Allow Time Synchronisation
UDP
Remote Host: 207.46.130.100, 192.43.244.18
Remote Port: 123
Allow

Block Other TCP Traffic
TCP
Outbound
Block

Block Other TCP Traffic
TCP
Inbound
Block

Block Other UDP Traffic
UDP
Block

11-21-2005, 11:58 PM
nippauls (Outpost Veteran)

Hi 884126,
The screenshot in your original posting confused me as this should only ever appear in Rules Wizard mode, certainly not in Block Most. So if you are now in Block Most, you should no longer be getting this pop-up.

I will paste your svchost rules below and make some comments on them: Paranoid's guide is excellent for people getting acquainted with Outpost as they can see many, clear and precise rules and understand what each rule does.

However, some of your rules are weak and basically allow svchost to do anything it wants. My short ruleset I posted is much tighter and more secure, but my learning started with Paranoid's rules and then with experience and practice I developed my own that are less clear, but somewhat tighter.

Your rules:

Allow DNS UDP
UDP
Remote Host: my FAI DNS [Paul: This should have your router IP (if applicable) and also your TWO primary and TWO secondary DNS addresses. Same applies to the TCP DNS rule.]
Remote Port: DNS
Allow


Allow DNS TCP
TCP
Outbound
Remote Host: my FAI DNS
Remote Port: DOMAIN
Allow

Possible Trojan DNS UDP
TCP
Outbound
Remote Port: DOMAIN
Block & Report

What about a Possible Trojan TCP rule????

Block Incoming SSDP
UDP
Local Port: 1900
Block

Block Incoming SSDP [Paul: DUPLICATED, THE RULE ABOVE IS THE SAME, AND UDP HAS NO DIRECTION, IT IS A DIRECTIONLESS PROTOCOL]
UDP
Remote Port: 1900
Block

Block Incoming UPnP
TCP
Inbound
Local Port: 5000
Block

Block Incoming UPnP [Paul: SHOULD BE NAMED OUTGOING]
TCP
Outbound
Remote Port: 5000
Block

Block RPC TCP
TCP
Inbound
Local Port: DCOM
Block

Block RPC UDP
UDP
Remote Port: 135
Block

Allow DHCP Request [Paul: IS THIS NECESSARY?]
UDP
Remote Host: 255.255.255.255
Remote Port: BOOTPS
Local Port: BOOTPC
Allow

Allow Help Web Access [Paul: THIS RULE BASICALLY GIVES SVCHOST PERMISSION TO DO ANYTHING IT WANTS. SERIOUSLY UNWISE.]
TCP
Outbound
Remote Port: HTTP, HTTPS
Allow

Allow Time Synchronisation
UDP
Remote Host: 207.46.130.100, 192.43.244.18
Remote Port: 123
Allow

Block Other TCP Traffic
TCP
Outbound
Block

Block Other TCP Traffic
TCP
Inbound
Block

Block Other UDP Traffic
UDP
Block

I hope my comments make sense and help you to decide what you want to achieve. Any questions, please post again.... you could always try my rules.... very tight and very simple. You have started on the path of learning, and with experimentation and perseverance you will be an expert before long.

Paul
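As an added example (not code from the thread or from Outpost), here is a small first-match evaluator in Python that runs both svchost rulesets above, A884126's list and Paul's four-rule set, over constructed sample connections, so you can see concretely why Paul flags "Allow Help Web Access" as letting svchost reach any web host and how the directionless UDP rules match. The DNS server address, the sample remote hosts and the local port numbers are assumed placeholders.

```python
# Added example (not from the thread or from Outpost): first-match evaluation
# of Outpost-style per-application rules. Rule contents come from the posts;
# the DNS address and the sample connections are constructed placeholders.

def rule(name, action, proto=None, direction=None, rhost=(), rport=(), lport=()):
    """None or empty means 'any'. UDP rules carry no direction (directionless)."""
    return dict(name=name, action=action, proto=proto, direction=direction,
                rhost=frozenset(rhost), rport=frozenset(rport), lport=frozenset(lport))

def matches(r, c):
    return ((r["proto"] is None or r["proto"] == c["proto"])
            and (r["direction"] is None or r["direction"] == c["dir"])
            and (not r["rhost"] or c["rhost"] in r["rhost"])
            and (not r["rport"] or c["rport"] in r["rport"])
            and (not r["lport"] or c["lport"] in r["lport"]))

def evaluate(ruleset, c):
    """First matching rule wins; unmatched traffic falls through to a prompt
    (Rules Wizard) or to the global rules (Block Most)."""
    for r in ruleset:
        if matches(r, c):
            return r["name"], r["action"]
    return "no match", "ask"

def conn(proto, direction, rhost, rport, lport=0):
    return dict(proto=proto, dir=direction, rhost=rhost, rport=rport, lport=lport)

DNS = ["192.0.2.53"]  # placeholder for the ISP DNS server ("my FAI DNS")
A884126_RULES = [     # the original poster's list, same order as posted
    rule("Allow DNS UDP", "allow", "UDP", rhost=DNS, rport=[53]),
    rule("Allow DNS TCP", "allow", "TCP", "out", rhost=DNS, rport=[53]),
    rule("Possible Trojan DNS UDP", "block", "TCP", "out", rport=[53]),
    rule("Block Incoming SSDP", "block", "UDP", lport=[1900]),
    rule("Block Incoming SSDP", "block", "UDP", rport=[1900]),
    rule("Block RPC TCP", "block", "TCP", "in", lport=[135]),
    rule("Allow Help Web Access", "allow", "TCP", "out", rport=[80, 443]),
    rule("Block Other TCP Traffic", "block", "TCP"),
    rule("Block Other UDP Traffic", "block", "UDP"),
]
NIPPAULS_RULES = [    # Paul's four-rule set, same order as posted
    rule("ALLOW MS UPDATE", "allow", "TCP", "out", rhost=["download.microsoft.com", "update.microsoft.com"]),
    rule("ALLOW UDP DNS", "allow", "UDP", rhost=DNS),
    rule("BLOCK UNKNOWN PROTOCOLS OUT", "block", direction="out"),
    rule("BLOCK UNKNOWN PROTOCOLS IN", "block", direction="in"),
]

# Constructed samples: svchost opening HTTPS to an arbitrary host, and the SSDP multicast from post #10
WEB_TO_UNKNOWN = conn("TCP", "out", "198.51.100.7", 443, 1026)
SSDP_MULTICAST = conn("UDP", "out", "239.255.255.250", 1900, 1900)
```

Under A884126's list the HTTPS connection to an unknown host is allowed by "Allow Help Web Access", while under Paul's set it falls to "BLOCK UNKNOWN PROTOCOLS OUT"; the inbound UDP 1026 from the first post is blocked by the catch-all rule in both sets.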

11-22-2005, 12:18 AM
A884126 (Beta Tester)

Paul, OK, I disabled all my rules except the "Time Synch" one, added yours and I will check how things run.

Thanks very much for your help.

11-22-2005, 12:30 AM
nippauls (Outpost Veteran)

A884126,
If you find the new rules stop something, look at the blocked log and make adjustments... it's all part of learning and understanding, but any time you are not sure, or need assistance, just post here
Let us know how you get on.
Paul

11-22-2005, 07:16 AM
Wild Cat (Junior Member)

May I jump in? A new Outpost user, just jumped in from NIS...
Started out by finding out about inbound LSASS, but that was clarified by reading the forum. Now about SVCHOST I have questions:

1) nippauls, what means "unknown protocol" in rules you cite? When I click the protocol "link" in rules I can only select TCP or UDP and I cannot leave the protocol unspecified (Outpost wouldn't let me)

2) Also you specify UDP rules with hostnames for windows update for SVCHOST. What about wuauclt.exe going through TCP? Are they working both in pair or being on WinXP I should rather specify those addresses for wuauclt than for SVCHOST?

3) I have some strange requests for Generic Host Process for Win32 (SVCHOST) requesting outbound on UDP 1900 at 239.255.255.250. When I block it, nothing bad happens. WTF???

4) Also, I have 3 predefined (if I didn't allow it myself mindlessly) rules for SVCHOST beginning with "SSDP Discovery Service" and "UPnP device host" (two of which request the same as the above UDP (one with IP), the third one an outbound TCP on port 2869) and one SSDP Legacy event notification (Outbound TCP :5000)

Does anyone have an idea what this is about?

11-22-2005, 07:28 AM
nippauls (Outpost Veteran)

Hello Wildcat,
Welcome to the Forums
I will try to answer your questions:

1) nippauls, what means "unknown protocol" in rules you cite? When I click the protocol "link" in rules I can only select TCP or UDP and I cannot leave the protocol unspecified (Outpost wouldn't let me)

In application rules, by "unknown" I mean "anything"... the rule is simple, you don't choose a protocol... quite simply you just choose "where the direction is inbound" and "block" and likewise for outbound. I find it works for any protocol, and remember there are a considerable number of different protocols that can be used on the internet.

2) Also you specify UDP rules with hostnames for windows update for SVCHOST. What about wuauclt.exe going through TCP? Are they working both in pair or being on WinXP I should rather specify those addresses for wuauclt than for SVCHOST?

wuauclt needs permissions for windows update, but so does svchost. If you give just one permission and deny the other, then your windows update won't function. Microsoft is sneaky and wants both.

3) I have some strange requests for Generic Host Process for Win32 (SVCHOST) requesting outbound on UDP 1900 at 239.255.255.250. When I block it, nothing bad happens. WTF???

My ruleset will block all that

4) Also, I have 3 predefined (if I didn't allow it myself mindlessly) rules for SVCHOST beginning with "SSDP Discovery Service" and "UPnP device host" (two of which request the same as the above UDP (one with IP), the third one an outbound TCP on port 2869) and one SSDP Legacy event notification (Outbound TCP :5000)

You REALLY don't need those
Once again, the rules I set out stop all those things

That said, I am currently assisting a user who has adopted my svchost and system rulesets to "adjust" them slightly to work on his system. Every system is slightly different, some are a lot different. The rules were written for my system and will often need tweaking to work successfully on other systems. The important thing is they are very simple and very safe rulesets.

Hope this helps,

Paul

11-22-2005, 07:28 AM
tony62 (Senior Member)

I believe that granting svchost any internet access is an avenue for attack. Although for some people there may be no alternative other than to let it have its certain permissions. In my case I have Windows Update removed, as I feel it is unnecessary on my system; the remaining services have also either been disabled/removed. There is one service however which is relatively important and that is WindowsTime; how do I get around that Timesync? With this setup, svchost isn't even in Outpost's Application rules, and never a prompt for it.
I know that some of you may disagree with the update side of life, besides if you really wanted your updates, then browse to Microsoft's update site.

11-22-2005, 07:30 AM
nippauls (Outpost Veteran)

Hi tony62,
time synchronisation can easily be done manually by double-clicking on the clock in the system tray and making the adjustments... I find twice a year works fine.
Paul

11-22-2005, 07:51 AM
tony62 (Senior Member)

Hi Paul,
I am aware that TimeSynchronization can be achieved this way, however being as it was the very last rule within svchost I couldn't help but be spiteful and take it away.

11-22-2005, 08:02 AM
nippauls (Outpost Veteran)

Oh right!
I don't have it either.