Firewall Setup...

Discussion in 'Computer Information' started by Global_Killa, Apr 1, 2004.

  1. Global_Killa

    Global_Killa Guest

    Hey all,
    I've been wondering for a while what svchost.exe application on my
    Windows XP is used for. I have to set a firewall rule for this application
    every time I format my computer, and I don't really know what I should allow
    it to do.

    The program's location is C:\Windows\system32\svchost.exe. If I block this
    program from accessing the Internet, it seems to stop Internet activity.

    Thanks for any advice.

    --
    Global_Killa
    "You're a victim of the rules you live by!"

    http://punkthenation.tk
    Global_Killa, Apr 1, 2004
    #1

  2. Global_Killa

    bearman Guest

    In Google, type in svchost.exe. Look at 69K+ responses.


    "Global_Killa" <> wrote in message
    news:c4i5ml$8bp$...
    > Hey all,
    > I've been wondering for a while what svchost.exe application on my
    > Windows XP is used for. I have to set a firewall rule for this application
    > every time I format my computer, and I don't really know what I should
    > allow it to do.
    >
    > The program's location is C:\Windows\system32\svchost.exe. If I block this
    > program from accessing the Internet, it seems to stop Internet activity.
    >
    > Thanks for any advice.
    >
    > --
    > Global_Killa
    > "You're a victim of the rules you live by!"
    >
    > http://punkthenation.tk
    >
    >
    bearman, Apr 2, 2004
    #2

  3. Global_Killa

    Duane Arnold Guest

    "Global_Killa" <> wrote in message
    news:c4i5ml$8bp$...
    > Hey all,
    > I've been wondering for a while what svchost.exe application on my
    > Windows XP is used for. I have to set a firewall rule for this application
    > every time I format my computer, and I don't really know what I should
    > allow it to do.
    >
    > The program's location is C:\Windows\system32\svchost.exe. If I block this
    > program from accessing the Internet, it seems to stop Internet activity.
    >


    As you can see, blocking svchost.exe stops your machine from accessing the
    Internet. Svchost.exe is just the messenger for the O/S and other programs
    and provides the communication link between machines on the LAN or WAN,
    along with doing many many other tasks for the O/S. One of the functions of
    svchost.exe is to provide the communication plumbing for the connection.
    Yes, Trojan and spyware can use svchost.exe on their behalf too, just like
    the O/S uses svchost to communicate. Should one kill the messenger or should
    one try to find what's using the messenger and kill it?



    http://ask-leo.com/archives/000030.html



    If svchost.exe is making connections to unknown remote IP(s), then by all
    means, one should question why and try to find out what is requesting that
    svchost provide the connection.



    You can find out by using Active Ports to see what remote IP(s) svchost.exe
    is connecting to, and you can use Process Explorer to look at what programs
    are using svchost.exe. Both of the utility programs are free (use Google).



    If svchost.exe is not running out of the path below (system32), then it's a
    Trojan.



    C:\Windows\system32\svchost.exe



    Don't kill the messenger and try to find out what is using the messenger. :)



    I don't stop svchost.exe (the messenger) from doing its job and let it run.



    Duane :).
    Duane Arnold, Apr 2, 2004
    #3
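
The checks described in the reply above (which path each svchost.exe runs from, what is using it, and which endpoints it talks to), as an added PowerShell example that is not part of the thread. It assumes Windows 8 / Server 2012 or later and an elevated prompt, and uses built-in cmdlets in place of Active Ports and Process Explorer; the SysWOW64 entry in the path list is an addition for 64-bit Windows.

```powershell
# Added example, not from the thread. Needs Windows 8 / Server 2012 or later
# (Get-NetTCPConnection); run elevated so every ExecutablePath is readable.

# Legitimate locations. The SysWOW64 copy exists only on 64-bit Windows.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# PID -> hosted services (the view Process Explorer or "tlist -v" gives).
$svcByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# PID -> TCP endpoints (the view Active Ports gives).
$tcpByPid = Get-NetTCPConnection |
    Group-Object -Property OwningProcess -AsHashTable -AsString

$report = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $id  = [string]$_.ProcessId
        $tcp = @($tcpByPid[$id] | Where-Object { $_ })
        [pscustomobject]@{
            PID       = $_.ProcessId
            # An empty Path means the query lacked rights, not that the file is bad.
            Path      = $_.ExecutablePath
            PathOK    = $expected -contains $_.ExecutablePath
            Services  = @($svcByPid[$id].Name) -join ', '
            Listening = @($tcp | Where-Object { $_.State -eq 'Listen' } |
                          ForEach-Object { $_.LocalPort } | Sort-Object -Unique) -join ', '
            Remote    = @($tcp | Where-Object { $_.State -eq 'Established' } |
                          ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
                          Sort-Object -Unique) -join ', '
        }
    }

# Unexpected paths sort to the top; each row shows who is "using the messenger".
$report | Sort-Object -Property PathOK, PID | Format-List
```

A row with `PathOK : False` and a non-empty `Path` is the case the reply calls out; a row with no `Services` but established remote connections is the next one to examine.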
  4. Global_Killa

    Global_Killa Guest

    "Duane Arnold" <> wrote in message
    news:XP1bc.160700$po.953163@attbi_s52...

    > As you can see, blocking svchost.exe stops your machine from accessing the
    > Internet. Svchost.exe is just the messenger for the O/S and other programs
    > and provides the communication link between machines on the LAN or WAN,
    > along with doing many many other tasks for the O/S. One of the functions
    > of svchost.exe is to provide the communication plumbing for the connection.
    > Yes, Trojan and spyware can use svchost.exe on their behalf too, just like
    > the O/S uses svchost to communicate. Should one kill the messenger or
    > should one try to find what's using the messenger and kill it?
    >
    > http://ask-leo.com/archives/000030.html
    >
    > If svchost.exe is making connections to unknown remote IP(s), then by all
    > means, one should question why and try to find out what is requesting that
    > svchost provide the connection.
    >
    > You can find out by using Active Ports to see what remote IP(s)
    > svchost.exe is connecting to, and you can use Process Explorer to look at
    > what programs are using svchost.exe. Both of the utility programs are free
    > (use Google).
    >
    > If svchost.exe is not running out of the path below (system32), then it's
    > a Trojan.
    >
    > C:\Windows\system32\svchost.exe
    >
    > Don't kill the messenger and try to find out what is using the messenger.
    > :)
    >
    > I don't stop svchost.exe (the messenger) from doing its job and let it
    > run.
    >
    > Duane :).


    Thanks for the advice.

    --
    Global_Killa
    "You're a victim of the rules you live by!"

    http://punkthenation.tk
    Global_Killa, Apr 2, 2004
    #4
  5. Global_Killa

    Guest

    Recently, "Global_Killa" <> created this
    masterpiece for the newsgroup archives:

    > Hey all,
    > I've been wondering for a while what svchost.exe application on my
    > Windows XP is used for. I have to set a firewall rule for this application
    > every time I format my computer, and I don't really know what I should allow
    > it to do.
    >
    > The program's location is C:\Windows\system32\svchost.exe. If I block this
    > program from accessing the Internet, it seems to stop Internet activity.
    >


    That program is a Windows service. It needs access to the internet, but
    it doesn't necessarily need server permissions. Never allow anything
    server permissions in your firewall rules unless you know it is
    necessary, and safe.

    RC
    , Apr 2, 2004
    #5
  6. Global_Killa

    Alan Illeman Guest

    "Duane Arnold" <> wrote in message
    news:XP1bc.160700$po.953163@attbi_s52...
    >
    > "Global_Killa" <> wrote in message
    > news:c4i5ml$8bp$...
    > > Hey all,
    > > I've been wondering for a while what svchost.exe application on my
    > > Windows XP is used for. I have to set a firewall rule for this
    > > application every time I format my computer, and I don't really know
    > > what I should allow it to do.
    > >
    > > The program's location is C:\Windows\system32\svchost.exe. If I block
    > > this program from accessing the Internet, it seems to stop Internet
    > > activity.
    > >
    >
    > As you can see, blocking svchost.exe stops your machine from accessing the
    > Internet.


    It doesn't in my case. Using Kerio, 'Network Security' I have denied both
    'Trusted in/out' and 'Internet in/out' access. In 'System Security' I permit
    it to 'Start', not to 'Modify', and permit 'Launching others'.

    From my logs, I seem to be getting a lot of TCP 'attacks' on svchost.exe,
    through local port 135, which is categorized as "epmap" DCE endpoint
    resolution. So without knowing what DCE is, maybe they are not 'attacks'
    at all :)
    Alan Illeman, Apr 2, 2004
    #6
  7. Global_Killa

    Michael-NC Guest

    Duane, I would recommend folks go to http://www.download.com to search for a
    recommended program. That way they can avoid malicious sites that pose
    as legitimate download sites or masquerade as the home of the application in
    question.

    That site has both apps, in their latest versions. I know, cause I just
    DL'ed them. Thanks.

    "Duane Arnold" <> wrote in message
    news:XP1bc.160700$po.953163@attbi_s52...
    >
    > "Global_Killa" <> wrote in message
    > news:c4i5ml$8bp$...
    > > Hey all,
    > > I've been wondering for a while what svchost.exe application on my
    > > Windows XP is used for. I have to set a firewall rule for this
    > > application every time I format my computer, and I don't really know
    > > what I should allow it to do.
    > >
    > > The program's location is C:\Windows\system32\svchost.exe. If I block
    > > this program from accessing the Internet, it seems to stop Internet
    > > activity.
    > >
    >
    > As you can see, blocking svchost.exe stops your machine from accessing the
    > Internet. Svchost.exe is just the messenger for the O/S and other programs
    > and provides the communication link between machines on the LAN or WAN,
    > along with doing many many other tasks for the O/S. One of the functions
    > of svchost.exe is to provide the communication plumbing for the connection.
    > Yes, Trojan and spyware can use svchost.exe on their behalf too, just like
    > the O/S uses svchost to communicate. Should one kill the messenger or
    > should one try to find what's using the messenger and kill it?
    >
    > http://ask-leo.com/archives/000030.html
    >
    > If svchost.exe is making connections to unknown remote IP(s), then by all
    > means, one should question why and try to find out what is requesting that
    > svchost provide the connection.
    >
    > You can find out by using Active Ports to see what remote IP(s)
    > svchost.exe is connecting to, and you can use Process Explorer to look at
    > what programs are using svchost.exe. Both of the utility programs are free
    > (use Google).
    >
    > If svchost.exe is not running out of the path below (system32), then it's
    > a Trojan.
    >
    > C:\Windows\system32\svchost.exe
    >
    > Don't kill the messenger and try to find out what is using the messenger.
    > :)
    >
    > I don't stop svchost.exe (the messenger) from doing its job and let it
    > run.
    >
    > Duane :).
    >
    >
    >
    Michael-NC, Apr 2, 2004
    #7
  8. Global_Killa

    Alan Illeman Guest

    "Alan Illeman" <> wrote in message
    news:...
    >
    > "Duane Arnold" <> wrote in message
    > news:XP1bc.160700$po.953163@attbi_s52...
    > >
    > > "Global_Killa" <> wrote in message
    > > news:c4i5ml$8bp$...
    > > > Hey all,
    > > > I've been wondering for a while what svchost.exe application on my
    > > > Windows XP is used for. I have to set a firewall rule for this
    > > > application every time I format my computer, and I don't really know
    > > > what I should allow it to do.
    > > >
    > > > The program's location is C:\Windows\system32\svchost.exe. If I block
    > > > this program from accessing the Internet, it seems to stop Internet
    > > > activity.
    > > >
    > >
    > > As you can see, blocking svchost.exe stops your machine from accessing
    > > the Internet.
    >
    > It doesn't in my case. Using Kerio, 'Network Security' I have denied both
    > 'Trusted in/out' and 'Internet in/out' access. In 'System Security' I
    > permit it to 'Start', not to 'Modify', and permit 'Launching others'.
    >
    > From my logs, I seem to be getting a lot of TCP 'attacks' on svchost.exe,
    > through local port 135, which is categorized as "epmap" DCE endpoint
    > resolution. So without knowing what DCE is, maybe they are not 'attacks'
    > at all :)


    Tlist -v (Win2K Pro SP4) reveals that one svchost thread is just using
    RpcSs, while another is using: EventSystem, Netman, NtmsSvc, Rasman,
    RemoteAccess, SENS and TapiSrv. Where do I find info about these?
    Alan Illeman, Apr 2, 2004
    #8
  9. Global_Killa

    Duane Arnold Guest

    "Alan Illeman" <> wrote in message
    news:...
    >
    > "Alan Illeman" <> wrote in message
    > news:...
    > >
    > > "Duane Arnold" <> wrote in message
    > > news:XP1bc.160700$po.953163@attbi_s52...
    > > >
    > > > "Global_Killa" <> wrote in message
    > > > news:c4i5ml$8bp$...
    > > > > Hey all,
    > > > > I've been wondering for a while what svchost.exe application on my
    > > > > Windows XP is used for. I have to set a firewall rule for this
    > > > > application every time I format my computer, and I don't really
    > > > > know what I should allow it to do.
    > > > >
    > > > > The program's location is C:\Windows\system32\svchost.exe. If I
    > > > > block this program from accessing the Internet, it seems to stop
    > > > > Internet activity.
    > > > >
    > > >
    > > > As you can see, blocking svchost.exe stops your machine from accessing
    > > > the Internet.
    > >
    > > It doesn't in my case. Using Kerio, 'Network Security' I have denied
    > > both 'Trusted in/out' and 'Internet in/out' access. In 'System Security'
    > > I permit it to 'Start', not to 'Modify', and permit 'Launching others'.
    > >
    > > From my logs, I seem to be getting a lot of TCP 'attacks' on
    > > svchost.exe, through local port 135, which is categorized as "epmap"
    > > DCE endpoint resolution. So without knowing what DCE is, maybe they are
    > > not 'attacks' at all :)


    The link talks about Port 135 on Win 2k

    http://www.uksecurityonline.com/index5.php

    >
    > Tlist -v (Win2K Pro SP4) reveals that one svchost thread is just using
    > RpcSs, while another is using: EventSystem, Netman, NtmsSvc, Rasman,
    > RemoteAccess, SENS and TapiSrv. Where do I find info about these?


    Google is your friend. <g>

    Duane :)
    Duane Arnold, Apr 2, 2004
    #9
  10. Global_Killa

    Night_Seer Guest

    Alan Illeman wrote:
    > "Alan Illeman" <> wrote in message
    > news:...
    >>
    >> "Duane Arnold" <> wrote in message
    >> news:XP1bc.160700$po.953163@attbi_s52...
    >>>
    >>> "Global_Killa" <> wrote in message
    >>> news:c4i5ml$8bp$...
    >>>> Hey all,
    >>>> I've been wondering for a while what svchost.exe application
    >>>> on my Windows XP is used for. I have to set a firewall rule for
    >>>> this application every time I format my computer, and I don't
    >>>> really know what I should allow it to do.
    >>>>
    >>>> The program's location is C:\Windows\system32\svchost.exe. If I
    >>>> block this program from accessing the Internet, it seems to stop
    >>>> Internet activity.
    >>>>
    >>>
    >>> As you can see, blocking svchost.exe stops your machine from
    >>> accessing the Internet.

    >>
    >> It doesn't in my case. Using Kerio, 'Network Security' I have denied
    >> both 'Trusted in/out' and 'Internet in/out' access. In 'System
    >> Security' I permit it
    >> to 'Start', not to 'Modify', and permit 'Launching others'.
    >>
    >> From my logs, I seem to be getting a lot of TCP 'attacks' on
    >> svchost.exe, through local port 135, which is categorized as "epmap"
    >> DCE endpoint resolution. So without knowing what DCE is, maybe they
    >> are not 'attacks' at all :)

    >
    > Tlist -v (Win2K Pro SP4) reveals that one svchost thread is just
    > using RpcSs,
    > while another is using: EventSystem, Netman, NtmsSvc, Rasman,
    > RemoteAccess, SENS and TapiSrv. Where do I find info about these?


    Always try Google first. Type in either those names or the exe
    associated with them; no news is good news, but if you find something,
    it might be bad.

    --
    Night_Seer
    Night_Seer, Apr 2, 2004
    #10
