What Are Generic Host Processes?

Discussion in 'Computer Support' started by Sam, Jun 9, 2004.


    Sam Guest

    Well I know the relevant file is C:\WINNT\system32\svhost.exe. I keep
    getting messages from the Firewall, asking whether I should give it
    access to the Internet and Server privileges. Can anybody explain
    what this is all about? Thanks.
     
    Sam, Jun 9, 2004
    #1


    °Mike° Guest

    °Mike°, Jun 9, 2004
    #2


    Sam Guest

    Do you have to also let it act as a server? Thanks.
     
    Sam, Jun 9, 2004
    #3

    Duane Arnold Guest

    Svchost is the messenger for the O/S. Svchost has many tasks and one of
    them is being the communication link between programs running between
    machines on the LAN and WAN (WAN being the Internet). Not only does the
    O/S use Svchost on its behalf to communicate but other programs such as
    malware can use Svchost on their behalf too.

    If Svchost is communicating to unknown remote IP(s), then one should be
    concerned and find out what is using the messenger and kill it instead of
    the messenger, because it's never Svchost the messenger that wants to
    communicate -- don't kill the messenger.

    So, one stops svchost from communicating for some reason (that is
    unknown) and then one turns around and allows svchost to communicate for
    some other reason. What happened to the reason one stopped svchost? It
    didn't go anywhere and is still there on the machine.

    If svchost.exe is not running out of winnt\system32 or windows\system32
    on the NT based O/S, then it's a Trojan.

    You can use Active Ports (free) to determine inbound and outbound
    connections on a routine basis by running processes on the machine,
    because malware can easily circumvent and defeat any PFW solution. One
    can put a short-cut in the startup folder for Active Ports and it will
    give you a clear picture as to what is happening, since malware can beat
    any PFW solution at boot and be done before a PFW solution can even get
    on the TCP/IP and stop it.

    You can use Process Explorer (free) to look inside a running process and
    see what processes/programs are using the process.

    You're out there on the Internet and they have got to practice on someone
    and you're fair game.

    http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

    You should *harden* the XP O/S against attack a little bit. The buck stops at
    the O/S and everything else is secondary to it.

    http://www.uksecurityonline.com/index5.php

    Duane :)
     
    Duane Arnold, Jun 9, 2004
    #4

    °Mike° Guest

    You should allow it:

    DHCP...
    Protocol UDP
    Remote port = BOOTPS (67)
    Local port = BOOTPC (68)

    DNS...
    Protocol UDP
    Local port = DNS (53)

    HTTP...
    Protocol TCP
    Direction = Outbound
    Remote port = HTTP (80)

    HTTPS...
    Protocol TCP
    Direction = Outbound
    Remote port = HTTPS (443)

    Time Synchronizer...
    Protocol UDP
    Remote port = NTP (123)

    SSDP Discovery Services (1)...
    Protocol UDP
    Remote port = 1900

    SSDP Discovery Services (2)...
    Protocol UDP
    Local host = 239.255.255.250 (255.255.255.255)
    Local port = 1900

    SSDP Discovery Services (3)...
    Protocol TCP
    Direction = Outbound
    Remote port = 5000

    MS Remote Desktop
    Protocol TCP
    Direction = Outbound
    Remote port = RDP (3389)

    Generic Host Process LDAP
    Protocol TCP
    Direction = Outbound
    Remote port = LDAP (389)
     
    °Mike°, Jun 9, 2004
    #5
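As an added example (not code from any of the posts above), the following PowerShell script does on a modern Windows machine what Duane describes doing with Active Ports and Process Explorer, and checks the TCP side of Mike's allow list: for every svchost.exe it prints the services hosted in that process, warns if the image is not running from the system directory, and lists its established TCP connections, marking any remote port not in the list for review. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (where Get-NetTCPConnection exists), run as Administrator so that owning-process details are visible.

```powershell
# Added example, not from the thread. Assumes Windows 8+ and an elevated PowerShell 5.1+ session.

# TCP remote ports that Mike's list allows svchost to use outbound (HTTP, HTTPS, SSDP 5000, RDP, LDAP).
# The DHCP/DNS/NTP/SSDP 1900 entries are UDP and are not reported by Get-NetTCPConnection.
$AllowedTcpRemotePorts = @(80, 443, 5000, 3389, 389)

# A genuine svchost.exe runs only from the system directory (Duane's point), e.g. C:\WINDOWS\system32.
$SystemDir = [Environment]::GetFolderPath('System')

# Build a map of process ID -> names of the services hosted in that process.
$ServicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $ServicesByPid[[int]$_.ProcessId] += @($_.Name)
}

foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $path   = $proc.Path                                  # may be $null without sufficient rights
    $hosted = $ServicesByPid[[int]$proc.Id] -join ', '
    Write-Host "PID $($proc.Id)  path=$path  services=[$hosted]"

    # Check 1: the image must live in the system directory.
    if (-not $path -or (Split-Path $path -Parent) -ne $SystemDir) {
        Write-Warning "svchost PID $($proc.Id) is not running from $SystemDir (or its path is unreadable)"
    }

    # Check 2: established TCP connections to remote ports outside the allow list get flagged.
    Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $note = if ($AllowedTcpRemotePorts -contains $_.RemotePort) { 'allowed' } else { 'REVIEW' }
            Write-Host ("  {0}:{1} -> {2}:{3} [{4}]" -f $_.LocalAddress, $_.LocalPort,
                                                       $_.RemoteAddress, $_.RemotePort, $note)
        }
}
```

A connection marked REVIEW is not proof of malware; the service names printed for that PID are the starting point for finding out which component is using the "messenger", as Duane puts it.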
