Re: svchost.exe
From: nogo (nogo@nogonowhere.com) Date: 10/28/02
- Next message: Anonymous: "Re: ZoneAlarm v3.1.395"
- Previous message: : "Re: ZoneAlarm v3.1.395"
- In reply to: glenn: "svchost.exe"
- Next in thread: David: "Re: svchost.exe"
- Reply: David: "Re: svchost.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "nogo" <nogo@nogonowhere.com> Date: Mon, 28 Oct 2002 01:16:17 GMT
I'm not the author of the info below which I copied from a newsgroup some
time ago. My apologies for not giving credit to the author who might wish to
claim it if he recognises it.
------------------------------
Set up SVCHOST.EXE with setup #2 as per below for Agnitum.
Currently, I have three separate configurations that people can try. Two of
them are variations of the same idea. Your choice regarding each set will
depend on your sensitivity to security and privacy and your trust of
Microsoft. I will also list some general advice based on recent experiences
and a few good websites.
SVCHOST.EXE Setup #1
Setup number one is simple. DO NOT CREATE A RULE for SVCHOST.EXE. Make sure
there is no listing for this executable under Trusted, Partially Allowed, or
Blocked Applications. Be aware that you may have to "double click" on
"Trusted", "Partially Allowed", or "Blocked" in order to verify that
svchost.exe does not exist under any of these headings. Sometimes the
program listing can be collapsed under these headings in the same way that
you can collapse and expand directories in Windows Explorer File Manager.
Another important step is to NEVER run a security scan at an online scanning
site unless your Outpost Firewall is in the "Block Most" mode. Many scanning
sites may invoke SVCHOST.EXE by requesting a connection to one of the
services that it controls. You will not see these warnings if you are in
"Block Most Mode". In fact, it is my opinion that the firewall should only
be in Rules Wizard Mode under three conditions:
1. New Outpost Installation
2. Troubleshooting a Connection Issue
3. Setting Up a Rule for a Newly Installed Application
SVCHOST.EXE Setup #2
This setup involves creating rules for SVCHOST.EXE. In this case you will
have a rule in the list for SVCHOST.EXE under Partially Allowed
Applications. The only rule that I have ever had to create was the
following.
Where the protocol is UDP
Where the host is: 239.255.255.250
Where the remote port is: 1900
Allow It.
The remote host mentioned is IANA, the Internet Assigned Numbers Authority.
I am not sure about the nature of this communication with IANA. It may be
for some kind of Domain Name Resolution.
SVCHOST.EXE Setup #3
This setup involves setting up a rule exactly like the rule created in setup
2. However, the action chosen is "Deny It".
Any one of the three setups described is probably reasonably secure, even
number two, since only one, probably trustworthy remote address is used.
Since I am uncertain about the nature of the communication with IANA, I
would suggest setup one or three for anyone very sensitive about privacy and
security.
A little extra information.
EXPLORER.EXE
Sometimes Windows Explorer will ask for permission to access the internet.
You can follow any of the suggestions, one, two, or three for EXPLORER.EXE.
The only difference is the Remote Host and the Remote Port. Here is a rule.
Where the protocol is TCP
Where the direction is Outbound
Where the host is sa.windows.com
Where the Remote Port is HTTP
Allow It or Deny It; it is your choice, or do not create any rule at all, as
in Setup one for svchost.exe above. Sometimes it may be best to create the
rules for an executable like svchost.exe and choose "Deny It". "Allow It"
can also be chosen if you do not care about contact between your system and
the sites mentioned above. I would not allow any other remote hosts for
either of them though. The reason for this is that if you are in Rules
Wizard Mode, you will see fewer incidental popups regarding those
executables. But, as I said, "Block Most" is the best place to be almost all
of the time. One last piece of advice regarding rule setting for these
Applications. Your Remote Port may vary depending on whether you use a
LocalProxy or an ISP proxy. I do not use these, so I do not know how the
Popup box will appear for these executables. Regardless, the same methods
for setting up the rule for these executables apply.
I have tried all of the setups listed above and all have worked without
incident. So, anyone applying those methods should not experience problems.
The only reason that I have experimented with so many different setup
methods has just been curiosity. Currently, I am trying to set up everything
on a rule by rule basis to better understand the connections that different
applications need or do not need. It takes a lot of patience.
Concerning some of the services on XP. Most likely you can STOP and then set
to DISABLED the Universal Plug-n-Play Service (UPnP) and the Simple Service
Discovery Protocol Rule (SSDP). UPnP uses port 5000 and SSDP is responsible
for using port 1900. Then you should not get any popups regarding these at
all. I also worked with my system with these services enabled and disabled
with no adverse side effects either way. My opinion is that almost 100% of
the people out there can disable these services with no issue. There will
certainly be no system crashes related to disabling these services.
Concerning Trusted and Blocked Applications. My opinion is that only
programs that you wrote or that come from a highly trusted source should be
in Trusted Applications. And, the only applications that I would add under
blocked would be suspicious programs that I initially suspect are trojans.
Then I would delete the rule as soon as I removed the trojan with an
effective removal tool like Tauscan. This way, I can check the effectiveness
of the removal process. I think that this is pretty much consistent with the
advice in the Outpost Manual.
Sorry about the long message. I just wanted to try to provide as many
options as possible to suit everyone's taste. Below are a few links to some
helpful sites.
Microsoft Support Article Concerning Svchost.exe
http://support.microsoft.com/defaul...b;EN-US;q250320
Information on Windows Services (listed previously in this thread)
Windows 2000
http://www.blkviper.com/WIN2K/servicecfg.htm
Windows XP
http://www.blkviper.com/WinXP/servicecfg.htm
Good places to look up IP addresses:
www.arin.net (American Registry)
www.ripe.net (European Registry)
www.apnic.net (Asia-Pacific Registry)
Good Places for general and application port information:
http://www.iana.org/assignments/port-numbers (General)
http://www.practicallynetworked.com...p_port_list.htm
Each of these port lists is extensive. Just scroll down.
And, of course the Outpost manual can be found in the download section of
www.agnitum.com
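An added example, not part of the post above or of any Outpost material: 239.255.255.250:1900 is the SSDP multicast group and port (the post itself notes that SSDP uses port 1900), and SSDP is HTTP-style text carried over UDP. The script below parses constructed M-SEARCH and NOTIFY datagrams of the kind svchost.exe's SSDP service sends there, then runs them, plus a constructed inbound scan probe, through the three svchost.exe setups the post describes. The Block Most / Rules Wizard semantics (unmatched traffic silently blocked versus prompting) are assumed from the post's description, the datagram contents, LOCATION URL, USN and the probe's addresses are invented placeholders, and nothing is sent on the network.

```python
"""Added example, not from the original post: what svchost.exe's UDP
datagrams to 239.255.255.250:1900 contain, and how the three rule
setups described above treat them.

Assumptions (not from the post): an unmatched connection is silently
blocked in Block Most mode and prompts the user in Rules Wizard mode;
all traffic below is constructed, with invented addresses and URLs.
"""
from dataclasses import dataclass
from typing import Dict, List

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900


@dataclass(frozen=True)
class Datagram:
    proto: str          # "UDP" or "TCP"
    direction: str      # "out" or "in"
    remote_host: str
    remote_port: int
    payload: bytes = b""
    local_port: int = 0


@dataclass(frozen=True)
class Rule:
    """One application rule as the post writes it: protocol + host + port -> action.
    The post's svchost.exe rule names no direction, so none is matched here."""
    proto: str
    remote_host: str
    remote_port: int
    action: str         # "allow" or "deny"

    def matches(self, d: Datagram) -> bool:
        return (d.proto == self.proto
                and d.remote_host == self.remote_host
                and d.remote_port == self.remote_port)


def parse_ssdp(payload: bytes) -> Dict[str, object]:
    """Split an SSDP datagram (HTTP-over-UDP) into request line, method and headers."""
    text = payload.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return {"start": lines[0], "method": lines[0].split(" ", 1)[0], "headers": headers}


def is_ssdp(d: Datagram) -> bool:
    """True when the datagram goes to the SSDP group/port and carries an SSDP verb."""
    if d.proto != "UDP" or d.remote_host != SSDP_GROUP or d.remote_port != SSDP_PORT:
        return False
    return parse_ssdp(d.payload)["method"] in ("M-SEARCH", "NOTIFY")


def decide(rules: List[Rule], d: Datagram, mode: str = "block_most") -> str:
    """First matching rule wins; otherwise the firewall mode decides (assumed semantics)."""
    for rule in rules:
        if rule.matches(d):
            return rule.action
    return "block" if mode == "block_most" else "prompt"


# The three svchost.exe setups from the post.
SETUPS: Dict[int, List[Rule]] = {
    1: [],                                               # no rule for svchost.exe at all
    2: [Rule("UDP", SSDP_GROUP, SSDP_PORT, "allow")],    # allow only the SSDP multicast traffic
    3: [Rule("UDP", SSDP_GROUP, SSDP_PORT, "deny")],     # same rule, action "Deny It"
}

# Constructed traffic. LOCATION and USN are invented placeholders.
M_SEARCH = Datagram("UDP", "out", SSDP_GROUP, SSDP_PORT,
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n")
NOTIFY = Datagram("UDP", "out", SSDP_GROUP, SSDP_PORT,
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\nLOCATION: http://192.168.0.1:5000/desc.xml\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")
# An online "security scan" probing a service hosted by svchost.exe; the
# scanner address (TEST-NET-2) and local port are illustrative, not from the post.
SCAN_PROBE = Datagram("TCP", "in", "198.51.100.7", 40000, b"", local_port=135)


def report(mode: str = "block_most") -> Dict[str, Dict[int, str]]:
    """Decision of each setup for each constructed datagram under the given mode."""
    traffic = {"M-SEARCH": M_SEARCH, "NOTIFY": NOTIFY, "scan probe": SCAN_PROBE}
    return {name: {n: decide(rules, d, mode) for n, rules in SETUPS.items()}
            for name, d in traffic.items()}


if __name__ == "__main__":
    for mode in ("block_most", "rules_wizard"):
        print(f"[{mode}]")
        for name, by_setup in report(mode).items():
            print(f"  {name:10s}", {f"setup {n}": a for n, a in by_setup.items()})
```

Run it and the scan probe comes out "block" in Block Most under all three setups but "prompt" in Rules Wizard mode, which is the post's reason for staying in Block Most during an online scan; the SSDP datagrams are the only traffic on which the three setups differ.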