Re: svchost.exe connect port 80 and 443

From: Big Will (spamWspamispamlspamlspamBspam4spamespamvspaaaammespammityrspam_at_nidontlikespamet)
Date: 02/24/04


Date: Tue, 24 Feb 2004 12:25:45 -0800

Duane Arnold wrote:

> Big Will
> <spamWspamispamlspamlspamBspam4spamespamvspaaaammespammityrspam@nidontlik
> espametzero.net> wrote in news:403aeeb0$1@darkstar:
>
>
>>Duane Arnold wrote:
>>
>>>Big Will
>>><spamWspamispamlspamlspamBspam4spamespamvspaaaammespammityrspam@nidont
>>>lik espametzero.net> wrote in news:403a3971@darkstar:
>>>
>>>
>>>
>>>>Duane Arnold wrote:
>>>>
>>>>
>>>>>>I disagree with that. At times, svchost.exe will try to connect for no
>>>>>>apparent reason, and I'll kill it. Furthermore, because I still use
>>>>>>Plug-and-Play (for Windows Sound purposes) I simply block svchost when
>>>>>>it tries to connect on TCP 1900. If a communication is remotely
>>>>>>initiated, and I don't know why it's being remotely initiated, then I
>>>>>>block it, even if it's svchost.exe. If some apps stop working, then
>>>>>>I'm that much the wiser about that particular remote IP address and
>>>>>>what it has to do with my PC. I wouldn't say blocking svchost.exe from
>>>>>>accessing the internet is killing the messenger, just blocking him from
>>>>>>delivering his message.
>>>>>
>>>>>
>>>>>
>>>>>Big Will if I thought you knew what you're talking about I would
>>>>>listen. You don't know. SVChost.exe never tries to do anything on
>>>>>its own. Some program element on the machine makes the requests to
>>>>>svchost to do its bidding. Now whether that be some third party
>>>>>program element on the machine, a Trojan, spyware or the O/S itself
>>>>>making the request, some program element on the machine makes the
>>>>>requests. The svchost has many functions that many program elements
>>>>>will call upon svchost to do and communications is just one of them.
>>>>>That's why there can be several svchost.exe running on the machine
>>>>>doing various tasks.
>>>>
>>>>I never said there wouldn't be. I am fully aware of what svchost does.
>>>>The point I was making is that sometimes it's OK to block these
>>>>connections (like when svchost tries to connect to the internet on port
>>>>1900, which is a result of plug-and-play being enabled on XP systems).
>>>
>>>
>>>UPnP is a service that is disabled on my computers.
>>
>>I would disable the service except Windows Sound depends on it, and
>>since I use a laptop, this is my only source of volume control.
>>
>>
>>>
>>>>Furthermore, by blocking some svchost connections that are the result
>>>>of certain Windows Services being activated, you get the benefits of
>>>>the security that you would have for not having that connection while
>>>>at the same time are able to enjoy services that might otherwise pose
>>>>a security risk.
>>>
>>>
>>>I don't shut down or block svchost, because I take the time to make
>>>the determination if something needs to use svchost by reviewing
>>>what's running in the first place. If it needs to run it does and if
>>>it doesn't, I shut it down.
>>
>>So you do shut down the communication once you determine whether it
>>needs to communicate with the internet or not. Thank you, that's all
>>I was saying. I do take the time to determine what's causing svchost
>>to connect to the computer, and if I don't need that component to
>>connect to a remote server, then I don't use it.
>>
>>
>>>So there is no need for me to be making any rules to govern what
>>>svchost is doing.
>>
>>Nor should you, unless a specific connection with svchost (like in my
>>case, UPnP) doesn't need to connect in order to perform the necessary
>>functions (Windows Sound on XP systems, in my case). Therefore, it
>>wouldn't hurt me to make a general rule blocking remote port 1900
>>connections (which would in effect block this instance of svchost
>>while still allowing UPnP to function), and it would increase
>>security.
>>
>>>Nothing unsolicited is coming in unless I open the ports to
>>>allow it in and if I do open the ports, then rules are made to govern
>>>what can make contact. Or I have some application or program on the
>>>machine that I know is going to make the solicitation.
>>
>>So you mean to say that even when Windows generic host (svchost.exe)
>>is trying to receive communications from a remote server for no
>>apparent reason, you would block it?
>>
>>
>>>So, it's just a sign, that you don't know what's running on your
>>>machine and you take the path of trying to set some rules, instead of
>>>making determinations as to what is using svchost and stopping that,
>>>if need be.
>>
>>No, I set these rules with full knowledge of knowing what's on my
>>system and how these rules are affecting my system. The majority of
>>my blocks are unsolicited requests of programs on my computer to
>>receive connections from a remote server. Oh, BTW, I use DLL
>>authentication, so I know exactly what's trying to connect when svchost
>>tries to connect. Also, the remote port it connects to is a dead
>>giveaway in most cases.
>>
>>
>>>
>>>>I hope this clarifies things up for you, since you
>>>>obviously either misunderstood my comments or didn't understand the
>>>>subject matter at all.
>>>>
>>>
>>>
>>>When you're under the gun at 1:00 pm and you're in a meeting with the
>>>SQL server DBA and Systems as to why nothing is wrong with the
>>>COM+ application and it's the COM+ server and the SQL Server Cluster
>>>not communicating, because they don't know that it's Svchost and RPC
>>>that have stopped working on the SQL Server and you need to do the
>>>damn failover, because it's been down half the day and they finally
>>>listen and do it, I think I do understand what's happening with
>>>svchost.
>>>
>>
>>Well, even with what I block, I simply don't have those kinds of
>>problems.
>>
>>
>>>You ever face that *heat*?
>>>
>>>Duane :)
>>
>>Yup. I'm sure you've heard of the DoS attacks on merijn.org. Well,
>>somehow my computer was involved (probably from unsafe browsing with
>>ActiveX, doh!!) That F***ing zombie forced me to uninstall NIS and
>>install Sygate. I also monitor my communications with Active Ports
>>periodically just to make sure that nothing bad happens (which it
>>hasn't since I uninstalled NIS). Needless to say, I do feel the heat
>>myself, but the good news is I managed to catch my computer sending
>>out these GET requests long before the DoS attacks on Tom Coyote's site
>>(which I believe were related), that is unless the two of them were
>>done at the same time. All that's left for me to do is a clean sweep
>>Format C: and reinstall stuff, which I'm going to do when I get the
>>Win XP Windows Update CDs.
>>
>
>
> I am up here shortly and then back to get some damn sleep. I'll tell you
> that you should Format C:. Why, because my first reply post to you, I did
> it with OE and I made the mistake of not doing a GROUP reply, but back to
> you directly through POP3. Outlook, which OE is the NG reader for, alerted that
> something was trying to access the Outlook Address Book. I have done some
> other replies in other NG(s) with OE and Outlook has not alerted.
>
> I know there is no sh*t on this machine that is doing it. You may want to
> check that out.
>
> back to sleep man back to sleep
>
> Duane :)
What machine are you talking about? Whether you try to reply to me
directly or in the post, it wouldn't make any difference. As for me, I
don't use OE for newsgroups or e-mail (I'm currently using Netscape,
which is based on Mozilla 1.4). Furthermore, when you try to reply to
me via e-mail, chances are you'll get a bounce unless you de-munge
properly. This will result in a new contact
(spamWspamispamlspamlspamBspam4spamespamvspaaaammespammityrspam@nidontlikespametzero.net,
or whatever failed demunging attempt you ended up with) ending up in
your address book if you use OE. As for format c:, like I said, I'm
going to do that, but not for the reasons you suggested.

-- 
William
If it don't work, hit it.
If it still doesn't work, kick it.
If it works after hitting it and kicking it, then it doesn't matter if 
hitting it or kicking it helped, what's important is it worked.
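Both posters above land on the same practical question: when a svchost.exe instance opens a socket, which of the services it hosts is responsible? The classic way to answer it on XP-era Windows is to join `tasklist /svc` (PID to hosted service names) with `netstat -ano` (socket to PID) and then read the remote port, as William says, as the "dead giveaway". The script below is an added example for this page, not code from either poster; it parses the text output of those two commands and does the join. The two dumps embedded in it are constructed for the example, and their PIDs and service groupings are illustrative. The port table encodes two facts (SSDP/UPnP discovery is UDP 1900 and is served by XP's SSDPSRV service; TCP 135 is the RPC endpoint mapper, RpcSs) and treats 80/443 as naming no particular service. Where several services share one svchost and the port does not single one out, it says so and points at the real Windows knob for isolating a suspect into its own host process (`sc config <name> type= own`) rather than guessing. On current Windows the same join can be done with `Get-NetTCPConnection` and `Get-CimInstance Win32_Service`.

```python
"""Attribute a svchost.exe socket to the service it hosts by joining the
output of `tasklist /svc` (PID -> services) with `netstat -ano` (socket -> PID).
Added example; the two dumps below are constructed, not captured from a machine."""
import re
from collections import namedtuple

# Constructed `tasklist /svc` output (XP wraps long service lists onto indented lines).
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    860 RpcSs
svchost.exe                    944 AudioSrv, Browser, CryptSvc, Dhcp,
                                   EventSystem, lanmanserver, Schedule,
                                   SSDPSRV, Themes, TrkWks, winmgmt,
                                   wuauserv
svchost.exe                   1072 Dnscache
firefox.exe                   1888 N/A
"""

# Constructed `netstat -ano` output (UDP rows have no State column).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    192.168.1.5:1041       207.46.197.32:80       ESTABLISHED     944
  TCP    192.168.1.5:1047       192.168.1.1:1900       ESTABLISHED     944
  TCP    192.168.1.5:1052       66.102.7.99:443        ESTABLISHED     1888
  UDP    0.0.0.0:1900           *:*                                    944
"""

# port -> (meaning, service that normally owns it, or None). SSDP/UPnP discovery
# is UDP 1900 (SSDPSRV on XP); 135 is the RPC endpoint mapper (RpcSs).
PORT_HINTS = {1900: ("SSDP/UPnP discovery", "SSDPSRV"),
              135: ("RPC endpoint mapper", "RpcSs"),
              80: ("HTTP", None), 443: ("HTTPS", None)}

Socket = namedtuple("Socket", "proto local foreign state pid")
Attribution = namedtuple("Attribution",
    "pid image proto local foreign state services likely_service note")
_PROC_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")   # image, PID, service field

def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]

def parse_tasklist_svc(text):
    """{pid: (image, [services])}; indented continuation lines extend the previous list."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = _PROC_LINE.match(line)
        if m:
            last_pid = int(m.group(2))
            procs[last_pid] = (m.group(1), _split_services(m.group(3)))
        elif line[0].isspace() and last_pid is not None:
            procs[last_pid][1].extend(_split_services(line))
    return procs

def parse_netstat_ano(text):
    sockets = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 4 and p[0] in ("TCP", "UDP"):
            sockets.append(Socket(p[0], p[1], p[2], p[3] if p[0] == "TCP" else "", int(p[-1])))
    return sockets

def _port(addr):
    p = addr.rsplit(":", 1)[-1]
    return int(p) if p.isdigit() else None

def attribute(procs, sockets):
    """Join sockets to processes; name the service only when the evidence (a single
    hosted service, or a port whose known owner is in the group) supports it."""
    out = []
    for s in sockets:
        image, services = procs.get(s.pid, ("<unknown>", []))
        outbound = s.proto == "TCP" and s.state != "LISTENING"
        port = _port(s.foreign if outbound else s.local)   # remote port tells for outbound
        label, owner = PORT_HINTS.get(port, (f"port {port}", None))
        likely, note = None, ""
        if image.lower() != "svchost.exe":
            note = "not a service host; the image itself owns the socket"
        elif len(services) == 1:
            likely = services[0]
        elif owner in services:
            likely, note = owner, f"{label} is served by {owner}"
        else:   # several services share this svchost: isolate the suspect and re-run
            note = (f"ambiguous ({label}): {len(services)} services share PID {s.pid}; "
                    "try 'sc config <name> type= own', restart the service, re-check")
        out.append(Attribution(s.pid, image, s.proto, s.local, s.foreign, s.state,
                               tuple(services), likely, note))
    return out

def report():
    rows = attribute(parse_tasklist_svc(TASKLIST_SVC), parse_netstat_ano(NETSTAT_ANO))
    return [f"{a.proto:<4}{a.local:<22}{a.foreign:<22}{a.state:<12}pid={a.pid} "
            f"{a.image} -> {a.likely_service or '?'} {a.note}".rstrip() for a in rows]

if __name__ == "__main__":
    print("\n".join(report()))
```

Run it and the two sockets on port 1900 come back as SSDPSRV, the RPC listener as RpcSs, and the HTTP connection from the twelve-service svchost is reported as ambiguous with the isolation step to take next. Blocking "svchost to remote port 1900" at the firewall, as in the thread, works only because that port maps cleanly to one service; for a port like 80 the same rule would silence every service in that group, which is exactly the trade-off Duane is objecting to.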