Re: Kerio 4 won't block Messenger, svchost

From: Duane Arnold (notme_at_notme.com)
Date: 03/25/04


Date: Thu, 25 Mar 2004 12:53:54 GMT

Kevin Goodsell <usenet2.spamfree.fusion@neverbox.com> wrote in
news:0cu8c.55812$aT1.3911@newsread1.news.pas.earthlink.net:

> My Kerio 2 rules got nuked somehow (I think it was because I rebooted
> WinXP immediately after it booted up, about the time Kerio usually
> shows its splash screen (I had intended to boot from a CD, but didn't
> hit the button in time)), so I decided to upgrade to version 4. I'm
> having trouble making it do what I want. In particular, nothing I do
> seems to stop Messenger and svchost from passing packets back and
> forth (maybe it's only from Messenger to svchost, I'm not sure). Just
> to be clear, I am talking about Windows Messenger, the IM application,
> not the spam delivery service. I turned that off long ago.
>
> Now, I don't use Messenger and I don't want it doing anything. Even if
> it's only passing datagrams to svchost. In fact, I'm going to look for
> a way to kill it off completely, but it's really bothering me that I
> can't make Kerio block it. I set up a packet filter for it, telling it
> to block all connections, all ports, in and out, but that didn't
> change anything. The rule is never triggered. I set up svchost to ask
> before doing anything (except for untrusted incoming connections,
> which are blocked), and it never asks. I set all the predefined rules
> to block. I set the loopback to untrusted. Still nothing. Or rather,
> still something. It doesn't prevent Messenger and svchost from
> exchanging packets.
>
> I think in version 2 I had Messenger completely locked down (with a
> simple packet filter rule - the only type they had in that version, as
> far as I know). Does anyone know why I can't shut it up in 4? I can't
> even create an Application rule for it, because apparently Kerio has
> to catch the application doing something first, and prompt you to
> permit, deny, create a rule, etc., and Messenger seems to be
> completely under Kerio's radar.
>
> Thanks.
>
> -Kevin

You can shut it down.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q302089&ID=KB;EN-US;Q302089&LN=EN-US&rnk=21&SD=tech&FR=0&qry=Type%20your%20Keywords%20or%20Question%20here%20and%20click%20go&src=DHCS_MSPSS_tech_SRCH&SPR=WINXP&

You can go to the O/S and shut down more things you may not need.

http://www.uksecurityonline.com/husdg/windowsxp.php

It starts with the O/S, not the FW.

If svchost.exe is not running out of Windows/System32, then it's a Trojan.

Otherwise, if it is not, then you should leave it alone and find out what's
using svchost.exe by using something like Process Explorer (free; use
Google).

Duane :)
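
The path check and the "find out what's using svchost.exe" step from the reply above, as an added example that is not part of the original post: it lists every running svchost.exe, flags any image outside the Windows system directories, and shows which services each instance hosts. It assumes PowerShell 3.0 or later (for Get-CimInstance) and treats the SysWOW64 copy on 64-bit Windows as legitimate.

```powershell
# Added example: audit every running svchost.exe.
# Assumption: PowerShell 3.0+ (Get-CimInstance); run elevated to see all paths.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')   # 32-bit copy on 64-bit Windows
)

# Build a map of process ID -> names of the services hosted in that process.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service -Filter "ProcessId <> 0" | ForEach-Object {
    $procId = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
    $servicesByPid[$procId] += $_.Name
}

# Check each svchost.exe instance: image path, parent, and hosted services.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $procId = [int]$_.ProcessId
    $path   = $_.ExecutablePath

    # ExecutablePath is empty when the caller lacks rights to query the process.
    $verdict = if (-not $path) { 'path unavailable (run elevated)' }
               elseif ($expected -contains $path) { 'expected location' }
               else { 'UNEXPECTED LOCATION' }

    $hosted = if ($servicesByPid.ContainsKey($procId)) {
                  $servicesByPid[$procId] -join ', '
              } else {
                  '(no services registered)'   # a real svchost normally hosts at least one
              }

    [pscustomobject]@{
        PID       = $procId
        ParentPID = $_.ParentProcessId
        Path      = $path
        Verdict   = $verdict
        Services  = $hosted
    }
} | Sort-Object Verdict, PID | Format-Table -AutoSize -Wrap
```

An instance with an unexpected path or with no registered services is the one to examine further in Process Explorer.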

