Re: A remote system is attempting to access Microsoft Generic Host Process for Win32

From: Lionel Fourquaux (use.reply.to_at_nospam.invalid)
Date: 08/30/04


Date: Mon, 30 Aug 2004 09:37:01 -0700


        Short answer: click on deny whenever this message pops up, and
don't worry about it.

        If you want to understand what is happening, and what the
risks are, read the explanations below.

"Bill" wrote in message <2b1701c48e93$ffd23740$a301280a@phx.gbl>:
> My question is that every so often my firewall pops up
> saying, "A remote system is attempting to access Microsoft
> Generic Host Process for Win32", and wants me to permit or
> deny it.

        This message means that some other computer on the network is
trying to connect to your computer. More precisely, let's call your
computer A. On A, a program (svchost.exe, aka Generic Host Process for
Win32 Services) is running, and it is waiting for connections from the
network. Just before this message popped up, another computer (call it
B) tried to connect to svchost.exe on A. The message doesn't say
anything else, but you probably do not want to allow a stranger (B) to
connect to your computer. That's why I recommend that you click "deny"
to block the connection attempt.

> Permit is recommended

        This is an oversimplification. If B is a total stranger, very
likely you do not want to allow the connection. On the other hand, if
someone has a legitimate reason to connect to your computer (e.g.
because you are using some program that requires an inbound connection),
then you should permit it, or something (the program you're using)
will not work. Since it's likely that you don't know which software
will require such a connection, you can apply the following rule: if
the message appeared just after you did something on your computer (e.g.
just after you started a program), click "permit"; if you were doing
something else (e.g. reading the content of a window, or exploring
menus, or modifying _local_ files), click "deny"; if something doesn't
work just after you clicked "deny", retry and check whether the message
pops up again; if it does, click "permit". The idea is that the connections
you want are those you requested explicitly (even if you were not aware
that you just requested a connection from a remote computer).

        An important warning: this rule of thumb is approximate, and
supposes you trust the programs installed on your computer. If some
spyware may have been installed, or if you feel that you are not always
very careful about choosing what to install, you'd better click "deny"
every time.

        When in doubt, ask!

> but everything I've been
> hearing says that someone is trying to hack into my
> computer.

        Well, it's likely that, yes, in some sense, someone is trying to
hack into your computer. However, if you want to avoid some
misunderstandings, you'd better read the rest of the explanations.

        A frequent cause of such messages is programs "scanning" the
Internet, i.e. trying to connect to random addresses in search of
computers that accept connections. Obviously, malicious programs
(especially worms/viruses) often do this. Such scans do not target
anybody in particular. My guess is that this time the random number
generator just hit the address of your computer and tried a connection.
Don't worry too much about it. Such scans are common, and do not mean
that the security of your computer has been breached. Imagine someone
wandering in the street and trying to open every door in sight. You
don't know what he wants, and don't want him to get into your house, but
just checking which doors are closed won't get him anywhere. Just ignore
the madman...

        What, precisely, are the risks? I can't be very specific,
because the message didn't give enough details: svchost.exe is a "host"
program (sort of an empty box, where the useful bits of programs will be
added later) used by many parts of Windows. Let's say it's highly likely
that it has legitimate reasons to be waiting for connections. (I'm
simplifying, here: some of these reasons may not apply to your case, and
you could increase the security of your computer by stopping these
services. Doing it right can require a lot of technical knowledge). If
you block all connection attempts, that's it. Since you permitted it at
least once, you'll want to know what happens in this case.

        Computer B connected to your computer, and talked to a service
inside svchost.exe. Obviously, this service didn't blindly trust
computer B, so B either gained some rather public information about your
computer, or asked for something it wasn't allowed to have and got its
request denied. Either way, no harm was done.

        Unfortunately, this is an ideal picture. Real programs have
bugs, and there is a possibility that some programming error in the
service on computer A will allow B to gain a real access to A. In this
case, bad things (virus infection, stolen confidential information...)
can happen. That's why firewalls are useful.

        If your computer is fully patched (use Windows Update, and
especially install the SP2!), it's unlikely that the attack succeeded
(although it's always possible, since there are unpatched bugs). With
the checks you report, I'm pretty sure the attack did not succeed.

        As a guess, I think it was Blaster or some similar virus, on
computer B, that was scanning the Internet for other victims. It looks
like your Windows was patched, and the error exploited by the virus
wasn't there anymore. But it's only a guess.

> I was told to go into c:
> \windows\system32\drivers\etc, and open the "hosts" file
> and delete everything in it except for some numbers which I
> think was my local host address.

        This advice doesn't apply to your problem. Either the person who
suggested it only heard the word "Host", or you'd better ask someone
else. :)

        The hosts file is used to translate some machine names to
network addresses. (There are other methods, this one is rarely used).
By default, on Windows, it will contain comments (starting with #, to
the end of the line), and this address:

127.0.0.1 localhost

(This line says that the computer "localhost" has address 127.0.0.1, and
127.0.0.1 is a special address that corresponds to the local computer).

        Some malicious programs modify the hosts file. For example, an
ill-intentioned person can use it so that www.microsoft.com is mapped to
a computer it controls, instead of the real MS website. You can guess the
consequences...

        Again, this is another problem, and afaik doesn't apply to your
computer. The only relation I see is the word "host".

> But that did not solve the
> problem. I've scanned my computer with lavasoft's adaware 6
> SE (updated) and spysweeper 3 (updated), as well as Norton
> (updated) and found no problems.

        It was a good initiative.

> Why do I get a remote
> system trying to access my computer? Thanks for any advice.

        I hope I've explained clearly enough what happened. Again, don't
worry too much about it: scans are quite common, and most often do not
find anything useful. If you want more details, don't hesitate to ask
again!

        Hope this helps.

-- 
  Lionel Fourquaux
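As an added example (not part of Lionel's post), here is a small Python check for the hosts-file tampering he describes: it parses the file the way he explains it (comments from # to end of line, then an address followed by one or more names) and flags every mapping other than the default localhost/loopback line, so a well-known site redirected elsewhere, or any name pinned to the loopback address, shows up. The sample file content, including the 192.0.2.10 address, is constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a hosts file: a comment, the default Windows line,
# and one entry of the kind described in the post (a well-known site pointed
# at an address the attacker controls). 192.0.2.10 is a documentation-range
# address used here as a placeholder, not a real host.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      www.microsoft.com   # constructed malicious entry
::1             localhost
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) pairs; '#' starts a comment to end of line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no name: malformed, nothing to resolve
        entries.append((fields[0], fields[1:]))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, List[str]]]:
    """Flag any mapping other than 'localhost -> loopback', the Windows default."""
    flagged = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, names))  # not an IP at all: malformed or tampered
            continue
        if ip.is_loopback and all(n.lower() == "localhost" for n in names):
            continue  # the expected default line (IPv4 or IPv6 loopback)
        flagged.append((addr, names))  # redirection or a name pinned to loopback
    return flagged


if __name__ == "__main__":
    for addr, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {addr} -> {' '.join(names)}")
```

On a real machine the same functions can be fed the contents of c:\windows\system32\drivers\etc\hosts; an empty result means only the default localhost line is present.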