Re: Zone Alarm and "svrhost.exe"

From: Charlie Tame (charlie@tames.net)
Date: 10/31/02


From: "Charlie Tame" <charlie@tames.net>
Date: Thu, 31 Oct 2002 06:02:58 -0600


SamSpade resolves the name of the IP you gave as
10/31/02 05:47:03 dns 207.46.226.34
nslookup 207.46.226.34
Canonical name: time.windows.com
Addresses:
  207.46.226.34

Who or what that is I am not certain, however one might guess at an MS time
server, which would possibly explain regular checks. Personally I was
wondering if you were seeing the Windows Critical update notification; after
all, to know if there are any updates it does have to go and look, and it does
have to receive replies.

When ZA mentions "Server rights" it is a bit misleading. What it really
means is "Permit a port to be opened for incoming connections". Doesn't
actually mean "Something" wants to "Serve" anything. It also used to give
the same message for local connections, such as the different parts of
Windows communicating via 127.0.0.1 (Localhost) which is also misleading and
when blocked causes all kinds of odd effects.

Grab a copy of "Fport" from here
http://www.foundstone.com/knowledge/free_tools.html
which will help identify what is opening ports (though in this case knowing
it's svchost may not be news to you) and check names you permit carefully.

For example there is (was) a trojan that used rund1l instead of rundll as
part of a filename which looks like a legit windows file unless you type in
caps when RUND1L is easily seen as different from RUNDLL. Of course it's
designed so users will "Permit" it as the legit "Run a dll as an
application" pops up often.

Should you decide to try other firewall programs www.kerio.com has a good
one that's free for personal use and although there are a few glitches in
their latest beta3 the beta4 should be out soon and that has very
interesting application control. It may actually be able to tell you what is
using svchost.

Hope this helps a bit; it can be a confusing subject at first.

Charlie

"jstarr" <starrja@hotmail.com> wrote in message
news:129601c2807d$9cb30340$37ef2ecf@TKMSFTNGXA13...
> Thanks- this is what I am figuring, too, as I do more
> research. Now all I gotta do is figure out what all those
> damned little abbreviated names *mean*... Does anyone
> have a cheat ***?!?
>
>
> >-----Original Message-----
> >SVCHOST.EXE means you should check the services that are running in the
> >Services applet. One of them may well be the cause. Knowing the port number
> >it's trying to use would be helpful as well.
> >
> >Windows XP, Office XP, etc. have some known licensing features where I
> >believe the computer tries to contact Microsoft from time to time. [It's
> >been a while, so I'm getting fuzzy on the specifics.] Windows Media Player
> >and other apps may do similar things, I don't know.
> >
> >I don't care much for Zone Alarm because if a firewall gives you the user a
> >chance to permit a program to access the internet, your firewall has just
> >been compromised.
> >
> >
> >"jstarr" <starrja@hotmail.com> wrote in message
> >news:71ff01c28076$2cd99b30$35ef2ecf@TKMSFTNGXA11...
> >> Okay- so here's what happened- follow this through:
> >>
> >> I installed ZoneAlarmPro this morning. It immediately gave
> >> me alerts for Internet Explorer and the ftp client I was
> >> using at the time. I said yes to those. Within about an
> >> hour, as I was in chat, I got an alert for the following:
> >> Generic Host Process
> >> IP 207.46.226.34
> >> svchost.exe
> >> A quick lookup showed this to be a microsoft IP; I wasn't
> >> real happy about an executable program wanting access, so
> >> I said "No".
> >>
> >> Less than 30 minutes later, up pops an alert: This program
> >> is asking for server rights- allow it? Same IP, same name,
> >> same description- this time, I checked Do Not Ask Me Again-
> >> and "No". I immediately lost internet connection.
> >>
> >> So I go into ZA, find it- and give it access, reboot, and
> >> voila`! I am back online. Called my ISP, nice young man
> >> there did some research for me- this is what he turned up:
> >>
> >> PING 207.46.226.34: 56 data bytes
> >> ICMP Communication Administratively Prohibited from
> >> gateway
> >> iustsecurc1201-ge-6-0.msft.net (207.46.224.195)
> >> for icmp from tacacs02 (12.242.25.151) to time.windows.com
> >> (207.46.226.34)
> >>
> >> ----207.46.226.34 PING Statistics----
> >> 5 packets transmitted, 0 packets received, 100% packet
> >> loss
> >> asettles@tacacs2:~
> >>
> >>
> >> Anyway, Leonard- the ISP techie- said when they looked it
> >> up, it says microsoft, and when they follow that stuff, it
> >> says it is a windows program. Now can someone tell me why
> >> Windows/Microsoft needs server rights for an executable
> >> program through my internet connection? I'm connected
> >> through AT&T, and they've not run into this before; this
> >> is a new puter running XP- any ideas?
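Two things Charlie's reply asks the reader to do by hand are (a) find out which process, and which service inside a shared svchost.exe, has a port open, and (b) look closely at the names being permitted, since a look-alike such as rund1l can pass for rundll. The script below is an added example, not part of this thread and not Foundstone's Fport or Kerio's code. It assumes a modern Windows with the NetTCPIP module (Get-NetTCPConnection, Windows 8 / Server 2012 or later, so not the XP machine discussed here), and the list of known binary names and the homoglyph table are my own assumed starting points, not an authoritative list.

```powershell
# Added example (not from the thread): map each listening TCP port to the
# owning process, list the services hosted inside that process (the svchost
# breakdown), and flag process names that only imitate a well-known Windows
# binary after folding look-alike characters (rund1l -> rundll).
# Assumes Windows PowerShell 5.1+ with the NetTCPIP module; run elevated so
# that every process's image path is readable.

# Assumed list of Windows executables that legitimately open ports.
$KnownNames = @('svchost', 'rundll32', 'rundll', 'lsass', 'services',
                'system', 'wininit', 'spoolsv')

# Assumed table of digit/letter substitutions used to mimic a legitimate name.
$Homoglyphs = @{ '0' = 'o'; '1' = 'l'; '3' = 'e'; '5' = 's' }

function Get-FoldedName {
    # Lower-case the base name and replace each homoglyph with the letter it imitates.
    param([string]$Name)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name).ToLowerInvariant()
    $chars = $base.ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($Homoglyphs.ContainsKey($c)) { $Homoglyphs[$c] } else { $c }
    }
    return -join $chars
}

function Test-LookAlikeName {
    # Returns the legitimate name being imitated, or $null when the name is
    # either exactly a known name or does not resemble one after folding.
    param([string]$Name)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name).ToLowerInvariant()
    if ($KnownNames -contains $base) { return $null }
    $folded = Get-FoldedName $Name
    if ($KnownNames -contains $folded) { return $folded }
    return $null
}

function Get-ListeningPortOwners {
    # One row per listening TCP port: port, PID, process, image path,
    # services hosted in that PID, and a warning for look-alike names.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        Group-Object ProcessId -AsHashTable -AsString

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $pidKey = [string]$conn.OwningProcess
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $hosted = if ($services -and $services.ContainsKey($pidKey)) {
            ($services[$pidKey] | ForEach-Object { $_.Name }) -join ','
        } else { '' }
        $imitates = if ($proc) { Test-LookAlikeName $proc.ProcessName } else { $null }

        [pscustomobject]@{
            LocalPort = $conn.LocalPort
            PID       = $conn.OwningProcess
            Process   = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path      = if ($proc) { $proc.Path } else { '' }
            Services  = $hosted
            Warning   = if ($imitates) { "name imitates $imitates" } else { '' }
        }
    }
}

Get-ListeningPortOwners | Sort-Object LocalPort | Format-Table -AutoSize
```

The Services column is the part Fport could not give you: several unrelated services share one svchost.exe process, so a port attributed to "svchost" is only explained once you know which services that particular PID hosts (Win32_Service's ProcessId joins the two). On an older system without Get-NetTCPConnection, `netstat -ano` plus `tasklist /svc` gives the same two pieces of information by hand. The homoglyph check is deliberately narrow: it only flags a name that becomes a known name after folding, so genuine binaries are never reported.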

