Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: svchost.exe alert

  1. #1
    potter Guest

    Default svchost.exe alert

    I have recently had a security alert saying that svchost.exe is trying to act as server. I have not had this before so denied and did a virus/spyware scan that revealed nothing. I rebooted and when the alert came up I allowed and a few minutes later there was another alert saying that it was trying to acces IP address 121.14.136.101.
    A Google search showed this IP address was suspicious and somewhere in China.
    I can continue to block this activity but is my computer infected by some entity that ZA security cannot detect?
    Potter

    Operating System:Windows XP Home Edition
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    avash Guest

    Default Re: svchost.exe alert

    I just wanted to let you know that I have had the exact same situation since yesterday. I also use Windows XP home with SP 3. Again, the system scan I performed yesterday (Monday 1 September)
    revealed nothing at all.
    I am using Zone Alarm Security Suite Version 7.0.483.000

  3. #3
    zaswing Guest

    Default Re: svchost.exe alert

    My reply to both of you re
    " I can continue to block this activity but is my computer infected by some entity that ZA security cannot detect?"

    Unlikely, but possible. Depends on the settings.
    In the Program Control list, find Generic Host Process... which is the fancy name for svchost. Make sure that it only has 3 green checks.
    DO NOT permit it to be a server for the internet zone.
    DO PERMIT, you must permit, to be a server for the trusted zone.

    If those settings are correct, then answering Deny sounds good to me.

  4. #4
    evilimp Guest

    Default Re: svchost.exe alert

    I've noticed that svchost.exe, port 135, for 0.0.0.0 has been asking for server rights as well. I've been telling it to deny, but that it can ask me the next time I reboot the machine. No program has come up with a complaint that it's blocked. It's been doing this on my primary and secondary windows PC for the last week or two. Didn't do that, that I was aware of, prior to that. It's kind of odd. Not sure what program is trying to instigate this either. If I go to the command prompt, and do: netstat -anp tcp | find ":135 " I find one line, of TCP, "listening". I might as well block it permanently, for being a server to the internet zone, but I wish I knew a way to isolate which program or process on my PC is misbehaving.

  5. #5
    avash Guest

    Default Re: svchost.exe alert

    Thanks very much for your detailed reply, zasuiteuser.
    I have now blocked the generic host process (svchost) from acting as a server in the Internet zone. We'll see what difference this now makes.

  6. #6
    avash Guest

    Default Re: svchost.exe alert

    @ evillimp: This is exactly my experience and I also find it somewhat odd that all these alerts have suddenly appeared.

  7. #7
    potter Guest

    Default Re: svchost.exe alert

    ZAsuiteuser,
    Thanks for the info, my ZA suite was already configured as you suggested so will continue to deny as you suggest.
    Like other users, this alert
    has only started recently and I
    cannot figure out which programme is triggering this, could it be a Windows
    security upgrade?
    Potter

  8. #8
    zaswing Guest

    Default Re: svchost.exe alert

    To those who still have problems -
    Windows uses port 135 for tons of things, more than my mind can absorb.
    135 is one of several ports which Windows uses that should NEVER go out to the internet. So ZA is doing the job just fine.

    The whole group are ports 135, 137 ,138, 139.
    Perhaps your LAN is not in the trusted zone? Because ZA will block NetBios ports in the Internet zone.

    So long as you keep it on your LAN you should be ok unless other computers are dirty.
    For instance (the instance I've seen) If you have several computers on the LAN, AND if you use Windows Explorer to explore files on the other computer, Explorer will connect to other computers' port 135 via TCP protocol, and computers announce/broadcast their presence and lots of ID information on port 138.
    I suppose you permit NetBios in the TCP/IP properties.

    I'm not sure I understand the 0.0.0.0 part in this context. Could be no other computers?
    Sudden appearance? Well, perhaps changed XP to SP3? Or ZA is watching differently. I don't know really.

  9. #9
    zaswing Guest

    Default Re: svchost.exe alert

    I just took a bag off my head, and related few things - here's very nice, recent explanation - perhaps the context of 0.0.0.0.:135 will be clearer when you read this thread:
    http://forum.zonelabs.org/zonelabs/b...ssage.id=19190

  10. #10
    potter Guest

    Default Re: svchost.exe alert

    Thanks for the link, it has reassured me that all is well.

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •