
Thread: another question

  1. #1
    patpierspn Guest

    another question

    I frequently get a message from ZA that svchost wants to access the internet. I know that is just a filler name for a whole bunch of processes. I always deny it access and things continue to work on the net as they should.
    Do those messages indicate I might have a hidden malware program lurking somewhere or should I just give it permission and not worry about it?
    Many thanks.

    Operating System:Windows XP Pro
    Software Version:8.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: another question

    Normally the minimum connections made by svchost.exe are basically for outgoing/receiving incoming connections from and to the correct DHCP and DNS servers.
    These DHCP and DNS connections demand that the DHCP and DNS server IPs should be placed as Trusted in the Zones of the Firewall and only the Trusted Server rights (allows an open port to the Trusted IPs) should be given to the svchost.exe (never the Internet Server, unless something very special is being done).
    These connections will be seen as any local port to/from the remote port 53 by UDP of the DNS server(s), and using local port 68 to/from the remote port 67 of the DHCP server by UDP.
    Thus the svchost.exe needs not just Trusted Access to the DHCP and DNS, but also the Trusted Server rights.

    The svchost.exe performs various connections of the loopback (127.0.0.1) and the non-routable (0.0.0.0) both outgoing (Access) and incoming (Server). The loopback address is normally set to be in the Trusted Zone, thus the Trusted access and Trusted server is required for the svchost.exe.
    There will be a specific ZA alert for the svchost.exe requiring server rights to the 0.0.0.0 port 135, specifying this is internet and this should be allowed; however this is not a specific internet connection, but actually a simple local area network connection although conducted only internally within the windows.
    Most people have certain services/daemons enabled in windows which warrant this needed connection for windows; disabling certain services/daemons will cease the connection (and thus the following ZA alert).
    The 0.0.0.0 connections are used internally for the windows operations and for connecting to the DHCP server and various other Local Area Networked devices. The 0.0.0.0 is generally required in VPN arrangements and I suppose this is why the ZA "sees" any 0.0.0.0 connections/servers as Internet not instead as Trusted.
    (also certain DSL and dialup connections which involve no hardware firewall could be setting the single computer up as a node of the provider's subnet and consequently becoming part of the network with other unknown clients of that subnet of the provider. This is something not wanted or required, and any connection to servers/IP other than the correct dhcp and dns of the provider can be safely blocked or denied).

    The svchost.exe is the main component required for the windows time updating and these will be seen as UDP connections to/from the remote port 123 of the Time servers.

    The svchost.exe is often doing many various local area network connections using netBIOS, MS dcom, UPnP, SSDP, etc.

    And for the window files such as explorer, internet explorer, etc the svchost.exe will be seen as performing http (port 80) and https (port 443) connections along with these window's internet/networking capable components.

    Oldsod.
    Best regards.
    oldsod
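
An added example, not part of either post: a coarse triage of svchost.exe firewall log entries against the connection patterns the reply above describes (DNS on UDP 53, DHCP on UDP 68/67, time on UDP 123, loopback, 0.0.0.0 port 135, HTTP/HTTPS), flagging everything else for a closer look. The server addresses, the log tuple layout and the function names are assumptions made for illustration; the LAN protocols the reply also mentions (NetBIOS, DCOM, UPnP, SSDP) are not modeled and fall through to review.

```python
import ipaddress

# Constructed values: replace with the DNS/DHCP servers your provider or router assigns.
DNS_SERVERS = {"192.0.2.53"}
DHCP_SERVERS = {"192.0.2.1", "255.255.255.255"}  # broadcast is used before a lease exists

def classify(proto, local_port, remote_ip, remote_port):
    """Label one svchost.exe connection against the patterns in the reply."""
    proto = proto.upper()
    ip = ipaddress.ip_address(remote_ip)
    if ip.is_loopback:                      # 127.0.0.1, normally in the Trusted zone
        return "loopback"
    if ip.is_unspecified:                   # 0.0.0.0, internal to Windows
        return "local-rpc" if 135 in (local_port, remote_port) else "local-0.0.0.0"
    if proto == "UDP" and remote_port == 53:
        return "dns" if remote_ip in DNS_SERVERS else "review: unknown DNS server"
    if proto == "UDP" and local_port == 68 and remote_port == 67:
        return "dhcp" if remote_ip in DHCP_SERVERS else "review: unknown DHCP server"
    if proto == "UDP" and remote_port == 123:
        return "time"
    if proto == "TCP" and remote_port in (80, 443):
        return "web"                        # port match only; says nothing about the peer
    return "review: not described in the reply"

def needs_review(entries):
    """Return the entries that match none of the expected patterns."""
    return [e for e in entries if classify(*e).startswith("review")]

# Constructed log entries: (proto, local_port, remote_ip, remote_port)
SAMPLE = [
    ("UDP", 1045, "192.0.2.53", 53),
    ("UDP", 68, "192.0.2.1", 67),
    ("UDP", 123, "198.51.100.7", 123),
    ("TCP", 135, "0.0.0.0", 0),
    ("TCP", 1060, "127.0.0.1", 1061),
    ("TCP", 1071, "198.51.100.20", 443),
    ("UDP", 1046, "203.0.113.9", 53),     # DNS query to a server that is not configured
    ("TCP", 1080, "203.0.113.9", 6667),   # port the reply never mentions
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", classify(*entry))
```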
