
Firewall Complaining About Svchost.exe

Discussion in 'Security and Privacy' started by FireDancer, 2004/07/15.

Thread Status:
Not open for further replies.
  1. 2004/07/15
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Hi,

    My 2 WIN XP Home systems have just been given access to the net recently and had Kerio 2.1.5 installed on them. I have all my rules up and running for DHCP, ICMP, DNS as well as APPS. SVCHOST.EXE keeps asking for permission for UDP outbound connections to 239.255.255.250 port 119. I tried pinging this address and got request timed out. Anyways, my question about SVCHOST.EXE is: under what conditions can I block it completely for IN/OUT communication in my firewall rules? Or does it need some access to various things for the system to operate properly? If so, what are they? I am new to XP so go easy on me :D

    Thanks in advance,
    FIREDANCER :eek:
     
  2. 2004/07/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Groan - this is one of those short questions with a very long answer that will be full of 'if's'.

    First off, 239.255.255.250 is in a range of specialized IP addresses that are not assigned to a specific device. It is a Multicast address. Dry, tech stuff but worth a read for anyone wishing to know what is happening with their PC and the internet these days.

    Next (and it gets worse), Svchost.exe is a sort of 'wrapper' program that will be hosting and providing services to anywhere from one to a dozen utilities and you will have from 2 to 5-6 of them running at any given time.

    XP-pro provides a way to find out exactly what is running within each of the svchost.exe processes using a utility called tasklist.exe. XP-home (you gotta love it) does not have tasklist.exe. But you can get a copy, put it on an XP-home PC, and get results when you run it. Not all the features will work but it will show you what is running in svchost at least. Click to download then put it in c:\windows\system32. Once you have it,
    Code:
    start~run~cmd to open a cmd window then
    tasklist.exe /svc
    and the results should show you lots of stuff including all the available info about svchost.exe on your PC. You might want to save a copy of the results and if so,
    Code:
    tasklist /svc > c:\services.txt
    will send the info to that text file rather than the screen and you can open it with notepad and print a copy or whatever.

    After you've done some sniffing around and reading, post back with remaining questions.
     
    Newt,
    #2
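Added example (not part of the original posts): a small parser for saved `tasklist /svc` output that joins wrapped rows and lists which services each svchost.exe process hosts. The sample output is constructed, and the short service names Dhcp, SSDPSRV, upnphost and RpcSs are the standard Windows names for the services discussed in this thread, not names taken from the posts.

```python
import re

# Constructed sample of `tasklist /svc` output (not taken from the thread).
SAMPLE = """\
Image Name                   PID Services
========================= ====== ======================================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                  876 RpcSs
svchost.exe                  980 AudioSrv, Dhcp, Schedule, Themes,
                                 winmgmt
svchost.exe                 1044 Dnscache
svchost.exe                 1100 SSDPSRV
notepad.exe                 1320 N/A
"""

# Short service names for the services discussed in this thread.
OF_INTEREST = {"Dhcp", "Dnscache", "SSDPSRV", "upnphost", "RpcSs"}
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")

def _split(field):
    """Split a comma-separated Services field, dropping the N/A marker."""
    names = [s.strip() for s in field.split(",")]
    return [s for s in names if s and s != "N/A"]

def parse_tasklist_svc(text):
    """Return {pid: (image_name, [services])}, joining wrapped rows."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():  # wrapped continuation of the previous row
            if last_pid is not None:
                procs[last_pid][1].extend(_split(line))
            continue
        m = ROW.match(line)
        if m:
            last_pid = int(m["pid"])
            procs[last_pid] = (m["image"], _split(m["svcs"]))
    return procs

def svchost_services(text):
    """Map each svchost.exe PID to the list of services it hosts."""
    return {pid: svcs for pid, (img, svcs) in parse_tasklist_svc(text).items()
            if img.lower() == "svchost.exe"}

for pid, svcs in sorted(svchost_services(SAMPLE).items()):
    flagged = sorted(OF_INTEREST.intersection(svcs))
    print(f"PID {pid}: {', '.join(svcs)} | discussed here: {flagged}")
```

To use it on a real machine, read c:\services.txt into a string and pass that to `svchost_services` instead of `SAMPLE`.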


  4. 2004/07/16
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Newt,

    Well after reading up on multicast it seems it is a more efficient way to transmit data packets over a network, and also a pain in the *ARSE* IMHO.


    Am I to assume that Microsoft made these (minor modifications) when building XP as well as all the newer OS' to make them more efficient with networking?

    It would seem that I will just have to sort through all the *BS* and nail down what SVCHOST.EXE actually has to have access to. As far as other questions go I am not sure I have any at this moment I will have to think more on it.

    Maybe one question would be for anyone who could answer: is there a link that might help to determine/learn what needs access and what doesn't?

    I got the program you linked for me and used it and it does show the services but I cannot figure out where or how to get it to text. When I run the command tasklist /svc > c:\services.txt the command window flashes and that's it, I don't see a notepad or anything anywhere.

    Regards,
    ~FIREDANCER~ :(
     
  5. 2004/07/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You will have a file in c:\ named services.txt and if you double click it, you will have it open in whatever you use as default for opening .txt files. It will not auto-open like the logs from Hijackthis do after you run the command.
     
    Newt,
    #4
  6. 2004/07/16
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Newt, I thought of a few questions :)

    I am posting this thread in hopes of asking some questions that I hope are well thought out and understandable about SVCHOST.EXE and what it is used for and what can be done about securing certain ports within Windows XP. I have done a lot of searching and found many threads about how to secure ports within your firewall rules as well as what SVCHOST.EXE does and why it should be secured in certain instances. I hope my questions are intelligent and understandable. If I am incorrect in any of my questions/ideas/or understanding please feel free to let me know.... NICELY :) as I am trying to learn how to make informed decisions about my WIN XP machines and their security.

    #1) DNS Client Service. This service in Windows XP does the lookups for your particular DNS servers to access the net.
    Question: If you are behind a router/firewall on a Dynamic IP (Cable/DSL) does DNS Client Service need to be enabled?
    I would also ask this question concerning DHCP.

    #2) SSDP (Simple Service Discovery Protocol). This service is used to discover UPnP devices on the network such as (printers).
    Question: Does this service use port 1900 strictly? Could I create a rule for SSDP and limit it to my IP's only to secure it from the net?

    Sample Rule: Allow( SSDP Local Lan) UDP (both directions) local single port (1900) remote port (1900) my IP's/networkmask
    Sample Rule: Deny All Other SSDP (both Directions) Any/Any

    Would this above sample rule ensure security for my SSDP Service?

    #3) UPnP (Universal Plug and Play) This service if I am correct is a TCP connect only and uses port 5000 and can a rule be defined as it is above for SSDP?

    Sample Rule: (Allow UPnP Local Lan) TCP (both directions) local single port (5000) remote port (5000) limit to my IP's/Network mask
    Sample Rule: (Deny All Other UPnP) both directions Any/Any

    #4) RPC/DCOM: This service I am not sure of yet I have to do more investigation on it as of now I have a rule, WINDOWS SERVICES BLOCK for ports 135, 445, 500 Deny All both directions.

    These are my questions/theories concerning these services and keeping them from broadcasting out over the internet. I know there are a few others such as Time Sync and Allow Help Web Access. I will need to do a bit more research on these two services and how to approach them. I hope I have been somewhat knowledgeable and understandable. Thanks in advance for your time and patience.

    Regards,
    ~FIREDANCER~
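Added example (not part of the original posts): a first-match model of the two SSDP sample rules above, showing which remote endpoints the LAN-only allow rule covers. It assumes rules are checked top to bottom, that the remote address of an outbound packet is its destination, and a constructed LAN range of 192.168.1.0/24; the rule tuples and function names are illustrative, not Kerio's own format.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")             # assumed LAN range (constructed)
ANY = ip_network("0.0.0.0/0")
SSDP_GROUP = ip_network("239.255.255.250/32")  # multicast address from the thread

# Rule: (action, protocol, local_port, remote_port, remote_net); None = any port.
# Model of the two SSDP sample rules in the post.
AS_POSTED = [
    ("allow", "udp", 1900, 1900, LAN),
    ("deny",  "udp", None, None, ANY),
]
# Same rules plus an allow for the multicast group itself, placed first.
WITH_GROUP = [("allow", "udp", 1900, 1900, SSDP_GROUP)] + AS_POSTED

def evaluate(rules, proto, local_port, remote_ip, remote_port):
    """Return the action of the first matching rule, or 'ask' if none match."""
    addr = ip_address(remote_ip)
    for action, r_proto, r_lport, r_rport, r_net in rules:
        if (r_proto == proto
                and r_lport in (None, local_port)
                and r_rport in (None, remote_port)
                and addr in r_net):
            return action
    return "ask"

# Constructed test traffic: (label, remote address, remote port).
TRAFFIC = [
    ("discovery to multicast group", "239.255.255.250", 1900),
    ("LAN device", "192.168.1.20", 1900),
    ("internet host", "203.0.113.5", 1900),
]

def verdicts(rules):
    """Evaluate every sample packet (UDP, local port 1900) against a rule set."""
    return {label: evaluate(rules, "udp", 1900, ip, port)
            for label, ip, port in TRAFFIC}

for name, rules in (("as posted", AS_POSTED), ("with group", WITH_GROUP)):
    print(name, verdicts(rules))
```

Under these assumptions the posted rules allow LAN unicast on port 1900 and deny internet hosts, but traffic addressed to 239.255.255.250 also falls through to the deny rule because that address is outside the LAN range.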
     
  7. 2004/07/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    #1
    DHCP is absolutely essential if your PC is getting a dynamic IP address from somewhere. A PC connected directly to a cable/dsl modem and with an ISP that does not give the user a static/permanent IP address must have DHCP running. If you are connected to cable/dsl via your own router-switch, the router/switch will be using DHCP to get its own address assigned but PCs on your internal network can either get dynamic (DHCP) addresses from the router/switch or you can opt to give them static addresses. Basically, have the service running if you need it and turn it off if you don't. But given the way it works, it creates about zero security risk.

    DNS Client (dnscache is the real name) is absolutely not essential. All it does is make note of the IP address <--> URL name matches and store those in a temporary data base that is wiped out when you shutdown or reboot. It does speed up internet (and large network) connections a little when it's running and it does cut down on network discovery traffic. The speed up is almost impossible to notice on a broadband connection and the traffic resulting from its not running is of no consequence on a small network. Run it, don't run it, your choice. Not any sort of security risk that I can think of but can on occasion cause connection problems when it's running. If you turn it off, you will simply be relying on your ISP's DNS server(s) every time you want to reach a site.

    #2/#3
    SSDP - without too much discussion here, unless you have a large network where you are adding and removing PnP devices on a regular basis and don't know what they are (so you would want the auto-discovery), I'd disable this one.

    Go into services, stop SSDP Discovery Service, change the startup to Disabled. That way it won't start unless you change the settings. If you notice in its properties under Dependencies, the UPnP Discovery Service depends on SSDP so it will be disabled as well.

    #4
    RPC/DCOM - good. If you don't see any internal network issues from this setting, keep it like this. There could be situations where you'd want to allow your LAN devices to use these ports amongst themselves but deal with that if it happens.

    Feel free to ask about any or all of this stuff. My guess is the info here will help others as well who didn't know, needed to know, didn't ask.
     
    Newt,
    #6
  8. 2004/07/20
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Newt,

    Thank you for your replies, they have helped me very much in making some informed decisions on what I needed to do to control SVCHOST.EXE within my network. I am sorry for such a late reply as I have been very ill the past 4 days and not able to do much but I did want to thank you :) for your help. You're always the PRO!!!! Thanks to Windowsbbs.com as well :D

    Regards,
    ~FIREDANCER~ ;)
     
  9. 2004/07/20
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hope you are feeling better and glad the info helped.
     
    Newt,
    #8