svchost


Andre

I have Windows XP Pro. Running Sygate. Every so often the firewall
blocks something called svchost.exe. Is this something I should be
concerned about? If so, is there a fix? Could it be some malware or
parasite?


thanks.....Andre
 
I have Windows XP Pro. Running Sygate. Every so often the firewall
blocks something called svchost.exe. Is this something I should be
concerned about?

What happens when you block it? Can you then establish new
connections? You may not be able to under normal conditions (no
malware infestations).

It's normal for the "real" svchost to go outbound. It's used for DNS
resolution.

What does a scan with an up-to-date antivirus or two show up?

Do a Google search on "blocking svchost.exe" and you'll find some
interesting posts.


Art
http://www.epix.net/~artnpeg
 
(e-mail address removed) (Andre) wrote in
I have Windows XP Pro. Running Sygate. Every so often the firewall
blocks something called svchost.exe. Is this something I should be
concerned about? If so, is there a fix? Could it be some malware or
parasite?


thanks.....Andre

http://support.microsoft.com/?kbid=314056

Svchost.exe is part of the NT based O/S and the O/S uses it. There can be
several svchost.exe(s) running on the computer doing various tasks for
the O/S. One of its tasks is to let certain elements/programs used by the
O/S communicate out on the network, and the Internet is a network. If
it's running out of the Windows\system32 directory it's a valid program.
If it's running from any other directory, other than system32, consider it
a possible Trojan and investigate.

However, malware such as Trojans and spyware can use svchost.exe too. So,
if SVChost.exe is trying to connect to IP(s) you don't know about, then
investigate it and stop it.

Most people don't let svchost.exe connect to IP(s). I myself stop it from
communicating and the only thing that has stopped working is the MS Auto
download and update of security patches. It notifies and I go to the MS
Update site. I let svchost.exe run but I don't let it communicate on the
network or the Internet.

Duane :)
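An added example (not code from the thread) that applies Duane's check from above to every running svchost.exe: flag any instance not running from System32 and show the "-k" service group and the services each instance hosts. It assumes PowerShell 3 or later on a current Windows (Get-CimInstance did not exist on XP); run it elevated so ExecutablePath is readable for every process.

```powershell
# Added example: audit running svchost.exe instances. Genuine svchost.exe
# runs from %SystemRoot%\System32; anything else is the "possible Trojan"
# case and deserves a closer look. Assumes PowerShell 3+ on a current Windows.
$system32 = Join-Path $env:SystemRoot 'System32'

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_
    $path = $proc.ExecutablePath   # empty when the process cannot be opened

    # Services whose ProcessId equals this instance's PID are hosted by it.
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.ProcessId)" |
              Select-Object -ExpandProperty Name

    # Verdict: compare the directory (case-insensitively) against System32.
    $verdict = if (-not $path) { 'UNKNOWN (run elevated)' }
               elseif ((Split-Path $path -Parent).TrimEnd('\') -eq $system32) { 'ok' }
               else { 'SUSPECT: not in System32' }

    [PSCustomObject]@{
        PID      = $proc.ProcessId
        Verdict  = $verdict
        # The "-k <group>" argument names the service group this instance loads.
        Group    = if ($proc.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }
        Services = if ($hosted) { $hosted -join ', ' } else { '(none)' }
        Path     = $path
    }
} | Sort-Object Verdict, PID | Format-Table -AutoSize -Wrap
```

A svchost.exe with a System32 path but no hosted services is also worth a second look: a real instance is started by the Service Control Manager to host at least one service.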
 
(e-mail address removed) (Andre) wrote in


http://support.microsoft.com/?kbid=314056

Svchost.exe is part of the NT based O/S and the O/S uses it. There can be
several svchost.exe(s) running on the computer doing various tasks for
the O/S. One of its tasks is to let certain elements/programs used by the
O/S communicate out on the network, and the Internet is a network. If
it's running out of the Windows\system32 directory it's a valid program.
If it's running from any other directory, other than system32, consider it
a possible Trojan and investigate.

However, malware such as Trojans and spyware can use svchost.exe too. So,
if SVChost.exe is trying to connect to IP(s) you don't know about, then
investigate it and stop it.

Most people don't let svchost.exe connect to IP(s). I myself stop it from
communicating and the only thing that has stopped working is the MS Auto
download and update of security patches. It notifies and I go to the MS
Update site. I let svchost.exe run but I don't let it communicate on the
network or the Internet.

Duane :)

Love to know how you did this. Every time I block it I lose my internet connection till I reboot.
 
I have Windows XP Pro. Running Sygate. Every so often the firewall
blocks something called svchost.exe. Is this something I should be
concerned about? If so, is there a fix? Could it be some malware or
parasite?
thanks.....Andre
************** REPLY SEPARATER ***************
Svchost.exe is part of the operating system that is used to load DLL files.
There can be one to four of them running at the same time, and in at least one
of them (netsvc) there can be a substantial number of processes attached to it.
Therefore, it is an ideal place for malware to hide.

On my own system, the telephony service is part of the netsvc group. It opens
up TCP port 251 for listening. No one seems to be able to tell me why it opens
up this port or what it is used for, so I keep the telephony service disabled
until I need to use the modem. If it is malware, I have not been able to trace
the source.

For more information see:

http://www.yellowhead.com/xpcfg1.htm
 
Love to know how you did this. Every time I block it I lose my
internet connection till I reboot.

I don't know what FW you're using and maybe the one you're using actually
terminates svchost.exe when you tell it to block communications on
svchost.exe. BlackIce has Application control settings to let a
program run or terminate when it starts. BI has Communication control
where the settings are let it communicate, terminate if it tries to
communicate, and block the communications but let it run. I use the
*block* which still lets svchost.exe run to not have an adverse effect on
svchost.exe in doing its tasks, which could kill the O/S if prevented.

Duane :)
 
************** REPLY SEPARATER ***************
Svchost.exe is part of the operating system that is used to load DLL files.
There can be one to four of them running at the same time, and in at least one
of them (netsvc) there can be a substantial number of processes attached to it.
Therefore, it is an ideal place for malware to hide.

On my own system, the telephony service is part of the netsvc group. It opens
up TCP port 251 for listening. No one seems to be able to tell me why it opens
up this port or what it is used for, so I keep the telephony service disabled
until I need to use the modem. If it is malware, I have not been able to trace
the source.

For more information see:

http://www.yellowhead.com/xpcfg1.htm

That's easy. Source is Redmond.
 
I don't know what FW you're using and maybe the one you're using actually
terminates svchost.exe when you tell it to block communications on
svchost.exe. BlackIce has Application control settings to let a
program run or terminate when it starts. BI has Communication control
where the settings are let it communicate, terminate if it tries to
communicate, and block the communications but let it run. I use the
*block* which still lets svchost.exe run to not have an adverse effect on
svchost.exe in doing its tasks, which could kill the O/S if prevented.

Duane :)
Ya. I use ZoneAlarm, which blocks any/all (?) attempts of it going anywhere.
Might stop it from working. Guess I'll dig out an old BlackIce and see what happens.
 
Look at your firewall's log when you block it. The entries should
include destination ip addresses and ports which will indicate which
service wants the access.
 
Ya. I know where it's trying to go and if it's sending / receiving. That's why I blocked it the 1st time, and how I found out I lost connection.

Tried BlackIce. My version was 3.something. Wasn't impressed. There's a newer version, I assume?
 
Ya. I know where it's trying to go and if it's sending / receiving.
That's why I blocked it the 1st time, and how I found out I lost
connection.

Tried BlackIce. My version was 3.something. Wasn't impressed. There's a
newer version, I assume?

All I ask of anything is for it to work and do it when I need it. BI has
done its job and has saved my network from being attacked, even when the
attacks came past the router and even when I mis-configured BI's FW and
left it wide open to all IP(s). The IDS/FW kicked in on those occasions and
protected.

I am not impressed with a bunch of point and click the pretty pictures,
just protect when I need it.

Duane :)
 
All I ask of anything is for it to work and do it when I need it. BI has
done its job and has saved my network from being attacked, even when the
attacks came past the router and even when I mis-configured BI's FW and
left it wide open to all IP(s). The IDS/FW kicked in on those occasions and
protected.

I am not impressed with a bunch of point and click the pretty pictures,
just protect when I need it.

Duane :)

What version?
 