svchost containment
Checklist
- [X] I have used the search function to see if someone else has already submitted the same feature request.
- [X] I will describe the problem with as much detail as possible.
- [X] This issue only contains a request for one single feature, not multiple (related) features.
App version
3.8.2
Problem you are trying to solve
I want to contain and control svchost.exe.
Suggested solution
This was posted some time ago, but it appears no one has come up with a solution for it:
"Containing svchost" https://github.com/henrypp/simplewall/issues/516
Now, like others, I am blocking svchost.exe and allowing it when needed, which is kind of OK, but it is getting really annoying, yet not annoying enough to wholesale allow svchost.exe.
There has to be a solution to this. Like, if svchost.exe is started by "example program" allow svchost.exe for "some amount of time". Or, always allow it if started by some app you know and trust. But I cannot create a rule that works like this.
It almost seems like svchost was designed this way to annoy people to the point that they just allow it, which basically grants access to anything, anytime, to do whatever it wants.
If there is not a solution for this with SW, maybe someone found some other way? I can't find any decent options. It would be great if I could do this with SW. If I am missing something, let me know.
Thanks!
Screenshots / Drawings / Technical details
No response
> If there is not a solution for this with SW, maybe someone found some other way?
Fort Firewall solves it by using a driver, so you can filter by service names.
I think SW could also solve this problem by using its Service, monitoring the running services and updating the rules for service process IDs.
Tinywall also does not use a driver (but uses a Service) and has an "Allow same rules to children processes" feature. So Tinywall updates its rules by process IDs.
It would indeed be a nice feature to have fine-grained control over svchost.exe. But I wonder what would be the reason to let it connect to the internet?
> It would indeed be a nice feature to have fine-grained control over svchost.exe. But I wonder what would be the reason to let it connect to the internet?
For example, I use the "fine-grained control over svchost.exe" as follows:
- allow "w32time", "dnscache" and "dhcp" (only for LAN) services
- allow "bits", "dosvc" and "wuauserv" services only when Windows Update is running
You can just couple SvcHost.exe with selected services. Examples:
- SvcHost.exe + DNSCache Service - allow on UDP port 53
- SvcHost.exe + W32Time Service - allow on UDP port 123
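
The service-to-process mapping and the per-service port coupling discussed in this thread, as an added example that is not part of the thread and not code from simplewall, Fort Firewall or TinyWall. It assumes the built-in Windows CIM and NetSecurity cmdlets (the thread names no tool for the coupling), and the rule display names are made up for illustration. `-WhatIf` previews the rules without creating them.

```powershell
# Added example. Policy taken from the service/port pairs named in the thread.
$policy = @(
    @{ Service = 'Dnscache'; Protocol = 'UDP'; RemotePort = 53  }
    @{ Service = 'W32Time';  Protocol = 'UDP'; RemotePort = 123 }
)

# Every running service hosted by svchost.exe, with the PID of its host process.
$hosted = Get-CimInstance Win32_Service -Filter "State='Running'" |
    Where-Object { $_.PathName -match 'svchost\.exe' }

# PID -> names of all services living in that process.
$servicesByPid = @{}
foreach ($s in $hosted) {
    $key = [int]$s.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $s.Name
}

foreach ($p in $policy) {
    $svc = $hosted | Where-Object { $_.Name -eq $p.Service } | Select-Object -First 1
    if (-not $svc) {
        Write-Warning "$($p.Service) is not running under svchost.exe"
        continue
    }

    # A rule keyed on the PID also covers every other service in that process,
    # so list the co-hosted services before trusting a PID-based allow rule.
    $others = @($servicesByPid[[int]$svc.ProcessId] | Where-Object { $_ -ne $svc.Name })
    [pscustomobject]@{
        Service        = $svc.Name
        HostPid        = $svc.ProcessId
        SharesHostWith = $others -join ', '
        PidRuleIsExact = ($others.Count -eq 0)
    }

    # Service-scoped rule: matches the service, not the PID, so it keeps working
    # after the service restarts and does not extend to co-hosted services.
    New-NetFirewallRule -DisplayName "Example: svchost + $($svc.Name)" `
        -Direction Outbound -Action Allow `
        -Program '%SystemRoot%\System32\svchost.exe' -Service $svc.Name `
        -Protocol $p.Protocol -RemotePort $p.RemotePort -WhatIf
}
```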