
eEye Digital Security


Blink Personal firewall rules

Last post 06-03-2008 1:40 AM by wguru. 7 replies.
Page 1 of 1 (8 items)
  • 05-17-2008 12:36 PM

    • wguru
    • Top 50 Contributor
    • Joined on 05-10-2008
    • Posts 14

    Blink Personal firewall rules

    One of the BP activity alerts led to a system wide rule I'm uncertain as to whether or not I should be having.

    The rule's under "Generic Host Process for Win32 Services"
    and is "Allow svchost.exe".

    Its description says "Allow TCP and UDP between Remote (All IPs : All Ports) and Local (All IPs : All Ports)".

    What bothers me is the word "Remote", especially since I don't remote desktop and as much of a novice as I still am, anything related to "Remote" kind of unnerves me.

    Attention Santa Claus: Wish for BP's design will be completed so it includes GUI regarding what program, etc., as well as when firewall rules are/were created (to enable users the ability to check on rules and maybe even point us to some guidance for what the risks are for given rules).

  • 05-17-2008 3:58 PM In reply to

    Re: Blink Personal firewall rules

    Local means your computer.

    Remote means the computer the program is trying to contact.

    These rules are all outbound rules, they tell BP which 'remote' computer each program is allowed to talk to. 

  • 05-23-2008 7:21 PM In reply to

    • wguru
    • Top 50 Contributor
    • Joined on 05-10-2008
    • Posts 14

    Re: Blink Personal firewall rules

    Thanks for replying.  The why for's are appreciated.

    Hope my X-mas wish wasn't seen as anything remotely negative against Blink.  It is clearly the best I've found and is well structured.  It's just that as good of a job that was done, it seems to be one missing a key ingredient (i.e.; ideally when they're prompted for a decision, or at least later something that users can use to evaluate rules, default or otherwise).

    As nobody's yet replied with indications that this rule's necessary and safe, I'm left assuming the likelihood that what the rule amounts to is that all my machine's programs having access thru "Generic Host Processes for Win32 Services" have blanket clearance with all IPs via all ports using TCP and UDP.

    I doubt that's always a good idea and I find no means to determine if the rule's a problem, ref. a USER defined rule (unlike Blink's cool default rules). So I'm still hopeful someone will post a 'what to do' reply.

    Maybe 'delete the rule' to see if connectivity improves and when/if it prompts again for a decision, I need to note what was going on then.

    I say that as I'm seeing a lot of '404 server not availables' (for well known sites I never have had issues with before) and I don't think it coincidence that they're occurring right after installing Blink.  Plus I'm seeing some long pauses before many sites load in IE, most just momentarily, but some hang forever and I can't even exit the window until using end task.

    So I'm left to posting here for 'what to do' and for now just for a single USER defined rule.  But how when there seems nowhere to start from?

     

  • 05-24-2008 7:21 PM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 155

    Re: Blink Personal firewall rules

    Hi wguru,

    The svchost process (Generic Host Processes for Win32 Services) pretty much does exactly how it's named. Microsoft says "Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs)."  Basically this means that it acts as a means to allow DLLs network access. You can open cmd.exe and run "tasklist /svc" and you'll see all the Windows services that are running using svchost.exe.

    To answer your question, svchost.exe handles the services you see listed when you run the above command line.  You'll see that svchost.exe can have several instances running. One of them you'll see is "TermService" (i.e. Terminal Services... Remote Desktop). Having a blanket rule for Allow ALL for svchost.exe is probably not as secure as having rules for each specific piece (or DLL) using svchost.exe.  I would suggest removing the rule. Then you can wait for the next prompt and see what local port (for inbound) or remote port (for outbound) traffic it's trying to do.

    Example: If you have Remote Desktop turned on, you should expect to have a rule created to allow inbound local port 3389 for Remote Desktop.

    Hope that helps answer your question. And yes, your input about the product is always welcome. We're always looking for feedback on how to make the product better.

    Thank you.
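    As an added illustration (not code from the post or from eEye), here is a small Python parser for the wrapped output of "tasklist /svc" that lists which services each svchost.exe instance hosts, so the per-service picture bpatten describes can be checked before deciding on per-DLL rules. The sample output, its PIDs and its service names are constructed for the example.

```python
import re

# Constructed sample of `tasklist /svc` output (PIDs and service names are made
# up for this example); the real command wraps the Services column the same way.
SAMPLE_TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   660 Eventlog, PlugPlay
svchost.exe                    876 RpcSs
svchost.exe                    952 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, lanmanserver,
                                   lanmanworkstation, W32Time, wuauserv
svchost.exe                   1040 TermService
"""

def _split_services(field):
    """Turn 'A, B, C,' into ['A', 'B', 'C'], dropping the empty trailing piece."""
    return [s.strip() for s in field.split(",") if s.strip()]

def parse_tasklist_svc(text):
    """Return a list of (image, pid, [services]) rows from `tasklist /svc` text."""
    rows = []
    seen_header = False
    for line in text.splitlines():
        if not seen_header:                  # skip everything up to the ===== line
            seen_header = line.startswith("=")
            continue
        if not line.strip():
            continue
        if line[0].isspace():                # wrapped continuation of Services column
            rows[-1][2].extend(_split_services(line))
            continue
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line)   # image (may contain spaces), PID, services
        image, pid, svc = m.group(1), int(m.group(2)), m.group(3)
        rows.append([image, pid, [] if svc == "N/A" else _split_services(svc)])
    return [tuple(r) for r in rows]

def svchost_instances(text):
    """Map each svchost.exe PID to the services it hosts."""
    return {pid: svcs for image, pid, svcs in parse_tasklist_svc(text)
            if image.lower() == "svchost.exe"}

def services_hosting(text, name):
    """PIDs of the svchost instances hosting a given service (case-insensitive)."""
    return [pid for pid, svcs in svchost_instances(text).items()
            if name.lower() in (s.lower() for s in svcs)]

if __name__ == "__main__":
    for pid, svcs in svchost_instances(SAMPLE_TASKLIST_SVC).items():
        print(pid, ", ".join(svcs))
```

    On a real machine, pipe the command's output into parse_tasklist_svc instead of the sample; the instance hosting TermService is the one that would need a port 3389 rule if Remote Desktop is on.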

     

  • 05-24-2008 8:58 PM In reply to

    • wguru
    • Top 50 Contributor
    • Joined on 05-10-2008
    • Posts 14

    Re: Blink Personal firewall rules

    Hi everybody again,

    Well.  Nobody's beating down the door on that question.  Maybe my other question will have better luck.

    I have two ticked 'system wide' rules (stop symbol tagged) B-Personal version '1.0.398' (file version 3.5.6.1761?):

    Deny incoming port 2000 - Central Policy  - Denies incoming requests on TCP port 2000

    Deny all other*  NetBios requests - Central Policy - Deny all incoming NetBios requests

     

    "Other" system wide NetBIOS rules:

    Ticked -

    Allow local subnet NetBios - Central Policy - Allows incoming NetBios connections from private networks

    Unticked -

    TCP allow inbound NetBIOS from subnet - eEye 'policy' - Allow incoming TCP conns to ports 139 and 445 (NetBIOS)

    UDP allow inbound NetBIOS - eEye 'policy' -  Allow inbound UDP packets to local ports 137 & 138 (NetBIOS)

    UDP allow outbound NetBIOS - eEye 'policy' - Allow outgoing UDP packets to remote ports 137 & 138 (NetBIOS)

    Apparently B-Personal's home page differs with B-Pro's and it seems B-Personal's Contents and Index might be actually written for B-Pro and not specifically for B-Personal.  That assumption's based on the fact that there isn't any Options and Settings on B-Personal's home page (ref. B-Personal toolbar's Help "Contents & Index" which inappropriately tells users its selection is on the Home page).

    Since accessing the "Central Policy URI" and/or "Blink Rules" appears pretty much unmanageable for B-Personal users (unless purchasing support, Pro, or Retina w/REM suite).

    So with little to no user information availed for what amounts to B-Personal being similar to a speeding car on cruise-control with nobody in the car, but the owner is provided a remote control to steer, accelerate and brake while the owner has no idea where the car is, nor where it's headed.

    As such, it seems until paying for support or upgrades, B-Personal users aren't afforded reasonable control over their computers.

    I accept that if someone 'gives' me a car and offers no responsibility for my use of it thereafter, it's my responsibility for operating it.

    But, if the previous owner also gave me his handwritten owner's manual and service records, telling me how well he'd taken care of the car, how can the previous owner feel no responsibility for the vehicle after it quit running because I 'put diesel in it instead of gasoline' (i.e.; the owner forgot to update the manual when he changed out engines)?

    So anybody knowing anything about my couple of 'Central Policy' rules, I'd really appreciate someone familiar with these rules sharing their nature and what they would do about them (besides take it to the dealer, purchase a service plan, or sell the car).

    Best regards and hap-e-trails,

    wguru

  • 05-25-2008 10:48 AM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 155

    Re: Blink Personal firewall rules

    Hi again wguru,

    You're right that Central Policy is what allows remote management of Blink Pro. For Blink Personal, it's used to pull protection rules from eEye. Those CP rules you mention above are rules to protect home users. The deny inbound 2000 is simply blocking port 2000 (used for Central Policy) since there is no management console. The deny all other netbios is used to do exactly that: allow for what's checked, then deny all else. You have to understand that all firewall rules are processed in order top to bottom. So those 2 CP rules should be at the bottom of the list. You'll see that by looking at the Allow local subnet netbios rule, which is used to allow netbios (windows file sharing) from private networks in home networks (like 192.168.X.X). This ensures that file sharing only occurs within the local network subnet of certain IP schemes.

    We understand that the advanced detail of all of our FW rules can be too much detail for home users and are looking to improve that in the future. 

    Hope that answers your question.

    Thank you.  
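    An added example (not Blink's rule engine or eEye code) that models the top-to-bottom, first-match evaluation bpatten describes, using the three Central Policy rules from this thread, and shows why the catch-all NetBIOS deny has to sit below the local-subnet allow. The NetBIOS port set, the RFC 1918 ranges taken to mean "private networks", and the behaviour when no rule matches are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): the ports the NetBIOS rules cover, and the
# RFC 1918 ranges that "private networks" stands for.
NETBIOS_PORTS = {137, 138, 139, 445}
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CATCH_ALL = "Deny all other NetBios requests"

def is_private(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

# A rule is (name, action, predicate); the predicate sees one packet as
# (direction, proto, remote_ip, local_port). Names follow the thread's rule list.
RULES_AS_SHIPPED = [
    ("Allow local subnet NetBios", "allow",
     lambda d, p, rip, lp: d == "in" and lp in NETBIOS_PORTS and is_private(rip)),
    ("Deny incoming port 2000", "deny",
     lambda d, p, rip, lp: d == "in" and p == "tcp" and lp == 2000),
    (CATCH_ALL, "deny",
     lambda d, p, rip, lp: d == "in" and lp in NETBIOS_PORTS),
]

def evaluate(rules, direction, proto, remote_ip, local_port):
    """First match wins, scanning top to bottom; returns (action, rule name).
    When nothing matches we assume the firewall makes no decision here."""
    for name, action, matches in rules:
        if matches(direction, proto, remote_ip, local_port):
            return action, name
    return "no-match", None

def catch_all_first(rules):
    """The same rules with the catch-all deny moved to the top: the misordering
    the reply warns against, which shadows the local-subnet allow."""
    return [r for r in rules if r[0] == CATCH_ALL] + [r for r in rules if r[0] != CATCH_ALL]

if __name__ == "__main__":
    # Constructed packets: an SMB connection from a LAN host and from the internet.
    for label, rules in (("shipped order", RULES_AS_SHIPPED),
                         ("catch-all first", catch_all_first(RULES_AS_SHIPPED))):
        print(label, evaluate(rules, "in", "tcp", "192.168.1.20", 445),
              evaluate(rules, "in", "tcp", "203.0.113.7", 445))
```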

  • 06-03-2008 1:30 AM In reply to

    • wguru
    • Top 50 Contributor
    • Joined on 05-10-2008
    • Posts 14

    Re: Blink Personal firewall rules

    Oops

  • 06-03-2008 1:40 AM In reply to

    • wguru
    • Top 50 Contributor
    • Joined on 05-10-2008
    • Posts 14

    Re: Blink Personal firewall rules

    Thank you for replying.  I seem to recall indicating a lot of 404's and that wasn't answered, but I'm hopeful that when I install MS's hotfix for users who disable the MS firewall, maybe the 404's will stop.

    Regarding "to improve", hopefully foremost in such efforts will be adding notice (at Blink installs) with respect to the MS firewall bug and the hotfix needed when disabling MS firewalls.

    I mention that as my inquiries here failed to disclose this and moreover since it oddly took my OS weeks before it finally kicked in and began to properly prompt the 7023 event ID (which is the only thing that led me to the KB889320 article on the bug, ie; causing the system's "Computer Browser" to stop running exactly every "five" minutes).

    Thanks again for replying

© 1995 - 2009 eEye Incorporated