
svchost.exe Traffic being blocked.

Created: 24 Oct 2012 | 16 comments

Hello, I have reconfigured some of the settings for SEP, and now I've been receiving a notification saying that Symantec Endpoint Protection has blocked traffic by the following application: svchost.exe. I searched through different discussions here on the subject, however I have not found a viable solution. I looked at the Traffic Log in the Network Threat Protection Logs to narrow down why it's blocking svchost. Basically, this was the message I get: 10/24/2012 9:06:28 PM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.1.138 74-E5-0B-8A-AB-14 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 12 10/24/2012 9:06:09 PM 10/24/2012 9:06:14 PM Block UPnP Discovery from external computers <- this log appears every time it notifies me it has blocked svchost (varying times of course). I do not believe the issue is with IPv6, as another discussion was, nor malware issues since I've run 3 full scans, one in normal mode, one in normal mode with my Internet connection disabled, and one in Safe Mode, all with the latest definitions, and it has not found any malware. I am not sure if this issue stems from the settings I have changed on SEP.

 

I would like SEP to stop blocking svchost.exe, can anyone here offer me advice, or tell me which settings to change to fix this problem?

 


THE DUDE xD

I have already read both of them, this problem isn't related to either of those discussions. I tried doing the solution on the first thread by unchecking the IPv6 box under my active connection in the network adapter settings, and SEP still continued to bring up a notification saying it's blocking traffic from svchost.exe. As for the second discussion, I checked tasklist/svc, all the services running are supposed to be there, so there is nothing out of the ordinary as far as that goes. Additionally, I've gotten in the practice of constantly having my task manager running set to show processes from all users, so I constantly monitor everything running on my computer. I have not noticed any programs, applications, or services running that are unknown, and again, I updated all my definitions, and ran 3 full virus scans, one on normal mode, one on normal mode with no internet, and one in safe mode, so I stand by my earlier statement that this has nothing to do with malware.

In addition, the message only started popping up and SEP blocking svchost.exe after I got done changing my SEP settings for increased security measures, because of this, and my above statements, I have a strong feeling this has to do with the settings I changed. But this is where the problem comes in, I have no idea which setting(s) I enabled that are having SEP block svchost, which it was not doing before.

If anyone can offer me help, advice, or directions on which settings to alter, I would appreciate it.

Ashish-Sharma

Hi,

Let me try this.

Prachand Trusted Advisor

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services allows for better control and easier debugging.

http://support.microsoft.com/kb/314056

Through the solitary file svchost.exe, the DLLs efficiently contain and dispense Win32 services as well as neatly facilitate the execution of svchost.exe’s own operations. Acting as a host, the file svchost.exe creates multiple instances of itself. The multiple executions of the file svchost.exe contribute to the stability and security of the operating system by reducing the possibility of a crashing process that causes a domino effect on its neighbor processes, thereby creating a system-wide crash in the machine.

If you do Tasklist /SVC on the command prompt, it would show all the services that run under it.

 This will also show the PID of each svchost.

Then what you need to do is get the PID from the alert and see which service is doing so.

Once you get the service, find the service name and the path.

Create a new svchost for that service and see.

For example, say the Workstation service is the one that is causing the issue.

The steps needed to separate the Workstation service from Svchost.exe are as follows:
 
 1. Take a Backup of the Registry
 2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\
 3. Modify the value for ImagePath from %SystemRoot%\system32\svchost.exe -k netsvcs to %SystemRoot%\system32\svchost1.exe -k netsvcs
 4. Go to C:\Windows\system32\, copy svchost.exe, paste it and rename the copy to svchost1.exe.
 5. Restart the workstation

 

Check this thread

http://www.symantec.com/connect/forums/svchostexe-blocked-sep

 

Thanks In Advance

Ashish Sharma
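The post above says to take the PID from the alert, run Tasklist /SVC, and work out which service inside that svchost.exe instance is generating the traffic. The following is an added Python example (not code from the thread or from Symantec) that parses `tasklist /svc` output into a PID-to-services table so that lookup can be scripted; the sample output is constructed, and real output wraps long service lists onto indented continuation lines, which the parser handles.

```python
"""Map the PID from an SEP alert to the services hosted by that svchost.exe instance,
using the output of `tasklist /svc` (the step described in the post above)."""
import re

# Constructed sample of `tasklist /svc` output (not taken from the thread). Long
# service lists wrap onto indented continuation lines, as tasklist prints them.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    812 RpcEptMapper, RpcSs
svchost.exe                   1020 AudioEndpointBuilder, SSDPSRV, upnphost,
                                   Wlansvc
svchost.exe                   1104 Dnscache, LanmanWorkstation
"""

# image name (may contain spaces), PID, comma-separated service list
ROW_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc` output."""
    rows = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        if not line.strip():
            continue
        if line[0].isspace() and rows:           # wrapped continuation of the previous row
            rows[-1] += " " + line.strip()
        else:
            rows.append(line.rstrip())
    table = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError("unrecognised tasklist row: %r" % row)
        services = [s.strip() for s in m.group("services").split(",") if s.strip()]
        if services == ["N/A"]:                  # processes that host no service
            services = []
        table[int(m.group("pid"))] = (m.group("image"), services)
    return table


def services_for_pid(table, pid):
    """Services hosted by the process with this PID (empty list if unknown)."""
    return table.get(pid, ("", []))[1]


def host_of(table, service):
    """PID of the process hosting `service`, or None; names compare case-insensitively."""
    wanted = service.lower()
    for pid, (_, services) in table.items():
        if wanted in (s.lower() for s in services):
            return pid
    return None


if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE_TASKLIST)
    print("PID 1020 hosts:", services_for_pid(table, 1020))
    print("upnphost runs in PID", host_of(table, "upnphost"))
```

In practice you would feed `parse_tasklist_svc` the captured output of `tasklist /svc` and look up the PID shown in the alert; if the instance hosts SSDPSRV or upnphost, the blocked UDP/1900 traffic is the UPnP discovery announcement discussed later in this thread.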

 

 

THE DUDE xD

Would you kindly read my above two posts more thoroughly. This has nothing to do with something wrong with one of the svchost.exe processes, it has something to do with a setting that is blocking its normal function. In particular, if you read my first post with the traffic log message, it says it is set to block UPnP Discovery from external computers. I know how to allow this, however, I'd like to know if it is safe to allow this first, or if there is another way to stop SEP from disabling svchost on SEP's end.

.Brian

This is multicast traffic (239.255.255.250). The default rule in the firewall policy (rule #11) is set to block this but not log it. So you can set the action to Block and turn logging off.

Administratively Scoped IPv4 Multicast addresses

The 239.0.0.0/8 range is assigned by RFC 2365 for private use within an organization. From the RFC, packets destined to administratively scoped IPv4 multicast addresses do not cross administratively defined organizational boundaries, and administratively scoped IPv4 multicast addresses are locally assigned and do not have to be globally unique. The RFC also discusses structuring the 239.0.0.0/8 range to be loosely similar to the scoped IPv6 multicast address range described in RFC 1884.

https://en.wikipedia.org/wiki/Multicast_address

https://en.wikipedia.org/wiki/IP_multicast

It's really up to you but yes it should be safe.

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ninebirds

I started to receive this popup a couple days ago and after some research, I found out that

1. The traffic is localhost:1900 to 235.255.255.250:1900 and is an SSDP / UPnP notify message. That means I have a UPnP device, a media streaming service in my case, announcing its availability.

2. I also noticed that this media streaming service has always been there from day one and I have never received this annoying popup before. I only started to receive this popup after I modified some unrelated setting in Network Threat Protection Settings.

So I am wondering whether this is a bug with SEP.

To work around this, I hide the popup by disabling "Display Intrusion Prevent notifications". I am right now researching whether I should completely disable my UPnP devices by disabling the UPnP Device Host service.

Ninebirds

Hi,

I understand that it is related to the Block UPnP Discovery firewall rule. I just don't understand why it started to pop up a couple of days ago when this machine has been in use for a month already.

If this popup can be turned off by unchecking the "Display Intrusion Prevent notifications" checkbox, then does it seem that SEP has misinterpreted a UPnP notify alive announcement (outgoing traffic from localhost:1900 to 235.255.255.250:1900) as an intrusion? That's why I am wondering whether this is a SEP bug.

BTW, there are other kinds of traffic blocked by the SEP firewall without popup messages.

Ashish-Sharma

Hi,

Can you post a snapshot of the blocked error?


 

 

Ninebirds

Hi, I am not sure whether the following is what you needed.

31/12/12 20:47:51 Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.1.88 30-85-A9-9A-D2-7F 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 12 31/12/12 20:46:50 31/12/12 20:46:56 Block UPnP Discovery 
 

And from the packet log

0000:  01 00 5E 7F FF FA 30 85 : A9 9A D2 7F 08 00 45 00 | ..^...0.......E.
0010:  01 CE 00 4A 00 00 01 11 : 05 DB C0 A8 01 58 EF FF | ...J.........X..
0020:  FF FA 07 6C 07 6C 01 BA : B3 C6 4E 4F 54 49 46 59 | ...l.l....NOTIFY
0030:  20 2A 20 48 54 54 50 2F : 31 2E 31 0D 0A 48 6F 73 |  * HTTP/1.1..Hos
0040:  74 3A 32 33 39 2E 32 35 : 35 2E 32 35 35 2E 32 35 | t:239.255.255.25
0050:  30 3A 31 39 30 30 0D 0A : 4E 54 3A 75 70 6E 70 3A | 0:1900..NT:upnp:
0060:  72 6F 6F 74 64 65 76 69 : 63 65 0D 0A 4E 54 53 3A | rootdevice..NTS:
0070:  73 73 64 70 3A 61 6C 69 : 76 65 0D 0A 4C 6F 63 61 | ssdp:alive..Loca
0080:  74 69 6F 6E 3A 68 74 74 : 70 3A 2F 2F 31 39 32 2E | tion:http://192.
0090:  31 36 38 2E 31 2E 38 38 : 3A 32 38 36 39 2F 75 70 | 168.1.88:2869/up
00A0:  6E 70 68 6F 73 74 2F 75 : 64 68 69 73 61 70 69 2E | nphost/udhisapi.
00B0:  64 6C 6C 3F 63 6F 6E 74 : 65 6E 74 3D 75 75 69 64 | dll?content=uuid
00C0:  3A 33 30 61 34 64 66 38 : 37 2D 31 38 35 61 2D 34 | :30a4df87-185a-4
00D0:  35 30 36 2D 38 30 34 38 : 2D 38 34 37 66 36 34 31 | 506-8048-847f641
00E0:  65 33 62 63 33 0D 0A 55 : 53 4E 3A 75 75 69 64 3A | e3bc3..USN:uuid:
00F0:  33 30 61 34 64 66 38 37 : 2D 31 38 35 61 2D 34 35 | 30a4df87-185a-45
0100:  30 36 2D 38 30 34 38 2D : 38 34 37 66 36 34 31 65 | 06-8048-847f641e
0110:  33 62 63 33 3A 3A 75 70 : 6E 70 3A 72 6F 6F 74 64 | 3bc3::upnp:rootd
0120:  65 76 69 63 65 0D 0A 43 : 61 63 68 65 2D 43 6F 6E | evice..Cache-Con
0130:  74 72 6F 6C 3A 6D 61 78 : 2D 61 67 65 3D 39 30 30 | trol:max-age=900
0140:  0D 0A 53 65 72 76 65 72 : 3A 4D 69 63 72 6F 73 6F | ..Server:Microso
0150:  66 74 2D 57 69 6E 64 6F : 77 73 2D 4E 54 2F 35 2E | ft-Windows-NT/5.
0160:  31 20 55 50 6E 50 2F 31 : 2E 30 20 55 50 6E 50 2D | 1 UPnP/1.0 UPnP-
0170:  44 65 76 69 63 65 2D 48 : 6F 73 74 2F 31 2E 30 0D | Device-Host/1.0.
0180:  0A 4F 50 54 3A 22 68 74 : 74 70 3A 2F 2F 73 63 68 | .OPT:"http://sch
0190:  65 6D 61 73 2E 75 70 6E : 70 2E 6F 72 67 2F 75 70 | emas.upnp.org/up
01A0:  6E 70 2F 31 2F 30 2F 22 : 3B 20 6E 73 3D 30 31 0D | np/1/0/"; ns=01.
01B0:  0A 30 31 2D 4E 4C 53 3A : 64 62 35 32 65 34 61 31 | .01-NLS:db52e4a1
01C0:  66 33 61 64 30 36 30 65 : 32 36 62 64 32 66 35 31 | f3ad060e26bd2f51
01D0:  63 38 33 62 65 61 37 64 : 0D 0A 0D 0A             | c83bea7d....   
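As an added example (Python, not code from the thread or from Symantec), the following decodes the packet log pasted above and checks the properties that make this frame local-scope discovery traffic: the destination MAC is the RFC 1112 mapping of the group address, the group lies in the RFC 2365 administratively scoped range mentioned earlier in the thread, the IP TTL is 1, and the SSDP Location URL points back at the sender. The hex dump is the one from the post; everything else (function names, the returned field names) is my own.

```python
"""Decode the SSDP NOTIFY frame from the packet log above and report the facts
that show it is link-local discovery traffic rather than traffic leaving the LAN."""
import ipaddress
import struct
from urllib.parse import urlsplit

# Hex dump copied from the packet log in the post above; the ASCII column is ignored.
PACKET_DUMP = """
0000:  01 00 5E 7F FF FA 30 85 : A9 9A D2 7F 08 00 45 00 | ..^...0.......E.
0010:  01 CE 00 4A 00 00 01 11 : 05 DB C0 A8 01 58 EF FF | ...J.........X..
0020:  FF FA 07 6C 07 6C 01 BA : B3 C6 4E 4F 54 49 46 59 | ...l.l....NOTIFY
0030:  20 2A 20 48 54 54 50 2F : 31 2E 31 0D 0A 48 6F 73 |  * HTTP/1.1..Hos
0040:  74 3A 32 33 39 2E 32 35 : 35 2E 32 35 35 2E 32 35 | t:239.255.255.25
0050:  30 3A 31 39 30 30 0D 0A : 4E 54 3A 75 70 6E 70 3A | 0:1900..NT:upnp:
0060:  72 6F 6F 74 64 65 76 69 : 63 65 0D 0A 4E 54 53 3A | rootdevice..NTS:
0070:  73 73 64 70 3A 61 6C 69 : 76 65 0D 0A 4C 6F 63 61 | ssdp:alive..Loca
0080:  74 69 6F 6E 3A 68 74 74 : 70 3A 2F 2F 31 39 32 2E | tion:http://192.
0090:  31 36 38 2E 31 2E 38 38 : 3A 32 38 36 39 2F 75 70 | 168.1.88:2869/up
00A0:  6E 70 68 6F 73 74 2F 75 : 64 68 69 73 61 70 69 2E | nphost/udhisapi.
00B0:  64 6C 6C 3F 63 6F 6E 74 : 65 6E 74 3D 75 75 69 64 | dll?content=uuid
00C0:  3A 33 30 61 34 64 66 38 : 37 2D 31 38 35 61 2D 34 | :30a4df87-185a-4
00D0:  35 30 36 2D 38 30 34 38 : 2D 38 34 37 66 36 34 31 | 506-8048-847f641
00E0:  65 33 62 63 33 0D 0A 55 : 53 4E 3A 75 75 69 64 3A | e3bc3..USN:uuid:
00F0:  33 30 61 34 64 66 38 37 : 2D 31 38 35 61 2D 34 35 | 30a4df87-185a-45
0100:  30 36 2D 38 30 34 38 2D : 38 34 37 66 36 34 31 65 | 06-8048-847f641e
0110:  33 62 63 33 3A 3A 75 70 : 6E 70 3A 72 6F 6F 74 64 | 3bc3::upnp:rootd
0120:  65 76 69 63 65 0D 0A 43 : 61 63 68 65 2D 43 6F 6E | evice..Cache-Con
0130:  74 72 6F 6C 3A 6D 61 78 : 2D 61 67 65 3D 39 30 30 | trol:max-age=900
0140:  0D 0A 53 65 72 76 65 72 : 3A 4D 69 63 72 6F 73 6F | ..Server:Microso
0150:  66 74 2D 57 69 6E 64 6F : 77 73 2D 4E 54 2F 35 2E | ft-Windows-NT/5.
0160:  31 20 55 50 6E 50 2F 31 : 2E 30 20 55 50 6E 50 2D | 1 UPnP/1.0 UPnP-
0170:  44 65 76 69 63 65 2D 48 : 6F 73 74 2F 31 2E 30 0D | Device-Host/1.0.
0180:  0A 4F 50 54 3A 22 68 74 : 74 70 3A 2F 2F 73 63 68 | .OPT:"http://sch
0190:  65 6D 61 73 2E 75 70 6E : 70 2E 6F 72 67 2F 75 70 | emas.upnp.org/up
01A0:  6E 70 2F 31 2F 30 2F 22 : 3B 20 6E 73 3D 30 31 0D | np/1/0/"; ns=01.
01B0:  0A 30 31 2D 4E 4C 53 3A : 64 62 35 32 65 34 61 31 | .01-NLS:db52e4a1
01C0:  66 33 61 64 30 36 30 65 : 32 36 62 64 32 66 35 31 | f3ad060e26bd2f51
01D0:  63 38 33 62 65 61 37 64 : 0D 0A 0D 0A             | c83bea7d....
"""

ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # RFC 2365 administratively scoped range


def parse_hexdump(dump):
    """Turn 'offset:  xx xx .. : xx xx | ascii' lines back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_part = line.split("|", 1)[0]
        for group in hex_part.split(":")[1:]:      # element [0] is the offset column
            out.extend(int(tok, 16) for tok in group.split())
    return bytes(out)


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def multicast_mac(group):
    """RFC 1112 mapping: low 23 bits of the IPv4 group address under 01:00:5e."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def decode_frame(frame):
    """Ethernet II -> IPv4 -> UDP; returns the header fields and the UDP payload."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    ttl, proto = ip[8], ip[9]
    if version != 4 or proto != 17:
        raise ValueError("expected IPv4/UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[0:6])
    return {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
            "src_ip": ipaddress.IPv4Address(ip[12:16]), "dst_ip": ipaddress.IPv4Address(ip[16:20]),
            "ttl": ttl, "sport": sport, "dport": dport, "payload": udp[8:ulen]}


def parse_ssdp(payload):
    """SSDP is HTTP-over-UDP: a request line, then 'Name: value' headers, then a blank line."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, headers


def assess(frame):
    """The facts a defender checks before deciding whether to allow this rule."""
    d = decode_frame(frame)
    method, headers = parse_ssdp(d["payload"])
    location_host = urlsplit(headers.get("Location", "")).hostname
    return {"group_is_admin_scoped": d["dst_ip"] in ADMIN_SCOPED,  # must not leave the organization
            "mac_matches_group": d["dst_mac"] == multicast_mac(d["dst_ip"]),
            "ttl": d["ttl"],                                        # 1: cannot cross any router
            "method": method, "nts": headers.get("NTS"),
            "location_host_is_sender": location_host == str(d["src_ip"])}


if __name__ == "__main__":
    print(assess(parse_hexdump(PACKET_DUMP)))
```

A NOTIFY with NTS `ssdp:alive`, TTL 1, an administratively scoped group and a Location URL on the sending host is the ordinary announcement the UPnP Device Host service makes; the same checks flag the odd case, for example a Location URL pointing at a different host than the one that sent the announcement.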
 

.Brian

Yes, the traffic should be safe. Same exact issue here:

https://www-secure.symantec.com/connect/forums/svc...

UPnP is generally considered safe but sometimes unnecessary traffic. It's just a device searching for other devices on a network.

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise class devices.

It's up to you whether to allow or not. For me it is junk traffic and I don't allow it. But if you want to share files, music, etc. on your home network then you can allow it.

 


Ninebirds

Understood. But is it kind of weird that an "Intrusion Prevent Message" pops up for an outgoing message? I assume that SEP classifies this as an Intrusion because I can disable the popup by disabling the "Display Intrusion Prevent notifications" setting.

Any channel that I can submit this case for Symantec to review?

.Brian

You can turn off UPnP following this KB:

http://windows.microsoft.com/en-US/windows-vista/E...

SEP IPS will monitor both incoming/outgoing traffic so this is expected behaviour.

But you can open a support case:

http://www.symantec.com/support/contact_techsupp_s...

 


GMat

After upgrading from Windows 7 to Windows 8 I have been having the same symptoms with svchost.exe traffic block messages for UPnP, Teredo, and LLDP traffic in SEP 12.1.2. Turning off the Microsoft LLDP Protocol Driver in the ethernet adapter settings eliminates the LLDP blocked traffic notification messages, and an allow rule I added corrects the UPnP discovery blocked traffic log entries, but disabling the IPv6 driver does not eliminate the Teredo blocked traffic entries and notifications. Although the addresses reported in the log entries are IPv4 format, I would agree with Ninebirds per his post above that there seems to be some type of bug. My symptoms also started occurring after I had been up and running for some time, with no system changes I can identify that could have caused an issue. Somewhere between W8 and the SEP client there appears to be a bug.

I have also had problems with my Fortinet SSL VPN client being blocked intermittently. Re-installing the client fixed the issue each time, but when I added the UPnP allow rule the VPN client worked immediately after the rule was turned on without re-installation. The client also worked without issue or re-install when the firewall was off.

Example log entries are as follows:

1/10/2013 1:41:06 PM Blocked 3 Outgoing UDP teredo.ipv6.microsoft.com [65.55.158.118] 00-1E-7A-20-DF-CB 3544 10.200.200.100 00-17-A4-E3-80-5A 52548 C:\Windows\System32\svchost.exe SYSTEM NT AUTHORITY Default 6 1/10/2013 1:39:50 PM 1/10/2013 1:40:21 PM Block IPv6 over IPv4 (Teredo) Remote UDP port 3544 

1/10/2013 12:28:00 PM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 10.200.200.100 00-17-A4-E3-80-5A 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 36 1/10/2013 12:25:56 PM 1/10/2013 12:26:57 PM Block UPnP Discovery 

Since I'm a system admin testing before I roll out new software I'm reluctant to turn off NTP messages until I know there are truly no threats that I need to be aware of.
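Before suppressing notifications, an admin in this position usually wants the traffic log reduced to which rule fired, where the traffic was going, and how often. The following is an added Python example (not code from the thread or from Symantec) that parses the four traffic-log entries quoted in this thread and classifies each destination using the RFC 2365 scoping note from .Brian's earlier post and the Teredo port from the rule name. The column meanings are my assumption from the order the fields appear in the quoted entries; the SEP export may label them differently.

```python
"""Parse SEP Network Threat Protection traffic-log lines as quoted in this thread
and classify where the blocked traffic was headed."""
import ipaddress
import re

# Column order assumed from the quoted entries: time, action, severity, direction,
# protocol, remote host, remote MAC, remote port, local host, local MAC, local port,
# application, user, domain, location, occurrences, begin time, end time, rule name.
TIME = r"\S+ \S+(?: [AP]M)?"                       # "10/24/2012 9:06:28 PM" or "31/12/12 20:47:51"
MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
LOG_RE = re.compile(
    rf"^(?P<time>{TIME}) (?P<action>\S+) (?P<severity>\d+) (?P<direction>\S+) (?P<proto>\S+) "
    rf"(?P<remote>\S+(?: \[[^\]]+\])?) (?P<remote_mac>{MAC}) (?P<remote_port>\d+) "
    rf"(?P<local>\S+) (?P<local_mac>{MAC}) (?P<local_port>\d+) "
    rf"(?P<app>\S+) (?P<user>.+?) (?P<domain>NT AUTHORITY|\S+) (?P<location>\S+) (?P<count>\d+) "
    rf"(?P<begin>{TIME}) (?P<end>{TIME}) (?P<rule>.+?)\s*$"
)

# The entries quoted by the posters in this thread.
SAMPLE_LOG = [
    r"10/24/2012 9:06:28 PM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.1.138 74-E5-0B-8A-AB-14 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 12 10/24/2012 9:06:09 PM 10/24/2012 9:06:14 PM Block UPnP Discovery from external computers",
    r"31/12/12 20:47:51 Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.1.88 30-85-A9-9A-D2-7F 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 12 31/12/12 20:46:50 31/12/12 20:46:56 Block UPnP Discovery ",
    r"1/10/2013 1:41:06 PM Blocked 3 Outgoing UDP teredo.ipv6.microsoft.com [65.55.158.118] 00-1E-7A-20-DF-CB 3544 10.200.200.100 00-17-A4-E3-80-5A 52548 C:\Windows\System32\svchost.exe SYSTEM NT AUTHORITY Default 6 1/10/2013 1:39:50 PM 1/10/2013 1:40:21 PM Block IPv6 over IPv4 (Teredo) Remote UDP port 3544 ",
    r"1/10/2013 12:28:00 PM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 10.200.200.100 00-17-A4-E3-80-5A 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 36 1/10/2013 12:25:56 PM 1/10/2013 12:26:57 PM Block UPnP Discovery ",
]

ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")   # RFC 2365 organization-local scope
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def parse_traffic_line(line):
    """Split one traffic-log line into named fields; numeric fields become ints."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised traffic log line: %r" % line)
    entry = m.groupdict()
    for key in ("severity", "remote_port", "local_port", "count"):
        entry[key] = int(entry[key])
    # "host.name [1.2.3.4]" -> keep the resolved address separately from the name
    ip_match = re.search(r"\[([^\]]+)\]$", entry["remote"])
    entry["remote_ip"] = ip_match.group(1) if ip_match else entry["remote"]
    return entry


def classify(entry):
    """Label the destination so the rule hit can be judged without reading every line."""
    ip = ipaddress.ip_address(entry["remote_ip"])
    if ip in ADMIN_SCOPED and entry["proto"] == "UDP" and entry["remote_port"] == 1900:
        return "ssdp-announce-local-scope"   # UPnP discovery to a group routers must not forward
    if ip in MULTICAST:
        return "multicast-other"
    if entry["proto"] == "UDP" and entry["remote_port"] == 3544:
        return "teredo-tunnel"               # IPv6-over-UDP to a Teredo server on the Internet
    return "unicast-other"


def triage(lines):
    """Sum the occurrence counts per (rule name, classification)."""
    summary = {}
    for line in lines:
        entry = parse_traffic_line(line)
        key = (entry["rule"], classify(entry))
        summary[key] = summary.get(key, 0) + entry["count"]
    return summary


if __name__ == "__main__":
    for (rule, kind), hits in sorted(triage(SAMPLE_LOG).items()):
        print("%-55s %-28s %d" % (rule, kind, hits))
```

Run over an exported log, the summary separates the local-scope SSDP announcements (which never leave the organization and are the case .Brian calls safe to allow) from the Teredo entries, which are real outbound tunnel attempts to an Internet host and deserve a separate decision.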

.Brian

The rules are Block IPv6 over IPv4 (Teredo) and Block UPnP Discovery.

These are set to block by default but it is likely legitimate traffic, for which you can either suppress the notification or set the rule to allow. It's up to you.
