Endpoint Protection

  • 1.  My Computer is the Remote Host to the firewall, weird...

    Posted Jul 30, 2014 05:14 PM

    This is an oddity I have noticed in the firewall logs.

    For some time now Windows Update gets blocked by the SEP12 firewall, so I have added rules to the firewall to allow those host IP addresses permission. This is a bit tedious at times but works: clear the log, activate Windows Update, look at the log, and if a Microsoft update URL is blocked, add a rule for those IPs with a bit of extra space (1-255) on the IP range. This seems to work, and I am not letting in the whole world.

    Then I noticed an oddity: my computer's IP was listed as the remote host, an IP of 157.56.107.154 was listed as the local host, and the connection was blocked. I did a whois on the address and it seems to be one owned by Microsoft Corporation, hmm... OK, but it was listed as inbound, so it was actually outbound from my computer to an MS host: the local MAC was most definitely not on my computer (A0-21-B7-73-1D-64); I checked with ipconfig /all, nope, not mine. The user listed was SYSTEM, and the busy application was c:\windows\system32\svchost.exe, but I don't know what service program called svchost to make this connection. So is this normal, and if so could someone please explain? I'm just a bit boggled by this one.




  • 2.  RE: My Computer is the Remote Host to the firewall, weird...

    Posted Jul 30, 2014 08:04 PM

    svchost.exe goes out to Windows Update for the updates....



  • 3.  RE: My Computer is the Remote Host to the firewall, weird...

    Posted Jul 30, 2014 08:13 PM

    Hi,

    Yes, svchost.exe goes out to Windows Update; agree with .Brian

    Please check this:

    Symantec Endpoint Protection: Tamper Protection appears to be blocking Windows Update
    Article: TECH161109
    Article URL: http://www.symantec.com/docs/TECH161109

    Are you downloading Windows Updates with stealth mode Web browsing enabled?

    -MK




  • 4.  RE: My Computer is the Remote Host to the firewall, weird...

    Posted Aug 02, 2014 10:31 PM

    Yes, I am aware that svchost.exe is used often to connect to Windows Update, but...

    1. How did my computer come up listed as the remote computer while an MS IP address, with a MAC address of a computer who knows where, gets listed as the local machine on a few entries of the firewall? Is this a manipulation to allow inbound traffic when a firewall is set to stop inbound traffic? hmm...

    2. I have never liked the way MS has svchost.exe set up as a global gateway for up to 20 or more services at the same time. Just look at the results when using Sysinternals autoruns.exe; just right click on some of the iterations of svchost.exe to see how many service programs are using svchost as their door to the internet. This seems to me to be a Single Point of Failure. If svchost is given free license to make connections, how am I to know what service is actually initiating such a connection? The firewall logs only report that svchost.exe made or attempted to make a connection. By the way, you don't have to allow svchost.exe to have internet access in order to have an internet connection work just fine.

    3. Do any of you know of a method to trace back to identify: [connection initiating program -> service -> svchost.exe] ?




  • 5.  RE: My Computer is the Remote Host to the firewall, weird...

    Posted Aug 03, 2014 10:47 PM

    Yeah, I sort of figured that out, but svchost.exe is such a single point of failure. For example, I used Process Explorer and counted the services that are currently linked to svchost.exe on my computer: current count 70.

    For all practical purposes that is seventy background programs turned on and waiting for a user-level program to trigger any one of them to phone home. The firewall logs do not tell me what program or script started the internet connection request, or which of the seventy services affiliated with svchost.exe were triggered.

    Do you know a method to do this kind of analysis?

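One way to do the kind of analysis asked about above, added here as an example and not part of the thread: join the owning process ID of each live TCP connection to the list of services hosted by that svchost.exe instance, so a firewall log entry for svchost.exe can be narrowed to the handful of services sharing that PID. It assumes PowerShell on Windows 8 or later (for Get-NetTCPConnection) and an elevated session.

```powershell
# Added example (not from the thread): attribute svchost.exe network connections
# to the services hosted in that svchost instance. Run from an elevated prompt.

# Index all running services by the PID of the process that hosts them.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Look at connections that are leaving or already established, skipping loopback.
Get-NetTCPConnection -State Established, SynSent |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' } |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.ProcessName -eq 'svchost') {
            $hosted = $servicesByPid["$($conn.OwningProcess)"]
            [pscustomobject]@{
                PID      = $conn.OwningProcess
                Local    = "$($conn.LocalAddress):$($conn.LocalPort)"
                Remote   = "$($conn.RemoteAddress):$($conn.RemotePort)"
                State    = $conn.State
                # The connection belongs to one of these services; a short list
                # is what makes a svchost.exe log entry attributable.
                Services = ($hosted | ForEach-Object { $_.Name }) -join ', '
                # ServiceDll from the registry names the DLL each service loads.
                Dlls     = ($hosted | ForEach-Object {
                    (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters" `
                        -ErrorAction SilentlyContinue).ServiceDll
                } | Where-Object { $_ }) -join ', '
            }
        }
    } | Format-Table -AutoSize
```

When several services still share one instance, `sc config <ServiceName> type= own` makes that service run in its own svchost.exe process, so its connections get a unique PID in the firewall log.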



  • 6.  RE: My Computer is the Remote Host to the firewall, weird...

    Posted Aug 03, 2014 11:23 PM

    I've seen that happen when SEP tamper protection sort of freaks out; this is not the same event. I just don't give svchost.exe free rein to connect to the internet, seeing as 70 services are affiliated with this program.

    I have no problem connecting to the internet and to my computer on the LAN without svchost.exe being able to connect whenever it wants. Just Windows Update demands to use that portal program. So I just have to check up on it regularly.

    An example of programs that perniciously phone home are Adobe and Google; just look at taskschd.msc and you might find that they phone home every hour, round the clock.

    So anyhow, why would the firewall reverse which host is remote and which is local? Any idea on this?