Firewall Q: Many inbound requests to SVChost.exe (XP)

NIS is intercepting a lot of remote requests to access SVCHost.exe, from a variety of IP addresses.

I have a vague idea this has something to do with the blaster worm.

So far, I’ve been blocking future requests from individual IPs, but it’s a pain in the ass.

This isn’t my computer, and its owner tends to panic when confronted with a dialogue box that they’re not familiar with. (Beyond that, the “Recommended” action is to allow access.)

I have only the most marginal understanding of the way SVChost.exe works, and that understanding doesn’t extend so far as knowing why letting remote systems at it might be a good thing. Still, I know that accidentally blocking its privileges to get a line out has caused people some grief.

Can I tell Norton to deny all inbound requests for SVCHost.exe without creating problems?

This probably wouldn’t be a good idea and isn’t likely to protect your PC from the Blaster worm. The Blaster worm works by contacting the RPC service on port 135 and gaining access to run privileged commands remotely. Set the firewall to block port 135 and you will be protected. Also keep current on XP updates.

Can anyone illustrate a specific circumstance in which allowing remote access to this service would be a good thing?

To clarify, I’m not concerned about being infected with the blaster worm – The update has been installed, and I’ve confirmed that the update was successful, since many have reported that Windows Update has gone through the motions and reported success without actually fixing the problem.

I just want to prevent the firewall from popping up an alert every two minutes in the future.

I have two easy options-- Set the rules so that all requests are denied, or so that all requests are accepted. I can see a potential for difficulty with either of those.

Alternately, if there is a single known circumstance where allowing remote access to this service is crucial, I can say, “Accept requests from this IP range, and bugger the rest.”

Could it be those spam messenger things?

Hijack:

I have firewalls on each of my computers so I know a general warning isn’t much to be worried about, but I’ve had 17,000 ‘intrusions’ blocked in THREE DAYS! What is going on?

Absolutely deny all inbound connection requests, unless you are on an internal (business) network (and connections are local), or know what they are. Unless you are a server of some sort, you will never need to allow someone to establish a connection to you; you should always initiate the connection.

svchost:
win2000
winxp

It provides things like printer and drive sharing, remote registry services, SNMP, RPC, etc. Stuff used for networking machines in a business environment, not the average home environment.

First svchost vulnerability I found From Microsoft

Even if you are patched against this vuln, what about the next? Firewalls help a lot against the unknown and I highly recommend them.

Basically, like an unexpected attachment in your inbox, if you were not expecting an incoming connection, deny it.

cyberhwk, check out W32/Sobig.f@MM and lovsan/MSblast

JESUS H. F-ING CHRIST…

We buy TWO computers from Dell. The FIRST THING we do when we get them is install a virus scan and a firewall. Having not had the computers for a combined 4 days we ALREADY HAVE VIRUSES!!!

Oh…and thanks Etherman. :wink: