Author Topic: Is this normal>  (Read 8179 times)


Neron

  • Guest
Is this normal>
« on: November 19, 2005, 09:47:19 PM »
This is a picture from my ZA security log and it has more than 80 "intrusions" in just a few days. (They are not real.)
« Last Edit: November 19, 2005, 09:52:51 PM by Neron »

Offline YLAP

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2118
Re: Is this normal>
« Reply #1 on: November 19, 2005, 09:55:39 PM »
I can't say how they calculate it, but when I was using ZA I had thousands of intrusions in one month. It was shown in blocked intrusions since install.

Neron

  • Guest
Re: Is this normal>
« Reply #2 on: November 19, 2005, 10:01:31 PM »
Yes, but they are counting svchost.exe (Generic Host Process) as an intrusion and I don't know why ZA is blocking it from accepting connections from the internet. I haven't allowed only server internet for Generic Host Process.
« Last Edit: November 19, 2005, 10:03:43 PM by Neron »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48524
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Is this normal>
« Reply #3 on: November 19, 2005, 10:04:33 PM »
Neron
It's normal. In the Main Tab of that same window, you can change the settings.
This will determine how extensive your log file will be.
Remember, it's not how many items that get blocked that really count.
Only the ones that get thru can hurt you.
So far, ZA hasn't let me down. :)

Neron

  • Guest
Re: Is this normal>
« Reply #4 on: November 19, 2005, 10:06:44 PM »
I mean ...I think ZA shouldn't block it and that's why I'm asking. ::)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Is this normal>
« Reply #5 on: November 19, 2005, 10:30:11 PM »
I'm using Kerio, so your screen shots don't mean a lot to me, but you should block incoming connections to Generic Host Process for sure. Try Shields Up! Is ZA returning pings? If the door is not invisible, you will get people knocking on it.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Is this normal>
« Reply #6 on: November 19, 2005, 10:48:54 PM »
Frank, are you sure? I mean, should block incoming connections to Generic Host Process?
The best things in life are free.

Neron

  • Guest
Re: Is this normal>
« Reply #7 on: November 20, 2005, 12:53:15 AM »
That's what I want to know too :P

Umath

  • Guest
Re: Is this normal>
« Reply #8 on: November 20, 2005, 07:24:05 AM »
I have never allowed inbound connection to svchost.exe since I was advised to do so.  Outbound at port 80 should be allowed at least when updating Windows, though.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Is this normal>
« Reply #9 on: November 20, 2005, 09:31:10 AM »
When I took Kerio to Shields Up! the first time, the firewall failed because I allowed connections in to some system applications like Generic Host Process. I deleted the rules and tried again but this time blocked inbound connections and the firewall passed. I now have all inbound connections blocked, including 'all other applications'. The one exception is MSN Messenger which sometimes needs to accept incoming connections during file transfers.

I've never had a problem with Generic Host Process blocked from receiving connections.

I would feel very unsafe with any application set to allow incoming connections: they can be from anybody after all: Mr Evil Hacker can knock on the door if he can see it and come in if it's open.



Offline YLAP

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2118
Re: Is this normal>
« Reply #10 on: November 20, 2005, 09:49:06 AM »
Almost the same configuration here, strange coincidence...  ;D

Jarmo P

  • Guest
Re: Is this normal>
« Reply #11 on: November 20, 2005, 10:10:16 AM »
I have also denied "Internet In". Certainly Generic Host. Allowing it server right is a security risk.

Kerio gets time update from time server to local port 123 UDP cause it uses stateful packet inspection for UDP (Kerio 4.2.2 and a few earlier ones too do that).
So even though it is blocked, that stateful thing allows it to happen ;)
Sygate firewall needs an advanced rule to svchost.exe for that, but not Kerio.

My Kerio setup is very tight. From Network/Predefined's I allow only default ICMP ping rules. I use those instead of BZ ICMP rules, cause Kerio seems to have them tighter inbound.
Today thanks to sded, I got the one last missing rule from Blitzen Zeus's ruleset that I thought could not be implemented with KPF 4:
http://www.broadbandreports.com/forum/remark,14826751
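
Added example, not part of the original posts and not Kerio's code: a toy model of the stateful UDP handling described in Reply #11, where inbound traffic is denied by rule yet the time server's reply to local port 123 still passes because it matches a flow the host opened. The class and function names, the documentation-range addresses and the 30-second idle timeout are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = sent by the local host, "in" = arriving from the network
    local_port: int
    remote_ip: str
    remote_port: int

class StatefulUdpFilter:
    """Policy: every inbound UDP datagram is denied unless it answers a tracked outbound flow."""

    def __init__(self, idle_timeout=30.0):   # timeout value is an assumption
        self.idle_timeout = idle_timeout
        self.flows = {}                       # (local_port, remote_ip, remote_port) -> last seen

    def decide(self, pkt, now):
        # Drop flow entries that have been idle longer than the timeout.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        key = (pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            self.flows[key] = now             # remember who we talked to
            return "allow"
        if key in self.flows:                 # reply from the exact peer and port we contacted
            self.flows[key] = now
            return "allow"
        return "deny"                         # unsolicited inbound: the block rule applies

def run_demo():
    """Constructed traffic: one NTP query followed by four inbound datagrams."""
    fw = StatefulUdpFilter()
    events = [
        (0.0,  Packet("out", 123, "192.0.2.10", 123)),    # time query leaves the host
        (0.1,  Packet("in",  123, "192.0.2.10", 123)),    # time server's reply
        (0.2,  Packet("in",  123, "198.51.100.7", 123)),  # different sender, same local port
        (0.3,  Packet("in",  135, "192.0.2.10", 123)),    # same sender, different local port
        (60.0, Packet("in",  123, "192.0.2.10", 123)),    # late datagram after the flow expired
    ]
    return [fw.decide(pkt, t) for t, pkt in events]

if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Only the second datagram is accepted inbound; the block rule still applies to every sender or port the host did not contact first, and to the original peer once the flow entry has aged out.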

Umath

  • Guest
Re: Is this normal>
« Reply #12 on: November 20, 2005, 12:51:11 PM »
I have also denied "Internet In". Certainly Generic Host. Allowing it server right is a security risk.

Kerio gets time update from time server to local port 123 UDP cause it uses stateful packet inspection for UDP (Kerio 4.2.2 and a few earlier ones too do that).
So even though it is blocked, that stateful thing allows it to happen ;)
Sygate firewall needs an advanced rule to svchost.exe for that, but not Kerio.

My Kerio setup is very tight. From Network/Predefined's I allow only default ICMP ping rules. I use those instead of BZ ICMP rules, cause Kerio seems to have them tighter inbound.

Oh, yes.  Strictly speaking, instead of using the trusted column, I made traditional loopback rules for svchost.exe.  Also, I allow svchost.exe UDP in/outbound local/remote port 123 connections to connect Windows time servers, which are listed in IP Groups.  Out of habit, I tend to use packet filter rules mainly.  I don't use pre-defined sets at all.

In any case, inbound port 80 for svchost.exe is weird, I think.