Avast and svchost.exe

[renegade04]

While i was watching at my firewall i saw that svchost.exe connects to internet.

Is this normal? And for what purpose is that?

While using other Av's, svchost.exe connect through out the net @ 255.255.xxx..

When i use Avast i see that svchost.exe connects to internet using IP address from ISP.

Is this normal for Avast?  And is this secure?

[DavidR]

It depends on what it was connection to as you don't say what, typically this is connecting to dns servers to retrieve an IP address for a given domain name.

The fact that when you use avast (which happens to be running all the time) doesn't mean it is responsible, there simply isn't enough detailed information from your firewall log.

What is your firewall ?

Hopefully someone else can pick up on this as it is almost 1:40am here and I'm calling it a night.

[lukor]

When i use Avast i see that svchost.exe connects to internet using IP address from ISP.

Hi, what's wrong on the fact that it is using the IP address from your ISP. Do you have any other IP address it might possibly use?

[renegade04]

When i use Avast i see that svchost.exe connects to internet using IP address from ISP.

Hi, what's wrong on the fact that it is using the IP address from your ISP. Do you have any other IP address it might possibly use?

Well probably is nothing wrong. Maybe this has to do something with the fact i have disabled NetBIOS over TCP/IP so probably my PC has to find some way to connect to internet.
 
Now it seems everything normal, but the last time (before i reinstaled  AV and FW , my FW was connecting to some strange ip address and when Avast was installed svchost.exe wasn't using the standard 255.xxx.xxx.

And this was case only with Avast only and not with other AV's that i have tried.

But now it seems everything is normal. I keep monitoring to see what happens.


But can somebody tell if it's normal svchost.exe to connects to internet and why?

Thanks.

[scythe944]

From the information that I gathered from this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;314056

it seems that the only service that svchost.exe provides internet access to would be w32time, browser, lanmanworkstation, and messenger.

Of course, browser should be local, lanmanworkstation should probably be local, messenger just listens unless you start a net send command, but w32time could be accessing the internet...

I don't know, it's too late to be thinking this much quite honestly.  I'm going to bed.

[lukor]

From the information that I gathered from this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;314056
it seems that the only service that svchost.exe provides internet access to would be w32time, browser, lanmanworkstation, and messenger.

And for example "DNS cache".

When sending data to the Internet I don't know about any method but using your IP address. Don't know what the OP means by "connect through out the net @ 255.255.xxx..". 255.255.255.255 is the broadcast address and is not routed outside your own network as far as I know.

Ok, the OP has a problem that previously he was used to see broadcasts sent by svchost, now he sees packets send from his own IP address, but what packet? To what peers? What protocols?

[scythe944]

Yeah, I guess my post only answered this question:

Is this normal? And for what purpose is that?

Shouldn't we let him try running the usual?

http://malwarebytes.com
http://superantispyware.com

Download those, make sure to update them, and run a quick scan (quick scan for malware bytes will find 99% of problems without a long wait).

If those don't work, then I'd suggest running "netstat -a -b" to see what port svchost.exe is using, and where it's going.

If that's not enough information, use a network scanner like ethereal.

However, I highly doubt that "Avast!" is the one making svchost make internet calls.  Unless of course Avast uses svchost to update it's definitions.

Is it that much to worry about though? As long as your system is clean by 3 different programs, SAS / MBAM / Avast then I would think if there was something accessing the net, it's probably legit.