henrypp / simplewall

Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer.
GNU General Public License v3.0

svchost containment #516

Closed savchenko closed 3 years ago

savchenko commented 5 years ago

At present, mostly due to Windows Update, svchost.exe needs to have Internet access allowed. This leads to:

  1. Compromise of privacy (Microsoft tracking efforts)
  2. Compromise of security (with the sufficient effort malicious actors can piggyback onto it)

What are the options?

  1. Set system HTTP proxy and pray that svchost will honour the setting. Then filter on endpoint; ROS example:
    /ip proxy> access print 
    Flags: X - disabled 
    #   DST-PORT    DST-HOST                        ACTION
    0   80,443      mp.microsoft.com                allow 
    1   80,443      *.mp.microsoft.com              allow 
    2   80,443      wustat.windows.com              allow 
    3   80,443      ntservicepack.microsoft.com     allow 
    4   80,443      *.windowsupdate.com             allow 
    5   80,443      windowsupdate.com               allow 
    6   80,443      *.download.microsoft.com        allow 
    7   80,443      download.microsoft.com          allow 
    8   80,443      *.download.windowsupdate.com    allow 
    9   80,443      download.windowsupdate.com      allow 
    10   80,443      *.update.microsoft.com          allow 
    11   80,443      update.microsoft.com            allow 
    12               *                               deny  
  2. Block svchost entirely and use some kind of an offline update delivery.
  3. Whitelist svchost by IP or A record. The former is hard due to extensive CDN usage and the latter is not achievable by the Windows Firewall alone; a 3rd party needs to resolve endpoints to the IP ranges.

From the above, only №3 seems to be feasible unless https://github.com/henrypp/simplewall/issues/367 gets some traction. Which is, at present, unlikely to happen due to https://github.com/henrypp/simplewall/issues/88#issuecomment-345613787.

There is an MSDN article about the INetFwServiceRestriction interface, @henrypp do you think this is something that can be used to differentiate between svchost instances?

Otherwise, I was thinking that maybe with the cooperation of @crazy-max (WindowsSpyBlocker), @henrypp and community, the following solution can be made:

  1. WindowsSpyBlocker adds a routine à la "Limit svchost to WindowsUpdate"
  2. The above creates list of IP ranges from the referenced endpoints.
  3. svchost.exe is whitelisted to these ranges via the existing interface.
  4. As confirmed at https://github.com/henrypp/simplewall/issues/254#issuecomment-457551063 (and double-checked by yours truly), WinFW rules are applied first. Thus, in SimpleWall one can "allow all TCP to 80,443" and be done with it.

Thoughts?
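As an added example (not code from the thread or from simplewall), the following PowerShell implements steps 2 and 3 of the proposal above on the Windows Firewall side: it resolves the non-wildcard Windows Update endpoints from the proxy table to IPv4 addresses and scopes an outbound allow rule to svchost.exe only while it hosts the Windows Update service, using the `-Service` parameter of `New-NetFirewallRule`. The rule name is a placeholder, the script assumes an elevated session, and wildcard hosts are left out because DNS cannot resolve them (the CDN problem the post mentions).

```powershell
# Added example: per-service allow rule for svchost.exe (wuauserv only), not thread code.
$RuleName  = "allow_svchost_wuauserv"               # hypothetical rule name
$Svchost   = "$env:SystemRoot\System32\svchost.exe"
$Endpoints = @(                                     # non-wildcard hosts from the proxy table
    "mp.microsoft.com", "wustat.windows.com", "ntservicepack.microsoft.com",
    "windowsupdate.com", "download.microsoft.com", "download.windowsupdate.com",
    "update.microsoft.com"
)

# Resolve every endpoint to its A records; names that do not resolve are skipped with a warning.
$Addresses = foreach ($name in $Endpoints) {
    try {
        (Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
            Where-Object { $_.QueryType -eq "A" }).IPAddress
    } catch {
        Write-Warning "could not resolve $name"
    }
}
$Addresses = $Addresses | Sort-Object -Unique
if (-not $Addresses) {
    throw "no addresses resolved; refusing to write an allow rule with an empty scope"
}

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    # Re-run refreshes the address set, since CDN answers change frequently.
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Addresses
} else {
    # -Service restricts the rule to svchost.exe instances hosting wuauserv, not all of svchost.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
        -Program $Svchost -Service wuauserv -Protocol TCP -RemotePort 80,443 `
        -RemoteAddress $Addresses -Profile Any | Out-Null
}
Write-Output "$RuleName now allows wuauserv outbound to $($Addresses.Count) address(es)"
```

This allow rule only restricts anything when the profile's default outbound action is Block (`Set-NetFirewallProfile -DefaultOutboundAction Block`); Windows Firewall evaluates explicit block rules before allow rules, so a program-wide block rule on svchost.exe such as block_service_host would override it.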

cloudgreen commented 5 years ago

Sorry if this is a stupid question, but if one blocks svchost.exe, is there any other functionality that goes missing except Windows Update?

(Note: although in v3.x there is a separate "Allow" setting for Microsoft update servers under Blocklist, but you still have to allow svchost.exe for Windows Update to work.)

savchenko commented 5 years ago

> is there any other functionality that goes missing except Windows Update?

I would leave this to people familiar with NT systems.

> but you still have to allow svchost.exe for Windows Update to work

That's the crux of it.

For my personal usage, I see no adverse effects apart from dysfunctional updates. With svchost.exe allowed network access:

> Get-WindowsUpdate -Verbose
VERBOSE: PC (08/08/2019 21:04:51): Connecting to Microsoft Update server. Please wait...
VERBOSE: Found [0] Updates in pre search criteria
>

Not allowed:

> Get-WindowsUpdate -Verbose
VERBOSE: WIN (08/08/2019 21:05:26): Connecting to Microsoft Update server. Please wait...
>

savchenko commented 5 years ago

Hacked temporary solution, see paragraph №21 at https://github.com/stoptracking/windows10.

savchenko commented 5 years ago

Looking at https://www.binisoft.org/changelog.txt, Alexandru has managed to implement it in "Windows Firewall Control" which, AFAIK, also uses WFP.

If someone has an account at "Wilders Security", they might try asking him how. The creator of TinyWall seems to hang out in the same thread.

fcore117 commented 5 years ago

I have blocked everything and if I ever need an update then I temporarily allow the object that corresponds to the updateable component.

savchenko commented 5 years ago

@fcore117 , same here. Updates for example:

# Update Windows (Get-WindowsUpdate comes from the PSWindowsUpdate module)
function updatecmd {
    # Read only the Action value so the comparison is against "Block"/"Allow",
    # not against the stringified object that Select-Object -Property returns.
    $action = Get-NetFirewallRule -DisplayName block_service_host |
        Select-Object -ExpandProperty Action
    if ($action -eq "Block") {
        # Temporarily lift the svchost.exe block for the duration of the update.
        Set-NetFirewallRule -DisplayName block_service_host -Action Allow
    }
    try {
        Get-WindowsUpdate -Verbose -Install -AcceptAll
        Read-Host "Press Enter to continue..."
    }
    finally {
        # Re-apply the block even if the update step fails, so svchost is never left open.
        Set-NetFirewallRule -DisplayName block_service_host -Action Block
    }
}

# Re-launch elevated; assumes updatecmd is also defined in the elevated session's profile.
function sudo_updatecmd {
    Start-Process -FilePath powershell.exe -ArgumentList {updatecmd} -Verb RunAs
}

Set-Alias -Name update -Value sudo_updatecmd

savchenko commented 2 years ago

This seems to be resolved now. Running 10.0.19044 (21H2), svchost.exe can stay blocked while Windows is updated with only the "Windows update service" enabled.


The system has "Delivery optimisation" disabled via GPO. @henrypp , attaching the log of TCP ops: winupdate.CSV

Perhaps it's worth clarifying this point in the Simplewall docs?

voidray commented 2 years ago

@savchenko I still have to allow svchost.exe. Does this really work in your case with svchost.exe blocked?

savchenko commented 2 years ago

As far as I can tell. I can additionally include the svchost in the Procmon log if that is of any help.

savchenko commented 2 years ago

False alarm, the problem is back after the reboot.

VidarrKerr commented 3 months ago

> Sorry if this is a stupid question, but if one blocks svchost.exe, is there any other functionality that goes missing except Windows Update?

Yes, if you block it, many things will not be able to connect and fail. Like cloning a git repo in a terminal.

This is old, but has anyone come up with a solution for this?

Now, blocking svchost.exe and allowing when needed was OK, but it is getting really annoying, yet not annoying enough to wholesale allow svchost.exe.

There has to be a solution to this. Like, if svchost.exe is started by "example program" allow svchost.exe for "some amount of time". Or, always allow it if started by some app you know and trust.

It almost seems like svchost was designed this way to annoy people to the point that they just allow it, which basically grants access to anything, anytime, to do whatever it wants.