Firewall Allows Access For "svchost.exe" And "System"

I have 2 questions:

As per pic below, I have svchost.exe disabled in Firewall rules.

Under Application Access it shows that access was allowed.

Why would Firewall allow svchost.exe through if disabled under Rules?

I also have something called System that is allowed.

I cannot find what System is.

It doesn't show up in rules.

How can I block it?

Comments

  • AD1
    edited November 2022

    Might anyone know something about this?

    Something on my laptop called "System" seems to be allowed unrestricted internet access by BD Firewall.

    I don't know what process it is nor where it's stored.

    When I click on it, it has no extension, nor path.

    When I click on <View application rules>, I'm taken to the <Rules> page but nowhere specific on it.

    "System" is not listed anywhere on the Rules page.

    Under Firewall <Settings> page, I have <Alert mode> turned on. 

    I'd expect this mode to alert me to <any> process wanting internet access unless that process is set up with a rule allowing it. 

    Contrary to other processes the BD Firewall alerts me to when they want internet access, I get no alerts when <System> accesses the internet.

    Since I have no path showing for <System>, I have no way of knowing what that process is nor what it refers to.

    Google has not helped.

    Is it normal that <System> should have unrestricted access to the internet despite BD Firewall?

    Is it normal that BD Firewall not give me alerts each time that <System> accesses the internet when I have <Alerts> set to on?

    Background: I've just done a clean re-install of Windows using reset.

    That should have wiped everything on the drive and re-installed Windows per OEM.

    Anyone?

    thanks.

    *edited by admin at member's request.

  • Hello @AD1,

    Did you manually create the rule that blocks svchost, or was it created automatically?

    Is it set to block access on all ports, protocols, directions, etc or only some?

    In regards to <System>, that appears when the connection is made by a driver instead of a process. Access isn't unrestricted; it's granted or denied based on the details of the attempted connection (what protocol, what port, etc.).

    To elaborate on the svchost part, user-created rules should have priority over default rules. So if you indeed created a rule that is set to block everything, but something still works, we might need to investigate this in detail. We need to know what the setup is there, so I don't ask pointlessly 🙂

    Regards

    Premium Security & Bitdefender Endpoint Security Tools user
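    An added check, not from this thread or from Bitdefender, for anyone who wants to see what the "System" entry actually corresponds to: Windows attributes connections made from kernel mode (drivers) to the System process, PID 4, which has no image path, so listing the endpoints owned by that PID shows what the firewall is labelling "System". It assumes a Windows 8 / Server 2012 or later machine with the built-in NetTCPIP module and an elevated PowerShell prompt.

    ```powershell
    # Added example (not the thread's or Bitdefender's own code).
    # Kernel-mode network activity is owned by the System process, PID 4.
    $systemPid = 4

    # Confirm that PID 4 really is System; it has no executable path to show,
    # which is why a firewall cannot display one for it.
    Get-Process -Id $systemPid | Select-Object Id, ProcessName

    # TCP connections owned by the kernel. Typical entries are SMB/NetBIOS
    # (remote or local port 445 and 139), which are handled by drivers rather
    # than by a user-mode process.
    Get-NetTCPConnection -OwningProcess $systemPid -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
        Sort-Object State, RemoteAddress, RemotePort |
        Format-Table -AutoSize

    # UDP endpoints owned by the kernel (e.g. NetBIOS name service on 137/138).
    Get-NetUDPEndpoint -OwningProcess $systemPid -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort |
        Format-Table -AutoSize
    ```

    Because the entries are driver-originated, the remote address and port are the only useful handles for a rule, which is why an "apply to all applications" rule scoped to a specific IP or port is the precise way to constrain them.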

  • AD1
    edited November 2022

    >> Did you manually create the rule that blocks svchost, or was it created automatically?

    >> Is it set to block access on all ports, protocols, directions, etc or only some?

    I appreciate the reply.

    I created the rule for svchost. I based this on my understanding that its access to the internet is not a requirement for proper Windows functioning.

    But that is now moot. 

    I've since reset Windows and svchost is now showing as blocked and continues to be blocked.

    >> In regards to <System>, that appears when the connection is made by a driver, instead of a process. Access isn't unrestricted, it's granted or denied based on the details of the attempted connection (what protocol, what port, etc).

    As can be seen in the pic taken moments ago, <System> continues to have access.

    Irrespective of what it is, i.e. a process or a driver, is it possible to block it?

    Thanks,

  • <System> can only be blocked by rules that have the "apply to all applications" checkmark. As you can imagine, when doing this it is very likely to "affect" more things than you want. So, either you are very specific with what you want to block (ip, port), or you block absolutely everything. But first, the rules must be created that allow what you wish to allow, if that makes sense 🙂

    Premium Security & Bitdefender Endpoint Security Tools user

  • AD1
    edited November 2022

    >> <System> can only be blocked by rules that have the "apply to all applications" checkmark

    So I've now applied a new rule to deny access to all.

    >> As you can imagine, when doing this it is very likely to "affect" more things than you want. So, either you are very specific with what you want to block (ip, port), or you block absolutely everything. But first, the rules must be created that allow what you wish to allow, if that makes sense

    --

    It does.

    If I understand it correctly, the <deny all> rule has lower priority than the individual application rules that I have already set up.

    So those processes/applications that have received their own rule (allowing access) override the <deny all> and continue to have access.

    So far so good.

    For the moment, <System> continues to be blocked.


    Would I now expect that BD no longer give me alerts when a process or application attempts to connect as a result of the blanket <deny all> rule?

    Or will alerts still be generated?

    If no alerts are given, do I now need to be vigilant so as to create process/application specific <access rules> when the need arises? I.e., I will need to anticipate?

    PS: All of this because I can't figure out what <System> is nor why it's always getting internet access.

    Thanks,

  • Hi,

    >> If I understand it correctly, the <deny all> rule has lower priority than the individual application rules that I have already set up.

    >> So those processes/applications that have received their own rule (allowing access), over-ride the <deny all> and continue to have access.

    Not quite, it takes into account the order in which you created the rules. So, the first <deny all> rule will have a higher priority and will not reach the second allow rule.

    You will have to make the rule with allow port first and then the one with <deny all>. I think that since you have already created the allow rule first, it's behaving like this now.

    However, this setup is a bit fiddly to play with because if you wish to add something later on, you'll have to delete the rule with "deny all", allow what you want, and put the <deny all> rule again.

    Premium Security & Bitdefender Endpoint Security Tools user

  • AD1
    edited November 2022

    In that case, would you have any suggestions?

    To block outbound connections by default and then setting up rules is a tedious process.

    I have BDFirewall with Alert mode on.


    So I expect to receive an alert when a process or app attempts to connect to the internet.

    But something called <System> seemingly has unrestricted access and is often connecting to internet.


    I never get an alert regarding <System>.

    I can't determine what that process is as BDFirewall doesn't show a path for it.

    Without having a path for it I have no idea what it is nor where to find it.

    Nor does BDFirewall give me the option to allow or deny access for <System>.

    Why does <System> have unrestricted access?

    Could this be a BitDefender file?

    Doing a file search on <System> will yield many thousands of results.

    Is there something I've overlooked?

    thanks,

  • AD1
    edited December 2022

    Not having received a reply, I attempted to find a solution on my own. Either I would find one or I needed to find a different Firewall that allowed me to effectively control what could access the internet.

    I wanted to find a way to block access to something called System since:

    - it seemed to always be accessing the internet unimpeded and

    - I couldn't determine what it was since BDFirewall gave me no path for it. 

    So it could literally be anything, i.e. friend or foe.

    Compounded to that, Alert mode was switched on but I was getting no alerts. ??

    Attempting to address this ended up taking quite a bit of time. More time than it should have taken.

    In frustration, I disabled BDFirewall and installed a 3rd party firewall that easily allowed me control of outbound connections.

    When I had more time to read the BD user manual, I discovered a possible easy fix that allows controlling outbound connections.

    So far, it seems to work.

    Going to Firewall - Settings - Default Application Behavior, click on Edit default rules.

    There are 3 possible choices. The user manual describes the settings as follows:

    Automatic - apps access will be allowed or denied based on the automatic Firewall and user rules.

    So any process that a user doesn't set up a rule for is controlled by the automatic rules that Firewall uses.

    Allow - apps that don't have any Firewall rule defined will be automatically allowed.

    If an app should come asking Firewall for access and there is no automatic rule already set up by Firewall, it will be let through.

    Block - apps that don't have any Firewall rule defined will be automatically blocked.

    Any apps for which I don't have a rule as to either allow or deny will be automatically blocked. This included that pesky System process that I couldn't otherwise control.


    Using the Block function in Default Application Behavior is less tedious than setting up a deny all rule and then giving independent allow rules for processes that I want to allow.

    With the setting on Block, all processes except those that I explicitly allow access should be blocked.

    @Alexandru_BD, would this reasoning be correct?

    Thanks,

  • Hi,

    Your latest post sums it up quite nicely and yes, in my opinion the reasoning is correct. I know there's still an ongoing investigation for the Alert Mode that in some cases does not provide the alerts as expected.

    The user guide is a very good resource of helpful information indeed.

    Regards

    Premium Security & Bitdefender Endpoint Security Tools user