Stop Intrusions - Firewall Rules
<blockquote data-quote="Victor M" data-source="post: 1079885" data-attributes="member: 96560"><p>Hi Everyone,</p><p></p><p>Hackers often manipulate or exploit Windows system programs and services, like SVCHOST, TASKHOSTW, File EXPLORER and RUNTIMEBROKER. They can do it because Windows Firewall defaults to allow all Outbound traffic, and some of these do send out and receive returning traffic. In short, these 4 programs accept traffic, and a hacker can manipulate the IP address header to slip through.</p><p></p><p>In my Xcitium EDR Alerts, I can see SVCHOST and File Explorer invoking PowerShell, and TASKHOSTW trying to manipulate the Registry. These invocations are malicious.</p><p></p><p>My first solution was to use Xcitium's HIDS to block PowerShell from starting until I need to use it, then I would disable that block rule and re-enable it when finished. However, that does not stop the malicious registry modifications. In short, the ways that these 4 programs can be used by hackers are infinite; invoking PowerShell and changing the registry are only 2 variants.</p><p></p><p>Now I have come up with a better solution. That is to make Firewall Incoming Block Rules to block traffic to these 4 programs. Windows can do without these 4 programs talking to the Internet.</p><p></p><p>So, open File Manager and search for all instances of SVCHOST, TASKHOSTW, EXPLORER and RUNTIMEBROKER. There are many instances of these 4 programs scattered throughout Windows sub-folders. Right click on each item found by the search and choose 'Copy as Path', and paste it into the Inbound section of the Firewall Rule creation wizard, and make a Block rule. It is a laborious exercise and takes time to make all the rules. But you will stop the majority of hacking attempts.</p></blockquote>
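The manual steps in the post (search every copy of the four binaries, copy each path, create one inbound Block rule per path) can be scripted with the built-in NetSecurity cmdlets. This is an added example, not Victor M's own code and not anything from Xcitium; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, and the rule group name is my own label so the whole set can be listed or removed together.

```powershell
# Added example: create one inbound Block rule per copy of the four executables
# named in the post, tagged with a rule group for review and rollback.
# Assumptions (not from the post): elevated session; the group name is arbitrary.
#Requires -RunAsAdministrator

$Group = 'Inbound block - system binaries (manual)'
$Names = 'svchost.exe', 'taskhostw.exe', 'explorer.exe', 'RuntimeBroker.exe'

# Same search the post performs by hand in File Explorer: every instance under
# the Windows directory, including the SysWOW64 and WinSxS copies.
$paths = Get-ChildItem -Path $env:SystemRoot -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# Paths that already have a rule in this group are skipped, so the script can be
# re-run after a Windows update drops new copies of the binaries.
$existing = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program)

foreach ($p in $paths) {
    if ($existing -contains $p) { continue }
    New-NetFirewallRule -DisplayName "Block inbound: $p" `
                        -Group $Group `
                        -Direction Inbound `
                        -Action Block `
                        -Program $p `
                        -Profile Any `
                        -Enabled True | Out-Null
}

# Review the result: one row per blocked program path.
Get-NetFirewallRule -Group $Group | Get-NetFirewallApplicationFilter | Select-Object Program
```

Because every rule carries the same `-Group` value, the entire set can be audited with `Get-NetFirewallRule -Group $Group` and removed in one step with `Remove-NetFirewallRule -Group $Group`, which is the rollback path to keep at hand while checking whether anything on the machine depended on inbound traffic to one of these binaries.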