Is this normal?

This is a picture from my ZA security log and it has more than 80 “intrusions” in just a few days. (They are not real.)

I can’t say how they calculate it, but when I was using ZA I had thousands of intrusions in one month. It was shown in blocked intrusions since install.

Yes, but they are counting svchost.exe (Generic Host Process) as an intrusion, and I don’t know why ZA is blocking it from accepting connections from the internet. I haven’t allowed server access, only internet access, for Generic Host Process.

Neron
It’s normal. In the Main Tab of that same window, you can change the settings.
This will determine how extensive your log file will be.
Remember, it’s not how many items get blocked that really counts.
Only the ones that get through can hurt you.
So far, ZA hasn’t let me down. :slight_smile:

I mean… I think ZA shouldn’t block it, and that’s why I’m asking. :slight_smile:

I’m using Kerio, so your screen shots don’t mean a lot to me, but you should block incoming connections to Generic Host Process for sure. Try Shields Up! Is ZA returning pings? If the door is not invisible, you will get people knocking on it.

Frank, are you sure? I mean, should I block incoming connections to Generic Host Process?

That’s what I want to know too :stuck_out_tongue:

I have never allowed inbound connections to svchost.exe since I was advised to do so. Outbound at port 80 should be allowed at least when updating Windows, though.

When I took Kerio to Shields Up! the first time, the firewall failed because I allowed connections in to some system applications like Generic Host Process. I deleted the rules and tried again but this time blocked inbound connections and the firewall passed. I now have all inbound connections blocked, including ‘all other applications’. The one exception is MSN Messenger which sometimes needs to accept incoming connections during file transfers.

I’ve never had a problem with Generic Host Process blocked from receiving connections.

I would feel very unsafe with any application set to allow incoming connections: they can be from anybody after all: Mr Evil Hacker can knock on the door if he can see it and come in if it’s open.

http://donaldbroatch.users.btopenworld.com/kerionetwork.jpg

Almost the same configuration here, strange coincidence… ;D

I have also denied “Internet In”. Certainly Generic Host. Allowing it server rights is a security risk.

Kerio gets the time update from the time server to local port 123 UDP because it uses stateful packet inspection for UDP (Kerio 4.2.2 and a few earlier ones do that too).
So even though it is blocked, that stateful thing allows it to happen :wink:
Sygate firewall needs an advanced rule for svchost.exe for that, but not Kerio.
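To make the stateful-inspection point concrete, here is a small added model (example code written for this thread, not Kerio's, ZoneAlarm's or Sygate's implementation). It shows why an inbound-blocked svchost.exe still receives its NTP reply on local port 123: the outbound request creates a flow entry, the reply matches it and is let through, and any inbound datagram with no matching entry is logged as blocked. The addresses, the 30-second state lifetime and the scenario timings are all constructed for the example.

```python
"""Toy stateful UDP firewall: models why a blocked-inbound rule still lets an NTP
reply reach svchost.exe on local port 123. Constructed example; it is not
Kerio's, ZoneAlarm's or Sygate's code, and the addresses below are made up
(192.0.2.0/24 and 198.51.100.0/24 are documentation ranges)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    direction: str      # "out" (host -> internet) or "in" (internet -> host)
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


class StatefulUdpFirewall:
    """Inbound UDP is dropped unless a recent outbound datagram created a
    matching state entry; an unsolicited inbound datagram is logged as blocked."""

    def __init__(self, allowed_remote_ports, state_ttl=30.0):
        self.allowed_remote_ports = set(allowed_remote_ports)  # e.g. {123} for NTP
        self.state = {}        # flow key -> expiry timestamp (seconds)
        self.ttl = state_ttl   # assumed lifetime of a UDP flow entry
        self.log = []          # (verdict, datagram) pairs, like a firewall log

    @staticmethod
    def _flow(d):
        # Same key for a request and its reply: the flow is described from the
        # host's point of view regardless of direction.
        return (d.local_ip, d.local_port, d.remote_ip, d.remote_port)

    def _expire(self, now):
        self.state = {k: exp for k, exp in self.state.items() if exp > now}

    def filter(self, d, now):
        """Return 'allow' or 'block' for datagram d seen at time now (seconds)."""
        self._expire(now)
        key = self._flow(d)
        if d.direction == "out":
            if d.remote_port in self.allowed_remote_ports:
                self.state[key] = now + self.ttl   # remember the flow for replies
                verdict = "allow"
            else:
                verdict = "block"
        elif key in self.state:
            verdict = "allow"      # reply to something we sent: stateful match
        else:
            verdict = "block"      # unsolicited inbound: no rule, no state
        self.log.append((verdict, d))
        return verdict

    def blocked_count(self):
        """What a 'blocked intrusions' counter would show for this log."""
        return sum(1 for v, _ in self.log if v == "block")


def ntp_scenario():
    """Run the situation discussed in the thread and return the verdicts."""
    fw = StatefulUdpFirewall(allowed_remote_ports={123}, state_ttl=30.0)
    host, ntp, stranger = "192.0.2.10", "192.0.2.1", "198.51.100.7"

    request = Datagram("out", host, 123, ntp, 123)       # svchost.exe asks the time
    reply = Datagram("in", host, 123, ntp, 123)          # server answers
    unsolicited = Datagram("in", host, 123, stranger, 123)  # nobody asked this host
    late_reply = Datagram("in", host, 123, ntp, 123)     # arrives after the entry expired

    results = {
        "request": fw.filter(request, now=0.0),
        "reply": fw.filter(reply, now=0.2),
        "unsolicited": fw.filter(unsolicited, now=1.0),
        "late_reply": fw.filter(late_reply, now=60.0),
    }
    results["blocked"] = fw.blocked_count()
    return results


if __name__ == "__main__":
    for name, verdict in ntp_scenario().items():
        print(f"{name}: {verdict}")
```

The `blocked_count()` figure is the same kind of number the first post is worried about: two of the four datagrams are blocked, and neither block indicates that anything got in. Only an "allow" on an inbound datagram with no matching flow would be a real problem, and the model never produces one.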

My Kerio setup is very tight. From Network/Predefined I allow only the default ICMP ping rules. I use those instead of the BZ ICMP rules, because Kerio seems to have them tighter inbound.
Today, thanks to sded, I got the one last missing rule from Blitzen Zeus’s ruleset that I thought could not be implemented with KPF 4:
http://www.broadbandreports.com/forum/remark,14826751

Oh, yes. Strictly speaking, instead of using the trusted column, I made traditional loopback rules for svchost.exe. Also, I allow svchost.exe UDP in/outbound local/remote port 123 connections to connect to Windows time servers, which are listed in IP Groups. Out of habit, I tend to use packet filter rules mainly. I don’t use pre-defined sets at all.

In any case, inbound port 80 for svchost.exe is weird, I think.