Help with Windows Firewall and VPN

kayanco
Posts: 739
Joined: Sat Jun 07, 2014 12:20 am

Help with Windows Firewall and VPN

Post by kayanco » Sat Dec 08, 2018 3:01 pm

Hi,

Can someone please help me with Windows Firewall?

I was looking for a basic firewall program for outbound blocking. The only feature I needed was a notification for any new outbound connection so I could choose to allow or block.

The free "Windows Firewall Control" (by binisoft) did what I needed. Except one problem that I need help with:

After initial setup, the "connection log" remains mostly empty (as expected), BUT when I'm connected to a VPN, it fills up rapidly with blocked outgoing connections for svchost.exe. Even though I have previously granted full access to svchost. The VPN connection itself works fine and I can connect to the internet, but the log keeps adding new entries every second and fills to 100s of lines. Screenshot:

Image

The expected behavior would be for me to get a notification to allow/block the outgoing connection, but I don't get any. Even if I manually allow svchost full access, these entries keep coming.

To troubleshoot, I tried another firewall program called "Simplewall". Here I don't see similar entries on its default setting, but I see them again if I enable "Dropped packets log". And they look like:

12/8/2018 9:37:27 AM,NT AUTHORITY\NETWORK SERVICE,C:\windows\system32\svchost.exe,192.168.X.X:53 (Remote),192.168.X.X:54108 (Local),udp,OpenVPN,#288909,OUT,BLOCK

Even with this firewall I don't get any new notification asking for access. And I have already granted full access to all VPN .exe files and svchost.exe (I basically said Yes to all initial notifications to allow everything). The internet/VPN works fine, but these numerous blocked attempts keep accumulating.

Sounds like it's something to do with "dropped packets" (and that these are not "normal" outgoing connection attempts).

Anyone familiar with this and can help figure out what's going on?

(Btw, I tried a third firewall called "Windows 10 Firewall Control" by sphinx software. Same phenomenon when on VPN. If I don't connect to VPN, I don't see the blocked connection entries)
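
Added example (not part of the original posts): a small Python parser for log lines in the layout of the dropped-packets entry quoted above, grouping outbound blocks by executable, protocol and remote port so a flood of entries collapses into a few rows. The column names, the sample lines and the browser path are assumptions constructed for illustration.

```python
import csv
import unicodedata
from collections import Counter

# Column names are assumptions inferred from the single log line in the post.
FIELDS = ("time", "user", "path", "remote", "local", "protocol",
          "filter_name", "filter_id", "direction", "action")

# Constructed sample (addresses, ports, ids and the browser path are made up).
# The first line carries invisible U+200E/U+200F marks that Windows date formatting can emit.
SAMPLE_LOG = "\n".join([
    "12/\u200e8/\u200e2018 \u200f\u200e9:37:27 AM,NT AUTHORITY\\NETWORK SERVICE,"
    "C:\\windows\\system32\\svchost.exe,192.168.1.1:53 (Remote),"
    "192.168.1.50:54108 (Local),udp,OpenVPN,#288909,OUT,BLOCK",
    "12/8/2018 9:37:28 AM,NT AUTHORITY\\NETWORK SERVICE,"
    "C:\\windows\\system32\\svchost.exe,192.168.1.1:53 (Remote),"
    "192.168.1.50:54109 (Local),udp,OpenVPN,#288909,OUT,BLOCK",
    "12/8/2018 9:37:29 AM,DESKTOP\\user,C:\\Program Files\\Browser\\browser.exe,"
    "192.168.1.1:53 (Remote),192.168.1.50:54200 (Local),udp,OpenVPN,#288909,OUT,BLOCK",
    "12/8/2018 9:37:30 AM,truncated line",
])

def strip_format_chars(text):
    """Drop Unicode format characters (category Cf) such as LRM/RLM marks."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def parse_endpoint(field):
    """'192.168.1.1:53 (Remote)' -> ('192.168.1.1', 53)."""
    host, _, port = field.split(" ")[0].rpartition(":")
    return host, int(port)

def parse_log(text):
    """Return one dict per well-formed line; lines with a wrong column count are skipped."""
    rows = []
    for rec in csv.reader(strip_format_chars(text).splitlines()):
        if len(rec) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, rec))
        row["remote"] = parse_endpoint(row["remote"])
        row["local"] = parse_endpoint(row["local"])
        rows.append(row)
    return rows

def summarize_blocks(rows):
    """Count outbound blocks per (executable, protocol, remote port, filter name)."""
    counts = Counter()
    for r in rows:
        if r["action"] == "BLOCK" and r["direction"] == "OUT":
            exe = r["path"].rsplit("\\", 1)[-1].lower()
            counts[(exe, r["protocol"], r["remote"][1], r["filter_name"])] += 1
    return counts.most_common()
```

A summary dominated by UDP port 53 rows means the blocked traffic is DNS lookups rather than arbitrary outbound connections.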

mrmass
Posts: 121
Joined: Thu Jul 26, 2018 6:35 pm

Re: Help with Windows Firewall and VPN

Post by mrmass » Sat Dec 08, 2018 6:13 pm

Wow, lots of processes. They are really apps/programs disguised as svchost.exe

This will turn into a rabbit hole but if you have time here's some reading about svchost.exe processes https://www.thewindowsclub.com/svchost- ... t-services

The link below is to install a program to view what's really running "disguised" as svchost.exe

https://archive.codeplex.com/?p=svchostviewer

Good luck

kayanco
Posts: 739
Joined: Sat Jun 07, 2014 12:20 am

Re: Help with Windows Firewall and VPN

Post by kayanco » Sat Dec 08, 2018 8:34 pm

Excellent program!!

I matched the Process ID for the svchost.exe (you'll notice that it's just one PID that's repeating), and it turns out to be "DNS Client service (dnscache)":

Image

Does the fact that this only happens when connected to a VPN give you any clue as to what's happening? If I turn off the VPN, the connection log remains empty, but once I turn it on, it starts filling.

mrmass
Posts: 121
Joined: Thu Jul 26, 2018 6:35 pm

Re: Help with Windows Firewall and VPN

Post by mrmass » Sun Dec 09, 2018 8:17 am

Perhaps the VPN service forces all your internet traffic out the VPN tunnel. That is, when you open a browser and type in bogleheads, all the flow goes out the VPN tunnel only. Your DHCP server is giving you a DNS server to look for (perhaps 8.8.8.8). It can't find it when you're on the VPN.

Also you can likely turn off the DNS Client service and still have internet access.

kayanco
Posts: 739
Joined: Sat Jun 07, 2014 12:20 am

Re: Help with Windows Firewall and VPN

Post by kayanco » Sun Dec 09, 2018 1:31 pm


If I manually disable the DNS Client service (dnscache), I don't see svchost.exe in the connection log, but now it gets filled with individual program block attempts (e.g. browser .exe).
