
windows management instrumentation - svchost scheduler blocked by clients



Hi,

Windows WMI instructions within the trusted zone are blocked by clients. I checked the "Allow incoming RPC communication in the Trusted zone" option and also tried manually adding the rules, but this is not feasible as there are hundreds of computers and each computer takes a random port for communication. Kindly advise.


  • Administrators

Please elaborate more on what you mean by WMI not working in the trusted zone. What exactly doesn't work? Does it work when you pause the firewall?


Hi Marcos,

The Windows Management Instrumentation service (svchost.exe) gets blocked at the client machine every time it executes the command over the network, on a random port. Attached are snapshots of the built-in rules and the manually created rules for svchost to allow communication. Please advise.

[Attachments 1.jpg to 4.jpg: screenshots of the built-in and manually created svchost firewall rules]


  • Administrators

Please proceed as follows:
- enable advanced network protocol logging under Tools -> Diagnostics -> Adv. logging
- reboot the machine
- reproduce the issue
- turn off advanced logging
- collect logs with ESET Log Collector

The logs should reveal what kind of communication is blocked and if it's caused by your firewall misconfiguration.

Does the issue occur after uninstalling ESET, installing it from scratch with default settings and without applying any policy?


Also, it appears that what has been created is a plain Win Task Manager scheduled task. WMI-based scheduled tasks are created as shown in this article: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--scheduled-tasks . Also: https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista

Just create an ESET firewall rule for the svchost.exe Schedule service without specifying a specific inbound port. Also, the remote IP address specification should be Trusted Zone only. Note there is a security vulnerability here: if an attacker can gain access to a local network device and create a scheduled task, he could gain access to the entire network, assuming the ESET firewall is duplicated on each endpoint device.

However, if this scheduler activity is truly WMI consumer event based, the ESET inbound firewall rule should specify the svchost.exe service winmgmt. Again, the remote IP address specification should be Trusted Zone. The real problem is that the Win firewall has default firewall rules to handle inbound WMI traffic, but they are not enabled by default: https://www.hammer-software.com/how-to-enable-wmi-through-the-windows-firewall-with-advanced-security-using-group-policy/ . This can also be done manually without using Group Policy. Note that the article shows enabling the rules for the Domain profile. You would have to enable the ones for the Private profile, assuming the Win firewall is using the Private profile.

Edited by itman
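The post above describes two fixes in words: enable the shipped Windows Firewall WMI rules for the Private profile, and write a rule keyed on the svchost.exe service instance rather than on a port. The script below is an added example written for this thread, not code from the original posts or from ESET. It assumes it is run elevated on a client where Windows Firewall is the active host firewall (an ESET firewall rule still has to be created in the ESET console if ESET is in front), that the rule group is the standard "Windows Management Instrumentation (WMI)" group Windows ships, and that LocalSubnet is an acceptable stand-in for the "Trusted Zone" scope the post recommends. The "random port" in the original question is the RPC dynamic range (49152-65535 by default): the endpoint mapper on TCP 135 hands the caller a dynamic port, so a rule that matches program + service with no -LocalPort is the stable way to allow it. The verification function is meant to be run from a management host on the same subnet; CLIENT01 is a placeholder name.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): Windows Firewall rules for inbound WMI/DCOM
# and the Task Scheduler service in svchost.exe, plus a remote check.
# Assumptions: Windows Firewall is the active firewall on the client; the WMI rule
# group carries its standard display name; LocalSubnet approximates "Trusted Zone".

function Enable-WmiInboundRules {
    <#  Run on the client. Enables the built-in WMI rules (WMI-In, DCOM-In, ASync-In)
        for the Private profile only and adds a service-scoped Task Scheduler rule. #>
    $wmiGroup = 'Windows Management Instrumentation (WMI)'

    # 1. Show what is shipped and which profile each copy applies to.
    Get-NetFirewallRule -DisplayGroup $wmiGroup -Direction Inbound |
        Select-Object DisplayName, Profile, Enabled |
        Format-Table -AutoSize

    # 2. The built-in set has separate Domain and Private/Public copies. Enable only
    #    the copies that cover Private, pin them to Private so they never apply on a
    #    Public network, and restrict the remote address to the local subnet.
    Get-NetFirewallRule -DisplayGroup $wmiGroup -Direction Inbound |
        Where-Object { "$($_.Profile)" -match 'Private|Any' } |
        Set-NetFirewallRule -Enabled True -Profile Private -RemoteAddress LocalSubnet

    # 3. Task Scheduler service inside svchost.exe (service name "Schedule"):
    #    match on program + service, no -LocalPort, so whichever dynamic RPC port
    #    the service binds is allowed, but only from the local subnet.
    #    Guarded so re-running the script does not create duplicate rules.
    $ruleName = 'Task Scheduler (RPC-In, local subnet)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound -Action Allow -Profile Private `
            -Program '%SystemRoot%\System32\svchost.exe' -Service Schedule `
            -Protocol TCP -RemoteAddress LocalSubnet | Out-Null
    }
}

function Test-WmiRemote {
    <#  Run from a management host on the same subnet. Checks the endpoint mapper,
        then opens a DCOM CIM session, which exercises the 135 -> dynamic-port hop
        that a port-based rule cannot cover, then queries the scheduler over RPC. #>
    param([string]$Target = 'CLIENT01')   # placeholder hostname

    $epm = Test-NetConnection -ComputerName $Target -Port 135
    "Endpoint mapper (TCP 135) reachable on ${Target}: $($epm.TcpTestSucceeded)"

    # DCOM, not WinRM, so the WMI (winmgmt) firewall rules are what gets tested.
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $Target -SessionOption $opt
    try {
        Get-CimInstance -ClassName Win32_OperatingSystem -CimSession $session |
            Select-Object CSName, LastBootUpTime
    } finally {
        Remove-CimSession $session
    }

    # Scheduler RPC path (the "Schedule" service rule): lists tasks on the target.
    schtasks.exe /Query /S $Target /FO LIST
}

# Usage:
#   On each client:           Enable-WmiInboundRules
#   From a management host:   Test-WmiRemote -Target 'CLIENT01'
```

If the DCOM session fails while TCP 135 succeeds, the endpoint mapper is reachable but the dynamic port is not, which is exactly the symptom the thread describes and points at a port-based rule on whichever firewall is in front. The built-in "Remote Scheduled Tasks Management" group can be enabled the same way as the WMI group in step 2 instead of writing the custom rule in step 3.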

I am having the exact same issue as Ricky Martin.

Regardless of the rules I create and the ports I specify (or don't), there is no change in status: the client blocks svchost.exe every time it tries to execute a WMI scheduled task (a reboot, for example, in this case).

It's especially frustrating, as it has been fairly easy to make exceptions/rules for 3rd-party programs to communicate, but something so core to the function of Windows seems to be blocked by default?

