Ricky Martin

windows management instrumentation - svhost scheduler blocked by clients


Hi,

Windows WMI instructions within the Trusted zone are blocked by clients. I checked "Allow incoming RPC communication in the Trusted zone" and also tried manually adding the rules, but this is not feasible as there are hundreds of computers and each computer takes a random port for communication. Kindly advise.


Please elaborate more on what you mean by WMI not working in the trusted zone. What exactly doesn't work? Does it work when you pause the firewall?


Hi Marcos,

The Windows Management Instrumentation service (svchost.exe) gets blocked at the client machine every time it executes the command over the network, on a random port. Attached are snapshots of the built-in rules and the manually created rules for svchost to allow communication. Please advise.

[Attachments: 1.jpg, 2.jpg, 3.jpg, 4.jpg]


Please carry on as follows:
- enable advanced network protocol logging under Tools -> Diagnostics -> Adv. logging
- reboot the machine
- reproduce the issue
- turn off advanced logging
- collect logs with ESET Log Collector.

The logs should reveal what kind of communication is blocked and whether it's caused by a misconfiguration of your firewall.

Does the issue occur after uninstalling ESET, installing it from scratch with default settings and without applying any policy?


Also, it appears that what has been created is a plain Win Task Manager scheduled task. WMI-based scheduled tasks are created as shown in this article: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--scheduled-tasks . Also: https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista

Just create an Eset firewall rule for the svchost.exe Schedule service without specifying a specific inbound port. Also, the remote IP address specification should be Trusted Zone only. Note there is a security vulnerability here: if an attacker can gain access to a local network device and create a scheduled task, he could gain access to the entire network, assuming the Eset firewall is duplicated on each endpoint device.

However, if this scheduler activity is truly WMI consumer event based, the Eset inbound firewall rule should specify the svchost.exe service winmgmt. Again, the remote IP address specification should be Trusted Zone. The real problem is that the Win firewall has default firewall rules to handle inbound WMI traffic, but they are not enabled by default: https://www.hammer-software.com/how-to-enable-wmi-through-the-windows-firewall-with-advanced-security-using-group-policy/ . This can also be done manually without Group Policy. Note that the article shows enabling the rules for the Domain profile; you would have to enable the ones for the Private profile, assuming the Win firewall is using the Private profile.

Edited by itman
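The post above describes enabling the built-in Windows Firewall WMI rules for the Private profile and scoping them to the trusted network. The following PowerShell is an added example illustrating that procedure; it is not code from the thread or from ESET. It assumes it is run elevated on the client that blocks svchost.exe, and that $Peer (here 'CLIENT02') is a hypothetical machine on the same subnet used to verify the result. It uses LocalSubnet as the closest Windows Firewall equivalent of the ESET "Trusted zone", and it deliberately tests over DCOM, because Get-CimInstance alone would default to WinRM and never exercise the RPC dynamic-port path that the thread is about.

```powershell
# Added example: enable the built-in inbound WMI rules for the Private
# profile only, scope them to the local subnet, then verify DCOM-based WMI
# toward a peer.  Not from the thread or from ESET.  Assumptions: run as
# Administrator on the blocking client; $Peer is a hypothetical host name.
#Requires -RunAsAdministrator
param(
    [string]$Peer = 'CLIENT02'   # assumed peer on the same subnet; replace
)

$Group = 'Windows Management Instrumentation (WMI)'

# The built-in rules come as a Domain-profile copy and a Private/Public copy.
# Select the inbound ones that apply to Private (Profile reads e.g. "Private, Public").
$rules = Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -ErrorAction Stop |
         Where-Object { $_.Profile -match 'Private' }

if (-not $rules) { throw "No inbound rules found in group '$Group'" }

foreach ($r in $rules) {
    # Pin the rule to Private only (so Public stays closed), allow only peers on
    # the local subnet, and enable it.  The built-in rules already use the
    # 'RPC' / 'RPC-EPMap' port keywords, so no fixed port number is needed for
    # the dynamic RPC port that svchost.exe picks per connection.
    $r | Set-NetFirewallRule -Profile Private -RemoteAddress LocalSubnet -Enabled True
}

# Show what is now active: rule, profile, local port keyword and remote scope.
Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize

# Verify toward the peer: the RPC endpoint mapper (135/tcp) must answer first,
# then a DCOM CIM session exercises the dynamic RPC port on the peer.
$epm = Test-NetConnection -ComputerName $Peer -Port 135 -WarningAction SilentlyContinue
"Endpoint mapper 135/tcp on ${Peer}: " + $(if ($epm.TcpTestSucceeded) { 'open' } else { 'blocked' })

$opt = New-CimSessionOption -Protocol Dcom
try {
    $s  = New-CimSession -ComputerName $Peer -SessionOption $opt -ErrorAction Stop
    $os = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
    "DCOM WMI to ${Peer} OK: " + $os.Caption + ' (last boot ' + $os.LastBootUpTime + ')'
    Remove-CimSession $s
} catch {
    "DCOM WMI to ${Peer} failed: " + $_.Exception.Message
}
```

Run it on both machines, then run the verification part from each side. If 135/tcp is open but the DCOM session fails, the endpoint mapper reached the peer and the dynamic RPC port is what is being dropped, which points at a third-party firewall layer (such as the ESET rule set) rather than the Windows Firewall rules just enabled.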


I am having the exact same issue as Ricky Martin.

Regardless of the rules I create and the ports I specify (or don't), there is no change in status: the client blocks svchost.exe every time it tries to execute a WMI scheduled task (a reboot, for example, in this case).

It's especially frustrating, as it has been fairly easy to make exceptions/rules for 3rd-party programs to communicate, but something so core to the function of Windows seems to be blocked by default?


Hi Marcos,

Sorry for the late response! We've had public holidays, so I couldn't check the above suggestion; I will check and keep you updated!

Thank you
