Detection Of Modified Applications - ESET PERSONAL FIREWALL User Manual

As the above list implies, you must create specific rules for handling communication within ESET Smart Security
itself (updates, connection to ESET Remote Administrator Server, etc.). For security purposes, these rules are not
predefined by ESET.
Please pay special attention to the svchost.exe process, as the rule configuration for this process depends on the
local configuration. The RPC and DHCP communications are specified by a predefined rule (incoming RPC is enabled
in Trusted zone), so you should focus primarily on the outgoing communication of svchost.exe. An ideal rule for the
svchost.exe process would look like this:
Requirement Direction
svchost.exe ven Out

3..1 Detection of modified applications

The Application modification detection option can be found In the Advanced Setup window under Personal
firewall. When enabled, ESET Smart Security initiates a cyclic redundancy check (CRC) for each monitored process.
If the process is changed, the user is notified and prompted to allow or deny communication (see the dialog below).
Select Deny to deactivate the corresponding rule and to deny the current communication. The behavior of this
feature can be adjusted by the Allow modification of signed (trusted) applications option. This option checks
the certificates of digitally-signed applications, which are typically found on Microsoft applications and operating
system components.
Local
Protocol Application
port
TCP svchost.exe
Remote port
update.microsoft.com,
443 download.microsoftupdates.com,
windowsupdate.microsoft.com
Remote address
13