Old 09-23-2014, 22:33
Kerlingen
VIP
 
Join Date: Feb 2011
Posts: 338
Firewall leak problem

I'm having a problem with a program that is able to bypass my firewall without asking for permission first. Well, the program itself is not the problem, but the fact that probably any malware could do it the same way.

First some basics:
The program comes as x86 and x64 version.
The program can be installed, but also runs as "portable" software.
The program does not need admin privileges to run or to bypass the firewall.
Every version is able to connect via HTTP on port 80 to a web server located on the internet.

Now the story:
I was running the program and used "check for updates" from the help menu. It told me "you're running the latest version". I was confused, since my firewall didn't pop up and ask me if I wish to allow internet access to the program.

Then I started my network monitor and did the update check again. I could clearly see a connection to port 80, HTTP protocol, requesting "/update.php" and a response from the server with the current version number.

Then I fired up my connection monitor, tried again and found out that the connection is made by the file "svchost.exe". I thought of some trojan using the same name, but it turned out that the real Windows service was the one which initiated the connection.

Since "svchost.exe" acts as a proxy for many different services, I checked the process ID which had initiated the connection and ended up at "ProfSvc", the User Profile Service.

Since this is an essential Windows service which you cannot turn off and which you cannot deny network access to without crippling your system, I'm now stuck.

Does anybody know how you can access the internet with the help from this service and how to prevent it?

Like I said before, legitimate software is using this way to check for updates; it's not a Trojan horse or something like that.
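The diagnostic step described in the post (connection -> owning PID -> which service inside that svchost.exe) can be reproduced from PowerShell. The script below is an added example, not code from the original post; it assumes a Windows 8 / Server 2012 or later host where the NetTCPIP module is available, and the port filter (80) is just a placeholder for whatever destination your network monitor showed.

```powershell
# Added example (not from the original post): map each established outbound TCP
# connection on a given remote port to its owning process and, when that process
# is svchost.exe, to the Windows service(s) hosted inside it.
param(
    [int]$RemotePort = 80   # assumption: the port seen in the network monitor
)

# 1. Established connections to the port of interest, with the owning PID.
$conns = Get-NetTCPConnection -State Established -RemotePort $RemotePort -ErrorAction SilentlyContinue

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue

    # 2. Resolve the PID to service names via the service control manager's view.
    #    A generic svchost.exe may host several services; all of them are listed.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
        Select-Object -ExpandProperty Name

    # 3. Emit one row per connection so the output can be piped to Format-Table/Export-Csv.
    [pscustomobject]@{
        Local    = "$($c.LocalAddress):$($c.LocalPort)"
        Remote   = "$($c.RemoteAddress):$($c.RemotePort)"
        PID      = $c.OwningProcess
        Process  = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Services = ($services -join ', ')
    }
}
```

Run it while the update check is in progress, since the connection is short-lived; the classic equivalent is `netstat -ano` followed by `tasklist /svc /fi "PID eq <pid>"`. Note that when a PID maps to more than one service in a shared svchost.exe, this method alone cannot tell which of them opened the socket; it only narrows the candidate set.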