Re: Zone Alarm and winlogin.exe

From: Gianluca Manzo (gianluca.manzo@one.it)
Date: 12/31/01


Date: 31 Dec 2001 17:57:59 -0000
From: Gianluca Manzo <gianluca.manzo@one.it>
To: focus-ms@securityfocus.com



Did you mean WINLOGON.EXE?
I have the same config (Win2K server and
ZoneAlarm) but no winlogin.exe at all!
When I first installed ZA, I also had the same question
about \??\c:\winnt\system32\winLOGON.exe (don't
worry about \??\c:\winnt..., sometimes API calls to
the new LogicalDisk Subsystem of Win2k may report
this kind of answer: try to open System Monitor after
enabling Logical Disk counters and see... ;-) and I
decided to deny WINLOGON.exe access to the Internet
(both directions, incoming and outgoing) and since
that day I work fine. But you have to manage a Web
Server, I don't know which type of authentication you
use, so you have to check if this setting (DENY ALL)
is correct for you.
Bye!

                  Gianluca



> Anyone seen this before? In the last month one of the
> sites I manage had an intrusion that forced us to take
> our server offline. After putting Zone Alarm on the
> Win2K server to see if it caught anything rogue trying
> to access the Internet, I found the following alert:
>
> Do you want to allow
> \??\C:\WINNT\system32\winlogin.exe to access the
> Internet?
>
> Since the path to winlogin.exe began with an unknown
> character (\??\) I found this to be suspicious.
>
> A.
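
An added example, not part of either poster's message: a Python check a responder could run over image paths taken from firewall alerts. It strips the `\??\` prefix (the NT object-manager form of a drive-letter path) before comparing, then flags file names that sit within two character edits of a known system binary. The allow-list, the system directory and the distance threshold are assumptions chosen for illustration.

```python
import ntpath

# Assumption: a small allow-list of binaries expected in system32 on Win2K.
KNOWN_SYSTEM_IMAGES = {"winlogon.exe", "services.exe", "lsass.exe",
                       "svchost.exe", "csrss.exe", "smss.exe"}
# NT object-manager prefix and the Win32 long-path prefix.
NT_PREFIXES = ("\\??\\", "\\\\?\\")


def normalize_nt_path(path):
    """Drop a leading NT/Win32 prefix and lower-case the path for comparison."""
    for prefix in NT_PREFIXES:
        if path.startswith(prefix):
            path = path[len(prefix):]
            break
    return ntpath.normcase(ntpath.normpath(path))


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_image(path, system_dir="c:\\winnt\\system32", max_distance=2):
    """Return (verdict, matched_name) for an image path from an alert.

    verdict is 'known', 'misplaced' (right name, wrong directory),
    'lookalike' (near-miss of a known name) or 'unknown'.
    """
    directory, name = ntpath.split(normalize_nt_path(path))
    if name in KNOWN_SYSTEM_IMAGES:
        return ("known" if directory == system_dir else "misplaced", name)
    for known in sorted(KNOWN_SYSTEM_IMAGES):
        if edit_distance(name, known) <= max_distance:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    # The two paths quoted in the thread, plus one constructed path.
    for p in ("\\??\\C:\\WINNT\\system32\\winlogin.exe",
              "\\??\\c:\\winnt\\system32\\winLOGON.exe",
              "C:\\temp\\winlogon.exe"):
        print(p, "->", classify_image(p))
```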

