Re: Active Ports
From: Duane Arnold (notme_at_notme.com)
Date: Fri, 20 Aug 2004 10:40:13 GMT
"Brian" <firstname.lastname@example.org> wrote in
> I found this useful freeware program that runs in the background and
> constantly monitors all running services. I was amazed to see that I
> have 35 services listening on different ports and one established
> connection (Messenger).
Well, is Messenger supposed to have a connection?
> Surely that means that a hacker has 35 opportunities to penetrate my
> PC. If the services are listening to all those ports it must mean that
> they are receptive to any incoming signals.
The only way a hacker for the most part is going to do that is if the
machine has been compromised by a Trojan that is listening on the port and
you see a remote connection. Yes, Sygate will allow the connection to the
remote IP, because something a (program) has solicited inbound traffic from
a remote site. Otherwise, Sygate should block all unsolicited inbound
traffic. A Trojan can piggyback off something like svchost.exe or other
programs like MSN and communicate out.
> The Sygate SPFP firewall is presumably designed to intercept
> non-standard code addressed to those services but can I be sure of
Unsolicited traffic YES but solicited traffic NO. And unsolicited traffic
can come in if the FW is somehow mis-configured.
> I have various other security programs installed but I'm not yet
> convinced that this firewall is doing a good job. In particular, the
> Traffic Log tells me that my PC is occasionally and spontaneously
> (even during screen saver periods) addressing remote locations that
> mean nothing to me when I trace them. Paranoia is setting in!
Once malware hits the machine and can execute, it's over and if you're
depending upon the highly overrated Application Control the (crutch) to
tell you what's happening with things on the computer and programs being
stopped or not stopped by Application Control, then you may want to think
You should look for yourself from time to time on a routine basis. You
should put a short-cut for Active Ports with screen Refresh rate set to
high and see what's making connection at the boot and login sequence, since
Sygate cannot get to the TCP/IP connection before the malware can to stop
You may want to use Process Explorer (free) to look at running processes
and you can look inside a running process to see what processes are using
You close down unneeded services that close down ports and *harden* the O/S
to attack. The buck stops at the O/S and everything else is secondary to
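The routine check described in the reply (look at what is listening, which process owns each port, and what is connected out, then compare with what you expect) can be scripted on a current Windows box. The script below is an added example, not something from the thread or from the Active Ports, Process Explorer or Sygate tools it mentions. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), and the baseline file path is a placeholder you pick yourself. Run it once with -SaveBaseline on a machine you trust, then run it again later: any listener that was not in the baseline is printed for you to look at.

```powershell
# Added example (not from the thread): list listening TCP ports with the owning
# process, compare them against a saved baseline, and show established
# connections with their owning process. Assumes Get-NetTCPConnection is
# available (Windows 8 / Server 2012 or later). $BaselinePath is a placeholder.
param(
    [string]$BaselinePath = "$env:USERPROFILE\listeners-baseline.csv",
    [switch]$SaveBaseline
)

# One row per listening socket: local endpoint, PID, process name and image path.
function Get-Listeners {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = ''
        if ($proc) { try { $path = $proc.Path } catch { $path = '' } }
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path         = $path
        }
    } | Sort-Object LocalPort, LocalAddress
}

# One row per established connection: remote endpoint and the process that holds it.
function Get-EstablishedConnections {
    Get-NetTCPConnection -State Established | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Pid     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        }
    } | Sort-Object Process, Remote
}

$current = Get-Listeners

# First run (or -SaveBaseline): record what a known-good machine looks like.
if ($SaveBaseline -or -not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath ($($current.Count) listeners)"
    $current | Format-Table -AutoSize
    return
}

# Later runs: key the baseline on port + process name, so both a brand-new port
# and a known port now owned by a different program show up as new.
$baseline = Import-Csv -Path $BaselinePath
$known = @{}
foreach ($b in $baseline) { $known["$($b.LocalPort)|$($b.Process)"] = $true }

$new = $current | Where-Object { -not $known.ContainsKey("$($_.LocalPort)|$($_.Process)") }
if ($new) {
    Write-Host "New listeners since baseline:" -ForegroundColor Yellow
    $new | Format-Table -AutoSize
} else {
    Write-Host "No new listeners since baseline."
}

# Established connections are what the firewall's Traffic Log reports; seeing the
# owning process next to the remote endpoint is what makes an entry explainable.
Write-Host "Established connections:"
Get-EstablishedConnections | Format-Table -AutoSize
```

Run it from an elevated prompt, otherwise the image path of services running as SYSTEM comes back empty and a listener owned by svchost.exe cannot be tied to a particular binary. Keeping the baseline keyed on port plus process name, rather than port alone, is what catches the case the reply warns about: a familiar port whose owner has changed.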