Re: Active Ports

From: Duane Arnold (
Date: 08/20/04

Date: Fri, 20 Aug 2004 10:40:13 GMT

"Brian" <> wrote in

> I found this useful freeware program that runs in the background and
> constantly monitors all running services. I was amazed to see that I
> have 35 services listening on different ports and one established
> connection (Messenger).

Well, is Messenger supposed to have a connection?

> Surely that means that a hacker has 35 opportunities to penetrate my
> PC. If the services are listening to all those ports it must mean that
> they are receptive to any incoming signals.

The only way a hacker for the most part is going to do that is if the
machine has been compromised by a Trojan that is listening on the port and
you see a remote connection. Yes, Sygate will allow the connection to the
remote IP, because something (a program) has solicited inbound traffic from
a remote site. Otherwise, Sygate should block all unsolicited inbound
traffic. A Trojan can piggyback off something like svchost.exe or other
programs like MSN and communicate out.

> The Sygate SPFP firewall is presumably designed to intercept
> non-standard code addressed to those services but can I be sure of
> that?

Unsolicited traffic YES but solicited traffic NO. And unsolicited traffic
can come in if the FW is somehow mis-configured.

> I have various other security programs installed but I'm not yet
> convinced that this firewall is doing a good job. In particular, the
> Traffic Log tells me that my PC is occasionally and spontaneously
> (even during screen saver periods) addressing remote locations that
> mean nothing to me when I trace them. Paranoia is setting in!

Once malware hits the machine and can execute, it's over, and if you're
depending upon the highly overrated Application Control (the crutch) to
tell you what's happening with things on the computer and programs being
stopped or not stopped by Application Control, then you may want to think

You should look for yourself from time to time on a routine basis. You
should put a short-cut for Active Ports with screen Refresh rate set to
high and see what's making connection at the boot and login sequence, since
Sygate cannot get to the TCP/IP connection before the malware can to stop

You may want to use Process Explorer (free) to look at running processes
and you can look inside a running process to see what processes are using

You close down unneeded services that close down ports and *harden* the O/S
to attack. The buck stops at the O/S and everything else is secondary to

Duane :)
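
The routine check described in the post above (see what is listening, what has an established connection, and which process owns it), as an added example that is not part of the original post: it parses the text of Windows `netstat -ano` and separates sockets bound beyond loopback from live TCP connections. The sample output, addresses and PIDs are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (not from the original post).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1863      203.0.113.25:1863      ESTABLISHED     2212
  UDP    0.0.0.0:1900           *:*                                    1104
"""

def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")  # last colon, so [v6]:port works
    return host.strip("[]"), port

def parse_netstat(text):
    """One dict per TCP/UDP row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        rows.append({"proto": f[0], "local": split_endpoint(f[1]),
                     "remote": split_endpoint(f[2]),
                     "state": f[3] if len(f) == 5 else "", "pid": int(f[-1])})
    return rows

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # unparsable address: treat as reachable
        return False

def reachable_listeners(rows):
    """Map PID -> sorted (proto, port) sockets bound to a non-loopback address."""
    out = defaultdict(list)
    for r in rows:
        waiting = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if waiting and not is_loopback(r["local"][0]):
            out[r["pid"]].append((r["proto"], int(r["local"][1])))
    return {pid: sorted(socks) for pid, socks in out.items()}

def established(rows):
    """(pid, remote_host, remote_port) for each live TCP connection."""
    return [(r["pid"], r["remote"][0], int(r["remote"][1]))
            for r in rows if r["state"] == "ESTABLISHED"]
```

Each PID returned can then be matched to a process name in Process Explorer; a listener bound only to 127.0.0.1 is left out because it is not reachable from other machines.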
