Re: ZA Free and Generic Host Processor
From: Duane Arnold (notme_at_notme.com)
Date: 09/30/05
- Next message: Mark: "Re: Firewall with MAC address ACL that is dynamic"
- Previous message: Joe Beasley: "Re: Cisco PIX and multiple VPN"
- In reply to: Wilf: "Re: ZA Free and Generic Host Processor"
- Next in thread: Wilf: "Re: ZA Free and Generic Host Processor"
- Reply: Wilf: "Re: ZA Free and Generic Host Processor"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Sep 2005 01:35:53 GMT
Wilf <wilf.wilf@wilf21.com> wrote in
news:dhhlfg$nim$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com:
> Duane Arnold said ...
>> You should find out what is trying to use the messenger (svchost.exe)
>> and determine if it is legit or not instead of killing the messenger.
>> Most likely, it is just another case of Application Control in a PFW
>> solution whining about nothing. :)
>>
> Fair enough although I feel more comfortable denying svchost (on
> behalf of whatever) the ability to wait for incoming connections.
The machine is sitting behind ZA and ZA is stopping all unsolicited
inbound traffic to the machine, unless you have opened some ports
manually on ZA by setting rules to open the port(s) to the public
Internet. If traffic is coming in on the ports without being solicited,
then the traffic is being stopped because it's not solicited traffic (a
program running on the machine didn't send outbound traffic to a remote
IP behind ZA).
So that means that svchost.exe is responding to inbound traffic that ZA
is letting through due to something running on your machine that made the
solicitation, and again, it was not svchost.exe (the messenger) that
wants to communicate. And you see, the problem you face is the
*whatever*, as you don't know what it is. It could be legit too. But all
you did was stop svchost.exe. What happened to the reason, or the
*whatever*? It didn't go anywhere. For all you know, *whatever* could
have used svchost.exe on its behalf at the computer boot and logon
process and be done before ZA can even start to get to the TCP/IP
connection during the boot and logon process and protect.
You should lay down the crutch and find out for yourself what's happening
and not depend upon the crutch *ZA* to tell you what is happening and
that everything is *okay dokey*; look for yourself with the proper tools
every now and then.
http://www.snapfiles.com/get/processexplorer.html
Long version
http://www.pcworld.com/downloads/file_description/0,fid,23780,RSS,RSS,00.asp
Short version
Long version
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
Short version
If the machine has a direct connection to the Internet -- no router -- in
front of it, then try to secure the NT based O/S a little bit as the buck
stops with the O/S and not ZA.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
Duane :)
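Added illustration, not part of the thread or of any participant's post: the first half models the distinction Duane draws above between solicited inbound traffic (a reply to a flow a local program opened), traffic allowed by a manual ZA port rule, and everything else, which a personal firewall drops. The second half does the "look for yourself" step: it parses the text of `netstat -ano` and `tasklist /svc` to map a listening port to its owning PID and, for svchost.exe, to the services that process hosts, which is the information a firewall prompt about "svchost.exe" does not give you. The `netstat` and `tasklist` output, the PIDs, ports and addresses are all constructed sample data, and the `StatefulFirewall` class is a simplified model of firewall behaviour, not ZoneAlarm's implementation.

```python
"""Solicited vs. unsolicited inbound traffic, and attributing a port to a
process/service from netstat and tasklist text.  All sample data below is
constructed for this example; the firewall class is a simplified model."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass
class StatefulFirewall:
    """Model of a personal firewall: a state table of outbound flows plus
    ports the user has manually opened to the Internet."""
    allowed_inbound_ports: frozenset = frozenset()
    state: set = field(default_factory=set)

    def outbound(self, proto, local_port, remote_ip, remote_port):
        # A local program sent traffic; remember the flow so the reply passes.
        self.state.add(Flow(proto, local_port, remote_ip, remote_port))

    def inbound(self, proto, local_port, remote_ip, remote_port):
        # Reply to a known flow -> solicited; manual rule -> allowed; else dropped.
        if Flow(proto, local_port, remote_ip, remote_port) in self.state:
            return "solicited"
        if local_port in self.allowed_inbound_ports:
            return "allowed-by-rule"
        return "dropped"


def demo_firewall():
    """Three inbound packets against a firewall with one manual rule (port 80)."""
    fw = StatefulFirewall(allowed_inbound_ports=frozenset({80}))
    fw.outbound("TCP", 1037, "203.0.113.10", 80)      # a browser fetched a page
    return (
        fw.inbound("TCP", 1037, "203.0.113.10", 80),   # the reply -> solicited
        fw.inbound("TCP", 135, "198.51.100.7", 4444),  # nobody asked -> dropped
        fw.inbound("TCP", 80, "198.51.100.7", 4444),   # manual rule -> allowed
    )


# Constructed sample output in the shape of `netstat -ano` and `tasklist /svc`.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:1037       203.0.113.10:80        ESTABLISHED     2140
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process                0 N/A
System                             4 N/A
svchost.exe                     1012 RpcSs
svchost.exe                     1180 Messenger, Alerter
iexplore.exe                    2140 N/A
"""


def parse_netstat(text):
    """Return {(proto, local_port): pid}; the PID is the last column and the
    port follows the last ':' of the local address (works for IPv6 too)."""
    owners = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue
        port = int(tokens[1].rsplit(":", 1)[1])
        owners[(tokens[0], port)] = int(tokens[-1])
    return owners


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}.  Header and separator lines have no
    numeric PID column and are skipped; wrapped service lists are not handled."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*?)\s*$", line)
        if not m:
            continue
        image, pid, svcs = m.groups()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(pid)] = (image, services)
    return procs


def who_listens(proto, port, netstat_text, tasklist_text):
    """Describe the process behind a local port, or None if nothing owns it."""
    pid = parse_netstat(netstat_text).get((proto, port))
    if pid is None:
        return None
    image, services = parse_tasklist_svc(tasklist_text).get(pid, ("<unknown>", []))
    return {"pid": pid, "image": image, "services": services}


if __name__ == "__main__":
    print(demo_firewall())
    print(who_listens("TCP", 135, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

On a real machine you would feed `who_listens` the captured output of the two commands instead of the constructed samples; the point is that a port owned by svchost.exe is only explained once you know which service that particular svchost instance hosts, and a firewall prompt that stops at the image name leaves the *whatever* Duane refers to unidentified.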