A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Windows XP Help and Support
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Unknown download activity in background - how to determine what it is?



 
 
Thread Tools Display Modes
  #31  
Old July 30th 07, 01:43 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.security.virus
John John
external usenet poster
 
Posts: 3,149
Default Unknown download activity in background - how to determine whatit is?

Straight Talk wrote:
On Sun, 29 Jul 2007 20:18:45 -0300, John John
wrote:


If you know how to internally stop the Sysinternal Help utilities from
calling home please post your findings here.



It's not the app itself "phoning home".


Yes it is. If you use the help utility it calls an Akamai server. I
know why it's doing it and I am not saying that it is necessarily good
or bad. The example was used to demonstrate that there *are* things
making outbound connections without users being aware. If the
applications that we think of as "tame" are doing it you can be sure
that other not so tame applications may also be doing it.


Clearing the
CodeBaseSearchPath key in the registry (Internet Settings) probably
does the job. But maybe it's not such a good idea after all.

Anyway, if you had taken the time to packet sniff the "phoning home"
instead of letting your PFW drive you paranoid, you would probably
have realized that it's no big deal and that this big scary MS thingy
isn't really spying on you.


Once again, I know what it is doing and I am not saying that anyone is
spying, that is not the point. The point is that Microsoft and many
others are consistently saying that monitoring outbound connection is a
useless firewall feature for *any* reason. I disagree with that. All
good firewalls have outbound connection monitoring available, the
Microsoft XP firewall doesn't. When users made mention of this, or if
they asked why it wasn't available, the response from Microsoft and its
fans was to embark on a campaign of discrediting all firewalls that do
outbound monitoring and to claim the feature as absolutely useless.
When that tactic failed they then decided that anyone who even suggests
that the firewall should do outbound monitoring should be immediately
clobbered, it may keep some people quiet but it won't keep me quiet.
Microsoft customers spoke and asked a valid question. Instead of
Microsoft saying something as simple as: "We have received requests for
this feature and are investigating the possibility of including it in a
future update", they decided that it was best to kill the messengers
and to proclaim their firewall as superior to all others.


I would also like to hear your advice and solutions as to port monitoring
and outbound traffic in general on Windows operating systems.



App's like CurrPorts and WireShark come to mind.


Brilliant. Give that to novice users. Instead of having the firewall
do what firewalls usually do have the users dig about and find utilities
on their own to do the job! And for your information you don't have to
go out of the Microsoft stable to find port monitoring tools.


Should users follow your advice and ignore all outbound traffic?



Users should think twice before installing all kinds of stuff. And
they should not let PFW's drive them paranoid. Problem is, neither the
PFW nor the user understands what's happening. I've seen users freak
out about app's "phoning home" to IP address 127.0.0.1


More BS. There are all kinds of computer users and computer users do
all kinds of things. Good firewalls know what is going on and most
seasoned users know what the loopback address is. The simple fact that
the extra ability to detect outbound connections can be a useful
firewall feature is something that guys like you are insisting on
denying. You are on a campaign to discredit this as a useful feature,
but you offer no simple, easy way or alternative for users to even have
basic outbound connection monitoring.



However, there won't be much inter netting without allowing outbound
traffic.


No there won't be. But that doesn't mean that everything installed on a
computer should be calling out and it doesn't mean that firewalls that
help identifying those "call home" utilities are bad, useless firewalls!
If that is the case then why would Microsoft include such a useless
feature in its newest flagship operating system? And then insist that
it is useless for XP users?

John

Ads
  #32  
Old July 30th 07, 03:45 PM posted to microsoft.public.windows.mediacenter,microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.security.virus
John John
external usenet poster
 
Posts: 3,149
Default Unknown download activity in background - how to determine whatit is?

Kerry Brown wrote:

"John John" wrote in message
...

Kerry Brown wrote:

You said that this: "Myth: Host-Based Firewalls Must Filter Outbound
Traffic to be Safe." was baloney.



I never said that and don't attribute things that I have not said to
me! Reread my post!

I quoted this from the article:

"Speaking of host firewalls, why is there so much noise about outbound
filtering? Think for a moment about how ordinary users would interact
with a piece of software that bugged them every time a program on
their computer wanted to communicate with the Internet..."

And I said that (quoted material) was baloney! A firewall monitoring
outbound connections will ask you if you want to permanently allow or
disallow the connection, you will not be "...bugged them every time a
program on their computer wanted to communicate with the Internet...".
That is false information in the article, and for some reason or other
and for sometime now Microsoft has been trying to discredit *all*
firewalls except its own. What is it that Microsoft is hiding? Why
are they so adamant that users not be aware of outgoing connections on
their computers?



That may have been what you intended to say but here is the the relevant
snippet from your post:

--------------------------------------
" and scroll down to:
Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe.


That article itself is baloney. It is true that any malware can
circumvent a firewall's outbound protection but it is also true that a
lot of malware is detected by firewall outbound monitoring. The
outbound monitoring also alerts you when otherwise legitimate software
is trying to call home. Perhaps you like it better when things like
Media player call home without your knowledge, a pesky annoyance that
you should be aware of things like that."
-----------------------------------------

It sure sounds to me like you are calling the whole article baloney.

I don't presume to speak for Microsoft but personally I'm not hiding
anything. Software firewalls are a useful part of a layered security
setup. They can't be relied upon to protect you from malicious outbound
traffic. Anybody who says they can and tries to sell this to you is
deceiving you. They are selling snake oil. Software firewalls became
popular because the current versions of Windows at the time didn't have
any firewall. When XP came out with a firewall the vendors realized that
they had to give people a reason to keep buying their product. This is
when they started pushing the outbound monitoring features. Software
firewalls can, and most do, give you a level of protection against
inbound attacks from unsolicited traffic. That is all they are good for
as a defense against malware. Even that can't be relied on if something
does get inside the security perimeter. Once your security has been
breached you can no longer trust anything running on the computer.
Monitoring outbound traffic does have it's uses. One is as you say to
stop legitimate programs from making outbound connections that you don't
want. I don't know why Microsoft didn't include outbound monitoring in
the XP firewall. Personally I don't care as I believe it to be of
limited use anyway. Outbound monitoring is included in the Vista
firewall and many other Microsoft products like ISA server.

This is obviously something I'm passionate about :-) Don't take it as
personal attack. Whenever I see a post espousing the usefulness of
software firewalls I am compelled to point out the fallacy of this
approach to security.


To tell you the truth, Kerry, when a published article from a supposedly
authoritative source contains even only one such blatant outright lie as
the one in the above mentioned article, it casts doubts on the whole
article, one cannot rely on anything said in the article because it is
extremely prejudiced and tarnished by some of the false information it
contains. Serious publishers, researchers or technical writers would
automatically correct the false information or pull such flawed
articles. You won't see companies like Intel publishing seriously
tarnished articles like the one above.

As for "espousing the usefulness of software firewalls", if they are so
useless why did Microsoft include one in XP SP2? I whole heartedly
agree with you that some firewall vendors are making exaggerated claims
in an attempt to sell their products and that some of the firewalls
offered by some companies are crappy products, Microsoft too at times
makes exaggerated claims to sell its products. But long before Windows
XP and Windows 2000 even came out, many users were using firewalls,
several *very* good, free personal firewalls were available and were
being used to protect computers from outside attacks.

Microsoft invented nothing new with its firewall. Companies like Kerio
and Sygate made good free firewalls long before Microsoft decided that
it could no longer ship its operating systems without basic firewall
protection, some companies still make good free firewalls. That there
are shoddy products out there is a fact, but outbound traffic detection
has *always* been one of the tasks that any good firewall does and there
is no reason to label all firewalls that do this as *useless* products
and there are even fewer reasons to label such a feature as a *useless*
feature. Firewalls do not only deal with malware, they deal with *all*
traffic, inbound and outbound, and with *all* applications. If the
firewall doesn't do outbound monitoring then novice users are left on
their own to try and detect these things, with outbound connection
monitoring even advanced experienced users are sometimes surprised to
find out that certain applications are trying to establish outbound
connections.

Sure, there are all kinds of malware that can circumvent this
monitoring, things like rootkits and what not can easily get around
firewalls. That is beside the point, firewalls are not and were never
meant to be used as virus or rootkit detectors, you need special tools
to detect and deal with those insidious pests. Anti virus software
cannot detect all or some of those pests and that is what they are
supposed to do. Should we tar all AV software as useless because they
can't detect rootkits? Strange that most persons would say no but that
they would then insist that firewalls that monitor outbound traffic are
devilishly bad because they can't detect those same rootkits or pests.

I understand that you are passionate on this subject and I don't take
your posts and comments as personal attacks. I hope that you don't take
mine as personal attacks against you or anyone else. I too am
passionate on the issue and I don't like it when good products are all
tarred at the same time with a wide brush. I am also passionate when I
read posts saying that outbound traffic monitoring is completely useless
or that it is completely unnecessary because users should not be
concerned about outbound traffic on their computers, the logic being
that only sloppy uninformed users have applications that call home, or
that you should not be concerned about legitimate applications that
might be calling home even if they have absolutely no valid reason to do
so. I am somewhat vindicated by the fact that Microsoft thought that
this feature was useful enough to be included it in its Vista firewall.

John

  #33  
Old July 30th 07, 04:42 PM posted to microsoft.public.windows.mediacenter,microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.security.virus
Gary S. Terhune
external usenet poster
 
Posts: 1,366
Default Unknown download activity in background - how to determine what it is?

Thank you. Strangely enough, when I tried Help on those two apps, the pages
all failed to load. Go figure.

--
Gary S. Terhune
MS-MVP Shell/User
www.grystmill.com

"John John" wrote in message
...
Preocess Explorer and Autoruns are two that do.

John

Gary S. Terhune wrote:

What "help menu"? Hey, I just asked a question and I really want to know
the answer. Which Sysinternal apps call home? I presume you know of at
least some, or you wouldn't have made that statement.



  #34  
Old July 30th 07, 05:16 PM posted to microsoft.public.windows.mediacenter,microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.security.virus
John John
external usenet poster
 
Posts: 3,149
Default Unknown download activity in background - how to determine whatit is?

The Autoruns 8.52 that I have here wants to connect to 207.46.197.16,
port 80 or 142.176.121.13, port 80 or others in these ranges. Same
kind of thing with the newer versions of Process Explorer.

John


Gary S. Terhune wrote:

Thank you. Strangely enough, when I tried Help on those two apps, the pages
all failed to load. Go figure.


  #35  
Old July 30th 07, 06:02 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.security.virus
John John
external usenet poster
 
Posts: 3,149
Default Unknown download activity in background - how to determine whatit is?

Straight Talk wrote:
On Mon, 30 Jul 2007 09:43:12 -0300, John John
wrote:


Straight Talk wrote:

On Sun, 29 Jul 2007 20:18:45 -0300, John John
wrote:



If you know how to internally stop the Sysinternal Help utilities from
calling home please post your findings here.


It's not the app itself "phoning home".


Yes it is.



No. It's windows.


You don't know what you are talking about, why don't you monitor one of
the apps and find out what is going on. It isn't Windows doing the
calling it's the application itself. Being that you are so smart and
that I know nothing you should at least do a few tests before you post
about things you pretend to know of.

John

  #36  
Old July 30th 07, 08:37 PM posted to microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.security.virus
John John
external usenet poster
 
Posts: 3,149
Default Unknown download activity in background - how to determine whatit is?

Straight Talk wrote:

On Mon, 30 Jul 2007 14:02:49 -0300, John John
wrote:


You don't know what you are talking about, why don't you monitor one of
the apps and find out what is going on.



That's what I did.


You did no such thing with the newer Sysinternal apps mentioned
elsewhere, if you had you would have seen that the utilities establish
outbound connections if you use the help files. Why and for what
reasons you now chose to post lies is something that only you know.
Being that you now insist on lying my discussion with you is over.

John


  #37  
Old August 2nd 07, 05:00 AM posted to microsoft.public.windows.mediacenter,microsoft.public.windowsxp.general,microsoft.public.windowsxp.help_and_support,microsoft.public.security.virus,alt.privacy.spyware
dc[_2_]
external usenet poster
 
Posts: 4
Default Unknown download activity in background - how to determine what it is?


"Andy Walker" wrote in message
...
dc wrote:

Andy,

What does the -b parameter do?


Here is the help description from netstat:

-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient

You can use an alternative method through the use of the -o switch.

-o Displays the owning process ID associated with each connection.

In order to determine the process name you can run task manger
(ctrl-alt-del), select view/select columns and add Process Identifier.
This will allow you to match the process ID output from the netstat
command with a process name.

I couldn't find it, and when I included it, I got the help legend.


Older versions of the netstat command did not include the -b switch.

After looking at the legend, I did this...
c:\netstat -na netstat.txt
Did you mean to use another pararmeter
and if so, what is the command


See the -o info above.

What is this for? c:\more netstat.txt


It is the "more" command used to read the file "netstat.txt" created
when you used the "" pipe command. Using more allows you to see the
entire file one page at a time. You could also use a text reader like
notepad or to stay in the DOS window try "edit netstat.txt".



Thank you Andy,
Appreciate your taking the time

dc


 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 10:11 AM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.