A request from my system not seen before

Discussion in 'other firewalls' started by marcusa, May 11, 2004.

Thread Status:
Not open for further replies.
  1. marcusa

    marcusa Registered Member

    Feb 16, 2004
    Surrey UK
    Hey guys

    Thanks for all the help you have given in the past, I don't know if you have seen this one, but it was new to me

    My latest little thing from the Sygate Personal Firewall I use is

    crss.exe wanting to talk to IP

    This IP resolves to igmp.mcast.net

    I obviously blocked it and ran Spybot S&D to be on the safe side, all this taking me away from watching Gone in 60 Seconds :(

    I have that up to date and have SpywareGuard and SpywareBlaster on this machine, so was not worried about it just surprised when it asked, as I had just turned the machine on.

    Anyway there you go that's my surprise of the day
  2. Paranoid2000

    Paranoid2000 Registered Member

    May 2, 2004
    North West, United Kingdom
    Are you sure about the spelling? There is a process csrss.exe which is the Client Server Runtime SubSystem (one of the Default Processes in Windows 2000) but this should have no need for network access. There is also a trojan Gutta that uses a file with the same name (although Symantec's description seems to suggest that it should not need network access either). In either case, I would suggest blocking it and doing some further investigation.

    If the spelling is correct and the file is in the Windows System folder then I would be very suspicious (many malware programs try to use similar spelling to Windows' files) and would suggest a scan with your favoured anti-trojan utility.

    The address is reserved for IGMP membership reports (see RFC 3376 - Internet Group Management Protocol, Version 3 for more details) - IGMP itself is used for transmitting data to a group of other systems. To this extent, no conclusion can be drawn as to whether this traffic is legitimate or not - but unless you are using audio or video streaming software (the main use for IGMP), there is no need for your system to be using it in the first place.
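
The name-and-location check suggested in the reply above, as an added example that is not part of the thread: it flags image names that sit one edit away from a core Windows process name and known names running from outside the system folder. The process list, `classify`, its labels and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumed baseline: core Windows processes that normally live in <SystemRoot>\System32.
CORE_PROCESSES = ("csrss.exe", "smss.exe", "lsass.exe",
                  "services.exe", "winlogon.exe", "svchost.exe")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "scvhost" for "svchost".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(image_path, system_root=r"C:\Windows", max_distance=1):
    """Return (label, matched_core_name) for a process image path."""
    name = ntpath.basename(image_path).lower()
    folder = ntpath.normpath(ntpath.dirname(image_path)).lower()
    expected = ntpath.join(system_root, "System32").lower()
    if name in CORE_PROCESSES:
        # Right spelling: the remaining question is where the file lives.
        label = "expected" if folder == expected else "wrong-location"
        return (label, name)
    # Wrong spelling: suspicious in any folder if it imitates a core name.
    near = min(CORE_PROCESSES, key=lambda k: osa_distance(name, k))
    if osa_distance(name, near) <= max_distance:
        return ("lookalike", near)
    return ("unlisted", None)

if __name__ == "__main__":
    # Constructed sample paths (Windows 2000 uses C:\WINNT as its system root).
    samples = [r"C:\WINNT\system32\csrss.exe",
               r"C:\WINNT\system32\crss.exe",
               r"C:\WINNT\Temp\csrss.exe"]
    for path in samples:
        print(path, classify(path, system_root=r"C:\WINNT"))
```

A "lookalike" or "wrong-location" result is a reason to check the file further, not proof of malware.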