Just downloaded the trial of Port Explorer and have a quick question. (Forgive me if the answer's in the documentation somewhere - I've only just glossed over it at this stage). The question relates to displaying use of hidden sockets (displayed as Red): I wonder given the displays quick refresh rate whether a trojan or other process could use a hidden socket to do it's thing and close down without you noticing. Surely this could happen. How long does the warning (red text) remain on screen and is there any audible alrm or some other notification to tell you when such an event happens ? I don't really see reading through the logs at the end of each session as a practical option. How do others manage this situation? Thanks for help.
Hi It'sme, Port Explorer catches all the events which are logged, the refresh rate for the GUI can be set from 1 to 30 seconds. The "show dead sockest" can be set for 1 to 10 seconds. I do not believe that a sound alert would help much as the event will have happened anyway but having said that I suppose having the PE icon flashing if you have a hidden socket opening might be OK as long as it is a switchable function. Remeber any iconised program that connects to the net will show as a hidden socket whilst it is an icon in the sys tray and therefore it's connection events will be shown in red, your email clint is a classic example. Have it open and you get a blue entry in your windows log have it iconised and it will be red HTH Pilli
Thanks Pilli, Don't know if I fully understand what you mean by 'iconised program'. I have have Outlook Express in my Quick Launch bar (vs Systray) and when I launch it, it didn't see it Red on the displays. Some form of notification (a flashing PE Icon would do it) to let you know there had been a potential breach of security would be nice - that would act as a trigger to go to the logs and investigate the circumstances and take whatever action is appropriate. Just my thoughts at this stage without a lot of PE experience under my belt.
If you minimise OE it does not place an Icon in the sys tray but sits on the Task bar. Outllok proper does minimise to the sys tray (also known as the Notification area) as do many other programs, TDS3, PE, Kav etc. Mail Washer is a good example , if set to collect emails servers every so often PE will show it blue if it is open and red when it is minimised to the sys tray.
PE isn't a resident security monitoring tool though - it's an analysis tool for manual human use. For example, you probably have an anti-virus, a firewall etc which keep an eye on things as they happen, and alert you in realtime if anything out of the ordinary happens, such as a virus attempting to execute or an inbound packet that doesn't match any firewall rules. Port Explorer isn't that type of program - it doesn't alert you in realtime, because not many people use it for that type of analysis (it wasn't designed for that). PE is for human analysis - if you ever suspect something suspicious or you simply want to see what's happening with your ports, sockets and the data going through them, then that's where PE comes in. The red-highlighted hidden sockets is just a visual indicator for the human who's using it to analyse what PE shows, but it shouldn't cause alarm (many legit apps use sockets and don't have any visible interface) - it's just something to be aware of, because the majority of remote access trojans will also show up as red. Best regards, Wayne
By setting the "show dead sockets" to 10 seconds, any "quick" sockets which are created, do something, then destroyed, should be seen for a longer time. I guess it is possible that something could do that within the refresh interval of Port Explorer (which is 1 second at the best setting). I think it would have to be a really small operation, a really fast connection and the timing would need to be exact for Port Explorer to miss it still. The logfile (window + file log) should also display ALL actual socket operations (it isn't refresh interval based), so going over what is shown there will also be helpful.
Thanks all for your response and advice - it's given me a jump start. It certainly appears a very useful tool to help understand what's going in and out of your machine. I like the utilities included that allow analysis and follow-up of what you see happening - such as Whois etc. makes the product more of a fully integrated toolkit. Looking forward to using it.
