ntoskrnl blocked with spf pro

Discussion in 'other firewalls' started by Bfarber, Oct 1, 2002.

Thread Status:
Not open for further replies.
  1. Bfarber

    Bfarber Guest

    :doubt: I have spf pro and lately it keeps blocking my ntoskrnl.exe from broadcasting out ON SOME OCCASIONS. It allows outgoing with udp on ports 137 and 138 and then allows incoming responses, and then four or five minutes later I get a message that it was blocked outgoing with same protocol, same port (sometimes it will be blocked on both ports). SPF official forum has same question asked with no responses and I have checked everything, tried configing advanced rules to allow it, tried just blocking the app to get rid of the message and no matter what I do, I still get the message every few minutes. Beautiful firewall but I would like to fix this problem.

    Any suggestions?
     
  2. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Hi Bf !
    I blocked NTOSKRNL.EXE when using Sygate with no ill effects.

    Go here and search for ntoskrnl.exe....

    http://www.dslreports.com/information/siteguide

    Sorry, I couldn't get the link to work properly !

    regards,
    bill :)
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Are you sure this is a problem just with your firewall...what you are describing leads me to think your system has been compromised. May I ask if you have a current AT product or AV product running on your system?

    And could you tell me what OS you are running at this time?
     
  4. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  5. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Primrose,
    very good point !! :)
    thanks,
    bill
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    When taking into consideration DDOS and attacks going on now..I would also draw your attention to these links....


    THIS ONE IS NOT IN ENGLISH BUT IT CONCERNS ntoskrnl.exe


    udp/137 activity may be tied to scrsvr.exe malware
    Name: PE_Funlove.4099
    Type: Infector of Win32 archives
    Alias: W32/Funlove, W32/Flcss
    Size: 4,099 bytes
    This one is a virus that infects EXE, SCR, and archives OCX of 32 bits, in the local computer and if its PC is connected to a network, to any PC connected to that network, to which you have reading access. If Windows NT 4.0 with Service Pack 3 or 4 is being executed, the virus will change NTLDR and NTOSKRNL.EXE to give access without restrictions to all the users. Make sure to recover all the archives if one is infected by this virus.



    http://www.dslreports.com/forum/remark,4571484~root=security,1~mode=flat

    _______________________________

    Currently port 445 is a problem also see here:
    Microsoft Directory service
    I did not make a big deal on your port 445 but if you are interested about more of what is out there......
    http://www.dslreports.com/forum/remark,4307676~root=security,1~mode=flat


    _______________________

    And here is an old warning from Sygate.

    Sygate Security Alert

    Windows XP default install with TCP 445 open

    Description:

    TCP/UDP port 445 (used for filesharing and is opened by ntoskrnl.exe) is open by default on a freshly installed XP box. The attack is serious since it works remotely and can make the CPU usage 100% in less than 20 Seconds.

    Impact:

    Remote DOS attacks with SYN Flag. Make CPU usage 100%

    Sygate Recommendations:

    Sygate SSE and SPF Security Agents will block all ports and protocols exposed to the internet by ntoskrnl.exe. DOS attacks aimed at port 445 including SYN floods are denied with no adverse effect to Windows XP. Thanks to www.safehack.com for the disclosure of this serious exploit.
    http://soho.sygate.com/alerts/XP_default_TCP445_open.htm
     
  7. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Whenever I install a new firewall, the first rules I make are to block ports 135-139, TCP and UDP in and out.
    I have never come across anybody that said they needed to allow traffic on those ports.
    I don't know what's going on with SPF, but I would hope it blocked those ports by default and I don't understand why it would be allowing anything out, let alone in on those ports. I too would suspect foul play.
    I also think that anytime a firewall does something inconsistently, you have a problem. A rule is a rule is a rule.
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Primrose - thank you for those links. This ntoskrnl.exe thing is still driving me bats trying to figure it out.

    but i noticed something the other night when i was trying to understand my router's set up and how Sygate Personal Firewall talks with it (ooh confusing)...if i go through my Control Panel --->Network and Internet Connections --->Network Connections, and under the "Other Places", i click my mouse just once on the "My Network Places" (it is blank; i don't have my pc's networked together).....then if i check Sygate's log i see about 30 lines of outgoing, with Destination Port 137 and 138, Source Port 137 and 138 (all blocked) and from WINDOWS\System32\ntoskrnl.exe. The Source IP is my pc's...and the Destination IP is exactly the same except for the last 3 numbers (i'm thinking my pc is talking to my router and the router isn't answering back because Sygate is blocking the outgoing conversation)

    i just thought it strange that all it took was me clicking my mouse on those words in "My Network Places" to trigger all those outgoing lines in Sygate's log.

    sidenote: i did watch my router's log over this past week to see if i was getting any on port 137 from outside, but not a one.....odd?

    snap

    *oops...sorry Bfarber, i meant to add that Sygate was blocking ntoskrnl.exe every time that i could see...but i still put it on block with the red line going through it...just in case. ;)
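Two things in this thread lend themselves to a log-triage check: root's rule that ports 135-139 should be blocked TCP and UDP in both directions (with 445 added, since the Sygate alert ties it to ntoskrnl.exe), and snapdragin's observation that the blocked ntoskrnl.exe lines all went to an address on the same /24 as the PC. The script below is an added example written for this thread, not code from Sygate or from any poster. Its log format, the `192.168.1.0/24` local subnet, the sample lines and the process paths are all constructed assumptions; it separates LAN NetBIOS chatter (expected noise) from NetBIOS/SMB traffic aimed at non-local addresses, and lists any event on those ports that was not blocked, which is the inconsistency root says to treat as a problem.

```python
"""Triage personal-firewall log lines for NetBIOS/SMB traffic (hypothetical helper).

The log layout below is constructed for this example and is not Sygate's real format:
    date time direction proto src_ip:port dst_ip:port process action
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# root's rule covers 135-139; 445 is added because the quoted Sygate alert says
# ntoskrnl.exe opens it on Windows XP.
NETBIOS_SMB_PORTS = frozenset(range(135, 140)) | {445}

# Assumed local subnet: snapdragin saw a destination that differed from the PC's own
# address only in the last octet, i.e. the same /24. Adjust to your own network.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample log (not a real capture). The third line is deliberately ALLOWED
# so that the rule-consistency check has something to find.
SAMPLE_LOG = """\
2002-10-01 21:14:02 OUT UDP 192.168.1.100:137 192.168.1.255:137 C:\\WINDOWS\\System32\\ntoskrnl.exe BLOCKED
2002-10-01 21:14:02 OUT UDP 192.168.1.100:138 192.168.1.255:138 C:\\WINDOWS\\System32\\ntoskrnl.exe BLOCKED
2002-10-01 21:14:05 IN UDP 192.168.1.1:137 192.168.1.100:137 C:\\WINDOWS\\System32\\ntoskrnl.exe ALLOWED
2002-10-01 21:18:40 OUT UDP 192.168.1.100:137 203.0.113.7:137 C:\\WINDOWS\\System32\\ntoskrnl.exe BLOCKED
2002-10-01 21:18:41 OUT TCP 192.168.1.100:1045 203.0.113.7:445 C:\\WINDOWS\\System32\\ntoskrnl.exe BLOCKED
2002-10-01 21:19:00 OUT TCP 192.168.1.100:1046 198.51.100.20:80 C:\\Program Files\\Browser\\browser.exe ALLOWED
"""


@dataclass(frozen=True)
class Event:
    direction: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    process: str
    action: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line; the process path may contain spaces."""
    parts = line.split()
    if len(parts) < 8:
        raise ValueError(f"unparseable line: {line!r}")
    direction, proto, src, dst = parts[2:6]
    action = parts[-1]
    process = " ".join(parts[6:-1])
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(direction, proto, src_ip, int(src_port), dst_ip, int(dst_port), process, action)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def classify(event: Event, local_net=LOCAL_NET) -> str:
    """'other' for non-NetBIOS traffic; otherwise whether the peer is on the local subnet."""
    if event.dst_port not in NETBIOS_SMB_PORTS and event.src_port not in NETBIOS_SMB_PORTS:
        return "other"
    # The peer is the destination for outbound traffic and the source for inbound.
    peer = event.dst_ip if event.direction == "OUT" else event.src_ip
    if ipaddress.ip_address(peer) in local_net:
        return "local_netbios"      # LAN name resolution / browsing: noisy but expected
    return "external_netbios"       # NetBIOS/SMB toward the internet: should never pass


def rule_violations(events) -> list:
    """Events on 135-139/445 that were not blocked (root's 'a rule is a rule' check)."""
    return [e for e in events if classify(e) != "other" and e.action != "BLOCKED"]


def external_attempts(events) -> Counter:
    """Outbound NetBIOS/SMB toward non-local peers, counted per process."""
    return Counter(e.process for e in events
                   if e.direction == "OUT" and classify(e) == "external_netbios")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-category counts:", Counter(classify(e) for e in evs))
    print("rule violations   :", rule_violations(evs))
    print("external attempts :", external_attempts(evs))
```

Run against a real export you would swap in your own parser and subnet; the useful output is the last two lines. A non-empty `external_attempts` means a process is trying to speak NetBIOS/SMB to the internet, which is the case Primrose and root are worried about, while a non-empty `rule_violations` list means the firewall let something through on ports it was supposed to close.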
     