Understanding L&S

Hello,

I have purchased L&S and I use it but i would very much like to understand what it does!

As a software developer I know a good deal about windows API in general but very little about internet connection in general.
(I am embarrased to say!)

I hate Norton. To me it is cumbersome bloatware. I hate applications that do all kinds of things without telling me what is going on or even asking for my permission. On this new laptop, first order of business was to REMOVE Norton.

So now I am left with Windows firewall right?
What, if any, protection does that give me?

Then I installed L&S. Now i can see that things like SVCHOST are wanting to connect and a few other executables that i am not sure what they are.
How do I determine which of these are genuine M$ items and which are spyware etc?

Now L&S is operating.
I roam around and connect to wi-fi networks all over the place. different cities every week. I assume L&S will allert me if the owner of the network trys to surf my hard drive?

As I work I get a constant stream of:

UDP: Any Other UDP - Port Destination 1900 Src: 1120

Alerts.
what does this mean?

How do I decode the cryptic log?

When I look in the appplication filtering I see several things I do not recognize:
LASS.EXE - LSA Shell
MQSVC.EXE - Message Queuing Service
MCRDSVC.EXE - MCRD Device Service
ALG.EXE - Application Layer Gateway
SVCHOST.EXE - Generic Host Process.

What are all these?

I recognise SVCHOST but then if I were a virus/spyware developer I would call my .exe something similar to that. How do i know what is genuine and can be trusted?

Finally,
Are all my ports shut by default with L&S?

Many thx

 

HI expialidocious

Good...

Don't be embarassed with this: informatic is now very complex compare to the 70's period. Everybodies are specialized in limited fields from assembler + driver to Php + HTML + Css for web site developpers...

Excellent decision indeed ! :-D

1- About processes in Windows: you have to know that every process is generated by services or applications.

You may access the services like this: start | run | services.msc or add this .msc in a personalised console with mmc.exe...

For the startup programs you may used msconfig but this tool is too much limited.

For processes used this: Process Explorer
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Nota Bene:
There is an option in P.E. to check if processes are genuine or from malwares;
allow P.E. to connect remote port 80 (http) to this MS site:

(crl.microsoft.com =131.107.115.28 )

(Same used by Sigverif utility in system32...)

For startup programs and services:
Starter's Code Stuff:
http://codestuff.mirrorz.com/

Autoruns
http://www.sysinternals.com/Utilities/Autoruns.html

For services and drivers(watch out with this!)

ServiWin
http://www.nirsoft.net/utils/serviwin.html

To have a better knowledge of services check this site :
The Elder GeeK:
http://www.theeldergeek.com/services_guide.htm

To know which process is what:
http://www.liutilities.com/products/wintaskspro/processlibrary/

About malwares:
http://www.castlecops.com/

Now you have good tools and reliable references web sites...

2-
LASS.EXE - LSA Shell !!! This is LSASS
process generated by mandatories 5ervices... check with Process explorer

MQSVC.EXE - Message Queuing Service
Hum... mat be a useless process : check your services configuration...

MCRDSVC.EXE - MCRD Device Service
? don't know: Google is your friend! ;-)

ALG.EXE - Application Layer Gateway
Application Layer Gateway: used by the XP firewall...
Did you still need it ? I Guess no... check your services (Elder Geek site...)

SVCHOST.EXE - Generic Host Process.
Okay.
The Heinz company have 57 varieties and svchost 8... ;-)

The 8 varieties of SVCHOST (SP2):

C:\WINDOWS\System32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k DCOMLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k usnsvc

Mandatories
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs

usefull but leave it in manual mode in services.
Started when needed...
C:\WINDOWS\system32\svchost -k HTTPFilter


C:\WINDOWS\system32\svchost -k LocalService
from Local Network like WebClient etc.
Not needed on a standalone PC

C:\WINDOWS\system32\svchost -k Network Service
Network stuff such as Client DNS : useless.

C:\WINDOWS\System32\svchost.exe -k imgsvc
Windows image acquisition(WIA)
for scanner , digital camera etc.

C:\WINDOWS\system32\svchost.exe -k usnsvc
comes with the new version of Messenger

3-

For Internet Protocols and Ports check those informations in Wikipedia:
search for internet protocols , icmp, udp, tcp, ip ...

If you understand french I write 6 articles about LNS and the internet protocoles (with link to reference sites often in English):
http://climenole.wordpress.com/

Well, this is a vast problem right?
I guess you have enough information here to have a very busy week-end.
Check this and come back in the forum for more questions...

Don't forget to read the LNS documentation too.

Hope this help.
Let us know,



P.S. the constant stream of UDP on port 1900 comes from the useless service
SSDP Discovery Service

Start | run| services.msc
right click on this service, properties, stopped it and put it in manual or disabled startup mode...

Check the other services with The Elder Geek web site...

Nice Week end!

 

Hello expialidocious,

First welcome to this forum!

> So now I am left with Windows firewall right?
> What, if any, protection does that give me?

It helps to prevent attacks from outside (e.g. the SASSER virus, you remember?)

> Then I installed L&S. Now i can see that things like
> SVCHOST are wanting to connect and a few other
> executables that i am not sure what they are.
> How do I determine which of these are genuine M$ items > and which are spyware etc?

This is indeed not easy to answer. If you want to be safe, try surfing with "limited user rights". By doing so no one can change your system files.

> Now L&S is operating.
> I roam around and connect to wi-fi networks all over the > place. different cities every week. I assume L&S will
> allert me if the owner of the network trys to surf my hard > drive?

It is not sooo easy to surf on your harddrive, if you have disabled "file sharing" on your disk drives.

> As I work I get a constant stream of:
> UDP: Any Other UDP - Port Destination 1900 Src: 1120
> Alerts. what does this mean?

I get these packets from my WLAN router. It is normal. Just ignore it.


> How do I decode the cryptic log?
Do you mean the log file? Or the data of one data packet?

> When I look in the appplication filtering I see several
> things I do not recognize:
> LASS.EXE - LSA Shell
I see this, too. Not critical!

> MQSVC.EXE - Message Queuing Service
I have never seen this! Maybe someone else can help with this one

> MCRDSVC.EXE - MCRD Device Service
I have never seen this! Maybe someone else can help with this one

> ALG.EXE - Application Layer Gateway
> SVCHOST.EXE - Generic Host Process.
These two are normal Win-XP activities. Not critical!

> What are all these?
> I recognise SVCHOST but then if I were a virus/spyware > developer I would call my .exe something similar to that. > How do i know what is genuine and can be trusted?
You could load suspious files to:
http://www.virustotal.com/en/indexx.html
They check it online!
My recommendation would be: You should have at least (1.) an up-to-date "on access" (1.) virus scanner and (2.) a "malware scanner" running.

> Finally,
> Are all my ports shut by default with L&S?
Go to
http://www.grc.com/
and follow the link to "ShieldsUP!". Here you can do an online port scan of your computer. Keep in mind that if your notebook is connected "behind" a router w/ firewall, then GRC will scan the firewall of your router instead.

Finally: If you want 99% security, you should consider LINUX as an alternative

Thomas

 

Wow! you guys are GREAT!

Thankyou thankyou for that wealth of info. My first post on the Netstumbler forum was this long and this many questions... I got banned for life!
I gues they dont like deep questions...

I dont need rock solid security, just want to understand more about this subject. I actually have a roof antenna and a powerful new Wi-Fi card so I can check my email from those unsecured wifi points on the road. I am allways travelling.

Unfortunatly in the world we live in, people hunt these down and do malicious things or send a bunch of spam. I just want to check my email. Obviously the unsecured wifi points are risky in that the owner could be malicious, but common sense dictates that IF they are too unsophisticated to enable their WAN security, they are not going to be examining my packets!

Anyway I digress. I

>an up-to-date "on access" virus scanner and
>a "malware scanner" running.
Can you reccomend a good anti-virus. Again something that does not take over my machine!
I like Ad-aware and have been considering it for my run time spyware checker. What do you guys think of that?

> How do I decode the cryptic log?
Do you mean the log file? Or the data of one data packet?
I mean the "log" under the log tab. The rules are not well explained (like the any other packet)
The problem is I get a lot of those so the audio alert is constant. I like the audio alert because it tells me when i need to examine L&S to figure out what is happening but a constant stream of these gets annoying...

 

nod32 and kav are both excellent antivirus. if u want more opinions, u can always post the in the other anti-virus software section

theres better antispyware.

i like ewido anti-spyware and superantispyware for on-demand scanning.

if u want free realtime protection, take a look at spyware terminator.

 

HI expialidocious

1- To check the WiFi connexions I suggest you to used BlueScanner and RogueScanner (Free tools from NetworkChemistry).

You may also download the third one: Packetyzer...

http://www.networkchemistry.com/products/packetyzer.php

2- About Spam:

To avoid it:
a) Don't give your email address to everybodies (including web sites...)
b) use a 3 layer of protection for your email address:
(pop3 or Gmail)
1- one for the poeple you know personnaly
2- one for professionnal or social purpose
3- a third one for the others: a "garbage email" such as
http://spambox.us/
http://www.jetable.org/en/index
http://www.spamgourmet.com/
etc.
Avoid web mail like Hotmail or Yahoo. Prefer Gmail ...
(they have a good spam filter...)

c) Use a mail client with a spam filter such as Mozilla Thunderbird
which can be combined with a good anti-spam such as:
K9
http://keir.net/k9.html
SpamPal
http://www.spampal.org/
Spamihilator
http://www.spamihilator.com/


3 - About AV:
well ... this subject is often a source of forum
and news group "mini-war" ... ;-)

Check this :
Anti-Virus and "Security" Products
"Courtesy of the alt.comp.virus newsgroup participants."
http://www.claymania.com/anti-virus.html

You may used Avast Home edition (Free: you have to register
to have the activation code: no spam or mail from them...)
Light and easy to used. I have it since 3 years with NO problem...
http://www.avast.com/eng/free_software.html

You have to completly uninstall the AV you have presently before instaling a new one... If it's A Symantec Norton tell me: you need a special uninstaller from them...

4- About the LOG:

Cryptic? Check first in the LNS documentation...
Some hints:

logging is enabled in Application filter with the excalmation mark in the 4 th column: no mark= no logging, one != log if blocked, two !! always log ( IMHO: avoid it! Use one ! only...)

logging is enabled in internet filtering by one exclamation mark in the thirds column. I suggest you to have this enable for all rules in order to keep tracks of what's happen and when... (It's seems you like sounds but I guess It must be reserved for few or no rules at all except for debugging purpose or for some rarely and critical rules... These sounds do not drive you crazy)

The details for the Log tab in LNS are set in the option tab...

1- d = download (from internet to your PC)
u = upload (from your PC to internet)
+ = authorised
- = blocked

2- Date and hour of the event

3- The name of the rule executed for the packet

4- The type: (protocol)
Icmp, Udp, Tcp
a letter "F" mean flood control (a good option in advanced options...:
disable this and check... you'll see ;-) )

5- IP address used by the packet or application name...
Optionnaly: URL of this IP (sometimes usefull)

6- Source Port (from which port the packet comes)
and
Destination Port (to which port the packet is send)
Optionnaly: port name(useless IMHO)

Example (simplified) with a connection with a web browser to a web site:

a) you type the Uniform Ressource Locator : www.my_favourite_site.com

b) you PC send a Domain Name request to your ISP DNS server
It choose the first available local port from 1024 to 5000
and
send the request to the remote port 53 of the DNS server
with the protocole UDP
Your received the IP address corresponding to the URL
from the remote port 53 to the same local port used to
start the connection...

Then

c) your PC send a connection request to the web site:
It choose the first avalaible local port from 1024 to 5000
and send to the remote port 80 (Http) a TCP packet with the flag SYN

The server send the answer: a TCP packey with the flags ACK-SYN
from his port 80 to the same port used to initiate the connection...

And so on...

So you'll see thoses packet exchanges corresponding to the rules into the log... You may check also the details of each event...

See the idea?

 

Hi,

For checking emails with your laptop via wi-fi you could try TOR. It encrypts your traffic... if you are using an email client you could use ipig (hxxp://ipig.iopus.com). but it is really slow at this point and they are working on improvements.


concerning antivirus, kaspersky, bitdefender and nod32 are recommended. personally i like nod32 the best, but you will get good protection from all of those.
every once in a decade (lol) i'm running a scan with ewido, a-squared and superantispyware. for realtime protection i have boclean.
however, i could go without all those scanners because of the HIPS program, but it's fun anyway...

as far as logs go, you might look into the help file of lns again, the different options and signs are explained a little. climenole's page also helped me a lot. i translated it via babelfish and the translation was ok...
you can just click on the sound icon and it won't alert you anymore.. do you have advanced options checked? maybe this will be of help?
https://www.wilderssecurity.com/showthread.php?t=140667

best regards,

tt