Do I need to make rules for these two applications?

Discussion in 'other firewalls' started by FireDancer, Jul 27, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    I'm back again..... :D

    These two EXE applications popped up on my firewall

    LEXPPS.EXE
    RPCSS.EXE
    They're not connected... do I need rules for these apps?
    I would think so but am not sure :rolleyes:
    Regards,
    FireDancer :D
     
  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    After a search of Google it appears the lex app might be for your Lexmark printer, and the rpcss.exe has no business accessing the internet. The localhost loopback rule I gave you in a previous example should be all it needs, and you can place a blocking rule for this application after the localhost loopback rule.
    Previous Example

    If you have a question about an application, check where it's located, and take records of what it was trying to do, like which ports and addresses it tried to communicate with, if you have any questions. Also, search engines like Google do reveal quite a bit of information which can help you.

    When it comes to making rules for every application on your system you need to do a little research by doing some searching if needed, where it's located on your disk, and watching what it tries to do.
     
  3. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZeus,

    This is what I found and what I did...

    As far as RPCSS.EXE, from what I have read it can be used as an exploit for a Trojan. Although the author states that it would not go unnoticed for long and that there are many other (better) ways to do this, i.e. keep the trojan hidden and undetectable for a longer period. Link listed below:
    http://www.cexx.org/rpc.htm

    What I did was make a rule that looks like this:
    Deny RPCSS.EXE TCP/UDP both any port any address

    I placed the rule as you suggested below the loopback rule and above my final rule Block all sys ports.

    As far as the LEXPPS.EXE, this is what I found on Google (copy and paste):

    Lexpps =
    Lexmark Printer Port Scanner. Background task which auto-loads with the rest of the printer drivers and which allows your Lexmark X or Z Series to be shared over a Windows peer-to-peer network using the conventional method of setting up a shared networked printer (without it, you will not be able to share the printer using the conventional Windows method).
    Recommendation :
    This task is a comprehensive nightmare. From preventing your PC from booting up, to interfering with your network card, to asking your Internet firewall for permission to install itself as a server application, to general PC instability, this task has everything to make you instantly return your Lexmark X or Z Series printer and go for something else, and some users have done so !! In order to regain your sanity the first thing to do is to rename LEXPPS.EXE to LEXPPS.EXE.OLD (do it in Safe Mode if you cannot boot your PC normally) this will ensure that this task never loads and will cure all the problems that it causes. If you need to network the printer over a peer to peer network, do not use the standard manner, instead install the printer as a local printer on the remote PC, and then go and change the port from a local port to the network share that the printer is known as.

    Currently both apps are listed in my firewall status like this:
    RPCSS.EXE TCP Localhost 1155 ............... Listening
    RPCSS.EXE TCP ALL:135 ............... Listening
    LEXPPS.EXE TCP Localhost 1156 .............. Listening
    LEXPPS.EXE TCP All 1157 ............... Listening

    I am still not sure if it is harmful as it seems it has to do with local networking issues and at this time I DO NOT have print/file enabled... am I wrong?

    Regards,
    FireDancer :cool:
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    As long as rpcss.exe can't be a server, or access the Internet, then you're fine.

    As far as lexapp.exe, run msconfig.exe to disable it in the startup tab, and rename it like the info says. After that it won't bother you anymore, and I wonder why Lexmark would make such an application that would bypass normal printer sharing to leave you less secure.

    As far as I know all Windows NT services might need loopback communications so I at least allow them that, but I block them from everything else unless I want to allow one communication, which I put above their block rule, like using time sync with svchost.exe

    So there you go, a little patience, and research will go a long way :cool:
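
The rule ordering discussed in this thread (loopback allow first, then the per-application block, then the final block rule), as an added example that is not part of the original posts and is not any firewall's own code. It assumes top-down, first-match evaluation, that "sys ports" means 0-1023, and that an unmatched connection makes the firewall prompt ("ask"); the remote peer address is constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    app: str = "*"               # executable name, "*" matches any application
    loopback_only: bool = False  # True: rule applies only to loopback peers
    ports: tuple = (0, 65535)    # inclusive local port range

    def matches(self, app, port, peer):
        if self.app != "*" and self.app.lower() != app.lower():
            return False
        if self.loopback_only and not ipaddress.ip_address(peer).is_loopback:
            return False
        return self.ports[0] <= port <= self.ports[1]

def decide(rules, app, port, peer):
    """First matching rule wins (assumed); no match means the user is prompted."""
    for rule in rules:
        if rule.matches(app, port, peer):
            return rule.action, rule.name
    return "ask", None

LOOPBACK = Rule("allow loopback", "allow", loopback_only=True)
DENY_RPCSS = Rule("deny RPCSS.EXE", "deny", app="RPCSS.EXE")
BLOCK_SYS = Rule("block sys ports", "deny", ports=(0, 1023))  # assumed range

THREAD_ORDER = [LOOPBACK, DENY_RPCSS, BLOCK_SYS]  # order used in the thread
WRONG_ORDER = [DENY_RPCSS, LOOPBACK, BLOCK_SYS]   # block placed above loopback

# Listening sockets from the status list in the thread; peers are constructed.
REMOTE = "192.0.2.10"
SAMPLES = [
    ("RPCSS.EXE", 1155, "127.0.0.1"),
    ("RPCSS.EXE", 135, REMOTE),
    ("LEXPPS.EXE", 1156, "127.0.0.1"),
    ("LEXPPS.EXE", 1157, REMOTE),
]

def report(rules):
    """Return (app, port, peer, action, rule name) for every sample socket."""
    return [(a, p, peer) + decide(rules, a, p, peer) for a, p, peer in SAMPLES]

if __name__ == "__main__":
    for label, rules in (("thread order", THREAD_ORDER), ("wrong order", WRONG_ORDER)):
        print(label)
        for row in report(rules):
            print("  ", row)
```

Under these assumptions LEXPPS.EXE on port 1157 matches none of the three rules, so it still needs its own rule, and moving the RPCSS.EXE block above the loopback rule would also cut off its loopback traffic.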
     