Hidden Sockets Warning

Discussion in 'Port Explorer' started by It'sme, Jul 18, 2004.

Thread Status:
Not open for further replies.
  1. It'sme

    It'sme Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    52
    Location:
    Middle Earth, NZ
    Just downloaded the trial of Port Explorer and have a quick question.
    (Forgive me if the answer's in the documentation somewhere - I've only just glossed over it at this stage).

    The question relates to displaying use of hidden sockets (displayed as Red):

    I wonder given the display's quick refresh rate whether a trojan or other process could use a hidden socket to do its thing and close down without you noticing. Surely this could happen.

    How long does the warning (red text) remain on screen and is there any audible alarm or some other notification to tell you when such an event happens? I don't really see reading through the logs at the end of each session as a practical option.

    How do others manage this situation?

    Thanks for help.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi It'sme, Port Explorer catches all the events which are logged, the refresh rate for the GUI can be set from 1 to 30 seconds.
    The "show dead sockets" can be set for 1 to 10 seconds.
    I do not believe that a sound alert would help much as the event will have happened anyway but having said that I suppose having the PE icon flashing if you have a hidden socket opening might be OK as long as it is a switchable function.
    Remember any iconised program that connects to the net will show as a hidden socket whilst it is an icon in the sys tray and therefore its connection events will be shown in red, your email client is a classic example. Have it open and you get a blue entry in your windows log, have it iconised and it will be red :)

    HTH Pilli
     
  3. It'sme

    It'sme Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    52
    Location:
    Middle Earth, NZ
    Thanks Pilli,

    Don't know if I fully understand what you mean by 'iconised program'. I have Outlook Express in my Quick Launch bar (vs Systray) and when I launch it, I didn't see it Red on the displays.

    Some form of notification (a flashing PE Icon would do it) to let you know there had been a potential breach of security would be nice - that would act as a trigger to go to the logs and investigate the circumstances and take whatever action is appropriate. Just my thoughts at this stage without a lot of PE experience under my belt.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    If you minimise OE it does not place an Icon in the sys tray but sits on the Task bar. Outlook proper does minimise to the sys tray (also known as the Notification area) as do many other programs, TDS3, PE, Kav etc.
    Mail Washer is a good example, if set to collect emails servers every so often PE will show it blue if it is open and red when it is minimised to the sys tray.
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    PE isn't a resident security monitoring tool though - it's an analysis tool for manual human use. For example, you probably have an anti-virus, a firewall etc which keep an eye on things as they happen, and alert you in realtime if anything out of the ordinary happens, such as a virus attempting to execute or an inbound packet that doesn't match any firewall rules. Port Explorer isn't that type of program - it doesn't alert you in realtime, because not many people use it for that type of analysis (it wasn't designed for that). PE is for human analysis - if you ever suspect something suspicious or you simply want to see what's happening with your ports, sockets and the data going through them, then that's where PE comes in. The red-highlighted hidden sockets is just a visual indicator for the human who's using it to analyse what PE shows, but it shouldn't cause alarm (many legit apps use sockets and don't have any visible interface) - it's just something to be aware of, because the majority of remote access trojans will also show up as red.

    Best regards,
    Wayne
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    By setting the "show dead sockets" to 10 seconds, any "quick" sockets which are created, do something, then destroyed, should be seen for a longer time. I guess it is possible that something could do that within the refresh interval of Port Explorer (which is 1 second at the best setting). I think it would have to be a really small operation, a really fast connection and the timing would need to be exact for Port Explorer to miss it still.

    The logfile (window + file log) should also display ALL actual socket operations (it isn't refresh interval based), so going over what is shown there will also be helpful.
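
A small model of the point made in the post above, added here as an illustration and not part of the original thread or Port Explorer's own code: a display that refreshes on a timer can miss a socket that opens and closes between refreshes, while an event-driven log records every open and close. The socket lifetimes are constructed, and the display model (a snapshot at each refresh tick, dead rows kept for the linger time) is an assumption, not a description of Port Explorer's internals.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SocketLife:
    name: str
    opened_ms: int
    closed_ms: int

def first_tick_at_or_after(t_ms, refresh_ms):
    """First refresh tick (a multiple of refresh_ms) at or after t_ms."""
    return -(-t_ms // refresh_ms) * refresh_ms

def seen_by_poller(sock, refresh_ms):
    """A snapshot only sees a socket that is still open at a refresh tick."""
    return first_tick_at_or_after(sock.opened_ms, refresh_ms) < sock.closed_ms

def on_screen_ms(sock, refresh_ms, linger_ms):
    """Time the row stays displayed: from the first tick that sees it to the
    tick that notices it gone, plus the dead-socket linger (assumed model)."""
    if not seen_by_poller(sock, refresh_ms):
        return 0
    appears = first_tick_at_or_after(sock.opened_ms, refresh_ms)
    noticed_dead = first_tick_at_or_after(sock.closed_ms, refresh_ms)
    return noticed_dead - appears + linger_ms

def event_log(socks):
    """Event-driven record: one entry per open and close, no refresh involved."""
    events = []
    for s in socks:
        events.append((s.opened_ms, "open", s.name))
        events.append((s.closed_ms, "close", s.name))
    return sorted(events)

def missed_by_display(socks, refresh_ms):
    """Names that are in the event log but never appear on the polled display."""
    logged = {name for _, _, name in event_log(socks)}
    shown = {s.name for s in socks if seen_by_poller(s, refresh_ms)}
    return sorted(logged - shown)

# Constructed sample lifetimes in milliseconds (not real captures).
SAMPLE = [
    SocketLife("mail-client", 500, 9000),  # long-lived connection
    SocketLife("short-a", 1200, 1500),     # opens and closes between two 1 s ticks
    SocketLife("short-b", 1900, 2200),     # same duration, but spans the 2 s tick
]

if __name__ == "__main__":
    for refresh in (1000, 30000):          # the 1 s and 30 s refresh settings
        print(refresh, "ms refresh, display missed:", missed_by_display(SAMPLE, refresh))
    print("log entries:", len(event_log(SAMPLE)))
```

In this model the two 300 ms sockets differ only in timing relative to the refresh tick, and raising the linger from 1 to 10 seconds lengthens the display of a socket that was seen but does nothing for one that was never sampled; the log contains all of them either way.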
     
  7. It'sme

    It'sme Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    52
    Location:
    Middle Earth, NZ
    Thanks all for your response and advice - it's given me a jump start.
    It certainly appears a very useful tool to help understand what's going in and out of your machine.

    I like the utilities included that allow analysis and follow-up of what you see happening - such as Whois etc. makes the product more of a fully integrated toolkit.

    Looking forward to using it.
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Our pleasure - we hope you enjoy using the program and the power it gives you. :)
     