Is Port Explorer Worth Buying?

Discussion in 'Port Explorer' started by worldcitizen, Jan 30, 2005.

  1. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    I decided to start this thread because often people new to PE wonder what they would use it for & whether it is worth buying. You can see which programs are using which ports - so what? When I 1st bought it I only did so for the fun of it. Later I thought it was useless and complained. Since then I have found it to be the best alert system for me that 'something' is using my internet connection 'inadvertently'.

    OK so you see your internet lights continually being used - 'something' is downloading. 'Something' is accessing your PC and downloading 'something' into it and probably installing it after it has downloaded. Wouldn't you like to know what it was? If you arrived home one night and found the front door of your house wide open wouldn't you be concerned? Would you rather go in yourself or send someone to find out sparing you the possible mess? PE is like that. You find your connection madly downloading 'something' and you can't track it down. It might be legitimate or a dialler preparing itself to use your phone bill. A dialler got into my sister's new PC recently and dialled $100 worth of calls and SHE had to pay the bill. PE could have blocked that dialler from using the connection at all. Then pointed to where the program was so she could have deleted it.

    Anyway this is how my story goes for those maybe interested in purchasing PE but not sure how or when they'd use it. You use it mainly when you get 'suspicious' to find out 'who's snooping' on you or using your internet connection. PE is a spy against other spies and its job is to 'blow their cover'.

    Many times I would notice my internet connection being used, slowing up my browsing and not knowing what was causing it. Thanks to PE I can quickly check if it is a virus, bug, worm, dialler or a legitimate program in which case I know what's going on. This greatly puts my mind at ease since if I don't like the program using the connection I can easily find out what it is and delete it. One example is the new ATI control panel. I noticed since installing it, my connection was being used a lot. Checking in PE showed me that it was ATI and so I uninstalled it and downloaded the other version which doesn't take up all these unnecessary resources. This is just one instance but there have been times when I've found a bug and quickly ran my AV and got rid of it.

    I like it best out of all the DCS programs because even though at 1st I thought it useless, I now refer to it more than any other DCS program for my peace of mind. I always get worried when my connection is being used and it's not me who's using it and I insist on knowing and consenting to my connection being used remotely so PE gives me more control over what uses my connection. I am now in charge of my downloads not my connection.

    Programs which 'spy' on you and download other malware onto your PC 'cloak' or 'hide' themselves so you normally can't see them in any Windows program. However, Port Explorer will show you ALL the ports being used even the 'cloaked or hidden ones' which are basically working hidden from your eyes to get their material onto your PC without you finding out until it's too late and they've got what they wanted.

    Now, I always have Port Explorer ready and on standby in case I notice my connection being used for lengthy periods or without my permission and can check to see if it's a legitimate program or not and block it if it isn't.

    For me Port Explorer = Peace of Mind

    Dave


    Hope this helps.
     
    Last edited: Jan 30, 2005
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Post by guest hoser removed. O/T


    snowbound
     
  3. S!x

    S!x Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    51
    Location:
    Ohio, USA
    I gotta admit ... I wasn't overly impressed with PE when I first tried the demo a few months back.

    I am not exactly sure what I expected from it - but at first it just seemed like a fancier version of a freeware program I had been running called "Active Ports".

    I use Outpost Pro 2.6 as my firewall (plus I run through a Netgear router) - I also have SP2, and all the current Windows updates ... as well as Process Guard and NOD32 (and use no P2P or IRC) - seemingly a tough nut to crack from the outside I would think.

    To make an already long story shorter - I noticed in Outpost a process labeled "n/a" creating network traffic (no pop-ups issued asking to permit or deny) and only noticeable under the "Network Traffic" window (nothing in the logs) and only then when it was attempting to get out (about 5-8 seconds and then it would vanish).

    Watching what ports it was using in Outpost, I turned to Active Ports - and it just showed a few instances of svchost - no big deal - and those instances didn't match the ports in Outpost (none of which were the PID I would have needed anyway) - so out of frustration, I decided to buy PE - and quickly found out it was an instance of svchost not showing up in Active Ports.

    After running TDS-3, Trojan Hunter, and Blacklight (for rootkits) all turned up nothing - so I jotted down the PIDs (got them from Blacklight) of every instance of svchost that was running and set the socket spy (packet sniffer) on all of them.

    Sure enough one of the svchost instances was transmitting to 2 IP#s that I had already blocked in my firewall - but since it had injected itself into svchost (which is an allowed and shared component) it was able to pass right through my firewall and router.

    The IP#s were -
    napoleon.acc.umu.se - 130.239.18.173
    tutankhamon.acc.umu.se - 130.239.18.137

    Without PE I would still be wondering what the "n/a" process was in Outpost, and would never have known it was secretly transmitting - I couldn't find the .dll or .exe that had allowed the infection, and with no scanners turning up anything - I just re-installed Windows - but no more "n/a" processes running wild :eek:

    My advice is - buy it - ... and learn how to use it :D
     
    Last edited: May 6, 2005
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I agree with everyone's comments.

    Port Explorer is exactly that. It provides valuable information when and if there is a suspected trojan on the system. At that point, it is invaluable since it removes ambiguity and allows the user to zoom right in to locate potential problems. So until there is a problem, it doesn't seem like it is doing much - but when I need info quickly, I go right for Process Explorer.

    Rich
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    OUCH S!x, hope you have wiped that system and installed ProcessGuard !

    In any case, glad to hear PE was able to help :)
     
  6. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi everyone! I'm a new member. I'm a bit overwhelmed with this program. How do I know what ports should be open and what should be closed, as well as incoming and outgoing choices? If something malicious was running, I don't think I would be able to recognize it. I'm scared I'm going to do the wrong thing and destroy something, and then I won't know how to undo it.

    Whatever tips all you forum members can forward I would be grateful. Thanks for all your time and expertise.

    Rilla927
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Under the "Settings" menu, you can select "Hide netstat sockets", which will hide the standard Windows connections (alternately you can go to http://www.firewallleaktester.com/wwdc.htm and download WWDC, which will close those ports permanently). After that pretty much the only thing you should see is the internet software that you use (only while you're using it) like your browser, email, etc. And of course you can always start a thread in this forum if you need more help :)
     
  8. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Notok, thanks for your reply! If I follow the link you gave me to close those ports, how does it know what ports to close, and will I be able to compute with no problems? Also, when you say permanently, does that mean I could never open them again if needed? I'm sorry, bear with me, I don't mean to ask dumb questions. I'm going to learn from you Pros.

    Thanks again, Notok
    ~Rilla927~
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, when some ports are needed, your firewall should ask permission for the program to access the internet?
    Or you see in the Port Explorer log that an application was blocked, so if you know that application you know you can allow it internet access.
    Same way when you see something suspicious, right-click and investigate what it is.
    Check the ports for their meaning; you can block, spy, enable connections, etc.
    Pay extra attention to the hidden (red) connections. Do you know them, trust them, should they be there?
    In one blink of an eye you see what could need some extra attention.
    You can't go wrong with Port Explorer, it's so easy and even with menus in maybe your own language!
     
  10. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi Jooske! If my firewall was to ask me something like that, I still would not actually know what it is. I didn't know PE had a log I could check for blocked access. What exactly does "Spy" mean? I did see some red connections, it was for Trillian Pro, the instant messenger.

    My problem is learning the language and understanding what to look for, as well as knowing what I'm looking at when I see it. So, if I see more than one red connection, does that mean something's up, or maybe I should ask what types of programs would be using that type of port.

    Thank you! I appreciate it, greatly.
    Rilla927
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi there Rilla927,

    Red sockets basically mean the process has nothing visible on-screen. This can be useful to instantly recognise remote access trojans, because they use sockets but don't have any visible components such as windows. There are however legitimate programs, but you'll recognise those - just as you recognised Trillian, for example. So just think red = not visible.

    "Spy" simply means watching the data that is sent/received. It's regularly referred to as 'packet-sniffing', and Port Explorer allows you to listen in on individual ports as well as entire processes. For example, you might like to spy on your web browser when it tries to download a web page to see how it 'talks' to the remote server. :)

    Best regards,
    Wayne
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you see the wonderfully written helpfile? It's great and rather informative!

    The logfile you can activate under Settings > File logging > I recommend the smallest size. To see it you can click the logfile icon in that same place and see what actually happened on your system.

    Spying on a socket means you can see all the traffic to and from it.
    Right-click on a socket, for instance from your browser or email, and enable spying.
    Now in Utilities > Socket Spy, look if that process is showing already in the main window, or you can click the ... button, search for the application you want to spy on, select it and OK it, click Add PID and see it happening after a short while if there is traffic on that one, of course: if you blocked or killed it, no traffic :)
    Click the Packet data and see what came along.

    Don't let it run too long on a busy socket as the capture.bin can grow very large! You can clean it afterwards or close it. It is in the Port Explorer directory if you want to save it away with another name, for instance capture140505.bin, so you can check it again later. Port Explorer will make a new one the next time you use it, so no worry if you deleted it.


    If your Trillian was the only red application it was OK, as that is a legal process.
    Be glad you didn't see red trojan nasties connecting!
    If you have your browser minimized to the systray it will show up red as well, as it is hidden now; click the icon or maximize it again and it's back to its normal color.
    Etc.

    You will learn! The Helpfile has really very nice explanation and screenshots, you can't go wrong reading it! :cool:
     
  13. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Hi all,

    I hope it doesn't break the flow/hi-jack this thread if I ask for clarification on the following aspects of 'spying' as it's defined in PE.

    Is PE's version of socket/packet sniffing an entirely local operation in the sense of it being an action which wouldn't cause an alert on a remote server/pc or alert an IP that I was seeking more information or monitoring its actions etc?

    Additionally, are there any situations when using PE's spying capabilities could adversely affect an otherwise consistently stealthy firewall - or is this an entirely 'passive' operation in the sense that it is invisible to anyone on the other side of my router?

    It all seems to be taking place on a local/anonymous basis - but I figure it's best to check if there's a potential downside that I should be aware of and close if possible.

    To answer the original question - I guess it's a bit subjective, but given that I want to increase my ability to read the network, protect my pc and find that in Western terms at least PE is very reasonably priced - yes it's worth it to me.

    Cheers :)
     
  14. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi eyes-open,
    Yes it's entirely local, and only monitors what is sent/received to your system, not other systems. It's simply 'eavesdropping', so it's not possible for it to cause alerts on remote systems. This applies to packet-sniffing in general, not just Port Explorer's.

    No, because again it's just eavesdropping - it doesn't actually 'do' anything in the sense of making changes, so you can almost always install packet-sniffers alongside your firewall without any problems at all.

    Best regards,
    Wayne
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Eyes-Open,
    Welcome to the forum!
    Maybe the term "spy" does give some confusion? It's something like the "Port Listen" function in TDS: you just look inside the packets of data sent and received by your system on a specific port or by a specific process. In the TDS function you can even edit them, in Port Explorer Socket Spy you only watch them.
    There is no way anybody or anything outside your computer can know what you do with the packets, look at them or not. Only in the case of the changed packets if you would edit them in TDS Port Listen they could give unexpected results back to sender :cool:
    (I mean: if some intruder would be able to get in and send a data message like "infect this system, report back mission accomplished" and you edit the dangerous part out and reply back something like "thanks, would you like fries with that ma'am?" It's not exactly like this but you understand the way.)
    With TDS you can listen on one port, with Port Explorer on a whole series, application.
     
  16. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    Cheers Wayne & Jooske,

    Nice to be able to come to the forum and receive this sort of speedy and full clarification. :cool:
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    A very nice part is that Perth is located many hours ahead of my location and maybe half a day from yours, so we have very good coverage in time as well.
     
  18. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Re: Is Port Explorer Worth Buying?

    If you reach the point that you know you need a tool like this,
    it doesn't take very long to find out, it is simply the best out there...!
    -----------------------------------------------------------------

    And as you can see in my previous posts, i am not hired to make advertisements!
     
  19. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    OK, folks, S!X has helped me justify what I keep fearing is simply paranoid schizophrenia. I have hated how svchost seems to have a wholesale passport to do what it wants and can be used by other systems within the computer, and now I see I am justified, but without jumping through hoops requiring the knowledge that S!X had the intelligence to do and at this point I sure as heck do not, how do I dissect what svchost is allowing to bypass all the security programs I have running o_O What other built-in backdoors does a typical Windows (r) system have, and how do I check those? I, like S!X, am running what I think is a good soft firewall (Outpost, though I am seriously thinking of going to ZoneAlarm Pro, comments are welcome), an SMC Barricade NAT, P.G., CallerIP, RegRun Gold, WinPatrol, and so on, but I still know I can be dumb enough to blow everything I've done to protect myself to hell and run what appears to be an interesting "free" program, and install the bugger (unintended backdoor) myself...

    Oh, and I have a request in to see if there should be a discount for PE as I did buy PG...(hint for DCS...)
     
    Last edited: Jul 2, 2005
  20. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    brucemc,

    Keep your shirt on mate. Unless you are Osama Bin Laden there's no need to worry. There's no-one after you or the slightest bit interested in you unless you are either Bill Gates or Osama so why all this panic? You've got a good enough set up just enjoy it and be happy.

    No matter how many holes Windows may have most of the serious ones are protected by a good AV and firewall. If you have PG you have enough!! and hackers go after very big fish not guys like you so cool it and enjoy life. You don't need any more security software mate. All you need is to have a good time and forget about all this rubbish. No-one is gonna care if you buy 1,000 programs for your PC because no-one is the slightest bit interested in you.

    But I do highly recommend Port Explorer as you will always be able to check and see who or what is connecting to your PC and if you don't like the looks of it you can kill the connection via Port Explorer. Excellent program and has my personal seal of approval. Regardless of many who rave on about how good software is, I will only ever give my personal approval to programs I have verified independently over periods of at least 6-12 months. I don't give ratings to programs based on other users' opinions or hype. Port Explorer is a 'must have'.


    Dave
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Svchost does handle a lot in Windows XP (time synchronisation, service installation, Universal Plug'n'Play, RPC/DCOM, DNS and DHCP, etc) to the point where it is pretty much a "wrapper" for other programs, but similar comments can be made about RunDLL.exe, .NET Framework, Windows Scripting or Java.
    From a network perspective, setting up strict rules for svchost.exe for your firewall is the best method of controlling it. Since you did mention Outpost, a look at the Outpost forum's Secure Configuration Guide may be useful (section E2 includes detailed recommendations for svchost). Also, closing down unneeded Windows services will reduce the role that svchost plays (see the BlackViper Mirror for more details).
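    As an added example (not from the thread, and not DiamondCS or Port Explorer code), the correlation S!x did by hand and the "what is behind this svchost instance" question Paranoid2000 answers, done offline over constructed `netstat -ano` and `tasklist /svc` output: each socket is joined to its owning PID, peers on a blocklist are flagged, and every svchost instance talking to the outside is reported together with the services it hosts. The sample output and the 203.0.113.x peers are constructed; the blocklist reuses the two addresses S!x posted.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1984
  TCP    192.168.1.10:1054      130.239.18.173:80      ESTABLISHED     1132
  TCP    192.168.1.10:1061      203.0.113.5:80         ESTABLISHED     1984
  TCP    192.168.1.10:1077      203.0.113.9:443        ESTABLISHED     1304
  UDP    192.168.1.10:123       *:*                                    1132
"""
# Constructed sample of `tasklist /svc` output, including a wrapped service list.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    944 RpcSs
svchost.exe                   1132 Dnscache, W32Time, wuauserv,
                                   SSDPSRV
svchost.exe                   1304 Browser, lanmanserver
firefox.exe                   1984 N/A
"""
# The two addresses S!x had already blocked in the thread, reused as the blocklist.
BLOCKLIST = ("130.239.18.173", "130.239.18.137")

SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASK_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, service list

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows; UDP rows have no state."""
    rows = []
    for m in filter(None, map(SOCKET_RE.match, text.splitlines())):
        proto, local, foreign, state, pid = m.groups()
        rows.append((proto, local, foreign, state or "", int(pid)))
    return rows

def parse_tasklist_svc(text):
    """Map PID -> (image name, [hosted services]); wrapped service lists are joined."""
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    procs, last = {}, None
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            image, pid, svcs = m.groups()
            last = int(pid)
            procs[last] = (image, [] if svcs.strip() == "N/A" else split(svcs))
        elif last is not None and line.startswith(" "):
            procs[last][1].extend(split(line))  # indented continuation line
    return procs

def peer_host(addr):
    """Strip the port (and IPv6 brackets) from a numeric netstat address column."""
    return addr.rsplit(":", 1)[0].strip("[]")

def is_remote_peer(addr):
    """True only for a real remote host: not wildcard, unspecified or loopback."""
    return (h := peer_host(addr)) not in ("*", "0.0.0.0", "::") and \
        not ipaddress.ip_address(h).is_loopback

def audit(netstat_text, tasklist_text, blocklist=BLOCKLIST):
    """Join each socket to its owning process and report what the thread looks for:
    a peer on the blocklist, and any svchost instance talking to the outside,
    listed with the services it hosts so that instance can be dissected."""
    procs = parse_tasklist_svc(tasklist_text)
    blocked = {ipaddress.ip_address(b) for b in blocklist}
    findings = []
    for proto, _local, foreign, _state, pid in parse_netstat(netstat_text):
        if not is_remote_peer(foreign):
            continue
        image, services = procs.get(pid, ("<pid not in tasklist>", []))
        reasons = []
        if ipaddress.ip_address(peer_host(foreign)) in blocked:
            reasons.append("peer on blocklist")
        if image.lower() == "svchost.exe":
            reasons.append("svchost hosting " + ", ".join(services))
        if reasons:
            findings.append({"pid": pid, "image": image, "proto": proto,
                             "foreign": foreign, "services": services, "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(*audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE), sep="\n")
```

    On a live XP box the same two commands feed it directly; the firewall-rule advice above then applies per service group, since the report shows which services share each flagged PID.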
     
  22. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    Last week I was assigned a new IP address, which happens about every 6 months, being "static dynamic" as Comcast likes to call it. Happened that it was blacklisted by SpamCop. I went to their site and unleashed a tirade over the stupidity of blacklisting a dynamic IP address as by its nature it won't be fixed to one person (the spammer), and my great overall objection to SpamCop deciding who can and can not use email freely, without having to contact them and beg clearance to be un-blacklisted.

    Over the next two or three days every IP address that I switched to (by cloning a new MAC to my NAT it forced a new IP) they would catch it within a day and blacklist me once again, I believe I am on my third or fourth IP address at the time (I kept the SpamCop bounce notifications for what evidence it might provide).

    Though I was relatively certain no backdoor spambots were using my computer, I felt the need to be as close to 100% sure, as then this was a clear-cut case that the company that puts out SpamBot was intentionally harassing me in response to my criticism. CallerIP brought me close to the 100% mark, but I thought PE would nearly insure that.

    Still, I really would like to know the programs behind svchost, it bothers me that such an easy obvious hole exists for someone crafty enough to exploit it. If in the first day of training PG something early in the bootup process is already corrupt, it would take its place to pose as an unfettered backdoor. That is where I want to slam the door shut on that few % chance of controllable error.

    Since I posted my recent experience with the SpamCop system (which is employed by quite a number of ISPs) with ICANN, BroadBandReports (despite one gentleman whom I doubt knows the difference between RAM and ROM), and requested Comcast's legal department to get involved, finally the harassment has stopped, but it is still too early to tell for sure, maybe the jerk at SpamCop who was tracking me simply went on vacation for the weekend.

    Oh yeah, one more thing... Gee, I wish the folks at Diamond CS would turn on the icon for my account in the member's area that would enable me to buy PE at my member discount... ;-) ...and... Do you know Steve Irwin? (Sorry, just had to.)
     
  23. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    Paranoid 2000: Thanks, I will study both. Any quick observation (I apologize for the forum deviation) on whether I should switch to ZA Pro is also appreciated as I am within a month of due for renewal with OutPost!
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    SpamCop do not block emails themselves, they provide a list of addresses from where spam originated. The blocking is done by ISPs or individuals that decide to use the list. In addition, multiple spam submissions are needed for an IP address to go onto the block list (see What is the SpamCop Blocking List).

    However none of this would affect you unless you were running your own mail server rather than using your ISP's. If you are, then you need to take special care to configure and secure it properly (including keeping up-to-date on patches).
    Then it's almost a dead cert that spam is coming from your address. Either one of your machines has been compromised, you are running an open relay mailserver or someone else with access to your network (very possible if you are running a wireless access point without proper security) is sending spam.
    Addresses on the SpamCop blocklist automatically drop out after 24 hours if no further spam is reported. If your system has been compromised then it may be used to spam again and re-enter the blocklist. If you are using a wireless network, then at the very least enable encryption to stop outsiders from hopping on (see this Wireless LAN security guide for more details). Otherwise, use an anti-trojan scanner like TDS-3 to check your systems.
    Outpost does not require renewal. The "one year" licence is for access to upgrades only, you can still run Outpost after this time. If you do want to renew the licence to access future upgrades, then the best advice would be to wait for a major release and renew then - renewals get a 50% discount regardless of whether your licence has expired or not.

    Whether you renew or not, I would advise downloading a copy of Outpost just before your licence expires. That way, you have the latest version on hand should you ever need to reinstall.
     
  25. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    No wireless, but I will run TDS-3 on each and advise; if I am a horse's backside, I will admit it...

    The NAT is only mapped to my computer; the other ones would have had to have something malicious dl'd to them, and that, though possible, is not highly probable, knowing the activity. Will TDS-3 with recent updates be as close to definitive, or would you suggest anything in addition?