KRNL386.EXE

Discussion in 'other firewalls' started by FireDancer, Aug 23, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi all,

    I just started seeing KRNL386.EXE in my MD5 listing in Kerio 2.1.5 and I went and did a search on Google about this app.
    I found that this particular app is in the system to manage memory, load applications and such. I don't feel it's a threat
    as I have not seen any activity with it connecting to anything, but I thought I would drop a line as I am not too familiar with it. Any comments are greatly appreciated.

    EDIT: I'm running WIN98SE

    Regards,
    FireDancer
     
  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Well, it's not abnormal for it to be listening under certain cases. What ports is the program listening on, and what kind of communications is it trying to make, if any?

    I'll just say this first: if you're not running a network, and it's listening on ports 137-139, then find vnbt.386, which should be in the windows\system folder, then rename it to vnbt386.ren, then reboot. If you update any adapters, Windows automatically likes to rebind NetBIOS, and even if you're blocking the communications it's still better to have a secure OS than a secure firewall.
     
  3. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZeus,

    It is not listening anywhere at the moment, but I will tell you about 10 minutes ago my new AV gave me a prompt that said it had corrected my network settings and told me to reboot. I did, but immediately opened NOD up and found the setting for auto repair network and disabled it.

    Then about 5 minutes after that Windows Critical Update tried to log onto the internet and I denied it with no rule as of yet and went to Scheduled Tasks and disabled Windows Critical Update. Hmmmm, not sure if I did right but I felt better saying no now than dealing with something unfamiliar to me.

    Regards,
    FireDancer
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Make a logging rule to block it for now, and lets look at the logs if it tries to communicate again.
     
  5. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Will do :)


    Thanks
    FireDancer
     
  6. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZeus,

    Is this good for now? :)

    FireDancer
     

    Attached Files:

  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Yeah, it will be fine, but it appears you might have installed something which will look for critical updates automatically which might be causing this from the other entries below that block rule.
     
  8. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    I took Windows Critical Update out of Task Scheduler after I saw it try to update. I like to update manually about once a week, inasmuch as I don't want it just connecting and updating while I'm doing something else. The only program I have that I allow to update automatically is my AV, and I have that set to once a week right now. All my other apps have to be opened up and told to update. I think by disabling it in Task Scheduler it will not try to connect anymore. It was set to update once every 5 minutes for 24 hours LOL... :D


    Geeeeessh! That's a bit much so I disabled it... hmmmm, I will keep an eye on it but I don't think it will try anymore.

    FireDancer
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi FireDancer

    With the way things have been going lately you might want to update your AV a little more frequently than that ;).

    Regards,

    CrazyM
     
  10. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi CrazyM,

    Long time no see... and yeah, you're probably right. I just purchased NOD32v2 today and am still playing with it.
    As far as the Critical Updater, I have all updates for Win98SE right now, no more available. I will keep the rules up to block and watch logs for a while as I disabled it from Task Scheduler. I believe that was my problem. I am not sure about KRNL386.EXE though, as I don't find it listening anywhere
    at the moment. I might just keep that block rule up for a good long time as I am still not familiar with the app.


    I do know it is used to manage memory, load applications
    and whatnot, and I believe it is just a local app. I am not sure it has the capabilities to access the net though.

    Best Regards,
    FireDancer
     
  11. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Fire Dancer

    To go back to your image, it's a good idea to have blocking rules logging, unless you're logging things you can't control, and are tired of looking at. For example, I know I'm blocking all these port 135 and icmp(8) packets which are flooding the internet right now, but I don't log them right now since I'm tired of them filling my logs. Very few of my blocking rules don't log, and it's always for a reason.

    Now that program is used for certain networking functions when it's listening in most cases, like running NetBIOS for your home networks, but it does have other functions.
     
  12. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZeus,

    I have several rules logging and I am making it a habit of checking logs every day to see what activity has taken place. I did go back to the three rules and only one is logging the KRNL386.EXE block rule. I feel I need the logs to better understand not only how to read what is junk and what is important but to be in the habit of looking :) My block ICMP 3 rule is logging as well and my NetBIOS rule logs, but my block all lower ports rule is not, as I found that rule goes off if ya look at it wrong :) It seemed to be redundant to the point that every time I opened an app that didn't have a specific port ruled out for it, it would set off the block lower ports rule, at least till I made a rule defining the port it could use. I am not having too much in logs right now and am comfortable with what I have.
    EDIT: BTW I do not have a network set up. I do though let my oldest daughter use the cable connection via the router to access the net.

    If you think I should trim it back or add to logging then I will. I hope I have understood you right. :)

    FireDancer
     

    Attached Files:

  13. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Ok, it just wasn't clear that you label one rule, and didn't label another as logging ;)

    Just like your lower ports rule, it's logging many things you can't control which happen to be many probes. So it seems you have things under control ;)
     
  14. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Thanks to you :D

    Like you said... learning continues forever :)

    FD
     