Hi all, I just started seeing KRNL386.EXE in my MD5 listing in Kerio 2.1.5 and I went and did a search on Google about this app. I found that this particular app is in the system to manage memory, load applications and such. I don't feel it's a threat as I have not seen any activity with it connecting to anything, but I thought I would drop a line as I am not too familiar with it. Any comments are greatly appreciated. EDIT: I'm running WIN98SE. Regards, FireDancer
Well, it's not abnormal for it to be listening under certain cases. What ports is the program listening on, and what kind of communications is it trying to make, if any? I'll just say this first: if you're not running a network, and it's listening on ports 137-139, then find vnbt.386, which should be in the windows\system folder, then rename it to vnbt386.ren, then reboot. If you update any adapters, Windows automatically likes to rebind NetBIOS, and even if you're blocking the communications it's still better to have a secure OS than a secure firewall.
BlitzenZues, it is not listening anywhere at the moment, but I will tell you about 10 minutes ago my new AV gave me a prompt that said it had corrected my network settings and told me to reboot. I did, but immediately opened NOD up and found the setting for auto repair network and disabled it. Then about 5 minutes after that Windows Critical Update tried to log onto the internet and I denied it with no rule as of yet and went to Scheduled Tasks and disabled Windows Critical Update. Hmmmm, not sure if I did right, but I felt better saying no now than dealing with something unfamiliar to me. Regards, FireDancer
Yeah, it will be fine, but it appears you might have installed something which will look for critical updates automatically which might be causing this from the other entries below that block rule.
I took Windows Critical Update out of Task Scheduler after I saw it try to update. I like to update manually about once a week, inasmuch as I don't want it just connecting and updating while I'm doing something else. The only program I have that I allow to update automatically is my AV, and I have that set to once a week right now. All my other apps have to be opened up and told to update. I think by disabling it in Task Scheduler it will not try to connect anymore. It was set to update once every 5 minutes for 24 hours LOL... Geeeeessh! That's a bit much, so I disabled it... hmmmm, I will keep an eye on it but I don't think it will try anymore. FireDancer
Hi FireDancer, with the way things have been going lately you might want to update your AV a little more frequently than that. Regards, CrazyM
Hi CrazyM, long time no see... and yeah, you're probably right. I just purchased NOD32v2 today and am still playing with it. As far as the Critical Updater, I have all updates for Win98SE right now, no more available. I will keep the rules up to block and watch logs for a while as I disabled it from Task Scheduler. I believe that was my problem. I am not sure about KRNL386.EXE though, as I don't find it listening anywhere at the moment. I might just keep that block rule up for a good long time as I am still not familiar with the app. I do know it is used to manage memory, load applications and whatnot, and I believe it is just a local app. I am not sure it has the capabilities to access the net though. Best Regards, FireDancer
FireDancer, to go back to your image, it's a good idea to have blocking rules logging, unless you're logging things you can't control and are tired of looking at. For example, I know I'm blocking all these port 135 and ICMP packets which are flooding the internet right now, but I don't log them right now since I'm tired of them filling my logs. Very few of my blocking rules don't log, and it's always for a reason. Now, that program is used for certain networking functions when it's listening in most cases, like running NetBIOS for your home networks, but it does have other functions.
BlitzenZues, I have several rules logging and I am making it a habit of checking logs every day to see what activity has taken place. I did go back to the three rules and only one is logging: the KRNL386.EXE block rule. I feel I need the logs to better understand not only how to read what is junk and what is important but to be in the habit of looking. My block ICMP 3 rule is logging as well and my NetBIOS rule logs, but my block all lower ports rule is not, as I found that rule goes off if ya look at it wrong. It seemed to be redundant to the point that every time I opened an app that didn't have a specific port ruled out for it, it would set off the block lower ports rule, at least till I made a rule defining the port it could use. I am not having too much in logs right now and am comfortable with what I have. EDIT: BTW, I do not have a network set up. I do though let my oldest daughter use the cable connection via the router to access the net. If you think I should trim it back or add to logging then I will. I hope I have understood you right. FireDancer
Ok, it just wasn't clear that you label one rule, and didn't label another as logging. Just like your lower ports rule, it's logging many things you can't control, which happen to be many probes. So it seems you have things under control.