No Name or File Path

Discussion in 'Port Explorer' started by Jo M, Nov 9, 2004.

Thread Status:
Not open for further replies.
  1. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi,

    I just had a panic. I was using Port Explorer and noticed that there were two entries which gave no file name. I was immediately suspicious. So I turned the display to show the File Path, no path either! I used Advanced Process Termination to kill the process, I got a dialogue from Process Guard, but then noticed that Zone Alarm had shut down! Panicked and shut down the internet. Did a TDS scan and an Anti Virus check. Restarted Windows and did an even more thorough TDS scan. Nothing came up.

    This time Port Explorer is not showing the anonymous process! In the panic I had not written down the Process ID (I think it may have been 1069?) It was Established and listening to Remote Port 110 (email) but was not my email client (Thunderbird) or my Spam filter (MailWasher Pro) or the email HTML filter (Benign).

    I had just Updated Zone Alarm to a new version. I had recently updated Thunderbird to the latest version. I had also recently installed PGP.

    Should I be concerned? Any Ideas on what it might have been?

    ;) It would be nice if TDS, Process Guard (and Zone Alarm) gave me the info about process IDs for programs, as in this example that was the only information Port Explorer was giving me. ;)

    Without that information I was literally unable to use these tools to do anything further (other than the scans). Clearly Process Guard was protecting it, as it resisted being killed and Process Guard's human interface dialogue wanted confirmation! But I could not check its settings without information about the process IDs.

    Regards Jo M

    XP pro, sp1, NO Internet Explorer, Outlook Express, Messenger, MediaPlayer....., Zone Alarm Security Suite, TDS 3, Process Guard, Port Explorer, Worm Guard, Firefox 1.0PR, Thunderbird 0.9, Mailwasher Pro, Benign, PGP, Hyper OS, XPlite
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Jo M, could it have been ZA phoning home to check the license or something like that? Just a thought, as it happened after the new install; this would also explain why it has not happened again.

    Also, if they were * blank these would be loopback connections on 127.0.0. i.e. your PC, and are possibly connected to your MailWasher, hence the ref. to port 110, or B9's internal proxy thingy.

    Just guessing. Pilli
     
  3. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi Pilli,

    thanks for the reply. Yes, you could be right. There have been complaints about the "Zone Alarm Phone Home" thing on their Forum. When I "killed" the process it did unload Zone Alarm too! Very suspicious.

    I usually have a much more strict than default setup with Zone Alarm. I don't "share security settings" any more. I deny virtually everything server rights etc. (I think Benign is the only one I have running but even that is denied to keep the port stealthed! It doesn't require Internet connection of the server for Benign to work!!).

    I did have a problem, which I reported on their Forum, about Zone Alarm periodically defaulting my security settings. Which was a pain, as I have them set up "just so" and manage to keep a full 100% stealth rating on grc.com. I made the extremely cheeky suggestion that perhaps Zone Alarm was set up to do this if certain supposedly "essential" default Microsoft services were being denied o_O Another user suggested that perhaps Zone Alarm compared your security settings with its web site's recommendations even if you had not opted to share security settings o_O Very naughty if they do!

    I haven't seen this before with Mailwasher or Benign and their setup has not changed, although I have been having a lot of mysterious failures to log in both in Mailwasher and Thunderbird since I updated from 0.8 to 0.9. Perhaps that's it?

    Would it be OK if I copied a shorter version of the original post onto the TDS3 and Process Guard areas to highlight the request for Process ID info in those (Great) Programs? Or could you (have you already) forwarded the idea?

    Regards Jo M
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Jo, well I hope you get an answer that helps.
    Regarding posting into the PE forum, no problem, just post the appropriate sentences in the wish list, mention TDS as well and DCS will pick it up.

    Pilli.
     
  5. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Port Explorer: Force Process to declare itself

    Hi Pilli,

    having transferred my idea onto the various areas which are relevant, I have come back and am asking myself further questions.

    I am assuming that the reason why Port Explorer was not able to display the file name or path info was down to bad programming on the part of the process involved (I still haven't had a reply from Zone Alarm as to whether it was responsible).

    ;) However could Port Explorer take a more aggressive stance and FORCE the information even if the process didn't declare itself properly? ;)

    It may be that Windows wouldn't let it but couldn't your team find a way round this? If they could it would be an important part of controlling wayward and potentially harmful programs from using this kind of "Stealthy approach to running"!

    Even if it was Zone Alarm (which I don't know yet) then the people at Zone Alarm are very likely to say "it wasn't us" unless I have concrete information? Especially if it was a stealthy email back to home base without permission!

    This seems to me to be an information loophole which could potentially be used by malicious programmers to enable "stealthy running".

    Without the info I've just got to trust TDS 3 to do its job.

    Regards Jo M
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Re: Port Explorer: Force Process to declare itself

    Sometimes an application with no name will appear because Windows itself reports an invalid (it used to be valid) process ID for a few sockets. This usually occurs on TIME-WAIT status sockets. It isn't really a big concern, if you load up Task Manager or Port Explorer's Process List and see the list of processes you will be able to confirm the PID is nowhere to be seen.
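    The check Jason describes (does the PID Windows reports for a socket still exist in the process list?) can be scripted. The following is an added example, not code from Port Explorer, DiamondCS or anyone in this thread: it parses the Windows `netstat -ano` text format, cross-checks each socket's owning PID against a process table, and separates a stale PID on a TIME_WAIT socket (the benign case described above) from a PID that is missing while the socket is still ESTABLISHED or LISTENING, which is the case that deserves a closer look. The netstat output, addresses and PIDs below are constructed sample data; `collect_live()` is only an assumption about how one would gather real data on a Windows host with `netstat` and `tasklist`.

```python
"""Cross-check socket owner PIDs against the live process list.

Added example, not code from Port Explorer or DiamondCS. Parses the Windows
`netstat -ano` text format and flags sockets whose owning PID is not a running
process. All sample data below is constructed for illustration.
"""
import csv
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `netstat -ano` output (Windows layout). Addresses and
# PIDs are invented; they are not values from the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1069        203.0.113.5:110        ESTABLISHED     1588
  TCP    192.0.2.10:1070        203.0.113.5:110        TIME_WAIT       1069
  TCP    127.0.0.1:1071         127.0.0.1:110          ESTABLISHED     2044
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.0.2.10:1072        198.51.100.7:110       ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    684
"""

# Constructed live process table (PID -> image name). PID 1069 is absent to
# model a process that has exited but is still named by a TIME_WAIT socket;
# PID 3120 is absent while its socket is ESTABLISHED, the suspicious case.
SAMPLE_PROCESSES = {1588: "thunderbird.exe", 2044: "MailWasher.exe",
                    904: "svchost.exe", 684: "lsass.exe"}


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no state column
    pid: int


# Proto, local, foreign, optional state, PID. The state column is absent for UDP.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Return one Socket per data row of `netstat -ano` output; headers are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            sockets.append(Socket(proto, local, remote, state or "", int(pid)))
    return sockets


def audit(sockets: Iterable[Socket], processes: Dict[int, str]) -> List[Tuple[Socket, str]]:
    """Attach a verdict to each socket based on whether its owner PID is alive."""
    results = []
    for s in sockets:
        if s.pid in processes:
            verdict = "known"
        elif s.state == "TIME_WAIT":
            # Windows may keep reporting the old owner PID after the process
            # has exited; for a TIME_WAIT socket that is expected and harmless.
            verdict = "stale_time_wait"
        else:
            # An active socket with no owning process is worth investigating.
            verdict = "unknown_active"
        results.append((s, verdict))
    return results


def collect_live() -> Tuple[List[Socket], Dict[int, str]]:
    """Gather real data on a Windows host (assumed invocation, not exercised here)."""
    if sys.platform != "win32":
        raise RuntimeError("netstat -ano / tasklist parsing is Windows-specific")
    net = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=True).stdout
    procs = {int(row[1]): row[0] for row in csv.reader(tl.splitlines())
             if len(row) >= 2 and row[1].isdigit()}
    return parse_netstat(net), procs


if __name__ == "__main__":
    for sock, verdict in audit(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        name = SAMPLE_PROCESSES.get(sock.pid, "<no such process>")
        print(f"{sock.proto} {sock.local} -> {sock.remote} {sock.state or '-':<12} "
              f"pid={sock.pid} {name}: {verdict}")
```

    Run against the constructed sample, the TIME_WAIT socket owned by the departed PID 1069 is reported as stale and nothing more, while the ESTABLISHED socket to port 110 with no owning process is the one flagged for investigation. Writing down the PID at the moment it is seen, as Andreas suggests below, is what makes the later lookup in Process Guard or Port Explorer logs possible.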
     
  7. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Re: Port Explorer: Force Process to declare itself

    ...and possibly you'll be able to find the PID in your ProcessGuard logfile, so then you'd know what process it was. (possibly you can find it even in Port Explorer's own logs.)

    Andreas
     