ntoskrnl.exe permitted/authorized [hard-coded]

Discussion in 'LnS English Forum' started by Phant0m, Oct 6, 2005.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey

    I remember you, Frederic, stating ntoskrnl.exe is permitted/authorized (allowing all traffic In-&-Out) by default by Look ‘n’ Stop Application Filtering layer, in fact it is hard-coded and doesn’t get logged and no custom controls…

    Will this always be the case?
    :doubt:
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Phant0m,

    No, ntoskrnl.exe is not allowed by default. I think you are referring to "kernel32" which is allowed by default, but this is supposed to apply to Win9x/Me only. I don't remember exactly the purpose of that :doubt:

    Not talking about "kernel32.dll" or "kernel32.exe" (which is a virus), I remember an internal Windows process having simply "kernel32" as a name.

    May I ask why you are asking that, Phant0m?

    Frederic
     
  3. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    What protocols are denied from ntoskrnl.exe?
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Sorry, I don't understand your question since I just said "ntoskrnl.exe" is not blocked by default.
    I don't know if this application is supposed to connect, and if it does, the protocols it will use.

    Frederic
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Frederic

     
    Last edited: Oct 6, 2005
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Any update regarding this topic? :'(
     
  7. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Re: .permitted/authorized [hard-coded]

    As far as I know this is a process used in the boot up cycle standing in the background and not using the network.
    Should not appear in WinTask unless altered by a virus such as w32.bolzano and variants.
    A corrupt boot.ini file or missing boot.ini file would give a message related to this process and prevent booting.

    But I'm also wondering where your question leads to.
     
    Last edited: Oct 22, 2005
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    http://soho.sygate.com/alerts/XP_default_TCP445_open.htm

    Also some software firewalls, it sees and offers controls unlike Look ‘n’ Stop currently, see image attachment…

    As for my question, it is a very appropriate question to ask on the support forum for a firewall product, MickeyTheMan
     

    Last edited: Oct 22, 2005
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    I should have answered: there is no default handling (allowing or blocking) for ntoskrnl.exe.
    But anyway I didn't understand your point.

    Now with your last post I understand ntoskrnl.exe is supposed to connect.
    I don't know the reason why Look 'n' Stop doesn't detect it.

    Frederic
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    No problem Fred, you're very busy, understandable.
    I appreciate the response, thanks, it clears up a lot.
    Hope to see you address this in the near future, thanks.
     