ntoskrnl.exe permitted/authorized [hard-coded]

Discussion in 'LnS English Forum' started by Phant0m, Oct 6, 2005.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    Hey

    I remember you, Frederic, stating ntoskrnl.exe is permitted/authorized (allowing all traffic In-&-Out) by default by the Look ‘n’ Stop Application Filtering layer; in fact it is hard-coded, doesn’t get logged and has no custom controls…

    Will this always be the case?
    :doubt:
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Phant0m,

    No, ntoskrnl.exe is not allowed by default. I think you are referring to "kernel32" which is allowed by default, but this is supposed to apply to Win9x/Me only. I don't remember exactly the purpose of that :doubt:

    Not talking about "kernel32.dll" or "kernel32.exe" (which is a virus); I remember an internal Windows process having simply "kernel32" as a name.

    May I ask why you are asking that, Phant0m?

    Frederic
     
  3. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    What protocols are denied from ntoskrnl.exe?
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Sorry, I don't understand your question since I just said "ntoskrnl.exe" is not blocked by default.
    I don't know if this application is supposed to connect, and if it does, the protocols it will use.

    Frederic
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    Frederic

     
    Last edited: Oct 6, 2005
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    Any update regarding this topic? :'(
     
  7. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    Re: .permitted/authorized [hard-coded]

    As far as I know this is a process used in the boot-up cycle, standing in the background and not using the network.
    Should not appear in WinTask unless altered by a virus such as w32.bolzano and variants.
    A corrupt boot.ini file or missing boot.ini file would give a message related to this process and prevent booting.

    But I'm also wondering where your question leads to
     
    Last edited: Oct 22, 2005
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    http://soho.sygate.com/alerts/XP_default_TCP445_open.htm

    Also, some software firewalls see it and offer controls, unlike Look ‘n’ Stop currently; see image attachment…

    As for my question, it is a very appropriate question to ask on the support forum for a firewall product, MickeyTheMan
     

    Last edited: Oct 22, 2005
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    I should have answered: there is no default handling (allowing or blocking) for ntoskrnl.exe.
    But anyway I didn't understand your point.

    Now with your last post I understand ntoskrnl.exe is supposed to connect.
    I don't know the reason why Look 'n' Stop doesn't detect it.

    Frederic
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,721
    Location:
    Canada
    No problem Fred, you're very busy, understandable.
    I appreciate the response, thanks, it clears up a lot.
    Hope to see you address this in the near future, thanks.
     