PE Evaluation 1.8 features, socket kill, et al

Discussion in 'Port Explorer' started by peakaboo, Jan 24, 2004.

Thread Status:
Not open for further replies.
  1. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Great looking and running program unfortunately the one feature I really wanted to test run is not available in the evaluation version.

    kill socket

    oh well :(

    seems like I'm able to get the same result for a TCP connection by killing my local proxy process - using PE

    also nice to see the running processes I have are supposed to be (no hidden trojan servers)

    notice after running for awhile resources get really low - no crashes - Killing PE returned about 20% of resources

    bottom line great looking and functioning program - eval version would be better if kill socket was enabled for eval time period.
     

    Attached Files:

  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Re: PE Evaluation features - socket kill

Glad you like the programme :D

    I have not noticed any issues with resource levels, so it may just apply to the trial version, also the logging settings may alter resources depending on the level of logging one sets.

    The kill socket does work very well in the full version :)

    HTH Pilli
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Re: PE Evaluation features - socket kill

On my system I noticed since installing PE threads and free space were faster regained, my system works faster. Have not been without more than a few moments between versions during beta testing so can't give numbers and % but it was remarkable.
Remember, PE installed on your system is working all time, even if you don't have the GUI up to look at it. So it's the GUI closing which might give you those resources back, but PE runs still fine in the background.

It is nice you can kill individual sockets instead of the whole process, indeed!
     
  4. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
Re: PE Evaluation features - socket kill

    J,

in the trial version, I have to start PE, it does not run as a service, not sure what you mean by PE is working all the time, unless you mean because of the registry changes the system works better. Please explain.

    [hr]


    P,

    Glad to know in full version socket kill works very well. Is there some technical issue with not allowing socket kill on the trial or just plain business decision?

re: resources It's the logging, initially PE starts up very light, I'll try clearing the log next time to see if this helps. & yes the GUI close does give back the resources.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Re: PE Evaluation features - socket kill

    Meaning to say, the *.dll is working all time, even if we don't look at it by opening the GUI.
    You might like to look at your settings in the log and the capture.bin:
I keep the window log and file log both at the lowest value, and the capture.bin too, clean it often to keep it small and you can save it away with another name from inside the PE directory if you really want to keep some data for any reason.
You might like to check if this reduces your resources; you might like to try out checking or unchecking memory reducing, all that kind, to have it optimal.
20% sounds so much, that's why I'm surprised about that value.


Oh and for the options: yes that is a business decision for the evaluation version, in the registered version are no restrictions of the kind and we can kill away whatever we like in sockets and processes, throttle bandwidth and close or kill all sending/receiving etc.
     
  6. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
Re: PE Evaluation features - socket kill

    Thanks got it:

    dcsws2.dll
    sporder.dll

also I guess with the stack alteration (stack change gif) there is also some impact without starting the GUI...

    Final thought some times I get some sticky TCP connects Liquid Web for example, prior to loading PE, so far have not seen this... great result

    also re: socket kill - as much as the sockets jump around under live conditions it appears easier to kill the process for me... , once i kill my proxy I am one left click from starting it again... PE does an excellent kill process from what I have seen, of course w/out the socket kill option on eval I can't really tell for sure ;]
     

    Attached Files:
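The two DLLs named in the post above are the Winsock layer through which Port Explorer 1.8 sees the stack ("stack alteration"), and that same layering mechanism (a Winsock Layered Service Provider, LSP) is also a favourite hiding place for spyware. The following is an added example for this thread, not DiamondCS code: a small audit script that parses a text dump in the layout of `netsh winsock show catalog` and reports every provider DLL that does not live in the system directory and every entry that layers itself over other providers. The catalog text is constructed for the example; the Port Explorer install path and the provider IDs for its entries are made up placeholders, not values from the page or the product.

```python
"""Audit a Winsock catalog dump for third-party layered service providers.

Added example, not Port Explorer's code. The input is a constructed text dump
modelled on the layout of `netsh winsock show catalog`; the Port Explorer
paths and the non-Microsoft provider IDs are placeholders for illustration.
"""

# Constructed sample catalog: one Microsoft base provider, one LSP entry
# (chain length 0) and one chain entry layering that LSP over the base one.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Port Explorer LSP (placeholder entry)
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\PLACEHOLDER_INSTALL_DIR\dcsws2.dll
Catalog Entry ID:                   1010
Version:                            2
Address Family:                     2
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Port Explorer over MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\PLACEHOLDER_INSTALL_DIR\dcsws2.dll
Catalog Entry ID:                   1011
Version:                            2
Address Family:                     2
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2
"""

# Directories a stock Microsoft provider is expected to live in.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_catalog(text):
    """Split the dump into one dict of 'Key: value' fields per catalog entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        if current is None or not line.strip() or line.startswith("---"):
            continue
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            current[key.strip()] = value.strip()
    return entries


def is_system_path(path):
    """True when the provider DLL sits in the Windows system directory."""
    p = path.strip().lower().replace("/", "\\")
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def provider_dlls(entries):
    """Distinct DLL file names in the catalog, for a quick eyeball check."""
    names = {e["Provider Path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
             for e in entries if "Provider Path" in e}
    return sorted(names)


def third_party_providers(entries):
    """(entry id, entry type, path) for every DLL outside the system directory."""
    return [(e["Catalog Entry ID"], e["Entry Type"], e["Provider Path"])
            for e in entries if not is_system_path(e.get("Provider Path", ""))]


def layered_entries(entries):
    """Entries that insert themselves into the stack: an LSP itself has chain
    length 0, a chain over other providers has length > 1; length 1 is a plain
    base provider and is not reported."""
    out = []
    for e in entries:
        length = int(e.get("Protocol Chain Length", "1"))
        if length != 1:
            out.append((e["Catalog Entry ID"], e["Entry Type"], length))
    return out


if __name__ == "__main__":
    cat = parse_catalog(SAMPLE_CATALOG)
    print("provider DLLs:", provider_dlls(cat))
    for entry_id, kind, path in third_party_providers(cat):
        print(f"outside system32: [{entry_id}] {kind}: {path}")
    for entry_id, kind, length in layered_entries(cat):
        print(f"layered: [{entry_id}] {kind} (chain length {length})")
```

On a real machine you would feed the script the saved output of `netsh winsock show catalog` instead of the embedded sample. A provider DLL outside system32 is not proof of anything bad (Port Explorer's own LSP shows up exactly like that), but every such entry should map to software you knowingly installed, and an LSP that survives an uninstall is worth a second look.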

  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Re: PE Evaluation features - socket kill

    You will love spying on the packets; and for licensed users is sloader available enabling you to spy already on processes before they are actually started.

When I want to get quicker through the emails, f.e. I leave the basic process in peace, but other sockets created with opening emails with images and all those call home links I block their send/receive -- nice quick empty emails with just basic text :) imagine if there would be a not patched exploit in the email and at opening it it would start running and doing bad things, block the socket or kill it etc etc.
    See it as an addition on your AT and trojan detection.
     
  8. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
Re: PE Evaluation features - socket kill

    Two more Q's if ya don't mind: well really 1 since I answered my own question while posting this

    1) all my ports are stealth per GRC nanoprobe, but if they weren't how would it look in PE, example I noticed mfreeman on the following thread noted his Port 5000 was open using PE - so under status instead of time_wait or listening it would say open?

    http://www.wilderssecurity.com/showthread.php?t=19474

    nevermind question below:

2) When I uninstall the eval version of PE is it best to have my apps (firewall av browser tcp/ip connection) up to insure no breakage as I have seen some have trouble with or should I shut them down - my guess is it's ok to have firewall and av up but close the rest - when I use add/remove in control panel - <--- wrong see below by Jooske

    PE help uninstall instructions - does not address so maybe it doesn't matter <--- wrong

    + also looks like care has been taken to do a complete wipe of all that was installed - good job

    I really do not want to go thru what Glan went thru, and maybe this was isolated or maybe he had something running while uninstalling

    http://www.wilderssecurity.com/showthread.php?t=17316


    [hr]

    p.s. I tried socket spy last night - very nice

very impressive package
     
  9. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
Re: PE Evaluation features - socket kill

    established = open (correct me if I'm wrong please)

    BTW I have yet to see an established socket.

    I guess that is good :)
     
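The question in the two posts above (how an "open" port looks in a connection viewer, and whether ESTABLISHED means open) comes down to TCP socket states, which is exactly what the Status column in Port Explorer displays. An external scanner's "open" corresponds to a socket in LISTENING: a server waiting for a peer. ESTABLISHED is a connection that has already been accepted and carries traffic, and TIME_WAIT is a connection that has finished and is draining its timer (the "sticky" entries mentioned later in the thread). A firewall that drops probes makes a port look "stealth" from outside, but the local socket still shows LISTENING, because the state belongs to the socket and not to the filter. The following is an added example, not code from Port Explorer or DiamondCS: it parses constructed `netstat -an`-style lines (Windows layout), classifies each row, and performs the "no hidden trojan servers" check by listing listeners that are not on an allowlist you supply.

```python
"""Classify socket states from netstat-style output and flag unexpected listeners.

Added example for this thread, not DiamondCS code. The sample below is
constructed in the layout of `netstat -an` on Windows; the addresses use the
documentation ranges (192.168.x, 198.51.100.x, 203.0.113.x).
"""
import re
from collections import Counter

# Constructed sample in `netstat -an` layout: proto, local, foreign, state.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1057      203.0.113.20:80        ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.7:80        TIME_WAIT
  TCP    192.168.1.10:1061      203.0.113.44:443       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# What each TCP state means to someone reviewing the list.
TCP_MEANING = {
    "LISTENING": "open port",         # waiting for inbound connections
    "ESTABLISHED": "live connection", # handshake done, data can flow
    "TIME_WAIT": "closing (stale)",   # already closed, timer draining
    "CLOSE_WAIT": "closing (stale)",  # peer closed, local app has not
    "SYN_SENT": "connecting",         # outbound attempt in progress
}


def parse_netstat(text):
    """Turn netstat lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        host, _, port = local.rpartition(":")
        rows.append({"proto": proto, "local_host": host, "local_port": int(port),
                     "foreign": foreign, "state": state or ""})
    return rows


def classify(row):
    """Map a row to the defender's view of it."""
    if row["proto"] == "UDP":
        return "open port"   # UDP has no handshake; a bound socket accepts datagrams
    return TCP_MEANING.get(row["state"], "other")


def exposure(host):
    """Who can reach a listening socket bound to this address."""
    if host in ("0.0.0.0", "::", "*"):
        return "all interfaces"
    if host.startswith("127.") or host == "::1":
        return "loopback only"
    return "single interface"


def state_counts(rows):
    """How many rows fall into each class (e.g. how many open ports)."""
    return Counter(classify(r) for r in rows)


def unexpected_listeners(rows, allowed_ports):
    """Open ports not on the allowlist: (proto, port, bind address, exposure)."""
    found = [(r["proto"], r["local_port"], r["local_host"], exposure(r["local_host"]))
             for r in rows
             if classify(r) == "open port" and r["local_port"] not in allowed_ports]
    return sorted(found)


def stale_connections(rows):
    """Connections that have finished but still occupy the table: (port, peer, state)."""
    return [(r["local_port"], r["foreign"], r["state"])
            for r in rows if classify(r) == "closing (stale)"]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(dict(state_counts(rows)))
    for proto, port, host, reach in unexpected_listeners(rows, {135, 137, 8080}):
        print(f"unexpected listener: {proto} {host}:{port} ({reach})")
    for port, peer, state in stale_connections(rows):
        print(f"stale: local port {port} to {peer} in {state}")
```

The allowlist in the usage call stands in for the services you know you run; anything else that shows up as an open port, especially bound to all interfaces, is the thing worth chasing down, and the stale list is the set of entries that a "kill socket" or the normal TIME_WAIT timeout will clear.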
  10. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    PE eval 1.8, I de-installed today.

    De-install went well. I used combination of Ctrl+Alt+Del & SSM terminate process to insure nothing (except bare minimum) was running before I de-installed.

    Really enjoyed the PE test drive. :)

    Several observations in addition to those posted already follow:

    PE Positive impact on my pc:

    1) I noticed for some reason that my firewall took less hits while PE was loaded. I'll check tomorrow to get more accurate info but looks like the hits were cut in half

    TCP in blocked today 66
    ICMP in blocked today 6

    2) TCP sticks lessened to virtually nil - this is what I call it when occasionally I have left a web page and the IP Address still shows either listening or time_wait and does not drop off as a dead socket.

    3) re: kill socket - I played around yesterday with a live connection and now I see how the socket kill can be very effective. Noticed once a socket is selected using right mouse one can kill the socket or other since no matter how much the socket jumped around, the socket stayed selected - so kill socket looks to be very effective even when things are jumping - very cool :cool:

    also as noted in a previous post kill process worked for me very effectively on TCP sticks for the PE trial version since kill socket not enabled for trial.

    PE Not so Positive Impact on my pc:

    1) Java stream applet which I run often appeared negatively impacted, causing 100% CPU utilization and sticking there no matter what I tried - no crash but just don't like to run at that level (using Sun JRE)

    2) Noticed Java stream took a long time to refresh upwards of 30 seconds for stream to come back live.

    I de-installed mainly because of these two negative impacts. I may try PE again with a >1.8 version when available.

    Your experience may differ so try it - quality program with some great features.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for your analysis peakaboo, I'm sure DCS will take your comments on board :)
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Peakaboo, I don't see how Port Explorer can be related to any Java-related issues on your system? PE has nothing to do with Java. Can you please submit that Java file to me at wayne at diamondcs.com.au and I'll have a look at it anyway, thanks!
     
  13. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    as promised this is what I noticed today with PE de-installed:

    under roughly the same conditions I noticed an increase in my firewall activity as follows:

    TCP in blocked today 96
    UDP data grams in blocked today 40 (doom worm impact today but not yesterday?)
    ICMP in blocked today 13

    also:

    on the java stream CPU stick - not an issue, did not occur with PE de-installed

    also refresh on java stream was not delayed

    [hr]

    Wayne I'll pm you and provide the info.
     