SAS Open Ports

Discussion in 'other anti-malware software' started by Rainwalker, Feb 15, 2008.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Long after ( at least 5 minutes ) i receive the update there are still at least four ports established with SAS......this ONLY happens with SAS updates and no others o_O
    Uncomfortable
     
  2. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Which version of SAS? Free or Pro? And how do you check this?
     
  3. SinisterSam

    SinisterSam Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    56
    Location:
    northern hemisphere
    i believe you mean 'active connections' rather than 'open ports'. they should time out and close after a period of inactivity.

    what are you monitoring the connections with? = port explorer?
     
  4. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    I am using paid for version. The ports are not on a Time Wait status as one would expect, but 'Established' and for an inordinate amount of time. This has been the case for many weeks, although it stopped behaving this way after my post.
     
  5. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Just checked using version 4.0.1138 and my database was up to date. The connections all closed down within a few seconds of the answer back from SAS server. Does this occur on yours when you have an update or anytime you check updates. I have mine set to manual updates only.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    If SAS auto updates then fine. If I initiate an update they stay on Established until I close the no update window or until SAS finishes the updating then they stay on Close_Wait forever unless I exit the program. (Nick I've asked about this awhile back)

    Port Explorer 20 mins after an update...
     

    Attached Files:

  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The Close_wait is showing that the program as received a FIN from server (to close connection) but the OS is waiting for the program to actually close its connection (There is no time_out to this that I know of anymore, so it will remain in this state until the actual application closes (or forced to close by user) the connection.

    It would indicate a problem/bug.
     
  8. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    I receive updates manually. Just now i allowed the connection to remain established for a full three minutes before manually closing it. There is no Close_Wait time. Occasionally the connection will behave as it should, but not very often. and again, i have only seen this behavior w/SAS.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Establised connections do have a timeout, but I need to check as there are various. Normally, established connections are terminated by Program/server.

    EDIT:
    Have these problems been reported directly to vendor?
     
    Last edited: Feb 16, 2008
  10. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    OK...
    btw..good morning
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, good morning.

    I will try to find time later to look at this on VM,...

    EDIT:

    I can take an hour now to look at this, I will download the "Free Version" and check the connections/timeouts made,
     
    Last edited: Feb 16, 2008
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I will give Nick a mail @SAS HQ.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Sorry, I cannot check this today,... have been interrupted/called away. I will look at this as soon as I can.

    Regards,
     
  14. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    OK....i have not reported to vendor. I check in here before reporting problems.
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have installed SAS (free version), it did close all connections correctly after the initial update.

    I will leave it installed for a day or 2 to keep a check.

    [It is currently listening on localhost UDP 1077.]
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Just to clarify,

    Was it the main program that kept the connection, or was it the SSUPDATE.exe that is in the temp folders.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    After a re-boot I am now seeing the same as reported.

    The connection is being left active.
    The end of data is acknowledge, but the program is not then sending a ack/rst to close the connection.

    It does need reporting to vendor.
     
  18. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Both
    I saw your post #17 Stem.....for the time being i have dropped the program.......i would think he has seen this thread.
    Thank you for your concern.
     
  19. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Does this also happen with the 3.9 version or is it just the 3.9 version that does this?
     
  20. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    The programs i was using were the last four betas.
     
  21. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    OK, that would be v4 ReleaseCandidates.
    I can't see it in 3.9, but perhaps other users can.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I was looking at the latest (free) release from vendors site. (file version 3.9.0.100:cool:
     
  23. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    I saw the same issues with free version 3.9 and i am thinking the Pro version also.
     
  24. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    WININet (the built-in windows library) that we use to do our Internet transfers is the one leaving those ports "open" - they are doing nothing and cannot harm your system or explose your system to any danger. Windows appear to try and "cache" the port access to they appear to be left open even after our application has properly closed the ports.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Your application is not closing the connections. I have full logs on this.

    First log after manual update. The connections are closed. (duration < 1 sec)
    closed.jpg


    Second log after re-boot. Manual update. The top 3 connections are not closed by your application. The last packets sent are "ack" (duration 6.5 minutes)
    left.jpg

    On each manual update since, the connections are not closed by the application.


    I can post full packet info if required.
     
Loading...
Thread Status:
Not open for further replies.