Still wondering about PID alerts from Private Firewall

Discussion in 'other firewalls' started by beethoven, May 28, 2011.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    I raised this issue before but did not get any replies. For a while the issue vanished (possibly due to newer build of PW) but recently it has come back.

    I frequently receive FW alerts (as per screenshots) that appear to alert to some potential threat but are devoid of any real information. It does not say which program caused this or which file is suspicious. I googled PID but did not come up with anything useful. Does nobody else get this type of alert? The other irritation is that blocking and ticking "remember" does not seem to have an effect, or maybe the memory is very short. o_O I am fairly sure that this is just noise but obviously don't like to see these when I cannot explain them.
     

    Attached Files:

    • pid.jpg (148 KB)
  2. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Wow! Never seen that one before.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    PID is normally associated with "Program Identifier". In the windows task manager, you can enable the column/view for the application/process PID number. (There are of course 3rd party programs that will show that info)
    If you are creating a rule to block a specific PID, then that will not block the program, as the PID can change between executions.
    I do not remember seeing a PID number with that many digits, that, along with the alert, does make me suspicious.

    I would certainly make scans of the system to check for malware.


    - Stem
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Although I have no idea what is going on, I hope you BLOCKED those puppies.

    I emailed PFW Tech Support to see if they can cast any light. It's Sunday there already, plus Monday is a holiday in the U.S.A. so it might take them a few days to reply.
     
  5. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Thanks Guys - did two full scans and nothing is flagged. Given my surfing habits, the use of sandboxie for most stuff and generally cautious behaviour, I would be surprised if something sneaked through.

    I don't understand how/where to make changes in Task Manager to see the "offending exe" (I also have WinPatrol if that helps), but noticed now that most of the PIDs seem to appear after sending an email. So my feeling is that this is somehow related to my email program (The Bat).
     
  6. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    536
    Location:
    Europa

    Do you use the e-mail anomaly detection option in the advanced settings of Private Firewall?

    If yes, try to disable it for a moment and play with your e-mail client to see if the alerts are still there.

    Rules.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    To see the PID numbers:

    Open Windows Task Manager -> View (top menu) -> Select Columns. In the popup window, enable (check) "PID".

    - Stem
     
  8. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Rules - I don't use email anomaly and don't have it ticked

    Stem - is this function only available in Win 7? I am still using XP and don't see that option
     

  9. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    AFAIK PIDs change on each program start under normal circumstances, which is why your Google results didn't show anything.

    It's odd though that there is no application name being displayed...
    Or maybe it's a bug. The best idea is to get in contact with PF and see what's really going on.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Which version of XP? (home/pro). The option is in XP pro, but may be missing from the home version.
    EDIT: I just noticed you are on the "Applications" tab (in Task Manager). Change to the "Process" tab; you should then be able to select View -> Select Columns

    and/or

    Download Process explorer, it is free, and will show various info, including PID.

    http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    - Stem
     
    Last edited: May 30, 2011
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes. (I mentioned that earlier)
    There is only system idle Process (PID 0) and system (PID 4) that remain the same (well, that I have seen).

    - Stem
     
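    Stem's two points above (a PID is handed out at each program start, so a rule keyed on a bare PID does not stick, and only PID 0 and PID 4 stay fixed) can be combined with one more fact about Windows PIDs (they are 32-bit values and always multiples of 4) into a quick plausibility check for the number an alert shows. The following is an added Python example written for this thread, not Private Firewall's code; the process snapshot and the PIDs in it are constructed, and 1413829458 is the 10-digit value bellgamin later quotes from beethoven's screenshot.

```python
"""Plausibility checks for a PID quoted in a firewall alert.

Added example for this thread, not Private Firewall's own code. Facts used:
a Windows process ID is a 32-bit value and is always a multiple of 4 (PIDs
and thread IDs come from the same handle-table allocator); PID 0 (System
Idle Process) and PID 4 (System) never change; every other PID is handed
out at process start and can be reused by a different program later, so a
rule keyed on a bare PID stops matching the intended program after a restart.
"""
from dataclasses import dataclass, field
from typing import Optional

FIXED_PIDS = {0: "System Idle Process", 4: "System"}
MAX_PID = 0xFFFFFFFF  # largest value a 32-bit DWORD process ID can hold


@dataclass
class PidVerdict:
    pid: int
    plausible: bool           # could this value be a live Windows PID at all?
    running: Optional[bool]   # seen in the process snapshot (None = no snapshot given)
    notes: list = field(default_factory=list)


def check_pid(value, running_pids=None) -> PidVerdict:
    """Classify the PID shown in an alert; running_pids is an optional set of
    PIDs copied from the Task Manager PID column at the time of the alert."""
    notes = []
    try:
        pid = int(str(value).strip())
    except ValueError:
        return PidVerdict(-1, False, None, ["not an integer"])
    if pid < 0 or pid > MAX_PID:
        notes.append("outside the 32-bit range Windows uses for PIDs")
    if pid % 4 != 0:
        notes.append("not a multiple of 4; Windows never assigns such a PID")
    plausible = not notes          # only the structural checks decide this
    if pid in FIXED_PIDS:
        notes.append(f"fixed system PID ({FIXED_PIDS[pid]})")
    running = None
    if running_pids is not None:
        running = pid in running_pids
        if plausible and not running:
            notes.append("not in the process snapshot: already exited, "
                         "or hidden from the snapshot")
    return PidVerdict(pid, plausible, running, notes)


def triage(alert_pids, running_pids=None):
    """Run check_pid over every PID from a batch of alerts."""
    return [check_pid(p, running_pids) for p in alert_pids]


if __name__ == "__main__":
    # Constructed snapshot of a Task Manager PID column (4-digit values, as
    # beethoven reports seeing) plus the two fixed system PIDs.
    snapshot = {0, 4, 928, 1084, 2260, 3100}
    # 1413829458 is the value from the screenshot discussed in this thread;
    # 2260 and 5000 are constructed.
    for v in triage(["1413829458", "2260", "5000"], snapshot):
        print(v.pid, "plausible" if v.plausible else "IMPOSSIBLE",
              "running" if v.running else "not running", "; ".join(v.notes))
```

    Run against the thread's value, the check reports that 1413829458 is not a multiple of 4 and therefore cannot be a process ID the kernel ever assigned, which matches beethoven's observation that nothing in Task Manager corresponds to it; a plausible PID that is simply missing from the snapshot is the more ordinary case of a short-lived process that exited before the snapshot was taken.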
  12. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    PID column is available in WinXP Home Task Manager :thumb:
     
  13. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    thanks guys - silly me :oops: - I have now activated the PID column.
    At present they are all only showing 4 digits - let's see what happens next time I get an alert.
     
  14. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Concerning this issue, PFW's Tech Support has said that they will investigate this issue if you wish. To trigger their investigation -- when these PID alerts (or similar) occur again -- please do this right after PFW pops up the alerts:

    A- Open the PFW GUI (Graphic User Interface)

    B- Click "View" in the upper left side of the margin of the GUI. Doing that will get you a drop-down menu.

    C- On the drop down menu click "Advanced Reports". Doing that will get you a report with several stubs listed in the left-hand column.

    D- At the bottom of the left hand column, you will see "Processes Detected for" 1 hour, 1 day, 1 week. Click to view "Processes Detected for Last 1 Hour".

    E- Make a screen shot of the report "Processes Detected for Last 1 Hour" and post that screen shot in this Wilders thread.

    F- Submit a support ticket to PFW Tech Support using the format HERE.

    F1- In the format's block "Product Name/Version Number" be sure and indicate the version of PFW that you are using. (To see version number, right-click PFW's icon (a policeman) in the system tray of your computer's desktop. A menu will pop up. On that menu, click "About Privatefirewall" & you will see PFW's version number.)

    F2- In the block labeled "Detailed problem description", all you need to do is to reference this Wilders thread as shown below...

    https://www.wilderssecurity.com/showthread.php?t=300203

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    @beethoven: Please be aware that several of us are following this thread -- not merely to help you -- but because we are deeply interested in learning more about this type of issue.

    In other words -- PLEASE do not give up on digging deeper into this matter. You will be doing all of us a favor.
     
  15. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Bellgamin,

    thank you very much for your assistance - I appreciate that and am quite committed to cooperate as much as I can.

    It appears that this type of alert comes on when sending email - however, I still do not see anything in task manager that matches the PID nor does it appear to come up in processes running. The attached screenshot only shows an alert 10 minutes earlier that related to my HP printer - nothing shows for the PID attached just now.
     

  16. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Uninstalled and reinstalled the program - still with the same issues.
    Greg from Private Firewall is looking into it.

    It is strange though that the alerts I get are not captured under Advanced Reports nor do they show up in task manager.
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Reference screenshot of PFW alert in post #15 above --

    The PID in referenced screenshot {PID 1413829458} is 10 digits in length! NONE of the PIDs on my computer is longer than 4 digits. I checked via phone with 4 of my friends. Theirs are all 4 digits or less, also.

    IMO, something really weird is going on in Beethoven's computer.
     
  18. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Beethoven, I would suggest you start scanning with some anti-rootkits. That PID looks very suspicious. It seems to be hidden and PFW is alerting to suspect behavior. Err on the side of caution with this and start scanning with anti-rootkits, MBAM, and the usual online scanners. Hopefully it will turn out to be nothing but at this stage it looks highly suspicious.
     
  19. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Downloaded and installed MBAM - nothing found.
    Re the number of digits in the PID, I agree. In my task manager the processes shown all have 4 digits, the alerts that PFW brings up with info also have 4 digits but the special ones are different and do not show up in reporting.
     
  20. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    536
    Location:
    Europa

    Beethoven, could you please run a scan with gmer anti-rootkit http://www.gmer.net/

    I really think PIDs with more than 4 digits are related to a threat (hidden process or hidden rootkit).

    Info on PID: http://www.linfo.org/pid.html

    Also you can run this MS-DOS command to see active connections; the command name is netstat (run under MS-DOS).

    Rules
     
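    Rules' netstat suggestion is most useful in its `netstat -ano` form, where the last column is the owning PID, and joined against a process listing such as `tasklist /fo csv` so each connection gets an image name; a PID that owns a socket but matches no listed process is exactly the kind of gap this thread is chasing. The following is an added Python example written for this thread, not part of Private Firewall or any tool mentioned here; both command outputs are constructed samples in the real tools' formats (the addresses, PIDs and the thebat.exe entry are made up).

```python
"""Join `netstat -ano` output with `tasklist /fo csv` output to name the
process behind each connection, and flag PIDs that have no matching process.

Added example for this thread, not part of Private Firewall. Both command
outputs below are constructed samples in the real tools' formats; on a live
machine replace them with the captured text of the two commands, run back to
back, because a process that exited between the two snapshots is the most
common benign reason for a mismatch.
"""
import csv
import io

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    192.168.1.10:49321     203.0.113.5:25         ESTABLISHED     2260
  TCP    192.168.1.10:49333     198.51.100.7:443       ESTABLISHED     3100
  UDP    0.0.0.0:500            *:*                                    1084
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"System","4","Services","0","1,056 K"
"svchost.exe","928","Services","0","6,412 K"
"lsass.exe","1084","Services","0","3,988 K"
"thebat.exe","2260","Console","1","45,212 K"
"""


def parse_netstat(text: str):
    """Parse `netstat -ano` lines into dicts. UDP rows carry no State column,
    so the PID is always taken from the last field."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist(text: str) -> dict:
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def join_connections(netstat_text: str, tasklist_text: str):
    """Attach an image name to every connection; None when no process matches."""
    images = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for r in rows:
        r["image"] = images.get(r["pid"])
    return rows


def orphan_pids(rows) -> set:
    """PIDs that own a socket but appear in no process listing."""
    return {r["pid"] for r in rows if r["image"] is None}


if __name__ == "__main__":
    rows = join_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in rows:
        print(f"{r['proto']:3} {r['local']:22} -> {r['remote']:20} "
              f"{r['state']:11} pid={r['pid']} image={r['image']}")
    print("PIDs with no matching process:", sorted(orphan_pids(rows)))
```

    In the constructed sample the SMTP connection on port 25 resolves to thebat.exe, which is the kind of match beethoven would expect for alerts that coincide with sending mail, while PID 3100 owns a connection but is absent from the listing; a mismatch that repeats across several back-to-back snapshots is what justifies the Process Explorer and anti-rootkit checks suggested earlier in the thread.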
  21. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    A new version is out which should address this issue - I will test tonight and then report back :D
     
  22. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Running the new version now for a few days and the strange PID alerts have gone :D - Excellent work
     