System 32 accessing the internet??

Discussion in 'other firewalls' started by ghodgson, Feb 1, 2004.

Thread Status:
Not open for further replies.
  1. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    o_O Dear All at Wilders,
    I have Win XP running, and I am a little puzzled because my firewall reports that Sys 32 svchost.exe, sys32.Isass.exe and alg.exe are connecting to the internet. Could someone enlighten me: is this usual?? Or is something going on here I don't know about?
    Thanks Gordon
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi Gordon,

    Welcome to Wilders Security! :)

    Actually yes, that can be totally normal. By default, XP has a lot of processes that will either access out to the Internet or listen for connections coming in from the Internet. Most personal firewalls installed on an XP system that has not been adjusted (at all) from its original installation, will give out a number of such alerts.

    Now, it is possible to tweak different settings on the system so that much less will connect out or listen for incoming stuff, but it takes a little effort to make these adjustments. On my XP system, of the items you listed, the only one I have to allow is svchost.exe, and in its case, I only need to let it access outward.

    The other programs have been disabled by various tweaks I've applied over time as I secured my system more and more.

    If you want to provide more facts, such as what firewall you are using and exactly what each alert says, people here can advise you as to adjustments you could make to better secure things, or at the least quiet the alerts so they don't disturb you.
     
  3. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    :)
    Dear Administrator, Many thanks for your reply, I feel much happier now and will adjust my firewall according to what you suggest.
    I am happy tweaking my firewall, which came pre-installed on my system, dare I say it!!--- Norton Internet Security with Antivirus programme. [After having read some of your members' reports on this] but I have to say it has worked well for me so far.
    Thanks again Gordon
    PS. Could I also say that I also run Ad aware 6, Spybot S+D, spyware blaster and spyware guard, and I would like to thank all those involved in the development of these excellent programmes.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Gordon

    With NIS are you actually being prompted for rules for these?
    Or are you just seeing something like the following in the firewall log:
    "An instance of "C:\WINNT\system32\svchost.exe" is preparing to access the Internet for the first time"
    "An instance of "C:\WINNT\system32\lsass.exe" is preparing to access the Internet for the first time"

    Regards,

    CrazyM
     
  5. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    :)
    Dear Crazy M,
    Thanks for your reply.
    Yes, it is the latter, from the log file...
    "an instance of svchost [or whatever] is about to access the internet for the first time".
    Thanks Gordon
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Gordon

    These log entries in NIS can mean a couple of different things.
    - Something is accessing the network/Internet and establishing an outbound connection.
    - Something is accessing the network/Internet and listening for connections.
    - ...or both.

    In either case, rules would have to be in place before any communication is permitted.

    In the case of svchost.exe, your System/General rules would already be allowing most communication it would be doing.

    lsass.exe would be an example of a running application/service listening for connections on a specific port. As noted above, even though it is listening, you would have to have a rule permitting any inbound connections and NIS would prompt for any outbound connection attempts (unless NIS has automatic rules and that feature is enabled – which it is by default).

    Regards,

    CrazyM
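
The difference between a process that only listens and one that establishes an outbound connection can be checked outside the firewall log. The following Python script is an added example, not part of the thread. It classifies each socket in `netstat -ano` output by owning process; the netstat text, the PID-to-image map and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1820
  TCP    192.168.0.10:1045      203.0.113.5:80         ESTABLISHED     1012
  TCP    192.168.0.10:135       192.168.0.22:3301      ESTABLISHED     884
  UDP    0.0.0.0:500            *:*                                    716
"""
# Constructed PID-to-image map, as `tasklist` would report it.
PID_TO_IMAGE = {884: "svchost.exe", 1012: "svchost.exe",
                716: "lsass.exe", 1820: "alg.exe"}

def parse(netstat_text):
    """Yield (proto, local_host, local_port, remote, state, pid) per socket."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        host, _, port = parts[1].rpartition(":")
        # UDP rows have no State column; a bound UDP socket is just waiting.
        state = parts[3] if parts[0] == "TCP" else "LISTENING"
        yield parts[0], host, int(port), parts[2], state, int(parts[-1])

def classify(netstat_text, pid_to_image):
    """Group sockets per image into listening / outbound / inbound."""
    rows = list(parse(netstat_text))
    listening = {(r[0], r[2], r[5]) for r in rows if r[4] == "LISTENING"}
    out = defaultdict(lambda: {"listening": [], "outbound": [], "inbound": []})
    for proto, host, port, remote, state, pid in rows:
        image = pid_to_image.get(pid, "pid %d" % pid)
        if state == "LISTENING":
            scope = "loopback" if host.startswith("127.") else "network"
            out[image]["listening"].append((proto, port, scope))
        elif state == "ESTABLISHED":
            # A connection on a port this PID listens on was accepted, not made.
            kind = "inbound" if (proto, port, pid) in listening else "outbound"
            out[image][kind].append((proto, remote))
    return dict(out)

if __name__ == "__main__":
    for image, socks in sorted(classify(NETSTAT, PID_TO_IMAGE).items()):
        print(image, socks)
```

A process that shows only `listening` entries needs no outbound rule, and a `loopback` listener is not reachable from other machines.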
     
  7. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Dear Crazy M,
    Thanks again for your reply. I changed auto rules for NIS some time ago and only I can configure rules now. I have completely blocked internet access for Isass.exe [in and out], and everything seems fine, and I only allow outbound connections for alg.exe and svchost.exe. Am I mistaken here??
    Thanks Gordon
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    That should be fine as long as logging is enabled to keep you informed of any activity. In my normal use, I have not experienced lsass trying to do anything other than listen. An alternative would be to change the IPSec Policy Agent Service to manual or disabled and that should stop lsass from establishing a listening connection.

    Not using XP here, so not much experience with alg.exe, how often and what type of connections is it wanting to make?

    You should not require rules for svchost.exe, as most of those communications should be covered by your default System/General rules.

    Regards,

    CrazyM
     
  9. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Dear CM, Well, it appears alg.exe is MICROSOFT APPLICATION LAYER GATEWAY SERVICE [whatever that is], and that it seems to listen only, and my firewall log suggests it only makes one attempt per dial-up session. Things have got a little more intriguing, as I recently downloaded some critical security updates from MS and I see some changes. svchost.exe has reconfigured itself; my FW log states "rule was automatically created using pre configured rule", which I imagine was something to do with the updates. Best left well alone, I think!
    There is also a new Internet-enabled program that has appeared called "Microsoft VM Command line interpreter", for which I have asked to be notified by NIS when it tries to access the net.
    Curiouser and curiouser!
    Cheers Gordon
     