traffic and winlogon.exe

Hi.
I'm using Za Pro 4.5 w/web filtering.
I'm also using Windows XP Home and all the time, za pro block the acces (because I block it) to a aplicattion named winlogon.exe. winlogon try to connect to Internet every 1 hour aprox and also ask me for server rights, I block all type of Internet connections to this file. It's a windows xp file, but why it ask me for internet acces?
Thanks.

 

It's the info from ZA:
Direction: Outgoing (connect)
Type: Porgram access
Rating: Medium
Action taken: Blocked
Destination IP: 200.27.66.77:67
Count:1 (But I've the same alert many times)
Program: Aplicación de inicio de seión de Windows NT (I've windows in spanish)
The location: C:\WINDOWS\system32\winlogon.exe

It's the propiertie of the file:
Languaje: Español (alfabetización internacional)
Name of the product: Sistema operativo Microsoft®
Windows®
Intern name: winlogon
original name: WINLOGON.EXE
Organization: Microsoft Corporation
Version of the file: 5.1.2600.1106 (xpsp1.020828-1920)
Version of the product: 5.1.2600.1106
The size of the file is: 520.192 bytes

PS: I format many times mi computer, however the file is all the time the same, if you want, I can send you the file.

Thanks.

 

Do the log entries indicate the protocol?
Do you know if that particular IP is one of your ISP's DHCP servers?

Regards,

CrazyM

 

Hi,
Not, ZA don't indicate the protocol, the field appear blank.
This IP is from my ISP, but the only that I know is that isn't my 3 DNS servers.
Thanks.

 

Not sure if I am missing the point but doesn't :67 indicate it is BOOTPS/DHCP?

[late edit - Lol, I got sidetracked and LWM beat me to it again!]

 

You are so right. I misread his post to be inquiring after DNS servers and not DHCP. My apologies...

And it is curious about winlogon doing anything with DHCP. I thought that was handled by one of the services.exe processes but maybe it is different on non-2k systems?

 

Hi,
Yes, the IP listed above is the IP of my DHCP server.
What's it?, I block it from access to the Internet, and my connection work OK.
I connect via a cable modem without router, etc.
Thanks.

 

You can add that to the trusted IP's as you did your ISP's DNS servers.

Does your ZA have any specific settings that refer to Bootp/DHCP (UDP ports 67/6?
The traffic being blocked would appear to be associated with this. Bootp/DHCP traffic is used to obtain your IP from your DHCP server.

Regards,

CrazyM

 

Hi,
No, I don't have any rule or setting referred to the DCHP servers.
Other question: Why all the time, I'm receiving differents alert from PC that are in my ISP?, the protocol are the same: UDP and TCP.
Thanks.