Firewall Messages
-
How do you decrypt meaningless firewall messages? I'm getting a ton of them today with informative content like "LSASS.EXE is attempting to access the DNS Server at xxx.xxx.xxx.x using port 53. Do you want to allow this program to access the network?" When I search for LSASS.EXE in the running tasks window, there are a dozen entries, each doing different inadequately-explained things. How do you interpret this stuff? Most of the active processes are talking to my machine locally, either from the public IP address to 0.0.0.0 or the loopback at 127.0.0.1, or the opposite direction, and so I let them chat with each other. The only ones I feel leery of are those that are talking to remote IP addresses, and they're scary enough. A few are obviously okay - if Trillian is running it needs to phone home; same with Sonork, but others are just plain mysterious. What do you block, and what pattern do you look for to give you a hint that something unpleasant is going on? Is there a website that details all the processes normally running on Win2K Server?
"Your village called - They're missing their idiot."
-
Here's some information: http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/
-- I'm your turbo lover. Better run for cover!
-
Here is another: Windows Task List Programs
Steve
-
Interesting product! :-D
"Your village called - They're missing their idiot."
-
What a handy site! I've bookmarked it for future reference. It's amazing to see what's really running here, such as multiple services I didn't know about in IIS, LDAP is in several processes, and some ancient TCP/IP services (ECHO, Quote of the Day, etc.) are constantly on, though there's no indication that they've ever been used. This site provides great info! Thanks... :-D
"Your village called - They're missing their idiot."
-
When you know a program is supposed to be accessing your ISP's DNS server or whatever then all is well. But remember to check the path of the program. A trick sometimes used is to copy the name of a known exe and run it from another place or even spell it wrong in a way you don't immediately notice. Even something as simple as DNS can lead to problems. Make sure your computer is only receiving DNS from your ISP's legitimate DNS server(s). That is easy to set up on most software firewalls, especially if it features a learning or "ask first" mode. I would put money on a new Windows DNS-related exploit emerging in the near future :suss: :)