Unknown download activity in background - how to determine what it is?

Discussion in 'Virus Information' started by Doc, Jul 28, 2007.

  1. BoaterDave Guest

    Had you intended to comment, Peter?

    Nothing seen here.

    BD

    ******************************
     
    BoaterDave, Jul 29, 2007
    #21

  2. John John Guest

    Regardless of what you might think I am no slouch at computers and I
    don't use Adware! Did you know that some of the new Sysinternal
    (Microsoft) utilities call home without your knowledge? Did you know
    that these Sysinternal utilities do not tell you that they call home and
    that they provide no inbuilt mechanism to stop this behaviour? Do you
    agree that those applications, amongst others, should be calling home
    without the user's knowledge? Do you agree that users should have no
    easy method to detect and stop these unwanted connections? By the
    contents of your posts I would say obviously not! There are many other
    legitimate applications that call home for no valid reasons, when you
    install these application they don't always tell you that they will be
    calling home and they don't always make it easy to find that out or to
    disable "call home" features. I am sure you didn't know of the
    Sysinternal utilities calling home and I am sure that you are not in
    charge of your computer as much as you think that you are! But then you
    don't think that users should have a way of being made aware or of
    stopping those outbound connections so who cares about "being in charge"
    of their computers?

    Marketing hype? It appears that you are the one blinded by marketing
    hype! Microsoft marketing hype! The misinformation published in one of
    the Microsoft articles provided by another poster makes it clear that
    Microsoft and its shills are on a mission to discredit all firewalls
    that monitor outbound connections and to insist that the Microsoft
    firewall is somehow or other superior to all others. Quite amusing when
    it's coming from an outfit that until a few years ago didn't even know
    what a firewall was! As for your comments of "waste of resources" it is
    laughable to say the least. In this day and age of fast processors and
    large amounts of RAM this is a non issue. Also, the firewall will be
    using resources just to do its basic job of keeping intruders out, the
    little extra needed to monitor outbound connections is negligible.

    Let's get one thing perfectly clear here, I am not claiming, nor have I
    ever claimed that outbound connection monitoring was an effective method
    of dealing with all sorts of malware. I am simply saying that outbound
    monitoring is a useful tool that can alert you to some not so clever
    malware trying to call home and that it can alert you that something
    like your printer software, or Microsoft components might be trying to
    access the internet for no good reason at all. But then it appears that
    you think that users shouldn't know that these things are calling home.
    Neither you, nor Microsoft, nor anyone else will ever convince me that
    outbound connection monitoring is not a useful feature. Period!

    John
     
    John John, Jul 29, 2007
    #22

  3. John John Guest

    I never said that and don't attribute things that I have not said to me!
    Reread my post!

    I quoted this from the article:

    "Speaking of host firewalls, why is there so much noise about outbound
    filtering? Think for a moment about how ordinary users would interact
    with a piece of software that bugged them every time a program on their
    computer wanted to communicate with the Internet..."

    And I said that (quoted material) was baloney! A firewall monitoring
    outbound connections will ask you if you want to permanently allow or
    disallow the connection, you will not be "...bugged them every time a
    program on their computer wanted to communicate with the Internet...".
    That is false information in the article, and for some reason or other
    and for sometime now Microsoft has been trying to discredit *all*
    firewalls except its own. What is it that Microsoft is hiding? Why are
    they so adamant that users not be aware of outgoing connections on their
    computers?

    John
     
    John John, Jul 29, 2007
    #23
  4. Which Sysinternals apps call home?
     
    Gary S. Terhune, Jul 29, 2007
    #24
  5. Kerry Brown Guest


    That may have been what you intended to say but here is the relevant
    snippet from your post:

    --------------------------------------
    "> and scroll down to:
    That article itself is baloney. It is true that any malware can
    circumvent a firewall's outbound protection but it is also true that a
    lot of malware is detected by firewall outbound monitoring. The
    outbound monitoring also alerts you when otherwise legitimate software
    is trying to call home. Perhaps you like it better when things like
    Media player call home without your knowledge, a pesky annoyance that
    you should be aware of things like that."
    -----------------------------------------

    It sure sounds to me like you are calling the whole article baloney.

    I don't presume to speak for Microsoft but personally I'm not hiding
    anything. Software firewalls are a useful part of a layered security setup.
    They can't be relied upon to protect you from malicious outbound traffic.
    Anybody who says they can and tries to sell this to you is deceiving you.
    They are selling snake oil. Software firewalls became popular because the
    current versions of Windows at the time didn't have any firewall. When XP
    came out with a firewall the vendors realized that they had to give people a
    reason to keep buying their product. This is when they started pushing the
    outbound monitoring features. Software firewalls can, and most do, give you
    a level of protection against inbound attacks from unsolicited traffic. That
    is all they are good for as a defense against malware. Even that can't be
    relied on if something does get inside the security perimeter. Once your
    security has been breached you can no longer trust anything running on the
    computer. Monitoring outbound traffic does have its uses. One is as you say
    to stop legitimate programs from making outbound connections that you don't
    want. I don't know why Microsoft didn't include outbound monitoring in the
    XP firewall. Personally I don't care as I believe it to be of limited use
    anyway. Outbound monitoring is included in the Vista firewall and many other
    Microsoft products like ISA server.

    This is obviously something I'm passionate about :) Don't take it as
    personal attack. Whenever I see a post espousing the usefulness of software
    firewalls I am compelled to point out the fallacy of this approach to
    security.
     
    Kerry Brown, Jul 29, 2007
    #25
  6. You mean it contacts crl.microsoft.com? Uhhhhh.. big deal....
    Why are you running utilities from a company you don't trust? In fact,
    with your obvious hostility towards MS, why are you running windows in
    the first place?
    Any program you didn't code yourself is going to do a lot of things
    without asking you for permission.

    Legitimate programs for obvious reasons don't need to be controlled.

    Furthermore, an outbound control measure is not going to indicate in
    any way if what it's doing is good or bad. You just have a
    preconceived opinion about it being bad (which just proves that you
    are running software you don't trust).

    or they just know their own OS well enough to realize that host-based
    outbound control as a security measure against malware is a lost
    battle.
    In some areas it is.

    Do you realize the number of kernel hooks necessary to accomplish such
    a task? And still it isn't even close to being reliable.

    You probably also never considered the increase in attack vectors
    introduced by PFW's.
     
    Straight Talk, Jul 29, 2007
    #26
  7. Andy Walker Guest

    Here is the help description from netstat:

    -b Displays the executable involved in creating each connection or
    listening port. In some cases well-known executables host
    multiple independent components, and in these cases the
    sequence of components involved in creating the connection
    or listening port is displayed. In this case the executable
    name is in [] at the bottom, on top is the component it called,
    and so forth until TCP/IP was reached. Note that this option
    can be time-consuming and will fail unless you have sufficient

    You can use an alternative method through the use of the -o switch.

    -o Displays the owning process ID associated with each connection.

    In order to determine the process name you can run task manager
    (ctrl-alt-del), select view/select columns and add Process Identifier.
    This will allow you to match the process ID output from the netstat
    command with a process name.
    Older versions of the netstat command did not include the -b switch.
    See the -o info above.
    It is the "more" command used to read the file "netstat.txt" created
    when you used the ">" pipe command. Using more allows you to see the
    entire file one page at a time. You could also use a text reader like
    notepad or to stay in the DOS window try "edit netstat.txt".
     
    Andy Walker, Jul 29, 2007
    #27
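    The PID matching described in the post above can be scripted instead of done by hand in Task Manager. The following is an added example, not code posted by anyone in this thread: it parses the output of `netstat -ano` (the -o switch) and joins each connection's owning PID to an image name taken from `tasklist /fo csv`, then lists only connections to addresses outside the machine, grouped by process, which is roughly the view `netstat -b` gives. Both command outputs are constructed samples embedded in the script so it runs offline; the IP addresses, PIDs and process names in them are invented.

```python
"""Join `netstat -ano` connections to process names from `tasklist /fo csv`.

Added example (not from the thread). The two sample outputs below are
constructed; on a real machine you would feed in the output of
`netstat -ano` and `tasklist /fo csv` instead.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (addresses and PIDs invented).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1034         127.0.0.1:1035         ESTABLISHED     3120
  TCP    192.168.1.5:1402       203.0.113.20:80        ESTABLISHED     2248
  TCP    192.168.1.5:1403       203.0.113.20:80        ESTABLISHED     2248
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:500            *:*                                    684
"""

# Constructed sample of `tasklist /fo csv` output (process names invented).
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Console","0","4,552 K"
"lsass.exe","684","Console","0","1,200 K"
"updater.exe","2248","Console","0","9,800 K"
"localproxy.exe","3120","Console","0","3,100 K"
'''

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Endpoints that never leave the machine (loopback, unspecified, wildcard).
LOCAL_HOSTS = ("0.0.0.0", "*", "[::]", "[::1]")


def parse_netstat(text):
    """Return one dict per connection line with its owning PID as an int."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, column header and blank lines
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def is_remote(addr):
    """True when the foreign endpoint is outside this machine.

    Connections to 127.x.x.x (the loopback address the thread mentions) stay
    on the host, so they are not counted as outbound activity here.
    """
    host = addr.rsplit(":", 1)[0]
    return host not in LOCAL_HOSTS and not host.startswith("127.")


def remote_connections_by_process(netstat_text, tasklist_text):
    """Group connections to remote endpoints by the owning process name."""
    names = parse_tasklist(tasklist_text)
    grouped = defaultdict(list)
    for row in parse_netstat(netstat_text):
        if not is_remote(row["foreign"]):
            continue
        name = names.get(row["pid"], "<unknown pid %d>" % row["pid"])
        grouped[name].append((row["proto"], row["foreign"], row["state"]))
    return dict(grouped)


if __name__ == "__main__":
    report = remote_connections_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for name, conns in report.items():
        print(name)
        for proto, foreign, state in conns:
            print("   %-4s %-22s %s" % (proto, foreign, state))
```

    A PID that appears in netstat but not in tasklist shows up as `<unknown pid N>`; that happens when a short-lived process exits between the two commands, so run them back to back and repeat if a PID is missing.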
  8. John John Guest

    Click on the help menu and you will find out.

    John
     
    John John, Jul 29, 2007
    #28
  9. John John Guest

    If you know how to internally stop the Sysinternal Help utilities from
    calling home please post your findings here. I would also like to hear
    your advice and solutions as to port monitoring and outbound traffic
    in general on Windows operating systems. Should users follow your
    advice and ignore all outbound traffic? Should outbound traffic be
    allowed to outside networks or should it be limited to the local network?

    John
     
    John John, Jul 30, 2007
    #29
  10. Kayman Guest

    Never thought you were incompetent. I just provided useful information for
    your kind consideration.
    The ones I use don't call. If I'd feel comfortable with an apps. I wouldn't
    mind.
    Define unwanted; Only install apps. you are comfortable with.
    Far from it, that's what you're assuming, that's it. Read on the line, not
    in between.
    I know, but then again I don't download junk - not even legitimate junk. But
    wouldn't mind a 'home call' from an apps. I am comfortable with.
    Which Sysinternals apps. call home?
    Naw, you don't know what I am thinking, never mind about that.
    If you are not comfortable with this apps. then uninstall and go for an
    alternative.
    It explains how things are in reality. The write-ups are educational and
    non-binding. The authors have considerable credentials. Where are yours?
    And where are the representatives with their credentials of PFW's refuting
    the published arguments? Are you one of them?
    They don't claim superiority, just reality.
    You do underestimate M/S. (Or is it sarcasm?).
    A waste of resources in terms of manpower, spending time on a useless
    (outbound filtering) feature. (Sorry for confusion).
    Alright then; Good luck :)
     
    Kayman, Jul 30, 2007
    #30
  11. What "help menu"? Hey, I just asked a question and I really want to know the
    answer. Which Sysinternal apps call home? I presume you know of at least
    some, or you wouldn't have made that statement.
     
    Gary S. Terhune, Jul 30, 2007
    #31
  12. John John Guest

    Process Explorer and Autoruns are two that do.

    John
     
    John John, Jul 30, 2007
    #32
  13. It's not the app itself "phoning home". Clearing the
    CodeBaseSearchPath key in the registry (Internet Settings) probably
    does the job. But maybe it's not such a good idea after all.

    Anyway, if you had taken the time to packet sniff the "phoning home"
    instead of letting your PFW drive you paranoid, you would probably
    have realized that it's no big deal and that this big scary MS thingy
    isn't really spying on you.
    App's like CurrPorts and WireShark come to mind.
    Users should think twice before installing all kinds of stuff. And
    they should not let PFW's drive them paranoid. Problem is, neither the
    PFW nor the user understands what's happening. I've seen users freak
    out about app's "phoning home" to IP address 127.0.0.1
    That's for the person in charge of the local network to decide.
    However, there won't be much inter netting without allowing outbound
    traffic.
     
    Straight Talk, Jul 30, 2007
    #33
  14. John John Guest

    Yes it is. If you use the help utility it calls an Akamai server. I
    know why it's doing it and I am not saying that it is necessarily good
    or bad. The example was used to demonstrate that there *are* things
    making outbound connections without users being aware. If the
    applications that we think of as "tame" are doing it you can be sure
    that other not so tame applications may also be doing it.

    Once again, I know what it is doing and I am not saying that anyone is
    spying, that is not the point. The point is that Microsoft and many
    others are consistently saying that monitoring outbound connection is a
    useless firewall feature for *any* reason. I disagree with that. All
    good firewalls have outbound connection monitoring available, the
    Microsoft XP firewall doesn't. When users made mention of this, or if
    they asked why it wasn't available, the response from Microsoft and its
    fans was to embark on a campaign of discrediting all firewalls that do
    outbound monitoring and to claim the feature as absolutely useless.
    When that tactic failed they then decided that anyone who even suggests
    that the firewall should do outbound monitoring should be immediately
    clobbered, it may keep some people quiet but it won't keep me quiet.
    Microsoft customers spoke and asked a valid question. Instead of
    Microsoft saying something as simple as: "We have received requests for
    this feature and are investigating the possibility of including it in a
    future update", they decided that it was best to kill the messengers
    and to proclaim their firewall as superior to all others.

    Brilliant. Give that to novice users. Instead of having the firewall
    do what firewalls usually do have the users dig about and find utilities
    on their own to do the job! And for your information you don't have to
    go out of the Microsoft stable to find port monitoring tools.

    More BS. There are all kinds of computer users and computer users do
    all kinds of things. Good firewalls know what is going on and most
    seasoned users know what the loopback address is. The simple fact that
    the extra ability to detect outbound connections can be a useful
    firewall feature is something that guys like you are insisting on
    denying. You are on a campaign to discredit this as a useful feature,
    but you offer no simple, easy way or alternative for users to even have
    basic outbound connection monitoring.


    No there won't be. But that doesn't mean that everything installed on a
    computer should be calling out and it doesn't mean that firewalls that
    help identifying those "call home" utilities are bad, useless firewalls!
    If that is the case then why would Microsoft include such a useless
    feature in its newest flagship operating system? And then insist that
    it is useless for XP users?

    John
     
    John John, Jul 30, 2007
    #34
  15. John John Guest

    To tell you the truth, Kerry, when a published article from a supposedly
    authoritative source contains even only one such blatant outright lie as
    the one in the above mentioned article, it casts doubts on the whole
    article, one cannot rely on anything said in the article because it is
    extremely prejudiced and tarnished by some of the false information it
    contains. Serious publishers, researchers or technical writers would
    automatically correct the false information or pull such flawed
    articles. You won't see companies like Intel publishing seriously
    tarnished articles like the one above.

    As for "espousing the usefulness of software firewalls", if they are so
    useless why did Microsoft include one in XP SP2? I whole heartedly
    agree with you that some firewall vendors are making exaggerated claims
    in an attempt to sell their products and that some of the firewalls
    offered by some companies are crappy products, Microsoft too at times
    makes exaggerated claims to sell its products. But long before Windows
    XP and Windows 2000 even came out, many users were using firewalls,
    several *very* good, free personal firewalls were available and were
    being used to protect computers from outside attacks.

    Microsoft invented nothing new with its firewall. Companies like Kerio
    and Sygate made good free firewalls long before Microsoft decided that
    it could no longer ship its operating systems without basic firewall
    protection, some companies still make good free firewalls. That there
    are shoddy products out there is a fact, but outbound traffic detection
    has *always* been one of the tasks that any good firewall does and there
    is no reason to label all firewalls that do this as *useless* products
    and there are even fewer reasons to label such a feature as a *useless*
    feature. Firewalls do not only deal with malware, they deal with *all*
    traffic, inbound and outbound, and with *all* applications. If the
    firewall doesn't do outbound monitoring then novice users are left on
    their own to try and detect these things, with outbound connection
    monitoring even advanced experienced users are sometimes surprised to
    find out that certain applications are trying to establish outbound
    connections.

    Sure, there are all kinds of malware that can circumvent this
    monitoring, things like rootkits and what not can easily get around
    firewalls. That is beside the point, firewalls are not and were never
    meant to be used as virus or rootkit detectors, you need special tools
    to detect and deal with those insidious pests. Anti virus software
    cannot detect all or some of those pests and that is what they are
    supposed to do. Should we tar all AV software as useless because they
    can't detect rootkits? Strange that most persons would say no but that
    they would then insist that firewalls that monitor outbound traffic are
    devilishly bad because they can't detect those same rootkits or pests.

    I understand that you are passionate on this subject and I don't take
    your posts and comments as personal attacks. I hope that you don't take
    mine as personal attacks against you or anyone else. I too am
    passionate on the issue and I don't like it when good products are all
    tarred at the same time with a wide brush. I am also passionate when I
    read posts saying that outbound traffic monitoring is completely useless
    or that it is completely unnecessary because users should not be
    concerned about outbound traffic on their computers, the logic being
    that only sloppy uninformed users have applications that call home, or
    that you should not be concerned about legitimate applications that
    might be calling home even if they have absolutely no valid reason to do
    so. I am somewhat vindicated by the fact that Microsoft thought that
    this feature was useful enough to be included in its Vista firewall.

    John
     
    John John, Jul 30, 2007
    #35
  16. Thank you. Strangely enough, when I tried Help on those two apps, the pages
    all failed to load. Go figure.
     
    Gary S. Terhune, Jul 30, 2007
    #36
  17. John John Guest

    The Autoruns 8.52 that I have here wants to connect to 207.46.197.16,
    port 80 or 142.176.121.13, port 80 or others in these ranges. Same
    kind of thing with the newer versions of Process Explorer.

    John
     
    John John, Jul 30, 2007
    #37
  18. No. It's windows. And I provided you with a way to stop it.
    So, why is it doing it?
    Hmm. If you don't consider it bad, what's the whole fuss?
    Of course. The net is a resource like anything else. Soon you will see
    app's taking advantage of online services just like if they were a
    part of the app itself.
    Your point being?
    That wasn't my impression.
    Then what was your point of going "are you aware that sysinternals
    utilities phone home"?
    That's actually not what they are saying. Do some more research.
    More *sigh*
    BS argument. A novice user with no basic networking knowledge isn't
    able to properly configure any packet filter whatsoever.
    What exactly do *real* firewalls usually do? They definitely *don't*
    run on an insecure platform together with all kinds of other stuff
    under the control of a clueless user with unrestricted rights!!

    Calling PFW's firewalls in the first place is an insult to real
    firewalls. They are host based packet filters.
    One can't "get the job done" until one understands it. That's why
    novice users should stick to the windows firewall. It's on by default,
    it works, and it requires no further action - which is about the
    maximum you can expect from a novice user.
    I know that perfectly well. I just mentioned some of my favorites.
    Now, THAT is BS, right there. These firewalls have, for obvious
    reasons, NO idea what's going on, which is why they have to ask the
    user.
    But novice users don't. The fact that PFW's even provide pop-up
    messages about the loopback interface shows the developers' lack of
    competence.
    Wrong. You simply fail to get the big picture.
    If so, you and your PFW followers are on a campaign of making clueless
    users believe in hype and astrology-like pseudo security.
    Depends. If it provides a false sense of security, it's very bad. If
    it's misconfigured by clueless users, it's very bad. If it interferes
    with what the user is trying to achieve, and the user doesn't
    understand why, it's very bad. Since it mostly doesn't mean more to
    users than that they will temporarily switch it off if something
    doesn't work, it's very bad. If it adds further vulnerabilities to a
    system, it's very very bad.
    They have already explained why. You need to catch up.
    Could it be that Vista provides a slightly better foundation for doing
    so?
     
    Straight Talk, Jul 30, 2007
    #38
  19. John John Guest

    You don't know what you are talking about, why don't you monitor one of
    the apps and find out what is going on. It isn't Windows doing the
    calling it's the application itself. Being that you are so smart and
    that I know nothing you should at least do a few tests before you post
    about things you pretend to know of.

    John
     
    John John, Jul 30, 2007
    #39
  20. What lie?
    What false information?
    Inbound control was never useless. It's the outbound control that's so
    questionable.
    Yes. From *outside* attacks. No one questions that they did a good job
    there. But the market for PFW's arose only because MS made the big
    mistake of shipping windows with exposed network services.
    This just shows that you don't know what you're talking about. SyGate
    didn't even follow the most basic security recommendations from MS,
    thereby making your system even more vulnerable.
    And this is where your argument loses completely.
    Root kits aren't meant to get around firewalls.
    BS. You are right that they weren't meant to *detect* these pests. But
    being able to block their attempts to call home is *exactly* what PFW
    vendors have claimed their products would do.
    There's a big difference between anti-virus meant to stop a baddie
    before it's allowed to run and outbound control meant to deal with the
    baddie after it's too late.
    I'm passionate on the issue too and don't like when the WF is labeled
    as useless just because it doesn't implement useless trials to control
    outbound connections.
     
    Straight Talk, Jul 30, 2007
    #40