Yes, I've already tried leaving this question on the Zone Alarm forums but
the Administrator there immediately removed it.

Been running WD under WinXP SP2 for some time. I've configured WD for me to
do manual updates and that function works. But in my ZAFree firewall, I'm not
sure what Program Control settings I should configure for a) WD Command Line
Utilty and b) WD User Interface. I refer to the four settings under Access
and Server. Anyone know what these should be?

That said, I'm currently having trouble with MpCmdRun.exe constantly
attempting to make outward connections with all manner of websites I've
visited. I see these listed in ZA's Alerts & Logs. Is this legitimate,
bearing in mind that I get my WD updates manually (via the Help function in
the main WD window)? And yes, I have configured WD itself to get the updates
manually. At present, I've got all these attempted connections blocked in ZA.
Is MpCmdRun.exe trying to discover the IP addresses of those websites, or
what exactly?

Something is being reported incorrectly, I suspect.

mpcmdrun should be contacting Microsoft's update servers, or the servers
involved in Spynet reporting, perhaps, and nothing else.

In options, have you turned off the option of checking for definition
updates before running a scheduled scan?

Have you unjoined Spynet (if you had ever joined it?)

I think with these settings changes, mpcmdrun should not be talking to
anything.

I'm still looking for a KB article which I think exists that gives the
servers that it needs to connect to.


"microman" <(E-Mail Removed)> wrote in message
news:9036B875-53CF-4980-B030-(E-Mail Removed)...
> Yes, I've already tried leaving this question on the Zone Alarm forums but
> the Administrator there immediately removed it.
>
> Been running WD under WinXP SP2 for some time. I've configured WD for me
> to
> do manual updates and that function works. But in my ZAFree firewall, I'm
> not
> sure what Program Control settings I should configure for a) WD Command
> Line
> Utilty and b) WD User Interface. I refer to the four settings under Access
> and Server. Anyone know what these should be?
>
> That said, I'm currently having trouble with MpCmdRun.exe constantly
> attempting to make outward connections with all manner of websites I've
> visited. I see these listed in ZA's Alerts & Logs. Is this legitimate,
> bearing in mind that I get my WD updates manually (via the Help function
> in
> the main WD window)? And yes, I have configured WD itself to get the
> updates
> manually. At present, I've got all these attempted connections blocked in
> ZA.
> Is MpCmdRun.exe trying to discover the IP addresses of those websites, or
> what exactly?

On Sun, 2 Dec 2007 04:33:00 -0800, microman wrote:

> Yes, I've already tried leaving this question on the Zone Alarm forums but
> the Administrator there immediately removed it.
>
Do yourself a favor and uninstall ZA in 'Add or Remove Programs' or use
http://zonealarm.donhoover.net/uninstall.html
If the ZA removal tool doesn't work satisfactory use this:
Revo Uninstaller Freeware - Remove unwanted programs and traces
easily
http://www.revouninstaller.com/
and/or
RegSeeker
http://www.hoverdesk.net/freeware.htm
RegSeeker will remove all associated detritus (registry keys,files
and folders) from any application. I found this application user
friendly and very effective but suggest *not* to use the 'Clean the
Registry' option.
Click onto 'Find in registry' and in the 'Search for' box type
*ZA and/or ZoneAlarm*; The pertinent registry keys can then be safely
deleted (just in case, ensure that the 'Backup before deletion' is
checked).
Repeat the task by typing in the Search for' box *ZoneAlarm*. You can
then go on search and remove associated files as well.
Then use NTREGOPT to compact the registry; Follow instructions.
http://www.larshederer.homepage.t-online.de/erunt

Activate and utilize the Win XP SP2 built-in Firewall; Uncheck *all*
Programs and Services under the Exception tab.
Read through:
Understanding Windows Firewall.
http://www.microsoft.com/windowsxp/u...2_wfintro.mspx

Using Windows Firewall.
http://www.microsoft.com/windowsxp/u...nfirewall.mspx

In conjunction with WinXP SP2 Firewall use:
Seconfig XP 1.0
http://seconfig.sytes.net/
(http://www.softpedia.com/progDownloa...oad-39707.html)
Seconfig XP is able configure Windows not to use TCP/IP as transport
protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
and 445 (the most exploited Windows networking weak point) closed.)

WindowsDefender isn't a bad application
http://www.pcworld.com/article/id,136195/article.html
"...Windows Defender did excel in behavior-based protection, which detects
changes to key areas of the system without having to know anything about
the actual threat."

Suggest you focus more on SECURITY instead of 3rd party software!
--
Security is a process not a product.
(Bruce Schneier)

"Bill Sanderson" wrote:

> Something is being reported incorrectly, I suspect.
>
> mpcmdrun should be contacting Microsoft's update servers, or the servers
> involved in Spynet reporting, perhaps, and nothing else.
>
> In options, have you turned off the option of checking for definition
> updates before running a scheduled scan?
>
> Have you unjoined Spynet (if you had ever joined it?)
>
> I think with these settings changes, mpcmdrun should not be talking to
> anything.
>
> I'm still looking for a KB article which I think exists that gives the
> servers that it needs to connect to.
>
>
> "microman" <(E-Mail Removed)> wrote in message
> news:9036B875-53CF-4980-B030-(E-Mail Removed)...
> > Yes, I've already tried leaving this question on the Zone Alarm forums but
> > the Administrator there immediately removed it.
> >
> > Been running WD under WinXP SP2 for some time. I've configured WD for me
> > to
> > do manual updates and that function works. But in my ZAFree firewall, I'm
> > not
> > sure what Program Control settings I should configure for a) WD Command
> > Line
> > Utilty and b) WD User Interface. I refer to the four settings under Access
> > and Server. Anyone know what these should be?
> >
> > That said, I'm currently having trouble with MpCmdRun.exe constantly
> > attempting to make outward connections with all manner of websites I've
> > visited. I see these listed in ZA's Alerts & Logs. Is this legitimate,
> > bearing in mind that I get my WD updates manually (via the Help function
> > in
> > the main WD window)? And yes, I have configured WD itself to get the
> > updates
> > manually. At present, I've got all these attempted connections blocked in
> > ZA.
> > Is MpCmdRun.exe trying to discover the IP addresses of those websites, or
> > what exactly?
>
>

Bill,

Why should MpCmdRun.exe be trying to contact any Microsoft update servers at
all, since I've always elected to do my updates manually, using the option in
Help? Hmm, I'm beginning to think that I'm assuming something wrongly about
that.

Perhaps there's a subtle thing going on here. I don't opt to have WD do
regular scans, since (again) I do all my scans manually. In Options, this has
left the WD setting "Check for updated definitions before scanning" enabled
but greyed out. So, perhaps what I need to do is temporarily enable
auto-scanning, then untick that "Check for ...." option, then disable
auto-scanning again? I'll give it a try and report back.

Perhaps you yourself wouldn't be familiar with Zone Alarm but, on the whole,
ZA works quite well (when configured properly). I've been using ZA for some
years.

The really pertinent query I have, though, is why MpCmdRun.exe should be
connecting to the various URLs/websites that I see in the ZA log. I've been
Googling those, BTW, and as far as I've been able to tell, they're
trustworthy sites. Could these be genuine attempted connections, concerned
with obtaining the IP address and general signatures of those sites, prior to
connecting to SpyNet? To me, that'd be a key bit of information that'd put my
mind at rest. Please let me know if I'm thinking along the right lines.

Meantime, I did some mugging up on SpyNet and have now reconfigured my WD
from Basic membership to Non-membership, to see if it'd stop the attempted
MpCmdRun connections, but it hasn't. (As far as I could tell, from notes that
I found on WD, you can opt in and out of Basic SpyNet membership. I trust
that's true).

In the meantime, had

"microman" <(E-Mail Removed)> wrote in message
news:EAB88AB2-48C6-4EBD-BF21-(E-Mail Removed)...
>
> Bill,
>
> Why should MpCmdRun.exe be trying to contact any Microsoft update servers
> at
> all, since I've always elected to do my updates manually, using the option
> in
> Help? Hmm, I'm beginning to think that I'm assuming something wrongly
> about
> that.
>
> Perhaps there's a subtle thing going on here. I don't opt to have WD do
> regular scans, since (again) I do all my scans manually. In Options, this
> has
> left the WD setting "Check for updated definitions before scanning"
> enabled
> but greyed out. So, perhaps what I need to do is temporarily enable
> auto-scanning, then untick that "Check for ...." option, then disable
> auto-scanning again? I'll give it a try and report back.
>
> Perhaps you yourself wouldn't be familiar with Zone Alarm but, on the
> whole,
> ZA works quite well (when configured properly). I've been using ZA for
> some
> years.
>
> The really pertinent query I have, though, is why MpCmdRun.exe should be
> connecting to the various URLs/websites that I see in the ZA log. I've
> been
> Googling those, BTW, and as far as I've been able to tell, they're
> trustworthy sites. Could these be genuine attempted connections, concerned
> with obtaining the IP address and general signatures of those sites, prior
> to
> connecting to SpyNet? To me, that'd be a key bit of information that'd put
> my
> mind at rest. Please let me know if I'm thinking along the right lines.
>
> Meantime, I did some mugging up on SpyNet and have now reconfigured my WD
> from Basic membership to Non-membership, to see if it'd stop the attempted
> MpCmdRun connections, but it hasn't. (As far as I could tell, from notes
> that
> I found on WD, you can opt in and out of Basic SpyNet membership. I trust
> that's true).
>
> In the meantime, had

I quite agree that I see no reason either why mpcmdrun should attempt to
connect to a non-Microsoft site, or even a Microsoft site if you are not
doing scheduled scans, and have not joined Spynet. I'm quite certain that
it does not do any form of analysis of web sites visited, etc. Thats why I
suggested that something is being mis-reported. I have a very distant
memory of some issue like this from the beta, but far to distant to recall
how we resolved what was really happening.

Are you running both the Microsoft Firewall and Zone Alarm, by any chance?
If so, try turning off the Microsoft Firewall.

"Bill Sanderson" wrote:

>
> "microman" <(E-Mail Removed)> wrote in message
> news:EAB88AB2-48C6-4EBD-BF21-(E-Mail Removed)...
> >
> > Bill,
> >
> > Why should MpCmdRun.exe be trying to contact any Microsoft update servers
> > at
> > all, since I've always elected to do my updates manually, using the option
> > in
> > Help? Hmm, I'm beginning to think that I'm assuming something wrongly
> > about
> > that.
> >
> > Perhaps there's a subtle thing going on here. I don't opt to have WD do
> > regular scans, since (again) I do all my scans manually. In Options, this
> > has
> > left the WD setting "Check for updated definitions before scanning"
> > enabled
> > but greyed out. So, perhaps what I need to do is temporarily enable
> > auto-scanning, then untick that "Check for ...." option, then disable
> > auto-scanning again? I'll give it a try and report back.
> >
> > Perhaps you yourself wouldn't be familiar with Zone Alarm but, on the
> > whole,
> > ZA works quite well (when configured properly). I've been using ZA for
> > some
> > years.
> >
> > The really pertinent query I have, though, is why MpCmdRun.exe should be
> > connecting to the various URLs/websites that I see in the ZA log. I've
> > been
> > Googling those, BTW, and as far as I've been able to tell, they're
> > trustworthy sites. Could these be genuine attempted connections, concerned
> > with obtaining the IP address and general signatures of those sites, prior
> > to
> > connecting to SpyNet? To me, that'd be a key bit of information that'd put
> > my
> > mind at rest. Please let me know if I'm thinking along the right lines.
> >
> > Meantime, I did some mugging up on SpyNet and have now reconfigured my WD
> > from Basic membership to Non-membership, to see if it'd stop the attempted
> > MpCmdRun connections, but it hasn't. (As far as I could tell, from notes
> > that
> > I found on WD, you can opt in and out of Basic SpyNet membership. I trust
> > that's true).
> >
> > In the meantime, had
>
> I quite agree that I see no reason either why mpcmdrun should attempt to
> connect to a non-Microsoft site, or even a Microsoft site if you are not
> doing scheduled scans, and have not joined Spynet. I'm quite certain that
> it does not do any form of analysis of web sites visited, etc. Thats why I
> suggested that something is being mis-reported. I have a very distant
> memory of some issue like this from the beta, but far to distant to recall
> how we resolved what was really happening.
>
> Are you running both the Microsoft Firewall and Zone Alarm, by any chance?
> If so, try turning off the Microsoft Firewall.
>
>

No, definitely not. Never have done. I check in XP's Security Centre from
time to time. I think ZA would object if two software firewalls tried to
operate.

In one or two googles I've done, some people have suggested that MpCmdRun
should be enabled in any firewall regardless. However, with my ZA saying that
it's trying to connect with a whole variety of websites/URLs, I'm not jkeen
to do that unless and until I can find out exactly how WD is meant to work in
this respect.

In the Join MS SpyNet part of WD, under Basic membership, it does say this:

"WD sends basic information to MS about software it detects, including where
it came from, and actions that you apply .....".

"microman" wrote:

>
>
> "Bill Sanderson" wrote:
>
> >
> > "microman" <(E-Mail Removed)> wrote in message
> > news:EAB88AB2-48C6-4EBD-BF21-(E-Mail Removed)...
> > >
> > > Bill,
> > >
> > > Why should MpCmdRun.exe be trying to contact any Microsoft update servers
> > > at
> > > all, since I've always elected to do my updates manually, using the option
> > > in
> > > Help? Hmm, I'm beginning to think that I'm assuming something wrongly
> > > about
> > > that.
> > >
> > > Perhaps there's a subtle thing going on here. I don't opt to have WD do
> > > regular scans, since (again) I do all my scans manually. In Options, this
> > > has
> > > left the WD setting "Check for updated definitions before scanning"
> > > enabled
> > > but greyed out. So, perhaps what I need to do is temporarily enable
> > > auto-scanning, then untick that "Check for ...." option, then disable
> > > auto-scanning again? I'll give it a try and report back.
> > >
> > > Perhaps you yourself wouldn't be familiar with Zone Alarm but, on the
> > > whole,
> > > ZA works quite well (when configured properly). I've been using ZA for
> > > some
> > > years.
> > >
> > > The really pertinent query I have, though, is why MpCmdRun.exe should be
> > > connecting to the various URLs/websites that I see in the ZA log. I've
> > > been
> > > Googling those, BTW, and as far as I've been able to tell, they're
> > > trustworthy sites. Could these be genuine attempted connections, concerned
> > > with obtaining the IP address and general signatures of those sites, prior
> > > to
> > > connecting to SpyNet? To me, that'd be a key bit of information that'd put
> > > my
> > > mind at rest. Please let me know if I'm thinking along the right lines.
> > >
> > > Meantime, I did some mugging up on SpyNet and have now reconfigured my WD
> > > from Basic membership to Non-membership, to see if it'd stop the attempted
> > > MpCmdRun connections, but it hasn't. (As far as I could tell, from notes
> > > that
> > > I found on WD, you can opt in and out of Basic SpyNet membership. I trust
> > > that's true).
> > >
> > > In the meantime, had
> >
> > I quite agree that I see no reason either why mpcmdrun should attempt to
> > connect to a non-Microsoft site, or even a Microsoft site if you are not
> > doing scheduled scans, and have not joined Spynet. I'm quite certain that
> > it does not do any form of analysis of web sites visited, etc. Thats why I
> > suggested that something is being mis-reported. I have a very distant
> > memory of some issue like this from the beta, but far to distant to recall
> > how we resolved what was really happening.
> >
> > Are you running both the Microsoft Firewall and Zone Alarm, by any chance?
> > If so, try turning off the Microsoft Firewall.
> >
> >
>
> No, definitely not. Never have done. I check in XP's Security Centre from
> time to time. I think ZA would object if two software firewalls tried to
> operate.
>
> In one or two googles I've done, some people have suggested that MpCmdRun
> should be enabled in any firewall regardless. However, with my ZA saying that
> it's trying to connect with a whole variety of websites/URLs, I'm not jkeen
> to do that unless and until I can find out exactly how WD is meant to work in
> this respect.
>
> In the Join MS SpyNet part of WD, under Basic membership, it does say this:
>
> "WD sends basic information to MS about software it detects, including where
> it came from, and actions that you apply .....".


Bill,

I've changed that Option setting in WD and have monitored MpCmdRun.exe in
ZA. Unfortunately, it's not made any difference at all. MpCmdRun has,
according to ZA, made attempts to connect with the few websites that I've
just visited in the last 10 minutes or so - actually three websites, of which
ZA fully identifies one but leaves the other two blank.

Like I say, I want to know what's going on here. Why is MpCmdRun attempting
to connect with these sites?

"microman" <(E-Mail Removed)> wrote in message
news:0E9585B1-AB92-4519-AAA9-(E-Mail Removed)...
>
> No, definitely not. Never have done. I check in XP's Security Centre from
> time to time. I think ZA would object if two software firewalls tried to
> operate.
>
> In one or two googles I've done, some people have suggested that MpCmdRun
> should be enabled in any firewall regardless. However, with my ZA saying
> that
> it's trying to connect with a whole variety of websites/URLs, I'm not
> jkeen
> to do that unless and until I can find out exactly how WD is meant to work
> in
> this respect.
>
> In the Join MS SpyNet part of WD, under Basic membership, it does say
> this:
>
> "WD sends basic information to MS about software it detects, including
> where
> it came from, and actions that you apply .....".

WD does send information about detections and the users choices in relation
to detections, but onlu when you join SpyNet. So--with that unchecked, I
think it not be connecting out, but I might be missing something--this is
puzzling: It shouldn't be active at all, I'd think, and it definitely
shouldn't be trying to connect to random web sites.

If I get some time later tonight, which I may not, I'm afraid--I'll see if
by digging onto the privacy links or KB articles, there's any further
description of the interactions involved--sometimes there's a good bit of
detail if you click on the privacy links.

"Bill Sanderson" wrote:

> "microman" <(E-Mail Removed)> wrote in message
> news:0E9585B1-AB92-4519-AAA9-(E-Mail Removed)...
> >
> > No, definitely not. Never have done. I check in XP's Security Centre from
> > time to time. I think ZA would object if two software firewalls tried to
> > operate.
> >
> > In one or two googles I've done, some people have suggested that MpCmdRun
> > should be enabled in any firewall regardless. However, with my ZA saying
> > that
> > it's trying to connect with a whole variety of websites/URLs, I'm not
> > jkeen
> > to do that unless and until I can find out exactly how WD is meant to work
> > in
> > this respect.
> >
> > In the Join MS SpyNet part of WD, under Basic membership, it does say
> > this:
> >
> > "WD sends basic information to MS about software it detects, including
> > where
> > it came from, and actions that you apply .....".
>
> WD does send information about detections and the users choices in relation
> to detections, but onlu when you join SpyNet. So--with that unchecked, I
> think it not be connecting out, but I might be missing something--this is
> puzzling: It shouldn't be active at all, I'd think, and it definitely
> shouldn't be trying to connect to random web sites.
>
> If I get some time later tonight, which I may not, I'm afraid--I'll see if
> by digging onto the privacy links or KB articles, there's any further
> description of the interactions involved--sometimes there's a good bit of
> detail if you click on the privacy links.
>
>

Bill,

Yes, I'd be grateful if you could dig deeper on this. I myself have already
done some searches of KB articles but have not turned up anything that refers
to this particular problem.

This morning I've had three more attempted outgoing connections by MpCmdRun
- one to an unspecified DNS, one to vwrpx2.Ihr.xpc-mii.net, and the other to
980707.websites.xs4all. I tried googling those addresses but came up with
zilch. Some destinations that get listed against MpCmdRun are genuine
websites but there are quite a few where they appear to be unknowns, like the
two I've mentioned.

I've naturally wondered whether my MpCmdRun.exe might have been hijacked by
some sort of intrusion but I've done a search on my machine for that program
and the only place it's residing is where it should be, in Program
Files\Windows Defender. I've also scanned my PC with WD itself and with my
antivirus client, both of which I update manually but nonetheless keep bang
up-to-date, and found nothing untoward.

This strange behaviour by MpCmdRun could, I suppose, be due to a shortcoming
in ZA, rather than in the exe itself attempting to make external connections.
However, there's no way of knowing that.

ZA blocks these outward connections, except in the case where I'm doing a
manual update of WD definitions. I'm not to know, however, if there might be
other outward connections taking place that are not shown.

In other respects of general usage of my PC, I've not noticed any peculiar
behaviour (slowdowns or changes to webpages) but my router has logged a
couple of TCP Port Scan attempted intrusions and several dozens of UDP Null
Port attempted intrusions. However, those might have accrued over several
months and are probably regarded, anyway, as just 'background noise' at the
WAN interface.

"microman" wrote:

>
>
> "Bill Sanderson" wrote:
>
> > "microman" <(E-Mail Removed)> wrote in message
> > news:0E9585B1-AB92-4519-AAA9-(E-Mail Removed)...
> > >
> > > No, definitely not. Never have done. I check in XP's Security Centre from
> > > time to time. I think ZA would object if two software firewalls tried to
> > > operate.
> > >
> > > In one or two googles I've done, some people have suggested that MpCmdRun
> > > should be enabled in any firewall regardless. However, with my ZA saying
> > > that
> > > it's trying to connect with a whole variety of websites/URLs, I'm not
> > > jkeen
> > > to do that unless and until I can find out exactly how WD is meant to work
> > > in
> > > this respect.
> > >
> > > In the Join MS SpyNet part of WD, under Basic membership, it does say
> > > this:
> > >
> > > "WD sends basic information to MS about software it detects, including
> > > where
> > > it came from, and actions that you apply .....".
> >
> > WD does send information about detections and the users choices in relation
> > to detections, but onlu when you join SpyNet. So--with that unchecked, I
> > think it not be connecting out, but I might be missing something--this is
> > puzzling: It shouldn't be active at all, I'd think, and it definitely
> > shouldn't be trying to connect to random web sites.
> >
> > If I get some time later tonight, which I may not, I'm afraid--I'll see if
> > by digging onto the privacy links or KB articles, there's any further
> > description of the interactions involved--sometimes there's a good bit of
> > detail if you click on the privacy links.
> >
> >
>
> Bill,
>
> Yes, I'd be grateful if you could dig deeper on this. I myself have already
> done some searches of KB articles but have not turned up anything that refers
> to this particular problem.
>
> This morning I've had three more attempted outgoing connections by MpCmdRun
> - one to an unspecified DNS, one to vwrpx2.Ihr.xpc-mii.net, and the other to
> 980707.websites.xs4all. I tried googling those addresses but came up with
> zilch. Some destinations that get listed against MpCmdRun are genuine
> websites but there are quite a few where they appear to be unknowns, like the
> two I've mentioned.
>
> I've naturally wondered whether my MpCmdRun.exe might have been hijacked by
> some sort of intrusion but I've done a search on my machine for that program
> and the only place it's residing is where it should be, in Program
> Files\Windows Defender. I've also scanned my PC with WD itself and with my
> antivirus client, both of which I update manually but nonetheless keep bang
> up-to-date, and found nothing untoward.
>
> This strange behaviour by MpCmdRun could, I suppose, be due to a shortcoming
> in ZA, rather than in the exe itself attempting to make external connections.
> However, there's no way of knowing that.
>
> ZA blocks these outward connections, except in the case where I'm doing a
> manual update of WD definitions. I'm not to know, however, if there might be
> other outward connections taking place that are not shown.
>
> In other respects of general usage of my PC, I've not noticed any peculiar
> behaviour (slowdowns or changes to webpages) but my router has logged a
> couple of TCP Port Scan attempted intrusions and several dozens of UDP Null
> Port attempted intrusions. However, those might have accrued over several
> months and are probably regarded, anyway, as just 'background noise' at the
> WAN interface.

Bill,

I don't know if this gives us a clue or not but I've discovered that if I
expose all protected OS files in Windows Explorer, then I see some 35
instances of the inclusion of MpCmdRun.exe. In other words, MpCmdRun.exe is
actually where it normally should be, in C:\Program Files\Windows Defender,
but it's also in C:\Windows\Prefetch and is also part of a file called
MPCMDRUN.EXE-177DBF1A.pf. Further, it appears in several different guises in
temporary Internet files, in Docs & Settings.

I've no idea what the Prefetch folder normally does, or why MpCmdRun should
be referenced throughout all my Internet sessions via the Temporary Internet
files - but perhaps you do!