Event 4226

[Guest]

On my WinXP I saw an event of ID 4226: "TCP/IP has reached the security limit
imposed on the number of concurrent TCP conncect attempts."

I followed the suggestion on http://go.microsoft.com, and used "netstat -no"
to see which processes is opening so many TCP connections. To my surprise, I
found that it was the PID 0 (System Idle Process). The many connections are
in TIME_WAIT state (not SYNC_SENT state as suggested by the microsoft
article).

Is my machine infected by a malicious program? The machine is being
protected by Norton Internet Security with the latest data file (last update
on Sept 18).

Thanks!

 

[Steven L Umbach]

I have seen that on healthy computers on mine from time to time and usually
it clears itself or a reboot does. Probably the best way for most users to
try to determine if their computer has a malicious program on it is to do
both a virus scan and spyware scan making sure that the latest definitions
are used for whatever you scan with. If you are using cable or DSL for your
internet then I also highly recommend that you use an "internet router" to
protect your network. Software/host firewalls are great but too often I have
seen them disabled or misconfigured by the user, software conflicts, or
malware. Having an internet router as your first line of defense will mean
that you are not vulnerable to inbound traffic that is not in response to
traffic initiated by your computer known or unknown by you. You can use free
programs such as TCPView from SysInternals/Microsoft to see what
applications are using a port on your operating system and if you did have a
malicious application installed it would most likely then be shown if it was
using a port. Netstat -anb can also show more detail of port use including
the related executable but I am not sure if SP1 has that feature.

Steve

http://www.microsoft.com/athome/security/protect/ --- Protect Your PC tips
from Microsoft
http://www.sysinternals.com/Utilities/TcpView.html --- TCPView