NetBios Messenger

Guest

90% of the time when I log on to Windows I receive a warning that the netbios
messenger service is running. While I realize that in some cases this is
dangerous and in most cases not, my computer is clean (just fresh off a
format/reinstall). Now, I go ahead and tell it to block the messenger
service; I don't need it, why have it running. And I tell it to remember my
setting, but it never remembers, and never stops the service from running.
Is this a known problem, or just something not quite right? It has occurred
over 2 releases of beta 1; I was hoping it would be fixed in this latest
release. Any ideas?
 
Bill Sanderson

This isn't a "known issue." What Microsoft Antispyware should be doing when
you answer this prompt is setting the startup for the messenger service to
disabled. You can easily do this yourself:

Start, run, services.msc <enter>

Look for the Messenger service, with description "Transmits net send and
Alerter....."
Right click, choose properties, and set startup type to disabled.

A freshly reformatted and reinstalled machine is actually at greater risk,
in terms of security patches, than one that has been operating and kept
patched via autoupdate.

You don't mention Service Pack 2--which should also offer to disable this
service, I believe.

Are there other settings or history details--time of last scan, for
example--which aren't being "remembered" by Microsoft Antispyware in this
install?
 
Guest

Well, netbios is currently set to disabled in services, which means I
"theoretically" never should see the message again, because the service
should never run. And any depending programs or services should fail to
start, and also not be able to activate the service without explicit
permission; I do believe antispyware would notify me if something changed my
service settings.

And while yes, a truly fresh install is more at risk, A, this more exactly is
an image; think of it like a corporate image in a corporation with many
computers. Our campus has an image they maintain monthly with the latest
patches and drivers for when a student needs their computer to be reloaded
for some reason, because we all have the same machine and model. And B, I'm
a patch freak and find every little minor update that ever existed. I also
trust my Norton Internet Security to keep me protected in the meantime
between patches, which is properly configured. Needless to say, my statement
that my machine was clean was merely to state that it isn't spyware that is
activating the messenger service. The only thing I could think of is if
somewhere in my user hive the service settings are being saved. But that's
not reasonable, because I don't have any other problems with any other service
re-enabling.

Also, I don't believe I can "uninstall" the service, because without NetBios
I can't use the campus network. Now, this is unrelated, but it may have some
relevance. In the dorm we have a switch, and the switch indiscriminately
chooses a computer to manage some table. A table of netbios names or DNS
or something like that; I don't quite remember how it is exactly. And what
happens is that machine keeps track of the other computers on our portion of the
network. With that, my computer was sending UDP netbios information and
other session packets to another student in the dorm and was therefore
causing an alert on his firewall. What we and the admins believed to be the
case was that the switch in the dorm is picking my computer for some reason
to manage this table. I'm not up on my NetBios or TCP/IP, so I'm not exactly
sure how it all works, but could that be re-enabling my messenger service?
Also, the campus is on a domain, but none of the machines log directly into
the domain (but they can; we have a domain account on our machine if we want
to use it), but we log onto our laptop's local machine, if that makes sense.
I use antispyware on 5 different machines and this is the only one with a
problem. Hope that helps. Um, some machine info:

HP nw8000 XP SP2 (Bios F.16)
AntiSpyware ver. 1.0.701, Spybot, Adaware, Norton Internet Security 2006
 
Bill Sanderson

The netbios messenger service is not the same thing as using netbios over a
networking protocol, typically TCP/IP. There's no need to uninstall the
messenger service--in fact, you can't easily do that--it's part of Windows.
There's also no harm in leaving it set to disabled--you are
correct--nothing will be able to start it, and changing it to enabled will
get you an alert from several sources, perhaps--SP2 and Microsoft
Antispyware.

This service can serve a useful purpose in some situations--as an
administrative notification service--typically for alerts from UPS software
or backup software. However, it has also been used to distribute
unsolicited ads--and these ads are the reason behind the recommendation to
shut it off.

Yes--reinstalling from an image that is kept up to date is quite different
from reinstalling from the original media after a reformat--this sounds like
a good procedure, in your case.

The settings for netbios in networking are completely separate from the
messenger service--they aren't related at all and don't influence each
other. The messenger service is extraneous to most people, whereas netbios
networking is something many people make regular use of.


--
 
Guest

Okay, I understand that now. But that doesn't solve why antispyware tells me
when I boot up that the messenger service is running. Even though, during
the session before that, and before that one, and before that one, I've told
it to block and remember to block. I currently have 42 agent events in
antispyware; 8 of them are netbios messenger, distributed from 1/6/06 (reload
date) to 1/14/06. They all read the standard message: "the user localmgr
has decided to stop the windows messenger service from running and prevent it
from running in the future." Now if this was true, I should only have one
event on one day. But a few of them are even on the same day. It doesn't
make sense, but I believe it because I clicked stop service each time. But
since you say the protocol and the messenger service aren't the same, then
the only explanation I could provide as to why probably isn't right. Using
Sysinternals' TCP viewer, the only thing on my computer running anything
obviously related to NetBios at all is Open AFS, or Andrew File System, much
like Microsoft's server file system. We use this program along with MIT
Kerberos to access various network resources, namely our server space on
campus. At all times when the computer is on, AFS is connected to the
loopback adapter through a netbios connection. And that's the only thing I
could think of that might prompt the messenger service to start: if AFS
has some sort of internal messaging system to prompt the user about errors
and other fatal exceptions when connected through the adapter. But that's
only a guess. For more info their website is http://www.openafs.org; think
that might be it? If so, I can contact one of the admins who specializes in
AFS and see what he thinks. All of your help is much appreciated.
 
Bill Sanderson

Are we talking apples and oranges here?

The Windows Messenger service may be Windows Messenger--the Instant
Messaging app. This is a completely different critter from the netbios
messenger service.

You can uninstall Windows Messenger in add or remove programs, windows
components.

--
 
Guest

While the internal message says "windows messenger", the title of the "event"
is "Windows NetBIOS Messenger Service Alert". So yes, this is apples and
apples.
 
Bill Sanderson

I'm pretty sure I don't understand what's going on here at all.

Are you on a managed network, where it is possible that some administrative
process overnight might be enabling and starting the netbios messaging
service--that it is viewed as required software, in your environment? If
that's the case, I'd recommend trying to spot what agent and checkpoint in
Microsoft Antispyware is calling this out, and disabling that checkpoint.

Otherwise, I'd wonder whether some malicious process or software is involved
which simply looks like the Netbios messenger service. Having never heard
of such a thing, I'd tend towards the first explanation--that the messenger
service is getting re-enabled by group policy settings on a managed network.
I'm sure there are more possibilities--"goback" software of some kind that
thinks it needs to revert the settings for the service--not sure what
else....


--
 
Guest

Actually, since we are on a domain, and our domain uses Active Directory,
I'm aware that there is some type of domain update feature that I do
believe gets operated at night at some point, whether it's nightly or
every other night. And since our group policy permits the admins to do this
"update", as best I understand it, this could very well be the case. The
Open AFS program I spoke of isn't required, but without it accessing
files on your server space is very difficult, so it is essentially required. So
what I'll do is talk to one of our admins tomorrow and post if I find out
anything.
 
Bill Sanderson

Thanks - This sounds like a good possibility, given the observed behavior.
There's also a good chance that the messenger service is not really doing
anything useful on all those machines--who knows, maybe they'll consider not
running it?

--
 
Guest

In speaking with the admins, the domain does update nightly. But nothing
activates the netbios messenger explicitly. The admin himself is
experiencing the same problem I have, but upon his investigation, before he
proceeded to continue to block the service, he ensured the service was not
running before blocking it. He confirmed that the service was in fact
disabled and stopped. And the message was still being displayed. It sounds
like antispyware isn't properly detecting this service.
 
Bill Sanderson

Hmm - I've got Open-AFS installed, but no alarms, either in regular activity
or scanning. 'course, I'm not connected to anything, so it isn't doing
much!

--
 
Guest

Yes, he would also be running AFS; there are only two differences at this
point. One, there is a program we use as a helper called AFS drive mapper.
It's not officially supported by AFS, but because of how our laptops are set
up, it is very painful/harmful to have the AFS service running when we don't
have an internet connection established (everything gets slow; we're seriously
looking into the Microsoft DFS so we won't have that problem anymore).
However, the reason I doubt that this additional program is causing the
problem is because the admin I've been in contact with personally wrote the
AFS drive mapper program himself, and hence would know if he used any such
code that would alter the messenger service, which he assures me he hasn't.
The second program we use to manage our AFS client is MIT Kerberos/Leash;
it's a ticket manager and is our network's authentication protocol. Also,
Antispyware reports nothing suspicious from these 3 programs. I also have an
update on the specific condition of this computer. When I went and checked
the services list before blocking the messenger, it was listed as "manual";
the service had not started and was stopped. When I clicked block and
refreshed the services console, the service proceeded to be blocked.
Something is changing this service back to manual sometime during uptime.
No ideas as of yet.
 
Bill Sanderson

If a service is set to manual, it can be started programmatically--if you
look at the services list--you'll probably see a number of manual services
that are started without your direct choice to start them.

Stepping back--I don't recall that any known malware makes use of the
netbios messenger. It was widely theorized when it became popular for
putting up ads on unsuspecting users who were either not behind a firewall,
or behind one not properly secured, or on a large enough network that
somebody was blasting ads out in-house--that there would be some
vulnerability found, but I don't think that ever happened--it was an
annoyance--ads popped up--and in some cases, the ads might have contained
URLs which were genuinely dangerous.

However, in and of itself, the messenger service isn't a danger--and I keep
it running on some machines in domains where there are services--ups
monitoring, or backup--that make use of it.

Can you start over again from scratch and lay out the scenario again--so I
can get it right in my mind?

You walk in the door in the morning. The machine is
(off?)--asleep-whatever--and you turn it on, or log in, and what happens?
What color is the dialog, what does it say? Does it allow a response--how
do you respond? When does it recur?

Maybe this is an issue of the program not properly recording your choice,
and thus the recurrence.


--
 
Guest

Okay, yes, I understand if it is set to manual. And I'm also certain this
isn't spyware. So here's the deal from the beginning. The machine is
shut down; I turn it on, log on and get to the desktop. Antispyware pops
up a blue message screen stating, "The windows netbios messenger service is
running." From this it goes into detail about how SP2 doesn't need the
service and it's recommended I stop the service. It gives me 2 options, stop
service and ignore, and a checkbox to say remember my selection. I say stop
service. I check the services console and see the messenger service is
properly disabled and proceed on with daily life. So antispyware makes a log
stating that I took this action and marks it in its logs. The next time I
reboot, the same message shows up again. Before I select an action I check
the services console, and now messenger is set to manual, though not started
or running. I say stop the service, refresh the console, and the service is
now disabled as it should be. Either way, the service is changing from
disabled to manual. And this vicious cycle continues.
 
Bill Sanderson

That's real clear. My gut feeling is that we're going to have to find the
checkpoint that's doing this work and disable it in your environment.

I think there's at least one bug here--I think Microsoft Antispyware does
not distinguish between "manual" (and not, in fact, started) and
"started"--I haven't checked this out but that wouldn't surprise me--it is
looking for disabled, and that's the only "safe" setting it is going to
accept--but the wording of the prompts doesn't make that clear at all.

Something is setting the service from disabled to manual on your
system(s)--I don't know what that is--but I'm reasonably sure that it isn't
Microsoft Antispyware--I don't know why it would ever do that, unless there
was an option for a temporary reversible blocking action--which isn't what
you're describing.

In fact--when I look at the system I'm checking to get syntax info--which is
an SBS-2000 server, I see that I've disabled that checkpoint.

Tools, real-time protection, Internet Agents, Windows Messenger Service--hit
"deactivate checkpoint" at the lower right.

This should be effective--and I'm sorry I didn't just suggest it right off
from the start.

Usually when I recommend deactivating a checkpoint I have to add some CYA
phrase such as "taking this action will remove the protection against xyz
threats provided by this checkpoint."--however, in this case, the only risk
is "messenger spam" as described in the checkpoint description:

Windows Messenger Service
Status: In-active

Description: Prevents unauthorized changes to your Windows Messenger
Service.

The messenger service is sometimes used in corporate networks to send
information from the administrator to its users. However, this service has
been a wide source for pop-up message spam. Most users who are not on a
corporate network turn off and disable Windows Messenger Service. It can be
re-enabled in your control panel services if needed.

I wouldn't hesitate to disable this checkpoint in your situation.



--
 
Guest

Yeah, I agree with that. It would seem that the service is getting set to
manual on shutdown, since my machine has been up for more than 24 hours and any
domain update that would cause this should already have taken effect by now. I
don't think it's antispyware that's changing the setting. That doesn't make
much sense. And I'm not aware of anything installed on my machine that would
alter the setting, with as little as is currently installed on it. It
could simply be one of those machine demons that you run across every once in
a while, like a video driver that just happens to blue screen your computer
and no one else's. I appreciate all of your input on this. And even though
the answer is "ignore the problem", and while I have many tools I can use,
nothing is sophisticated enough to tell me, "your services have been
altered". Anyways, your help is appreciated, and I look forward to the
advances in antispyware.
 
Bill Sanderson

I'm asking in another group for suggestions about software that can monitor
for changes in service startup settings.
--
 
Bill Sanderson

Here's the response I got to a post looking for a "service canary"
---
Does anybody have a suggestion for something that will monitor
and alarm or log in real time changes to service startup state settings?

Hmm

http://healthmonitor.sourceforge.net

and

http://maxcomputing.narod.ru/ssme.html?lang=en

not exactly for the faint hearted btw, but the above
may be of some help

also, don't forget about creating a different account
with admin privileges on the machine and logging
on with such an account ;)
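The thread asks for two things that can be scripted: the services.msc step Bill gives earlier (set the Messenger service's startup type to Disabled) and a "service canary" that notices when a startup type drifts, as the Guest's Messenger service drifts from Disabled to Manual between logons. The script below is an added example written for this page, not something any participant posted. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance and the JSON cmdlets) and an administrator session; the baseline path is an assumed location. The service name Messenger is the XP-era netbios messenger service the thread discusses. Event ID 7040 is the Service Control Manager's own System-log record of a start-type change, which gives the time of the change even when a custom monitor was not running.

```powershell
# Added example: a small "service canary" for startup-type drift (not from the thread).
# Assumes Windows PowerShell 3.0+ and an elevated prompt. Baseline location is assumed.
$BaselinePath = "$env:ProgramData\ServiceCanary\baseline.json"

function Get-ServiceStartModes {
    # Map each service name to its start mode: Boot, System, Auto, Manual or Disabled.
    $modes = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $modes[$svc.Name] = $svc.StartMode
    }
    return $modes
}

function Save-ServiceBaseline {
    # Record the current start modes once, after the services are set the way you want them.
    $dir = Split-Path -Parent $BaselinePath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-ServiceStartModes | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
}

function Compare-ServiceBaseline {
    # Report every service whose start mode differs from the baseline, plus new services.
    if (-not (Test-Path $BaselinePath)) { throw "No baseline found; run Save-ServiceBaseline first." }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-ServiceStartModes
    $drift = @()
    foreach ($prop in $baseline.PSObject.Properties) {
        $name = $prop.Name
        if ($current.ContainsKey($name) -and $current[$name] -ne $prop.Value) {
            $drift += [pscustomobject]@{ Service = $name; Was = $prop.Value; Now = $current[$name] }
        }
    }
    foreach ($name in $current.Keys) {
        if (-not $baseline.PSObject.Properties[$name]) {
            $drift += [pscustomobject]@{ Service = $name; Was = '<absent>'; Now = $current[$name] }
        }
    }
    return $drift
}

function Get-StartTypeChangeEvents {
    param([int]$Days = 7)
    # The Service Control Manager logs Event ID 7040 in the System log whenever a service's
    # start type is changed; the message names the service and the old and new start types.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage (elevated prompt):
#   Set-Service -Name Messenger -StartupType Disabled   # the services.msc step from the thread
#   Save-ServiceBaseline                                 # once, with settings as you want them
#   Compare-ServiceBaseline | Format-Table               # at each logon; lists e.g. Messenger Disabled -> Manual
#   Get-StartTypeChangeEvents -Days 14 | Format-List     # when the SCM recorded each change
```

Running Compare-ServiceBaseline at logon answers the Guest's "your services have been altered" wish directly, and the 7040 events narrow the drift to a time window (shutdown, overnight domain update, or a specific logon), which is the fact the thread never managed to pin down.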