Tcpip warnings

Guest

This is a Defender question in a roundabout kind of way - but I'd never have
noticed it if I hadn't been focusing on Defender issues in the last couple of
weeks - so here goes.

Because I've been looking at Event Viewer frequently, I've noticed that
maybe 2 or 3 times a week - sometimes more, sometimes less - I get a warning
of an ID 4226 event with the source given as Tcpip. I understand that these
warnings are given as a result of more than 10 failed attempts by a process
to connect outwards.

Microsoft suggests a check on which program is attempting this, in case it's
malicious. After much research, I discovered how to open the command prompt
(!), and how to look for processes with open connections using 'netstat -no'
(I was so proud!!). But of course what I see are the processes operating NOW
- not those that triggered the Tcpip warning several hours ago. So I can't
understand how I will ever be able to discover what process is responsible,
because I only ever see the Tcpip warning long after the event occurred. Am I
missing something crucial? Surely I must be?

To be honest, I doubt if this is a malicious process. I've run Symantec,
Kaspersky and Ewido online scanners; I've scanned with Adaware, Spybot,
Defender and the MS malicious software removal tool; and I have Norton and
Defender running in real time. They all detect nothing. But still - I'd like
to track down the blighter that's doing this, just so I can say it didn't
defeat me! Can anyone point me in the right direction, please?
 
Guest

plun said:
Hi Alan

Within your firewall you can change rules so you can control all
connections both inbound and outbound. I don't know the exact setting
for your firewall, I just adjust a slider to "high security".

Thanks Plun - I'm sorry, I think I didn't give enough information. I have
Norton Antivirus 2005, and am using the Windows XP firewall - so I don't
think that option is available to me.
 
Glenn Shumaker

If you're on cable, sometimes the cable modem drops your connection and then
restarts. I get these in Event Viewer from time to time; it happens if you
re-boot the modem too. In my case it's the modem.
 
plun

Thanks Plun - I'm sorry, I think I didn't give enough information. I have
Norton Antivirus 2005, and am using the Windows XP firewall - so I don't
think that option is available to me.

Hi

Well, then you need a better firewall, XP SP2's firewall is a big
joke.... IMHO (and also OneCare's firewall), ALL traffic must be
user controlled, also "calling mum" traffic.....example WGA ;(

This is a good commercial firewall
http://www.sunbelt-software.com/Kerio.cfm

Zone Alarm (please note that there has been trouble with the latest version,
please check ZA's forum)

http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp?dc=12bms&ctry=&lang=sv

Sygate and others
http://www.pcworld.com/downloads/file_description/0,fid,8132,RSS,RSS,00.asp

Testing procedure:
https://www.grc.com/x/ne.dll?bh0bkyd2 > Proceed

and

http://www.grc.com/lt/leaktest.htm

Done.... !

regards
plun
 
Bill Sanderson MVP

Plun - I think that the documentation for the released version of WGA
notification is very clear about what it communicates.

--
 
Bill Sanderson MVP

OK - then the source of your error message is not a software firewall
preventing something from talking out--the Windows firewall doesn't do that.
--
 
Bill Sanderson MVP

This is a "concurrent connection limit" message, right?

Are you running bittorrent, or any other peer-to-peer application?

Are you running software that allows others to use some of your bandwidth at
times--I think examples may include some VOIP applications as well as
peer-to-peer apps?
 
plun

Hi Bill

Sweden was one of the first countries in which MS tested this.
It was Sweden, Norway and Denmark as I recall it.

My wgatray.exe is dated November 2005...... ;) MS has NEVER told me or
any other user about the purpose of this application, ie SPYWARE !

Within Swedish forums this was discussed a lot, the "Big bang" came
when the US got this.

It IS my right to know every single connection, and of course what's
transferred. I do NOT disagree about the problem with pirated software.

This IS stupid with One Care !

http://news.com.com/Microsofts+OneCare+firewall+draws+fire/2100-1029_3-6033589.html


MS must be open and this seems to be old fashioned Gates/Ballmer
"bullshit". I really hope that Ballmer finds something else to do.

I also really hope that Ray Ozzie can make this situation better !!

And perhaps...... this is also about the rubbish with notifys and 3rd
party apps.

http://www.eweek.com/article2/0,1895,1991316,00.asp

It's high time to leave this junk world !!!!

MS don't need to "trick users" into "illusions", their software
beats everything and that's it, really great, but something went
wrong....??

regards
plun
 
Guest

Bill Sanderson MVP said:
This is a "concurrent connection limit" message, right?

I believe so (as far as I understand it, which isn't very far).
Are you running bittorrent, or any other peer-to-peer application?
Are you running software that allows others to use some of your bandwidth at
times--I think examples may include some VOIP applications as well as
peer-to-peer apps?

I think the answer to all those questions is no, Bill (I don't know what a
VOIP application is, but I presume I would, if I was?).

Referring back to Plun's comments about the firewall: on a previous computer
I used to run a McAfee firewall, but almost all the questions it used to ask
me, I couldn't answer and just had to guess whether to say yes or no. That
seemed a pointless kind of protection. I had all sorts of problems with it
crashing, too. I never trusted it. So it seemed to me I'd do less damage by
using the Windows firewall.
 
Bill Sanderson MVP

VOIP means a voice over IP telephony application. Now I can remember what I
was thinking of--I believe Skype, which is such an app, uses additional
connections to and from your system, even when you aren't using the service.

Now I think of it, Windows Live Messenger has some voice capabilities that
I've never looked at...

I can understand your feelings about the firewall completely--and those are
a major reason why the Windows firewall only deals with incoming traffic.
The Windows Live OneCare firewall does deal with both incoming and outgoing
traffic, and it has those same issues--it compromises by assuming that
signed code is safe to allow out--but I regularly see users perplexed about
why, say, Firefox doesn't work suddenly--and the reason is that an update
came in, the versioning on the executables changed, the OneCare firewall
raised a dialog about whether to allow the new version to communicate out,
and the user chose NO--an appropriate knee-jerk reaction, I believe. This
just isn't an easy problem to solve.

I suspect in the end that your log messages will have some mundane cause
that won't be any cause for concern--but I don't have a suggestion for you
about how to spot what app is the root cause--I'm going to dig a bit more
and see if I can spot how to figure this out--but it may not be easy to do
with something this ephemeral.

--
 
Bill Sanderson MVP

I read the OneCare piece--old news. Roger Grimes, who is quoted, is another
MVP. I don't disagree that this policy setting seems crude--but there's a
message in these groups that I responded to today, illustrating the
difficulty of having a two-way firewall that is suitable for all levels of
consumers--this just isn't easy to do--and some major differences from what
would be done in a corporate firewall are to be expected.
 
Guest

I don't have a suggestion for you
about how to spot what app is the root cause--I'm going to dig a bit more
and see if I can spot how to figure this out--but it may not be easy to do
with something this ephemeral.

Thanks Bill - any ideas gladly received!

In the meantime I'm trying an experiment. I have an ATI graphics card, and I
notice that the ATI Catalyst Centre runs two versions of cli.exe which -
according to my Googling - have a habit of calling home. And indeed I notice
that there are sometimes entries in its log about 'existing connections being
closed by the remote host' when I'd have thought there was no good reason for
such a connection to exist. So I've shut them both down at startup (they seem
completely useless to me as running processes, so far), and I'll see if my
Tcpip warnings stop.

If they don't, then I guess that one way forward might be to install
ZoneAlarm and watch carefully what programs are requesting outside access at
the time the Tcpip warnings occur.

This whole business is a bottomless pit, it seems to me, in which anyone
could get hopelessly lost. What happened to those good old days when, in my
ignorance, I just used my computer for the things I'd bought it for?
 
JRosenfeld

Alan said:
I don't have a suggestion for you

Thanks Bill - any ideas gladly received!

In the meantime I'm trying an experiment. I have an ATI graphics
card, and I notice that the ATI Catalyst Centre runs two versions of
cli.exe which - according to my Googling - have a habit of calling
home. And indeed I notice that there are sometimes entries in its log
about 'existing connections being closed by the remote host' when I'd
have thought there was no good reason for such a connection to exist.
So I've shut them both down at startup (they seem completely useless
to me as running processes, so far), and I'll see if my Tcpip
warnings stop.

If they don't, then I guess that one way forward might be to install
ZoneAlarm and watch carefully what programs are requesting outside
access at the time the Tcpip warnings occur.

This whole business is a bottomless pit, it seems to me, in which
anyone could get hopelessly lost. What happened to those good old
days when, in my ignorance, I just used my computer for the things
I'd bought it for?

You could use a little Sysinternals utility, TCPView; keep it running
always on top for a while, it shows all TCP activity.

http://www.sysinternals.com/Utilities/TcpView.html

Download the zip, extract to a suitable folder, double click on tcpview.exe.
It does not install as such; to remove, just delete the files.
 
Bill Sanderson MVP

That's an excellent suggestion. The other piece we need--and maybe
something in performance monitor can do this--is something to alert the user
when the 4226 entry is written to the log.

--
 
plun

Hi

Well, gentlemen

If this is a "calling mum/home" connection the only way is to
"catch" specific application with a firewall.

Nearly all "real" firewalls can be set in alert mode without
remembering a specific application rule, for example to check WGAtray.exe which
makes a short connection directly after start.

With TCPView a user only sees ongoing connections and perhaps
with a little luck it's possible to identify this connection.

Nevertheless it can be confusing with all ongoing connections, for
example with svchost.exe.

I also believe that this is important to know because of all the
trojans and downloaders; if an antivirus or antispyware program doesn't
detect a specific trojan, it's often possible to block this infestation with
a real firewall.

So a firewall is one key for defence in depth with then several
"layers"/shields.

And of course there are a lot of users who run everything in
"automagic" mode and are happy with that.

regards
plun
 
Bill Sanderson MVP

I don't think this is a "calling home" type connection. This error is
raised only when more than 10 "half-open" connections exist from a single
app. This is typical of peer to peer apps, and perhaps other apps that use
similar techniques for spreading the load of a transfer of some sort across
a distributed peer network.

So I suspect that a list of installed or running software might tip us off
to what the source is.

--
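An added example, not code from this thread or from any of its posters, tying Bill's explanation above (4226 fires on more than 10 half-open outbound attempts from one process) to Alan's original complaint that `netstat` only shows what is open now: a Python script that parses `netstat -ano` output, counts SYN_SENT sockets per PID, and can poll with timestamps so a 4226 warning seen later in Event Viewer can be matched to the PID that was over the limit at that moment. It assumes the Windows `netstat -ano` column layout; the sample output is constructed.

```python
import subprocess, sys, time
from collections import defaultdict
# A half-open outbound attempt is a socket in SYN_SENT; XP SP2's stack writes
# Tcpip Event ID 4226 when more than LIMIT of them are pending at once.
HALF_OPEN_STATE, LIMIT = "SYN_SENT", 10

def parse_netstat(text):
    """Map PID -> [(local, remote, state)] from 'netstat -ano' output.
    Assumes the Windows layout Proto/Local/Foreign/State/PID; UDP rows lack State."""
    conns = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].upper() == "TCP":
            _, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0].upper() == "UDP":
            (_, local, remote, pid), state = parts, ""
        else:
            continue  # header, blank line or unrecognised row
        if pid.isdigit():
            conns[int(pid)].append((local, remote, state))
    return dict(conns)

def half_open_per_pid(text):
    """Count SYN_SENT sockets per PID (0 for PIDs with none)."""
    return {pid: sum(st == HALF_OPEN_STATE for _, _, st in rows)
            for pid, rows in parse_netstat(text).items()}

def suspects(text, limit=LIMIT):
    # PIDs over the 4226 threshold: more than `limit` half-open attempts at once
    return sorted(pid for pid, n in half_open_per_pid(text).items() if n > limit)

# Constructed sample, not real output: PID 1840 has 11 SYN_SENT sockets.
SAMPLE = "\n".join(
    ["", "Active Connections", "",
     "  Proto  Local Address          Foreign Address        State           PID",
     "  TCP    192.168.1.5:1300       203.0.113.9:443        SYN_SENT        1240"]
    + [f"  TCP    192.168.1.5:{1100 + i}  198.51.100.{i + 1}:6881  SYN_SENT  1840"
       for i in range(11)])

def watch(interval=30):
    """Windows only: timestamped half-open count per PID every `interval` seconds."""
    while True:
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for pid, n in sorted(half_open_per_pid(out).items()):
            print(f"{stamp} pid={pid} half-open={n}", "OVER LIMIT" if n > LIMIT else "")
        time.sleep(interval)

if __name__ == "__main__" and "--watch" in sys.argv:
    watch()
```

Run it with `--watch` on the machine that logs the warnings and redirect the output to a file; the timestamp of the next 4226 entry then points at the PID, which Task Manager or `tasklist` maps to an executable name.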
 
Guest

Bill Sanderson MVP said:
I don't think this is a "calling home" type connection. This error is
raised only when more than 10 "half-open" connections exist from a single
app. This is typical of peer to peer apps, and perhaps other apps that use
similar techniques for spreading the load of a transfer of some sort across
a distributed peer network.

So I suspect that a list of installed or running software might tip us off
to what the source is.

Bill, how much information would be needed? It's easy enough to copy a list
of the names of running processes from Defender - would that be enough, to
spot a likely candidate?
 