Unknown download activity in background - how to determine what it is?

Thread started by Doc on 07-28-2007.
Posted by Kerry Brown on July 29, 2007, 1:44 am
> Kerry Brown wrote:
>
>>
>>> Kayman wrote:
>>>
>>>
>>>> and scroll down to:
>>>> Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe.
>>>
>>>
>>> That article itself is baloney. It is true that any malware can
>>> circumvent a firewall's outbound protection but it is also true that a
>>> lot of malware is detected by firewall outbound monitoring. The
>>> outbound monitoring also alerts you when otherwise legitimate software
>>> is trying to call home. Perhaps you like it better when things like
>>> Media player call home without your knowledge, a pesky annoyance that
>>> you should be aware of things like that.
>>>
>>> The article states:
>>>
>>> "Speaking of host firewalls, why is there so much noise about outbound
>>> filtering? Think for a moment about how ordinary users would interact
>>> with a piece of software that bugged them every time a program on their
>>> computer wanted to communicate with the Internet..." What a pile of
>>> baloney!"
>>>
>>> Firewall have rules, it appears no one at Microsoft knows this, which
>>> isn't really surprising to tell you the truth. Microsoft's logic is
>>> that "you don't need seat belts if you have airbags". And you don't
>>> need to know what it is that things like Media Player doing. Baloney
>>> indeed!
>>>
>>
>>
>> There is no way a software firewall can guarantee it will stop outbound
>> traffic on the computer it is running on regardless of the OS. Software
>> firewalls can be useful for stopping programs communicating outbound
>> through normal channels. That's it, period. The fact that some firewalls
>> notify you about malware communicating out is a function of how poorly
>> the malware is programmed not the firewall. Intel motherboards can
>> communicate through the onboard NICs at the BIOS level with no OS present.
>> Rootkits can easily modify all traffic going through any NIC in the
>> computer. Malware running in Windows can easily corrupt traffic from
>> legitimate programs. Malware can even create its own TCP/IP stack and
>> bypass Windows (or other OS') networking stack altogether. Virtual server
>> software is capable of spoofing a MAC and getting multiple IP addresses
>> for one NIC from a DHCP server. What makes you think malware can't do the
>> same type of thing?
>
> All that you say is true and I never said or argued otherwise. But
> software firewalls that monitor outbound connections can be useful and can
> help to keep some applications in check, just because the Microsoft
> firewall can't do it doesn't mean that all others are not good.
>


You said that this: "Myth: Host-Based Firewalls Must Filter Outbound Traffic
to be Safe." was baloney. It is not. You are talking about privacy not
safety. Software firewalls do nothing to improve your safety. They may
actually decrease your safety by giving you a false sense of security. They
can as you say be used to protect your privacy. You went on to say this:
"Firewall have rules, it appears no one at Microsoft knows this" which is
also false. All of the firewalls in Microsoft OS' use rules. Some of them
don't monitor outgoing traffic but they all use rules.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca



Posted by John John on July 29, 2007, 8:30 am
Kerry Brown wrote:

> You said that this: "Myth: Host-Based Firewalls Must Filter Outbound
> Traffic to be Safe." was baloney.

I never said that and don't attribute things that I have not said to me!
Reread my post!

I quoted this from the article:

"Speaking of host firewalls, why is there so much noise about outbound
filtering? Think for a moment about how ordinary users would interact
with a piece of software that bugged them every time a program on their
computer wanted to communicate with the Internet..."

And I said that (quoted material) was baloney! A firewall monitoring
outbound connections will ask you if you want to permanently allow or
disallow the connection, you will not be "...bugged them every time a
program on their computer wanted to communicate with the Internet...".
That is false information in the article, and for some reason or other
and for some time now Microsoft has been trying to discredit *all*
firewalls except its own. What is it that Microsoft is hiding? Why are
they so adamant that users not be aware of outgoing connections on their
computers?

John

Posted by Kerry Brown on July 29, 2007, 11:50 am
> Kerry Brown wrote:
>
>> You said that this: "Myth: Host-Based Firewalls Must Filter Outbound
>> Traffic to be Safe." was baloney.
>
> I never said that and don't attribute things that I have not said to me!
> Reread my post!
>
> I quoted this from the article:
>
> "Speaking of host firewalls, why is there so much noise about outbound
> filtering? Think for a moment about how ordinary users would interact with
> a piece of software that bugged them every time a program on their
> computer wanted to communicate with the Internet..."
>
> And I said that (quoted material) was baloney! A firewall monitoring
> outbound connections will ask you if you want to permanently allow or
> disallow the connection, you will not be "...bugged them every time a
> program on their computer wanted to communicate with the Internet...".
> That is false information in the article, and for some reason or other and
> for some time now Microsoft has been trying to discredit *all* firewalls
> except its own. What is it that Microsoft is hiding? Why are they so
> adamant that users not be aware of outgoing connections on their
> computers?
>


That may have been what you intended to say but here is the relevant
snippet from your post:

--------------------------------------
"> and scroll down to:
> Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe.

That article itself is baloney. It is true that any malware can
circumvent a firewall's outbound protection but it is also true that a
lot of malware is detected by firewall outbound monitoring. The
outbound monitoring also alerts you when otherwise legitimate software
is trying to call home. Perhaps you like it better when things like
Media player call home without your knowledge, a pesky annoyance that
you should be aware of things like that."
-----------------------------------------

It sure sounds to me like you are calling the whole article baloney.

I don't presume to speak for Microsoft but personally I'm not hiding
anything. Software firewalls are a useful part of a layered security setup.
They can't be relied upon to protect you from malicious outbound traffic.
Anybody who says they can and tries to sell this to you is deceiving you.
They are selling snake oil. Software firewalls became popular because the
current versions of Windows at the time didn't have any firewall. When XP
came out with a firewall the vendors realized that they had to give people a
reason to keep buying their product. This is when they started pushing the
outbound monitoring features. Software firewalls can, and most do, give you
a level of protection against inbound attacks from unsolicited traffic. That
is all they are good for as a defense against malware. Even that can't be
relied on if something does get inside the security perimeter. Once your
security has been breached you can no longer trust anything running on the
computer. Monitoring outbound traffic does have its uses. One is as you say
to stop legitimate programs from making outbound connections that you don't
want. I don't know why Microsoft didn't include outbound monitoring in the
XP firewall. Personally I don't care as I believe it to be of limited use
anyway. Outbound monitoring is included in the Vista firewall and many other
Microsoft products like ISA server.

This is obviously something I'm passionate about :-) Don't take it as a
personal attack. Whenever I see a post espousing the usefulness of software
firewalls I am compelled to point out the fallacy of this approach to
security.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca
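Kerry's two technical claims above (every Microsoft firewall is rule-based, and the Vista firewall can filter outbound traffic) can be checked directly. The following is an added example and is not part of the thread or of any Microsoft documentation: it uses the `netsh advfirewall` context that exists on Windows Vista and later to set a default-deny outbound policy, allow one program out, explicitly block another (the "Media Player calling home" case John raised), and turn on dropped-packet logging. The program paths are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example, not from the thread: default-deny outbound on Windows Firewall
# with Advanced Security (Vista and later), enforced through rules.
# Program paths below are assumed for illustration; adjust to your machine.

# 1. Save the current policy so the whole change can be reverted with one import.
netsh advfirewall export "$env:TEMP\firewall-before.wfw"

# 2. Default policy for all profiles: block unsolicited inbound AND block
#    outbound unless an allow rule matches. Built-in "Core Networking" allow
#    rules (DNS, DHCP) stay enabled, so basic connectivity keeps working.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Log dropped connections. Windows Firewall does not pop up an allow/deny
#    prompt for outbound traffic; the log is where you see what was stopped.
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Per-program allow rule (assumed path).
netsh advfirewall firewall add rule name="Allow Firefox outbound" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes

# 5. Explicit block for a program you do not want phoning home (assumed path).
#    In this firewall an explicit block rule wins over any matching allow rule.
netsh advfirewall firewall add rule name="Block Media Player outbound" dir=out action=block program="C:\Program Files\Windows Media Player\wmplayer.exe" enable=yes

# 6. Verify the policy and the rules you just added.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Allow Firefox outbound"
netsh advfirewall firewall show rule name="Block Media Player outbound"

# To revert everything:
#   netsh advfirewall import "$env:TEMP\firewall-before.wfw"
```

Two things this demonstrates that the argument itself does not: the "monitoring" Kerry mentions is rule enforcement plus a log rather than an interactive prompt, and a default-deny outbound policy only stays usable because the built-in allow rules for core services remain in place, which is exactly the kind of rule set a compromised machine can still tamper with, as both posters note.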



Posted by John John on July 30, 2007, 10:45 am
Kerry Brown wrote:

>
>> Kerry Brown wrote:
>>
>>> You said that this: "Myth: Host-Based Firewalls Must Filter Outbound
>>> Traffic to be Safe." was baloney.
>>
>>
>> I never said that and don't attribute things that I have not said to
>> me! Reread my post!
>>
>> I quoted this from the article:
>>
>> "Speaking of host firewalls, why is there so much noise about outbound
>> filtering? Think for a moment about how ordinary users would interact
>> with a piece of software that bugged them every time a program on
>> their computer wanted to communicate with the Internet..."
>>
>> And I said that (quoted material) was baloney! A firewall monitoring
>> outbound connections will ask you if you want to permanently allow or
>> disallow the connection, you will not be "...bugged them every time a
>> program on their computer wanted to communicate with the Internet...".
>> That is false information in the article, and for some reason or other
>> and for some time now Microsoft has been trying to discredit *all*
>> firewalls except its own. What is it that Microsoft is hiding? Why
>> are they so adamant that users not be aware of outgoing connections on
>> their computers?
>>
>
>
> That may have been what you intended to say but here is the relevant
> snippet from your post:
>
> --------------------------------------
> "> and scroll down to:
> > Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe.
>
> That article itself is baloney. It is true that any malware can
> circumvent a firewall's outbound protection but it is also true that a
> lot of malware is detected by firewall outbound monitoring. The
> outbound monitoring also alerts you when otherwise legitimate software
> is trying to call home. Perhaps you like it better when things like
> Media player call home without your knowledge, a pesky annoyance that
> you should be aware of things like that."
> -----------------------------------------
>
> It sure sounds to me like you are calling the whole article baloney.
>
> I don't presume to speak for Microsoft but personally I'm not hiding
> anything. Software firewalls are a useful part of a layered security
> setup. They can't be relied upon to protect you from malicious outbound
> traffic. Anybody who says they can and tries to sell this to you is
> deceiving you. They are selling snake oil. Software firewalls became
> popular because the current versions of Windows at the time didn't have
> any firewall. When XP came out with a firewall the vendors realized that
> they had to give people a reason to keep buying their product. This is
> when they started pushing the outbound monitoring features. Software
> firewalls can, and most do, give you a level of protection against
> inbound attacks from unsolicited traffic. That is all they are good for
> as a defense against malware. Even that can't be relied on if something
> does get inside the security perimeter. Once your security has been
> breached you can no longer trust anything running on the computer.
> Monitoring outbound traffic does have its uses. One is as you say to
> stop legitimate programs from making outbound connections that you don't
> want. I don't know why Microsoft didn't include outbound monitoring in
> the XP firewall. Personally I don't care as I believe it to be of
> limited use anyway. Outbound monitoring is included in the Vista
> firewall and many other Microsoft products like ISA server.
>
> This is obviously something I'm passionate about :-) Don't take it as a
> personal attack. Whenever I see a post espousing the usefulness of
> software firewalls I am compelled to point out the fallacy of this
> approach to security.

To tell you the truth, Kerry, when a published article from a supposedly
authoritative source contains even only one such blatant outright lie as
the one in the above mentioned article, it casts doubts on the whole
article, one cannot rely on anything said in the article because it is
extremely prejudiced and tarnished by some of the false information it
contains. Serious publishers, researchers or technical writers would
automatically correct the false information or pull such flawed
articles. You won't see companies like Intel publishing seriously
tarnished articles like the one above.

As for "espousing the usefulness of software firewalls", if they are so
useless why did Microsoft include one in XP SP2? I wholeheartedly
agree with you that some firewall vendors are making exaggerated claims
in an attempt to sell their products and that some of the firewalls
offered by some companies are crappy products, Microsoft too at times
makes exaggerated claims to sell its products. But long before Windows
XP and Windows 2000 even came out, many users were using firewalls,
several *very* good, free personal firewalls were available and were
being used to protect computers from outside attacks.

Microsoft invented nothing new with its firewall. Companies like Kerio
and Sygate made good free firewalls long before Microsoft decided that
it could no longer ship its operating systems without basic firewall
protection, some companies still make good free firewalls. That there
are shoddy products out there is a fact, but outbound traffic detection
has *always* been one of the tasks that any good firewall does and there
is no reason to label all firewalls that do this as *useless* products
and there are even fewer reasons to label such a feature as a *useless*
feature. Firewalls do not only deal with malware, they deal with *all*
traffic, inbound and outbound, and with *all* applications. If the
firewall doesn't do outbound monitoring then novice users are left on
their own to try and detect these things, with outbound connection
monitoring even advanced experienced users are sometimes surprised to
find out that certain applications are trying to establish outbound
connections.

Sure, there are all kinds of malware that can circumvent this
monitoring, things like rootkits and what not can easily get around
firewalls. That is beside the point, firewalls are not and were never
meant to be used as virus or rootkit detectors, you need special tools
to detect and deal with those insidious pests. Anti virus software
cannot detect all or some of those pests and that is what they are
supposed to do. Should we tar all AV software as useless because they
can't detect rootkits? Strange that most persons would say no but that
they would then insist that firewalls that monitor outbound traffic are
devilishly bad because they can't detect those same rootkits or pests.

I understand that you are passionate on this subject and I don't take
your posts and comments as personal attacks. I hope that you don't take
mine as personal attacks against you or anyone else. I too am
passionate on the issue and I don't like it when good products are all
tarred at the same time with a wide brush. I am also passionate when I
read posts saying that outbound traffic monitoring is completely useless
or that it is completely unnecessary because users should not be
concerned about outbound traffic on their computers, the logic being
that only sloppy uninformed users have applications that call home, or
that you should not be concerned about legitimate applications that
might be calling home even if they have absolutely no valid reason to do
so. I am somewhat vindicated by the fact that Microsoft thought that
this feature was useful enough to include it in its Vista firewall.

John


Posted by Straight Talk on July 30, 2007, 1:27 pm
wrote:

>To tell you the truth, Kerry, when a published article from a supposedly
>authoritative source contains even only one such blatant outright lie as
>the one in the above mentioned article,

What lie?

>it casts doubts on the whole
>article, one cannot rely on anything said in the article because it is
>extremely prejudiced and tarnished by some of the false information it
>contains.

What false information?

> Serious publishers, researchers or technical writers would
>automatically correct the false information or pull such flawed
>articles. You won't see companies like Intel publishing seriously
>tarnished articles like the one above.
>
>As for "espousing the usefulness of software firewalls", if they are so
>useless why did Microsoft include one in XP SP2?

Inbound control was never useless. It's the outbound control that's so
questionable.

>I wholeheartedly agree with you that some firewall vendors are making
>exaggerated claims in an attempt to sell their products and that some of the
>firewalls
>offered by some companies are crappy products, Microsoft too at times
>makes exaggerated claims to sell its products. But long before Windows
>XP and Windows 2000 even came out, many users were using firewalls,
>several *very* good, free personal firewalls were available and were
>being used to protect computers from outside attacks.

Yes. From *outside* attacks. No one questions that they did a good job
there. But the market for PFW's arose only because MS made the big
mistake of shipping windows with exposed network services.

>Microsoft invented nothing new with its firewall.

Wrong.

>Companies like Kerio and Sygate made good free firewalls

This just shows that you don't know what you're talking about. SyGate
didn't even follow the most basic security recommendations from MS,
thereby making your system even more vulnerable.

>long before Microsoft decided that
>it could no longer ship its operating systems without basic firewall
>protection, some companies still make good free firewalls. That there
>are shoddy products out there is a fact, but outbound traffic detection
>has *always* been one of the tasks that any good firewall does and there
>is no reason to label all firewalls that do this as *useless* products
>and there are even fewer reasons to label such a feature as a *useless*
>feature.

>Firewalls do not only deal with malware, they deal with *all*
>traffic, inbound and outbound, and with *all* applications.

And this is where your argument loses completely.

>If the firewall doesn't do outbound monitoring then novice users are left on
>their own to try and detect these things, with outbound connection
>monitoring even advanced experienced users are sometimes surprised to
>find out that certain applications are trying to establish outbound
>connections.
>
>Sure, there are all kinds of malware that can circumvent this
>monitoring, things like rootkits and what not can easily get around
>firewalls.

Root kits aren't meant to get around firewalls.

>That is beside the point, firewalls are not and were never
>meant to be used as virus or rootkit detectors, you need special tools
>to detect and deal with those insidious pests.

BS. You are right that they weren't meant to *detect* these pests. But
being able to block their attempts to call home is *exactly* what PFW
vendors have claimed their products would do.

>Anti virus software cannot detect all or some of those pests and that is what
>they are
>supposed to do.

>Should we tar all AV software as useless because they
>can't detect rootkits? Strange that most persons would say no but that
>they would then insist that firewalls that monitor outbound traffic are
>devilishly bad because they can't detect those same rootkits or pests.

There's a big difference between anti-virus meant to stop a baddie
before it's allowed to run and outbound control meant to deal with the
baddie after it's too late.

>I understand that you are passionate on this subject and I don't take
>your posts and comments as personal attacks. I hope that you don't take
>mine as personal attacks against you or anyone else. I too am
>passionate on the issue and I don't like it when good products are all
>tarred at the same time with a wide brush. I am also passionate when I
>read posts saying that outbound traffic monitoring is completely useless
>or that it is completely unnecessary because users should not be
>concerned about outbound traffic on their computers, the logic being
>that only sloppy uninformed users have applications that call home, or
>that you should not be concerned about legitimate applications that
>might be calling home even if they have absolutely no valid reason to do
>so. I am somewhat vindicated by the fact that Microsoft thought that
>this feature was useful enough to include it in its Vista firewall.

I'm passionate on the issue too and don't like when the WF is labeled
as useless just because it doesn't implement useless trials to control
outbound connections.
