Please feel free to ask any questions to learn all about Computer Security.

[Guest]

[Uscom]

Hi,
can someone help me with this:
http://forums.comodo.com/general_security_questions_and_comments_not_product_related/lsassexe_is_trying_to_receive_a_connection-t43678.0.html
?
Please. 

[dangerous951]

hello-
i have accidently blocked one of my applications with comodo..and now i cant use my torrent downloader anymore..anyway i can reverse the problem?

[Ronny]

Well the most brute way would be to find the program in the policy(s) FW and or D+ and remove it so you get a new alert and apply a policy for it. Or you can remove the "block" rule once you have found the application on the network and/or computer policy.

[duoniux]

when i open tray of my CIS, there where is Proactive Defense is writen: "the defence+ has blocked ... suspicious attempt(s) so"
defense+ is blocking my other program, which i am using for usb flah sticks scaning, but the program is runing ok, so what is defence+ blocking? should i worry about that or it is doesnt mater?

there is print screen, check it out, thanks for ansvers.

[Little Mac]

duoniux,

Based on your screenshot, USBGuard.exe is trying to access the memory space of CMDAgent.exe (one component of CIS).

No matter how you set USBGuard (as Trusted App, etc), it will always be blocked from accessing CIS components.  This is a self-protection mechanism of CIS.

If USBGuard is still running fine, and you know that the application is trustworthy, then it probably isn't something to worry about.

LM

[Eragoncia]

I have some questions
1) If a person brought a new laptop or computer and is planning to connect it to the internet. What should be the first thing he/she should do?

2)How does a firewall work. It it one of the most important part of security? Why?

3)What is the difference between security software and hardware?

4)What should a person do when their computer is infected?

5)Why is it important to update your security software?

[Ronny]

I have some questions
1) If a person brought a new laptop or computer and is planning to connect it to the internet. What should be the first thing he/she should do?

Well i always install the system offline, after that i connect a USB drive with CIS on it and install CIS.
Then i connect i to the network and run windows update's as long as needed to get all the updates installed. If you don't follow this procedure and you connected to an non-firewalled internet link you have a large risk of becoming infected because of worm traffic on the internet continuously scanning and looking for hosts to infect, if your not fully patched you run a high risk of getting infected.

2)How does a firewall work. It it one of the most important part of security? Why?

It basically allows you to control any traffic in and out your computer, say a virus has made in in your system and tries to tell it's boss where to find you it has to set up some sort of connection out to the internet, poof the firewall asks you will you allow virus.exe out to internet? you answer NO and you now your infected...

3)What is the difference between security software and hardware?

Complex, a hardware firewall would probably not have caught this virus from communicating because it doesn't know which process belongs to the traffic that's being filtered.
You can perfectly protect your network perimeter with it and provide "general" protection for more systems on a network, but with today's threats you need both... (think mobile, hotspot, hotel etc).

4)What should a person do when their computer is infected?

Depending on the infection, i would suggest to save the important data, use an other system to scan that data to make sure it's clean and start with a complete fresh installation. Viruses tend to change more parameters in your system then most AV's "restore" most of them are only good to remove the active components, but that doesn't fix your changed settings it has done on your registry for example.

5)Why is it important to update your security software?

I would strike "Security" software out of the question, it's important to update all your software.

For a virus/malware to infect you it most of the time aims at vulnerabilities that are present in the OS and other applications like Browsers and their plugin's etc... so if you are running a vulnerable version of FlashPlayer  all they have to do to attack you is send you to a link with a FlashPlayer attack in it and your infected

[triplex]

Ok I figured I would give this a try and post something I am curious about. Net logon and lsass.exe
There a couple questions I had in this post, so I hope that Melih or one of the pros can help answer these questions. Thank you in advance.

I was looking around the net to safe resources and I use Black Vipers site sometimes. On the site it said it was safe to disable Net Logon for the XP Pro Service pack 3.
http://www.blackviper.com/WinXP/Services/Net_Logon.htm
I figured I would include some info about my computer. Its XP Pro, I use a cable modem, this is a home system with no other computers. I am also using the Comodo DNS severs. It was set on manual I set it to disable the Net Logon. Is this ok? Or does the Comodo DNS servers require this?


Now when I was in services, I noticed that Net logon has to do with lsass.exe
So if I disabled Net Logon should lsass.exe be showing up in the task manager and running?
I was curious if it might be the isass.exe virus so I used Process Explorer from Sysinternals to tell me what process it was. It was located in my System32 and it was showing it was Lsass.exe


So with that said it brings me to the next question. I am worried that my browser was hijacked.
Comodo alerted me that a UDP(I think it was UDP)connection was trying to be made with lsass.exe had to do with port 500, should this be happening and do I approve the request?
How do you know if your browser has been hijacked??

This .exe also shows up in my CCleaner sometimes in the registry cleaning section    mstsc.exe
(Microsoft Remote Desktop Connection)
I don't understand why it would show up since I have it disabled..



So as you can see I am a little confused. I appreciate any help.
Thanks

[triplex]

I posted above days ago and noone has responded, did I post in the wrong section?

[Ronny]

Hi Triplex,

DNS Servers do not need the Netlogon, it's only needed if "someone" needs to access your computer "Over the network", So you can safely disable Netlogon on a single user system.

Netlogon only has a dependency with "Workstation Service" so I'm not sure how you go to the lsass.exe link? based on the posts below lsass.exe should alway's be active...

http://support.microsoft.com/kb/885409

NetLogon service is disabled
If you disable the Net Logon service, a workstation no longer functions reliably as a domain member. This setting may be appropriate for some computers that do not participate in domains, but should be carefully evaluated before deployment.

http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service

Local Security Authority Subsystem Service (LSASS), is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

UDP requests with port 500 are normally assigned to VPN connections based on IPSec, do you use that and if not how did you "tweak" your firewall settings and which ip addresses are concerned with this connection? Is one of the two 127.0.0.1?

Can it be that CC can clean some "history" for terminal server client?

If you really don't want it to run it's best to add the executable to the Defense+ My Blocked Files that way it will never be able to start at all.

What symptoms do you see that make you believe your browser is hijacked?
If you search for "free antivirus" do all your legitimate links to avg/avira/avast redirect to "commercial" alternatives?

[SiberLynx]

...This .exe also shows up in my CCleaner sometimes in the registry cleaning section    mstsc.exe (Microsoft Remote Desktop Connection)
I don't understand why it would show up since I have it disabled...

Hi triplex

In addition to what Ronny pointed it would be interesting to see what CCleaner is showing  regarding mstsc.exe

I'm using CCleaner RegSeeker and RegTrash on a regular basis and never saw that one showing up.

Another thing is - despite mstsc indeed may have something to do with   Remote Desktop Connection it is probably not the Remote Connection that you mentioned being disabled

Correct me if I am wrong. You may have (and I have) the following “Remotes” disabled:

Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Help Session Manager
Remote Procedure Call (RPC) Locator
... and some other "remotes"

At the same time  mstsc.exe is a command line utility (one of them)
that belongs to Terminal Services (TS)
for connecting Terminal Servers / other remote computers. You can edit existing Remote Desktop Connection ...etc

So what about the Terminal Services, is that disabled? That one is disabled here as well.
(not that it would explain yet your “mstsc problem” even it TS is enabled)

Have you seen that mstsc.exe showing up as running?
or it is just the reference in the registry that you see in CCleaner as you mentioned?

Anyway 1st thing 1st - what are the records by CCleaner?

Cheers!

[triplex]

Hi Triplex,

DNS Servers do not need the Netlogon, it's only needed if "someone" needs to access your computer "Over the network", So you can safely disable Netlogon on a single user system.

Netlogon only has a dependency with "Workstation Service" so I'm not sure how you go to the lsass.exe link? based on the posts below lsass.exe should alway's be active...

http://support.microsoft.com/kb/885409
http://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service
UDP requests with port 500 are normally assigned to VPN connections based on IPSec, do you use that and if not how did you "tweak" your firewall settings and which ip addresses are concerned with this connection? Is one of the two 127.0.0.1?

Can it be that CC can clean some "history" for terminal server client?

If you really don't want it to run it's best to add the executable to the Defense+ My Blocked Files that way it will never be able to start at all.

What symptoms do you see that make you believe your browser is hijacked?
If you search for "free antivirus" do all your legitimate links to avg/avira/avast redirect to "commercial" alternatives?

I thought either someone hijacked my browser or someone is remote accessing my computer.
When I searched Free antivirus everything seems to be fine.

Hi triplex

In addition to what Ronny pointed it would be interesting to see what CCleaner is showing  regarding mstsc.exe

I'm using CCleaner RegSeeker and RegTrash on a regular basis and never saw that one showing up.

Another thing is - despite mstsc indeed may have something to do with   Remote Desktop Connection it is probably not the Remote Connection that you mentioned being disabled

Correct me if I am wrong. You may have (and I have) the following “Remotes” disabled:

Remote Access Auto Connection Manager
Remote Access Connection Manager
Remote Desktop Help Session Manager
Remote Procedure Call (RPC) Locator
... and some other "remotes"

At the same time  mstsc.exe is a command line utility (one of them)
that belongs to Terminal Services (TS)
for connecting Terminal Servers / other remote computers. You can edit existing Remote Desktop Connection ...etc

So what about the Terminal Services, is that disabled? That one is disabled here as well.
(not that it would explain yet your “mstsc problem” even it TS is enabled)

Have you seen that mstsc.exe showing up as running?
or it is just the reference in the registry that you see in CCleaner as you mentioned?

Anyway 1st thing 1st - what are the records by CCleaner?

Cheers!

I have never seen it running before. It shows up in my CCleaner for the Registry..why would it be there? I didnt run anything to have it show up. Unfortunately I do not have a log of what came up... If it shows up again I will be sure to post.

[Little Mac]

Perhaps I can help provide some explanation...

What you are disabling using BlackViper's settings/recommendations are *services* which are not necessarily the same as *executables.*  In that I mean that a service is something which has at its core an executable and various support structure (DLL, SYS, etc).  It will run according to parameters (Automatic, Manaul, etc).  Disabling various "Remote" services does not mean you have removed executables from the system, nor that they are even connected.  The entry for mstsc.exe should be found in Windows/System32, signed by Microsoft - it is the application for use in Terminal Services (on a server) or Remote Desktop Connection (on a workstation).  If you go to Start/Run and type "mstsc.exe" (no quotes) you will have a window open wherein you would enter an IP address on your network and be able to Connect to that system to log on with appropriate credentials.  Just because mstsc.exe is on your system does not mean that anything is running.  The ability to receive requests for such inbound requests can be controlled by right-clicking My Computer icon, select Properties/Remote and check or uncheck box in lower half of window, "Allow users to connect remotely to this computer." 

As far as lsass.exe (which should also be in Windows/System32 and signed by Microsoft), this is a core/critical Windows executable which should not be messed with.  Finding a way to deny lsass.exe (such as through CIS, or various services) will disable critical system functionality.  Please keep in mind, however, that there are many malwares which try to fool the user into thinking they are the legit lsass.exe, or else attempt to hijack/inject lsass.exe to subvert it for their own use.  In the event of the former, these are usually easy to detect because they won't be in the correct location, the name will be slightly different, and so on.   It's also very easy to get paranoid about the file's authenticity, where it's probably not always warranted - don't go too crazy with it.

Hope that helps some,

LM

[engelis]

Oki im new one in this all
When used Kaspersky Internet security 2010 got hacked 7 emails and all my game accounts.
With COMODO free version is inaf to protect my PC from hackers?
And when i start any game it shows (Instal global hook) and somthing about keyloger.
Is that keyloger or false positive?

Using Windows 7

[SiberLynx]

Oki im new one in this all
When used Kaspersky Internet security 2010 got hacked 7 emails and all my game accounts.
With COMODO free version is inaf to protect my PC from hackers?
And when i start any game it shows (Instal global hook) and somthing about keyloger.
Is that keyloger or false positive?

Using Windows 7

Hi engelis,

Welcome to the forum

Unfortunately that is impossible to answer your question.

1) You did not provide practically any information about your system
Win 7 ... What platform? What parts of Kaspersky were active? Were there any other security in place?
What specifically were you running? Were you using official  servers to play?
Were you using some kinds tweaks & tricks &... probably  cracked game... hmmm
The list of question can be quite extensive..., so I will stop...

2) "That keylogger?" ... What keylogger?  

How can we know what was (is) a suspect as a keylogger?
It was probably not a keylogger? Or you did install it despite some warnings....

3) Kaspersky Suite actually is very good Suite with some extremely sophisticated features. It can protect you IF you learn and know how to use it...
... and if you know how to present information when you are asking questions

4) the same applies to Comodo or any other security

Can Comodo protect you from hackers and keyloggers? - Yes

.... and at the same time definite No - Comodo will not protect you -  it  cannot do that ....

... IF you don't know how to set it up and use.

5) There is no such security out there that can protect you IF you do not follow the rules / setting up rules correctly / and use additional layers of protection ( there are many in addition to what Comodo is offering currently)

6) as for the games in particular, as far as I know the "Game Mode" is still in Comodo's Wish List , - on the contrary other security out there already providing such mode and that works perfectly

Please provide detailed information about what happened, otherwise I can tell you with 100% serenity No - none of the existing security can protect you because 99.999%  depends on users' own experience of correctly using layered security that is correctly set up, plus user's habits of using surfing / gaming / and the Operating System as a whole

My regards

[Tags:]