"Active Connections" list showing bogus listeners

(I also posted this on the forum topic for CIS 3.10 issues, as noted in the sticky post above).

Hi guys. I think I have a bug here, with the “View Active Connections” window.

It shows listening ports that aren’t real. The app is shown as “Windows Operating System”, the protocol is TCP, and then it’ll say “Listening: 1030”, for example, where 1030 is the port number.

When I run “netstat -an”, there’s no evidence of these listeners, so it appears to be a bug in CIS’s “Active Connections” window.

Note the port number, 1030. Other example ports have been 1055, 1071, 1095… which look like “ephemeral” port numbers that some app probably used in the recent past to make a connection to somewhere, a connection that’s long since closed and gone, but which CIS is somehow now showing as a currently-active listener.

This happens only occasionally, and has only happened since the 3.10 CIS upgrade. When it happens, I usually get several of these bogus listening entries (4 of them is common). Can someone have a look?

I’m running CIS 3.10.102363.531 on 32-bit Win XP Media Center Edition, SP3.


Hi puddingpants.

If you want to find out a little more about these processes, take a look here:

Windows Operating System / System Idle Process in Logs [Merged Threads]

There are quite a few pages, but it should help clarify the situation.

Okay, this is definitely a CIS bug, it seems.

When you start Firefox, it opens 2 listeners on localhost. I have no idea why, but it does.

When you exit Firefox, they’re closed, and ordinarily they immediately disappear from CIS’s “Active Connections” list.

For me, today, they weren’t disappearing. Each time I closed Firefox, both listeners closed in reality, but one of the two would remain showing in the CIS “Active Connections” list, often with its “owner” name changing (for example, to “Windows Operating System”).

I had 4 of these bogus listeners displayed, because I had likely closed Firefox 4 times already that day.

The real evidence came when I closed my 5th Firefox session. Firefox closed and both its listeners closed in reality, as usual. But one of its two listeners then became “stuck” in the CIS “Active Connections” screen just like what had happened the last 4 times, but unlike the other 4, it still showed “Firefox” as its owner… even though Firefox wasn’t running anymore.

I logged out of my XP account and back in. Still had 5 bogus listeners, but now all 5 were owned by “Windows Operating System”.

I logged out and into another XP account, and still had the 5, but now the older 4 were “Windows Operating System” and the latest was now incorrectly shown as “cfp.exe”, part of CIS itself!

So this seems to definitely be a CIS bug with handling connection data and generating this list for display.

I rebooted the machine, and it’s fine now. Both Firefox listeners now disappear from the “Active Connections” list whenever I exit Firefox.

However, this has happened before. Can someone look into it, and fix it? It’s mostly an annoyance, but it makes me worry what ELSE may not be working in CIS that isn’t so obvious…
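
The cross-check described in this thread (ports shown as listening in the "Active Connections" window, compared against `netstat -an`), as an added example that is not part of the original posts and is not CIS code. The netstat text is a constructed sample, and the function names and result labels are hypothetical.

```python
# Added example: flag firewall-GUI "listening" entries that the OS does not back.
# SAMPLE_NETSTAT is constructed for illustration (Windows `netstat -an` layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1071         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1102         127.0.0.1:1103         ESTABLISHED
  TCP    192.168.1.10:1030      203.0.113.5:80         TIME_WAIT
  UDP    0.0.0.0:1055           *:*
"""


def parse_netstat(text):
    """Return {local_port: set_of_states} for the TCP rows of netstat output."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        # TCP rows have 4 columns (-an) or 5 (-ano adds a PID); UDP rows have
        # no state column, and headers or blank lines do not start with TCP.
        if len(fields) not in (4, 5) or fields[0].upper() != "TCP":
            continue
        port = fields[1].rsplit(":", 1)[-1]  # rsplit also copes with [::]:135
        if port.isdigit():
            ports.setdefault(int(port), set()).add(fields[3].upper())
    return ports


def check_reported_listeners(reported_ports, netstat_text):
    """Classify each port the GUI lists as a TCP listener against the OS view."""
    tcp = parse_netstat(netstat_text)
    result = {}
    for port in reported_ports:
        states = tcp.get(port, set())
        if "LISTENING" in states:
            result[port] = "confirmed"      # a real listener exists
        elif states:                        # port in use, but not listening
            result[port] = "not listening (" + ", ".join(sorted(states)) + ")"
        else:
            result[port] = "stale"          # no TCP socket on this port at all
    return result


if __name__ == "__main__":
    # Ports the first post says the GUI showed as "Listening".
    for port, verdict in check_reported_listeners([1030, 1055, 1071, 1095], SAMPLE_NETSTAT).items():
        print(port, verdict)
```

On a live machine, pass the captured output of `netstat -an` in place of the sample; entries that come back as "stale" are the ones worth attaching to a bug report.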