LMS.exe Help

patsfan03 · January 4, 2011, 10:16pm

Hi:
Could someone please advise me on this topic? I have recently installed Comodo Fire Wall on 4 Computers, all on a home network. The firewall active connection list for the desktop has LMS.exe listening on 978 different ports? (C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [1936]).

None of the other laptops show LMS listening at all. All 4 have intel processors. 2 have Core i3’s, 1 has a Core i5 and the last is a Duo2. The desk top is one of the i3’s. I mention this because I understand LMS.exe is an intel process.

Does anyone have any ideas? I’ve Googled LMS.exe and I seen some info on it listening on a couple of ports, but 978 different ones doesn’t seem right. Any help is much appreciated.
Thanks,
DS

_{Edit by EricJH: I removed the underlines and made a basic paragraph structure for an easier and more efficient read}

Jacob · January 4, 2011, 10:22pm

Hello; do you have any other security software installed?

Jake

patsfan03 · January 4, 2011, 10:38pm

Hi Jake: I have Ad-Aware Free 9.0 & Malewarebytes. These are on the other computers also. I’ve scaned with these too.
Thanks,
DS

Citizen_K · January 5, 2011, 1:50am

978 ports? That’s a lot. Are all computers using the same version of LMS.exe?

Can you check with the Comodo Cloud to see if it a safe program? Try uploading it to Virus Total and see what 40+ scanners think whether it is malicious or not.

In case LMS.exe is a digitally signed application you can check its signature. See attached image.

[attachment deleted by admin]

patsfan03 · January 5, 2011, 6:23pm

978 ports? That’s a lot. Are all computers using the same version of LMS.exe?

Can you check with the Comodo Cloud to see if it a safe program? Try uploading it to Virus Total and see what 40+ scanners think whether it is malicious or not.

In case LMS.exe is a digitally signed application you can check its signature. See attached image.
Thanks for the Reply Eric:

Cloud and Virus Total came out clean.
both Core I3 Machines have LMS.exe ver. 6.0.0.1184 256kb 9/30/2009. They both came with Windows 7 Home Premium 64 bit, however I did upgrade the Desktop (the one with the issue) to Proffesional so I could install Windows Virtual PC and XP mode. Both of these computers were bought on the same day 5/30/2010. The desktop is connected to router by cable. All the others are wireless.
The Core I5 laptop has LMS.exe ver. 6.0.0.1189 262kb 11/4/2009. This laptop came with Windows 7 Proffessional. Neither of the laptops show LMS.exe listening.

patsfan03 · January 5, 2011, 6:38pm

Sorry for the second post but I got timed out before so I figured I would split it in two.
I did a reboot about an hour ago. LMS.exe showed up listening on 3 ports right away. Within 5 minutes it was up to 36, although port 16992 was listed 10 times (separate entries), within 15 min. it was up to 42, a 1/2 hour it was up to 82, and at 1 hr. itwas at 122. As far as I can tell 16992 was the only one that was repeated. Now it is at 152 seperate entries of LMS.exe listening. A lot of time it list a sequential port, like 56459 then 56450, but not all the time. UNS.exe is also listening on port 49183. I understand this is another Intel Product. LMS or UNS are not listening on any of the other computers. Any ideas?
Thanks,
DS

Jacob · January 5, 2011, 7:50pm

Hello patsfan03

I apologize for the late response;

Can you run the this : Comodo Forum

and this: Speccy - Free Download (After downloaded Please go to File > Save as Txt

and attach it to your next reply;

I’m going to do a little more research; so far you can disable LMS temporarily of course.

Jake

patsfan03 · January 5, 2011, 9:12pm

Hi Jake: I just did another reboot and here is how the LMS.exe entries came up.
Listening on port 49180, then 49181, then 4 entries in a row for port 16992, then 49191, then…92, then 4 time again for 16992, then 49220, then…21

I googled port 16992 and found out that “Intel AMT listens on TCP ports 16992”

The reports are attached:

Thanks for your help,
DS

Edit: Removed Attachments for Privacy Concerns but I have downloaded them - Jacob

Jacob · January 5, 2011, 11:50pm

Hi;

How do you connect to the internet? Ethernet? Wifi/Wireless?

If you do not use any of the following features then you can simply disable the feature in your BIOS(Start PC > Del/ or F2 or F12) and/or Services (Start > Run services.msc)

[i] * Management over the Network * Remote Asset (Hardware and Software ) Inventory * Remote Diagnostic and repair (even if laptop is off or down) * Agent Presence Checking (isolate corrupted laptops) * Encrypted software update (w/ remote power-on). * System isolation and recovery (Use hardware to filter inbound and outbound traffic, except management traffic) * Dedicated Flash memory (Firmware + Inventory + ISV Data)[/i]

If you do use wireless intel app then you’ll have to use Windows Built-in wireless connection wizard if you disable this service.

From what i see of the PSC-Exam; Your system is clean (Few things could be disabled for better performance but lets not get into that)
The other log was to see your motherboard that is all

Hope this helps

Any questions?

Jake

patsfan03 · January 6, 2011, 2:27am

The desktop connects by ethernet cable to a D-Link Dir-655 Router. Laptops are WiFi private network with file sharing.
Defense + gave me these warnings in the begining

2011-01-03 15:56:27 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe Scanned Online and Found Safe
2011-01-03 15:54:30 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe Modify File \Device\Afd\Endpoint
Here are some activity screen shots of all firewall activity.
Thanks again,
DS

[attachment deleted by admin]