Mon, Apr 09, 2007 11:01 pm

Anomalous Windows XP Firewall Rules

When checking the settings of the built-in Windows Firewall on a Windows XP Service Pack 2 system tonight, I found several anomalous firewall rules.

When I checked the firewall openings with the netsh firewall show state command, I didn't see anything unusual.

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
135    TCP       IPv4     (null)
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
9370   UDP       IPv4     C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
3389   TCP       IPv4     (null)
445    TCP       IPv4     (null)
22     TCP       IPv4     C:\Program Files\Network\OpenSSH\usr\sbin\sshd.exe

Nor did I see anything unusual when I issued the command netsh firewall show portopening.

C:\>netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
22022  TCP       Enable   OpenSSH
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
3389   TCP       Enable   Remote Desktop

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
3389   TCP       Enable   Remote Desktop

However, when I went to the GUI for configuring the firewall to correct a mistake I had noticed in the firewall configuration, I saw DwnMaster listed. I didn't know what that program was nor why it needed a firewall rule.

[Screenshot: DwnMaster firewall rule]

Double-clicking on DwnMaster showed that the program associated with the firewall rule was syst.exe in C:\WINDOWS\Temp.

[Screenshot: DwnMaster using syst.exe]

When I checked to see if syst.exe was running, I didn't see evidence of it running.

C:\>tasklist /fi "imagename eq syst.exe"
INFO: No tasks running with the specified criteria.

When I checked for the file itself, I found it, but it was zero bytes in length. I presume it was truncated during an earlier antivirus or antispyware scan of the system.

C:\>dir c:\windows\temp\syst.exe
 Volume in drive C has no label.
 Volume Serial Number is 909B-3E78

 Directory of c:\windows\temp

02/02/2007  03:32 AM                 0 syst.exe
               1 File(s)              0 bytes
               0 Dir(s)  57,556,082,688 bytes free

Looking at the "allowed programs" list for the firewall, I noticed another unusual entry, C:\win.com.

C:\>netsh firewall show allowedprogram


Allowed programs configuration for Domain profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   DwnMaster / C:\WINDOWS\Temp\syst.exe
Enable   TCP / C:\WIN.COM
Enable   Logitech Desktop Messenger / C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   restorea0 / c:\windows\system32\restorea0.exe
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   Logitech Desktop Messenger / C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

The rule was named simply "TCP", apparently chosen so that it would not stand out as a possible malware entry.

[Screenshot: TCP firewall rule]

I wouldn't expect to find a win.com file in the root directory of a Windows XP system.

[Screenshot: TCP using win.com]

It, too, was a zero-byte file when I checked, so it may likewise have been truncated by a previous antivirus or antispyware scan of the system.

C:\>dir c:\win.com
 Volume in drive C has no label.
 Volume Serial Number is 909B-3E78

 Directory of c:\

02/09/2007  02:47 AM                 0 WIN.COM
               1 File(s)              0 bytes
               0 Dir(s)  57,555,771,392 bytes free

Another allowed program that looked suspicious was restorea0 in c:\windows\system32\. When I looked for it, it was not on the system at all, so it may have been removed entirely by antivirus or antispyware software earlier. At FKIYY.EXE Spyware Remove, I found restorea0.exe listed as one of many alternative names associated with malware detected by Prevx.

At SYST.EXE Spyware Remove, Prevx lists syst.exe as being associated with Trojan Downloader Small yt. At WIN.COM Spyware Remove, win.com is linked to Adware Virtumonde.
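The three entries above share traits that can be checked mechanically: a program under a Temp directory, a program sitting in the drive root, a rule name that says nothing about the program, and an image that is missing or zero bytes on disk. The script below is an added example, not code from the original post; it parses the allowed-program listing reproduced above (a constructed copy of the post's netsh output) and flags entries with those traits. The file sizes it uses are a constructed stand-in for os.path.getsize() on the affected machine, and the list of "generic" rule names is an assumption, not a Windows convention.

```python
"""Audit 'netsh firewall show allowedprogram' output for suspicious exceptions."""
import os
import re
from pathlib import PureWindowsPath

# Constructed sample: the allowed-program listing from the post, pasted verbatim.
SAMPLE_OUTPUT = r"""
Allowed programs configuration for Domain profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
Enable   DwnMaster / C:\WINDOWS\Temp\syst.exe
Enable   TCP / C:\WIN.COM
Enable   Logitech Desktop Messenger / C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   restorea0 / c:\windows\system32\restorea0.exe
Enable   Remote Assistance / C:\WINDOWS\system32\sessmgr.exe
"""

# Constructed stand-in for os.path.getsize() on the affected machine. The two
# zero-byte entries and the missing restorea0.exe mirror the post; the other
# sizes are made up. None means "not on disk".
SAMPLE_SIZES = {
    r"c:\windows\system32\sessmgr.exe": 140800,
    r"c:\windows\temp\syst.exe": 0,
    r"c:\win.com": 0,
    r"c:\program files\logitech\desktop messenger\8876480\program"
    r"\logitechdesktopmessenger.exe": 301056,
    r"c:\windows\system32\restorea0.exe": None,
}

PROFILE_RE = re.compile(r"^Allowed programs configuration for (\w+) profile:")
ENTRY_RE = re.compile(r"^(Enable|Disable)\s+(.+?) / (.+)$")
# Rule names that say nothing about the program. A label like "TCP" is only a
# heuristic hint; this set is an assumption, not a Windows convention.
GENERIC_NAMES = {"tcp", "udp", "ip", "http", "windows", "system", "service", "network"}


def parse_allowed_programs(text):
    """Yield (profile, mode, name, program) from netsh firewall show allowedprogram."""
    profile = None
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            continue
        m = ENTRY_RE.match(line.strip())
        if m and profile:
            mode, name, program = m.groups()
            yield profile, mode, name.strip(), program.strip()


def live_file_size(path):
    """Real size probe for use on the Windows host being audited."""
    return os.path.getsize(path) if os.path.isfile(path) else None


def audit(text, file_size):
    """Return {(profile, name, program): [reasons]} for exceptions worth a look.

    file_size(path) returns the size in bytes, or None when the file is absent.
    """
    findings = {}
    for profile, _mode, name, program in parse_allowed_programs(text):
        reasons = []
        path = PureWindowsPath(program)
        dirs = [p.lower() for p in path.parts[1:-1]]  # directories only, not the file
        if any(d in ("temp", "tmp") for d in dirs):
            reasons.append("program lives in a Temp directory")
        if len(path.parts) == 2:  # ('C:\\', 'WIN.COM'): directly under the drive root
            reasons.append("program sits in the drive root")
        if name.lower() in GENERIC_NAMES:
            reasons.append(f"generic rule name {name!r} hides what the program is")
        size = file_size(program)
        if size is None:
            reasons.append("file not found on disk")
        elif size == 0:
            reasons.append("zero-byte file (likely neutered by a scanner)")
        if reasons:
            findings[(profile, name, program)] = reasons
    return findings


if __name__ == "__main__":
    # On a live XP box, feed the real netsh output and live_file_size instead.
    report = audit(SAMPLE_OUTPUT, lambda p: SAMPLE_SIZES.get(p.lower()))
    for (profile, name, program), reasons in report.items():
        print(f"[{profile}] {name} -> {program}")
        for reason in reasons:
            print("    -", reason)
```

On the machine itself, replace SAMPLE_OUTPUT with the stdout of `netsh firewall show allowedprogram` and pass live_file_size; the two legitimate entries (Remote Assistance and Logitech Desktop Messenger) produce no findings, while the three from the post are each flagged for the reasons discussed above.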

[/os/windows/xp/firewall] permanent link

Mon, Apr 09, 2007 9:47 pm

Allow Rtvscan Access Through Windows XP Firewall

Symantec AntiVirus Corporate Edition 8.0 uses rtvscan.exe on client systems for management of those systems from the antivirus server. Rtvscan listens on UDP port 2967 on the client systems. You can determine if rtvscan.exe is running on a Windows XP or later system with the tasklist command.

C:\>tasklist /fi "imagename eq rtvscan.exe"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
Rtvscan.exe                 1784 Console                 0      9,736 K

From the above information, I can see that rtvscan.exe is running on the system and that it has process ID (PID) 1784. I can verify that the process with PID 1784 is listening on port 2967 using the netstat command.

C:\>netstat -ano | find "1784"
UDP    0.0.0.0:1061           *:*                                    1784
UDP    0.0.0.0:2967           *:*                                    1784

You can create a firewall rule to allow the server to communicate with the client using the instructions at Configuring Windows XP Firewall for Symantec Antivirus Client, through either the GUI or the command line. A command-line example is shown below; it presumes the server's IP address is 192.168.0.33, so the custom scope allows only that host to reach the port.

C:\>netsh firewall set portopening protocol = UDP port = 2967 name = "Symantec AntiVirus Client Management" mode = ENABLE scope = CUSTOM 192.168.0.33
Ok.

You can verify the firewall now has the appropriate port opening with the netsh firewall show portopening command.

C:\>netsh firewall show portopening

Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
10280  UDP       Enable   Windows Media Connect
10281  UDP       Enable   Windows Media Connect
10282  UDP       Enable   Windows Media Connect
10283  UDP       Enable   Windows Media Connect
10284  UDP       Enable   Windows Media Connect
10243  TCP       Enable   Windows Media Connect
22     TCP       Enable   OpenSSH
2967   UDP       Enable   Symantec AntiVirus Client Management
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
10280  UDP       Enable   Windows Media Connect
10281  UDP       Enable   Windows Media Connect
10282  UDP       Enable   Windows Media Connect
10283  UDP       Enable   Windows Media Connect
10284  UDP       Enable   Windows Media Connect
10243  TCP       Enable   Windows Media Connect
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
1900   UDP       Enable   SSDP Component of UPnP Framework
2869   TCP       Enable   UPnP Framework over TCP
3389   TCP       Enable   Remote Desktop

Port configuration for Local Area Connection:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop

Or, alternatively, you can use the netsh firewall show state command.

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
10243  TCP       IPv4     (null)
10280  UDP       IPv4     (null)
10281  UDP       IPv4     (null)
10282  UDP       IPv4     (null)
10283  UDP       IPv4     (null)
10284  UDP       IPv4     (null)
135    TCP       IPv4     (null)
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
3389   TCP       IPv4     (null)
445    TCP       IPv4     (null)
22     TCP       IPv4     C:\Program Files\Network\OpenSSH\usr\sbin\sshd.exe
1562   TCP       IPv4     C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2869   TCP       IPv4     (null)
1900   UDP       IPv4     C:\WINDOWS\SYSTEM32\SVCHOST.EXE
2967   UDP       IPv4     C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Additional ports open on Local Area Connection:
Port   Protocol  Version
-------------------------------------------------------------------
3389   TCP       Any

The netsh firewall show state command also shows which program is currently bound to each open port. In this case it shows that Rtvscan.exe is listening on UDP port 2967.
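The steps above (find the PID listening on the port, map it to an image name, add a scoped port exception, and confirm the exception exists) can be scripted and checked. The following Python is an added example, not part of the original post or of Symantec's tooling; the netstat, tasklist and netsh listings it parses are constructed samples built from the values in the post, and the server address 192.168.0.33 is the post's assumption.

```python
"""Map listening ports to processes and verify a scoped XP firewall port opening."""
import csv
import io
import re

# Constructed sample: netstat -ano output. The two UDP rows for PID 1784 are from
# the post; the TCP rows are made up so both record shapes get exercised.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    192.168.0.10:3389      192.168.0.5:50211      ESTABLISHED     1120
  UDP    0.0.0.0:1061           *:*                                    1784
  UDP    0.0.0.0:2967           *:*                                    1784
"""

# Constructed sample: tasklist /fo csv output; only the Rtvscan.exe row is from the post.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1032","Console","0","4,980 K"
"svchost.exe","1120","Console","0","12,104 K"
"Rtvscan.exe","1784","Console","0","9,736 K"
"""

# Constructed sample: netsh firewall show portopening, trimmed from the post's
# listing. Note 2967/UDP is present under Domain but absent under Standard.
PORTOPENING_OUTPUT = """\
Port configuration for Domain profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
2967   UDP       Enable   Symantec AntiVirus Client Management
445    TCP       Enable   SMB over TCP

Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
445    TCP       Enable   SMB over TCP
3389   TCP       Enable   Remote Desktop

Port configuration for Local Area Connection:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop
"""


def pid_to_image(tasklist_csv):
    """Map PID -> image name from tasklist /fo csv output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(tasklist_csv))}


def listening_sockets(netstat_text, images):
    """Return [(proto, port, pid, image)] for UDP sockets and LISTENING TCP sockets."""
    sockets = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and parts[3] != "LISTENING":
            continue  # TCP rows carry a State column; skip established connections
        pid = int(parts[-1])
        port = int(parts[1].rsplit(":", 1)[1])
        sockets.append((parts[0], port, pid, images.get(pid, "(unknown)")))
    return sockets


def owner_of(sockets, proto, port):
    """Image bound to proto/port, or None when nothing listens there."""
    return next((img for p, prt, _pid, img in sockets if p == proto and prt == port), None)


def scoped_portopening_command(proto, port, name, server_ip, profile="ALL"):
    """netsh command equivalent to the post's, with explicit addresses= and profile=."""
    return (f"netsh firewall set portopening protocol = {proto} port = {port} "
            f'name = "{name}" mode = ENABLE scope = CUSTOM addresses = {server_ip} '
            f"profile = {profile}")


def profiles_with_opening(portopening_text, proto, port):
    """Profiles/interfaces whose show portopening section lists proto/port as Enable."""
    header = re.compile(r"^Port configuration for (.+?)(?: profile)?:$")
    row = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+)$")
    current, found = None, []
    for line in portopening_text.splitlines():
        m = header.match(line.rstrip())
        if m:
            current = m.group(1)
            continue
        m = row.match(line.strip())
        if m and current and (int(m.group(1)), m.group(2), m.group(3)) == (port, proto, "Enable"):
            found.append(current)
    return found


if __name__ == "__main__":
    sockets = listening_sockets(NETSTAT_OUTPUT, pid_to_image(TASKLIST_CSV))
    print("UDP 2967 is owned by", owner_of(sockets, "UDP", 2967))
    print(scoped_portopening_command("UDP", 2967, "Symantec AntiVirus Client Management", "192.168.0.33"))
    print("2967/UDP is opened in:", profiles_with_opening(PORTOPENING_OUTPUT, "UDP", 2967))
```

The verification step is the one worth automating: in the post's own listing, 2967/UDP appears under the Domain profile only, because `netsh firewall set portopening` applies to the current profile unless `profile = ALL` is given. A client that later connects on a non-domain network drops to the Standard profile and loses the exception. The generated command therefore adds `profile = ALL` and names the `addresses =` parameter that the post's command supplies positionally.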

References:

  1. Configuring Windows XP Firewall for Symantec Antivirus Client
    Written: May 30, 2005
    MoonPoint Support

[/security/antivirus/symantec/SAV-Firewall] permanent link
