Alert : Suspicious behaviour
I want to know some detail about 4 different ZA Alerts.
1. SUSPICIOUS BEHAVIOUR
Services and Controller app is trying to load the driver :Registry\Machine\system\CurrentControlSet\
Application : SERVICES.EXE
2. SUSPICIOUS BEHAVIOUR
Spooler Subsystem App is trying to access the internet
Identification : Unknown
Application : spoolsv.exe
Destination IP : 0.0.0.0.DNS
3. SUSPICIOUS BEHAVIOUR
LSA Executive and Server DLL (Export Version) is trying to communicate with C:\WINNT\System32\svchost.exe - kwugroup by opening its processes
Application : LSASS.EXE
4. SUSPICIOUS BEHAVIOUR
Task Scheduler Engine is trying to act as a server
Identification : None
Application : mstask.exe
Destination IP : 0.0.0.0.Port1025
These alerts are shown mainly at system startup, sometimes two or three, sometimes all of them one after another.
Each alert has allow or deny options at the bottom, and in all the cases no smart defense advice is available. I have no idea what to do with these alerts, what results if I allow or deny, or whether these are dangerous to the system or not. As a result I cannot choose allow or deny with 'remember this setting' checked.
THANKS to ALL.
Operating System:Windows 2000 Pro
Product Name:ZoneAlarm Pro
Re: Alert : Suspicious behaviour
Services.exe is a vital component of Windows. Allow it to function and let the PC enjoy its labor.
Spool is the printer "component" or service. If no printer is being used or ever will be used, then deny all. It never requires internet access unless there is a special internet arrangement to print on a remote machine. It may need trusted access to be used when there is a printer on your LAN, and perhaps server rights for the trusted. If no printer is ever used, then just completely disable the printer service in Start > right click My Computer > Manage > Computer Management > Services and Applications > right click Services > look for Print Spooler > right click and open Properties > select Disabled in the "Startup" dropdown "Chart" and apply and OK (this works for XP and may apply to Windows 2000).
Both the lsass.exe and the svchost.exe seem legitimate and are normal PC components of Windows. The k wugroup of svchost is part of the automatic updating and is part of Windows 2000.
Task Scheduler is required for things like scheduled actions of software, System Restore, and certain Windows performances. It should run, but does not need server rights. Actually probably never needs any internet access at all.
Some sites of interest for Windows 2000:
http://www.markusjansson.net/exp.html (this one is very extreme!)
Hope this helps! Oldsod