Thread: Alert : Suspicious behaviour

  1. #1
    jenaguru Guest

    Alert : Suspicious behaviour

    Hello all.

    I want to know some detail about 4 different ZA Alerts.

    1. SUSPICIOUS BEHAVIOUR
    Services and Controller app is trying to load the driver: Registry\Machine\system\CurrentControlSet\Services\IPSEC
    Application : SERVICES.EXE

    2. SUSPICIOUS BEHAVIOUR
    Spooler Subsystem App is trying to access the internet
    Identification : Unknown
    Application : spoolsv.exe
    Destination IP : 0.0.0.0.DNS

    3. SUSPICIOUS BEHAVIOUR
    LSA Executive and Server DLL (Export Version) is trying to communicate with C:\WINNT\System32\svchost.exe - kwugroup by opening its processes
    Application : LSASS.EXE

    4. SUSPICIOUS BEHAVIOUR
    Task Scheduler Engine is trying to act as a server
    Identification : None
    Application : mstask.exe
    Destination IP : 0.0.0.0.Port1025

    These alerts are shown mainly at system startup, sometimes two or three, sometimes all of them one after another.
    Each alert comes with allow or deny options at the bottom, and in all the cases no smart defense advice is available. I have no idea what to do with these alerts, what results if I allow or deny, or whether these are dangerous to the system or not. As a result I cannot choose allow or deny with 'remember this setting' checked.

    PLEASE advise.
    THANKS to ALL.

    Operating System:Windows 2000 Pro
    Product Name:ZoneAlarm Pro

  2. #2
    Join Date: Dec 2005, Posts: 9,057

    Re: Alert : Suspicious behaviour

    Hi JenaGuru

    Services.exe is a vital component of Windows. Allow it to function and let the PC enjoy its labor.


    http://www.processlibrary.com/direct...ices/index.php


    Spool is the printer "component" or service. If no printer is being used or ever will be used then deny all. It never requires internet access unless there is a special internet arrangement to print on a remote machine. It may need trusted access to be used when there is a printer on your LAN and perhaps server rights for the trusted. If no printer is ever used, then just completely disable the printer service in Start> right click My Computer> Manage> Computer Management> Services and Applications> right click Services> look for Print Spooler> right click and open Properties> select Disabled in the "Startup" dropdown "Chart" and apply and OK (this works for XP and may apply to Windows 2000).


    http://www.processlibrary.com/direct...pool/index.php

    Both the lsass.exe and the svchost.exe seem legitimate and are normal PC components of Windows. The k wugroup of svchost is part of the automatic updating and is part of Windows 2000.

    http://www.processlibrary.com/directory/files/lsass/


    Task Scheduler is required for things like scheduled actions of software, System Restore, and certain Windows performances. It should run, but does not need server rights. Actually probably never needs any internet access at all.

    http://www.liutilities.com/products/...ibrary/mstask/


    Some sites of interest for Windows 2000:

    http://mywebpages.comcast.net/Suppor...imize2000.html

    http://lists.thedatalist.com/pages/Windows_2000.htm

    http://www.markusjansson.net/exp.html (this one is very extreme!)

    http://en.wikipedia.org/wiki/Windows_2000

    Hope this helps! Oldsod
    Best regards.
    oldsod
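
The reply above treats the five alerted processes as normal Windows components; that holds only when each image loads from the system directory. The sketch below is an added example, not part of either post: it assumes a system root of `C:\WINNT` (as in alert 3), uses hypothetical function names and a constructed sample listing, and goes one step beyond the thread by also flagging near-miss file names.

```python
import difflib
import ntpath

# Image names taken from the four alerts in this thread. On Windows 2000 all
# five normally load from <SystemRoot>\System32 (C:\WINNT\System32 in alert 3).
EXPECTED_NAMES = ["services.exe", "spoolsv.exe", "lsass.exe",
                  "svchost.exe", "mstask.exe"]


def classify_image(image_path, system_root=r"C:\WINNT"):
    """Classify one full image path (no command-line arguments)."""
    # ntpath applies Windows path rules on any OS: case-insensitive compare,
    # and ".." segments collapsed before the directory is checked.
    norm = ntpath.normcase(ntpath.normpath(image_path))
    name = ntpath.basename(norm)
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    if name in EXPECTED_NAMES:
        in_place = ntpath.dirname(norm) == expected_dir
        return "ok" if in_place else "unexpected-location"
    # A name one or two characters away from a system binary deserves a look.
    if difflib.get_close_matches(name, EXPECTED_NAMES, n=1, cutoff=0.85):
        return "lookalike-name"
    return "not-listed"


def triage(image_paths, system_root=r"C:\WINNT"):
    """Return (path, verdict) pairs that need a closer look."""
    results = [(p, classify_image(p, system_root)) for p in image_paths]
    return [(p, v) for p, v in results if v not in ("ok", "not-listed")]


# Constructed sample listing, not taken from the poster's machine.
SAMPLE = [
    r"C:\WINNT\System32\svchost.exe",
    r"c:\winnt\system32\LSASS.EXE",
    r"C:\WINNT\System32\..\Temp\spoolsv.exe",
    r"C:\WINNT\System32\scvhost.exe",
    r"C:\WINNT\notepad.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE):
        print(f"{verdict:20} {path}")
```

A verdict of "ok" only confirms name and location; it says nothing about whether the file itself has been replaced.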
