
Thread: Modify Driver shown in OSFirewall Alerts & Logs

  1. #1
    johnnnn Guest

    Modify Driver shown in OSFirewall Alerts & Logs

    Hello
    Can I have an explanation of the following line that appears in Alerts & Logs / OSFirewall:

    Type = Driver
    Subtype = Modify Driver
    Data = MRXSMB
    Program = C:\windows\system32\wuauclt.exe

    Specifically, what does Modify Driver mean? It suggests to me that Windows Update has downloaded and installed a new mrxsmb.sys driver.
    I'm a bit worried and puzzled because although the service Automatic Updates is on Automatic and is Started, I have Turn off Automatic Updates checked in System Properties / Automatic Updates. I specifically checked that box a long time ago, as I don't want Microsoft's automatic buggy security fixes.
    I did a search on files created/modified in the past two days and found a WindowsUpdate.log. It appears to just show initialization and shutdown; it doesn't show any update activity and suggests the feature is off.
    One other thing while I'm on about driver messages:
    Frequently at Windows boot time, immediately after logon, I can get a ZA Alert saying a program (the program in question usually varies each time) is trying to remove or install/modify the Sysinternals' Process Explorer low level driver (forget the name, something like proc90). Could this be a program putting its hook in some interrupt/address chain? I don't think so, as one of the programs causing the alert is a simple E-mail notifier. I would see no reason for it to have any connection with Sysinternals' driver or any driver.
    Thanks, John

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Pro

  2. #2
    watcher Guest

    Re: Modify Driver shown in OSFirewall Alerts & Logs

    Dear Johnnnn:

    The file wuauclt.exe is the executable for the Windows Update program. BTW, if you leave Automatic Updates service on Automatic, it will automatically start up and run in memory each time you boot up. If you don't want it running, set it to Disabled. Ditto for the Background Intelligent Transfer Service. These 2 are used in tandem.
    Once a week I set these 2 services to Automatic, then start each of them, then go to Windows Update and choose Custom, and pick and choose the updates I need. Most of the high-priority updates are ones that you should be downloading and installing, as they patch vulnerabilities of the operating system. Without these, a hacker can circumvent all the security software on your computer. If a patch is for some applet of Windows which you don't use or have removed off your system, then don't bother.

    Security programs sometimes load a service with a random name which, in turn, loads the program. It's done for security reasons. A good example is Sysinternals RootkitRevealer v.1.71. I get an alert from my real-time antispyware utility that services.exe is attempting to install a new service. The service will have a random name and is in all caps. Once I click Allow, ZAPRO will sometimes bring up a Program alert stating that the dummy service is attempting to load the program and I click allow. The program then loads. What you have below for Windows Update is similar. I've never checked this but it's possible that MRXSMB is the dummy service set up for that Windows Update session. Once you've finished, the dummy service should be automatically deleted from services.msc. That's how RootkitRevealer works. However, in the past it has left a few so I had to edit the Registry to delete them.

    I don't see any malicious activity here. You should run weekly scans with your antivirus and antispyware utilities.
    Don't rely on ZAPRO as your only antispyware utility. The top 3 antispyware utilities currently are Spy Sweeper, Spyware Doctor, and CounterSpy. For antivirus, Kaspersky Anti-Virus, Norton Anti-Virus, and BitDefender.

    Hope this helps.

    WATCHER
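
The service handling that watcher describes (Automatic Updates and BITS disabled outside a weekly window, set to Automatic and started for the window) as an added PowerShell example; this is not code from the thread or from ZoneAlarm. It assumes the standard service names, wuauserv for Automatic Updates and bits for Background Intelligent Transfer Service, and an elevated PowerShell 2.0 prompt as available on XP.

```powershell
# Added example (not from the thread): manage the Windows Update service pair
# the reply describes. Service names are the standard ones: Automatic Updates
# is 'wuauserv', Background Intelligent Transfer Service is 'bits'.
# Run from an elevated PowerShell prompt (PowerShell 2.0 syntax for XP).

$UpdateServices = @('bits', 'wuauserv')   # start order: wuauserv depends on bits

function Get-UpdateServiceState {
    # Report startup type and current status of both services
    foreach ($name in $UpdateServices) {
        $svc = Get-Service -Name $name
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $wmi.StartMode     # Auto / Manual / Disabled
            Status      = $svc.Status        # Running / Stopped
        }
    }
}

function Enable-UpdateServices {
    # Weekly maintenance window: set both to Automatic and start them,
    # BITS first so Automatic Updates finds its dependency already running
    foreach ($name in $UpdateServices) {
        Set-Service -Name $name -StartupType Automatic
        Start-Service -Name $name
    }
    Get-UpdateServiceState
}

function Disable-UpdateServices {
    # Outside the window: stop and disable so neither loads at boot.
    # Stop wuauserv before bits; -Force also stops anything still holding BITS.
    foreach ($name in @('wuauserv', 'bits')) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $name -StartupType Disabled
    }
    Get-UpdateServiceState
}

# Typical use: Enable-UpdateServices before visiting Windows Update (Custom),
# Disable-UpdateServices when finished. Check at any time with:
Get-UpdateServiceState | Format-Table Name, StartMode, Status -AutoSize
```

Disabling both services means wuauclt.exe should not appear in OSFirewall at all between maintenance windows, which makes any later alert naming it worth a second look.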

  3. #3
    johnnnn Guest

    Re: Modify Driver shown in OSFirewall Alerts & Logs

    Hi Watcher, thanks for responding. I appreciate your point that some security (aware) products may disguise certain actions/operations, but I don't think this was the case with MRxSmb and Procexp90 driver alerts from ZA OSFirewall. Mrxsmb.sys is a valid driver, as is Sysinternals' Procexp90.
    I found (using Event Viewer) the following error entry in Windows System Error Records:

    Event Type: Error
    Event Source: MRxSmb
    Description: The master browser has received a server announcement from the computer PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7F87495B-4EE5-47A9-A41C. The master browser is stopping or an election is being forced.

    Maybe some hiccup or other resulted in a change of status for that driver; don't know why Automatic Updates was involved though. It's Disabled for the moment, but I'm sure when it was running it respected my Disable Automatic Updates setting; nothing to indicate otherwise in its log.
    I used to run both Sysinternals' Process Explorer and my E-mail notifier from the Startup folder. They both would have been initializing at the time of the ZA OSFirewall alert. I suspect ZA OSFirewall was a little confused and played safe with its Alert. It's not my intention here to moan or criticize; it's just a personal opinion that ZA OSFirewall is intrusive and possibly not totally accurate with its alerts. I sometimes turn it off when installing or making changes because I know it will pop up and disrupt things. I think it could be improved by some mechanism to allow it to discriminate about what it monitors. An example of this could be a Programs Zone!
    Finally, the following may or may not have a connection with the MRxSmb above:
    A week or so ago, my AVG Anti-virus found what it considered a Trojan: C:\Windows\System32\kdgqf.exe (64.44KB) - "Trojan horse Generic5.NBR". (AVG is not so good at removing or providing details about what it finds. I could find nothing about that Trojan on the internet.) The only problem I had with my Windows was IExplorer would not open any .mspx links when clicked. In an attempt to fix this problem, I followed a Microsoft recommendation to register a few DLLs. After registering the DLLs, IExplorer was totally disabled. I have just finished a Factory Emergency Restore (F11) of Windows and I'm currently reinstalling all applications.
    John
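
The checks a defender would run on the "Modify Driver" alert from post #1 and the MRxSmb event from post #3, as an added PowerShell example that is not code from the thread, from ZoneAlarm or from Sysinternals. It assumes the standard driver path C:\Windows\System32\drivers\mrxsmb.sys, PowerShell 2.0 on XP, and that you have a copy of the same driver from install media or a known-clean machine to compare the hash against; the AUOptions meanings are the documented XP values for the System Properties / Automatic Updates setting.

```powershell
# Added example (not from the thread): three checks for a "Modify Driver" alert
# naming MRXSMB. Driver path is the standard location (assumption); the hash is
# meant for comparison with a known-clean copy of the same file.

$DriverPath = 'C:\Windows\System32\drivers\mrxsmb.sys'

function Get-DriverIdentity {
    param([string]$Path = $DriverPath)
    $file = Get-Item -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # Inbox XP drivers are catalog-signed, so Status often reads NotSigned on XP
    # even for a genuine file; Windows 8+ PowerShell also checks catalogs.
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    # SHA-256 via .NET: Get-FileHash needs PowerShell 4, not available on XP.
    $sha    = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try { $hashBytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    $hash = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''
    New-Object PSObject -Property @{
        Path            = $file.FullName
        LastWriteTime   = $file.LastWriteTime     # compare with the alert's timestamp:
                                                  # an old timestamp means the file itself was not replaced
        Company         = $file.VersionInfo.CompanyName
        Description     = $file.VersionInfo.FileDescription
        FileVersion     = $file.VersionInfo.FileVersion
        SignatureStatus = $sig.Status
        Signer          = $signer
        SHA256          = $hash
    }
}

function Get-MrxSmbEvents {
    param([int]$Days = 7)
    # System log entries written by the MRxSmb source (browser elections etc.),
    # the same records Event Viewer shows under System
    Get-EventLog -LogName System -Source MRxSmb -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, EventID, Message
}

function Get-AutomaticUpdatesSetting {
    # AUOptions is what the System Properties / Automatic Updates page writes on XP:
    # 1 = turned off, 2 = notify before download, 3 = download then notify, 4 = automatic.
    # A domain or local policy can override it via NoAutoUpdate under the Policies key.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $au  = Get-ItemProperty -Path $key    -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $meaning = 'Unknown / not set'
    switch ($au.AUOptions) {
        1 { $meaning = 'Turned off' }
        2 { $meaning = 'Notify before download' }
        3 { $meaning = 'Download, notify before install' }
        4 { $meaning = 'Automatic' }
    }
    New-Object PSObject -Property @{
        AUOptions          = $au.AUOptions
        Meaning            = $meaning
        PolicyNoAutoUpdate = $pol.NoAutoUpdate   # 1 = policy disables updates; $null = no policy
    }
}

# Run all three; read the output together with the OSFirewall alert time.
Get-DriverIdentity         | Format-List
Get-MrxSmbEvents -Days 7   | Format-Table TimeGenerated, EventID, EntryType -AutoSize
Get-AutomaticUpdatesSetting | Format-List
```

If LastWriteTime predates the alert and the SHA-256 matches the clean copy, the alert reflects a change to the driver's service state (such as the browser election in the event above) rather than a replaced file; a changed hash with a recent LastWriteTime, from a machine where Automatic Updates is turned off, is the case that warrants a closer look.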

  4. #4
    watcher Guest

    Re: Modify Driver shown in OSFirewall Alerts & Logs

    Dear Johnnnn:

    I found this article which may relate to your Event Viewer error. You didn't list an EventID but the error message was identical:

    http://weblog.techdad.net/2007/05/09...d-8003-errors/

    Hope this helps.

    WATCHER
