
Thread: For the past several weeks, about a month, I get this eve...

  1. #1
    zaswing Guest


    For the past several weeks, about a month, I get this every single day, once soon after I login:
    PE,2008/04/03,20:02:54 -4:00 GMT,Windows Explorer,C:\WINDOWS\explorer.exe,127.0.0.1:1038,N/A
    ACCESS,2008/04/03,20:02:54 -4:00 GMT,Windows Explorer was unable to obtain permission for connecting to the local zone (127.0.0.1:Port 1038); access was denied.,N/A,N/A
    ACCESS,2008/04/03,20:03:10 -4:00 GMT,Windows Explorer was denied Internet access because of one or more modules (127.0.0.1:Port 1038).,N/A,N/A

    Local host is trusted. WindowsExplorer has 3 green bars and two green checks. Last modified is June 2007.

    How do I go about finding out the "changed module" when it is not identified in the log?

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057



    zasuiteuser wrote:
    > For the past several weeks, about a month, I get this every single day, once soon after I login:
    > PE,2008/04/03,20:02:54 -4:00 GMT,Windows Explorer,C:\WINDOWS\explorer.exe,127.0.0.1:1038,N/A
    > ACCESS,2008/04/03,20:02:54 -4:00 GMT,Windows Explorer was unable to obtain permission for connecting to the local zone (127.0.0.1:Port 1038); access was denied.,N/A,N/A
    > ACCESS,2008/04/03,20:03:10 -4:00 GMT,Windows Explorer was denied Internet access because of one or more modules (127.0.0.1:Port 1038).,N/A,N/A
    >
    > Local host is trusted. WindowsExplorer has 3 green bars and two green checks. Last modified is June 2007.
    >
    > How do I go about finding out the "changed module" when it is not identified in the log?


    Message Tracking Query Protocol is the label for port 1038 according to IANA.
    As some protocols are port dependent (the protocols based on the TCP/IP protocol), the ZA may be seeing the connection to the localhost port as a possible unusual protocol and is stopping it for security.

    Check the "Allow uncommon protocols at high security" in the Advanced of the Firewall. See if this fixes it.

    Maybe check the first two items listed in the Options.

    Then again perhaps the explorer just needs to have the Trusted server allowed in the Program listing. The 127.0.0.1 connecting to the 127.0.0.1 is really a possible server attempt by the explorer.exe (on the localhost itself). It may be connecting to the localhost via port 1038 and then connecting back to the localhost from 1038 - this would be a genuine server connection. Perhaps then allowing the explorer.exe to have server rights for the trusted zone will eliminate the blocked event (and the logs and alerts). Probably this will fix it up to a proper configuration.

    You may like to make expert rules for explorer.exe to allow both 0.0.0.0 and 127.0.0.1 in the first rule for both destination and source (using Protocol with Any for the TCP and UDP) in the first rule.
    A little tighter rule would be source of 127.0.0.1 and the destination of both 127.0.0.1 and 0.0.0.0. (the loopback and the nonroute could be used in the groups of the firewall and this makes things easier).

    The other remaining rules should be for the ICMP (either using the icmp in the predetermined in the groups or just use the default Any and with alert and log), DNS, possible dhcp if your lan/pc needs it (dhcp and dhcp client and maybe others depending), http&https&ftp (with alert and log) and a final block all rule (with alert and log).

    Oldsod.
    Best regards.
    oldsod

  3. #3
    zaswing Guest


    Hi Oldsod,
    The local port changes, it can be 1032+
    It's not causing me ANY problems whatsoever. I'm just baffled still about the alert itself and don't want to change/build new rules till I get what's going on. I haven't figured it out yet, I'll post back when I do. I suspect wmediaplayer update 'cause there was something about messaging even though I've killed windows messenger. I'll be back

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057


    It could be the explorer.exe is blocked off as an associated process of a parent such as the windows media player.
    But if the windows media player is restricted to just the PC and not the local network or the internet, then this idea is not valid.
    If the windows media player is restricted to just the local host, then the ZA will alert and log just the blocked attempts to the additional outbound attempts.

    I have it like this:

    Windows media player for source and destination of 127.0.0.1 allow and not log/alert and a second block rule with log and alert.

    Windows explorer (explorer.exe) with source (127.0.0.1 and 0.0.0.0) and destination (127.0.0.1 and 0.0.0.0) with no alert or log.
    Second rule is the icmp with alert and log.
    Third rule is the dns (source and destination of my computer and the dns IPs), with both tcp/udp out to the dns port and udp in from the dns servers. No log or alert.
    Fourth is the ftp data ftp, https from my computer to the Internet with log and alert.
    Fifth is a http rule and just log but no alert.
    Last is the block all with default Anys with log and alert.

    The expert rule in the Expert of the Firewall for any kind to do with http traffic is set for log and no alert.

    Yes, I get tons of logs. But the alerts are at a minimum and the ZA is fairly quiet with just alerts for more significant events.
    I may yet change the logging settings and reduce it down since it is probably more logging than I really need (plus the protowall and the router are logging all traffic).

    Cheers.
    Oldsod.
    Best regards.
    oldsod
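
Added example, not part of any post in this thread: a Python script that parses log lines in the format quoted in post #1 and summarizes, per program, the ports and days on which denials occurred, how many were module denials, and whether every destination was loopback. The field layout is inferred from the three quoted lines, and the entries for the second day (port 1032) are constructed sample data.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Lines 1-3 are quoted in the thread; lines 4-6 are constructed sample data
# (another day, another port) mirroring "the local port changes, it can be 1032+".
SAMPLE_LOG = r"""PE,2008/04/03,20:02:54 -4:00 GMT,Windows Explorer,C:\WINDOWS\explorer.exe,127.0.0.1:1038,N/A
ACCESS,2008/04/03,20:02:54 -4:00 GMT,Windows Explorer was unable to obtain permission for connecting to the local zone (127.0.0.1:Port 1038); access was denied.,N/A,N/A
ACCESS,2008/04/03,20:03:10 -4:00 GMT,Windows Explorer was denied Internet access because of one or more modules (127.0.0.1:Port 1038).,N/A,N/A
PE,2008/04/04,19:41:07 -4:00 GMT,Windows Explorer,C:\WINDOWS\explorer.exe,127.0.0.1:1032,N/A
ACCESS,2008/04/04,19:41:07 -4:00 GMT,Windows Explorer was unable to obtain permission for connecting to the local zone (127.0.0.1:Port 1032); access was denied.,N/A,N/A
ACCESS,2008/04/04,19:41:20 -4:00 GMT,Windows Explorer was denied Internet access because of one or more modules (127.0.0.1:Port 1032).,N/A,N/A
"""

# ACCESS rows carry program, address and port only inside the message text.
ACCESS_RE = re.compile(
    r"^(?P<program>.+?) was (?:unable|denied).*\((?P<ip>[\d.]+):Port (?P<port>\d+)\)")

def parse_events(text):
    """Return one dict per PE/ACCESS row (assumed layout: type,date,time,...)."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue  # blank or truncated line
        kind, date = row[0], row[1]
        if kind == "PE" and len(row) >= 6:
            ip, _, port = row[5].rpartition(":")
            events.append({"kind": kind, "date": date, "program": row[3],
                           "ip": ip, "port": int(port), "module": False})
        elif kind == "ACCESS" and (m := ACCESS_RE.search(row[3])):
            events.append({"kind": kind, "date": date, "program": m["program"],
                           "ip": m["ip"], "port": int(m["port"]),
                           "module": "modules" in row[3]})
    return events

def summarize(events):
    """Group events by program: ports seen, days seen, module denials, loopback-only."""
    out = defaultdict(lambda: {"ports": set(), "days": set(),
                               "module_denials": 0, "loopback_only": True})
    for e in events:
        s = out[e["program"]]
        s["ports"].add(e["port"])
        s["days"].add(e["date"])
        s["module_denials"] += int(e["module"])
        s["loopback_only"] &= ipaddress.ip_address(e["ip"]).is_loopback
    return dict(out)

if __name__ == "__main__":
    for program, stats in summarize(parse_events(SAMPLE_LOG)).items():
        print(program, stats)
```
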
