windows.security.firewallopenports detected



rk911
2006-09-26, 04:09
hi. in my latest scan using spybot s&d (update file 9/22/06) the scan
detected two problems in the registry, both in:

windows.security.firewallopenports. and both detected problems are identical as far as location in the registry.

i am using the MS firewall.

apparently this is now being scanned by spybot. can someone please explain to me what this is? i've googled this and searched microsoft.com but can't seem to find any useful information. is this something to be concerned about or is this some sort of false positive?

thanks,

rich

tashi
2006-09-26, 17:07
Hello

Could you give more information please:

1) Exact message you receive.
2) Security programs installed.
3) Version of Spybot-S&D.

Please open Spybot>Help>About, it will give you the version and latest detection update information.

While the Windows XP Firewall is better than nothing at all, its functions are limited.
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx

Please see this article for prevention tips and programs.
So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279)

rk911
2006-09-27, 01:15
thanks for the response. the info you're seeking is below.

Hello

Could you give more information please:

1) Exact message you receive.

sure.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\21:TCP

both items found by spybot are exactly the same. i am assuming that the above refers to a TCP connection on port 21. with that in mind, i have rebooted into safe mode and re-run spybot. the same two items are found. what i don't understand is if they are a true infection or a false positive.

2) Security programs installed.

installed and running are the following:
- windows firewall
- spyblaster v3.5.1
- norton system works 2005 which includes norton A/V
- counterspy v1.5.82 with definition file 414
- adsgone 2006 v5.3.3.16

also used on a periodic basis but not left running are:
- ad-aware se personal build 1.06r1
- pest patrol v 12/27/2004 4.4.4.81 with the 9/22/06 database

3) Version of Spybot-S&D.

- v1.3 with the 9/22/06 database

Please open Spybot>Help>About, it will give you the version and latest detection update information.

While the Windows XP Firewall is better than nothing at all, its functions are limited.

i know that. i normally run ZoneAlarm (free edition) but have had some issues with their v6. i am currently researching whether to revert back to
v5.x or use another product. i'm using the MS firewall in the meantime.

http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx

Please see this article for prevention tips and programs.
So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279)

thanks, i will.
i have not allowed spybot to delete the two items. i won't do that until i understand just what they have detected.

thanks again.

rich

md usa spybot fan
2006-09-27, 06:38
Side note:

You should consider upgrading to Spybot 1.4.

tashi
2006-09-27, 08:49
You should consider upgrading to Spybot 1.4.

I agree, then after updating to the latest definitions run another scan and let us know the results:

Version 1.4: Systems Supported (http://www.safer-networking.org/en/spybotsd/index.html)

Spybot-S&D Version 1.4 Download (http://www.spybot.info/en/download/index.html)

Uninstalling Previous Spybot-S&D (http://www.safer-networking.org/en/faq/27.html)

Tutorial (http://www.spybot.info/en/tutorial/index.html)

rk911
2006-09-28, 00:46
ok, but that doesn't answer my initial question which was is this an actual detection or a false positive? and am i correct in interpreting that the 'hit' is indicating that port 21 is open?

rich

rk911
2006-09-28, 01:35
i phrased that badly. what i'm asking is this. what is spybot detecting? is this windows.security.firewallopenports a setting within windows that i can check? i'm not getting any background info on this via google, a search of microsoft.com or XP help. i realize that you can't tell me if this hit is a false positive but i'm trying to understand what spybot is checking.

rich

rk911
2006-09-28, 03:49
hi. ok, i downloaded and installed v1.4 of spybot S&D, did a scan and got the same results.

thanks.

rich

Spiritsongs
2006-09-28, 06:20
Hi Rich :

Perhaps the question would become moot if you found a "replacement" for
the "half-a-firewall" Windows ; I agree on not using ZA. However, there are
lots of good & FREE ones available; I still use the bought out by Symantec/
Norton Sygate Personal, available for download from :
www.filehippo.com/download_sygate_personal_firewall/ . There is a "Setup
Guide" @ www.kotiposti.net/string/SPF_eng/SPFGuide.html .
After installation, should use the "Shields Up" test at www.grc.com .

In fact, if the "Windows Firewall" is part of the XP SP2 "Security Center",
should consider "disabling" the entire "Center" based on the info at :
www.pcmag.com/article2/0,1759,1639276.00.asp !?

rk911
2006-09-29, 00:47
good evening. can you check that pc mag link...it won't come up.

thanks.

rich

timetc
2007-03-30, 17:52
I notice that your original question about what is the reason for windows.security.firewallopenports being flagged up was not answered.
The other windows security message is AntivirusdisableNotify.

I have left both of these to re-occur since I too have no idea what they indicate :sad:

md usa spybot fan
2007-03-30, 20:41
timetc:

It would be better if you posted a log of the actual detections you are getting rather than a general description. To do that:
1) Run a scan.
2) When the scan completes, right click on the results list, select "Copy results to clipboard".
3) The scan results can then be pasted (Ctrl+V) to posts in the forum.
--------------------------------------------------------------------------------

Member rk911 (http://forums.spybot.info/member.php?u=12118) only posted a portion of the detection. From the piece they did post:


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\21:TCP
It appears that the Windows Firewall for the Standard Profile has been configured so that Port 21 is open for any TCP protocol communication. Port 21 using TCP protocol is the default FTP control port and is used for services such as FTP Publishing and as an FTP Application Layer Gateway.

Although the Windows XP firewall is better than having no firewall, it only filters incoming traffic and therefore is not as secure as other firewalls that filter both incoming and outgoing traffic. To weaken it further by having open ports is not a good practice unless there was/is a specific reason for doing so.

--------------------------------------------------------------------------------

If this is the other detection that you are getting:


Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
It indicates that the Windows Security Center alert for Virus Protection has been turned off. If you go into Start > Control Panel > Security Center > Resources (on the left hand side of the window expand if necessary) > click "Change the way Security Center alerts me". This brings up an "Alert Setting" window.

There are three possible alerts:
- Firewall: Alert me if my computer might be at risk because of my firewall settings
- Automatic Updates: Alert me if my computer might be at risk because of my Automatic Updates settings
- Virus Protection: Alert me if my computer might be at risk because of my virus protection software settings
I believe that you will find that the Virus Protection alert is unchecked. With that item unchecked Windows Security Center will not notify you if your anti-virus is disabled or the updates are out of date.
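
Added example (not part of the original thread, and not Spybot's own logic): a small Python audit of the two registry locations discussed above, run over text in the layout that `reg query <key> /s` prints. The sample input is constructed, and the `port:protocol:scope:status:name` layout of the value data is the Windows XP SP2 format, which the thread itself does not show. The example also checks `HKLM\SYSTEM\Select\Current`, since an entry under a numbered set such as `ControlSet003` only affects the running firewall if that set is the active one.

```python
import re

# Constructed sample in `reg query /s` layout; not taken from the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\Select
    Current    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    3389:TCP    REG_SZ    3389:TCP:LocalSubNet:Disabled:Remote Desktop

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    21:TCP    REG_SZ    21:TCP:*:Enabled:FTP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify    REG_DWORD    0x1
"""

VALUE = re.compile(r"^\s+(.+?)\s+(REG_SZ|REG_DWORD)\s+(.*)$")
PORTS = re.compile(
    r"\\(ControlSet\d{3}|CurrentControlSet)\\.*\\(\w+Profile)\\GloballyOpenPorts\\List$",
    re.I)

def audit(text):
    """Return (active_control_set, open_port_entries, av_notify_disabled)."""
    key, current, ports, notify_off = "", None, [], False
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # unindented line names the key
            key = line.strip()
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        if key.upper().endswith(r"\SYSTEM\SELECT") and name == "Current":
            current = "ControlSet%03d" % int(data, 16)
        elif key.endswith(r"\Security Center") and name == "AntiVirusDisableNotify":
            notify_off = int(data, 16) != 0   # Spybot flags "!=dword:0"
        elif PORTS.search(key):
            cset, profile = PORTS.search(key).groups()
            # XP SP2 data layout (assumption stated in the lead-in)
            port, proto, scope, status, label = data.split(":", 4)
            ports.append({"control_set": cset, "profile": profile,
                          "port": int(port), "proto": proto, "scope": scope,
                          "enabled": status.lower() == "enabled", "label": label})
    for p in ports:  # the firewall service reads only the active control set
        p["active"] = p["control_set"] in (current, "CurrentControlSet")
    return current, ports, notify_off
```

An entry that is enabled with scope `*` in the active control set is an exception reachable from any address; the same entry in an inactive numbered set is a stored copy that is not currently loaded.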