Results 1 to 5 of 5

Thread: Seeking sbNet Port Listeners Backround

  1. #1
    Junior Member
    Join Date
    Jan 2023
    Posts
    2

    Default Seeking sbNet Port Listeners Backround

    Hello to the Community:

    This is my first post. I also wish to introduce myself as Ant1c0rr3lat10n, or A-C.

    I was getting ready to purchase Spybot SD, and thought I would take a close look at my workstation the free version was installed on, just to see what changed from a system-level perspective.

    I stumbled onto several notifications in the Win logs:

    Data = Source: 127.0.0.1 URI: Message: Listening on port 21331

    The source is the Application channel, level is "information" with the keyword 0x0080000000000000

    All the other messages contained specific ports (21327; 21322; 21323; 21327; 21331; 21321) that were being listened to with two iterations over a three hour period.

    I am respectfully asking if the community or any crawlers what sbNet is, e.g., what it listens for, what it reports, and what its purpose is. Oh, and of course what privilege it runs under. Aside from full-disclosure (which does not really ever happen) one must trust, but verify.

    Several interweb searches revealed more about the potential to have misspelled "subnet" than anything else that would make sense. It showed up shortly after the install, and being not exactly sound of mind, I am asserting that the "sb" in "sbNet" is directly related to Spybot. I could be on Mars on the topic due to little or no usable information about sbNet.

    I looked through the materal from Safer Networking in a cursory manner and did not see anything about sbNet. It concerns me because of the lack of information or disclosure on the matter. I hope that I did not miss it if it exists.

    My next task is to see what Sysinternals Procmon64 and Wireshark tell me.

    Forgive my pedantic nature, but I have a profound and passionate curiousity of computer science, sprinkled with a molar amount of paranoia.

    I used SB SD in another lifetime religously, and I liked it, and thought I would take a look at how much it has advanced since the 2000's. It identified and took care of certian items that the bloated and laughable Symantec and McAfee antivirus packages rolled over on. That was good enough.

    I genuinely thank everyone who reads this post, and an even deeper thanks in advance for any replies with intelligence on sbNet. You know, I look at my web-facing PCs as extensions of my home. When I invite someone to come in, I anticipate that with some due diligence, that person will leave with all they came with. It has become impossible to know. I guess if Microsoft is doing it, it must be OK. Right?

    Best regards and wishes for all to dwell in Peace.

    <>

  2. #2
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,414

    Default

    You could ask technical support about sbnet. There's a contact link here.
    https://www.safer-networking.org/support/#contactform

  3. #3
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,587

    Default

    Spybot communicates with background services using ports in that range. Using a standard protocol makes things easier for IPC, and allows cross-platform compatibility (the original "sbNet" was a Windows and Linux based intranet update and configuration server).

    Updates are important, but need elevation (placed in Program Files, to avoid regular user accounts and software run under them being able to tamper with them), and you might not trust every user account the right to elevate, so a background service helps to solve that situation.

    Scanning and fixing is also easier with more privileges, looking at how some malwares hide using e.g. rootkit technology.

    The On Access stuff also uses these ports for IPC - it wouldn't do performance wise to load the whole database on each scanned file, it needs to be kept in memory for that - by a background process.

    All services are of course designed to not allow them to be misused by others to manipulate the system, so their interface is quite limited to high level tasks (you might have already seen with Wireshark).
    Last edited by PepiMK; 2023-01-18 at 10:09.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  4. #4
    Junior Member
    Join Date
    Jan 2023
    Posts
    2

    Default Many Thanks Zenobia and PepiMK

    Quote Originally Posted by Zenobia View Post
    You could ask technical support about sbnet. There's a contact link here.
    https://www.safer-networking.org/support/#contactform
    Thank you Zenobia. I see that before I could extend myself to tech support, PepiMK replied with an explanation that makes perfect sense.

    I will assume that "Reply to Thread" satisfies all posted responses (so far). I could be wrong so I will apologise ahead of time.

    ********

    Thank you PepiMK for a concise explanation. You must have some tight appsec to ensure the high-level background processes stay isolated and lack vulnerability to SEH overwrites / exploits, buffer overflows and the usual suspects. Aside from rootkits, does Spybot have the capability to detect the fileless species of malware using IOA's?

    I am unsure of specific IOA mechanisms for fileless detection, but could high-level listeners as you describe be used for abnormal behavior detection on certian ports? That is network layers as opposed to memory?

    I will let this rest as I could ask 10000 questions; fascinating stuff, this.

    I look forward to exploring different threads in the community and starting new ones.

    Thanks to both again for responding to and clarifying the purpose of sbNet.

    In Peace

    <>

  5. #5
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,414

    Default

    You're welcome.
    I will assume that "Reply to Thread" satisfies all posted responses (so far).
    Yes, it does. to the forum.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •