Charles,

>I have recently installed Zone Alarm as my firewall. It is very efficient
>at letting me know that it has blocked access to my computer.
>
>A typical message is as follows.
>
>The firewall has blocked Internet Access to your computer (TCP Port 445)
>from 213.78.60.143 (TCP Port 4097)(TCP Flags:S) 1st of 9 alerts.
>
>It would appear that there is a need, apart from a mischievous one, for
>the access.
>
>Where can I find out what program, if any, does the Source IP address
>relate to? What does TCP Flags: S mean?

The IP address relates to where the connection was coming from or going to. A program (such as IE or others) would connect to this address. I did look up the IP address and it is in London, England.

The TCP Flags: S means the following: S : SYN - Synchronize; indicates request to start session

You didn't say if the port it was trying to access was an incoming or outgoing request for the connection. I did a search for the port 445 and below is what I found.

TCP Port 445
Common Use
Microsoft-DS Service is used for resource sharing on Windows 2000, XP, 2003, and other Samba-based connections. This is the port that is used to connect file shares, for example.

Inbound Traffic
Inbound scans are typically systems which are trying to connect to file shares that might be available on your system and hence these should be blocked. While most of this traffic is the result of worms or viruses which can use open file shares to propagate, they also can be the result of malicious users' attempts to connect to your computer. Once connected they can download, upload or even delete or edit files on the connected file share. If you use open file shares (including sharing of printers, etc.) on your local network (LAN), then you should be using a firewall such that your local file shares are not accessible from the internet. Connecting to open file shares is likely the easiest and most common hack on the internet and yet one of the most effective for malicious activities like identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely, for example.

Lately TCP Port 445 has become the target of LSASS-exploiting worms like Sasser and Korgo.

Outbound Traffic
Outbound scans, if occurring in volume, should be considered an indication of a possible worm infection on the source computer and should be investigated. If there are systems to which you remotely connect, then those systems should be marked as trusted IPs so that future authorized events will be logged as normal traffic.

Hope this is of some help?

Art
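A small parser and classifier for alert lines in the exact wording Charles quoted above, added here as an illustration (it is not code from the thread or from ZoneAlarm). It splits out the local port, remote address, remote port and TCP flag letters, treats a lone SYN to port 445 from an untrusted address as an inbound file-share probe, and honours Art's "trusted IPs" advice; the LAN range and the two extra alert lines are constructed assumptions.

```python
import re
import ipaddress
from collections import Counter
# Constructed sample alerts in the ZoneAlarm wording quoted in the thread: the first
# is the line Charles posted, the other two are made up for illustration.
SAMPLE_ALERTS = [
    "The firewall has blocked Internet Access to your computer (TCP Port 445) "
    "from 213.78.60.143 (TCP Port 4097)(TCP Flags:S) 1st of 9 alerts.",
    "The firewall has blocked Internet Access to your computer (TCP Port 445) "
    "from 192.168.1.20 (TCP Port 1034)(TCP Flags:S) 1st of 1 alerts.",
    "The firewall has blocked Internet Access to your computer (TCP Port 80) "
    "from 198.51.100.7 (TCP Port 55000)(TCP Flags:AF) 1st of 1 alerts.",
]
TRUSTED_NETS = ["192.168.1.0/24"]  # hypothetical LAN peers you share files with
TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

# "... to your computer (TCP Port X) from IP (TCP Port Y)(TCP Flags:Z) Nth of M alerts."
ALERT_RE = re.compile(
    r"to your computer \(TCP Port (?P<dst_port>\d+)\) from (?P<src_ip>[\d.]+) "
    r"\(TCP Port (?P<src_port>\d+)\)\(TCP Flags:(?P<flags>[A-Z]+)\)"
    r"(?: \d+\w* of (?P<total>\d+) alerts)?"
)

def parse_alert(line):
    """Return the fields of one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "dst_port": int(m["dst_port"]),  # local port the remote host aimed at
        "src_ip": m["src_ip"],            # remote address (the one to look up)
        "src_port": int(m["src_port"]),  # ephemeral port on the remote side
        "flags": [TCP_FLAG_NAMES.get(c, c) for c in m["flags"]],
        "total": int(m["total"]) if m["total"] else 1,
    }

def classify(alert, trusted_nets=TRUSTED_NETS):
    """Label one inbound alert: trusted peer, file-share probe on 445, or other."""
    src = ipaddress.ip_address(alert["src_ip"])
    if any(src in ipaddress.ip_network(n) for n in trusted_nets):
        return "trusted"
    if alert["dst_port"] == 445 and alert["flags"] == ["SYN"]:
        return "inbound file-share probe"  # a lone SYN is a new-session request
    return "other blocked"

def summarize(lines, trusted_nets=TRUSTED_NETS):
    """Count alert classes over many lines, weighting by ZoneAlarm's repeat count."""
    counts = Counter()
    for alert in filter(None, map(parse_alert, lines)):
        counts[classify(alert, trusted_nets)] += alert["total"]
    return dict(counts)
```

Run `summarize(SAMPLE_ALERTS)` on the constructed lines to see the nine repeated port-445 SYNs counted as one probe class and the LAN host counted as trusted.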
Art,

See, I knew we needed you. I also use Zone Alarm. I am trying to learn to record music, so I paid to download music, but they wanted me to drop my firewall; being the novice that I am, I would not do it. I also received these TCP reports; thanks for explaining them.

Pat

----- Original Message -----
From: "dolphin213" <dolphin213@cox.net>
To: <GEN-COMP-TIPS-L@rootsweb.com>
Sent: Friday, August 13, 2004 3:34 AM
Subject: Re: [Gen-Comp-Tips] Firewall

> Charles,
>
> >I have recently installed Zone Alarm as my firewall. It is very efficient
> >at letting me know that it has blocked access to my computer.
> >
> >A typical message is as follows.
> >
> >The firewall has blocked Internet Access to your computer (TCP Port 445)
> >from 213.78.60.143 (TCP Port 4097)(TCP Flags:S) 1st of 9 alerts.
> >
> >It would appear that there is a need, apart from a mischievous one, for
> >the access.
> >
> >Where can I find out what program, if any, does the Source IP address
> >relate to? What does TCP Flags: S mean?
>
> The IP address relates to where the connection was coming from or going
> to. A program (such as IE or others) would connect to this address. I did
> look up the IP address and it is in London, England.
>
> The TCP Flags: S means the following: S : SYN - Synchronize; indicates
> request to start session
>
> You didn't say if the port it was trying to access was an incoming or
> outgoing request for the connection. I did a search for the port 445 and
> below is what I found.
>
> TCP Port 445
> Common Use
> Microsoft-DS Service is used for resource sharing on Windows 2000, XP,
> 2003, and other Samba-based connections. This is the port that is used to
> connect file shares, for example.
>
> Inbound Traffic
> Inbound scans are typically systems which are trying to connect to file
> shares that might be available on your system and hence these should be
> blocked. While most of this traffic is the result of worms or viruses
> which can use open file shares to propagate, they also can be the result of
> malicious users' attempts to connect to your computer. Once connected they
> can download, upload or even delete or edit files on the connected file
> share. If you use open file shares (including sharing of printers, etc.) on
> your local network (LAN), then you should be using a firewall such that
> your local file shares are not accessible from the internet. Connecting to
> open file shares is likely the easiest and most common hack on the internet
> and yet one of the most effective for malicious activities like identity
> theft or installing RATs (Remote Access Trojans) to take control of systems
> remotely, for example.
>
> Lately TCP Port 445 has become the target of LSASS-exploiting worms like
> Sasser and Korgo.
>
> Outbound Traffic
> Outbound scans, if occurring in volume, should be considered an indication of
> a possible worm infection on the source computer and should be
> investigated. If there are systems to which you remotely connect, then
> those systems should be marked as trusted IPs so that future authorized
> events will be logged as normal traffic.
>
> Hope this is of some help?
>
> Art
>
>
> ==== GEN-COMP-TIPS Mailing List ====
> DO NOT open unexpected file attachments from people, even if you know them. Verify with the sender first. This may be your only line of defence, other than AV Software, against mail "viruses"