Why do these files need access to the net

abdulrahman004

Today, after reading pupudada's post, I installed Sygate firewall on my system (Zone Alarm link dead). After installing it I saw that some Windows files continuously try accessing the network. The three files are svchost.exe, ntoskrnl.exe, lsas.exe. Why are these files trying to access the internet? I have switched off automatic updates.

There is another thing I have noted. My IP address is 59.93.64.xxx (Hyd) and in the traffic logs I have seen addresses like 59.93.78.xx and 59.93.174.xx trying to access my n/w. Why is it so?

P.S. I have Win XP Prof with SP2 installed on my system.
 
As for svchost.exe, it's the Windows Services Host! It depends on what services you have installed! On my Windows firewall it has never asked that! Maybe it is blocking svchost.exe from accessing the local network (LAN) itself! So Sygate may be strict enough to block! I suggest you unblock it coz it won't be accessing your internet! It's not those files which autoupdate! ntoskrnl.exe is the system kernel but I don't know why it would access a network! Also lsass.exe (that's what it's supposed to be) is a system process and I recommend you unblock them! They won't harm your computer and you will face fewer hindrances with normal operation of your computer.

As for the IP addresses, have they appeared more than once? Are they your ISP's DNS servers?

Regards,
Pawan
 
On Windows 2000 svchost.exe is also required for DNS resolution (not 100% sure 😛). You can also disable the DNS resolution service from services.msc (it won't give you any problem, as after disabling it all programs go to DNS servers themselves for name resolution). lsass.exe opens ports 445 and 139 and can be blocked if you do not use file sharing. You can safely block ntoskrnl.exe too. In Sygate go to advanced rules and make 2 rules to block incoming traffic on ports 139, 445, 1025, 1026, 5000, 135, 137 (UDP as well as TCP) and you don't have to worry much, as these are the only vulnerable ports Windows has by default.
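Added example, not part of any post in this thread: a Python check that reads `netstat -ano` output and lists which of the ports named in the reply above are open to other machines, and under which PID, so the firewall rules can be matched to real listeners. The netstat text is constructed sample output and the function names are hypothetical.

```python
# Ports the reply above suggests blocking inbound (TCP and UDP).
WATCHED_PORTS = {135, 137, 139, 445, 1025, 1026, 5000}

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1200
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:3012       203.0.113.7:80         ESTABLISHED     2100
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:137        *:*                                    4
  UDP    0.0.0.0:1026           *:*                                    1100
  UDP    0.0.0.0:123            *:*                                    1100
"""

def parse_listeners(text):
    """Yield (proto, address, port, pid) for TCP LISTENING and bound UDP sockets."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated text
        proto = fields[0]
        # TCP rows carry a State column; UDP rows do not.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        if not (port.isdigit() and fields[-1].isdigit()):
            continue
        yield proto, addr, int(port), int(fields[-1])

def exposed_watched_ports(text, ports=WATCHED_PORTS):
    """Return sorted (proto, port, address, pid) for watched ports not bound to loopback."""
    findings = []
    for proto, addr, port, pid in parse_listeners(text):
        loopback = addr.startswith("127.") or addr == "[::1]"
        if port in ports and not loopback:
            findings.append((proto, port, addr, pid))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, addr, pid in exposed_watched_ports(SAMPLE_NETSTAT):
        print(f"{proto} {port:<5} bound to {addr:<15} PID {pid}")
```

Feed it the text of a real `netstat -ano` run in place of the sample, and map each PID to a process name in Task Manager.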
 
Originally posted by pawanrh @ Sep 20 2005, 06:10 PM
As for the IP addresses, have they appeared more than once? Are they your ISP's DNS servers?
Regards,
Pawan
I think the 3 files are used to connect to the internet when IE is opened and also to export the settings of a comp. to a different n/w.

Regarding the IP addresses, these are not my DNS server but they are addresses from other locations. I have tracked them. They are from Calcutta and I'm from Hyd, and one more thing is that my UDP ports have been scanned twice, one from BSNL address 59.xx.xx.xx and the other from some host in USA 147.135.xx.xx. Why is it so?