Web Server forum
    NDIS user mode I/O driver  
Tiago
01-30-04 03:34 PM

I have Sygate firewall and this application (from Windows XP) is always
downloading from the internet, from several IP addresses and from different
ports. If I block it in the firewall, it still keeps downloading but the
traffic shows under incoming blocked. Outgoing traffic is zero. I did a few
searches on the web and I still don't understand exactly what this "NDIS
user mode I/O" is for. It's under this path:
C:\WINDOWS\System32\DRIVERS\ndisuio.sys

The description of this thing: "Internal Windows driver; performs internal
communications tasks within Windows". Well, that doesn't help much. The
thing is my ISP has a monthly download cap, and this thing is downloading,
slowly but surely, a few megabytes every day. Please give me some hints on how
to resolve this problem. TIA.

    Re: NDIS user mode I/O driver  
Duane Arnold
01-30-04 04:34 PM

Tiago <tiago@not.com> wrote in
news:Xns9480EC6592D83tiagonospamcom@213.228.128.15:
> I have Sygate firewall and this application (from Windows XP) is
> always downloading from the internet. From several IP addresses and
> from different ports. If I block it in the firewall, it still keeps
> downloading but the traffic shows under incoming blocked. Outgoing
> traffic is zero. I did a few searches on the web and I still don't
> understand exactly what this "NDIS user mode I/O" is for. It's under
> this path C:\WINDOWS\System32\DRIVERS\ndisuio.sys
I would suspect that it's the Wireless Zero Configuration service using ndisuio.sys. Are you using a wireless setup? You can for sure determine if traffic/packets are leaving your machine by using a packet sniffer like Ethereal (free, use Google) and what IP(s) the packets are going to. You can use Active Ports (free) to view connections to remote IP(s). If it indicates *Established* then there is a connection.
> The description of this thing: "Internal Windows driver; performs
> internal communications tasks within Windows". Well that doesn't help
> much. The thing is my ISP has a monthly download cap, and this thing
> is downloading slowly but surely a few megabytes every day. Please,
> give me some hints how to resolve this problem. TIA.
You may have a Trojan or spyware you may need to find, so use Process Explorer or PrcView (both free) to look at processes running on the machine; you can look inside a running process to see what's using the process. It may be that some spyware is using NDIS to get out.

Go to Administrative Tools/Services and find the Wireless Zero Configuration and disable it. You can look at the Dependencies and see that it's using NDIS. You don't need WZC running on the machine even if you do have a wireless setup on the machine.

Use IPsec that's on the XP O/S to supplement Sygate, which can be used to block inbound or outbound by IP, port, protocol, DNS etc., etc. I use IPsec to supplement BlackIce. I use BlackIce to shut down something like ndisuio.sys from communicating but allow it to run.

http://www.petri.co.il/block_ping_t..._with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm

You should *harden* the XP O/S to attack and shut down some of the stuff you don't need running or accessible.

http://www.uksecurityonline.com/husdg/windowsxp.php

HTH
Duane
    Re: NDIS user mode I/O driver  
Tiago
01-30-04 07:34 PM

Duane Arnold wrote in
news:Xns9480BB25657C4darnold92insightbbco@63.240.76.16:
> Tiago <tiago@not.com> wrote in
> news:Xns9480EC6592D83tiagonospamcom@213.228.128.15:
>
> I would suspect that it's the Wireless Zero Configuration service using
> ndisuio.sys.
>
> [....]
>
> Go to Administrative Tools/Services and find the Wireless Zero
> Configuration and disable it. You can look at the Dependencies and see
> that it's using NDIS.
Thanks a lot for your reply. Disabling the Wireless Zero Configuration did the trick; after a reboot it doesn't do it anymore. In the dependencies I have NDIS + Remote Procedure Call (RPC). I reinstalled Windows XP last week and applied all the updates that are available at Microsoft. But even so, maybe I have some kind of exploit in my PC related with RPC? Or is it normal that RPC is a dependency of Wireless Zero Configuration? By the way, I don't even have a wireless card in my PC.

I also had, a few days ago, various hits in the security log of the firewall with this message: "[181] DCE BIND to potentially vulnerable RPC DCOM interface attempt detected". And then it blocked all traffic automatically. Later I blocked all incoming and outgoing traffic on port 181 and 135 (because of the logs in Sygate) and stopped getting those hits in the security log. I'm not sure if this is in any way related to the NDIS traffic...
> You don't need WZC running on the machine even if you do have a
> wireless setup on the machine.
>
> Use IPsec that's on the XP O/S to supplement Sygate, which can be used
> block inbound or outbound by IP, port, protocol, DNS etc., etc. I use
> IPsec to supplement BlackIce. I use BlackIce to shutdown something
> like ndisuio.sys from communicating but allow it to run.
>
> http://www.petri.co.il/block_ping_t..._with_ipsec.htm
> http://www.analogx.com/contents/articles/ipsec.htm
>
> You should *harden* the XP O/S to attack and shutdown some of the
> stuff you don't need running or accessible.
>
> http://www.uksecurityonline.com/husdg/windowsxp.php
Tomorrow I'm going to look at some of the other stuff you mention. Norton AV doesn't detect anything strange, at least. Not sure if that is a good or a bad sign. Thanks again.
    Re: NDIS user mode I/O driver  
Duane Arnold
01-30-04 08:34 PM

Tiago <tiago@not.com> wrote in
news:Xns948120F09F178tiagonospamcom@213.228.128.15:
> Duane Arnold wrote in
> news:Xns9480BB25657C4darnold92insightbbco@63.240.76.16:
>
> Thanks a lot for your reply. Disabling the Wireless Zero Configuration
> did the trick, after a reboot it doesn't do it anymore. In the
> dependencies I have NDIS + Remote Procedure Call (RPC). I reinstalled
> Windows XP last week and applied all the updates that are available at
> Microsoft. But even so maybe I have some kind of exploit in my PC
> related with RPC? Or is it normal that RPC is a dependency of Wireless
> Zero Configuration? By the way, I don't even have a wireless card in
> my PC.
RPC is supposed to be used with WZC, but since you have shut down the service, it should not be a problem. RPC should not be a problem if you have applied the patch and you have a FW protecting port 135. However, RPC, which is RPCRT4.dll running out of Windows\system32, is used by the O/S for various reasons, such as being used by svchost.exe. You can use Process Explorer and click on svchost.exe and then go to View/DLL(s) and you will see RPCRT4.dll being used. BTW, if svchost.exe is not running out of Windows\system32, it's a *Trojan*.
> I also had a few days ago various hits in my security log of the
> firewall with this message: "[181] DCE BIND to potentially vulnerable
> RPC DCOM interface attempt detected" And then it blocked all traffic
> automatically. Later I blocked all incoming and outgoing traffic in
> port 181 and 135 (because of the logs in Sygate) and stopped getting
> those hits in the security log. I'm not sure if this is in any way
> related to the NDIS traffic...
The link I provided about *hardening* the XP O/S gives you some options on how to disable DCOM on the O/S, if need be.
> Tomorrow I'm going to look at some of the other stuff you mention.
> Norton AV doesn't detect anything strange at least. Not sure if that
> is a good or a bad sign. Thanks again.
The protection starts with the O/S, and everything else in the protection is secondary to the O/S. The buck stops at the O/S. Use applications like Active Ports to look for yourself from time to time. Look into using IPsec to supplement Sygate, as malware can take down a host-based FW.

A cheap router comes to mind as well that will stop the attacks in front of the machine, and the O/S and FW will not have to react using resources on the machine, letting the machine do more productive things. You can get a router for as much as you paid for Sygate, if not using the free one. Use Sygate and/or IPsec to stop outbound connections behind the router.

http://www.homenethelp.com/web/explain/about-NAT.asp

Use your common sense in the protection and not have happy fingers that click on things and you'll be fine. <g>

Duane
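The checks Duane describes in his two replies (look at the WZC service and its dependencies, disable it on a machine with no wireless adapter, look for *Established* connections and the process behind them, and treat an svchost.exe outside Windows\system32 as suspect) can be scripted so they are repeatable. The following is an added example, not code from the thread or from any of the tools named in it. It assumes Windows XP SP3 with PowerShell 2.0 installed and an Administrator account; the service name WZCSVC is the XP service name for "Wireless Zero Configuration", and the regex used to spot a wireless adapter is a heuristic.

```powershell
# Added example (not from the thread). Audit WZC, optionally disable it, and
# map ESTABLISHED TCP connections to the owning process and image path.
# Assumes Windows XP SP3, PowerShell 2.0 and an Administrator session.

$serviceName = 'WZCSVC'   # XP service name for "Wireless Zero Configuration"
$system32    = Join-Path $env:SystemRoot 'system32'

# 1. Service state, start mode and dependencies (the thread reports NDIS + RPC).
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    Get-WmiObject Win32_Service -Filter "Name='$serviceName'" |
        Select-Object Name, DisplayName, State, StartMode, PathName | Format-List
    "Services that $serviceName depends on:"
    $svc.ServicesDependedOn | Select-Object Name, DisplayName, Status | Format-Table -AutoSize
} else {
    "Service $serviceName is not present on this machine."
}

# 2. Disable WZC when no wireless adapter is present, as the thread recommends.
#    The adapter name match is a heuristic (assumption); review the list first.
$adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }
$adapters | Select-Object Name, NetConnectionID | Format-Table -AutoSize
$wireless = $adapters | Where-Object { $_.Name -match 'Wireless|802\.11|Wi-?Fi' }
if ($svc -and -not $wireless) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name $serviceName }
    Set-Service -Name $serviceName -StartupType Disabled
    "Stopped and disabled $serviceName (no wireless adapter detected)."
}

# 3. ESTABLISHED TCP connections mapped to process name and image path.
#    netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
$rows = netstat -ano | Select-String 'ESTABLISHED' | ForEach-Object {
    $fields   = $_.Line.Trim() -split '\s+'
    $procId   = [int]$fields[4]
    $proc     = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $procName = '?'
    $path     = '<unknown>'
    $note     = ''
    if ($proc) {
        $procName = $proc.Name
        if ($proc.Path) { $path = $proc.Path }
        # Duane's rule of thumb: svchost.exe not living in system32 is suspect.
        if ($procName -eq 'svchost' -and $path -notlike "$system32\*") {
            $note = 'svchost outside system32 - investigate'
        }
    }
    New-Object PSObject -Property @{
        Local   = $fields[1]
        Remote  = $fields[2]
        PID     = $procId
        Process = $procName
        Path    = $path
        Note    = $note
    }
}
$rows | Sort-Object Process | Format-Table Process, PID, Local, Remote, Path, Note -AutoSize
```

The connection table is the scripted equivalent of watching Active Ports: each row ties a remote address to a process and its image path, so a download that survives a firewall block can be attributed to the process that owns the socket rather than guessed at from the firewall log. Run step 3 before and after disabling the service to confirm the traffic actually stopped.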
    Re: NDIS user mode I/O driver  
Unregistered
02-13-04 04:44 PM

I block the kernel without problems. NDIS, if blocked, doesn't let me get on
to certain sites; Generic Host Process too. I run this also with Zone Alarm.
Zone Alarm has a True Vector service; I block this as well.

I block everything and if something doesn't work, troubleshoot. If someone has
a better answer please let me know.
    Re: NDIS user mode I/O driver  
Duane Arnold
02-14-04 03:33 AM

Unregistered <Guest.11kv8y@mail.webservertalk.com> wrote in
news:Guest.11kv8y@mail.webservertalk.com:

> I block the kernel without problems.  NDIS if blocked doesn't let me get
> on to certain sites  Generic Host Process too.  I run this also with
> Zone Alarm.  Zone Alarm has True Vector service I block this as
> well.

Well, it's not svchost.exe (Generic Host Process service) that needs to
be blocked in the first place, since that service's job is to
communicate on the LAN or WAN for the O/S.
> I block everything and if something doesn't work troubleshoot.  If
> someone has a better answer please let me know.

Therefore, blocking everything that svchost does leads to you not being
able to access certain sites when the access to the site may be legit,
because you never took the time to determine what program element or
application on the machine wants to use svchost to communicate, which can
be done by using other utilities to help make that determination, instead
of depending solely upon the FW to tell you what is happening on the
machine and whether or not it needs to be stopped from communicating,
which malware can circumvent and defeat that anyway.

In other words, you're killing the messenger instead of finding out what
is using the messenger and killing it, because the time that you don't
kill the messenger and let it deliver the message is the time anything
else that you were killing the messenger for and didn't know what it was
now has its chance to deliver its message too.

Duane 
    Re: NDIS user mode I/O driver  
Jarmo P
02-14-04 04:33 AM

> I block the kernel without problems.  NDIS if blocked doesn't let me get
> on to certain sites  Generic Host Process too.  I run this also with
> Zone Alarm.  Zone Alarm has True Vector service I block this as
> well.

Ndisuio.sys is for the Wireless Zero Configuration service.
If you don't have any wireless devices, then that service should be
disabled.
It has nothing to do with surfing sites.
trumpcard
02-18-04 02:53 PM

Duane,

thank you for your information,
it has been a great help to me.
    Re: NDIS user mode I/O driver  
Duane Arnold
02-18-04 05:33 PM

trumpcard <trumpcard.11tz0y@mail.webservertalk.com> wrote in
news:trumpcard.11tz0y@mail.webservertalk.com:

> Duane,
>
> thank you for your information,
> it has been a great help to me.
>
> trumpcard

I am glad I could help.

Duane 