
Port 1025 Open

Discussion in 'Security and Privacy' started by docbombay, 2006/08/25.

  1. 2006/08/25
    docbombay

    docbombay Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    43
    Likes Received:
    0
    For various reasons, I uninstalled Norton products and installed Zone Alarm Security Suite v.6.5 today. The only problem so far is that a "Shields Up" scan (grc.com) shows all ports in stealth mode except port 1025, which is open. All firewall settings are at high. The Gibson site recommends (if I understand it correctly) that I block incoming TCP to port 1025. I have done so (also tried outgoing) with no change in the test result. Being technologically challenged, I'm not sure I fully understand other sites, which suggest blocking server access to svchost, yet also state that svchost is a critical component of XP and should not be blocked. Some suggested that port 1025 is open because it is in use by ZASS itself. There were several other "security forums" which seemed to address the issue but were so highly technical that I really didn't follow. Can anyone help? I am very hesitant to start playing with ports I don't truly understand without some sort of guidance. Thanks for any help!

    docbombay
     
  2. 2006/08/26
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, docbombay.

    TCPView from Sysinternals might help you identify what Process is apparently keeping port 1025 open (and possibly what Remote Address it is connected to).

    Near the end of the TCPView page you will see a "Download TCPView and TCPVCon (81 KB)" link. Download the ZIP file, create a folder called "TCPView" anywhere you want on your hard drive (or your Desktop). Then extract the contents of the ZIP file to that folder. The TCPView program is a stand-alone program. (i.e., It does not need to be "installed" like other applications often do.) If you want further assistance with this, feel free to ask. :)


    When you run Tcpview.exe while connected to the Internet, you can identify the local port 1025 connection in the "Local Address" column. It will be
    <your computer name>:1025 OR xxx.xxx.xxx.xxx:1025

    The x's are numbers (maximum of 3 digits in each section) that represent your IP address that identifies your Internet Service Provider and your computer. Therefore, if privacy is a concern for you, you should replace all those digits with a single X if/when you paste the information into a message. (If you paste TCPView information into a message, I recommend you X those Local Address digits in your post(s) anyway because someone reading this thread might try to attack your computer through your port 1025.)

    It may be helpful for us if you leave the Remote Address information as-is though. The Remote Address information might help us identify the cause of your stubborn open port 1025 problem.


    In case you want further assistance after running TCPView, you can copy the Local Address port 1025 line to your clipboard for pasting in this thread by right-clicking on that line and then selecting "Copy ".

    You can select all lines to copy to your clipboard at once as follows:
    • Click on the first entry in TCPView.
    • Hold down your Shift key and use your down arrow key to highlight all lines.
    • Then right-click on the highlighted contents and select Copy.

    You can paste the contents of your clipboard to your message by right-clicking in the message editing section and selecting Paste.

    I hope this helps.
     
    Last edited: 2006/08/26


  4. 2006/08/26
    docbombay

    docbombay Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    43
    Likes Received:
    0
    Hi, mailman--First, thank you for the extremely clear instructions! Even an amateur like me was able to follow them. I am including the results of the TCPview scan, but am still confused in that 1025 does not seem to be in use. I appreciate any further suggestions you or others might have, and will gladly provide any additional information. Thank you!!!

    GBTray.exe:752 UDP xxxxxxxx:1026 *:*
    iexplore.exe:2624 UDP xxxxxxxx:1066 *:*
    isafe.exe:3392 TCP xxxxxxxx:1032 localhost:1038 ESTABLISHED
    isafe.exe:3392 TCP xxxxxxxx:1032 localhost:1080 ESTABLISHED
    isafe.exe:3392 TCP xxxxxxxx:1033 localhost:1041 ESTABLISHED
    lsass.exe:844 UDP xxxxxxxx:isakmp *:*
    lsass.exe:844 UDP xxxxxxxx:4500 *:*
    msimn.exe:2828 TCP xxxxxxxx:1080 localhost:1032 ESTABLISHED
    svchost.exe:1196 UDP xxxxxxxx.wi.rr.com:ntp *:*
    svchost.exe:1196 UDP xxxxxxxx:ntp *:*
    svchost.exe:1324 UDP xxxxxxxx:1035 *:*
    svchost.exe:1324 UDP xxxxxxxx:1036 *:*
    svchost.exe:1364 UDP xxxxxxxx.wi.rr.com:1900 *:*
    svchost.exe:1364 UDP xxxxxxxx:1900 *:*
    System:4 TCP xxxxxxxx:microsoft-ds xxxxxxxx LISTENING
    System:4 TCP xxxxxxxx:netbios-ssn xxxxxxxx LISTENING
    System:4 UDP xxxxxxxx:microsoft-ds *:*
    System:4 UDP xxxxxxxx.wi.rr.com:netbios-dgm *:*
    System:4 UDP xxxxxxxx.wi.rr.com:netbios-ns *:*
    vsmon.exe:2016 TCP xxxxxxxx:1028 xxxxxxxx LISTENING
    vsmon.exe:2016 TCP xxxxxxxx:1038 localhost:1032 ESTABLISHED
    vsmon.exe:2016 TCP xxxxxxxx:1041 localhost:1033 ESTABLISHED

    I have noticed since earlier today that the TCPview results change with each scan, but 1025 has not appeared in any of them thus far.

    docbombay
     
  5. 2006/08/26
    docbombay

    docbombay Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    43
    Likes Received:
    0
    Mailman--I just made one more discovery. I tried turning on the Windows XP firewall in addition to ZASS, and the grc scan is now all stealth. Now the question is whether it is desirable to run both firewalls. So far, no problems but I have not tried too many features yet. I would rather run the ZA firewall alone and close 1025, but if this is an acceptable fix, I can live with it!

    docbombay
     
  6. 2006/08/26
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, docbombay.

    If I understand correctly, it is generally considered not a good idea to run two software firewalls concurrently because they tend to "fight" each other for control of network traffic. Numerous times, I have seen recommendations on this board to pick ONE software firewall to run.

    At the least, I think running two or more software firewalls concurrently could create system instability and produce crashes. At worst, your system's security may be compromised.

    The ZoneAlarm firewall is better than Windows Firewall because ZA monitors both incoming and outgoing traffic and WF monitors incoming traffic only.


    If I had your open port 1025 issue, I would be inclined to try to find out what process keeps your port 1025 open when using only ZASS's firewall and figure out how to control that. I suggest giving TCPView a run and see what you can find out. Sysinternals' utilities, including TCPView, have a very good reputation with people on this board. Besides, I have read Microsoft has acquired Sysinternals, so that also seems to imply Sysinternals' stuff is good. :)


    My hunch is there might be some Norton/Symantec stuff left behind that's keeping port 1025 open and/or interfering with your ZASS use/installation. Based on what I have read in various forum threads, Norton/Symantec products seem to be rather difficult for many people to uninstall completely because Norton/Symantec products tend to integrate very intimately with the systems they're installed on. IMHO, Norton/Symantec should provide better uninstallation capabilities in their software to allow the average user to easily remove Norton/Symantec products completely.

    =============

    If you want additional firewall protection and you want to skip trying to hunt down the cause of your open port 1025 issue, consider purchasing a router with firewall capabilities that matches your existing hardware configuration. Many available routers have such firewall capabilities. If you place a firewall router between your computer and the Internet, the router will filter traffic independently of your software firewall, providing an additional layer of protection.

    For example, if you use an external modem and dial-up access for your Internet connection, look for a router that allows your dial-up modem to be connected to the router and configure your router to dial to your ISP. These routers may be a little more difficult to find but they do exist.

    The hardware connection order would be as follows:
    Computer -> Router -> External Modem -> Internet

    I have used such a software/hardware combination with this USR Router (with a 9-pin connector for my modem cable) and this USR external dial-up modem in the past with no apparent ill effects regarding my dial-up Internet connection. When I was connected to the Internet with this hardware configuration and ZoneAlarm Pro, my ZAPro firewall logs showed VERY little activity. My router blocked most of the incoming traffic (including port 1025 :)).

    Your hardware might be different (i.e., an external USB modem instead of an external modem that uses a DB-25/DE-9 cable as in my particular hardware configuration) so you should make sure that your modem and router will mate with each other well.

    I do not know if a similar router/modem combination exists for an internal modem. You would probably have to get some additional feedback about that. Maybe someone reading this thread will let us know. :)

    Good luck!
     
    Last edited: 2006/08/26
  7. 2006/08/26
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    OOPS! I just realized you did run TCPView. :) Sorry about that.

    Yes, you are correct. There does not appear to be an open port 1025.

    Did you have two firewalls running when you ran TCPView? If so, consider disabling the Windows Firewall so you have only ZASS running and see what results you get.

    I would also suggest running another Shields UP! scan during the time you have TCPView running and see if a different port may be open. Some processes may hold different ports open at different times. If Shields UP! reports an open port, compare that with your TCPView window Local Address ports.
     
    Last edited: 2006/08/26
  8. 2006/08/26
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi again, docbombay.

    Yes, TCPView updates its inventory of ports in use every few seconds. You can adjust that setting via TCPView's View > Update Speed.
     
    Last edited: 2006/08/26
  9. 2006/08/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi docbombay,

    Bring up ZA and go to the Program Control page via the Program Control tab on the left and make sure there are no programs enabled under Server.

    What Server does is allow a program to actively respond to any Net communications and is usually the culprit in holding ports open.

    Now for a bit of heresy: I ran XP's firewall alongside both ZAP and Sygate versions with no ill effects for years. This is not the first time that I've seen a post where someone had your problem and running XP's firewall closed a port. I am not advocating running two 3rd party firewalls - that would truly create conflicts, nor am I advising that you keep running WF; the problem is with ZA and should be solved there.

    Regards - Charles
     
  10. 2006/08/26
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, Charles. Thanks for jumping in!

    I dunno why I didn't think of checking ZA's server permissions.

    docbombay, you can be assured that Charles' advice is usually (always?) sound. :)


    BTW, there is a master setting in ZAPro I use to "Block Internet servers". It is located in ZAPro (and ZASS?) as follows:

    • Click on Firewall at the left of your ZAPro screen.
    • Click on the Advanced button in the lower right of that screen.
    • Place a check mark next to "Block Internet servers".
    • Click the OK button.

    Here is what ZAPro's help documentation says:
    I think you can find that information as follows:

    • Press your F1 key while in ZASS.
    • Type Block Internet servers in the "Type in the keyword to find:" field.
    • Click the List Topics button.
    • Double-click the "Setting general security options" item in the "Select Topic to display:" list.
     
    Last edited: 2006/08/26
  11. 2006/08/26
    docbombay

    docbombay Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    43
    Likes Received:
    0
    A BIG thank you to mailman and Charlesvar!!! I did, in fact, run TCPview with only ZASS on (disabled XP firewall). Then, as you suggested, I ran TCPview and simultaneously scanned with grc. It took several tries, but a brief change in the TCPview screen showed me that LEXPPS.exe was using port 1025. Coincidentally, for the first and only time during this problem, ZASS itself gave me an alert that LEXPPS.exe was trying to access the internet. So I did a little homework and found this in a Google Search of LEXPPS:

    "This little gem of a process was brought to you by the brilliant engineers at Lexmark. It's run by default when you install the Lexmark and Dell printer drivers (as of this writing, Lexmark makes Dell printers). It insidiously sits in the background and binds to TCP port 1025 in case you'd ever want to set up print services over a windows network. There is no way to disable it to listen for incoming connections, and there is no obvious way to disable it from starting up. Frankly, I don't like mysterious server processes running on my machine, because even if it has no known remotely exploitable vulnerabilities there is always a risk of one being found in the future. Plus, this has been the source of agony for people that have complained loudly on message boards of things like not being able to boot up or having mysterious Ethernet card problems.

    Removing this requires a little effort, but is worth it in my opinion. Since the driver automatically loads this program, you can't monkey around in the windows registry to disable it. Instead, find the lexpps.exe file on your system and give it a new extension. I found it hiding in my c:\winnt\system32 directory, but when in doubt use the search feature. Ta-da, no irritating messages from your firewall and you get ~800kb of memory back. I don't share my printers and I've noticed no adverse side effects, but as always YMMV."

    Well, I took a simpler approach--I simply blocked LEXPPS.exe from Access (all are blocked for Server) in ZASS's Program Manager, and rescanned with grc. Lo and behold, I got complete stealth mode!!! And yes, all the while the Windows XP firewall was closed, so I needn't run both firewalls to close the port.

    There is no way I would have known how to approach this problem on my own, and no way I can thank you enough for your time, expertise and effort. I learned a great deal from you in the process. I hope this fix is valuable to others as well.

    docbombay
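    The correlation mailman describes in post 2 and docbombay carries out in posts 4 and 11, matching the port Shields UP! reports against TCPView's Local Address column, as an added Python example that is not from the thread or from Sysinternals. It assumes the row layout TCPView produces when its rows are copied to the clipboard (as pasted above); the sample rows, including the lexpps.exe line on port 1025, are constructed, and the service-name table mirrors the names TCPView substitutes for well-known ports.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in TCPView's clipboard layout:
# process:pid  protocol  local address  remote address  [state]
# The lexpps.exe row is constructed to reproduce the thread's finding.
SAMPLE_TCPVIEW = """\
isafe.exe:3392 TCP mypc:1032 localhost:1038 ESTABLISHED
lexpps.exe:1512 TCP mypc:1025 mypc:0 LISTENING
lsass.exe:844 UDP mypc:isakmp *:*
svchost.exe:1196 UDP mypc.wi.rr.com:ntp *:*
System:4 TCP mypc:microsoft-ds mypc:0 LISTENING
vsmon.exe:2016 TCP mypc:1028 mypc:0 LISTENING
"""

# Names TCPView shows in place of well-known port numbers (from the services file).
SERVICE_PORTS = {"ntp": 123, "isakmp": 500, "netbios-ns": 137,
                 "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445}

LINE_RE = re.compile(r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
                     r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$")


def local_port(local_addr: str) -> Optional[int]:
    """Numeric port from 'host:port'; resolves TCPView's service names."""
    _, _, port = local_addr.rpartition(":")
    return int(port) if port.isdigit() else SERVICE_PORTS.get(port)


def parse_tcpview(text: str) -> List[Dict]:
    """Parse pasted TCPView rows, skipping any line that is not a row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        row["port"] = local_port(row["local"])
        rows.append(row)
    return rows


def who_holds_port(text: str, port: int, proto: str = "TCP") -> List[Tuple[str, int, str]]:
    """Processes that would answer a probe on `port`: TCP rows in LISTENING
    state, or any UDP binding. ESTABLISHED TCP rows are existing connections,
    not something a scanner like Shields UP! can reach, so they are ignored."""
    hits = []
    for r in parse_tcpview(text):
        if r["port"] != port or r["proto"] != proto:
            continue
        if proto == "TCP" and r["state"] != "LISTENING":
            continue
        hits.append((r["proc"], r["pid"], r["local"]))
    return hits


def listening_tcp_ports(text: str) -> List[int]:
    """Sorted TCP ports a scan could find open unless the firewall drops the probe."""
    return sorted({r["port"] for r in parse_tcpview(text)
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"
                   and r["port"] is not None and not r["local"].startswith("localhost")})
```

    Because TCPView refreshes every few seconds, the row for a short-lived listener can vanish between scans, which is why docbombay needed several tries; feeding each captured snapshot through who_holds_port(snapshot, 1025) keeps that check mechanical.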
     
  12. 2006/08/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Mailman,

    Once again - good job :) I'll take "usually" ;)




    Hi docbombay,

    Happy you got this problem solved :)

    Regards - Charles
     
  13. 2006/08/26
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    That's GREAT news, docbombay! Congratulations! Thanks for your warm compliments too! :)

    BTW, I suggest you not consider monkeying with your registry as the quoted material suggests (and YMMV means "your mileage may vary"). The registry can be a very dangerous place to tinker unless you know exactly what you're doing and how to recover from a mistake.

    I'm also glad TCPView proved to be valuable. If we had gone straight to Charles' suggestion you may have not conclusively determined that LEXPPS was the culprit.

    This has been a very valuable learning experience for me as well. :) Thanks, docbombay!

    EDIT: For those that like handy links to quoted material, I think this page is where docbombay got the quoted information from.
     
    Last edited: 2006/08/26
  14. 2006/08/26
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Charles, thanks for your compliment too! My confidence in solving computer issues (without fear of mucking up people's computers even worse) is growing tremendously with the help, encouragement, and compliments of all the wonderful people here at Windows BBS.

    Thanks again, all you fantastic Windows BBS users!


    docbombay, I must also say your detective work was very well executed. Great job! I look forward to working together with you on any future issues you may run into. :)
     
