Solved

NDIS User Mode I/O Driver Question

Posted on 2002-05-31
Last Modified: 2011-08-18
I am new to firewalls. So, with my Sygate firewall running, I get a lot of information I am unfamiliar with regarding applications that are either trying to get out of my computer (onto the Internet) or get into my computer.

One application that tries (constantly) to get out is NDIS. I can see that it is coming from my system directory. I assume it is a WIN XP application trying to do some harmless activity. But because I am unfamiliar with it, I wanted to get an expert's opinion as to what it is trying to do.

The actual file name is "ndisuio.sys".

Thank you for any help.

Tom Houck
Question by:tomhouck
17 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 7047701
That driver is just an intermediate level between the user and kernel modes.  Some other program must be using it.
LVL 9

Accepted Solution

by:
TooKoolKris earned 800 total points
ID: 7047917
This is a system file that makes calls to dynamic link libraries amongst the TCP/IP stack. It uses communication ports and the loopback address in order to make these calls. This is why you see the communication on your firewall. It's not trying to connect to the Internet, just another port on your computer for the purpose of calling instructions.

TooKoolKris
MCSE+I, CCNA, A+


Author Comment

by:tomhouck
ID: 7048611
TooKoolKris
Thanks for the response. So is it harmless? How can I determine what application is trying to use it?

Thank you,

Tom
LVL 9

Expert Comment

by:TooKoolKris
ID: 7048976
You can download a copy of fport from the link below; it will tell you the .exe that is using each port. It's a free program as well. Have fun.

http://www.foundstone.com/knowledge/intrusion_detection.html

TooKoolKris
MCSE+I, CCNA, A+
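An added example, not code from this thread or from fport: a PowerShell report that does what fport did (which .exe owns each port) and also shows the remote address of each connection, the check TC_Tomcat raises later in the thread. It assumes a Windows 8 / Server 2012 or later host, where Get-NetTCPConnection and Get-NetUDPEndpoint exist; on XP the nearest built-in equivalent is netstat -ano.

```powershell
# Added example (not from this thread): list every TCP connection and UDP endpoint
# with the process that owns it, the modern equivalent of the fport lookup above.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-NetUDPEndpoint).
function Get-PortOwnerReport {
    param(
        # Remote addresses starting with these prefixes are treated as local/LAN.
        # '172.16.' is a simplification; the full private range is 172.16.0.0/12.
        [string[]]$LocalPrefixes = @('127.', '0.0.0.0', '::', '10.', '192.168.', '172.16.')
    )
    # Cache PID -> process once instead of calling Get-Process per endpoint.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Local = "$($_.LocalAddress):$($_.LocalPort)"
                           Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                           State = [string]$_.State; PID = [int]$_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Local = "$($_.LocalAddress):$($_.LocalPort)"
                           Remote = '*'; State = 'Bound'; PID = [int]$_.OwningProcess }
    }

    foreach ($row in @($tcp) + @($udp)) {
        $p = $procs[$row.PID]
        # Path is empty for PID 0/4 (System, i.e. kernel-mode drivers such as
        # ndisuio.sys) and for processes this session is not allowed to open.
        $isLocal = ($row.Remote -eq '*' -or
                    @($LocalPrefixes | Where-Object { $row.Remote.StartsWith($_) }).Count -gt 0)
        [pscustomobject]@{
            Proto    = $row.Proto
            Local    = $row.Local
            Remote   = $row.Remote
            State    = $row.State
            PID      = $row.PID
            Process  = if ($p) { $p.ProcessName } else { 'System/unknown' }
            Path     = if ($p) { $p.Path } else { $null }
            External = -not $isLocal
        }
    }
}

# Connections to addresses outside the box and the LAN are listed first.
Get-PortOwnerReport | Sort-Object External -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that Path is populated for processes owned by other accounts; an External row whose Process is System/unknown is the case worth looking at more closely.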
LVL 11

Expert Comment

by:geoffryn
ID: 7051382
I don't think Fport works on XP.  Great tool though.
LVL 9

Expert Comment

by:TooKoolKris
ID: 7051765
Yes, you will need to make sure that the psapi.dll file exists on the PC and that it is in the system folder. If not, you need to install fport in the same directory as the .dll file or change your environment settings by adding a path statement for the directory that the .dll is in.

TooKoolKris
MCSE+I, CCNA, A+
LVL 11

Expert Comment

by:geoffryn
ID: 7051783
Are you saying that you have been able to get fport to produce results on XP?  I can run the app but it does not enumerate ports and services.  I have repro'd this on multiple systems.
LVL 9

Expert Comment

by:TooKoolKris
ID: 7051810
No, I'm just stating that the program requires this .dll in order to function. I haven't tested it on XP. On W2K that .dll is in the system folder so you don't have to do anything. On NT4 it's in a different folder so it may be that way for XP as well. Does a file search for that .dll file turn up anything in XP? We don't run XP at work yet because most of our company software hasn't been upgraded to support it yet. We're mostly a W2K shop.

TooKoolKris
MCSE+I, CCNA, A+
LVL 11

Expert Comment

by:geoffryn
ID: 7051822
I have the .dll, and it doesn't work.  Neither does Vision.  
LVL 9

Expert Comment

by:TooKoolKris
ID: 7051841
Oh well then, at any rate it's a harmless system file communicating within the IP stack.

TooKoolKris
MCSE+I, CCNA, A+

Expert Comment

by:TC_Tomcat
ID: 7317289
Firstly, I just tried the fport program on XP in a random directory and it does work...

Secondly, being that I have just gone through this same scenario with this file and warning, I have a concern about your answer. You did not ask if there was also communication from an external IP. This would be important as it would signal that it obviously is not merely internal network communication.

The reason I am replying is because there very well could be more to it.

Use this site as a reference
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

This gives you a listing of some ports that are commonly used for trojan activity. The port listed on my attempted communication is 65432. You can see there is a trojan that is affiliated with that port. While it does not signify that I surely have a trojan which has infected my computer...nonetheless it is a possibility.

I still have not been able to find why someone is trying to communicate to that port and sys file, as I used a trojan cleaning program and it did not find anything. Perhaps another program installed it and it is affiliated with that program; I am not sure.

Hope this helps

Expert Comment

by:bastion
ID: 8007252
Yes, I also have Sygate, which I like very much. Yeah, I have the same popup that says the same thing, BUT when I look up the traffic log it is connecting to my ISP's DNS server. Plus I just formatted and installed the firewall right after my hardware drivers (no viruses on the machine at this time) and it shows up on every format, so I really believe WE have nothing to worry about.
LVL 3

Expert Comment

by:cduke250
ID: 8193018
I think this is the answer to your original question...

The following applications may need to be set to allow within the running applications list: "mpsrv", "kernel32", "ntoskrnl", "svchost", "NetBeui", and possibly "tcpsvcs", "nwlnkipx.sys", "ndisuio.sys" and "ssdpsrv". These settings will need to be applied to all systems running SPF that require F&P sharing.


On all of the systems you have running Sygate, you will need to change your settings to allow this file.
Go to the Applications tab and allow

ndisuio.sys          <----- bingo!



You will all find http://www.whitehat-security.com/SPF.htm very helpful. =) hope that helps

Expert Comment

by:SpideyMod
ID: 8279138
Force Accepted

SpideyMod
Community Support Moderator @Experts Exchange

Expert Comment

by:alka1ine
ID: 9496053
I know this is an old topic but that might not be the problem either...  My ndisuio.sys was constantly downloading 2-4k and after time it adds up to a lot.  That's 56k speed downloading all day, every day!  I also did a clean install but that was after I was using the cable modem without a decent firewall like Sygate, so something must have gotten in and screwed up my IP status from "secure" to "come on all you hackers, let's have some fun".  I had to go into safe mode and rename the file and now it doesn't download all day.  I still get numerous ping attacks and minor things that the firewall blocks, which I assume is all related to my IP getting passed around because it was vulnerable.  I still get pinging from all around the world but now I guess the ndisuio.sys file isn't accessible to intruders anymore....not sure if I'll need it one day either.

Expert Comment

by:pataphysician
ID: 9842086
Just in case anyone is still watching this:

http://www.iceteks.com/forums/index.php?s=0c61cc87365c1408753b008c8ca04d4c&showtopic=1290&view=findpost&p=14302

I've been looking for an answer for this for ages. Disabling the wireless configuration service stops all of this excess traffic. Doesn't really explain why it was happening in the first place, but at least we know how to kill it now.