Solved

NDIS User Mode I/O Driver Question

Posted on 2002-05-31
17
68,932 Views
Last Modified: 2011-08-18
I am new to firewalls. So, with my Sygate firewall running, I get a lot of information I am unfamiliar with regarding applications that are either trying to get out of my computer (onto the Internet) or get into my computer.

One application that tries (constantly) to get out is NDIS. I can see that it is coming from my system directory. I assume it is a WIN XP application trying to do some harmless activity. But because I am unfamiliar with it, I wanted to get an expert's opinion as to what it is trying to do.

The actual file name is "ndisuio.sys".

Thank you for any help.

Tom Houck
0
Question by:tomhouck
17 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 7047701
That driver is just an intermediate level between the user and kernel modes.  Some other program must be using it.
0
 
LVL 9

Accepted Solution

by:
TooKoolKris earned 200 total points
ID: 7047917
This is a system file that makes calls to dynamic link libraries amongst the TCP/IP stack. It uses communication ports and the loopback address in order to make these calls. This is why you see the communication on your firewall. It's not trying to connect to the Internet, just another port on your computer for the purpose of calling instructions.

TooKoolKris
MCSE+I, CCNA, A+

0
 

Author Comment

by:tomhouck
ID: 7048611
TooKoolKris
Thanks for the response. So is it harmless? How can I determine what application is trying to use it?

Thank you,

Tom
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 7048976
You can download a copy of fport from the link below it will tell you the .exe that is using each port. It's a free program as well. Have fun.

http://www.foundstone.com/knowledge/intrusion_detection.html

TooKoolKris
MCSE+I, CCNA, A+
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7051382
I don't think Fport works on XP.  Great tool though.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 7051765
Yes you will need to make sure that the psapi.dll file exists on the pc and that it is in the system folder. If not you need to install fport in the same directory as the .dll file or change your environmental settings by adding a path statement for the directory that the .dll is in.

TooKoolKris
MCSE+I, CCNA, A+
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7051783
Are you saying that you have been able to get fport to produce results on XP?  I can run the app but it does not enumerate ports and services.  I have repro'd this on multiple systems.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 7051810
No, I'm just stating that the program requires this .dll in order to function. I haven't tested it on XP. On W2K that .dll is in the system folder so you don't have to do anything. On NT4 it's in a different folder so it may be that way for XP as well. Does a file search for that .dll file turn up anything in XP? We don't run XP at work yet because most of our company software hasn't been upgraded to support it yet. We're mostly a W2K shop.

TooKoolKris
MCSE+I, CCNA, A+
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7051822
I have the .dll, and it doesn't work.  Neither does Vision.  
0
 
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 7051841
Oh well then, at any rate it's a harmless system file communicating within the IP stack.

TooKoolKris
MCSE+I, CCNA, A+
0
 

Expert Comment

by:TC_Tomcat
ID: 7317289
Firstly, I just tried the fport program on XP in a random directory and it does work...

Secondly, being that I have just gone through this same scenario with this file and warning, I have a concern about your answer. You did not ask if there was also communication from an external IP. This would be important as it would signal that it obviously is not merely internal network communication.

The reason I am replying is because there very well could be more to it.

Use this site as a reference
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

This gives you a listing of some ports that are commonly used for trojan activity. The port listed on my attempted communication is 65432. You can see there is a trojan that is affiliated with that port. While it does not signify that I surely have a trojan which has infected my computer...nonetheless it is a possibility.

I still have not been able to find why someone is trying to communicate to that port and sys file as I used a trojan cleaning program and it did not find anything. Perhaps another program installed it and it is affiliated with that program I am not sure.

Hope this helps
0
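The two diagnostic steps suggested in this thread, mapping each connection to the process that owns it (TooKoolKris's fport suggestion) and checking whether the remote end is local, on the LAN, or an external address on a port worth a second look (TC_Tomcat's point about port 65432), can be done today from the output of `netstat -ano`. The script below is an added example written for this page, not code from the thread or from Sygate/fport. It assumes the `netstat -ano` column layout; the sample output, PIDs and addresses are constructed, and `203.0.113.7` is a documentation address standing in for an external host.

```python
"""Map netstat -ano connections to PIDs and classify the remote endpoint.

Added example for this thread (not the thread's or any vendor's code).
Assumes the Windows `netstat -ano` column layout; sample data is constructed.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -ano` output; PIDs and addresses are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1234
  TCP    192.168.1.10:1031      192.168.1.1:53         ESTABLISHED     1400
  TCP    192.168.1.10:1050      203.0.113.7:65432      SYN_SENT        1777
  UDP    0.0.0.0:4500           *:*                                    1400
"""

# Ports the thread singles out as worth a second look (65432 from TC_Tomcat's post).
WATCH_PORTS = {65432}

# RFC 1918 and link-local ranges, checked explicitly rather than through
# ipaddress.is_private so that documentation ranges such as 203.0.113.0/24
# (used above as a stand-in for an external host) classify as "external".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# proto, local endpoint, foreign endpoint, optional state (TCP only), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' (IPv6 in brackets, '*:*' for unbound) into parts."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def classify_remote(host: str) -> str:
    """Loopback traffic is the harmless case described in the accepted answer;
    'external' is the case TC_Tomcat says should be checked."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "external"


def parse_netstat(text: str) -> List[Dict]:
    """Turn netstat -ano text into records with owning PID and remote class."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unrecognised line
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        conns.append({
            "proto": proto, "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "remote_class": classify_remote(rhost),
            "state": state or "", "pid": int(pid),
            "flagged": lport in WATCH_PORTS or rport in WATCH_PORTS,
        })
    return conns


def report(conns: List[Dict]) -> List[str]:
    """One line per connection that leaves the machine or hits a watched port."""
    lines = []
    for c in conns:
        if c["remote_class"] == "external" or c["flagged"]:
            lines.append(f"PID {c['pid']}: {c['proto']} {c['local_host']}:{c['local_port']} -> "
                         f"{c['remote_host']}:{c['remote_port']} [{c['remote_class']}]"
                         + (" WATCHED PORT" if c["flagged"] else ""))
    return lines


def live_netstat() -> str:
    """Run netstat -ano on a Windows host; map the PID column with Task Manager."""
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for line in report(parse_netstat(SAMPLE_NETSTAT)):
        print(line)
```

Feed `live_netstat()` into `parse_netstat` on the host in question; the PID in each record is what to look up in Task Manager (or `tasklist`) to answer the original "what application is using it" question. A loopback remote address is the benign case the accepted answer describes; an external remote address, especially on a watched port, is the case TC_Tomcat recommends investigating.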
 

Expert Comment

by:bastion
ID: 8007252
Yes, I also have Sygate which I like very much. Yeah, I have the same popup that says the same thing, BUT when I look up the traffic log it is connecting to my ISP's DNS server. Plus I just formatted and installed the firewall right after my hardware drivers (no viruses on the machine at this time) and it shows up on every format so I really believe WE have nothing to worry about.
0
 
LVL 3

Expert Comment

by:cduke250
ID: 8193018
I think this is the answer to your original question...

The following applications may need to be set to allow within the running applications list: "mpsrv", "kernel32", "ntoskrnl", "svchost", "NetBeui", and possibly "tcpsvcs", "nwlnkipx.sys", "ndisuio.sys" and "ssdpsrv". These settings will need to be applied to all systems running SPF that require F&P sharing.


On all of the systems you have running Sygate, you will need to change your settings to allow this file.
Go to the Applications tab and allow

ndisuio.sys          <----- bingo!



You will all find http://www.whitehat-security.com/SPF.htm very helpful. =) hope that helps
0
 

Expert Comment

by:SpideyMod
ID: 8279138
Force Accepted

SpideyMod
Community Support Moderator @Experts Exchange
0
 

Expert Comment

by:alka1ine
ID: 9496053
I know this is an old topic but that might not be the problem either...  My ndisuio.sys was constantly downloading 2-4k and after time it adds up to a lot.  That's 56k speed downloading all day, every day!  I also did a clean install but that was after I was using the cable modem without a decent firewall like Sygate so something must have gotten in and screwed up my ip status from "secure" to "come on all you hackers, let's have some fun".  I had to go into safe mode and rename the file and now it doesn't download all day.  I still get numerous ping attacks and minor things that the firewall blocks which I assume is all related to my ip getting passed around because it was vulnerable.  I still get pinging from all around the world but now I guess the ndisuio.sys file isn't accessible to intruders anymore....not sure if I'll need it one day either.
0
 

Expert Comment

by:pataphysician
ID: 9842086
Just in case anyone is still watching this:

http://www.iceteks.com/forums/index.php?s=0c61cc87365c1408753b008c8ca04d4c&showtopic=1290&view=findpost&p=14302

I've been looking for an answer for this for ages. Disabling the wireless configuration service stops all of this excess traffic. Doesn't really explain why it was happening in the first place, but at least we know how to kill it now.
0