Solved

Symantec Client Firewall blocks winlogon

Posted on 2004-08-20
Last Modified: 2013-11-16
Hi,

I have Symantec Client Firewall 5.1 running on Win XP SP2. It's coming up with the following threat warning:

winlogon.exe is attempting to access the Internet
At 18:58 on 19/08/04 the following communication was detected:
Application: \??\C:\WINDOWS\system32\winlogon.exe
Protocol: TCP (Outbound)
Remote Address: ncte.ie (169.254.95.115): ldap (389)
Local Address: Service port 1183
The application file could not be found. There is no autoconfiguration data for this application. This application does not have a digital signature or the digital signature is invalid.

I am concerned about this because I was not at the machine at the time referenced and I do not recognise the IP (although ncte.ie is my domain).

I have 3 copies of winlogon.exe on my machine, one in C:\Windows\system32 and 2 in the following folders:
C:\WINDOWS\$NtServicePackUninstall$\
C:\WINDOWS\ServicePackFiles\i386\

Each is around 502 KB.

The firewall has mostly the default settings.

I'd appreciate any help. Thanks.

Question by: sdower

4 Comments
 
Expert Comment by: shard26 (ID: 11851826)
169.254.x.x addresses are fake IP addresses that Microsoft boxes use when they can't get an IP through DHCP.

Go to this guy's computer and from a command line type

ipconfig /all

then copy the output here.

Expert Comment by: mordred607 (ID: 11852593)

Is this a multi-homed machine (Does it have more than one NIC?) You will get this error if you have a second NIC that is not hooked up; you might want to disable it.

Author Comment by: sdower (ID: 11852904)

The machine is a notebook connected to a port replicator, so it has several NICs.

Here is the output of the ipconfig command:
Windows IP Configuration

        Host Name . . . . . . . . . . . . : SEAN
        Primary Dns Suffix  . . . . . . . : ncte.ie
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ncte.ie
                                            ncte.ie

Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Et
Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-08-74-3E-99-88

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell TrueMobile 1150 Series M
 Card
        Physical Address. . . . . . . . . : 00-02-2D-BA-87-6B

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : ncte.ie
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Et
Controller (3C905C-TX Compatible) #2
        Physical Address. . . . . . . . . : 00-B0-D0-10-54-78
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.6
        DHCP Server . . . . . . . . . . . : 192.168.10.11
        DNS Servers . . . . . . . . . . . : 192.168.10.11
                                            169.254.254.203
        Primary WINS Server . . . . . . . : 192.168.10.11
        Lease Obtained. . . . . . . . . . : 19 August 2004 17:05:27
        Lease Expires . . . . . . . . . . : 27 August 2004 17:05:27


Accepted Solution by: mordred607 (ID: 11856600; earned 250 total points)

I'm not sure how you got a 169.254.254.203 address in your DNS server listing, but you might want to try this:

Remove the invalid entry (if there is one) from the DHCP settings (the 169.x.x.x DNS address)

or

Your laptop client is expecting a second DNS server (and auto-creates one thus the 169.x.x.x address). You may want to go to your server and change the DHCP settings to add another DNS server (either another internal DNS server if you have one or an outside DNS server (as secondary)).

or

Set the DNS on the laptop client to 'manual' rather than DHCP and list only 192.168.10.11
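A worked triage of the alert and of the ipconfig output posted above, added here as an illustration; it is not code from the thread's participants or from Symantec. It parses the `ipconfig /all` text (abridged from sdower's post, with the line that wrapped in the paste kept as it appears), flags every 169.254.0.0/16 address, which is the RFC 3927 link-local range Windows self-assigns when no DHCP lease is obtained (the "fake" addresses shard26 describes), lists adapters reporting "Media disconnected" (the unused NICs mordred607's first comment suggests disabling), and computes the wired adapter's DNS list with the stray link-local entry removed, which is the static list the accepted solution says to configure. It then relates the alert to that configuration: TCP/389 is LDAP, the remote address is link-local, and it is not the link-local DNS entry (169.254.95.115 versus 169.254.254.203). The `\??\` prefix in the alert is the NT object-manager spelling of the Win32 path. One caveat the thread does not spell out: on Windows XP the Group Policy client (userenv.dll) runs inside winlogon.exe, so LDAP from winlogon to a domain controller around logon is expected; the anomaly is an LDAP peer at a link-local address. The `ALERT` dictionary layout, the function names and the 16-space alignment threshold for continuation lines are this example's own assumptions.

```python
import ipaddress
import re

# Sample input, abridged from the `ipconfig /all` output sdower posted above (the
# "Controller" line wrapped when the output was pasted and is kept as it appears).
IPCONFIG_OUTPUT = """\
Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Et
Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-08-74-3E-99-88

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Et
Controller (3C905C-TX Compatible) #2
        IP Address. . . . . . . . . . . . : 192.168.10.105
        DHCP Server . . . . . . . . . . . : 192.168.10.11
        DNS Servers . . . . . . . . . . . : 192.168.10.11
                                            169.254.254.203
"""

# Fields of the Symantec Client Firewall alert quoted in the question (assumed layout).
ALERT = {"application": r"\??\C:\WINDOWS\system32\winlogon.exe",
         "protocol": "TCP", "remote_ip": "169.254.95.115", "remote_port": 389}

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 -]*?)[ .]*: ?(.*)$")  # "Name . . : value"


def as_ip(value):
    """Address object for value, or None when the value is not an IP address."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}. Lines aligned under the previous value are
    extra values (a second DNS server); unaligned stray lines are paste wraps, rejoined."""
    adapters, adapter, field = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0 and line.endswith(":"):            # adapter header
            adapter, field = line[:-1], None
            adapters[adapter] = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            field = match.group(1).strip()
            adapters[adapter].setdefault(field, []).append(match.group(2).strip())
        elif field is not None and indent >= 16:          # assumed value column
            adapters[adapter][field].append(line)
        elif field is not None:
            adapters[adapter][field][-1] += " " + line
    return adapters


def find_link_local(adapters):
    """Every 169.254.0.0/16 (RFC 3927 link-local, "APIPA") address in the config."""
    hits = []
    for adapter, fields in adapters.items():
        for field, values in fields.items():
            for value in values:
                ip = as_ip(value)
                if ip is not None and ip.is_link_local:
                    hits.append((adapter, field, str(ip)))
    return hits


def disconnected_adapters(adapters):
    """Adapters reporting no link: the unused NICs mordred607 suggests disabling."""
    return [name for name, fields in adapters.items()
            if fields.get("Media State") == ["Media disconnected"]]


def valid_dns_servers(adapters, adapter):
    """The adapter's DNS list without link-local entries: the static list to set."""
    return [s for s in adapters[adapter].get("DNS Servers", [])
            if as_ip(s) is not None and not as_ip(s).is_link_local]


def triage_alert(alert, adapters):
    """Relate the firewall alert to the parsed configuration; returns findings."""
    remote = ipaddress.ip_address(alert["remote_ip"])
    dns = sorted({as_ip(v) for f in adapters.values()
                  for v in f.get("DNS Servers", []) if as_ip(v) is not None})
    findings = []
    if alert["protocol"] == "TCP" and alert["remote_port"] == 389:
        findings.append("TCP/389 is LDAP, the port a domain member uses to query a domain controller")
    if remote.is_link_local:
        findings.append(f"{remote} is link-local: self-assigned, never issued by DHCP, not routed")
    if remote not in dns:
        findings.append(f"{remote} is not a configured DNS server ({', '.join(map(str, dns))})")
    return findings


if __name__ == "__main__":
    cfg = parse_ipconfig(IPCONFIG_OUTPUT)
    print(find_link_local(cfg), disconnected_adapters(cfg), *triage_alert(ALERT, cfg), sep="\n")
```

To use it on a real machine, save `ipconfig /all > ipconfig.txt` on the affected host and pass the file's contents to `parse_ipconfig`; `valid_dns_servers` then gives the list to enter if you take the accepted solution's third option and set DNS on the laptop manually.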