Sonobe Lab. > > > Lc| Japanese|Ger|Fre|Spa|Por|Ita
** Sonobe Lab for 22nd C!**
How to shut out worms like MSBLAST by blocking ports How to shut out worms like MSBLAST by blocking ports  
* This page is made by "machine translation" program from Japanese to English.





A worm steals in from a port.

They are Windows 2000 and Windows XP all over August, 2003 and the world. The things where a computer repeated shutdown of a system freely occurred.

What was then raged is "MS blast." (MSBALST, a %(%`%(%9 blast, Love Sun, Lovsan, Lovesan, Blaster, Blaster, Poza) $d,
The derivation kind of "Welchia" (Welchia, Sachi, Satie, Welchi, a Welch, Nazi, Nachi, Nachi-A, Nachi.A, the MS blast D, MSBLAST.D, Lovsan.D)
In addition to this (MS blast .B, MSBLAST.B, Blaster.B, Blaster.B, Poza.C, Lovsan.c, Lovesan, Blaster.C, Blaster.C, Blaster-B, Poza.B, MSBLAST.E, BlasterE, Blaster.E, Blaster-E, MSBLAST.F, BlasterF, Blaster.F, Blaster-F) It came out and carried out.

These are not infected by . mail which invades into a computer from the port (entrance) of No. 135 freely, seizes on, the weak point MS, i.e., fault, 03-026 of Windows, and does mischief.
These are classified into a worm type program. (Bad program . of Tati who does self-multiplication not trying to regard the significance of a basis as a worm (worm) .)

Furthermore, another weak point MS 03-039 of Windows "a code is executed by buffer overrun of RPCSS service (824146)" became clear on September 11.
Therefore, it invades from somewhere in ports of 135, 137, 138, 139, 445, and 593.
Sasser (it Worm(s) Sasser, WORM_SASSER.A, WORM_SASSER.B, and W32.Sasser. --) W32.Sasser.B.Worm, W32-/Sasser.worm, and W32-/Sasser.worm.b -- the brittleness of Windows -- "MS 04-011" is abused and it says from TCP port 445

%]!<%H,port

Port (port) $H$O -- it is like the "haven" which a "ship" called the packet which comes to the "state" of your computer from network "sea" frequents
Packet (packet) It is the module of the data which flow the $O Internet.
A port is 0, 1, and 2 as a function of operating system, such as Windows. It is managed for -- and the integer 65535.
A port is also in your computer also as one set.

each port is opened -- $F$$ (open) -- it is in one of those closed (close) conditions
From the port of a serial number where the transmission side computer was decided, various network serviceses, such as HTTP and FTP, send a packet to the port of a serial number where the reception side computer was decided, and are communicating.
a packet is sent from the computer of the assailant whose worm is also a transmitting agency, and a victim's computer which was infected and was made a steppingstone -- if it can do . transshipment -- a packet -- " -- riding -- " -- it comes and badness is committed using the function and weak point inside a computer
If the receiving port has closed, transshipment will fail [ a refusal response ] in a transmitting agency on the contrary.



A port is intercepted.

Then, although it is required as countermeasures, such as a worm like MS blast, to correct an internal weak point (fault), of course, the technique of intercepting the packet passing through the port which you are not using on the way is also effective.

that is, . (the below-mentioned stealth condition) which can be prevented from answering for every port even if it provides the filter which intercepts a packet between a network and a computer (block), a packet comes and it requires transshipment -- since it is visible to the condition same with not existing in this case, it is optimum for fending off the repeated attack of a malicious program

. which is also in that which enables a bad program to open other ports from inside by oneself, and for him to communicate outside from inside, or to communicate from outside once a worm invades into a computer from some port -- if it becomes like this, the kitchen also tends to carry out transfer of a file also by the monitor of an operation

Also about the transmission to an outer network from the program inside a computer, if it intercepts for every port, the transmission which is not meant can be stopped.

Of course, if a port is all intercepted, does normal communication also become impossible entirely?
Then, it is that you yourself set up the conditions extracted to the minimum "you may transmit/receive from the port of what No. from an application program called what in the port of what No.", and security is planned.
%]!<%H,port

Let's see the advantage of this technique, and application. :
(1) Port scan (Scan with attack .scan which finds out one after another which port is vacant, attaches it to a weak point, and is said) It does not $b

(2) A sounding is applied one after another using communication of whether if worms, such as Welchia which is all over the world, made the address from the random number, the computer by which it is moving was hit, and agreement called ICMP (ping command).
It is coming by no less than 100 times of frequency also here now in 1 hour.
If you are intercepting the port, it will be convinced that a computer is not in this address also of such a worm, and it will be given up.

(3) Otherwise, it is Trojan horse. (An assailant's server is the program into which a victim's computer was made to invade, and it is the Aya vine thing) Key logger (Program which is made to transmit freely and reads the operations of a victim including a password) Intelligence agent wear (Program which is made to transmit personal information and a file freely and is stolen) There are etc. and Tati's bad program.
But activities can be stopped, if the port of the transmitting service cannot be accessed even when it is going to transmit to an external computer secretly from the computer by which these invaded.

(4) The technique of intercepting a port is an advantage with the ability of a port to, also prevent [ big ] most of the worm and intelligence agent wear of the new species which has not appeared yet by the way.

(5) Furthermore, even when applying fault correction of a system fails in some reasons, it is taking the measures against a worm by this way first of all, and changes into a safe condition. :

  • The fault MS 03-026 of Windows which MS blast aims at corrects you. (Patch) As the method of $1 "it service-packs to your Windows. (Accumulation file .SP of correction of a curb system) Didn't it become an error that it could not do since $N2? No. has not started yet"?

    In the case of Windows 2000, unless two or more SP has started, correction of MS 03-039 is not applied for correction of MS 03-026 , either. = Refer to each page.
    First of all, unless two or more SP has also started that it will apply by the Windows Update function, these faults do not appear in a selection list.

  • "DCOM (Distributed component object model) Since it was not infected when carrying out $NL58z2=, although the information of Microsoft Corp. of becoming an evasion measure" was read, it carried out it and it was regarded as like, since "It could not cancel in Windows 2000 unless it has already applied three or more service packs SP" etc. was written, wasn't it amazed?

  • if it is it -- $H -- when having installed the service pack, didn't you become a renewal error and didn't installation go wrong?

    [Japanese]
    Service pack 4 Setup error
    The error occurred in renewal of a system.

    [English]
    Service pack 4 setup error
    rred. Select "OK" of An error updating your system has occu

    Copy & paste (stick) became impossible not to be infected with a worm after it.
    Even if it carried out operation of cutting circuit transshipment, it stopped going out.
    If the Office merchandise of Microsoft is started

    "It is necessary to install application for executing.
    Please set up from the place which installed this application first."

    It became the error to say, and it was useless even if just like that.
    MO (Magneto-optical disc) Eye $,FI became that there is nothing.
    Has not the phenomenon to say come out?

  • It is infected with a worm on the way, a reboot is repeated, and a service pack and fault correction are no longer applied.


Probably, it will be good to perform management which does not rub at such time but intercepts a port in a hurry.
If it $=, the rest is that which falls and attaches and it has in a network and which can drop off, and will be able to download correction also again almost slowly.

* Danger of a service pack *

Please judge carefully the accident to which Windows will not start and a personal computer will become useless if the service pack of what and Windows 2000 is carried out about . you risk by which those who are also twice experienced with SP3 and SP4 are broken.

-> PC of my * home, death (Nakatsuma Shigehiro Mr. =All About Japan security guide)


. which has the example of having succeeded without knowing why when carried out from CD-ROM although the renewal error took place even if it carried out the practicing of a service pack twice by the download from a network -- that case -- above Office -- it does not move The phenomenon without a circuit piece which cannot be copied & pasted in which there is no eye MO FI has been solved to why or one effort.

(6) . details which many those who cannot be restored from MS blast infection also require are in the article, although it is unknown.
"Since even the computer which had applied the patch correctly was not protected by the firewall, the case which encountered the damage of Blaster also has it, and it has applied the ring to anarchy."
It is.

(7) . which I consider as it is safer to continue the management which intercepts a port all the time in order to prepare for a strange worm etc., even after correcting material faults, such as MS 03-026 and MS 03-039


Recommended procedure

Then, the procedure to recommend is as follows. :


Sonobe-Laboratory recommended procedure

The infected worm is exterminated with an extermination tool.

* The example of an extermination tool : -> Symantec (portion of a voluntary extermination tool)

=> (Carrying out like the procedure of this article) A port is intercepted.
((Now, infecting with MS blast and Welchia) Although a computer is connected with a network, it has stopped)

=> last-known service pack is applied.
(For example, if it is Windows 2000, now, he can buy last-known SP's4 CD-ROM with 1,000 yen online merchandising from Microsoft Corp. (eye user's registration 4^ time and effort of less than 1 hour), and it will be mailed in about two weeks.)
-> Details (Microsoft Corp. Windows 2000 SP4)
. with the merit in which it can install without tying to a network and a renewal error cannot take place easily, either, if it is this


Fault correction of => MS 03-026 , MS 03-039 , etc. is made.
If the "Windows Update" function uses by your computer and a fault to correct will be chosen and executed by the check box, it can do more simply.





A fire wall intercepts port access.

With this article SPF I introduce the method of intercepting the port which is not used by installing the software to say in its own computer.

It is Personal Firewall (personal fire wall) of Sygate (Sygate) which it abbreviated to SPF here and was written. (Sygate Personal Firewall, SPF) If . literal translation of is done, it will be "a personal fire wall."

Since Windows XP and Windows 2003 build in the "Internet fire wall function", it can also be used without using SPF.
-> procedure details which verify the fire wall function of WindowsXP (ITmedia) (Microsoft Corp.)

In addition, in the software of a fire wall, it is also everything but SPF.

  • The Norton personal firewall of Symantec (Symantec Norton Personal Firewall)

  • Company Norton Internet security of an antivirotic function and one (Symantec Norton Internet Security)

  • The virus buster of Trend Micro (Trend Micro Virus Baster, PC-cillin)
    $N -- like -- advanced -- a charged thing

  • Zone of a zone lab company Alarm (Zone Alarm )
    $N -- like -- simple -- a freebie

etc. -- it is variously

It is that the . feature the fire wall apparatus of hardware is also characteristic does not not much have the reaction of a communication performance or the performance on a computer, and that a fire wall cannot be easily broken by the malicious program.
Probably, cautions will be required since I hear that it does not work unless there is also a merchandise with which the fire wall function is a setup which is not fully committed at the time of a factory shipment and it reads and sets up a covering letter, although there are some which carried the fire wall function with the router.

Although SPF, of course, also has a weak point on account of software, freight free (in the case of non-business utilization) is charm.
.OS with convenient it being easy to use also for an unskilled operator, and a blockage and an allowance being finely specified as an old hand Windows 95 besides Windows 2000 Professional, Windows XP Professional, and Home Edition (OSR2 & OSR2.5), 98, 98SE, Me, NT4.0 (SP4 or subsequent ones), NT 4.0 Terminal Server (SP4.0 or subsequent ones), Windows 2000 Server, Advanced Server, and Data Center are also supported.

[Attention] When a plurality of network pro %H%3%m%k drivers are installed in the computer, it is explained by the Readme file that SPF may be conspicuous and may do the reaction of a performance depression.

It is a line-speed observation site after an induction ( speed.rbbtoday.com etc.), and the direction which line speed worries is (1). The case where SPF is ordinarily used, and (2) Closure ("File" => "Exit Firewall") It comes out with the case where it carries out. effective transmission speed probably, it will be good to scale . -- Norton once The fire wall function of Internet Security (NIS)2002 the sharp transmission-speed depression of 2.5Mbps(es) in 4Mbps(es), 1.2Mbps->0.4 - 0.8Mbps, or 8Mbps(es) by the Windows Me user The crab in which also has those how many indication and the communication of a fire wall generally is not late according to conditions of having caused is . (in addition, this question) which will need to be warned. In cancellation of the fire wall function of NIS, although not repaired, it has improved by uninstallation (article No.579), and the information (article No.570) that it had improved by re-installation of Internet Explorer appeared.

[Attention] I found a problem that the amount of the used RAM memory increases more and more while SPF is running.
It is peevish without "structure" of this point and SPF being good.
the amount of the memory used of SPF -- Windows 2000, XP, etc. -- Shift-Ctrl-Esc -- pushing -- task if a manager is opened -- Smc.exe of the process column -- that is, (it will come out, if there is no column and it will choose by selection (S) of a (Display V) => row), it is visible
That whose amount of . real memory (RAM) used to which the virtual-memory size which was about 12 MBs at first may have swollen also to 380 MBs was also about 6 MBs at first was set also to 64 MBs.
. task which touch that a dispensation velocity depression is [ loading of real memory ] conspicuous in a totality by 256 MBs or less of computer will carry out if it increases like this When it observes by the manager, it is always a page fault for 76 pages / 3 seconds. (Read the portion which was not in real memory from a disk) It $,H/@8 and it is in sight that the amount of the virtual memory used increases at the rate of about 2.8 MB/H in monotone.

SPF free download

As a matter of fact, recovery of memory will take time, when other applications tend to move again if compelled, since SPF always continues taking real memory from other processes. As long as 10 seconds, as for retention of a text etc. being 0. how many seconds usually, it may be heavy to access a disk and to finish only enough etc., and it may be surprised. .
In such a case, if SPF is rebooted as follows, since real memory is released, it will be repaired. : (although a Windows reboot is also repaired, of course)

Starting of circuit severance (attack prevention sake) =>SPF of closure ( following procedure ) =>SPF (the following procedure )

it obtains and - $` and it are troublesome ....

Hereafter, I explain the method of the blockage using SPF of a port.

Even if he understands well neither English nor a network term nor the term of Windows, I want to explain this article carefully also including an example so that a setup of SPF can be performed simply.

[a notice] -- this article is written based on experience performed on Windows 2000 based on SPF 5.1, 5.5 -- since it. mistakes or a Sonobe Laboratory does not take any liability about damage, I ask you to become accuracy in person

1. Install SPF.

(1) The case in the condition that your computer can be infected with MS blast, Welchia, etc. has risk of being infected also with the time (it being grade for 20 minutes - for 70 minutes in 56 or less Kbps of line speed) connected with the network for download.

Probably, it will be safer to download a spf.exe file in the procedure from the following term, to copy to a memory medium by computer [ finishing / the countermeasure of the computer, company, or friend with whom those worms, such as Windows 95, 98, and Me, are not infected / if you want to also prevent it ], and to execute by its own computer.

.MO which is not simply settled in one ordinary floppy disk since there are about 6 MBs (Magneto-optical disc) Probably, it will be OK if it is a $d flash memory.

(2) It connects with the site of Sygate and SPF is downloaded.

First, a lower link is clicked and a page is displayed.


( U.S. Sygate .... . which flies to the above-mentioned page also by "DOWNLOAD & BUY" of the left menu here)
(3) since the page of download and purchase is displayed -- " Sygate Personal Firewall " -- " Free Download " (free download) -- : to click

SPF free download

Since it is thought that the server of Sygate has stopped when the error of a transshipment time-out etc. takes place and is not displayed, even if it clicks, I feel that it has stopped in . U.S. time which sets time and does it again by maintenance in the night on Sunday.
(4) "Download Now" as which the download page of SPF is displayed is clicked.

SPF download by CNET

If it goes to the next screen, when . which specifies suitably the place which downloads spf.exe and clicks O.K. will also have stopped by carrying out, "here" of "click here" of a screen is clicked. :

SPF download by CNET

(5) Although it is next installation since download finished, please wait just for a moment.
Let me surely finish other applications before installation. Please give.

Especially Computer virus countermeasure software, other fire wall software, packet capture software, etc. $O -- please let me end without forgetting by any means
Otherwise, transmission and reception completely become impossible. Since the danger of suiting a fault [ like ] will seemingly be high .... Related information (Mr. SalB)

(If the closure method has "a closure (exit)" in the menu which measure right-clicks on an icon with each software, and comes out, it will carry out the left click of it)

  • (according to Readme) If changing into the condition of having started other personal fire walls of SPF to one computer, and having started more than one to it opts for the induction of .SPF which is not recommended, let's uninstall fire wall software, such as other ZoneAlarm(s), after taking the action of saving a setup and the copy of a log besides the original place, when it set up so that it might not start, or it could do.

  • The above-mentioned Internet par [ to Windows XP, 2003 Server, etc. ] and attached to them Also about a fire wall function, supposing it introduces SPF, the direction which avoided combined use by making it a cancellation will think that it is good because of fault evasion. (Although uninstallation of the Internet fire wall function will not be able to be performed, it OKs) .

  • It is pursuing combined use, although this article's does not describe since it is said that it is very safe and preferable using together custody by the router and custody by such fire wall (software's) when it has a router (apparatus).


(6) The spf.exe file copied to download or the medium is double-clicked and executed.
Then, installation of SPF starts.
The rest follows the indication of a screen.

If the reboot of Windows is directed, it will save, if there is a file under work by other programs, and Windows will be rebooted.

(7) The middle, . name and the e-mail address out of which the screen of user's registration (Registration) comes are written without using the kanji, and it pushes "registering immediately now (Register Now)."
for the time being -- "registering later (Register Later)" -- even if -- OK . . which the direction of it does not become puzzling and is recommendation (. which chooses :"9g$$ which SPF has heard at its own discretion after a setup all finishes, connects a circuit, and inputs and registers a user name and a mail address (Register Now))

SPF%f!<%6EPO?2hLL




2. Starting of SPF, and Method of Closure

* The starting method of SPF

"Start" =>"program" => "Sygate Personal Firewall" => "Sygate Personal Firewall"

The window of a main screen is also opened.

It is the icon of SPF to a task tray. SPF icon It comes out.

* How to erase the window of SPF

the window upper right -- " !_ window close " button is clicked.

or

"File" => "Close" is clicked on the main screen of SPF.

This also resides in memory permanently and SPF is executing the surveillance, the blockage, etc. of a port for it.

* How to take out the window of SPF

(1) When SPF is executed,

It is the icon of SPF to a task tray. SPF icon since it is -- its right-click => "Sygate Personal Firewall" -- a left click

(2) When SPF is not executed, perform the above-mentioned starting procedure.

* The closure method of SPF

The icon of SPF of a task tray SPF icon right-click => "Sygate Personal Firewall" -- a left click

or

"File" => "Exit Firewall" is clicked on the main screen of SPF.

* The forced-termination method of SPF

If OSs are Windows NT, 2000, XP, 2003, etc. when it cannot end by the method [ ordinarily ], it can be made to force by the following method to terminate. :

the process tab of the task manager which pushes Shift-Contol-Esc simultaneously and of which => starting is done -- a click => image name -- Smc.exe -- a click -- the caution of a reversal => "the closure (E) of process" => task manager -- "-- yes, (Y)" is answered


* Supplement

If it carries out


(Although a security engine becomes a cancellation after terminating SPF, may I end truly?)

$H -- since he asks -- "-- yes, (Y)" is clicked

- Also when starting Windows, SPF is set up in the above-mentioned procedure so that it may start automatically.

- Even if it starts SPF

SPF%"%W%j%1!<%7%g%s%(%i!<

. which clicks cancellation (although a dialog disappears in fixed time and starting dispensation is finished even if it does not click), and is again started when $N2hLL can come out and cannot start -- if useless, . SPF which can offer re-installation of .SPF in which installation has probably failed is still uninstalled



3. Learn the Method of All Blockages and All Allowances.

SPF

"Start" =>"program" => "Sygate Personal Firewall" => "Sygate Personal Firewall"

If it comes out and starts, the following main screens will appear. :


Here, if Security is pointed at, the menu of the following three conditions will come out.

spf security

This significance,

  • The mode which intercepts all network transmission and reception by Block All(all blockages) =SPF

    .... It can use also for the emergency which should intercept transmission and reception immediately anyhow, such as being attacked by computer virus and the worm.
    There are also all blockage buttons in a tool bar.

  • The mode usually processed according to a setup of Normal(usually) =SPF

    .... There is no significance which introduced . usually made into this, otherwise, SPF.

  • It is the mode which it all lets pass as Allow All(all allowances) =SPF.

    .... If it is made all allowances when a setup of SPF cannot be used succeeding, it will become as the same as there is no SPF.
    Moreover, it is rejecting to Normal after . which it is made this, is "Logs" => "Traffic Log", and can know a port, when it does not understand in all the port, although some services seem to be intercepted by SPF and to move.

    If Allow All has really visible [ how ]-from the outside crab interest when not using SPF, the port of its own computer can be used for it also when diagnosing the condition.

    Like the time of the SPF program (Smc.exe) not moving, since the period set to Allow All does not have the effective blockage, let's notice it about computer virus or a worm.
    For example, by MS blast, Windows 2000 which has not taken the measures of Welchia, XP, and the 2003 Server machine, since there is risk of infection, let's carry out after correcting.


If this is known, it will be useful in case of emergency.



4. Carry Out Option Setup of SPF.

then, . which should carry out an option setup of SPF simply -- here is material selection of whether what we do with how to protect security

It is the main screen of SPF.

"Tools (tool)" => "Options (option)"

It clicks.

Features that are disabled hese are available in our award-winning and ICSA-certified Sygate Personal Firewall PRO.

("-- in Sygate personal fire wall PRO in which the function which can be used no longer here also won the prize, and ICSA certification has also received it, for continuing the Tel Me More button, please push the O.K. button seeing . detailed information that it gets used to utilization -- the advertisement .")

If $NLd9g$; comes out, a check will be put into "Remember my answer and and do not show this message again (a reply is memorized and it does not display from next time)", and "O.K." will be clicked.

And the following examples of a setting are set as a reference on all tab screens, and "O.K." is clicked.
probably, you may set up as the screen of each following example without, reading a fine setup which wrote to below first of all, if it is a house and is the case where LAN is not being used, either . -- it is unexpectedly easy

* General (across the board) tab :


- If it Enables it to Want to be Able to Take Out Screen with Click of Icon Easily to See Information Transmitted, Received and Attacked as Could See SPF Started by Icon at Any Time, Check Will be Put into Hide Sygate Personal Firewall System Tray Icon (System Tray Icon of SPF is Hidden).

- Since it is More Convenient, Put Check into Automatically Load Sygate Personal Firewall Service at Startup (SPF is Automatically Loaded at the Time of Windows Starting).

- Put Check into Block Network Neighborhood Traffic While Screensaver Mode (Transmission and Reception with Inside of "Network Computer" Said in Adjoining Network, I.e., Windows, at the Time of Screen Saver Mode are All Intercepted) (Check is not Put in when Allowing Others to Use, even if it is Sharing File and Printer by LAN and He is N%@J(ing)).
A help did not show whether access was becoming all blockages from the network besides a "network computer."

- : . Caution Which Does Not Put Check into it since it is not Used to Hide Notification Messages (Caution Pop-up Message is Hidden) Yet is [ : ] Inquiry Which Displays Significance "whether it is Comrades Measure although - Tends to Access -", and Asks "Yes" and "No"



- even if it Sounds in Beep before Notify (Bell Noise is Sounded before Sending Caution Pop-up Message) -- Noisiness -- $H -- if it Considers, it Will Set, without Putting in Check

- Although Check is Put into Password Protection (Password Custody) so that Others May Not Change Setup of SPF when it is Computer Which Others May Also Use, Don't Put in Check.
* Netwark Neighborhood (network computer) tab :


- In Network Interface (Network Interface), if LAN is Used in . Company Which Chooses Network Transshipment Name of Transshipment Recognized as a Network Computer, when He Will Not be Conscious of Especially "Network Computer" by LAN Etc. at . House Considered that What Is Necessary is Just to Choose Transshipment Name Currently Used for the LAN Transshipment, it is Thought that Anything May be Chosen.

- Restrict, when the Function is Being Used for Allowance) for Access to File of Network Computer and Printer from Its Computer by LAN, and Put in Check. [ Allow to Browse Network Neighborhood Files and Printer(S) (]

- Case Where the Function is Being Used by LAN for Allow Others to Share My Files and Printer (S) and (Carrying Out Access to One's File and Printer from Network Computer (it Sharing)) -- as long as -- Put in Check
* Security (secret) tab :


in this tab screen, it is gray and some functions which cannot be used since it is not the merchandise of a PRO version contain -- having -- $F$$ . -- those explanation is not given here

- Put Check into Enable Driver-level Protection (Custody in Driver Stage is Confirmed).
When are carried out like this and protocol drivers (Trojan horse etc.) access a network, it is caught perfectly.

- Enable DLL Authentication (Dynamic Link Library) (List of the function and data which DLL=Windows application uses) If you are not a person not much detailed to DLL of Windows for confirming $NG'>Z, I will think that it is good without putting in a check.
When a caution comes out, this is [ why ] good or is because it may be hard to attach discretion.
When a caution comes out, since it is O.K. since the thing originally connected or a it changed, or it has not changed, this DLL module is carried out in badness, or it will judge and it will correspond.
However, if it checks, since the detection capacity of an information leak increases rather than a Norton personal firewall (2002) (-> cause -- Mr. SalB), it will also be good [ the more detailed one ] for DLL to put in and employ a check.


- Although Check Cannot be Put into it if NetBIOS Protection (Network BIOS Custody) is Allowed Access from Other Computers by LAN of . Company Which is what All Intercepts Transmission and Reception from Computer out of "Subnet" Connected to the Same Gateway Computer as Its Own Computer, in the case of Computer of House, Usually Put in Check.
In AOL or Yahoo! BB, if it remains as it is right [ that ], and there is also a fearful talk are put in by the subnet with many large (? -- unidentified) users and that reading and writing of the file of other computers will be able to be performed and the check is put in here, it is safe.
* E-Mail Nortification (action of E-mail) tab :


- Put Check into Do Not Notify (it Does Not Notify).
When the action function was used and SPF judges that its own computer received the attack, the specified address is sent and told about an E-mail.
For example, what registers the e-mail address of a cellular phone can be performed so that it can know immediately that the computer of a company was attacked at a house or a destination.
Probably, it will be good to use this function, after getting used to SPF.
It is important to vacate an interval for fit, such as 15 etc. minutes, so that a lot may be notified not much for a short time and data may not be blocked.
* Log (log) tab :


If there is no schedule investigated by itself, it will be good with initial value. [ who specify the acquisition size of various kinds of logs and a retention time limit ] [ ., especially the one ]
When the large capacity of a traffic log was taken too much, time could not actually be easily used for a display, having started it, and it was moved by it.

- Don't Put Check into Capture Full Packet (All Packets are Caught).
* Updates (renewal) tab :


- If Automatically Check for New Versions (High Version is Checked Automatically) Wants to Know . Upgrade Which Does Not Put in Check a Little Early, it Puts in Check.

Although an option setup of SPF was finished above Please once terminate SPF and start. This is . which is because there is a fault with which the configuration file of SPF disappears to the timing of a Windows closure occasionally. -- Related information (Mr. SalB)

" !_ window close The program (Smc.exe) of SPF continues moving only by a window closing, even if it clicks" button. . In Order to Terminate SPF, Click "File(File)" => "Exit Firewall (SPF Program is Ended)."
the time of having asked whether I may end truly -- "-- yes, (Y)" is answered

In order to start SPF, "start" => "program" =>"Sygate Personal Firewall" => "Sygate Personal Firewall" is clicked.



5. Carry Out Blockage Setup per Application.

Here, let's all intercept transmission and reception per application about the following application programs.

- The used browser
(For example, Internet Explorer) .
(. which is intercepted, a question springs [ whether it is OK and ], and is explained later although it is natural)

- The browser which can be started even if it does not use usually (for example, even the Netscape group Internet Explorer)

(Probably, the following three pieces start from the beginning)

- "LSA Excutable and Serever DLL" (Export Version)

- "Task Scheduler Engine"

- "NT Kernel and System"


If this is carried out, all port transmission and reception will be intercepted, but since the conditions to which transmission and reception are permitted with the above-mentioned rule are specified exceptionally in the case of a browser, it can communicate.

(1) Although a Hide (it hides) check box is in the upper right of the front portion of a SPF main screen, the display of a part of application is made not to be hidden by turning OFF, while carrying out the following setup during execution.


The check of the upper check box is removed.

(2) If the program of relevance is started, it will appear in Running Application (under execution application) of the lower part of the main screen of SPF.

(3) A browser, above-mentioned LSA--, . that right-clicks and checks "Block (it intercepts)" by each icon of Task--, then an icon become the mark of DO NOT ENTER.
. which will come to ask [ which intercepts each time whenever there is communication / or or ] whether to carry out carriage if "Ask (it asks)" is checked -- it becomes a question mark at this time

It becomes that intercepting by this method is reasonable for the program (Apache etc.) to, for example, the web servers installed on their own computer, to make it access, and the thing considered to others, and quite safe.

In addition, since that is right, transmission and reception of the following application are made into the thing which need to allow and which is not intercepted. :

- "Services and Controller app"

- "Generic Host Process for Win32 Services"

- "EnterNet" (if it is)


(4) if it sets up -- the window of SPF -- " !_ window close " button or "File" A rule setup which may be closed by => "Close" and which it. Continues and is explained below can also be carried out.



6. Carry Out Rule Setup of SPF.

It is the main screen of SPF.

"Tools (tool)" => "Advanced Rules (application rule)"


. out of which the following screens will come if it clicks -- this is empty at first


We recommend you to all set up these seven rules (Add).

. correction added with the Add button is made with the Edit button, and the Remove button performs suppression.

If the Add button is clicked, the next screen will come out. :



The bottom box is sorry about being . English which is the thing which an interesting function explains by making into a text a setup carried out now.

In "application" tab described later, the program currently exactly executed at the time of a setup and the communication program which SPF has recognized in the past come out as alternative as follows, as it has come. :



Then, before performing Add, All the browsers used usually are started. .
There are Internet Explorer, Netscape, Opera, Mozilla, RealOne Player, and others in a browser.
Both will be started if a plurality of versions are used.

The rule will be added, if it sets up about the screen of each five tabs and "O.K." is finally clicked.

Hereafter, since I carry the example of a setting of each seven rule, let's set this as a reference.
You may not perform a setup at once.

(1)
* General (across the board) tab
- Rule Description (rule representation) :
" A transmission is permitted to all browsers. It is entered as ".
(. which will become easy if copy & attachment is carried out from this screen -- since the notation method of this representation column does not commit any kana-kanji conversions other than a user's freedom .IME, the Alt-kanji is pushed, the kanji is inputted and it rejects by the same key)
- Action (operation) :
" Allow this traffic (these transmission and reception are permitted) " -- it checks
- Apply Rule to Network Interface (rule application to a network interface) :
It is good without changing with "All network interface cards (all Network Interface Cards)."
- Apply this rule during Screensaver Mode (screen saver mode Nakamoto rule application) :
"Both on and off (a screen saver is the rule which also applies ON or OFF)" It is good without changing.
- Record this traffic in Packet Log (the traffic influenced by this rule is recorded on a packet log)
It is good without checking.

* Hosts (host) tab
It is good without changing with "All Addresses (all addresses)."

* Ports and Protocols (port and protocol) tab
- Protocol
" TCP " -- it chooses
- Remote Ports Number (partner point computer side port number)
" 21,70,80,81,443,1080,1081,1130,1180,8080,8081 " -- it enters
. which is carrying out . blockage, and will be added here if required when [ at which it was not able to access ] there is not necessarily a website using ports other than this -- probably, a check will be good to specify widely like 21-8081, although it becomes sweet, if it is troublesome
- Local Ports Number (one's side port number)
" 024-4999 " -- it enters
- Traffic Direction (the transceiver direction)
" Outgoing (transmission) " -- it chooses

* Scheduling (scheduling) tab
((Do not continue) Put a check into enable scheduling (scheduling is made possible)) It is good without changing.

* Applications (application) tab
. which puts a check into a browser by FileName (file name) -- for example Internet Explorer Since it will be displayed on starting SPF or the past on this tab screen by having been recognized such after starting Internet Explorer if it uses A check is put in. .
:Netscape, Opera, RealOne Player, etc. which similarly will be started and will be registered if the following browsers are used
What is necessary is just to perform Edit (correction) of a rule, after answering, once setting up O.K. and starting a browser later, if not displayed here since it can also add later.

O.K. is clicked and it progresses to the next rule addendum.

(2)
* General (across the board) tab
- Rule Description (rule representation) :
" Reception is permitted to all browsers. It is entered as ".
- Action (operation) :
" Allow this traffic (these transmission and reception are permitted) " -- it checks
- Apply Rule to Network Interface (rule application to a network interface) :
It is good without changing with "All network interface cards (all Network Interface Cards)."
- Apply this rule during Screensaver Mode (screen saver mode Nakamoto rule application) :
"Both on and off (a screen saver is the rule which also applies ON or OFF)" It is good without changing.
- Record this traffic in Packet Log (the traffic influenced by this rule is recorded on a packet log)
It is good without checking.

* Hosts (host) tab
It is good without changing with "All Addresses (all addresses)."

* Ports and Protocols (port and protocol) tab
- Protocol
" TCP " -- it chooses
- Remote Ports Number (partner point computer side port number)
" 20 " -- it enters
- Local Ports Number (one's side port number)
" 1024-4999 " -- it enters
- Traffic Direction (the transceiver direction)
" Incoming (reception) " -- it chooses

* Scheduling (scheduling) tab
((Do not continue) Put a check into enable scheduling (scheduling is made possible)) It is good without changing.

* Applications (application) tab
the above-mentioned rule ., i.e., --, similarly set up with (1 "a transmission is permitted to all browsers")

. which puts a check into a browser by FileName (file name) -- for example Internet Explorer Since it will be displayed on starting SPF or the past on this tab screen by having been recognized such after starting Internet Explorer if it uses A check is put in. .
:Netscape, Opera, RealOne Player, etc. which similarly will be started and will be registered if the following browsers are used
What is necessary is just to perform Edit (correction) of a rule, after answering, once setting up O.K. and starting a browser later, if not displayed here since it can also add later.

O.K. is clicked and it progresses to the next rule addendum.

(3)
* General (across the board) tab
- Rule Description (rule representation) :
" A FTP transmission is permitted. It is entered as ".
- Action (operation) :
" Allow this traffic (these transmission and reception are permitted) " -- it checks
- Apply Rule to Network Interface (rule application to a network interface) :
It is good without changing with "All network interface cards (all Network Interface Cards)."
- Apply this rule during Screensaver Mode (screen saver mode Nakamoto rule application) :
"Both on and off (a screen saver is the rule which also applies ON or OFF)" It is good without changing.
- Record this traffic in Packet Log (the traffic influenced by this rule is recorded on a packet log)
It is good without checking.

* Hosts (host) tab
It is good without changing with "All Addresses (all addresses)."

* Ports and Protocols (port and protocol) tab
- Protocol
" TCP " -- it chooses
- Remote Ports Number (partner point computer side port number)
" 21,1024-65535 " -- it enters
(. with many sites where a big port number called 44xxx is used when carrying out ftp reception, such as Mado-no-mori, which meets and which needs to be permitted to 65535 in this way since like)
- Local Ports Number (one's side port number)
" 1024-4999 " -- it enters
- Traffic Direction (the transceiver direction)
" Outgoing (transmission) " -- it chooses

* Scheduling (scheduling) tab
It is good without specifying.

* Applications (application) tab
The FTP program currently used for the file transmission to a maintenance and other computers of a web page at FileName (file name) FFFTP, CuteFTP, NextFTP, WS_FTP, FTP Explorer, WinFTP, SmartFTP, and FTP.COM, FTP.EXE, etc. It will be checked if it is.

Moreover, the browser program will also be checked if FTP may be uploaded by the browser.

O.K. is clicked and it progresses to the next rule addendum.

(4)
* General (across the board) tab
- Rule Description (rule representation) :
" FTP reception is permitted. It is entered as ".
- Action (operation) :
" Allow this traffic (these transmission and reception are permitted) " -- it checks
- Apply Rule to Network Interface (rule application to a network interface) :
It is good without changing with "All network interface cards (all Network Interface Cards)."
- Apply this rule during Screensaver Mode (screen saver mode Nakamoto rule application) :
"Both on and off (a screen saver is the rule which also applies ON or OFF)" It is good without changing.
- Record this traffic in Packet Log (the traffic influenced by this rule is recorded on a packet log)
It is good without checking.

* Hosts (host) tab
It is good without changing with "All Addresses (all addresses)."

* Ports and Protocols (port and protocol) tab
- Protocol
" TCP " -- it chooses
- Remote Ports Number (partner point computer side port number)
" 20 " -- it enters
- Local Ports Number (one's side port number)
" 1024-4999 " -- it enters
- Traffic Direction (the transceiver direction)
" Incoming (reception) " -- it chooses

* Scheduling (scheduling) tab
It is good without specifying.

* Applications (application) tab
The FTP program currently used for the file transmission to a maintenance and other computers of a web page at FileName (file name) FFFTP, CuteFTP, NextFTP, WS_FTP, FTP Explorer, WinFTP, SmartFTP, and FTP.COM, FTP.EXE, etc. It will be checked if it is.
moreover, . which puts a check into browsers since even a browser may use FTP -- for example Internet Explorer Since it will be displayed on starting SPF or the past on this tab screen by having been recognized such after starting Internet Explorer if it uses A check is put in. .
:Netscape, Opera, RealOne Player, etc. which similarly will be registered since a browser also uses ftp reception at the time of download if the browser is used
Since you can also add later, if not displayed here, once answer O.K.

O.K. is clicked and it progresses to the next rule addendum.

(5)
* General (across the board) tab
- Rule Description (rule representation) :
" LSA is intercepted. It is entered as ".
- Action (operation) :
" Block this traffic (these transmission and reception are intercepted) " -- it checks
- Apply Rule to Network Interface (rule application to a network interface) :
It is good without changing with "All network interface cards (all Network Interface Cards)."
- Apply this rule during Screensaver Mode (screen saver mode Nakamoto rule application) :
"Both on and off (a screen saver is the rule which also applies ON or OFF)" It is good without changing.
- Record this traffic in Packet Log (the traffic influenced by this rule is recorded on a packet log)
It is good without checking.

* Hosts (host) tab
It is good without changing with "All Addresses (all addresses)."

* Ports and Protocols (port and protocol) tab
- Protocol
" TCP " -- it chooses
- Remote Ports Number (partner point computer side port number)
It is made a blank.
- Local Ports Number (one's side port number)
It is made a blank.
- Traffic Direction (the transceiver direction)
" Incoming " -- it chooses

* Scheduling (scheduling) tab
It is good without specifying.

* Applications (application) tab
It must be in FileName (file name). "LSA Excutable and DLL" (Export version) Check

O.K. is clicked and it progresses to the next rule addendum.

(6)
* General (across the board) tab
- Rule Description (rule representation) :
" TCP port 1028 is intercepted. It is entered as ".
- Action (operation) :
" Block this traffic (these transmission and reception are intercepted) " -- it checks
- Apply Rule to Network Interface (rule application to a network interface) :
It is good without changing with "All network interface cards (all Network Interface Cards)."
- Apply this rule during Screensaver Mode (screen saver mode Nakamoto rule application) :
"Both on and off (a screen saver is the rule which also applies ON or OFF)" It is good without changing.
- Record this traffic in Packet Log (the traffic influenced by this rule is recorded on a packet log)
It is good without checking.

* Hosts (host) tab
It is good without changing with "All Addresses (all addresses)."

* Ports and Protocols (port and protocol) tab
- Protocol
" TCP " -- it chooses
- Remote Ports Number (partner point computer side port number)
It is made a blank.
- Local Ports Number (one's side port number)
" 1028 " -- it enters
- Traffic Direction (the transceiver direction)
" Both (both transmission and reception) " -- it chooses

* Scheduling (scheduling) tab
It is good without specifying.

* Applications (application) tab
Check needlessness

O.K. is clicked and it progresses to the next rule addendum.

(7)
* General (across the board) tab
- Rule Description (rule representation) :
" UDP port 135 Windows messenger is intercepted. It is entered as ".
- Action (operation) :
" Block this traffic (these transmission and reception are intercepted) " -- it checks
- Apply Rule to Network Interface (rule application to a network interface) :
It is good without changing with "All network interface cards (all Network Interface Cards)."
- Apply this rule during Screensaver Mode (screen saver mode Nakamoto rule application) :
"Both on and off (a screen saver is the rule which also applies ON or OFF)" It is good without changing.
- Record this traffic in Packet Log (the traffic influenced by this rule is recorded on a packet log)
It is good without checking.

* Hosts (host) tab
It is good without changing with "All Addresses (all addresses)."

* Ports and Protocols (port and protocol) tab
- Protocol
" UDP " -- it chooses
- Remote Ports Number (partner point computer side port number)
It is made a blank.
- Local Ports Number (one's computer side port number)
" 135 " -- it enters
- Traffic Direction (the transceiver direction)
" Incoming (reception) " -- it chooses

* Scheduling (scheduling) tab
It is good without specifying.

* Applications (application) tab
Check needlessness

O.K. is clicked and it ends.




7. If Caution Comes Out


(1) Pop-up of new application recognition

If it is made to run SPF and Windows is used, the following dialogs may sometimes come out in the center of a screen. :


(Application called QuickTime Player)
Website qtpix.apple.com [IP address 17.254.3.194]
$N port It is going to connect with No. 80.
Is this program connected with a network?

I hear that this tended to execute communication and the software of relevance is caught in the check of SPF.

If the conditions set as "Ask (it asks)" with the rule of SPF are matched, this inquiry will come out.

. which may be the bad pro GUM's having communicated with the exterior, and having made information flow out, or having just caught the moment of downloading the main part of a bad program when there was no memory -- you become it tense and answer "No"
When a permission may be granted, it carries out whether it carries out whether a check box is checked by whether you want me to ask after that, and "Yes" is answered.

Does the significance which put in SPF thin, if "Yes" is answered without considering anything?
Intelligence agent wear and Trojan horse will miss at the moment of leaking reservation outside.
Therefore, when it does not understand Don't answer "Yes" easily. Let's make "No" into the custom which answers.

Since it is also clear . that you receive reaction when required communication is intercepted even if it calls it .... Don't answer "No" easily, either. .

It is "wanting-, as for this application, to really carry out communication [ what ] by which request kana ?."

It is important to plot the head for a moment and to infer what is said.

Software is communicating not only at when you click a link but at the various times.
For example, they are a time of software, such as MediaPlayer, RealPlayer, QuickTime, Winamp, and AcobatReader, coming that it is also from a server about the newest information, a time of the advertisement included in the web page tying with the server, when virus countermeasure software downloads a virus definition file and %O!<%\%C%H (homepage robot which Sony has distributed) communicates with a server, etc.

please observe "No" carefully tensely in the phenomenon which happens immediately after answering . . which it will mean had attained the purpose if I hear that a bad program sinks into silence and it is -- that is not right and you do -- a way When the work which was being done has gone wrong, please make "Yes" answer and do the work again the . next time which will have apologized for and intercepted communication required for the work.
In this way, SPF gains experience together with you and becomes wiser and wiser.

the rule for every application accumulated in this dialog pushes and looks at the "Applications" button of a SPF main screen -- it can change

(2) Caution pop-up that the program changed

Such cautions may come out in the center of a screen.



(Since you used it at the end, the "program name" (here renewal client of automatic of Windows Update) has been changed.)
It will be generating if you update this program recently.
Details will be displayed if "Detail" is clicked.
Does it permit that this program accesses a network?

Since the icon displayed is not the icon of SPF but an icon of an applicable program, be careful not to have misunderstanding as the applicable program has said some.
This caution is the "checksum" of SPF. (check sum) It happens for a comparison function.
It is comparing whether it has changed, when the file of the application program transmitted and received was changed by computer virus etc., and $i$l$F also calculates the checksum which is the data which can calculate SPF uniquely from a program, it memorizes and there is a startup again.
It can detect, when it is many, although it is not perfect when somewhere in programs part change.

If you update the application, since the reason has clarified, "Yes" will be answered (substitution to a high version, application of a patch, etc.).
"No" will be answered if doubtful.

(3) Pop-up of having intercepted automatically

If it has set up with the General (across the board) tab of an option, the message of a purport with transmission and reception which SPF intercepts appears in the window of a light green color near the system tray, and does not need to put in . check as which it is displayed for several seconds.



(A blockage is operating to application.)
A file name is Apache.exe.



(The port scan attack is recorded)

fastidious -- having -- since . showing the condition of having just received the attack, however access are intercepted, they are safe for the time being

Opening which can intercept the attack which stemmed from an e-mail access, a chat, a web access, an advertising access, program installation, execution, etc., and started, thanks to SPF, and can see it by the pop-up caution is obtained.
When feeling the quote that it is likely to spread, it is vicious or changing to Block All (all blockages) immediately, and investigating each log and last-known computer virus information on SPF.

The icon of SPF which an attack is detected, and a color changes and glitters SPF icon It clicks and SPF is started.
Details are known if a security log and a traffic log are seen.

. which can be specified since the first dispatch yuan will come out to the lowest stage, if back trace (Back trace) is right-clicked and carried out in a differential row in a log -- if the "whois (who)" button is pushed there, that fellow will really [ "] be the computer which who [ what ] has managed -- there is what ?" understands




In the upper example, . back trace which is the example to which the worm of the name of Code Red has attacked in the port of TCP by the security log was carried out, and the sending agency was found.

. he is not necessarily the assailant who merely scattered the worm just because it was the dispatch yuan of malicious access . out of which the provider whom the assailant has only entered may have come -- it does not caution telephone again by . stepping out of the ring unintentionally which may be the computer of the victim in accordance with a worm -- like .

Possibly, when a caution comes out, the things where your computer is already captured, is made a "steppingstone" and is just going to deliver an indiscriminate attack of the others have not happened, either.

Also although it is called SPF, all future vicious programs cannot be prevented 100% now.
There are some fellows who poke the imperfection of your rule setup and work.
(For example, . via the Internet Explorer to which bad DLL trusts you which can carry out bad access when the check is not contained in SPF main screen =>"Tools(tool)" =>"Options(option)" =>"Security (secret) tab" => "Enable DLL authentication (certification of a dynamic link library is confirmed)")



8. E-mail Transmission and Reception

In the above setup, it may not be able to do by intercepting transmission and reception of e-mail.
Then, the mail for a test which is not troubled even if a transmission goes wrong is transmitted to its addressing to a mail address, and it receives.
. which will put in a check and will answer "yes" if the caution pop-up explained for the antecedent party comes out -- the communication allowance of related application is registered into SPF by this, and the e-mail transmission on and after next time comes to pass by it

. thank you for everything which can use SPF now by the preliminaries so far

Finally, a SPF program is started and a window is closed (above-mentioned starting of SPF, and the method of a closure ).



9. Test Effect of SPF.
(Those who do not put in SPF also need to diagnose)

I hear that mischief is not done only by offering communication even if diagnosis is called . attack delivered by delivering a false attack from a site which can trust it besides your computer.
In the case of the computer which is not using LAN at a house, either, it is the fire wall and proxy which were installed there in LAN, such as . which is the thing as which this is sufficient however CATV, and an enterprise. nud (proxy, %W%m%/%7!$6z) The relay computer which is installed for the purpose of security and increase in efficiency, serves as proxy of the computer host inside an organization, and communicates with the Internet The said composition may be taken between $,.
In this case, a false attack may be delivered on its "those who can have" fire wall / proxy, and a false attack may not arrive even to your computer.
Since it will not become a reasonable diagnosis if it does so, how to bend may be good.
If the network administrator of your organization will not be used, does an inquiry come to you?
It diagnoses as follows using a diagnostic site "a Shields rise". :

(1) shields Up A site is displayed. Click the 'Proceed' button.

(2) The middle of a page, "ShieldsUP!! The box of Services" (service) appears. :

shields up


Henceforth, if this button is pushed and diagnosed, it progresses to the next diagnosis with the button of the same box which comes out to that result.
. which a Shields rise is a famous diagnostic site and is not independently what does mischief -- the address of your computer is recognized and a message is sent
During diagnosis, SPF detects that there was an attack and records the phenomenon on a security log.
Moreover, the picture display which expresses under an attack to a task tray if specified by option setup of SPF shields up It carries out and a pop-up message is sent several seconds near the task tray.

shields up


(3) First, "File Sharing" (file sharing) is pushed.

shields up


Then, it will become a diagnostic screen and a result will gather in several seconds.
"Attempting connection to your computer ..." of Mull 1
(It is going to connect with your computer)

It seems that a $N message is good without caring, since he has no =P$C$Q even if diagnosis finishes.

Under it,
"(-) Your Internet port 139 does not appear to exist"!
(Your Internet port 139 seems not to exist from outside)

If it has come out, it will OK first.

Under it,
"(-) Unable to connect with NetBIOS to your computer."
(It is not connectable with your computer by network BIOS)

If it has come out and you will not have coped with success ., either, a caution will come out that it was connectable.

(4) Next, "Common Ports" (often used port) is clicked with the box of a lower button.

shields up


Then, it will become a diagnostic screen and a diagnostic result will come out in several seconds.

It is red as a general comment at the beginning. FAILED A (failure) and green PASSED One of the "stamps" of (success) is pushed with a pompon.

(Since success/failure is not the things for . worm which is a thing for you, it advises)
The table under it expresses the condition of each port.
It is red. Open It is open at $,=P$F$$$k and the time and risk of a worm inroad is just going to be.
It is blue. Closed It has closed at $N=P$F$$$k and the time, and first, although it is OK, since subsistence is in sight from the network, there is concern tried (involved).
MS blast Isn't No. 135 which a worm pokes open?
Green Stealth . which is not understood [ whether it is open by my hearing subsistence of a (stealth) not being visible to a network, and ] whether have closed or not -- it is success if all ports are this

(5) Next, "All service Ports" (all service ports) is clicked with the box of a lower button.

shields up


then, it will become a diagnostic screen, and will come out just for a moment for 1 minute, and the diagnostic result to a port 1055 will come out from a port 0
Red, blue, and green are the same significance as the above.
If it clicks, the representation of the port will come out.
If there is no red, it is safe once, but it will be success if all become green.

(6) Next, click the Messenger Spam button in the button box at the bottom of the page. (%a%C%;%s%8%c!< %9%Q%`)

shields up
Find a long button named "Messenger Spam" in the new screen.
it is (troublesome messenger cable) in the box of a lower button. Change some input boxes on the button to a adequate message (Japanese is also possible), and click a button.

messsenger spam button
(SPAM of what was written here is carried out to me)



This diagnosis should observe the signs besides . that a result is not notified on that screen.
If not intercepted by SPF, it is Windows like the following example. A messenger cable's (Windows Messenger) pop-up window comes out.

Messenger Spam


When it has come out, since the above-mentioned setup of SPF is not corrected, it is thought that the port 135 of UDP is vacant.
On the other hand, if intercepted by SPF, when [ which is success ] . blockage of is done, according to the above-mentioned option setup, the window of having intercepted near the task tray will become whether nothing is displayed or comes out for several seconds.

Since it is forecasted since it is communication of the type which disappears simply when there is an error in the middle of a network, and several copies are sent, if it does not appear in that it should come out by carrying out . which may come out repeatedly, please try once again.

there is a company which abuses this although not used in a messenger cable function, and sends advertising advertisement to it indiscriminately . -- it will become quiet now

yes and the above -- Shields . the diagnosis by rise is [ . ] finally -- it is pleasant if it succeeds
it is not surprised to forget that it was the false attack by itself when a log is seen later -- as -- pleasing .

<>

In addition, it is the main screen of .SPF which can also be diagnosed with "Sygate online service (SOS)."

"Tools" => "Test Your Firewall"

A click displays the page S.O.S. , by the browser.

then, if the "Scan Now" button is pushed, by mist [ this ] beam false attack, .SPF to which diagnosis is performed will recognize it as there having been a port scan attack, and will record . kept waiting before or after . 10 seconds per minute [ about ] -- : which will be a success if displayed as follows

sos ok!% Unable to determine your computer name! Unable to detect any running services!

(. which cannot detect service at all during . execution which your computer name does not understand)

In addition, each diagnosis of the menu on the left of a page (a stealth scan, the Trojan horse scan, a TCP scan, an UDP scan, ICMP) can be tried.

<>

Or [ not becoming precocious as soon as it compares and cooks a result in the time of not considering as the time of defending by SPF ]
Let's change into "Allow All (all allowances)" a security setup of the SPF main screen described above temporarily, and scale by carrying out the above-mentioned diagnosis.
However, it is because . short time which must not carry out such an allowance also has fear of infection when correction of material faults, such as MS blast, has not finished.

spf security

He does not forget to reject to "Normal" later.



10. If Some Programs Cannot be Transmitted and Received but it Becomes Error

(1) The option of above SPF and a setup of a rule are improved.

Readme has management in case "Enterasys Aurorean VPN", "DirectPC", and "Winpopup" do not move.

(2) If required, a rule is added, and qualification is loosened.

(3) If troubled, it will be made "Security(secret)" => "Allow All (all allowances)". [ of the main screen of SPF ] . which finds [ to which which application transmitted to a partner's port of what No. from the port of what No. by TCP/UDP/ICMP etc. by seeing Traffic Log (transceiver log) when it passed / or or ] . to see, then whether reception was carried out -- it It changes into the rule to allow and the mode is rejected by "Security(secret)" => "Normal (usually)."
For example, when it was going to download key information by software called SmartCert (Sm@rtCert) during SPF operation, after Sm@rtCert tended to communicate for 1 to 2 minutes, an error indication called circuit confusion and a host down was given.
It was useless, although the causality was believed and had been retried for 1 hour or more.
when it has recongnized suddenly and the traffic log of SPF was seen, it was the result of .SPF in which enrollment of having intercepted the time TCP access remained .SPF should learn it a part of circuit
. which made it all allowances reluctantly only at the time of download since a SPF setup which merely allows this since the application name of Sm@rtCert is empty was not able to be performed simply -- natural -- it passed readily
(4) as the information on other -- [FAQ] the network communication after installation -- it cannot do -- having become (Mr. SalB) -- it may be help

(5) and also it is in a Readme file about other trouble solution and limitations -- the support page (English) of Sygate -- a case can be read especially by the support forum (English), or a question can be asked

(6) In order to stop starting of SPF, the check of "Tools(tool)" =>"Options(option)" => "General (across the board)" tab [ of a main screen ] => "Automatically load Sygate Personal Firewall service at startup (SPF is automatically loaded at the time of Windows starting)" is removed.
And "File (file) . which clicks => "Exit Firewall (a SPF program is ended)"" !_ window close It does not end, although a window disappears with" button.



11. Re-Installation or Upgrade of SPF

The time of not moving well and the re-installation method when downloading the version with which SPF was upgraded from Sygate are as follows.

(1) The application (computer virus countermeasure software, other fire wall software, packet capture software, in addition to this) of SPF and others is terminated.

(2) If spf.exe is double-clicked and opened, re-installation will start.

(3) Soon

spf security

(Is . upgrade in which the old version of SPF was found continued?)

. which comes out -- although it is strange that this message comes also out of the same version, since it seems that it will come out if it comes to be uninstalled, "O.K." is answered

(4) To a degree

spf security
(Does it use continuing an old setup?)


$H -- since it comes out -- usually -- "-- yes, it is answered as (Y)"

No, if it is answered as (N), since a setup of an option, an application rule, and application etc. will disappear, it will become redo from $$$A.
(. which can be ready for the discommodity and can also try "no" when trying on re-installation however, since SPF causes an error)

(5) Re-installation finishes for a short time, and comes out with Maintenance Complete (the completion of maintenance). :

spf security

(6) In order to carry out an identification of operation readily, a check is put into "Launch Sygete Personal Firewall (SPF is started)."

(7) if it was upgrade, a check is put into "View Sygate Personal Filrewall ReadMe (please read first , is seen)"

(8) An installer will be ended if "Finish (completion)" is pushed.

(9) (to fault prevention sake) Probably, it will be good to once reboot Windows here.


(10) (a setup -- measure) . (setup -- measure) task tray by which SPF is started automatically -- the icon of SPF SPF icon Since it comes out, it checks.

(11) If the "Application (application)" button was pushed and the contents are contained, it will be O.K. first.

(12) Here, probably, an identification of operation may be carried out.

(13) started SPF -- " !_ window close " button is clicked and a window is closed.

* When it does not move well and is troubled, to re-install can also be attempted after uninstalling.
. to which I do not know whether it is that a setup already carried out and the log accumulated in the past will disappear if it uninstalls . which those files have in the folder in which you installed SPF -- it is usually ""C:\Program Files\Sygate\SPF\""



12. Uninstallation of SPF

The uninstallation method is as follows.

(1) SPF is terminated first (reference: starting of the above-mentioned SPF, and the method of a closure ).

(2) other programs -- please especially stop virus countermeasure software and a packet blockage program surely . -- the unexpected fault which is not as if may be suited

(3) After 2 minutes or more pass since SPF discontinuance, it progresses to a degree.

(4) "Start" =>"program" => "Sygate Personal Firewall" It will be uninstalled if => "Uninstall Sygate Personal Firewall" is clicked.

It is [FAQ] when not uninstallable. Perfect uninstallation (Mr. SalB) by manual operation is consulted.


[Trademark] Proper nouns, such as a merchandise name and a corporate name, may be the trademarks or registered marks of each company.

* A reference and related link
allowed to make it a reference -- I do . gratitude

* Talk of spam eaten in fact ( Miyazaki Toyohisa Mr. ton %G%b%$%s%?!<%M%C%H museum )
.... Pleasant origin-of-a-word . SPAM was a special hum from the first.

* Page explaining security: Personal Firewall Review (Mr. SalB)
.... The very detailed review article of "Sygate Personal Firewall 5.0 index" and the collection of PF rule introductory notes which can be used also for SPF are especially connected with this article.

* Fire wall ( Mr. All About Japan Internet security . guide Nakatsuma )
.... . volume article which is the precious link collection of a fire wall was also carried.

* Sygate Personal Firewall ( Sygate ) ( online help ) (English)

* Link collection for SE ( Mr. H&Y )
.... A diagnostic site and the link to a personal fire wall are abundant.

* Fire wall (recruit company key %^%s%: network system network foundation and review important E5)

* Get to know about a fire wall . ( Microsoft )

* Plague category ( PestPatrol and %"!<%/%s )
.... A worm is begun and about 60 kinds of network inaccurate programs are looked through.

* PORT NUMBERS (semantic sight of a port number ) ( The Internet Assigned Numbers Authority (English))

* Port number (semantic sight ) ( Mr. Koara )



 
- Copyright © sonobelab.com, Masayuki Sonobe 2003-2024.
- Updated 1382 days ago: 2020. 6.15 Mon 15:01
- Accesses to the Page since 2003.09.14 00,029,407
- Accesses to Sonobe's since 2002.07.01 05,091,153