From: Susan on 19 Feb 2006 11:10

How do I interpret this Sygate Personal Firewall traffic log?

Daily, I see hundreds of blocked incoming requests from NDISUIO.SYS. After googling for the keywords, I'm *still* almost as confused as I was before. The googling showed that the incoming requests are from something called a wireless zero configuration (yes, I am using a wireless card on Windows XP). My basic home network has a NAT router and only one WinXP computer which is set up to be wireless.

What confuses me is the Sygate Personal Firewall blocked traffic log shows certain patterns, namely that these NDIS User Mode IO driver requests come from a variety of "Remote Host" IP addresses & a variety of "Remote Port" and "Local Port" addresses but always with the same "Remote MAC". I'm having trouble making any sense of this data.

A typical blocked traffic log line (out of hundreds daily) would be:

Action = Blocked (note it always reports blocked)
Severity = 10 (the severity is always the same)
Direction = Incoming (the direction is always the same)
Protocol = UDP (most are UDP but many are ICMP if that matters)
Remote Host = 196.206.235.196 (many different IP addresses are found)
Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote mac)
Remote Port = 63875 (other ports show eg 11, 5093, 1900, 53, 137, etc)
Local Host = 192.168.0.10 (only a few ip addresses show up here)
Local MAC = 00-0D-60-34-5A-23 (only this & FF-FF-FF-FF-FF-FF show up)
Local Port = 15744 (other ports show up eg 2049, 1032, 137, 138, etc)
Application Name = C:\WINDOWS\system32\DRIVERS\ndisuio.sys (always same)

Searching the registry I see NDIS Usermode I/O Protocol is found in HKLM\SYSTEM\ControlSet001\Services\Ndisuio (and others)

Based on my googling, this ndisuio.sys file seems it might be related to the Nortel Extranet Access Protocol, which reminded me that years ago a Nortel VPN program was installed, but there is no vestige of it in the Windows XP Add and Remove Programs or in the Program Files directory, so it must have been deleted long ago.

A reverse IP search of each of the suspect addresses doesn't tell me much.
http://ws.arin.net/whois/?queryinput=196.206.235.196 search
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096, Amsterdam, 1001EB, NL

What confuses me the most is that the googling says ndisuio.sys is for wireless and it should not be blocked, but I see no ill effects when I set my Sygate Personal Firewall to automatically block it. The Windows XP machine and the wireless networking seem to be working just fine even with all these requests blocked.

Can someone help me understand what the purpose of this driver is and how to stop it from making incoming requests hundreds of times a day?

Should I just delete the HKLM\SYSTEM\ControlSet001\Services\Ndisuio and related lines in the Windows registry?

Should I just delete the C:\WINDOWS\system32\DRIVERS\ndisuio.sys file?

I'd prefer to understand at least a little bit about what's going on before getting itchy fingers to delete the registry and file. Any ideas?
From: bumtracks on 19 Feb 2006 13:01

That remote MAC address is a Dlink product; who makes your router? Look at its MACs and see if one matches.

NDisuio, you might want to right click it and choose properties and see who wrote that file. Think you'll see it is a Microsoft file and installed date is probably the date you or the manufacturer loaded Windows.

You really should find yourself a Sygate forum.

"Susan" <miraweb(a)nihongo.org> wrote in message news:1i08n2w088rn7$.1ntr15vcvg8h4.dlg(a)40tude.net...
> How do I interpret this Sygate Personal Firewall traffic log?
>
> Daily, I see hundreds of blocked incoming requests from NDISUIO.SYS. After
> googling for the keywords, I'm *still* almost as confused as I was before.
> The googling showed that the incoming requests are from something called a
> wireless zero configuration (yes, I am using a wireless card on Windows
> XP). My basic home network has a NAT router and only one WinXP computer
> which is set up to be wireless.
>
> What confuses me is the Sygate Personal Firewall blocked traffic log shows
> certain patterns, namely that these NDIS User Mode IO driver requests come
> from a variety of "Remote Host" IP addresses & a variety of "Remote Port"
> and "Local Port" addresses but always with the same "Remote MAC". I'm
> having trouble making any sense of this data.
>
> A typical blocked traffic log line (out of hundreds daily) would be:
>
> Action = Blocked (note it always reports blocked)
> Severity = 10 (the severity is always the same)
> Direction = Incoming (the direction is always the same)
> Protocol = UDP (most are UDP but many are ICMP if that matters)
> Remote Host = 196.206.235.196 (many different IP addresses are found)
> Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote mac)
> Remote Port = 63875 (other ports show eg 11, 5093, 1900, 53, 137, etc)
> Local Host = 192.168.0.10 (only a few ip addresses show up here)
> Local MAC = 00-0D-60-34-5A-23 (only this & FF-FF-FF-FF-FF-FF show up)
> Local Port = 15744 (other ports show up eg 2049, 1032, 137, 138, etc)
> Application Name = C:\WINDOWS\system32\DRIVERS\ndisuio.sys (always same)
>
> Searching the registry I see NDIS Usermode I/O Protocol is found in
> HKLM\SYSTEM\ControlSet001\Services\Ndisuio (and others)
>
> Based on my googling, this ndisuio.sys file seems it might be related to
> the Nortel Extranet Access Protocol which reminded me that years ago a
> Nortel VPN program was installed but there is no vestige of it in the
> Windows XP Add and Remove Programs or in the Program Files directory so it
> must have been deleted long ago.
>
> A reverse IP search of each of the suspect addresses doesn't tell me much.
> http://ws.arin.net/whois/?queryinput=196.206.235.196 search
> OrgName: RIPE Network Coordination Centre
> OrgID: RIPE
> Address: P.O. Box 10096, Amsterdam, 1001EB, NL
>
> What confuses me the most is that the googling says ndisuio.sys is for
> wireless and it should not be blocked but I see no ill effects when I set
> my Sygate Personal Firewall to automatically block it. The windows xp
> machine and the wireless networking seems to be working just fine even with
> all these requests blocked.
>
> Can someone help me understand what the purpose of this driver is and how
> to stop it from making incoming requests hundreds of times a day?
>
> Should I just delete the HKLM\SYSTEM\ControlSet001\Services\Ndisuio and
> related lines in the windows registry?
>
> Should I just delete the C:\WINDOWS\system32\DRIVERS\ndisuio.sys file?
>
> I'd prefer to understand at least a little bit about what's going on before
> getting itchy fingers to delete the registry and file. Any ideas?
From: Susan on 19 Feb 2006 14:43

On Sun, 19 Feb 2006 18:01:22 GMT, bumtracks wrote:
> that remote MAC address is a Dlink product, who makes your router? Look
> at its MACs and see if one matches.
> NDisuio, you might want to right click it and choose properties and see who
> wrote that file. Think you'll see it is a Microsoft file and installed date
> is probably the date you or the manufacturer loaded windows.
>
> You really should find yourself a Sygate forum.

Hello bumtracks,

You are right on the money! Yes, I have a Dlink router. How did you know that? And that is its MAC address. Now why would my Dlink router be attacking me?

And you are right that the ndisuio.sys file appears to be from Microsoft (although google searches show it's related to the Nortel c:\windows\system32\drivers\eacfilt.sys somehow).

Even if I wasn't using Sygate, these attacks from eacfilt.sys & ndisuio.sys would still be occurring (wouldn't they?) - so I don't see how it's Sygate related.
From: Dom on 19 Feb 2006 15:01

> My basic home network has a NAT router and only one WinXP computer
> which is set up to be wireless.

The NAT router is a wireless NAT router and the XP machine connects to the router wirelessly?

> Remote Host = 196.206.235.196 (many different IP addresses are found)
> Remote MAC = 00-80-C8-A0-43-9B (this is always the same remote mac)

Sounds like spoofing. Like bumtracks said, identify the device with the above MAC address.

> Local Host = 192.168.0.10 (only a few ip addresses show up here)

What are the few?
From: Dom on 19 Feb 2006 15:25
> Now why would my Dlink router be attacking me?

There is nothing to indicate that these are attacks or originating from the Dlink router. Many routers employ NetBIOS features (ports 137 & 138).

> Even if I wasn't using Sygate, these attacks from eacfilt.sys &
> ndisuio.sys

This traffic is not from ndisuio.sys, but received by it.

Short of having a node which is capable of protocol analysis in place of the Dlink, I'm afraid that any theory concerning the source of the traffic would be mere speculation. You could try connecting your computer directly to the modem and examining what sort of traffic it receives.
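As an added example (not part of the thread, and not Sygate's own tooling), the script below tabulates blocked-traffic records laid out with the field names Susan listed, so the pattern the replies point at is visible at a glance: one "Remote MAC" shared by many "Remote Host" addresses means the MAC is the last Ethernet hop on the LAN (the router), not the origin of the packets, and "Application Name" on an incoming record names the driver that received the frame, as Dom says. The record layout (one record per line, ";"-separated key=value pairs), the extra sample rows, and 192.168.0.1 as the router's LAN address are assumptions; 196.206.235.196 and the two MACs are the values quoted in the thread, and the OUI table holds only the D-Link prefix the thread identifies.

```python
from collections import Counter

# Constructed sample, not a real Sygate Personal Firewall export. Field names
# follow the original post; the layout (one record per line, ";"-separated
# key=value pairs) is an assumption made for this example. 196.206.235.196
# and both MACs are quoted from the thread; 192.168.0.1 (assumed router LAN
# address) and the 203.0.113.x / 198.51.100.x hosts are made up.
SAMPLE_LOG = "\n".join([
    "Action=Blocked;Severity=10;Direction=Incoming;Protocol=UDP;"
    "Remote Host=196.206.235.196;Remote MAC=00-80-C8-A0-43-9B;Remote Port=63875;"
    "Local Host=192.168.0.10;Local MAC=00-0D-60-34-5A-23;Local Port=15744;"
    "Application Name=C:\\WINDOWS\\system32\\DRIVERS\\ndisuio.sys",
    "Action=Blocked;Severity=10;Direction=Incoming;Protocol=UDP;"
    "Remote Host=192.168.0.1;Remote MAC=00-80-C8-A0-43-9B;Remote Port=137;"
    "Local Host=192.168.0.255;Local MAC=FF-FF-FF-FF-FF-FF;Local Port=137;"
    "Application Name=C:\\WINDOWS\\system32\\DRIVERS\\ndisuio.sys",
    "Action=Blocked;Severity=10;Direction=Incoming;Protocol=UDP;"
    "Remote Host=192.168.0.1;Remote MAC=00-80-C8-A0-43-9B;Remote Port=1900;"
    "Local Host=192.168.0.10;Local MAC=00-0D-60-34-5A-23;Local Port=1032;"
    "Application Name=C:\\WINDOWS\\system32\\DRIVERS\\ndisuio.sys",
    "Action=Blocked;Severity=10;Direction=Incoming;Protocol=ICMP;"
    "Remote Host=203.0.113.7;Remote MAC=00-80-C8-A0-43-9B;Remote Port=0;"
    "Local Host=192.168.0.10;Local MAC=00-0D-60-34-5A-23;Local Port=0;"
    "Application Name=C:\\WINDOWS\\system32\\DRIVERS\\ndisuio.sys",
    "Action=Blocked;Severity=10;Direction=Incoming;Protocol=UDP;"
    "Remote Host=198.51.100.23;Remote MAC=00-80-C8-A0-43-9B;Remote Port=53;"
    "Local Host=192.168.0.10;Local MAC=00-0D-60-34-5A-23;Local Port=2049;"
    "Application Name=C:\\WINDOWS\\system32\\DRIVERS\\ndisuio.sys",
])

# Only the prefix identified in the thread; a real tool would load the IEEE OUI list.
OUI_VENDORS = {"00-80-C8": "D-Link"}
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
# IANA well-known assignments for port numbers the poster mentions.
WELL_KNOWN_PORTS = {
    53: "DNS",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    1900: "SSDP (UPnP discovery)",
    2049: "NFS",
}


def parse_records(text):
    """Split ';'-separated key=value lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for pair in line.split(";"):
            key, _, value = pair.partition("=")
            fields[key.strip()] = value.strip()
        records.append(fields)
    return records


def oui_vendor(mac):
    """Map the first three octets of a MAC to a vendor name, or None if unknown."""
    return OUI_VENDORS.get(mac.upper()[:8])


def summarize(records):
    """Count the values that distinguish 'many senders' from 'one next hop'."""
    return {
        "records": len(records),
        "remote_macs": Counter(r["Remote MAC"] for r in records),
        "remote_hosts": Counter(r["Remote Host"] for r in records),
        "protocols": Counter(r["Protocol"] for r in records),
        "remote_ports": Counter(int(r["Remote Port"]) for r in records),
        "local_ports": Counter(int(r["Local Port"]) for r in records),
        "broadcast_frames": sum(r["Local MAC"].upper() == BROADCAST_MAC for r in records),
        # Keep only the file name so path casing differences do not split the count.
        "applications": Counter(r["Application Name"].rsplit("\\", 1)[-1].lower() for r in records),
    }


def interpret(summary):
    """Return plain-language findings about the pattern in the summary."""
    findings = []
    macs = summary["remote_macs"]
    if len(macs) == 1 and len(summary["remote_hosts"]) > 1:
        mac = next(iter(macs))
        vendor = oui_vendor(mac) or "unknown vendor"
        findings.append(
            f"{len(summary['remote_hosts'])} distinct remote IPs all carry Ethernet source {mac} "
            f"({vendor}): the MAC identifies the last hop on the LAN, not the sender."
        )
    if summary["broadcast_frames"]:
        findings.append(
            f"{summary['broadcast_frames']} frame(s) were sent to {BROADCAST_MAC}; "
            "broadcasts reach every host on the LAN whether or not they were meant for this one."
        )
    seen_ports = set(summary["remote_ports"]) | set(summary["local_ports"])
    known = sorted(p for p in seen_ports if p in WELL_KNOWN_PORTS)
    if known:
        findings.append("Well-known services among the ports: "
                        + ", ".join(f"{p} {WELL_KNOWN_PORTS[p]}" for p in known))
    apps = summary["applications"]
    if len(apps) == 1 and "ndisuio.sys" in apps:
        findings.append("Every record names ndisuio.sys; for Direction=Incoming that is the "
                        "driver that received the packet, not the originator.")
    return findings


if __name__ == "__main__":
    for finding in interpret(summarize(parse_records(SAMPLE_LOG))):
        print("-", finding)
```

Pointing `parse_records` at a real export (after adjusting the split to whatever separator the export uses) gives the same counts over hundreds of records, which is the quickest way to confirm that the "many IPs, one MAC" shape is just the router forwarding and to see which of the ports are NetBIOS or SSDP chatter from the router itself.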