 andy_c
join:2001-01-31 Louisville, CO
·ViaTalk
| Win Explorer wants to connect to sa.windows.com?
Hi all, I just changed my default browser setup in WinXP to use Mozilla instead of IE. I was previously using IE together with Proxomitron and Kerio Personal Firewall. I had Kerio set up to allow Proxo full access but block IE from trying to go around the proxy. After installing Mozilla, I decided to prevent IE from connecting to the internet at all, so I went into the IE proxy settings and removed the proxy settings altogether, thus allowing Kerio to block it.
As a test, I tried to connect to the internet with IE and sure enough Kerio popped up with a message warning me about the connection attempt. Fine so far. But a few minutes later I did a file search using Explorer (not Internet Explorer - just right-clicking on a folder and choosing "search"), and Kerio popped up with the message to the effect that explorer was trying to connect to sa.windows.com [207.46.226.40:80]. This bothers me! Why in the world should a local file search trigger a connection attempt to an outside machine? Has anyone else seen this?
After having this happen, I'm actually very happy that I've disabled IE from connecting to the internet altogether. I've since set up a rule which prevents Windows Explorer from connecting to the internet as well.
Thanks, Andy C |
|
 radical1
join:2002-05-24 Macon, GA | Yeah, my XP Pro did the same thing so I blocked it. I don't know why Microsoft chose to do that but I make sure it is blocked.
You have an excellent firewall--myself, I choose Tiny 4.0
Never trust Microsoft!!
cheers |
|
  dja The 'd' is silent ... unlike the member. Premium join:2002-03-25 Niagara
| reply to andy_c Re: MS yap-ware
This should help: www.xpantispy.de/ Click on the British Flag for English. --
"...nailed to a cross of Reason...":) |
|
 andy_c
join:2001-01-31 Louisville, CO
·ViaTalk
| Hi dja, I had AntiSpy installed already, but just to be sure, I re-ran it, disabling all the available items except balloon help, the scheduler and the clearing of the paging file. I still have the attempted connection, so it doesn't seem to help this problem. I'm also seeing Media Player attempting to connect to adserv.internetfuel.com [209.132.218.66:80] now.
It seems that if a proxy such as Proxo is set up in the IE proxy settings, many other programs besides IE end up finding out about this and using the proxy as well. So allowing Proxo unlimited access through Kerio was covering up some of these attempted accesses by programs other than IE that I had no idea were happening. I guess this is a double-edged sword. I was able to neuter the ads of Kazaa and RealPlayer by putting their respective URLs in Proxo's URL killfile.txt. This doesn't work anymore, so I guess I'll revert to the HOSTS file.
I must say that this experience has been an eye-opener for me. I don't think I'll ever enable IE to connect to the internet again, except temporarily for a possible download of MS security fixes. |
|
  ClmsnTgrFan Thrifty, Not Cheap Premium join:2001-06-02 Crestview, FL clubs:
| reply to andy_c Re: Win Explorer wants to connect to sa.windows.co
Yeah, this is known behavior. I won't say expected behavior, because I agree it is not expected. Here is an article at the Register about it.
In and of itself, it doesn't seem too bad, but why would it do that by default? Seems like something the user should have to want it to do. |
|
 andy_c
join:2001-01-31 Louisville, CO
·ViaTalk
| Thanks for that article reference. It covers what I was seeing with Media Player as well.
This all came about when I started thinking about an issue that came up at work. I work for a company that makes a very expensive (5 figures) piece of software. It uses a third-party protection scheme which is known to have been defeated by crackers. Our code actually uses the IWebBrowser COM interface to Internet Explorer to connect to a web site, and upload and log IP address and registration key information in an attempt to identify known cracked license keys. Even people who have personal firewall software will usually still allow Internet Explorer full access, so this process will typically go undetected. I realized that this whole IWebBrowser interface issue represented what I consider to be a significant risk, if not to security, then at least to privacy. So I decided that connecting through Internet Explorer was something I didn't want my system to do at all.
Getting back to these MS programs connecting without my consent, there's another thing that's still bugging me: I wasn't getting these messages when I allowed Proxomitron (and thus IE through HTTP) full access. So this says these programs are trying to connect in two different ways - first through the back door of IE (probably using the IWebBrowser interface), then using code within the program itself. This sure looks to me like "Try the least easily detected technique first, and if that doesn't work, try the more efficient but more easily detected approach of using code that's within the program itself". As a developer myself, I can't think of a good explanation for attempting a less efficient approach first, other than just being sneaky.
Andy C [text was edited by author 2002-11-25 12:41:06] |
|
  ClmsnTgrFan Thrifty, Not Cheap Premium join:2001-06-02 Crestview, FL clubs:
| Glad the article was useful.
Do you have any references for the IWebBrowser thing? I haven't heard of it before, but it sounds like a huge security hole. I did a few quick web searches, but found nothing that really explains it.
Thanks. |
|
 andy_c
join:2001-01-31 Louisville, CO
·ViaTalk
| Here's the MSDN info: http://msdn.microsoft.com/library/default.asp?url=/workshop/browser/prog_browser_node_entry.asp
The method for sending data to a web server is the IWebBrowser2::Navigate() method described here: http://msdn.microsoft.com/workshop/browser/webbrowser/reference/IFaces/IWebBrowser2/Navigate.asp
Notice the fourth argument, "PostData". That's the data to send to the server. Here's the description: "PostData [in] Pointer to data to send with the HTTP POST transaction. For example, the POST transaction is used to send data gathered by an HTML form."
Andy C [text was edited by author 2002-11-25 13:46:57] |
|