From: Shripal (meghani at nsecure.net)
Date: Tue Jan 01 2002 - 01:00:51 CST
[shrip] First, I think it's not '\??\' that would be prefixed to the path
name of the application. It should be '\\?\'.

Secondly, the appearance of the above prefix may not be anything to worry
about. '\\?\' simply instructs the OS to shut off path parsing. Normally
unicode versions of the complete path name may exceed the length that is set
for them (i.e. if path parsing is on)... this prefix is normally added to
allow the full path name to exceed this length limit MAX_PATH (I think it
was 260 characters). If this prefix is supplied, the length of just each
component in the path name cannot exceed MAX_PATH.
e.g.: \\?\C:\WinNT\system32\winlogon.exe is interpreted in the same way as
c:\winnt\system32\winlogon.exe.

Thirdly, winlogon loads zero or more network provider dlls, so it may not be
surprising that it will try to connect to the internet. I am not sure
exactly what denying this to the internet as well as the intranet would
mean. You may deny it to the internet, but maintain it for the intranet.
Shripal Meghani
Senior Software Engineer
nSecure Software (P) Ltd.
|-----Original Message-----
|From: Aaron Young [mailto:acyoung at nysernet.org]
|Sent: Monday, December 31, 2001 9:01 PM
|To: focus-ms at securityfocus.com
|Subject: Zone Alarm and winlogin.exe
|
| Anyone seen this before? In the last month one of the sites I
|manage had an intrusion that forced us to take our server
|offline. After putting Zone Alarm on the Win2K server to see if
|it caught anything rogue trying to access the Internet, I found
|the following alert: Do you want to allow
|\??\C:\WINNT\system32\winlogin.exe to access the Internet? Since
|the path to winlogin.exe began with an unknown character (\??\) I
|found this to be suspicious. A.
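Added example, not from the thread or either poster: a small Python triage helper for a prompt like the one quoted above. It strips the prefixes that both messages mention (\??\, which is the NT object-namespace form that kernel-mode components such as a firewall driver report, and the Win32 \\?\ and \\.\ forms), then compares what remains against a constructed allow-list of expected Windows 2000 system binaries and flags a basename that is only a near match (the thread itself alternates between winlogin.exe and winlogon.exe). The allow-list contents and the exact prompt wording are assumptions.

```python
import difflib
import re

# Prefixes that mean "what follows is an ordinary drive path": the NT
# object-namespace form (\??\) reported by kernel-mode components, and the
# Win32 verbatim / device forms (\\?\ and \\.\).
NT_PREFIX_RE = re.compile(r"^(\\\?\?\\|\\\\\?\\|\\\\\.\\)")

# Constructed allow-list for a Windows 2000 host (assumption); a real
# deployment would build this from a trusted inventory, not hard-code it.
EXPECTED_SYSTEM_BINARIES = {
    "winlogon.exe": r"c:\winnt\system32\winlogon.exe",
    "lsass.exe": r"c:\winnt\system32\lsass.exe",
    "services.exe": r"c:\winnt\system32\services.exe",
}

def normalize_win_path(path):
    """Drop a native/verbatim prefix and fold case so equivalent paths compare equal."""
    return NT_PREFIX_RE.sub("", path.strip()).lower()

def parse_prompt_path(prompt):
    """Pull the executable path out of a 'Do you want to allow <path> to access ...' prompt."""
    m = re.search(r"allow\s+(\S+)\s+to\s+access", prompt)
    return m.group(1) if m else None

def triage_path(raw_path):
    """Classify a reported path: cosmetic prefix, exact match, lookalike name, or unknown."""
    norm = normalize_win_path(raw_path)
    name = norm.rsplit("\\", 1)[-1]
    findings = []
    # The prefix alone is not evidence of anything; record it and move on.
    if NT_PREFIX_RE.match(raw_path.strip()):
        findings.append("prefix_is_cosmetic")
    if name in EXPECTED_SYSTEM_BINARIES:
        if norm == EXPECTED_SYSTEM_BINARIES[name]:
            findings.append("matches_expected_binary")
        else:
            findings.append("known_name_unexpected_location")
    else:
        # A basename one character off from a system binary deserves a look
        # before the prompt is approved; difflib's ratio catches such near misses.
        close = difflib.get_close_matches(name, list(EXPECTED_SYSTEM_BINARIES), n=1, cutoff=0.85)
        findings.append("lookalike_of:" + close[0] if close else "unknown_binary")
    return {"normalized": norm, "basename": name, "findings": findings}
```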