[unisog] MS alg.exe listening on tcp

John York YorkJ at brcc.edu
Fri Apr 7 19:20:25 GMT 2006


New XP sp2 images with current patches have alg.exe listening on a TCP
port, usually between 1024 and 2000.  Googling shows that alg.exe is MS
application level gateway, and is related to windows firewall and
internet connection sharing(1).  Another document says ALG "provides
support for independent software vendors (ISVs) to write protocol
plug-ins that allow their proprietary network protocols to pass through
the firewall and work behind ICS."(2)  OK.  When something is using ALG,
how do I know what that something is?  TCPview and netstat -abn just
show that alg.exe is using the port.  What told ALG it needed that port?
The doc in (2) also says only FTP has a plug-in that ships with server
2003, no mention of anything for XP.  I did find one link(3) that says
Symantec may kick it off, and we have Symantec AV.

The machines in question do not have ftp installed, and internet
connection sharing is disabled on the network control panel.  When I try
to connect to the port (windows firewall off) using netcat or telnet, I
receive an RST/ACK for every SYN sent--not acting like an open port.
Nmap doesn't show the port open either.  I don't think these machines
are infected, and I think that I'm seeing normal ops.

Anyway, alg.exe is spooky.  Does it really provide passthrough for
windows firewall?  If so, how do you tell what's using it?  Why does the
port show as listening to TCPView and netstat, but I can't connect to
it?

thanks
John

(1) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconComponentizedWindowsServices.asp
(2) http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/svrxpser_7.mspx
(3)http://www.mcse.ms/message1238135.html

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
540.453.2255 
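
An added example, not part of the original post: a parser for `netstat -abn` output that pairs each LISTENING TCP socket with its owning executable and classifies the local address it is bound to. A listener bound to a loopback address appears as LISTENING on the host itself but resets connection attempts from other machines; whether that is what these machines were doing is not stated in the post. The sample output, addresses and PIDs are constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of Windows `netstat -abn`; not taken from the post.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  [svchost.exe]

  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1680
  [alg.exe]

  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  [System]

  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED     2212
  [iexplore.exe]
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def bind_scope(ip):
    """Say who can reach a listener bound to this local address."""
    if ip.is_loopback:
        return "loopback only"
    return "all interfaces" if ip.is_unspecified else "one interface"

def tcp_listeners(text):
    """Pair each LISTENING TCP row with the [image] line that follows it."""
    out, cur = [], None
    for line in text.splitlines():
        if line.split()[:1] in (["TCP"], ["UDP"]):
            cur = None  # a new socket row ends the previous row's owner block
            m = ROW.match(line)
            if m:
                ip = ipaddress.ip_address(m.group(1).strip("[]"))
                cur = {"addr": str(ip), "port": int(m.group(2)), "pid": m.group(3),
                       "image": None, "scope": bind_scope(ip)}
                out.append(cur)
        elif cur is not None and cur["image"] is None:
            m = OWNER.match(line)
            if m:
                cur["image"] = m.group(1).lower()
    return out

if __name__ == "__main__":
    for s in tcp_listeners(SAMPLE):
        print(f'{s["image"] or "?":<14} pid {s["pid"] or "?":<5} {s["addr"]}:{s["port"]:<6} {s["scope"]}')
```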


