[unisog] MS alg.exe listening on tcp

PaulFM paulfm at me.umn.edu
Sat Apr 8 13:11:05 GMT 2006


The Windows firewall is now part of alg (Application Layer Gateway Service) 
since SP2, so you need it running to use the firewall (and you may need it 
running to use third-party firewalls).

More info on Services and ports (what a mess):
http://www.microsoft.com/smallbusiness/support/articles/ref_net_ports_ms_prod.mspx


And some info on the default settings of services:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_default_settings.mspx



John York wrote:
> New XP sp2 images with current patches have alg.exe listening on a TCP
> port, usually between 1024 and 2000.  Googling shows that alg.exe is MS
> application level gateway, and is related to windows firewall and
> internet connection sharing(1).  Another document says ALG "provides
> support for independent software vendors (ISVs) to write protocol
> plug-ins that allow their proprietary network protocols to pass through
> the firewall and work behind ICS."(2)  OK.  When something is using ALG,
> how do I know what that something is?  TCPview and netstat -abn just
> show that alg.exe is using the port.  What told ALG it needed that port?
> The doc in (2) also says only FTP has a plug-in that ships with server
> 2003, no mention of anything for XP.  I did find one link(3) that says
> Symantec may kick it off, and we have Symantec AV.
> 
> The machines in question do not have ftp installed, and internet
> connection sharing is disabled on the network control panel.  When I try
> to connect to the port (windows firewall off) using netcat or telnet, I
> receive an RST/ACK for every SYN sent--not acting like an open port.
> Nmap doesn't show the port open either.  I don't think these machines
> are infected, and I think that I'm seeing normal ops.
> 
> Anyway, alg.exe is spooky.  Does it really provide passthrough for
> windows firewall?  If so, how do you tell what's using it?  Why does the
> port show as listening to TCPView and netstat, but I can't connect to
> it?
> 
> thanks
> John
> 
> (1)http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xpehelp/html/xeconComponentizedWindowsServices.asp
> (2)http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/svrxpser_7.mspx
> (3)http://www.mcse.ms/message1238135.html
> 
> John York
> Network Engineer
> Blue Ridge Community College
> 1 College Lane, Weyers Cave, VA 24486
> 540.453.2255 
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
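
An added example, not part of the original thread: one check for the "listening but not connectable" symptom is to read the bind address that `netstat -abn` prints for each listener, since a socket bound to a loopback address only accepts local connections. The sample output below is constructed (addresses, ports and PIDs are invented, and the loopback binding shown for alg.exe is an assumption to compare against your own output); the function name `listeners` is hypothetical.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of `netstat -abn` on Windows XP SP2.
# All addresses, ports and PIDs are invented for illustration.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  c:\windows\system32\WS2_32.dll
  [svchost.exe]

  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1520
  [alg.exe]

  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  [System]

  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED     2210
  [iexplore.exe]
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def listeners(text):
    """Return one dict per TCP listener: owner, pid, addr, port, scope."""
    found, current = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            addr, port, pid = m.group(1).strip("[]"), int(m.group(2)), int(m.group(3))
            # Loopback binds are unreachable from other hosts; 0.0.0.0 or a
            # NIC address is reachable unless a firewall blocks it.
            scope = "loopback-only" if ip_address(addr).is_loopback else "network"
            current = {"owner": None, "pid": pid, "addr": addr, "port": port, "scope": scope}
            found.append(current)
        elif current is not None and (o := OWNER.match(line)):
            current["owner"] = o.group(1)  # -b prints the owner after the row
            current = None
        elif line.strip().startswith(("TCP", "UDP")):
            current = None  # next row began before any owner line appeared
    return found

if __name__ == "__main__":
    for l in listeners(SAMPLE):
        print(f'{l["owner"]:<14}{l["addr"]}:{l["port"]:<6} pid={l["pid"]:<5} {l["scope"]}')
```
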

