Hi,

We noticed that the pafilesight.exe process is sending SYN packets to mail.poweradmin.com. Why does this happen and how can we disable it?

Thank you and best regards,

Bojan

asked 15 Jan '15, 08:06

Bojan
accept rate: 0%


Hi Bojan --

I'm assuming you mean the FileSightSvc.exe (there is no pafilesight.exe process that we make). We can't think of any reason it should be sending any packets at all to mail.poweradmin.com. In fact, we just scanned the source code and that host name doesn't appear anywhere.

Our only guess is one of your email actions is trying to use mail.poweradmin.com to send messages, but I really doubt that would work as you don't have an account on our mail server. This one is a huge mystery to us.

answered 15 Jan '15, 10:10

Doug ♦♦
accept rate: 22%

Hi Doug,

You're correct, it's the FileSightsvc.exe process. We are monitoring TCP traffic on our host, and we discovered TCP traffic to port 443 (and 80) to IP 216.157.78.172, which resolves to your servers...

We're using Pa FileSight Console version 5.5.0.147.

Regards, Bojan

answered 16 Jan '15, 06:14

Bojan
accept rate: 0%

Hi Bojan --

There is an update check that happens about once a month that goes to our web server. You can disable that if you want in the Settings dialog. Also, when you activate a new license a one-time request is sent to the server. During install of a new version you are prompted to see if you want to check for an upgrade license (to see if Support & Maintenance is active) but that's just during install and you're prompted about it.

Since these are going to port 80, can you see what URL is being queried? That would tell us for sure what the request is.

Doug

answered 20 Jan '15, 10:26

Doug ♦♦
accept rate: 22%

Hi,

Unfortunately, I couldn't find the settings window for disabling the monthly update. Can you point me to where I can set up this option? We're using PA File Sight version 5.6.0.163 now. I want to try this option first and report back after a while.

And today we noticed this activity, this time for port 443:

NCM TIMESTAMP=21.1.2015 12:16:06 EVENT=CLOSE ORIGIN=neptun PROTOCOL=TCP LOCALIP=10.0.0.33 LOCALPORT=58552 REMOTEIP=216.157.78.172 REMOTEPORT=443 DIRECTION=OUT PID=716 PNAME=FileSightSvc.exe STATE=SYN_SENT OPENTIME=21.1.2015 12:16:00 0100 CLOSETIME=21.1.2015 12:16:05 0100 DURATION=0:00:00:05

NCM TIMESTAMP=21.1.2015 12:16:00 EVENT=OPEN ORIGIN=neptun PROTOCOL=TCP LOCALIP=10.0.0.33 LOCALPORT=58552 REMOTEIP=216.157.78.172 REMOTEPORT=443 DIRECTION=OUT PID=716 PNAME=FileSightSvc.exe STATE=SYN_SENT OPENTIME=21.1.2015 12:16:00 0100

NCM TIMESTAMP=21.1.2015 11:15:59 EVENT=CLOSE ORIGIN=neptun PROTOCOL=TCP LOCALIP=10.0.0.33 LOCALPORT=58360 REMOTEIP=216.157.78.172 REMOTEPORT=443 DIRECTION=OUT PID=716 PNAME=FileSightSvc.exe STATE=SYN_SENT OPENTIME=21.1.2015 11:15:54 0100 CLOSETIME=21.1.2015 11:15:59 0100 DURATION=0:00:00:05

NCM TIMESTAMP=21.1.2015 11:15:54 EVENT=OPEN ORIGIN=neptun PROTOCOL=TCP LOCALIP=10.0.0.33 LOCALPORT=58360 REMOTEIP=216.157.78.172 REMOTEPORT=443 DIRECTION=OUT PID=716 PNAME=FileSightSvc.exe STATE=SYN_SENT OPENTIME=21.1.2015 11:15:54 0100

Regards, Bojan

answered 21 Jan '15, 07:06

Bojan
accept rate: 0%

Asked: 15 Jan '15, 08:06

Seen: 3,389 times

Last updated: 21 Jan '15, 07:06