
What exactly is Client Security Solution doing upon bootup?

Posted: Mon Mar 27, 2006 10:26 pm
by XCoalMiner
Can someone explain exactly what Client Security Solution is doing upon booting the OS on my T41 (Win XP Pro w/ SP2)? Here’s the sequence of events:

-- OS boots normally. Everything works without issue.

-- After the desktop draws and is populated with the usual icons, up pops a message from Zone Alarm, “cssauth.exe is trying to access the internet, Destination IP: 127.0.0.1:Port 6060”. No concerns so far, Client Security Solution is trying to make a local client/server connection, with the client and server on the same OS. So I usually allow this.

-- Next message from ZoneAlarm, “cssauth.exe is trying to access the internet, Destination IP: 4.79.75.61:DNS”. I have no idea where 4.79.75.61 is (searched for it, pinged it, etc.). I always Deny access to this.

-- Next pops up a small dialog box on the center of the desktop, in the title bar is “Client Security Solution”. In the middle of the dialog box is a simple animation with a red circle moving left and right across a row of white circles, and the message “Processing, Please Wait”. After 20 seconds or so this dialog box goes away, and I never see anything about Client Security Solution again, until I reboot.


Note that I have purposely not installed Client Security Solution. I did install Rescue and Recovery 3 (exact current version is 3.01.0037.00) and recall something about it ‘needing’ some components of Client Security Solution to work/install properly. So, exactly what is CSS doing upon startup, and what will happen if I allow it to access the DNS IP address? Is there any chance it will lock me out of something, such as my HD?

Posted: Mon Mar 27, 2006 10:32 pm
by ThinkPad R
Sounds suspicious.

Probably you ought to re-install it.

Posted: Mon Mar 27, 2006 11:16 pm
by croooowe
This is standard, no need for installation. With RnR only installed and no CSS components enabled (encrypt backups and the like), the CSS core is still running and checking the system, security chip, etc. No biggie but does seem odd nonetheless. If it really disturbs you, people have been known to use MSCONFIG to disable it at start up without any issues.

Posted: Mon Mar 27, 2006 11:25 pm
by XCoalMiner
Do you have any insights as to why the CSS core, even though disabled, would be going out to a DNS server?

Posted: Tue Mar 28, 2006 3:33 am
by christopher_wolf
Did a Sam Spade IP Whois on it

http://www.samspade.org/t/ipwhois?a=4.79.75.61

Looks like it is going to a Level 3 net backbone in Colorado; many net communications go through there.

 
  OrgName:    Level 3 Communications  Inc. 
  OrgID:      LVLT 
  Address:    1025 Eldorado Blvd. 
  City:       Broomfield 
  StateProv:  CO 
  PostalCode: 80021 
  Country:    US 
  NetRange:   4.0.0.0 - 4.255.255.255 
  CIDR:       4.0.0.0/8 
  NetName:     LVLT-ORG-4-8 
  NetHandle:  NET-4-0-0-0-1 
  Parent: 
  NetType:    Direct Allocation 
  NameServer: NS1.LEVEL3.NET 
  NameServer: NS2.LEVEL3.NET 
  Comment: 
  RegDate: 
  Updated:    2004-06-04 
  OrgAbuseHandle: APL8-ARIN 
  OrgAbuseName:   Abuse POC LVLT 
  OrgAbusePhone:  1-877-453-8353 
  OrgAbuseEmail:  abuse@level3.com
 
  OrgTechHandle: ARINC4-ARIN 
  OrgTechName:   ARIN Contact 
  OrgTechPhone:  1-800-436-8489 
  OrgTechEmail:  arin-contact@genuity.com
 
  OrgTechHandle: TPL1-ARIN 
  OrgTechName:   Tech POC LVLT 
  OrgTechPhone:  1-877-453-8353 
  OrgTechEmail:  ipaddressing@level3.com
 
   ARIN WHOIS database  last updated 2006-03-27 19: 10 
   Enter ? for additional hints on searching ARIN's WHOIS database. 

Seems to me to behave like the Windows Clock synchronizer or other programs that send out a request for a certain server on the net; I think it just wants to check for a certain level of connectivity.

I don't think that denying it access or giving it access does anything; just to be safe, you might want to try to grant it access once and see what happens. I am pretty sure that nothing bad can happen going to that IP, worst case would be a ping timeout waiting for a response.
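
Added example (not written by any poster in this thread): a short Python triage of the two ZoneAlarm prompts quoted in the first post, checked against the CIDR field of the WHOIS record posted above. The regular expression, the `triage` function name and the scope labels are assumptions made for this illustration.

```python
import ipaddress
import re

# Prompt texts as quoted in the first post of this thread.
ALERTS = [
    "cssauth.exe is trying to access the internet, Destination IP: 127.0.0.1:Port 6060",
    "cssauth.exe is trying to access the internet, Destination IP: 4.79.75.61:DNS",
]
# CIDR field from the WHOIS record posted in the thread.
WHOIS_CIDR = "4.0.0.0/8"

# Assumed prompt layout, inferred only from the two quoted messages.
ALERT_RE = re.compile(
    r"^(?P<proc>\S+) is trying to access the internet, "
    r"Destination IP: (?P<ip>[0-9.]+):(?:Port )?(?P<svc>\w+)$"
)
# The second prompt shows a service name instead of a port number.
SERVICE_PORTS = {"DNS": 53}


def triage(alert, whois_cidr=None):
    """Classify one firewall prompt by destination scope and port."""
    m = ALERT_RE.match(alert)
    if m is None:
        raise ValueError(f"unrecognised alert: {alert!r}")
    ip = ipaddress.ip_address(m["ip"])
    svc = m["svc"]
    port = int(svc) if svc.isdigit() else SERVICE_PORTS.get(svc.upper())
    # Loopback is tested first because 127.0.0.0/8 also counts as private.
    if ip.is_loopback:
        scope = "loopback"
    elif ip.is_private or ip.is_link_local:
        scope = "local-network"
    else:
        scope = "external"
    result = {"process": m["proc"], "ip": str(ip), "port": port, "scope": scope}
    if whois_cidr and scope == "external":
        net = ipaddress.ip_network(whois_cidr)
        # How much does the WHOIS block actually narrow things down?
        result["in_whois_block"] = ip in net
        result["block_size"] = net.num_addresses
    return result


if __name__ == "__main__":
    for line in ALERTS:
        print(triage(line, WHOIS_CIDR))
```

The second prompt comes out as an external destination on port 53 inside a block of 16,777,216 addresses, so the WHOIS record names the carrier holding the allocation rather than whoever operates that particular host.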