AutoIt compiled script is trying to send ICMP Type 0 (Echo Reply)

[LoWang]

Hello, I noticed this very strange thing. I have some autoit programs which I created for myself running ony my work laptop and when I tried to ping this machine from the second one I have strange thing happened - one of those programs wanted to reply to that ping and Symantec firewall noticed me about it if I want to allow it or not! Why the heck would my program do this? The one which did it just now has some network functions but they do something only when I click a button in it and otherwise it just loops sleep The second program which did it does not even have any network functions at all. So what the heck is that? Maybe this is normal and I freak out like a noob, so tell me. But I always thought it is the OS which should reply to pinging...

[LoWang]

where are all those valued autoiters who should know this?

[AdmiralAlkex]

Sleeping in the private developer forum?

Lol, but seriously, since it's about a compiled script, I'm not sure how a normal user is supposed to know this.

[water]

Don't know but please wait at least 24 hours before you bump a thread (according to forum FAQ).

[Jos]

I always thought the IP Stack did the reply to an ICMP. So you are actually seeing an ICMP come in and an AutoIt3 script tries to reply?

[Blue_Drache]

I always thought the IP Stack did the reply to an ICMP. So you are actually seeing an ICMP come in and an AutoIt3 script tries to reply?

If I read his babble correctly, he was saying a self-created autoit script is what's initiating the ping.

[LoWang]

Thank you for replying. Well, Blue_drache, you are not reading it correctly I said that I ping my first laptop from the second one I have to see if my wifi works (ping command from the command line) and then suddendly on my first one I see this message from our corporate Symantec Endpoint Protection!

pripojCdrive.exe is my script which I created for myself and colleagues and we use it to connect smb shares in our company and when I get home I sometimes leave it running. But there is absolutely no functionality which should reply to pings from another computers At least none that I know of. It does not matter if I say yes or no to this window - ping works normally and gets response.

And this was not the only case. Also another of my scripts tried to reply to pings and it has no network functions at all (as I wrote before) but I haven't made a photo of that warning window...

Edited January 21, 2012 by LoWang

[LoWang]

bump...

[jvanegmond]

Software firewalls are retarded.

Try another brand.

[LoWang]

Why the heck would SciTE jump want to access my network? I doubt the "problem" is in a firewall ...

Edited January 30, 2012 by LoWang

[guinness]

SciTE Jump doesn't access the Internet.

[jvanegmond]

I doubt the "problem" is in a firewall ...

Software firewalls are retarded.

Very retarded.

[Mobius]

Software firewalls are retarded.

Very retarded.

The worst are those that give very cryptic often verbose descriptions without actually giving information that is useful to the end user (or gives it in a manner that no user, experienced or not can use in an effective way).

Alternatively the worst case scenario is that an author of a tool uses a method they do not fully understand and thus causes such security software to freak out about the most casual of things.

Edited January 30, 2012 by Mobius

[BrewManNH]

Download and fire up WireShark and monitor your network traffic, wait until you get the message from your firewall and see what is actually sending the information to the NIC. Then you'll know where the "problem" actually is.

[LoWang]

Another one

text from the details:

File Version:

File Description: TC_changetext.exe

File Path: C:scriptypokusyTC_changetext.exe

Digital Signature:

Process ID: 0x3ec (Hexadecimal) 1004 (Decimal)

Connection origin: local initiated

Protocol: ICMP

Local Address: 192.168.1.35

ICMP Type: 0 (Echo Reply)

ICMP Code: 0

Remote Name:

Remote Address: 192.168.1.40

Ethernet packet details:

Ethernet II (Packet Length: 74)

Destination: 00-15-00-15-dd-a8

Source: 58-94-6b-79-bf-88

Type: IP (0x0800)

Internet Protocol

Version: 4

Header Length: 20 bytes

Flags:

.0.. = Don't fragment: Not set

..0. = More fragments: Not set

Fragment offset:0

Time to live: 128

Protocol: 0x1 (ICMP - Internet Control Message Protocol)

Header checksum: 0x9dad (Correct)

Source: 192.168.1.35

Destination: 192.168.1.40

Internet Control Message Protocol

Type: 0 (Echo Reply)

Code: 0

Data (36 bytes)

Binary dump of the packet:

0000: 00 15 00 15 DD A8 58 94 : 6B 79 BF 88 08 00 45 00 | ......X.ky....E.

0010: 00 3C 09 88 00 00 80 01 : AD 9D C0 A8 01 23 C0 A8 | .<...........#..

0020: 01 28 00 00 5B 54 02 00 : F8 07 61 62 63 64 65 66 | .(..[T....abcdef

0030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 | ghijklmnopqrstuv

0040: 77 61 62 63 64 65 66 67 : 68 69 | wabcdefghi

[jchd]

Does it need a (user) program running to have the network stack answer an ICMP request, assuming it isn't kept away from doing so by registry settings?

Looks like an automated response which doesn't need user code to happen.

It may simply be that the firewall sees the ICMP being automagically issued by the network stack and (mis)associates it with the PID having had the last user time slot, or something like that. In the vein "some process HAS to be guilty for that".

A comparable answerless question would probably arise if a "DVD reader firewall" tries to associate a user program with the "something caused the DVD tray to open" when a human pressed the eject button of this drive.

Do ping responses occur without any AutoIt script running?

[LoWang]

hm when you say it like this it may be the case. We had some bad experience with symantec products in our company before :-] But did you see the packet dump I pasted? What's with that alphabet in it?! I just continuously ping my primary laptop from the second one to check the wifi network stability and I get normal responses. From time to time - just now for example when I typed this sentence) one of the compiled autoit scripts decides to answer that pinging too! And yes ping still works after I exited all my scripts. But just a second after I launch one of them again it wants to reply to it :-] If I answer no but without remembering it seems not to try again...at least for some time.

I will try wireshark tomorrow because now I will probably go to sleep. (Without having done what I wanted again because of this disturbing mystery :- )

Edited January 30, 2012 by LoWang

[jchd]

I only use Ghost (which is a product Norton got by buying the company which made it) and no other Norton product. The last one I was involved in was their beta and release of the (very good at that time) C/C++ compiler originated by Zortech. Symantec destroyed this product shortly afterwards.

Having seen too many "kits" that teens could use to take control over a Norton/Symantec "protection" on any PC worldwide further kept me forever away from their products (especially what they call security products).

Yet what you report is a bit strange.

[LoWang]

Guess what...

File Version:

File Description: SciTE.exe

File Path: C:Program Files (x86)AutoIt3SciTESciTE.exe

Digital Signature:

Process ID: 0x2260 (Hexadecimal) 8800 (Decimal)

Connection origin: local initiated

Protocol: ICMP

Local Address: 192.168.1.35

ICMP Type: 0 (Echo Reply)

ICMP Code: 0

Remote Name:

Remote Address: 192.168.1.40

Ethernet packet details:

Ethernet II (Packet Length: 74)

Destination: 00-15-00-15-dd-a8

Source: 58-94-6b-79-bf-88

Type: IP (0x0800)

Internet Protocol

Version: 4

Header Length: 20 bytes

Flags:

.0.. = Don't fragment: Not set

..0. = More fragments: Not set

Fragment offset:0

Time to live: 128

Protocol: 0x1 (ICMP - Internet Control Message Protocol)

Header checksum: 0xee9f (Correct)

Source: 192.168.1.35

Destination: 192.168.1.40

Internet Control Message Protocol

Type: 0 (Echo Reply)

Code: 0

Data (36 bytes)

Binary dump of the packet:

0000: 00 15 00 15 DD A8 58 94 : 6B 79 BF 88 08 00 45 00 | ......X.ky....E.

0010: 00 3C 17 37 00 00 80 01 : 9F EE C0 A8 01 23 C0 A8 | .<.7.........#..

0020: 01 28 00 00 13 4B 02 00 : 40 11 61 62 63 64 65 66 | .(...K..@.abcdef

0030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 | ghijklmnopqrstuv

0040: 77 61 62 63 64 65 66 67 : 68 69 | wabcdefghi

[LoWang]

OMG and now it has gone completely crazy. It reports various exe files that are supposedly trying to do ICMP reply. procex64.exe, ProtectionUtilSurrogate.exe (symantec something), SynTPEnh.exe (Thinkpad utility). So the problem is not in autoit it seems...

Now even C:\Windows\System32\csrss.exe. :-]

Edited January 30, 2012 by LoWang