Blocking file transfers in messenger

[Avalanche 0]

I guess the subject header says it all. I'd like to know if there's a way to block people from sending and receiving files through msn/windows messenger on a Win2k Pro machine, without blocking all messages.

 

See this is for my mom's system, where there is a bunch of teenaged girls that use messenger all the time and like to trade around neat things they find on the net.

 

Well yesterday I was asked to come over and perform the general system maintenance that I do for her computer, and I found 178 peices of spyware including all the major well known ones. The only possible source of these is from the girls using messenger (excpet for the 9 or 10 that regularly have to clean from IE Cookies).

 

Rather than fighting with teeanged girls I'd rather that they suddenly find they cannot send or recieve files anymore (oh no, my life is over )

 

I've searched the net for a couple hours and I can't find anything that helps me, I'd imagine that if it's an issue of blocking a port or something I could manually set that in the firewall, but I suspect messenger rotates the ports it uses for security's sake.

 

Anyway, any insight would be appreciated.

 

Thanks.

[Champion_R 0]

MSN uses ports 6891 to 6900 for file transfers.

[jimf43 0]

If you use ZoneAlarm as your firewall, then just block MSM as a server. I think that 'should' still allow messages, but not file transfers.

[Avalanche 0]

Thanks for the help, I will try the server thing ASAP, she is running ZoneAlarm.

[Avalanche 0]

Well not allowing servers made no difference to incoming files.

 

I can block outgoing transfers, so I guess then my problem is 50% solved. Not really though, since if the files are already here, they've done their damage.

 

BTW, I should have mentioned before, it's Messenger 5.0 that's being used. Sorry I forgot about that before.

[jimf43 0]

Quote:

Well not allowing servers made no difference to incoming files.

I can block outgoing transfers, so I guess then my problem is 50% solved. Not really though, since if the files are already here, they've done their damage.

BTW, I should have mentioned before, it's Messenger 5.0 that's being used. Sorry I forgot about that before.

Well I supose that you could just disallow MSM 'all' access through zonealarm... Just tell them you can't figure out why it isn't working (darn MS software)... humm... maybe not ;-). Time to block ports 6891 to 6900?? ;(

[theelviscerator 0]

I have run into this problem when I had to reformat and reinstall a system over spyware. System was running at 100% cpu on win2k pro.

Kazaa was main culprit that let in who knows what else. I said fine do what you want but when computer goes down again, its YOUR PROBLEM. You want to dl crap for a short period of time or use your system.

Its still running...............So maybe just maybe the idea of NO COMPUTER at all scared him a bit.

[jimf43 0]

Quote:

I have run into this problem when I had to reformat and reinstall a system over spyware. System was running at 100% cpu on win2k pro.
Kazaa was main culprit that let in who knows what else. I said fine do what you want but when computer goes down again, its YOUR PROBLEM. You want to dl crap for a short period of time or use your system.
Its still running...............So maybe just maybe the idea of NO COMPUTER at all scared him a bit.

If Spyware is your main concern then you should make sure that you have the latest version of ADaware run on a regular basis. I'm sure that you have a decent antivirus package installed, and, you should also turn on the MailSafe feature in ZoneAlarm. I'm afraid that's about as far as you can go with it ;-).

[Avalanche 0]

I did install Ad-Aware, which is how I knew there was 178 pieces of SpyWare on the system. The issue is, it's not my system, it's my mom's, and she's likely to shy away from running Ad-Aware on a regular basis.

 

She does have a decent anti-virus, and whenever I'm over there, I do run everything, and clean out the system, but I'm not over there every day.

 

I'm gonna try blocking the ports that messenger uses next time I'm over there and see what that does. There may be unfortunate side effects of blocking all those ports, other apps may want to use them too.

 

We'll see.

 

 

Thanks for the input everybody.

[adamvjackson 0]

Avalanche, I have just what you need. TweakMsgr

[Avalanche 0]

You sir, do indeed ROCK!

 

Thanks very much for this. Where on earth did you find it? I've been looking high and low for something like it. It's perfect!

 

I'll report back later tonight after I've tested it on my mom's system.

[adamvjackson 0]

Glad I was able to reach you, I hope it works. I found it here.

[Avalanche 0]

Bad luck. I tried every possible combination of settings, and it simply doesn't do anything that it says it should do. It doesn't block file transfers, it doesn't block video, or voice. It doesn't even work to disable MSN altogether.

 

This is a real bugger. You'd think there'd be an easy way to do this, it seems like a fairly big security risk allowing any and all users to send and recieve all the files they want.

 

I know MicroSoft isn't the best when it comes to security, but this one seems to be a bit of an agregious oversight.

 

PS, I'm not blaming the people who made this little program, it's a great idea. There must be some difference in how it's set up on this machine than they expected.

[adamvjackson 0]

You're running MSN Messenger 5, right? Not Windows Messenger (XP)

[Avalanche 0]

That is correct.

 

MSN Messenger 5.0.04xx on Windows 2000 Professional sp2. Sorry I can't remember the exact build number on msn, but it was the one that just came out this morning. When I went over to my mom's to test that program she told me that she had done the update that it notified her of just today.

 

I'm home again now, so I dont have direct access to the computer.

 

Personally I use Trillian, so I really don't have much experience with Messenger itself. But I went through everything I could think of, but the best I could do is block outgoing files, and not incoming files.

[clutch 1]

What happened to blocking the ports? Did you try that? It would probably be your best bet.

[Avalanche 0]

Oh, sorry. I guess I should have been more clear. Blocking the ports only served to stop messages and outgoing files.

 

This is because for receiving files Messenger offloads that duty onto a system file called ndisuio.sys. This file is apparently used by many windows systems for access to a network. It seems to exclusively use port 137, for all it's access, so I can't just block it for when it is working for messenger. Looking at my Sygate logs I see that ndisuio.sys on port 137 was accessed by several windows systems, including ntoskrnl.exe, and explorer.exe.

 

So Blocking the ports doesn't do anything that disallowing server didn't do.

 

PS, this search had allowed me to find a feature in sygate firewall that is far superior to similar functions in ZoneAlarm. Even in the free edition of Sygate, I can do things like observe the network activity of things like ndisuio.sys, and block any individual port I want, and specify which protocol I'd like to be blocking (UDP for messenger, but I tried them all, none worked, because of the .sys thing). ZneAlarm doesn't offer anyhere near that much flexability, even in their Pro edition. </soapbox> :-)

 

So again, this is where I stand. Thanks for all the input.

[jimf43 0]

Quote:

That is correct.

MSN Messenger 5.0.04xx on Windows 2000 Professional sp2. Sorry I can't remember the exact build number on msn, but it was the one that just came out this morning. When I went over to my mom's to test that program she told me that she had done the update that it notified her of just today.

she's smart enough to update MSM, but, she can't run addaware??? Time for a serious talk

[Avalanche 0]

Quote:

she's smart enough to update MSM, but, she can't run addaware??? Time for a serious talk

Seriously good point. I hadn't thought of it that way. You are right of course.

The thing is, I was hoping for security's sake that I could get this done, whether she can get rid of the spyware or not. Spyware is but one of many security concerns that are at issue here, concerns that will be impossible to teach to the girls who are the root of the problem.

Oh well, I just find this whole thing rather frustrating.

[jimf43 0]

Quote:

Quote:

she's smart enough to update MSM, but, she can't run addaware??? Time for a serious talk

Seriously good point. I hadn't thought of it that way. You are right of course.

The thing is, I was hoping for security's sake that I could get this done, whether she can get rid of the spyware or not. Spyware is but one of many security concerns that are at issue here, concerns that will be impossible to teach to the girls who are the root of the problem.

Oh well, I just find this whole thing rather frustrating.

The 'root of the problem' is really the MSM, and not the girls. The only real solution is to uninstall the MSM or to password the account and not give 'the girls' access untill they are accountable ( try never ). in any case, you have to get control of the situation.

[adamvjackson 0]

If the password is stored on the system, you can use this to recover it, FYI.