There are isolated problems with current patches, but they are well-known and documented on this site.
Outlook Web Access corrupts HTML attachments
In this issue
- INTRODUCTION: Hong Kong readers: meet with me on June 15
- TOP STORY: Outlook Web Access corrupts HTML attachments
- PATCH WATCH: XP Service Pack 3: not yet ready for prime time
- WACKY WEB WEEK: You want me to spell what?
- BEST SOFTWARE: Transfer mammoth files reliably for free
- WOODY'S WINDOWS: The hardware way to boost your productivity
- PERIMETER SCAN: Take the mystery out of network-traffic analysis
Hong Kong readers: meet with me on June 15
By Brian Livingston
For many moons, I’ve wanted to hold a series of free seminars for Windows Secrets readers in various cities of the world.
I don’t really have an entire series worked out yet, but I’m doing kind of a trial run by offering a meeting with newsletter subscribers on June 15 in a single city: Hong Kong.
As you may remember, we gave four lucky readers in 2007 a Fred Langa Housecall — a one-on-one free seminar with our former editor, who wanted to discover the breadth of North America on his motorcycle before retiring from computer writing. We used the locale (country and postal code) that our subscribers had entered on their Windows Secrets preferences page to help decide where on his U.S. and Canada tour Fred would stop.
This year, if I held a free seminar in, say, Manhattan, I don’t know whether 10 or 10,000 readers would show up. So I’ve decided to start small in Hong Kong, a place where we have only about 200 subscribers.
Meeting with Brian Livingston
Sunday, June 15, 2008, 2:00–3:30 p.m.
Excelsior Hotel
281 Gloucester Road (near Causeway Bay metro station)
Hong Kong, PRC
Business Center, 33rd Floor, room number to be announced
(photo courtesy of the Excelsior)
If this little beta test works out, I hope to arrange meetings in future months in California, New York, London, Toronto, Sydney, and elsewhere. Let’s see how this first one goes.
As a seminar, my June 15 meeting is more like a “listening tour.” There won’t be any PowerPoint slides and I’m not selling any products or services. My goal is to learn from Windows Secrets subscribers how they use Microsoft’s operating system and how we can give you better information. It’ll just be me and a few readers, talking.
Considering that Hong Kong can be an expensive place, the Excelsior has offered us a private meeting room at a nominal rate. To guarantee an accurate count, Windows Secrets is collecting for pre-registration just $9 U.S. (about 70 Hong Kong dollars) per person, which is our cost for the tables, chairs, etc.
Yes, I’m sure if I actually knew a soul on the island, I could probably find something cheaper. If I can make future seminars truly free, I will.
Space is limited, and only Windows Secrets Newsletter subscribers may register. (Of course, anyone may subscribe for free to become eligible.) To let me know you’re coming, use the following link by 5 p.m. June 10 Pacific Time/8 a.m. June 11 Hong Kong Time:
Use this link to pre-register
Would you like Windows Secrets to hold a free seminar near you one of these days? Be sure your country and ZIP/postal code are correct in your WS preferences, so we can make plans. Visit your preferences page
Thanks for your support!
Meet Becky Waring, our newest columnist
This week’s newsletter marks the arrival of a new columnist with more than 20 years of experience as a tech writer and editor. Becky Waring (photo, left) will alternate with Scott Spanbauer in writing the Best Software column in our paid content.
Becky has been a frequent contributor to PC World, CNET, USAToday.com, Macworld Magazine, and many other tech publications and Web sites. From 2003 until just a couple of months ago, Becky was executive editor of JiWire.com, a leading Wi-Fi directory service. She also served as editor of New Media magazine.
In the Best Software column, Becky will put new freeware, shareware, and Web services to the test. This week, she tackles file-transfer services and identifies two that are a cut above the competition. As you’ll soon learn from reading her reviews, Becky has a real knack for finding a program’s best and worst features. I know you’ll enjoy her work.
Brian Livingston is editorial director of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books.
Outlook Web Access corrupts HTML attachments
By Scott Dunn
The “Safe HTML” filter in Microsoft’s Outlook Web Access for Exchange Server deletes code from HTML attachments without warning. Microsoft claims the filtering protects users by removing malicious elements, but the deletions can ruin a collaborative project and the “feature” isn’t present in any other Microsoft mail products.
Microsoft Exchange stealth-edits your e-mail
If you use Microsoft’s Outlook Web Access (OWA) to send someone an HTML file, don’t expect them to see any of the file’s comments or scripts. The file you receive may look completely normal, but Microsoft has edited the comments from the file along with other material the company considers dangerous.
It gets worse. According to Microsoft Knowledge Base article 899394, OWA may corrupt the structure of the message, remove some advanced functions, and eliminate other harmless content in the message itself or any attachments.
“Even if an e-mail message appears to be unmodified in Outlook 2003, that same e-mail message may be missing content when you view the message in Outlook Web Access,” the article states bluntly.
You needn’t even view the attachments to have them modified by the service. Merely right-clicking an attachment and saving it to your computer causes the file’s code to be stripped. Microsoft calls this feature of OWA “Safe HTML” filtering.
OWA is a component of Microsoft Exchange Server that provides a browser-accessible version of Microsoft Outlook for anyone who needs to access mail, calendar, and contact info remotely.
The filtering is intended to eliminate malicious scripts and “all potentially unsafe content” from the e-mail messages OWA receives, according to the Knowledge Base. However, as the KB article concedes, some “non-malicious content” may be removed in the process.
The feature was introduced with Exchange Server 2003, but remarks on a forum at MSExchange.org indicate that the filtering is still part of Exchange Server 2007. In one post, a user complains that OWA 2007 is removing JavaScript embedded in his HTML attachments.
It’s annoying enough to have the JavaScript edited out of your HTML files, but it’s difficult to comprehend how HTML comments, which are not executable, could contain malicious content.
HTML comments start with “<!--” and end with “-->”. They cannot contain the characters “--” or “>”. The comments are not visible in a browser unless you view the page source. They can also be seen if you open the file in a word processor or other text or HTML editor.
Such comments allow Web developers to insert instructions, feedback, and other information that may be useful to clients or co-workers. For example, a page’s visual designer could use comments to give coding instructions or feedback to the page’s HTML coder.
If the intended recipient of a comment receives the file via OWA, the page will look normal in a browser, but its HTML code will have no JavaScript or comments at all. OWA provides no warning of the deletion, so the recipient has no idea that the file ever contained any comments.
At least you’d know something is wrong with the file if the e-mail program blocked or deleted the attachment, popped up a warning, or added its own warning comments to the attachment. Simply editing the attachment without warning can be completely misleading to anyone who isn’t aware of this “feature.”
Outlook and other e-mail clients automatically block attachments with certain extensions, such as .js for JavaScript. But in these cases, a warning appears in the mail explaining that the attachment has been blocked.
Safe HTML filtering is found only in OWA. Neither the desktop version of Outlook nor Microsoft’s other mail products (Windows Live Hotmail online and the downloadable Windows Live Mail) edit the content of messages or their attachments. Consequently, users of OWA have no precedent to prepare them for or warn them about this behavior.
Stealth security does customers a disservice
Why would Microsoft create one version of Outlook that differs so significantly from the others? For that matter, why include this feature in only one of the company’s many mail products?
The Microsoft Knowledge Base article states:
- “The filtering in Outlook Web Access for Exchange Server 2003 is more rigorous than the filtering in Microsoft Office Outlook 2003. The reason is that the Outlook Web Access browser interface has more security requirements than the Outlook 2003 interface.”
Unfortunately, the article does not explain why the OWA security requirements need to be stricter than those for Outlook itself. If the browser-based version of Outlook is inherently riskier than the desktop version, why isn’t Safe HTML filtering used in Microsoft’s other Web mail products?
No easy way to preserve your HTML files in OWA
The only workaround offered by the KB article is to post files that you don’t want corrupted to a shared network resource and then send the recipient a link to that location via e-mail.
An alternative is to compress your HTML files into a .zip file prior to sending them as e-mail attachments; OWA does not edit the contents of compressed files.
Of course, people expect the files they send via e-mail to be delivered in the same condition in which the files were sent. If a file can’t be sent for any reason, customers have every right to expect a warning or explanation.
OWA does neither. The service silently edits perfectly safe comments while giving the impression that your e-mail and attachments have arrived in the same state they were sent in.
It’s time for Microsoft to provide clear warnings of this behavior as well as an option for turning the “feature” off.
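Since the filter gives no warning, the only way to notice the edit is to compare the received file with what was sent. The following is an added example, not part of the original article or of any Microsoft tool: it hashes both copies and lists the comments and `<script>` elements missing from the received one. Both sample files are constructed, and the "received" copy only simulates a filtered attachment.

```python
import hashlib
from html.parser import HTMLParser


class CommentScriptInventory(HTMLParser):
    """Collects the text of every HTML comment and <script> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.comments = []
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            # An external script has no body; record its source instead.
            self.scripts.append(body or "[external] %s" % self._src)
            self._in_script = False


def inventory(html_text):
    parser = CommentScriptInventory()
    parser.feed(html_text)
    parser.close()
    return {"comments": parser.comments, "scripts": parser.scripts}


def compare_attachment(sent, received, encoding="utf-8"):
    """Report whether the received bytes differ and which items are gone."""
    report = {
        "sha256_sent": hashlib.sha256(sent).hexdigest(),
        "sha256_received": hashlib.sha256(received).hexdigest(),
        "modified": sent != received,
    }
    before = inventory(sent.decode(encoding, errors="replace"))
    after = inventory(received.decode(encoding, errors="replace"))
    for kind in ("comments", "scripts"):
        remaining = list(after[kind])
        missing = []
        for item in before[kind]:
            if item in remaining:
                remaining.remove(item)   # multiset match: duplicates count
            else:
                missing.append(item)
        report["missing_" + kind] = missing
    return report


# Constructed sample: the file as the sender saved it.
SENT = b"""<html><head><title>Draft</title>
<script type="text/javascript">function toggle(id){ var e = document.getElementById(id); e.style.display = (e.style.display == 'none') ? '' : 'none'; }</script>
</head><body>
<!-- Designer note: keep the banner at 600px -->
<h1>Spring catalogue</h1>
<p>Body text.</p>
</body></html>"""

# Constructed sample: the same file with its comment and script removed.
RECEIVED = b"""<html><head><title>Draft</title>

</head><body>

<h1>Spring catalogue</h1>
<p>Body text.</p>
</body></html>"""

if __name__ == "__main__":
    result = compare_attachment(SENT, RECEIVED)
    print("modified:", result["modified"])
    for kind in ("comments", "scripts"):
        for item in result["missing_" + kind]:
            print("missing %s: %s" % (kind[:-1], item[:60]))
```

The sender has to supply the original file or its SHA-256 digest over a separate channel for the comparison to mean anything.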
Readers receive gift certificates for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.
XP Service Pack 3: not yet ready for prime time
By Susan Bradley
The growing list of XP SP3-related glitches being encountered by users should give pause to anyone thinking of downloading and installing the update. If you’ve kept XP patched from week to week, there’s presently no clear advantage to implementing the OS’s latest service pack, though you’ll want to do so eventually.
When should you install XP Service Pack 3?
Since its initial release a little over a month ago — as I reported in last week’s special news update — XP Service Pack 3 has been plagued with reports of problems among early adopters. Considering that the service pack’s most important enhancements relate to computers on corporate networks, you may be wondering whether you need XP SP3 at all.
It comes down to a question of support: Microsoft supports each service pack for two years following the release of its successor. Thus in the spring of 2010, XP SP3 will be the only XP service pack that Microsoft will support. In addition, Microsoft has stated it will offer free support for those facing XP SP3 installation issues through April 2009.
If you have already installed XP SP3 and haven’t experienced any problems related to AMD processors, Norton AntiVirus’s SystemProtect, or any other service-pack glitch, you don’t need to remove SP3. However, if you haven’t yet installed XP SP3, hold off.
Instead, scroll down the Windows Update page each Patch Watch Tuesday and choose to install updates that do not include XP SP3. I’m starting to hear more reports of SP3-related driver problems. For example, Microsoft’s Knowledge Base article 951822 describes a free hotfix for a problem encountered when using certain models of Citizen or Alps printers after XP SP3 is installed.
Bottom line: if you’ve installed XP SP3 and your PC is working fine, leave it alone. However, if you suspect SP3 has caused your system to act up, remove it via XP’s Add or Remove Programs applet. Finally, if you haven’t installed SP3, it’s perfectly okay to wait until all the wrinkles are ironed out.
A fix for constant XP reboots
If your Windows XP machine keeps rebooting after you install SP3 and it’s not due to the problem with AMD-based systems I reported on earlier, you have a couple of options.
Press F8 just as the system starts and check “Disable automatic restart on System Failure.” If this option isn’t available, reboot, press F8 again, and select the Safe mode option, which loads Windows without certain drivers.
Once Windows opens in Safe Mode, go to the Add or Remove Programs applet in Control Panel and remove XP Service Pack 3. If that stops the reboots, you know your issue is SP3 related and you need to contact Microsoft about it via the links I list below.
If you have one of the offending AMD machines and you’re unable to enter Safe Mode, return to the startup menu by pressing F8 as the system starts and choose the Recovery Console option. Detailed instructions can be found here. When the Recovery Console opens, enter the commands as listed in Jesper Johansson’s blog post on XP SP3.
To get help from Microsoft for problems related to XP SP3, follow one of these links:
Once you’re on one of the above pages, click Select a Product, choose Windows XP, and click one of the options for Windows XP Service Pack 3.
Just remember, there’s no rush to deploy this service pack.
Readers report their own XP SP3-related problems
Following last week’s special edition of the newsletter, Windows Secrets technical editor Dennis O’Reilly heard from many readers who have experienced their own XP SP3 headaches. R. Fraile’s problems were related to his antivirus program:
- “Threatfire caused problems for me. Crashed during the update, but I was able to uninstall it. Tried again without Threatfire and [XP SP3] installed fine. However, when I reinstalled Threatfire, Explorer and Firefox would crash after working for a few minutes, taking the system down and requiring physically pulling the power cord.”
Reader John E. Mrochek wasn’t as lucky in tracking down the source of his XP SP3 woes:
- “I attempted to install SP3 on a Dell Inspiron E1705 laptop with XP Media Center. Four install [attempts] failed on a fully updated XP SP2. No new software was installed previous to the update, disabled AVG antivirus and Zone Alarm.”
Finally, Connie Smith wrote to tell us about the problems she experienced using Microsoft Office 2000 and Internet Explorer 7 after installing XP SP3:
- “At home, Word would only open part way and no documents could be retrieved. I fought it for a week and finally bought Office 2003, which I had planned to do some time this summer anyway. [I] removed Office 2000, installed Office 2003, and all works fine.
“At work, IE 7 won’t close and locks everything up. The only way around it is to minimize [the program] and close down. Task Manager has been no help, as it shows IE is not running when the screen shows a partial image or full page but [is] locked up. I haven’t found an answer for that yet.”
Old Flash versions may be vulnerable to attack
When you click this link, if it says anything other than “9.0.124.0” under “Version Information,” go to this page and download the latest version of Adobe’s Flash player.
Be sure to uncheck the option to download the Google Toolbar, which is prechecked for your “convenience” whether you want this toolbar in your browser or not.
There was a lot of discussion earlier this week about whether people using an earlier version of the Flash player were vulnerable to a possible “zero day” attack, as reported initially by Symantec. Later it was determined that as long as you have the latest version, you are safe.
Older versions of the player risk getting hit by malicious advertisements. To check whether you have a version of Flash that is vulnerable, visit Adobe’s test page to ensure that yours is version 9.0.124.
Note that Windows XP SP3 will reinstall an older version of the Flash player, as stated in this Incidents.org diary entry. However, if you have installed the latest version 9.0.124 beforehand, SP3 will not make the older version of the player the default on your system.
It’s a bit confusing right now trying to determine whether a specific PC is or isn’t vulnerable to a malware attack, but the tests above should ensure that the system has the patched Flash version.
Vista’s application compatibility improves
Vista Service Pack 1 was released several months ago, but the monthly application compatibility patches for Vista continue. In fact, one patch that was released last month helped me out at the office.
Knowledge Base article 894199 lists all the Vista patches released as of the end of May. The fix that caught my eye was the Application Compatibility Update for Vista and Windows Server 2008, KB 947562, which blocks older versions of Web Spy Sweeper and enhances compatibility with the RealVNC Server remote-control software.
I use RealVNC Server to control my Macintosh computer remotely from my Windows Vista PC, so I was glad to see that update.
None of the patches that were released at the end of May caused any major headaches or hiccups that I’m aware of. Unfortunately, we can’t say the same about XP SP3.
Readers R. Fraile, John Mrochek, and Connie Smith will each receive a gift certificate for a book, CD, or DVD of their choice for sending letters we printed. Send us your tips and comments via the Windows Secrets contact page.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
You want me to spell what?
As exciting television goes, spelling bees aren’t more than a notch or two above watching Congressional debates on CSPAN. They may lack the grimaces of mixed-martial-arts contestants, but in recent years the pre-teen contestants of the Scripps National Spelling Bee have supplied some high-level drama — and hilarious bloopers.
This year, the 13-year-old champion Sameer Mishra shows just how important it is to ask the word’s language of origin. “Can you use that in sentence please?”
Transfer mammoth files reliably for free
By Becky Waring
File-transfer services make it easy and relatively reliable to exchange multi-gigabyte files with family, friends, or co-workers. Xdrive and TransferBigFiles top the list of free file-transfer services, though each of the two imposes some limitations.
The challenge: transfer a 2GB video file
It all started innocuously enough. I simply needed to exchange a high-definition video file with a friend. Even zipped, the file was 2.4GB.
Forget e-mail. Gmail is the most generous Web-mail service for attachment size, but it tops out at 20MB. And YouSendIt’s free file-transfer service — which I frequently use and highly recommend for midsize transfers — maxes out at 100MB per file. My high-def file was more than 20 times that size.
It turns out the biggest obstacle to sending big files is not finding a free service to store them; it’s uploading the files in the first place. That 2.4GB file we wanted to exchange takes about 7 to 14 hours to transfer over a typical broadband connection (which often has an upload speed of just 384 to 768 Kbps, a fraction of its average download rate).
At first, my friend and I tried transferring the files directly between us via AOL Instant Messenger’s Send File feature. Knowing how long it would take, we started the transfer at night and hoped it would be done in the morning. The transfer wasn’t quite finished when I started work the next day, and I accidentally closed the AIM chat window, which aborted the process.
We made another attempt via AIM that evening, only to get a transmission error somewhere in the middle that again foiled the whole thing. Ultimately, we resorted to FedEx.
But now I was on a mission to find free services that could securely send and receive files of at least 300MB and, just as importantly, had a reliable resume feature for paused or interrupted uploads.
The pros and cons of the top two services
The hands-down file-transfer champ is AOL’s free Xdrive service, which requires only an AOL or AIM account. Xdrive offers 5GB of free storage and transfers single files as large as 2GB. You can upload files directly from the Xdrive site or use a desktop client to make the move.
I got the best transfer results using Xdrive’s Java applet running in Internet Explorer. Java enables a special upload accelerator that compresses files and resumes broken connections automatically.
By contrast, Xdrive’s beta desktop client was unreliable: It frequently dropped connections and offered no progress indicator for downloads. The desktop version also requires that you install the Adobe Integrated Runtime (AIR) environment for so-called rich Internet applications.
Once your files are uploaded, you select the document(s) on your Xdrive that you want to share with others and then e-mail them a download link. You can share entire folders and apply varying permissions: read, write, modify, delete, etc. (see Figure 1).
Figure 1. Sharing files with more than one person at a time is simple using Xdrive’s e-mail options.
Xdrive provides direct access to your AOL address book, which makes it easy to send files to multiple recipients at one time. Perhaps the best thing about Xdrive is that you can store the files for as long as you like. With most file transfer services, your uploaded files are deleted from the server after a week or so.
The only real downside to Xdrive is the service’s 5GB storage limit. If you want to send a number of files that, when combined, are larger than 5GB, try our runner-up transfer service, TransferBigFiles.
Along with the lack of an overall storage limit, TransferBigFiles is also easier to use than Xdrive. However, the service limits individual files to 1GB.
You don’t even need to sign up for an account to transfer files directly from the TransferBigFiles site. Still, I prefer to use the service’s handy DropZone utility, which you access via a system-tray icon. DropZone lets you drag and drop the files you want to transfer at any time. You can also queue multiple files for upload and resume after broken connections.
Another advantage of DropZone is that it lets you designate the recipient(s) at the same time you start the upload; with Xdrive you must first upload the file, and then send download links to the recipients.
Your files are saved on the TransferBigFiles servers for 10 days if you use DropZone, but for only five days if you transfer the files via your browser. I recommend using Internet Explorer to download the files; when I used Firefox to test the download service, some files failed to save properly.
While neither Xdrive nor TransferBigFiles will speed up your Internet connection — a 2.4GB file will still take all night to upload — they do take much of the pain out of the transfer process. Two features in particular make them worthwhile: they resume uploads after dropped connections, and they make sharing files with multiple recipients safe and easy.
The also-rans can’t accommodate monster files
I investigated at least a dozen services before narrowing the list to the two best candidates above. The major disqualifier was file-size limits: the free versions of YouSendIt and WikiSend restrict files to 100MB or less. That’s nowhere near large enough for my video files.
Several other file-transfer services looked like good bets until I tried them out. Pando has a 1GB-file size limit and offers unlimited uploads and a reliable suspend/resume feature. However, the service requires that the recipient download and install client software; all the other services simply send download links to your recipients.
More egregiously, the Pando installer is rife with crapware that you need to decline to avoid having it installed automatically on your PC.
Another service that seemed promising was Driveway, which limits files to 500MB and features a handy upload utility. However, I experienced too many problems with dropped connections and misguided links to half-uploaded files.
Similarly, the free version of SendSpace, which has a 300MB-file size limit and a highly capable transfer-management utility, looked great until I tried to download a file. Unfortunately, downloads are throttled to just 400 Kbps unless you have a paid account. Scratch that.
Becky Waring has worked as a writer and editor for PC World, NewMedia Magazine, CNET, The San Francisco Chronicle, Technology Review, Upside Magazine, and many other news sources. She alternates the Best Software column with Windows Secrets contributing editor Scott Spanbauer.
The hardware way to boost your productivity
By Woody Leonhard
You might think that my favorite PC timesaver would be a souped-up computer, a super-secret utility, or a settings tweak that makes Windows run at warp speed. Nope. The tool that speeds my workday like no other is my ancient, indestructible Northgate keyboard — and while these babies have been out of production for years, I know how you can get your hands on a close approximation.
The saga of the perfect keyboard
In my column on May 8, I described how to reassign the keys on your keyboard. Many people use this trick to disable the obnoxious Caps Lock key. Some take the next step and reposition their Ctrl key back to the left of the A key, where the Ctrl-key gods intended it to be.
That column also mentioned my ancient Northgate OmniKey keyboard. I was thrilled to hear that many of you also swear by this antique beast. And therein lies a $200 tale.
Way back in the annals of computer prehistory (also known as the mid-1980s), Windows was just a gleam in some Xerox engineer’s eye and keyboards ruled the roost. There weren’t many mice outside user-interface labs, so there wasn’t any way to click File, Save to save a file, for example.
Instead, you saved a file by pressing a bizarre sequence of keys, such as Esc+T (for “Transfer,” of course) and then S (as in “Save”). If you were really clever and could remember such things, you pressed the Ctrl+F12 key combination to perform the same operation with one fewer keystroke.
In those days, consumers paid attention to keyboards. If you hit the Esc key a thousand times a day — not outside the realm of possibility — it was important that your Esc key didn’t stop working, fall off, or get worn down to a tiny plasticine blob — also not outside the realm of possibility.
Mail-order PC companies were springing up like dandelions in springtime those 20-plus years ago. Dell, Gateway, and a few other of these vendors eventually became household names (as in “There goes my %$#@ Dell again!”). Other new tech vendors such as Northgate and Zeos tanked, even though theirs were among the best PC products available.
Northgate took great pride in the quality of its PCs, and the company’s commitment to first-rate tech hardware was also evident in the fine keyboards that shipped with all its systems.
It didn’t take long for Northgate to figure out that people would pay handsomely for the company’s keyboards. The Northgate OmniKey series became the keyboard of choice for serious typists, regardless of whose PC they bought. Northgate continued to sell its keyboards long after its PC business hit the skids.
Building a better keyboard, one key at a time
What makes the Northgate OmniKey so special? First, the keyboard weighs in at almost five pounds. Its “Alps” key switches — the gizmos underneath the keys themselves — are rated for 10 million pushes. I bet most of Northgate’s switches can stand up to ten times that number of presses, and I should know because I’ve pushed at least that many Alps switches over the years.
By the way, the switches are named after Alps Electric Co., an electronics manufacturer founded in Japan in 1948. Alps Electric made its first keyboard switches in 1966. The company now has offices all over the world and employs more than 6,000 people.
If you’re a two-finger typist, the OmniKey may not impress you. However, if you play your keyboards eight, nine, or ten fingers at a time, trying your first OmniKey rates as a religious experience.
Every time you press a key, you know darned good and well that it’s pressed — there’s strong tactile feedback and a very audible “click” sound. The key springs back immediately, ready for repeated action. Standard keyboards — even expensive ones — are like typing in mashed potatoes by comparison.
OmniKeys don’t last forever; it just seems like they do. The top of the keyboard is heavy, molded plastic and the bottom is metal. All four of my OmniKeys take all the abuse I can heap on them, requiring only the occasional tune-up at Bob Tibbetts’s Northgate Keyboard Repair shop located in upstate New York.
The best alternative to the long-gone OmniKey
You can’t buy a new OmniKey anymore — all of the models have been out of stock for years. Used OmniKeys are listed on eBay from time to time, and Bob Tibbetts gets a few of the pre-owned models in stock now and then. Still, used OmniKeys are not easy to find, and they’re expensive when you do find a good one for sale.
All is not lost, however. Creative Vision Technologies worked with the OmniKey’s designers to create a worthy successor: the Avant.
Avant keyboards come in two sizes. The 104-key Avant Prime has function keys across the top rather than on the side; it lists for $149. I prefer the 116-key, $189 Avant Stellar, which has function keys on both the top and the left side.
Some keyboard purists feel that the Avants don’t live up to the OmniKey ideal. For example, the letters on the Avant key caps are printed, while those on the OmniKey are embossed into the key caps themselves. This isn’t a huge deal until you press a key 10 million times or so.
Still, people who tear apart keyboards for a living tell me that the inside of an OmniKey is clearly superior to the guts of Avant models. All I know for sure is that my two Avant keyboards have been working just fine for many years.
Like Northgate’s OmniKey, the Avants ship with software that lets you rearrange your key layout. However, I prefer the software I described in my last column — RandyRants’ SharpKeys, which covers all the bases. SharpKeys also prevents you from having to rework the innards of the keyboard itself.
If you’re looking for a long-lasting gift for a PC-using dad or grad this June, consider a peripheral they could still be tapping on 20 years from now. If people are still using keyboards in 20 years, that is.
Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Take the mystery out of network-traffic analysis
By Ryan Russell
The free TCPView utility shows which programs are responsible for which network connections. Free up bandwidth and stay safe by identifying the network links that you don’t need or that jeopardize your security.
Identify the apps that are reaching out
In my Apr. 24 column, I mentioned in passing Microsoft’s free TCPView utility (developed by Sysinternals), which displays all the network connections made to and from your computer and identifies the program responsible for each connection.
Suppose you find some interesting network traffic by using Wireshark, the packet-monitoring utility I described in the previous column, and you wonder which program is responsible for the transmission. Since Wireshark works at the network-driver level, the monitor has no idea which program is generating which packets.
In some cases, the source will be obvious from the traffic. For example, many ports are assigned to specific purposes. If a computer has connected to yours at port 1433, it’s a fairly safe bet that SQL Server is responsible for the connection, since the program is assigned to that port.
However, you probably have dozens of programs installed on your computer that are HTTP clients and thus use port 80. These include not only the obvious Web browsers but also any self-updating programs such as media players, games, and many Office-type applications. How do you know which program initiated the network session? TCPView can show you.
Link a program to its network connections
Unlike most other network-monitoring utilities, TCPView is simple and single-purpose. The program displays everything you need to see in one window, and you probably won’t need to change the utility’s default settings (see Figure 1).
Figure 1. TCPView shows you the program behind the network link.
The Process column tells you the name of the program initiating the connection, which is the information you’re after most of the time. If you see suspicious traffic in Wireshark or another packet-monitoring program, note its IP addresses, port numbers, and protocol. Open TCPView and use the information from the packet monitor to identify the program.
About 95% of the time I use TCPView to track down the app behind a connection, I think to myself, “Well, that explains it” and leave things as is. The rest of the time, I decide that the program in question doesn’t need to be dialing out and shut it off. On rare occasions I find something really wrong, such as an active piece of malware that needs to be removed from the computer.
The program’s network-monitoring blind spots
TCPView is a live view, which means the information it displays eventually vanishes from the screen. If you don’t act fast, you may not see your active network ports listed. TCP connections stick around in a waiting state for a short period of time after they close, so you usually have a minute or two to identify them.
Also, the program seems to monitor only TCP and UDP connections. If you open a command prompt and ping an IP address, the connection will not show in TCPView’s window. This is usually a problem only if something really stealthy is communicating via a custom protocol.
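The lookup described above, as an added example that is not part of the original column: it matches a flow noted in a packet capture against `netstat -ano` and `tasklist /fo csv /nh` output, the command-line counterparts of TCPView's columns, and handles connections that have already closed. The sample output, addresses, PIDs and process names are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1433      192.168.1.55:50112     ESTABLISHED     1820
  TCP    192.168.1.20:49731     203.0.113.10:80        ESTABLISHED     4312
  TCP    192.168.1.20:49732     203.0.113.10:80        TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    2276
"""

# Constructed sample of `tasklist /fo csv /nh` output (names are made up).
TASKLIST = '''\
"sqlservr.exe","1820","Services","0","210,448 K"
"updater.exe","4312","Console","1","18,204 K"
"mdnsresponder.exe","2276","Services","0","3,112 K"
'''

def parse_netstat(text):
    """Return one dict per TCP/UDP row, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column; the PID is always the last field.
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        rows.append({"proto": f[0], "local": f[1], "remote": f[2],
                     "state": state, "pid": int(f[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from quoted CSV rows."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if r}

def owner_of(flow, conns, procs):
    """flow = (proto, local 'ip:port', remote 'ip:port') as noted in the capture."""
    proto, local, remote = flow
    for c in conns:
        if (c["proto"], c["local"], c["remote"]) != (proto.upper(), local, remote):
            continue
        if c["pid"] == 0:
            # Windows lists TIME_WAIT sockets under PID 0: the owner has closed.
            return "closed (TIME_WAIT): owner no longer recorded"
        return procs.get(c["pid"], f"unknown process, PID {c['pid']}")
    return "no matching TCP/UDP endpoint (gone, or not TCP/UDP)"
```

Because a closed connection no longer carries its owner's PID, run the lookup while the flow is still active in the capture.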
One final bit of strangeness: on my XP system, a number of outbound HTTP connections claimed to be coming from [System Process]:0. This worried me a little bit.
However, by monitoring traffic and applying the process of elimination, I discovered that the links were established by the iGridd Java applet for solving Griddlers logic puzzles. Griddlers are an entertaining — and harmless — waste of time. It would appear that Java does something a little funny with its network communications.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2023 AskWoody LLC, All rights reserved.
