Installation manual

ManualsBrandsESET ManualsSoftwareMAIL SECURITY 4 - FOR MICROSOFT EXCHANGE SERVER 2000-2003-2008

101

102

103

104

105

106

107

108

109

110

106

4.6.4.2 Structure of the Service script

In the first line of the script’s header, you can find information about the Engine version (ev), GUI version (gv) and

the Log version (lv). You can use this data to track possible changes in the .xml file that generates the script and

prevent any inconsistencies during execution. This part of the script should not be altered.

The remainder of the file is divided into sections in which items can be edited (denote those that will be processed

by the script). You mark items for processing by replacing the “-” character in front of an item with a “+” character.

Sections in the script are separated from each other by an empty line. Each section has a number and title.

01) Running processes

This section contains a list of all processes running in the system. Each process is identified by its UNC path and,

subsequently, its CRC16 hash code in asterisks (*).

Example:

01) Running processes:

- \SystemRoot\System32\smss.exe *4725*

- C:\Windows\system32\svchost.exe *FD08*

+ C:\Windows\system32\module32.exe *CF8A*

[...]

In this example a process, module32.exe, was selected (marked by a “+” character); the process will end upon

execution of the script.

02) Loaded modules

This section lists currently used system modules.

Example:

02) Loaded modules:

- c:\windows\system32\svchost.exe

- c:\windows\system32\kernel32.dll

+ c:\windows\system32\khbekhb.dll

- c:\windows\system32\advapi32.dll

[...]

In this example the module khbekhb.dll was marked by a “+”. When the script runs, it will recognize the processes

using that specific module and end them.

03) TCP connections

This section contains information about existing TCP connections.

Example:

03) TCP connections:

- Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe

- Active connection: 127.0.0.1:50007 -> 127.0.0.1:50006,

- Active connection: 127.0.0.1:55320 -> 127.0.0.1:30606, owner: OUTLOOK.EXE

- Listening on *, port 135 (epmap), owner: svchost.exe

+ Listening on *, port 2401, owner: fservice.exe Listening on *, port 445 (microsoft-ds), owner: System

[...]

When the script runs, it will locate the owner of the socket in the marked TCP connections and stop the socket,

freeing system resources.

04) UDP endpoints

This section contains information about existing UDP endpoints.

Example:

04) UDP endpoints:

- 0.0.0.0, port 123 (ntp)

+ 0.0.0.0, port 3702

- 0.0.0.0, port 4500 (ipsec-msft)

- 0.0.0.0, port 500 (isakmp)

[...]

When the script runs, it will isolate the owner of the socket at the marked UDP endpoints and stop the socket.