Find out if programs are connecting to the Internet
Depending on how you have set up your system, all, some or only select applications and programs may connect to the Internet or local network resources. The "allow all" approach in particular runs the risk that programs establish Internet connections that you would not want them to make if you knew about them.
I revealed yesterday how Firefox add-ons may transfer data to servers without your knowledge and was asked to write a guide about how to detect these connections. While you could check the log of your firewall to find out about that, or configure your firewall to block all outgoing connections but those that you allow, it may sometimes be easier to use third-party tools that provide you with a quick overview of what's going on at that time on your system.
I'd like to review two programs for that purpose, and link to a third that I reviewed in 2008.
CurrPorts
CurrPorts by Nirsoft is a free portable program for 32-bit and 64-bit versions of Windows that can display all open ports on the system when it is run or refreshed. It is not a real-time scanner, only a program that displays all open ports and connections at the time the system was scanned by it.
All you have to do is download, unpack and run it on your system to get a listing of all processes, their connections, ports and servers they are connected to.
You can click on the refresh button to run a new scan any time you want to. This may be useful if you have started a program after you ran CurrPorts and want the program to scan its connections as well.
You can drag and drop table headers in the program. I have moved the remote host and remote address information to the left, for instance, as they provide me with direct information about the remote servers that processes are connected to. You can also sort the listing with a click on a column header.
Check out our detailed review of CurrPorts here, and if you are looking for an alternative, try Close The Door instead. There you also find download links listed.
NetBalancer Free
The second program is a real-time monitor of traffic on a Windows system. The free version of NetBalancer is sufficient for monitoring all processes and their connections. Once you have started the program on the PC you will see a list of processes at the top, their current upload and download bandwidth, and the overall upload and download bandwidth they have used.
If you see data listed in the downloaded or uploaded fields you know that the process has made connections. It is a good idea to run the program in the background for some time to get a good reading on all programs you use on a daily basis.
You can click on any process listed here to have its current connections displayed at the bottom right. Here you see all remote IP addresses and protocols it has established connections to.
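The difference between a one-time snapshot and a real-time monitor can be approximated with PowerShell's built-in Get-NetTCPConnection cmdlet. The script below is an added example, not part of either reviewed program; the function names Get-OutboundSnapshot and Watch-NewConnections are made up for this illustration, and it assumes Windows 8 / Server 2012 or later.

```powershell
# Added example: poll the TCP table and print each process/remote endpoint
# pair the first time it is seen. Function names are hypothetical.
function Get-OutboundSnapshot {
    # One point-in-time listing of established connections, loopback excluded
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            # The owning process may have exited between the two calls
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process       = if ($proc) { $proc.ProcessName } else { '(exited)' }
                ProcessId     = $_.OwningProcess
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        }
}

function Watch-NewConnections {
    param(
        [int]$IntervalSeconds = 2,
        [int]$Iterations = 30
    )
    # Remember every process/address/port combination already reported
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    for ($i = 0; $i -lt $Iterations; $i++) {
        foreach ($c in Get-OutboundSnapshot) {
            $key = '{0}|{1}|{2}' -f $c.Process, $c.RemoteAddress, $c.RemotePort
            if ($seen.Add($key)) {
                '{0:HH:mm:ss}  {1,-25} PID {2,-6} -> {3}:{4}' -f (Get-Date),
                    $c.Process, $c.ProcessId, $c.RemoteAddress, $c.RemotePort
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Watch for one minute, polling every two seconds
Watch-NewConnections -IntervalSeconds 2 -Iterations 30
```

Because this polls, a connection that opens and closes between two polls is missed, and UDP traffic is not listed at all. Run it from an elevated prompt if processes owned by other users should be resolved to names.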
Block Processes from making connections
If you have identified a process using one of the tools that established connections even though it should not have done so, you have a couple of options to resolve the issue. The first option is to uninstall the program from the system. Maybe there is an alternative available that is not connecting to servers when it's run.
You can naturally also try and block all outgoing traffic of the program. This can sometimes render the program useless, so keep that in mind. You can use NetBalancer free for that too, but the free version is limited to three processes only. An alternative would be to configure your firewall to block outgoing connections for selected processes.
If you are using Windows Firewall, you may find Windows Firewall Notifier useful as it displays connection attempts to you giving you the chance to evaluate them and either block or allow the connection afterwards.
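Blocking outgoing connections for a selected process in Windows Firewall can also be done from PowerShell. The following is an added example and not part of any of the tools mentioned; the function name Block-ProgramOutbound and the executable path are hypothetical, and it assumes an elevated prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example: create an outbound block rule for one executable.
# Block-ProgramOutbound is a hypothetical helper name.
function Block-ProgramOutbound {
    param(
        [Parameter(Mandatory)][string]$ProgramPath
    )
    if (-not (Test-Path -LiteralPath $ProgramPath -PathType Leaf)) {
        throw "Executable not found: $ProgramPath"
    }
    # The rule matches on the full path, so normalise it first
    $full = (Resolve-Path -LiteralPath $ProgramPath).Path
    $name = 'Block outbound - {0}' -f (Split-Path -Leaf $full)

    # Return the existing rule instead of creating a duplicate
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    New-NetFirewallRule -DisplayName $name -Direction Outbound `
        -Program $full -Action Block -Profile Any -Enabled True
}

# Hypothetical path; replace it with the executable identified earlier
$rule = Block-ProgramOutbound -ProgramPath 'C:\Program Files\ExampleApp\example.exe'

# Confirm which executable the rule applies to
$rule | Get-NetFirewallApplicationFilter | Select-Object Program

# To undo the block later:
# Remove-NetFirewallRule -DisplayName $rule.DisplayName
```

The rule is tied to the executable's path, so a copy of the program installed or updated into a different folder is not covered by it. In Windows Firewall a block rule takes precedence over an allow rule for the same traffic.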
How about Windows’ built in Resource Monitor?
If you prefer CurrPorts, do not forget to download GeoLite City. Just extract to CurrPorts folder.
http://dev.maxmind.com/geoip/geolite
I think Process Hacker (Network tab) is also useful for this task. If you use Process Explorer from Microsoft instead, there is a TCP/IP tab when you right-click a process and select properties. It doesn’t show the whole information in a grid though, like Process Hacker or the tools reviewed by Martin.
On laptop, I use Networx portable, find it accurate but its netstat doesn’t give balloon/audio alerts to device access, so I also use Nir’s “Wireless Watcher” which does do that in if set to constant scan it detects even brief connection by another device(s)…still have to pull up Networx netstat if something unusual seems running from within. Your tips sound equally good where something like Comodo firewall can’t be used.
I loved the extensibility of CF, and way you could sandbox/be notified of all outbounds, but my Windows 7 Home Premium 64 bit on an Acer Aspire notebook is one of those that builds into random BSODs due to CF driver “inspect.sys”, so can’t use it or ZoneAlarm. Making even home network “Public” seems to at least stealth inbound ports and stop discovery of Netbios, but it’s hard to trust this way some new bootkit won’t get past AV and do damage before it’s discovered. Will check into Windows Firewall Notifier, thanks again for tip!
@JoJo: Security software tends to lock USB Storage Devices.
Although not exactly what you are asking for, you could be interested in another utility from NirSoft: USBDView available at http://www.nirsoft.net/utils/usb_devices_view.html
hello,
nice program, but I wonder if anyone can help me with this request (similar but related to USB), is there a software to be used to see what program or process is using what USB port? like which is accessing the USB Stick or the Portable HDD?
Working for several hours with HDD connected to USB and then closing all related software still didn't release the HDD from being “Safely Removed”.
Thank you
I have also found the Free Portable version of Networx to work very well also. It has a realtime monitoring option under Netstat.
Windows Firewall Notifier requires .net framework.
Comodo firewall gets to the top end of most lists at ability to block everything properly, but the gui is a bit nasty. The new comodo is slightly better in some respects but everything has been shuffled around. These days it tends not to freeze apps while prompting for user input to allow or block traffic, which caused problems for a few.
I clicked on your Windows Firewall Notifier link, downloaded it and tried to use it. It requires .net framework which I do not have. I appreciate free programs, but wish developers would tell you such things beforehand.
I had a good laugh at “Windows Firefox”. Firewall, of course.
Ha, sorry for that. Corrected.
TCPView by Sysinternals might be worth mentioning too :)
Cheers
I totally agree with imu, TCPVIEW is the most efficient and lightweight tool to monitor TCP/IP Connections