John (Veteran), posted May 23, 2005

> BTW if Microsoft can get around the system file warning during updates so could a virus.

Do you know how hotfixes "get around" it? :rolleyes:

They install files with higher version numbers that are digitally signed by Microsoft, that is the key. If the file is signed, it will be accepted by Windows File Protection. If it is a higher version number, Windows will allow it to install without asking the user. If it's a lower version, Windows might prompt you about it or might simply refuse the file. It's not really possible for a virus to create a file signed by Microsoft, so that's not going to happen.

em_te, posted May 23, 2005

> Or it could simply replace the file outright and lock the system up, forcing a reboot. Once a virus has full system control there is not much it cannot do.

It depends on the type of virus. If it's something like the Slammer virus, which only resides in memory, then it won't survive a reboot. That's already one class of viruses which this protects against.

And if the virus is written in a scripting language like HTA viruses are, then it's going to be a lot harder to write all that code to "patch" the connection limit using the file manipulation libraries available in scripting languages. Most scripting languages only allow basic file editing and nothing to interface with WFP. So there's another class of viruses which will be hindered.

Mastertech, posted May 23, 2005

How long has Windows XP had Digital Signatures and WFP? Yet systems are still infected? :whistle:

John (Veteran), posted May 23, 2005

> How long has Windows XP had Digital Signatures and WFP? Yet systems are still infected? :whistle:

You misunderstand. What I posted was what a virus would have to go through in order to change the limit imposed by SP2. Digital signatures and Windows File Protection aren't meant to stop viruses. Only antivirus software (and a somewhat intelligent user) can prevent/stop viruses.

Mastertech, posted May 23, 2005

I'd rather not bet on what virus writers would or would not have to do.

John (Veteran), posted May 24, 2005

> I'd rather not bet on what virus writers would or would not have to do.

Why? So you can be totally unprepared for a new, innovative virus?

Mastertech, posted May 24, 2005

Bet on as in I don't gamble. I run a firewall, keep my AV current and apply all security patches ASAP.

ckozlowski, posted June 13, 2005

I thought I'd add to this as I have found a good reason for the patch. It seems that when doing vulnerability scanning, using something such as Nessus or Harris STAT, having the patch does slow things up, since the scanners usually do exactly what the patch prevents: open numerous TCP connections without waiting for a reply. I noticed a marked improvement in my scanning times after applying the patch, since the scanner is testing machines that may or may not be there. (Hence all of the open TCP sessions....) I first found this using Harris STAT.

I figured this might be helpful for some of you who are sys admins out there and do vulnerability scanning over a LAN. I've run this patch on my work machine but no others, and I have not seen those event log entries while running BitTorrent, etc. I'd have to agree with most everything that has been said in this thread, and as such I only have the patch on my work machine.

Mastertech, posted June 15, 2005

FYI one of the latest updates resets the limit to 10. I'm guessing this one "Cumulative Security Update for Internet Explorer (883939)".

John (Veteran), posted June 15, 2005

Any and all new versions of tcpip.sys will have a hard coded limit, unless Microsoft changes their policy on this. That means that any updates that include newer versions of the file will break your hacks.

Slimy, posted June 18, 2005

^ New hacks will be made. That's life.

Mastertech, posted June 18, 2005

In this case you need nothing new and can just use the same one.

Beastage, posted June 21, 2005

What a pointless arguing thread... I just have 2 things to say:

1. The TCP/IP patch improves your file sharing
2. The TCP/IP patch increases your system vulnerability to worms/viruses

Let the people decide what they want and stop convincing each other with opinions.

jamend, posted June 21, 2005

> What a pointless arguing thread... I just have 2 things to say:
>
> 1. The TCP/IP patch improves your file sharing
> 2. The TCP/IP patch increases your system vulnerability to worms/viruses
>
> Let the people decide what they want and stop convincing each other with opinions.

The thread is obviously not pointless because you still don't understand what the patch does. #2 is completely wrong; you will not be more vulnerable to worms or viruses if you apply the patch. However, and as has already been said many times, your computer will infect more computers faster with a virus that you get.

mocax, posted July 5, 2005

Will this tcpip limitation affect hosting online games? E.g. I wanna host a 16 player UT2K4 game, will 6 players just drop off the server?

And how about running a web server like Apache on a WinXP machine? Will the number of connections be nerfed so that it can serve only 10 web clients simultaneously?

Is Windows 2000 affected too?

Mastertech, posted July 6, 2005

If you are running any internet server related applications it is recommended to install this fix. I believe it is only on Windows XP SP2 but you can run the utility on Windows 2000 and then look at the connection limit.

NapsterDandune, posted July 8, 2005

So I shouldn't install SP2 on my new computer then??

Mastertech, posted July 8, 2005

No, you should definitely install SP2, just afterwards apply this fix.

The_Decryptor (Veteran), posted July 8, 2005

> Will this tcpip limitation affect hosting online games? E.g. I wanna host a 16 player UT2K4 game, will 6 players just drop off the server?
>
> And how about running a web server like Apache on a WinXP machine? Will the number of connections be nerfed so that it can serve only 10 web clients simultaneously?
>
> Is Windows 2000 affected too?

No, this feature in XP SP2 limits your computer to only have 10 half-open connections at one time, so you could still have 16 players, or serve a few hundred people on a web server, you just can't have half-open connections.

Say, if you have 30 half-open connections, it will limit you to 10, but if 5 suddenly become fully open, it will let 5 of the 20 remaining connections be opened, so in the end, all those 30 connections will become open if they can (e.g. the computer is there).

Basically, no need to install this patch, unless for scanning subnets or the like, where you need a lot of half-open connections quickly.

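Added example, not part of any post in this thread and not Windows code: a simplified model of the behaviour The_Decryptor describes above, where at most 10 outbound connection attempts may be half-open at once and further attempts wait for a free slot. The `simulate` function, the abstract tick unit and the sample durations (1 tick for a host that answers, 20 for an address that never does) are assumptions made for illustration.

```python
from collections import deque

HALF_OPEN_LIMIT = 10  # the SP2 figure quoted in the thread


def simulate(durations, limit=HALF_OPEN_LIMIT):
    """Model outbound connection attempts under a half-open cap.

    durations: for each attempt, how many ticks it stays half-open
               (handshake time for a live host, timeout for a dead one).
    limit:     max attempts half-open at once; None means no cap.
    Returns (ticks_until_all_resolved, peak_half_open).
    """
    waiting = deque(durations)   # attempts queued behind the cap
    half_open = []               # ticks left for each attempt in flight
    ticks = peak = 0
    while waiting or half_open:
        # Admit queued attempts while a slot is free.
        while waiting and (limit is None or len(half_open) < limit):
            half_open.append(waiting.popleft())
        peak = max(peak, len(half_open))
        ticks += 1
        # Attempts whose time is up either connect or time out; both
        # stop being half-open and release their slot.
        half_open = [t - 1 for t in half_open if t > 1]
    return ticks, peak


# Constructed inputs (assumed durations, abstract ticks).
LIVE, DEAD = 1, 20
thirty_live_peers = [LIVE] * 30    # the "30 connections" case from the post
subnet_sweep = [DEAD] * 250        # scanner probing addresses with no host

if __name__ == "__main__":
    for name, load in (("30 live peers", thirty_live_peers),
                       ("250 dead addresses", subnet_sweep)):
        capped = simulate(load)
        uncapped = simulate(load, limit=None)
        print(f"{name}: capped={capped} uncapped={uncapped}")
```

In this model the cap costs attempts to answering hosts only a couple of ticks, while a sweep of silent addresses takes 25 times longer, which is the scanning slowdown ckozlowski reports earlier in the thread.
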
mocax, posted July 11, 2005

So I can assume a WinXP SP2 machine running Apache web server and MySQL won't be affected by this limitation? Since the machine won't be scanning anything, just responding to requests.

The_Decryptor (Veteran), posted July 11, 2005

Yeah, this limit is only there to slow down a flood of half-open connections.

Web servers don't open tons of half-open connections; they open one connection per client (and these become fully open quickly; the half-open connections stay half-open for a few seconds).

Also, Apache talks directly to MySQL, so it won't be affected at all by this limit.

Mastertech, posted July 11, 2005

If you are receiving any 4226 errors in your event log I would definitely patch it.

freak_power, posted July 15, 2005

I never read event viewer. I found it as useless crap...

Mastertech, posted July 15, 2005

Event Viewer is surprisingly effective when you have a problem, but randomly looking at it, I agree, is pointless.

AgEnTsMiTh, posted July 15, 2005

Edit... never mind I figured it out. The patch really does nothing to help your p2p downloads. I investigated it myself and honestly, this is a lot of fuss for nothing. You can do everything you wanted just fine. At least this is the case for me.