224.0.0.22 from many different non-network programs
Hi.
I have been having a similar problem for the last few months and after lots of googling I have found very little in the way of answers to the aforementioned problem.
I'm going to try to restate the case a little, to address many of the issues people have brought up all over the Net. One thread blamed Lexmark for trying to dial home and, as much as I don’t like Lexmark engineers, because I have to repair the printers for a living, I don’t blame Lexmark because I believe something else is going on.
I installed Sygate Personal Firewall (free version) and it pops up a message to let me know:
ANYPROGRAM.EXE (anyprogram.exe) is trying to broadcast to [224.0.0.22]. Do you want to allow this program to access the network?
Now, I use the name anyprogram.exe, but I have seen this pop-up for MANY programs that have no business whatsoever accessing the network. The message I have up on my screen at the moment shows NTVDM.EXE is trying to broadcast to 224.0.0.22. Earlier my Klik & Play Pachinko for Win95 did it.
Now the protocol that is being used is IGMP and the address is, correctly, noted as being internal to the network. My concern is this:
If I was a naughty and smart virus writer, I would want to infect as many PCs as possible. I would probably do this through multiple infections using different applications. So, one part of the virus might simply open a few doors to allow access to other virii. Once granted access, other virii might acquire more access allowing more malicious virii to infest the machine and perpetrate DDoS attacks, send spam e-mail, etc.
That is my primary concern. Many of the suggestions on the Net are to allow the broadcast on the basis that it is internal only, so what could it hurt?
Here’s what it could hurt – once I grant access to 224.0.0.22 that application gets to continue to have free access past the firewall until the application stops running. So, when someone suggests that there is no danger in allowing this seemingly innocuous network connection, it opens a hole in the firewall that once tested as open could allow other malicious software onto the PC.
Now, I’m not saying this IS the case, only that it is possible. Sure, I may be paranoid, but there are people out to get me. Granted they don’t know it is me they are out to get, but that doesn’t mean they aren’t there. Truth is, they are trying to get you, too. Every time I hear or read tech news these days, people are always suggesting that the most spam, virii, and DDoS attacks come from Zombie machines (PCs that are infected and used without the owner's knowledge).
Now, to be fair, I’m a little optimistic that nothing untoward is going on because I have regularly-updated AntiVir and Spybot S&D watching in realtime and with weekly scans. They find stuff every so often (more Spybot than AntiVir), but that hasn’t affected the 224.0.0.22 issue and I don’t like it that Pachinko, without network components, is trying to access my internal network.
Finally, my question is this:
Where is a network and firewall expert who has examined this issue and explained exactly what is going on and, more importantly, why is it coming from programs that have no reason to connect to the network? A deciphering of the Binary Dump would lend a lot of credibility to the answer I’m hoping to receive.
Thanks!
Dale
address 224.0.0.22 (Sygate user answer)
[QUOTE=daleallenbaker]Hi.
<snipped>
I installed Sygate Personal Firewall (free version) and it pops up a message to let me know:
ANYPROGRAM.EXE (anyprogram.exe) is trying to broadcast to [224.0.0.22]. Do you want to allow this program to access the network?
Now, I use the name anyprogram.exe, but I have seen this pop-up for MANY programs that have no business whatsoever accessing the network.
<snipped>
[/QUOTE]
Answer:
When using Sygate, go to Settings>Network Neighborhood (or Options>Network Neighborhood for the free version).
Uncheck the box by "Permit me to browse and share both files and printers on this Network Connection".
The "..............224.0.0.22" message will stop appearing.
Your machine was/is looking for other Network machines.
address 224.0.0.22 (revisited)
BTW, if you still get the "...224.0.0.22" (after turning off the Network Browse checkbox in Sygate), then you most likely have the "SSDP Discovery Service" set to Automatic (start type) under Control Panel>Administrative Tools>Services. This Service also checks your home network (for interactive devices). It can be set to Manual or Disabled by most users. [It's for UPnP devices; not commonly used, yet. Search for UPnP, if you're interested.] ["Universal" Plug aNd Play, not to be confused with PnP.]
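
The kind of "binary dump" decoding asked for in the first post, as an added example that is not part of the thread or any poster's code: a Python parser for an IGMPv3 membership report, the message type sent to 224.0.0.22. The sample bytes are constructed, and the group 239.255.255.250 inside them (the SSDP multicast address) is an assumption chosen to match the SSDP Discovery Service mentioned above.

```python
import socket
import struct

# IGMPv3 group record types (RFC 3376, section 4.2.12)
RECORD_TYPES = {
    1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
    3: "CHANGE_TO_INCLUDE_MODE", 4: "CHANGE_TO_EXCLUDE_MODE",
    5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES",
}

def inet_checksum_ok(data: bytes) -> bool:
    """True if the 16-bit one's-complement sum over the message is 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_igmpv3_report(payload: bytes) -> dict:
    """Decode the IGMP payload (IP header already stripped) of a v3 report."""
    if len(payload) < 8:
        raise ValueError("too short for an IGMPv3 membership report")
    msg_type, _, _, _, n_records = struct.unpack("!BBHHH", payload[:8])
    if msg_type != 0x22:
        raise ValueError(f"not an IGMPv3 report (type 0x{msg_type:02x})")
    records, offset = [], 8
    for _ in range(n_records):
        if offset + 8 > len(payload):
            raise ValueError("truncated group record")
        rtype, aux_len, n_src, group = struct.unpack(
            "!BBH4s", payload[offset:offset + 8])
        offset += 8
        end = offset + 4 * n_src          # source list: 4 bytes per address
        if end + 4 * aux_len > len(payload):
            raise ValueError("truncated source list or auxiliary data")
        sources = [socket.inet_ntoa(payload[i:i + 4])
                   for i in range(offset, end, 4)]
        offset = end + 4 * aux_len        # skip auxiliary data words
        records.append({"type": RECORD_TYPES.get(rtype, f"UNKNOWN({rtype})"),
                        "group": socket.inet_ntoa(group), "sources": sources})
    return {"checksum_ok": inet_checksum_ok(payload), "records": records}

# Constructed sample: one record, no sources, group 239.255.255.250
SAMPLE = bytes.fromhex("2200ea030000000104000000effffffa")

if __name__ == "__main__":
    print(parse_igmpv3_report(SAMPLE))
```

A CHANGE_TO_EXCLUDE_MODE record with an empty source list is how IGMPv3 expresses a plain join of the listed group, so the group field is the value to look at when judging what a given report is announcing.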