Black - Normal Sockets
Most sockets from applications started by the user will display as black. This
means the owner process of the socket is a visible application - it has a window
that is visible on-screen (although it may be minimised). It is possible but
highly unlikely that trojan sockets will display as black.
Blue - System Sockets
Blue sockets indicate ownership by either the System process or by a registered
service process (usually started by the operating system). It is possible for
trojans to register themselves as service processes, but this is very rare.
See also Notes on Services
Red - Hidden Sockets
Red sockets indicate that the owning process is hidden (i.e. it has no visible
windows) and is not a service or system process. Although there are some
legitimate applications that behave this way, many hidden sockets are owned by
trojans, so red-socket processes are always worthy of further investigation. In
fact, very few
Red (Background) - Closing Sockets
Sockets with red backgrounds are sockets that have just closed. The red
background remains for one 'refresh', allowing you to see sockets as they close
rather than having them immediately disappear.
Notes:
It is not practical to determine whether a process has an icon in the system
tray, because the tray icon is drawn by the explorer.exe process rather than by
the owning process, so hidden processes that have a system tray icon will still
show up as red.
Port Explorer maintains a tally of each socket class. These tallies (and
combined total) can be seen in the status bar at the bottom left-hand corner of
the main Port Explorer window.
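The three text-colour classes above can be reproduced outside Port Explorer. The following PowerShell script is an added example, not part of Port Explorer, that labels each TCP socket Blue (owner is the System process or hosts a registered service), Black (owner has a visible main window) or Red (neither), and prints a per-class tally like the one in the status bar. It assumes a Windows host with the NetTCPIP module (Get-NetTCPConnection) and treats a non-zero MainWindowHandle as "has a visible window".

```powershell
# Added example, not part of Port Explorer. Requires Windows 8 / Server 2012 or
# later for Get-NetTCPConnection; run from an elevated prompt so every owning
# process can be inspected.

# PIDs that host a registered service (Port Explorer's "Blue" class). Services
# that are stopped report ProcessId 0 and are skipped.
$servicePids = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Select-Object -ExpandProperty ProcessId -Unique

function Get-SocketClass {
    param([int]$OwnerPid)
    # PID 4 is the System process; PID 0 appears on sockets with no live owner.
    if ($OwnerPid -in 0, 4 -or $servicePids -contains $OwnerPid) { return 'Blue' }
    $proc = Get-Process -Id $OwnerPid -ErrorAction SilentlyContinue
    # A non-zero main window handle is assumed to mean "visible window" here;
    # minimised windows still have a handle, so they stay Black as the text says.
    if ($proc -and $proc.MainWindowHandle -ne 0) { return 'Black' }
    return 'Red'   # no window, not System, not a service: worth a closer look
}

$rows = Get-NetTCPConnection -State Listen, Established | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Class   = Get-SocketClass -OwnerPid $_.OwningProcess
        Process = if ($proc) { $proc.ProcessName } else { '(exited)' }
        PID     = $_.OwningProcess
        Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
        Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        State   = $_.State
    }
}

# Red first, since those are the sockets the help text says to investigate.
$order = @{ Red = 0; Blue = 1; Black = 2 }
$rows | Sort-Object { $order[$_.Class] }, Process | Format-Table -AutoSize

# Per-class tally, like the counts in Port Explorer's status bar.
$rows | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
```

Windows belonging to another user's session report a MainWindowHandle of 0, so on a shared or remote-session host some legitimate applications will be classed Red, much like the tray-icon case in the notes above.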