Windows Firewall blocks netsession_win
During Windows startup a message appears informing that the Windows Firewall has blocked “netsession_win” with an unknown publisher. The message asks whether I wish to block, unblock, or ask again later. Thus far I have selected the “Ask again later” option because I am uncertain whether it is safe to allow the unblocking of this file. However, this message appearing every time the computer starts is becoming quite annoying. Could you provide any advice on the purpose of this file and whether it can be safely blocked or unblocked? The computer is running Windows XP SP3.
You have certainly done the right thing not granting this process access to your computer through the Windows Firewall, as with any suspicious process (where you do not know what the process does or its origin) you should be safe rather than sorry and err on the side of caution. When doing some research on the “netsession_win” process it has become evident that this is a bit more of a tricky process to track down, since there are quite a few conflicting reports regarding the purpose of the file and whether it is legitimate. This is not uncommon since malware and other infections have been known to masquerade using the filenames of legitimate programs and processes. That’s not saying that the “netsession_win” process installed on your computer is malicious – it is just a word of warning that we should always keep this possibility in mind when processes that we don’t recognise start requesting exceptions through the Windows Firewall.
Rather than delving into the possibilities of this being malicious we will start with checking out whether the process is actually legitimate and serving a proper purpose. Even though you are telling the Windows Firewall to “Ask again later” regarding the access which the “netsession_win” has to your computer, it is likely that the process is still running on the computer – it just does not have all the access which it requests. This gives us an opportunity to investigate the process further to find out its true nature. There is a very good article at www.hanselman.com/blog/CSIMyComputerWhatIsNetsessionwinexeFromAkamaiAndHowDidItGetOnMySystem.aspx which deals with tracking down the purpose of the “netsession_win” process on a computer to determine its legitimacy. As a first step you should follow through the excellent instructions given at this website. These will step you through the procedure to find the “netsession_win” process in the Task Manager and then trace that process through to its actual executable file on the computer and then check for a digital signature which will help indicate whether the process is legitimate and from a legitimate vendor. Be aware that the instructions given on the website are written for Windows 7. While the instructions should generally be applicable without modification to a computer running Windows, be aware that some of the file paths are likely to be different. For example, the article refers to the “netsession_win” process being located in the directory: C:\Users\ \AppData\Local\Akamai . On a Windows XP computer it would instead be most likely in the folder: C:\Documents and Settings\ \Application Data\Akamai .

As you will read in the article, it is designed to determine whether the “netsession_win” process is legitimate and related to an application called Akamai which is a download accelerator used within other products to help assist with downloading updates (amongst other things). In particular, from the research that I have conducted, the “netsession_win” process is the “Akamai NetSession Interface”. In addition to downloading content to your computer, this adds functionality as a peer-to-peer delivery service so that your computer can transmit data to other computers. This doesn’t mean that any data can be sent from your computer, but instead just data that is distributed by the Akamai network (such as updates) which has already downloaded to your computer can then be re-distributed to other client computers. This is designed to make the distribution of content across their network much quicker, because rather than each client having to download content from the Akamai servers they can instead connect to other clients to download the content. In principle, this is similar to other peer-to-peer services. You can read more about the Akamai Netsession Interface at www.akamai.com/html/misc/akamai_client/netsession_interface.html which also provides other articles with information about the technical details.
If you determine that the “netsession_win” process on your computer is legitimate, as it has all the correct and valid digital signatures, then it does seem to be the actual Akamai file. However, this does not necessarily mean that you may wish to unblock this service. As you have read above (and may have read further on the Akamai website) this seems to be a peer-to-peer content delivery system, so if you do not wish for your computer to be used in this manner (to assist in the delivery of content to other clients) then you may wish to block the process at your firewall. If you do decide that you wish to block the process, as you do not wish to partake in distributing content on the Akamai network, then you may also wish to uninstall the Netsession Interface. Before doing so it would be worthwhile to determine exactly which program installed this, as if you update or reinstall that software it is likely that the Netsession Interface will return. Fortunately, the Netsession Interface includes a utility which will provide you with all this information. Go to the “Start” menu > “Run” and type in “C:\Program Files\Common Files\Akamai\AdminTool.exe”. Hopefully this should launch the administration tool which will provide you with information about which program installed Akamai and also all the data which has been downloaded using the Netsession Interface.
Should you wish to proceed with uninstalling the Netsession Interface, instructions are provided on the Akamai website at www.akamai.com/html/misc/akamai_client/csd_faq.html . However, you should be aware that some applications may require the Netsession Interface so it would be worthwhile noting down those programs (when you look in the administration utility during the previous procedure) so that you can keep an eye out for any strange behaviour in those applications as a result of uninstalling the Netsession Interface.
Now that we have considered the situation where the “netsession_win” process is legitimate, we should turn our attention to the scenario where the process is not legitimate. It is also worth noting that such a situation is not just limited to a process with the name “netsession_win” but malware is well-known to masquerade as the name of Windows system processes as well, occasionally even going so far as performing the same function as the legitimate process but also having a malware payload included in the file. This is why digital signatures on files are very useful and important things to verify when installing software. The purpose of a digital signature is to verify that the file came from a particular source and that the file has not been subsequently changed by an unauthorised party. As an example, say that XYZ Corporation publishes a downloadable setup file on their website. They have digitally signed this file, which verifies that the file was produced by XYZ Corporation and that it has not been changed. When you download that file, assuming that the digital signature is intact, this provides a guarantee that the file was produced by XYZ Corporation and has not been changed. Be aware, this does not guarantee that the file doesn’t do anything malicious, just that it was produced by a particular source and has not been changed. However, if you download the file from a trustworthy source then you can probably be fairly certain that it isn’t a file with malicious intent. It is quite easy to verify a digital signature – simply right-click on the file and select “Properties”. In the window that appears, click the “Digital Signatures” tab. You will see the digital signature listed and can select it then click “Details” for additional information regarding what the signature actually guarantees, since different signatures offer different levels of protection and guarantee.
Another way to view the digital signature is when Windows shows the security warning the first time that you try to open a new executable file on your computer. This is a warning which is designed to let you know that you are about to run an executable file and asks whether you wish to proceed. The window also lists the software publisher, and you can usually click the name of the publisher (which is in blue text, underlined) to show the certificate. Be aware that digital signatures are generally only found on executable files and not other file types, such as images, since executable files pose the greatest security risk as they execute code (which could potentially be malicious) as opposed to image and other kinds of files which simply store content which can be displayed on your computer using an appropriate viewing application.
You should note that a large portion of software and executable files do not have digital signatures. This is because many software developers may not be able to afford the costs to have their software digitally signed. Just because a piece of software is not digitally signed does not necessarily make it insecure, although you just need to take extra precautions to ensure that you have downloaded such files from a reputable source (e.g. the software developer’s website, rather than some third-party website) so that you can have peace of mind that the download is legitimate and minimise the chance that the file has been changed or tampered with.
So, returning to the situation where the “netsession_win” process on the computer is not legitimate. It could be quite tricky to make the ultimate determination as to whether the process is legitimate if it lacks a digital signature, because it is possible that early versions of “netsession_win” lacked a digital signature. However, I would err on the side of caution and assume that if this does not have a digital signature it is suspicious and should be removed (as it is much better to be safe than sorry in these situations). As you may have read in my previous columns, when a computer has potentially become infected with a virus or malware then I am of the opinion that it can never be trusted again until the hard drive has been wiped and the operating system installed fresh. This is because you never know whether the removal of such infections has been completely successful, and there could be bits and pieces remaining behind which continue to compromise your security and the integrity of your data. Therefore, I would recommend backing up all of your data and completing a reinstallation of Windows. While this does seem a bit heavy-handed I am generally very security conscious when it comes to computers, so this is my recommended course of action when you have had a suspected infection. When you come to reinstalling all the software on your computer make sure that you have the most up-to-date versions, since if “netsession_win” was legitimate then it is possible that through using the latest versions of your software it will reinstall the latest version of the Netsession Interface that will hopefully include the digital signature, verifying its authenticity.
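The column's two checks, tracing the running “netsession_win” process back to its executable and verifying that file's digital signature, can be done from a PowerShell prompt instead of through Task Manager and the Properties dialog. The script below is an added example, not code from the column or from Akamai; it assumes Windows PowerShell 2.0 or later (available for XP SP3), that the expected Akamai folders are the ones the column names under the current user's profile, and that the administration tool lives at the path the column gives.

```powershell
# Added example: locate a process the firewall prompted about, resolve its
# executable, and check whether that file carries a valid Authenticode signature.
# Assumption: Windows PowerShell 2.0+; process name defaults to the column's.

param(
    [string]$ProcessName = 'netsession_win'
)

# Folders where the column says the legitimate Akamai client normally lives.
# Assumption: $env:USERPROFILE is the current user's profile on both XP and 7.
$expectedDirs = @(
    (Join-Path $env:USERPROFILE 'AppData\Local\Akamai'),     # Windows Vista / 7
    (Join-Path $env:USERPROFILE 'Application Data\Akamai')   # Windows XP
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Host "No running process named '$ProcessName' was found."
    return
}

foreach ($p in $procs) {
    # .Path is the full path of the executable backing the process.
    $path = $p.Path
    if (-not $path) {
        Write-Host ("PID {0}: path unavailable (try an Administrator prompt)" -f $p.Id)
        continue
    }

    # Is the file where the legitimate client is expected to be installed?
    $inExpectedDir = $false
    foreach ($dir in $expectedDirs) {
        if ($path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            $inExpectedDir = $true
        }
    }

    # Authenticode check: Status is 'Valid' only when the signature chains to a
    # trusted root and the file has not been altered since it was signed.
    $sig = Get-AuthenticodeSignature -FilePath $path

    Write-Host ("PID {0}: {1}" -f $p.Id, $path)
    Write-Host ("  in expected Akamai folder : {0}" -f $inExpectedDir)
    Write-Host ("  signature status          : {0}" -f $sig.Status)
    if ($sig.SignerCertificate) {
        Write-Host ("  signer                    : {0}" -f $sig.SignerCertificate.Subject)
    } else {
        Write-Host "  signer                    : (file is not signed)"
    }

    if ($sig.Status -ne 'Valid' -or -not $inExpectedDir) {
        Write-Host "  -> treat as suspicious: keep it blocked in the firewall and investigate further."
    }
}

# The administration tool the column mentions lists which product installed the client.
$adminTool = Join-Path $env:CommonProgramFiles 'Akamai\AdminTool.exe'
if (Test-Path $adminTool) {
    Write-Host "Akamai AdminTool found at $adminTool (run it to see which application installed the client)."
}
```

Save it as a .ps1 file and run it while the process is active (the column notes it keeps running even though the firewall prompt was deferred). A `Valid` status together with a signer subject naming the vendor corresponds to the “Digital Signatures” tab showing an intact signature; `NotSigned`, `HashMismatch` or a file outside the expected folder is the case the column says to treat with caution.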