If you’ve installed the Microsoft Live service in the last few weeks, months or even years, you may have noticed a not-so-quiet program called SeaPort.exe running in the background, eating up processing speed and a fair amount of network bandwidth (especially when you’ve got multiple workstations).
Research has indicated this process may be detrimental to your network security and workstation operating capacity.
What is it?
SeaPort.exe typically comes bundled as part of the Microsoft Live Search Enhancement application pack. It is also included in a plethora of “helpful” web downloads from Microsoft, including the Bing and MSN toolbars.
In the description field of the Services Administrator Tool, Microsoft states that it:
“Enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement Applications. Also provides server communication for the customer experience improvement program. If this service is disabled, search enhancement features such as search history may not work correctly”.
How does it affect the workstation?
From the description one might infer that this “enhancement” should only run while browsers are open and actively searching history, etc. But SeaPort.exe runs not only at boot-up (drawing out an already lengthy startup process for your workstation), but also in the background whether or not any searches have been performed, and even when no browser is open.
The service starts automatically and consumes approximately 4-7 MB of RAM (reports vary) from the moment it is installed. All this activity for a little-used function, and in some cases a never-used function, seems like a waste of resources for what is already an overworked OS.
How could it be harmful?
The Microsoft description above is really quite open-ended for a service that indicates it’s transmitting some type of information about the workstation back to the mothership.
Researchers have published detailed evidence that full URLs are being sent back to Microsoft for analysis by the Microsoft customer experience improvement program. In addition, if you’re using poorly coded web applications that include the session ID, or even worse, the username and password in their URLs, it’s frighteningly possible that this information is being passed to Microsoft through SeaPort.exe.
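To gauge that exposure from your own proxy or browser-history logs, the following added example (not from the original article or from Microsoft) flags URLs that carry credentials or session identifiers and so should never leave the workstation in full. The parameter-name list and the sample URLs are assumptions constructed for illustration.

```python
# Added example: flag URLs that would expose secrets if sent off-host in full.
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names commonly used for sessions and credentials
# (illustrative list, not taken from the article).
SENSITIVE = re.compile(
    r"^(jsessionid|phpsessid|sid|session(_?id)?|token|auth|"
    r"user(name)?|login|pass(word|wd)?|pwd)$",
    re.IGNORECASE,
)

def audit_url(url):
    """Return a list of reasons this URL is unsafe to disclose in full."""
    findings = []
    parts = urlsplit(url)
    # Credentials embedded as user:password@host
    if parts.username or parts.password:
        findings.append("userinfo")
    # Ordinary query-string parameters; empty values carry no secret
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value and SENSITIVE.match(name):
            findings.append("query:" + name.lower())
    # Path parameters such as /cart;jsessionid=ABC (URL-rewriting sessions)
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            if value and SENSITIVE.match(name):
                findings.append("path:" + name.lower())
    return findings

def audit_urls(urls):
    """Map each offending URL to its findings; clean URLs are omitted."""
    return {u: f for u in urls if (f := audit_url(u))}

# Constructed sample input (hypothetical hosts, not from any real log).
SAMPLE_URLS = [
    "http://intranet.example/search?q=quarterly+report",
    "http://app.example/account;jsessionid=8F3A22C1?view=summary",
    "http://legacy.example/login.asp?username=jdoe&password=hunter2",
    "http://jdoe:hunter2@files.example/share/",
    "https://portal.example/home?sid=&lang=en",
]

if __name__ == "__main__":
    for url, reasons in audit_urls(SAMPLE_URLS).items():
        print(", ".join(reasons), "->", url)
```

Applications that show up in this report are the ones to fix first by moving session identifiers into cookies and credentials into POST bodies.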
What steps should I take?
Removing SeaPort.exe from any workstations running the process is the first step. Once that is done, continue to apply good risk management techniques, such as monitoring your users and the applications and processes installed on their workstations. A policy should be implemented against installing various toolbars and unauthorized applications and processes.
Brian Nelson from brighthub.com has a step-by-step process for deleting the SeaPort.exe service.
What does this mean going forward?
To date, most security analysts operate under the presumption that spyware is defined as anything that “reports private information or activity to a remote host that the user may not be aware of”. In most cases, SeaPort.exe is installed without the user knowingly doing so. When installing Microsoft Live, there’s no option to skip the SeaPort.exe portion of the application set; it’s included no matter what selections are made.
SeaPort.exe should be considered armed and dangerous, and network administrators need to understand that this process is gaining access to, and information about, workstations that is better kept private. In short, we’re not ready to call SeaPort.exe “spyware”, but it’s teetering on the edge of the definition, which is uncharted territory for a major OS vendor.
