Tags: Medium Risk | Windows | Legitimate | Commonly Abused
alg.exe (System Service)

alg.exe - Application Layer Gateway Security Analysis

alg.exe (Application Layer Gateway Service) provides support for third-party protocol plug-ins used by Internet Connection Sharing (ICS) and Windows Firewall. It lets FTP, PPTP and other protocols that embed addresses or open secondary connections traverse NAT. Because it is a signed Microsoft service binary with legitimate network access and firewall interaction, attackers masquerade malware under its name or replace the service binary so that their code inherits the trusted path and identity.

Last verified: Jan 18, 2026

Risk Summary

MEDIUM priority for SOC triage. alg.exe is a Windows service binary that runs under the low-privilege NT AUTHORITY\LocalService account and is normally idle: it is trigger-started only when ICS or a protocol plug-in needs it. Monitor for instances outside System32, a parent other than services.exe, a logon account other than the one configured for the service, or network connections to anything other than the FTP/PPTP ports it gateways.

Overview

What is alg.exe?

alg.exe (Application Layer Gateway) is a Windows service that provides support for application-level protocol plugins.

Core Functions

Protocol Support:

  • Enables FTP through NAT/firewall
  • Supports PPTP VPN connections
  • Handles SIP/RTC communications
  • Manages protocol-specific port mappings

Firewall Integration:

  • Works with Windows Firewall
  • Supports Internet Connection Sharing
  • Manages dynamic port allocation

Security Significance

  • Network Access: Has legitimate network capabilities
  • Service Context: Runs as NT AUTHORITY\LocalService, a low-privilege account (confirm on a given build with: sc qc ALG)
  • Firewall Integration: Can modify firewall behavior
  • Legacy Service: Often disabled in modern environments

Normal Behavior

Expected Process State

Property   | Expected Value
-----------|------------------------------------------------
Path       | C:\Windows\System32\alg.exe
Parent     | services.exe
Instances  | 0-1 (may not be running)
User       | NT AUTHORITY\LOCAL SERVICE
Network    | FTP (21) / PPTP (1723) related traffic, only while a plug-in is active
Memory     | 1-3 MB

Service Configuration

Service Name: ALG
Display Name: Application Layer Gateway Service
Startup Type: Manual (Trigger Start)
Log On As: NT AUTHORITY\LocalService (confirm with: sc qc ALG)

services.exe
└── alg.exe (LOCAL SERVICE)

Common Locations

C:\Windows\System32\alg.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\Windows\System32\alg.exe
Parent:      services.exe
Instances:   0-1
User:        NT AUTHORITY\LOCAL SERVICE
Network:     FTP (21) / PPTP (1723) related traffic only, and only while a plug-in is active

SUSPICIOUS

Path:        C:\Windows\alg.exe
             C:\Temp\alg.exe
Parent:      cmd.exe, explorer.exe
Instances:   Multiple
User:        Administrator, standard user
Network:     HTTP/HTTPS, C2 ports

Comparison Table

Indicator  | Legitimate      | Suspicious        | Risk
-----------|-----------------|-------------------|---------
Path       | System32        | Elsewhere         | CRITICAL
Parent     | services.exe    | Other             | CRITICAL
User       | LOCAL SERVICE   | Other             | HIGH
Network    | Protocol ports  | C2 / other ports  | CRITICAL
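The comparison above as a triage script, added here as an example and not part of the original page. It assumes Windows 8/Server 2012 or later (for Get-NetTCPConnection), PowerShell 5.1 or newer, and an elevated prompt so the owner and image of a service process can be read. The expected path, parent, ports and logon account are taken from this page and set as variables at the top; the account string is what sc qc ALG reports on current builds, adjust it if your build differs.

```powershell
# Added example (not from the original page): triage every running alg.exe against the
# expected state above and print a verdict per instance.
# Assumptions: Windows 8/Server 2012 or later (Get-NetTCPConnection), PowerShell 5.1+,
# run from an elevated prompt so a service process's owner and image can be read.
$ExpectedPath   = "$env:SystemRoot\System32\alg.exe"
$ExpectedParent = 'services.exe'
$ExpectedUser   = 'NT AUTHORITY\LOCAL SERVICE'   # what 'sc qc ALG' reports on current builds; adjust if yours differs
$ProtocolPorts  = @(21, 1723)                    # FTP control and PPTP, the only remote ports ALG should touch

$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'alg.exe'")
if ($procs.Count -eq 0) {
    'No alg.exe running (normal: ALG is trigger-started and usually idle)'
    return
}
if ($procs.Count -gt 1) { Write-Warning "$($procs.Count) alg.exe instances running; expected 0-1" }

foreach ($p in $procs) {
    $findings = @()

    # Path: anything outside System32 is a masquerade candidate (T1036.005)
    if ($p.ExecutablePath -ne $ExpectedPath) {
        $findings += "CRITICAL path=$($p.ExecutablePath)"
    }

    # Parent: the Service Control Manager (services.exe) is the only legitimate parent
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne $ExpectedParent) {
        $findings += "CRITICAL parent=$(if ($parent) { $parent.Name } else { '<exited>' }) ppid=$($p.ParentProcessId)"
    }

    # Logon account: GetOwner returns the token's Domain and User
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<access denied>' }
    if ($user -ne $ExpectedUser) { $findings += "HIGH user=$user" }

    # Signature of the on-disk image the process was started from. System32 binaries are
    # catalog-signed; Get-AuthenticodeSignature resolves catalogs on Windows 10+ (older
    # builds may report NotSigned for a genuine file, so treat that as 'verify with sigcheck').
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "CRITICAL signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
        }
    }

    # Network: any non-listening session to a port other than FTP/PPTP is a C2 indicator
    $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
             Where-Object { $_.State -ne 'Listen' -and $_.State -ne 'Bound' -and $_.RemotePort -notin $ProtocolPorts }
    foreach ($c in $conns) {
        $findings += "CRITICAL net=$($c.RemoteAddress):$($c.RemotePort) state=$($c.State)"
    }

    $verdict = if ($findings.Count) { 'SUSPICIOUS' } else { 'LEGITIMATE' }
    '[{0}] pid={1} path={2} user={3}' -f $verdict, $p.ProcessId, $p.ExecutablePath, $user
    $findings | ForEach-Object { "    $_" }
}
```

A legitimate instance prints a single LEGITIMATE line; a masquerading binary typically trips the path, parent and user checks at once, while a replaced service binary (path, parent and user all correct) is caught only by the signature and network checks, which is why those two are not optional.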

Abuse Techniques

Attack Techniques

Technique #1: Process Masquerading (T1036.005)

Malware using alg.exe name to appear legitimate.

Common Malicious Locations:

C:\Windows\alg.exe
C:\Users\Public\alg.exe
C:\ProgramData\alg.exe

Technique #2: Service Abuse (T1543.003)

Replacing the legitimate alg.exe with a malicious binary so that the Service Control Manager launches it from the trusted path with the service's identity:

sc stop alg
copy malware.exe C:\Windows\System32\alg.exe
sc start alg

The copy step requires administrative rights and overriding TrustedInstaller ownership, since System32 binaries are protected by Windows Resource Protection. The substituted file no longer passes Authenticode/catalog verification or sfc /verifyonly, so a signature and hash check on the service binary is the reliable detection for this technique.

Technique #3: Network Evasion

Malware named alg.exe beaconing over HTTP/HTTPS or to C2 ports, relying on analysts expecting this process to have network activity. Legitimate alg.exe traffic is confined to the FTP/PPTP ports listed above and occurs only while a plug-in is active, so any other destination port from a process with this name is a discriminator rather than noise.

Remediation Steps

Protection and Remediation

Defense: Disable if Unused

If ICS and the protocol plug-ins are not required (run from an elevated shell):

Set-Service -Name ALG -StartupType Disabled

This changes only the startup type; a running instance must be stopped separately. A disabled ALG that later appears running is itself an indicator worth alerting on.

Defense: File Integrity Monitoring

Monitor C:\Windows\System32\alg.exe for changes to its hash and signature status, and monitor the ALG service's ImagePath value (HKLM\SYSTEM\CurrentControlSet\Services\ALG) for redirection to another binary.

If Compromise Suspected

  1. Stop the ALG service
  2. Verify alg.exe hash against known-good
  3. Check for alg.exe in non-standard locations
  4. Review network connections
  5. Restore from known-good backup if tampered
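The Service Configuration checks and the compromise-response steps above as one script, added here as an example and not part of the original page. It assumes PowerShell 5.1 or newer on Windows 10/Server 2016 or later and an elevated prompt. $KnownGoodSha256 is a placeholder: the page gives no hash, and alg.exe differs per OS build, so take the reference value from a clean machine running the same build.

```powershell
# Added example (not from the original page): check the registered ALG service, verify
# its binary, and hunt for alg.exe copies in the locations the page lists (T1036.005).
# Assumptions: PowerShell 5.1+ on Windows 10/Server 2016 or later, elevated prompt.
# $KnownGoodSha256 is a placeholder: the page gives no hash; take it from a clean
# reference machine running the same OS build (alg.exe differs per build).
$ExpectedPath    = "$env:SystemRoot\System32\alg.exe"
$KnownGoodSha256 = $null

# 1. Service registration: binary path, logon account, state and start mode as the SCM has them
$svc = Get-CimInstance Win32_Service -Filter "Name = 'ALG'"
if (-not $svc) { Write-Warning 'ALG service is not registered on this host'; return }
'Service   : {0} | State={1} StartMode={2}' -f $svc.DisplayName, $svc.State, $svc.StartMode
'PathName  : {0}' -f $svc.PathName
'StartName : {0}' -f $svc.StartName
if ($svc.PathName.Trim('"') -ne $ExpectedPath) {
    Write-Warning "Service binary path redirected: $($svc.PathName) (T1543.003)"
}

# 2. Integrity of the registered binary: signature, hash, version, last write time
if (Test-Path -LiteralPath $ExpectedPath) {
    $file = Get-Item -LiteralPath $ExpectedPath
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
    'Signature : {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
    'SHA256    : {0}' -f $hash
    'Version   : {0}  Modified: {1}' -f $file.VersionInfo.FileVersion, $file.LastWriteTime
    if ($sig.Status -ne 'Valid') {
        Write-Warning 'alg.exe does not verify as signed: treat as tampered and run sfc /verifyonly'
    }
    if ($KnownGoodSha256 -and $hash -ne $KnownGoodSha256) {
        Write-Warning 'alg.exe hash differs from the known-good reference'
    }
} else {
    Write-Warning "$ExpectedPath is missing"
}

# 3. Copies outside the protected system locations. WinSxS and the servicing store
#    legitimately hold copies of system binaries; System32/SysWOW64 are excluded as the
#    install locations. Anything else (C:\Windows\alg.exe, C:\Users\Public\alg.exe,
#    C:\ProgramData\alg.exe, temp folders) is flagged for review.
$roots  = @($env:SystemRoot, $env:ProgramData, "$env:SystemDrive\Users")
$copies = Get-ChildItem -Path $roots -Filter 'alg.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.FullName -notmatch '\\(System32|SysWOW64|WinSxS|servicing)\\' }
foreach ($c in $copies) {
    $csig = Get-AuthenticodeSignature -FilePath $c.FullName
    'SUSPICIOUS copy: {0} size={1} signed={2} modified={3}' -f $c.FullName, $c.Length, $csig.Status, $c.LastWriteTime
}
if (-not $copies) { 'No alg.exe copies outside the protected system locations' }
```

Run it before stopping the service so the on-disk state is captured as found; if the signature check fails or the PathName has been redirected, preserve the binary for analysis before letting sfc restore it.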

Investigation Checklist

  • Verify path is C:\Windows\System32\alg.exe
  • Confirm parent is services.exe
  • Check it is running as NT AUTHORITY\LOCAL SERVICE and that this matches the account configured for the service (sc qc ALG)
  • Review network connections: anything other than FTP/PPTP related traffic is anomalous
  • Validate the service binary path (ImagePath) still points at System32\alg.exe
  • Verify the Authenticode/catalog signature and compare the hash with known-good for the same OS build
  • Search for alg.exe copies elsewhere (C:\Windows, C:\Users\Public, C:\ProgramData, temp folders)
  • Check whether the service should be running at all (is ICS or a protocol plug-in in use on this host?)

MITRE ATT&CK Techniques