Jump to content

No Outbound Firewall Alert?


Recommended Posts

WIN 7 x64 SP1, IE 11, Eset Smart Security 8.0.319.0

 

This is a first. I run the firewall in interactive mode. I also have had no issues with the firewall alerting me of connection activity; until today that is. I also frequently check my WIN 7 security audit logs.

 

I saw 20+ blocked outbound connections from IE to this IP address 63.245.216.133 using port 81 in my WIN 7 security audit log. The URL for that IP is zlb3.pub.phx1.svc.mozilla.com.

 

I also use Thunderbird as my e-mail client. I believe I was reading an e-mail from a known personal source around the time of this outbound activity and clicked on a link in the e-mail. I have TBird set to always open my browser for that activity. So it is possible that the connection to mozzilla.com was initiated by TBird although I have never seen any previous connection to that IP address and never for port 81.

 

The question is why didn't Eset's firewall alert for this activity? I assume Eset's firewall blocked the connection since I only allow outbound connections for ports 80,443, 3128, and 8080 for IE.

 

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/6/2015 12:24:54 PM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      xxxxxx
Description: The Windows Filtering Platform has blocked a connection.

Application Information:  Process ID:  3080
Application Name: \device\harddiskvolume3\program files\internet explorer\iexplore.exe

Network Information:
Direction:  Outbound
Source Address:  192.168.1.XX
Source Port:  50919
Destination Address: 63.245.216.133
Destination Port:  81
Protocol:  6

Filter Information:
Filter Run-Time ID: 190300
Layer Name:  Connect
Layer Run-Time ID: 48
Event Xml:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5157</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12810</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-06T17:24:54.779356500Z" />
    <EventRecordID>670003</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="60" />
    <Channel>Security</Channel>
    <Computer>Don-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">3080</Data>
    <Data Name="Application">\device\harddiskvolume3\program files\internet explorer\iexplore.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">192.168.1.XX</Data>
    <Data Name="SourcePort">50919</Data>
    <Data Name="DestAddress">63.245.216.133</Data>
    <Data Name="DestPort">81</Data>
    <Data Name="Protocol">6</Data>
    <Data Name="FilterRTID">190300</Data>
    <Data Name="LayerName">%%14611</Data>
    <Data Name="LayerRTID">48</Data>
    <Data Name="RemoteUserID">S-1-0-0</Data>
    <Data Name="RemoteMachineID">S-1-0-0</Data>
  </EventData>
</Event>

 

  

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...