itman
Posted November 7, 2015

WIN 7 x64 SP1, IE 11, Eset Smart Security 8.0.319.0

This is a first. I run the firewall in interactive mode. I also have had no issues with the firewall alerting me of connection activity; until today that is. I also frequently check my WIN 7 security audit logs. I saw 20+ blocked outbound connections from IE to this IP address 63.245.216.133 using port 81 in my WIN 7 security audit log. The URL for that IP is zlb3.pub.phx1.svc.mozilla.com.

I also use Thunderbird as my e-mail client. I believe I was reading an e-mail from a known personal source around the time of this outbound activity and clicked on a link in the e-mail. I have TBird set to always open my browser for that activity. So it is possible that the connection to mozilla.com was initiated by TBird although I have never seen any previous connection to that IP address and never for port 81.

The question is why didn't Eset's firewall alert for this activity? I assume Eset's firewall blocked the connection since I only allow outbound connections for ports 80, 443, 3128, and 8080 for IE.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/6/2015 12:24:54 PM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: xxxxxx
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 3080
Application Name: \device\harddiskvolume3\program files\internet explorer\iexplore.exe

Network Information:
Direction: Outbound
Source Address: 192.168.1.XX
Source Port: 50919
Destination Address: 63.245.216.133
Destination Port: 81
Protocol: 6

Filter Information:
Filter Run-Time ID: 190300
Layer Name: Connect
Layer Run-Time ID: 48

Event Xml:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5157</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12810</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-06T17:24:54.779356500Z" />
    <EventRecordID>670003</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="60" />
    <Channel>Security</Channel>
    <Computer>Don-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">3080</Data>
    <Data Name="Application">\device\harddiskvolume3\program files\internet explorer\iexplore.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">192.168.1.XX</Data>
    <Data Name="SourcePort">50919</Data>
    <Data Name="DestAddress">63.245.216.133</Data>
    <Data Name="DestPort">81</Data>
    <Data Name="Protocol">6</Data>
    <Data Name="FilterRTID">190300</Data>
    <Data Name="LayerName">%%14611</Data>
    <Data Name="LayerRTID">48</Data>
    <Data Name="RemoteUserID">S-1-0-0</Data>
    <Data Name="RemoteMachineID">S-1-0-0</Data>
  </EventData>
</Event>
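
Added example, not part of the original post: a way to triage a batch of exported Event ID 5157 records like the one above, grouping blocked outbound connections by application, destination and port and checking each port against the allow list the poster describes. The function names are hypothetical, the sample event is constructed from the posted one (trimmed), and the tag matching ignores the XML namespace so a rewritten `xmlns` value still parses.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Token pairs as they appear in the event on this page (text view vs. Event Xml).
TOKENS = {"%%14593": "Outbound", "%%14611": "Connect"}
ALLOWED_PORTS = {80, 443, 3128, 8080}  # outbound ports the poster allows for IE

# Constructed sample: the posted event trimmed to the fields used below.
SAMPLE = r"""<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>{event_id}</EventID></System>
<EventData>
<Data Name="Application">\device\harddiskvolume3\program files\internet explorer\iexplore.exe</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="DestAddress">63.245.216.133</Data>
<Data Name="DestPort">{port}</Data>
</EventData></Event>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def parse_5157(xml_text):
    """Return the EventData fields of one event as a dict, or None if it is not 5157."""
    root = ET.fromstring(xml_text)
    event_id = next((e.text for e in root.iter() if local(e.tag) == "EventID"), None)
    if event_id != "5157":
        return None
    fields = {}
    for e in root.iter():
        if local(e.tag) == "Data" and "Name" in e.attrib:
            value = (e.text or "").strip()
            fields[e.attrib["Name"]] = TOKENS.get(value, value)
    return fields

def summarize_blocks(events, allowed=ALLOWED_PORTS):
    """Count blocked outbound connections per (app, dest, port), most frequent first."""
    counts = Counter()
    for xml_text in events:
        f = parse_5157(xml_text)
        if f is None or f.get("Direction") != "Outbound":
            continue
        exe = f["Application"].rsplit("\\", 1)[-1].lower()
        counts[(exe, f["DestAddress"], int(f["DestPort"]))] += 1
    return [{"app": a, "dest": d, "port": p, "count": n, "port_allowed": p in allowed}
            for (a, d, p), n in counts.most_common()]

if __name__ == "__main__":
    events = [SAMPLE.format(event_id=5157, port=81)] * 3 + [SAMPLE.format(event_id=5157, port=443)]
    for row in summarize_blocks(events):
        print(row)
```

A row with `port_allowed` false is a block that matches the port rule set; a row with it true is a block that the port rules alone do not explain.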