
Unusual Amount of Entries in my Firewall Log


12 replies to this topic

#1 Bennn

  • Members
  • 7 posts

Posted 05 June 2013 - 10:44 PM

I've recently started using AVG Internet Security. Everything is fine, except I'm unsure why the number of entries in my firewall log is so high. Since enabling the firewall, there have been non-stop entries every single minute. See the image below:


avgfirewalllog.png

 

And that's only a 15 minute slot. Without failure, every single minute has resulted in an entry. Is this common/unusual? Is there cause for concern?

 

I'm relatively certain my computer is not infected (hence my decision to post the thread in this forum section). Malwarebytes, SuperAntiSpyware, AVG and a few other security programmes all suggest that the computer is clean. What I don't understand is that the firewall in place (Comodo) before I switched to AVG would only occasionally show up entries in the log - whereas AVG is blocking something every single minute.

 

Any help is greatly appreciated. It'd also be great if someone could give a brief explanation of the different categories of the firewall log shown above.




 


#2 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 05 June 2013 - 11:21 PM

Hello Bennn -

From part of AVG general FAQ related to Firewall settings -
AVG Internet Security 2013 : Firewall Settings
In the default automatic mode, the firewall automatically configures Internet and network permissions for known programs. If you enable the interactive mode, it will pop up a query every time a new program attempts access.

 

These are not always bad, but AVG is just informing you of actions taken - The settings can be altered.

 

Extra - You may need to click on "Skip this Ad" if it pops up in my link -

 

With your Comodo, the same items may have been blocked, but AVG fully records these, while others may also have blocked them but the report was just not as detailed -

 

Thank You -

EDIT - Please note your first few IP's listed in the screen shot. Your computer is talking to itself -

Definition: The IP address 192.168.1.254 is the default for certain home broadband routers and broadband modems, including

  • some 3Com OfficeConnect routers
  • Netopia / Cayman Internet gateways
  • Billion ADSL routers
  • Linksys SRW2024 managed switches
  • Westell modems for Bellsouth DSL Internet service in the U.S.

Edited by noknojon, 05 June 2013 - 11:26 PM.


#3 Bennn

  • Topic Starter
  • Members
  • 7 posts

Posted 05 June 2013 - 11:27 PM

Hi noknojon, thanks for the response!

 

My current Firewall setting is Automatic. Unless I've misunderstood you, your response suggested the reason for so many entries is down to the "interactive mode"?

 

Are you also able to help me with my question at the end? "It'd also be great if someone could give a brief explanation of the different categories of the firewall log shown above."



#4 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 05 June 2013 - 11:51 PM

Hi -

I would be pleased to detail any part of the log, but I have listed a few details below. Please be specific on
Can you please list the parts of the logs you wish explained - Most are logical in description -

Event Time - Application - Log Action - User - PID - Direction - Protocol - Remote Port - Local Port - Remote IP - Local IP

(Logical item / What area / What is done / None/Automatic / Etc / Etc)

 

If you wish details on a particular item, please specify the item or items, and I can give details on that -

 

Thank You -



#5 Bennn

  • Topic Starter
  • Members
  • 7 posts

Posted 06 June 2013 - 12:03 AM

I'm unfamiliar with "PID" - I'd greatly appreciate if you could explain this in simple terms please.

 

As for the outward bound connections - e.g. 92.242.144.50 - Is my firewall blocking my computer from connecting to potentially malicious addresses?

 

Please forgive my ignorance; whilst I'm familiar with computer security I feel my knowledge is still somewhat limited.



#6 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 06 June 2013 - 12:22 AM

There is a full page on Wiki HERE for you to read -
The very basics are copied below --->
A proportional-integral-derivative controller (PID controller) is a generic control loop feedback mechanism (controller) widely used in industrial control systems. A PID controller calculates an "error" value as the difference between a measured process variable and a desired setpoint. The controller attempts to minimize the error by adjusting the process control inputs.

 

This means that it keeps an eye on things and calculates an "error" value, then attempts to minimize the error.

 

Very Simple Description, and it has been converted to computer controls (In and Out) -

A familiar example of a control loop is the action taken when adjusting hot and cold faucets (valves) to maintain the water at a desired temperature.... In this case, it is Inlet and Outlet to your Computer.

 

Any better ?

EDIT - If you use Facebook, this may also be another reason for that list and some IPs -


Edited by noknojon, 06 June 2013 - 01:18 AM.


#7 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 06 June 2013 - 12:27 PM

I'm unfamiliar with "PID" - I'd greatly appreciate if you could explain this in simple terms please.

 

As for the outward bound connections - e.g. 92.242.144.50 - Is my firewall blocking my computer from connecting to potentially malicious addresses?

 

Please forgive my ignorance; whilst I'm familiar with computer security I feel my knowledge is still somewhat limited.

 

PID stands for Process ID. Every process (running program) in Windows has a number, the PID. According to your logs, SYSTEM has PID 4 (it's the same on my machine).

https://en.wikipedia.org/wiki/Process_identifier

 

The fact that you have many entries is no surprise, when I see that the firewall is also blocking local ICMP packets. You know what ping is? It uses ICMP packets.

 

But I'm very confused by the packets with IP address 92.242.144.50. There's a contradiction in your log that I can't explain.

The protocol for these packets is IPv6, and the IP addresses are IPv4. That's not possible.

IPv6 packets use IPv6 addresses, and IPv4 packets use IPv4 addresses.

An IPv4 address is 4 bytes long, like this: 92.242.144.50

An IPv6 address is 16 bytes long, like this: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

 

Maybe someone has an explanation.


Edited by Didier Stevens, 06 June 2013 - 12:35 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 06 June 2013 - 02:12 PM

Update: I clicked on your screenshot, and now I see that the protocol is IGMP, not ICMP.

 

That's your router sending out an IGMP broadcast every minute, it's not something to worry about.

https://en.wikipedia.org/wiki/Internet_Group_Management_Protocol


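Didier Stevens makes two checkable points above: a log entry whose Protocol column says IPv6 while both addresses are IPv4 cannot be right (an IPv4 address is 4 bytes, an IPv6 address 16), and a router sending IGMP every minute explains a steady stream of entries. The Python below is an added example, not code from the thread or from AVG. It assumes a semicolon-separated export in the column order noknojon listed (Event Time, Application, Log Action, User, PID, Direction, Protocol, Remote Port, Local Port, Remote IP, Local IP); the log lines are constructed for illustration, and the 60-second interval and tolerance are assumed values.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the column order from the thread; values are illustrative,
# not copied from the screenshot. One "IPv6" entry deliberately carries IPv4 addresses.
SAMPLE_LOG = """\
2013-06-05 22:30:12;Filter Device;Block;SYSTEM;4;In;IGMP;0;0;192.168.1.254;192.168.1.10
2013-06-05 22:31:12;Filter Device;Block;SYSTEM;4;In;IGMP;0;0;192.168.1.254;192.168.1.10
2013-06-05 22:32:12;Filter Device;Block;SYSTEM;4;In;IGMP;0;0;192.168.1.254;192.168.1.10
2013-06-05 22:32:40;svchost.exe;Block;SYSTEM;1032;Out;IPv6;443;51234;92.242.144.50;192.168.1.10
2013-06-05 22:33:12;Filter Device;Block;SYSTEM;4;In;IGMP;0;0;192.168.1.254;192.168.1.10
2013-06-05 22:33:50;svchost.exe;Block;SYSTEM;1032;Out;UDP;53;51235;2001:db8::53;2001:db8::10
"""

COLUMNS = ["time", "application", "action", "user", "pid", "direction",
           "protocol", "remote_port", "local_port", "remote_ip", "local_ip"]


def parse_log(text):
    """Turn the semicolon-separated export (assumed format) into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = dict(zip(COLUMNS, line.split(";")))
        entry["time"] = datetime.strptime(entry["time"], "%Y-%m-%d %H:%M:%S")
        entry["pid"] = int(entry["pid"])
        entries.append(entry)
    return entries


def address_version(ip):
    """4 for a 4-byte IPv4 address, 6 for a 16-byte IPv6 address; raises on garbage."""
    return ipaddress.ip_address(ip).version


def inconsistent_entries(entries):
    """Entries whose Protocol column claims an IP version the addresses contradict."""
    bad = []
    for e in entries:
        proto = e["protocol"].upper()
        if proto not in ("IPV4", "IPV6"):
            continue  # TCP/UDP/IGMP rows say nothing about the address family
        claimed = 4 if proto == "IPV4" else 6
        actual = {address_version(e["remote_ip"]), address_version(e["local_ip"])}
        if actual != {claimed}:
            bad.append(e)
    return bad


def periodic_sources(entries, protocol="IGMP", expected_gap=60, tolerance=5):
    """Per remote IP for one protocol: (entry count, whether entries arrive every ~expected_gap s)."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["protocol"].upper() == protocol.upper():
            by_ip[e["remote_ip"]].append(e["time"])
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = bool(gaps) and all(abs(g - expected_gap) <= tolerance for g in gaps)
        result[ip] = (len(times), regular)
    return result


def summarize(entries):
    """Count entries by (application, protocol, direction) to see what dominates the log."""
    return Counter((e["application"], e["protocol"], e["direction"]) for e in entries)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in inconsistent_entries(log):
        print("protocol/address mismatch:", e["time"], e["protocol"], e["remote_ip"])
    print("periodic IGMP sources:", periodic_sources(log))
    print("summary:", summarize(log))
```

With the sample above the mismatch check flags only the 92.242.144.50 row, and the IGMP check reports 192.168.1.254 (a private address, the router) hitting the log once a minute, which is the benign pattern Didier Stevens describes rather than something to chase.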


#9 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 06 June 2013 - 02:23 PM

After the process has terminated, Windows can reuse the PID for a different or unrelated process except for SYSTEM process which uses PID 4 and SYSTEM IDLE process which uses PID 0. As such, the PID for other processes is not static and can change with each logon. However, PIDs generally stay nearly the same because they are always running services.

To view the PID in Windows Task Manager:
1. Open Windows Task Manager and click the Processes tab.
2. Click View in the top menu and choose Select Columns...
3. Place a check mark in the box next to PID (Process identifier)
4. Click OK.

To view PID and memory usage from a command prompt, press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: cmd
Click OK or press Enter.
At the command prompt type: tasklist >c:\taskList.txt
press Enter.

To retrieve the output file, press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: C:\taskList.txt
Click OK or press Enter to view the list of processes
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

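To tie a PID from the firewall log back to a process name the way quietman7 describes, the following Python (an added example, not code from the thread or from AVG) parses the output of `tasklist /FO CSV /NH` (the same tool as in his steps; `/FO CSV` and `/NH` are real switches that give header-less CSV) and applies his caveat that Windows can reuse a PID once the process has exited: only PID 0 and PID 4, which are fixed, are resolved when the tasklist snapshot and the log entry are far apart in time. The tasklist output shown is a constructed stand-in, and `max_skew` is an assumed threshold.

```python
import csv
import io
from datetime import datetime, timedelta

# Real tasklist invocation for header-less CSV; runs on Windows only, so the
# constructed sample below stands in for its output here.
TASKLIST_CMD = "tasklist /FO CSV /NH"

# Constructed stand-in for tasklist CSV output:
# Image Name, PID, Session Name, Session#, Mem Usage
SAMPLE_TASKLIST = """\
"System Idle Process","0","Services","0","24 K"
"System","4","Services","0","1,204 K"
"svchost.exe","1032","Services","0","18,540 K"
"notepad.exe","2210","Console","1","9,876 K"
"""

# PIDs that quietman7 notes never change between boots.
FIXED_PIDS = {0: "System Idle Process", 4: "System"}


def parse_tasklist(text):
    """Map PID -> {"name", "mem_kb"} from tasklist's CSV output."""
    table = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue
        name, pid, _session, _session_no, mem = row[:5]
        # "18,540 K" -> 18540
        mem_kb = int(mem.replace(",", "").split()[0])
        table[int(pid)] = {"name": name, "mem_kb": mem_kb}
    return table


def resolve_pid(pid, snapshot, snapshot_time, event_time, max_skew=timedelta(minutes=5)):
    """Name for a log entry's PID, or None when the snapshot cannot be trusted.

    Fixed PIDs resolve regardless of timing. Any other PID may have been reused
    since the log entry was written, so it is resolved only when the snapshot was
    taken within max_skew (assumed threshold) of the event.
    """
    if pid in FIXED_PIDS:
        return FIXED_PIDS[pid]
    if abs(snapshot_time - event_time) > max_skew:
        return None
    proc = snapshot.get(pid)
    return proc["name"] if proc else None


if __name__ == "__main__":
    snap = parse_tasklist(SAMPLE_TASKLIST)
    taken = datetime(2013, 6, 5, 22, 33, 0)  # constructed snapshot time
    for pid, when in [(4, datetime(2013, 6, 5, 10, 0, 0)),
                      (1032, datetime(2013, 6, 5, 22, 32, 40)),
                      (1032, datetime(2013, 6, 5, 12, 0, 0))]:
        print(pid, when, "->", resolve_pid(pid, snap, taken, when))
```

The design point is the None result: a svchost.exe PID seen in a log entry from hours earlier is not resolved from a fresh snapshot, because the number may by then belong to a different process, whereas PID 4 is always SYSTEM as the thread says.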

#10 Bennn

  • Topic Starter
  • Members
  • 7 posts

Posted 06 June 2013 - 04:06 PM

Thanks for all the answers! A couple of questions:

 

- What I don't understand is why my firewall is blocking all this activity? Why is it blocking an IGMP broadcast?

- Why is my firewall occasionally blocking svchost.exe?

- What does "Filter Device" mean?

avgfirewalllog2.png

 

I appreciate any help. Like I said, my understanding is very limited so whilst these questions may be trivial, any answers you give will certainly broaden my understanding.



#11 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 10 June 2013 - 02:10 AM

Hello -
Again, please see my first post - "These are not always bad, but AVG is just informing you of actions taken" -

Some Firewalls just have a more detailed report than others. Yours is a very detailed report, but nothing in it seems to be bad, or Didier Stevens would have picked it up when he was looking at it.
From a few listed items, I may be wrong, but you seem to be in "England" or you may have contact with someone there ??

Taken from --> AVG Firewall 821: I have full log of "Filter device" records. What does it mean?
All denied requests to system services and requests for applications that do not have their Allow for safe and Allow for all rules in the AVG Firewall are logged as FilterDevice. The record means that there was an attempt to contact a system service from inside or outside of the PC. It was allowed/denied according to your AVG Firewall rules.

 

This lists all (or most) Firewall settings, and I hope that it covers most questions. Always post back if you still need more information -



#12 Bennn

  • Topic Starter
  • Members
  • 7 posts

Posted 14 June 2013 - 03:11 AM

Thank you very much, noknojon! I've read up a little more, and in combination with the answers you've provided, feel satisfied with my level of understanding.

 

One final question for now: I've just recently found out there are still traces of my old AV (Comodo) on my computer. When removing it, I only used the Add/Remove Programme feature (as I was unaware other steps were required). Are you able to guide me in the steps I need to take in order to completely remove Comodo, despite there being no searchable traces/items in the Add/Remove List?

 

Thanks in advance for any help.



#13 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 14 June 2013 - 04:43 AM

I have left options for you to look through, and they are all good -

I think this is what you're looking for: From Comodo -
http://forums.comodo.com/install-setup-configuration-help-cis/cleanup-tool-for-comodo-internet-security-t36499.0.html

 

Uninstallers lists from Bleeping Computer -
http://www.bleepingcomputer.com/forums/t/224915/list-of-antivirus-uninstallers-and-removal-tools/#entry1252913





