
Win 8 firewall rules.


  • This topic is locked
11 replies to this topic

#1 Lisamichele

Lisamichele

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 21 January 2016 - 04:25 PM

I have just done a factory restore on this machine. Could someone tell me if these whitelisted rules produced by "FRST" are normal/typical? Thank you.

 

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{7F2A9F33-5DF3-4C74-B089-634CBCC640CF}] => (Allow) C:\Users\Administrator\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{A12436B0-723C-4159-895E-093104FE096B}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{FAC5731B-2675-4D93-9FD4-DE8C04ABF09D}] => (Allow) LPort=2869
FirewallRules: [{241CA93A-09D1-43F6-8B00-667845E3EC85}] => (Allow) LPort=1900
FirewallRules: [{62BB807A-4500-408C-B0EA-6D44F6DD1160}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
FirewallRules: [{C61273DC-1F31-41D5-AD4E-A3DC2F7447CC}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
FirewallRules: [{0D364BFF-3A8F-4B22-8843-2FA75478E796}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
FirewallRules: [{B467AF7C-14BF-4446-8B7D-15F16808F9CA}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
FirewallRules: [{E4688DC2-F544-47E3-9955-4581E475285F}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
FirewallRules: [{996C1E3C-9D83-4C41-A375-F81EBC5E8833}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
FirewallRules: [{653D3B9F-C33B-408D-B958-8B554DE7947F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{D3DF59C6-BB18-4185-837F-2F07ADF48C53}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{DC6DE25F-1BC3-4F39-B673-E83882B2442F}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{A046141E-0637-408D-80E1-EE5C173E3452}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{FCD2A94B-F59F-431A-A654-CABBCFA73412}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD10.EXE
FirewallRules: [{8628D8EB-B9E7-42B2-A8F9-DBEBB238940C}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{993D1F47-6F23-450F-969C-8ADD3EA69BEF}] => (Allow) LPort=53000
FirewallRules: [{1C359C01-505C-4FFF-B3B3-45DC42C5D132}] => (Allow) LPort=52000




 


#2 Lisamichele

Lisamichele
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 21 January 2016 - 05:39 PM

I question the VM open port mainly. All machines I own are basic home use machines.



#3 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:20 AM

Posted 21 January 2016 - 05:41 PM

Those look like either defaults or software that's allowed to connect out.


How Can I Reduce My Risk to Malware?


#4 Lisamichele

Lisamichele
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 21 January 2016 - 05:48 PM

I wonder why the vm nb would be open by default?



#5 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:20 AM

Posted 21 January 2016 - 06:12 PM

NetBios session is for file/printer sharing between machines on a local network.


How Can I Reduce My Risk to Malware?


#6 Lisamichele

Lisamichele
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 21 January 2016 - 06:16 PM

So if Home network is chosen during setup this port is open allowing outbound traffic? Assuming that is correct, what does vm have to do with it when there should be no VMs?



#7 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:20 AM

Posted 21 January 2016 - 08:44 PM

Local traffic on your LAN, not over the internet. Maybe it's referring to some HP installed software? Not sure really. It doesn't mean it's exposed or connecting out to the internet.

 

If you want you can open up a cmd prompt and type in netstat -ano

to get active TCP/UDP connections, ports, states and PIDs.

Then tasklist /svc to match the PID to the process for port 139

 


How Can I Reduce My Risk to Malware?
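The two-step check described in the reply above (netstat -ano for sockets and PIDs, tasklist /svc for the process and service behind each PID) can be automated so the FRST "LPort=" rules from the first post are matched against what is actually listening. The script below is an added example and is not part of the thread; it runs on constructed sample output whose layout matches the three tools, and the port descriptions in PORT_NOTES are general knowledge about those well-known ports, not a claim about this particular machine.

```python
import re

# Constructed sample inputs (not from the poster's machine). The formats match
# FRST's "FirewallRules (Whitelisted)" lines, "netstat -ano" and "tasklist /svc".
FRST_SAMPLE = [
    "FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139",
    "FirewallRules: [{FAC5731B-2675-4D93-9FD4-DE8C04ABF09D}] => (Allow) LPort=2869",
    "FirewallRules: [{241CA93A-09D1-43F6-8B00-667845E3EC85}] => (Allow) LPort=1900",
    r"FirewallRules: [{653D3B9F-C33B-408D-B958-8B554DE7947F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe",
]

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49700     203.0.113.5:443        ESTABLISHED     3120
  UDP    0.0.0.0:1900           *:*                                    2440
  UDP    0.0.0.0:5353           *:*                                    1588
""".splitlines()

TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    820 RpcEptMapper, RpcSs
svchost.exe                   2440 SSDPSRV
mDNSResponder.exe             1588 Bonjour Service
SkyDrive.exe                  3120 N/A
""".splitlines()

# Well-known meanings of the ports that appear in the FRST rules above.
PORT_NOTES = {
    139: "NetBIOS session service (SMB file/printer sharing on the LAN)",
    1900: "SSDP (UPnP discovery)",
    2869: "UPnP device host",
    5353: "mDNS (Bonjour)",
}

FRST_RE = re.compile(r"^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>Allow|Block)\) (?P<target>.+)$")
NETSTAT_RE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
                        r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_frst_rules(lines):
    """Return ({port: rule_name} for Allow LPort rules, [(rule_name, program_path)])."""
    port_rules, program_rules = {}, []
    for line in lines:
        m = FRST_RE.match(line.strip())
        if not m or m["action"] != "Allow":
            continue
        target = m["target"]
        if target.startswith("LPort="):
            port_rules[int(target[len("LPort="):])] = m["name"]
        else:
            program_rules.append((m["name"], target))
    return port_rules, program_rules


def parse_netstat(lines):
    """Return one dict per TCP/UDP row of 'netstat -ano'; UDP rows have no state."""
    rows = []
    for line in lines:
        m = NETSTAT_RE.match(line.rstrip())
        if not m:
            continue
        local = m["local"]
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with IPv6 like [::]:139
        rows.append({"proto": m["proto"], "local": local, "port": port,
                     "state": m["state"] or "", "pid": int(m["pid"])})
    return rows


def parse_tasklist(lines):
    """Return {pid: (image, [services])} from 'tasklist /svc'. Long service lists
    wrap onto indented continuation lines, which are appended to the previous entry."""
    procs, last_pid = {}, None
    for line in lines:
        if not line.strip() or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:  # continuation line
            procs[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = TASKLIST_RE.match(line.rstrip())
        if not m:
            continue
        pid = int(m["pid"])
        raw = m["services"].strip()
        services = [] if raw == "N/A" else [s.strip() for s in raw.split(",") if s.strip()]
        procs[pid] = (m["image"], services)
        last_pid = pid
    return procs


def correlate(frst_lines, netstat_lines, tasklist_lines):
    """For every allowed LPort rule, list the sockets bound to that port and their owner.
    Returns {port: {"rule": name, "note": str, "sockets": [row + image/services]}}."""
    port_rules, _ = parse_frst_rules(frst_lines)
    sockets = parse_netstat(netstat_lines)
    procs = parse_tasklist(tasklist_lines)
    result = {}
    for port, rule in sorted(port_rules.items()):
        matches = []
        for s in sockets:
            if s["port"] != port:
                continue
            image, services = procs.get(s["pid"], ("<unknown>", []))
            matches.append({**s, "image": image, "services": services})
        result[port] = {"rule": rule, "note": PORT_NOTES.get(port, ""), "sockets": matches}
    return result


def report(result):
    for port, info in result.items():
        print(f"port {port}  rule {info['rule']!r}  {info['note']}")
        if not info["sockets"]:
            print("    allowed by the firewall, but nothing is currently bound to it")
        for s in info["sockets"]:
            svc = ", ".join(s["services"]) or "-"
            print(f"    {s['proto']} {s['local']} {s['state'] or '-'} pid={s['pid']} {s['image']} [{svc}]")


if __name__ == "__main__":
    report(correlate(FRST_SAMPLE, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

On a real machine you would paste the actual output of the two commands into the sample strings (or read it from files). The point the output makes is the one the reply makes in words: port 139 is owned by PID 4 (System), which is the kernel's SMB server, and a rule that allows a port says nothing about whether anything is bound to it right now, as the 2869 entry shows.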


#8 Lisamichele

Lisamichele
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 21 January 2016 - 09:42 PM

Used Currports already. No way a factory restored machine could have the info it gave.

 

Nah.....It's creating some kind of vm during setup. As I said in op, I just did a factory restore using defaults. The embedded Norton product gives some interesting info in full history.


Edited by Lisamichele, 21 January 2016 - 09:46 PM.


#9 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:20 AM

Posted 22 January 2016 - 08:21 AM

I think factory restored just means back to the "state when it was purchased."

 

Commercially purchased machines come with all kinds of software/bloatware already installed so I wouldn't be too surprised to see lots of activity in Currports, as opposed, that is, to a machine that was reformatted and just the OS reinstalled.


How Can I Reduce My Risk to Malware?


#10 Lisamichele

Lisamichele
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 23 January 2016 - 06:51 PM

I have a Win 7 machine that has been cleanly re-installed using a purchased disk that shows the same only it is using generic devices instead of say, HP, or Apple devices.



#11 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:20 AM

Posted 24 January 2016 - 11:26 AM

You mean shows the same thing in a FRST log:  FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139


How Can I Reduce My Risk to Malware?


#12 Lisamichele

Lisamichele
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 24 January 2016 - 11:56 PM

Can't swear it was from a "FRST" log. Let me check and will try to post.
