
Digging down to the executable


6 replies to this topic

#1 IceCreamJones

  • Members
  • 9 posts
  • Gender:Male

Posted 28 April 2016 - 07:31 AM

Hi all,

 

I have a newish Windows 10 machine that I'm hardening.  I've disabled tiles to the best of my knowledge but something is still accessing the Internet when the machine is at rest.  If I run Wireshark with nothing else running, I can see connections to various IPs, notably (but not limited to) Akamai Technologies.  I tried Microsoft Network Monitor but the processes are marked as "unknown."  Can anyone recommend an application that can see the network traffic and then actually drill down to the program that's causing it?

 

Please note, just getting to something like "PID 4" is not going to cut it.  I need to see which specific program or service is causing the connection so I can kill it.

 

Thanks in advance!


Edited by IceCreamJones, 28 April 2016 - 07:32 AM.




#2 Agouti

  • Members
  • 1,548 posts

Posted 28 April 2016 - 07:44 AM

It's quite possible that the traffic you are seeing is caused by the telemetry that's built into Windows 10.  You can try the workarounds in the following 2 articles to see if they can stop the traffic:

Let me know how it goes.



#3 Guest_GNULINUX_*

  • Guests

Posted 28 April 2016 - 05:37 PM

Try CurrPorts from NirSoft to find out what processes are responsible, it's portable and free!

The download and different languages are at the bottom of the page.

 

You will not see the actual network traffic but the process (program exe) and connections are revealed...

Number one should be explorer.exe contacting home...

 

Hope this helps!  :wink:



#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 April 2016 - 07:52 PM

There are third party utilities that will allow you to manage, block, investigate and view detailed listings of all TCP and UDP endpoints on your system, including local/remote IP addresses, state of TCP connections and the process that opened the port:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 April 2016 - 07:54 PM

These are tools to investigate running processes, programs that run at startup, services and gather additional information to identify them or resolve problems:

#6 rp88

  • Members
  • 2,980 posts
  • Gender:Not Telling

Posted 02 May 2016 - 09:16 AM

Akamai is, I think, something of Microsoft's. So that would sound like telemetry; whether those other IP addresses are also for telemetry or something else I don't know.


I don't know enough to help you or advise you on finding what is doing the connecting, but if you find it I do have some advice for what to do next. If it is telemetry I wouldn't suggest deleting the executable, it might be an important part of your system. Better options would be those that can be reversed if they mess anything up, so for example in order of increasing desperation you could try: blocking it with your firewall, setting your router to refuse to make connections to those IP addresses, disabling startup tasks which cause those things to run, disabling scheduled tasks which cause them, disabling services that cause them, and if all else fails rename the executable used (this way Windows won't be able to recognise it and tell it to run, but if you ever do need it you can rename it back to its old name and have it working). Above all make sure to make a system image before trying any of these things; there are cases where methods as described there might help you get your system doing as you want it to do, but they could also cause problems. In case they do, make sure you can restore everything back to how it was before you did any of those things. Here's how: http://www.bleepingcomputer.com/tutorials/create-system-image-in-windows-7-8/

Edited by rp88, 02 May 2016 - 09:16 AM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
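The reversible steps rp88 lists above (firewall block, scheduled task, service, in that order), written out as an added PowerShell example that is not from this thread or from any of its posters. The router step is left out because it is done in the router's own interface. The executable path, rule name, task path/name and service name are placeholders for whatever your own trace identified; the cmdlets are the standard NetSecurity, ScheduledTasks and service cmdlets on Windows 8 / Server 2012 and later, run from an elevated prompt. Each function has its undo counterpart, so nothing here requires deleting a file.

```powershell
# Added example, not from the thread. Reversible ways to stop an identified program from
# connecting out, following rp88's order; each step is paired with its undo. All names
# below are placeholders: replace them with what your own trace identified.
# Run from an elevated prompt, and take a system image first, as rp88 advises.

$ExePath     = 'C:\Placeholder\Identified\Program.exe'   # placeholder path
$RuleName    = 'Block outbound - identified program'     # rule name of your choosing
$TaskPath    = '\Placeholder\'                           # placeholder scheduled-task folder
$TaskName    = 'PlaceholderTask'                         # placeholder task name
$ServiceName = 'PlaceholderService'                      # placeholder service name

function Block-ProgramOutbound {
    # Step 1: firewall rule scoped to one executable, outbound only. The file stays in place.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Program $ExePath `
        -Action Block -Profile Any -Enabled True | Out-Null
    # Show the rule back so you can confirm it is present and enabled.
    Get-NetFirewallRule -DisplayName $RuleName | Select-Object DisplayName, Enabled, Direction, Action
}
function Unblock-ProgramOutbound { Remove-NetFirewallRule -DisplayName $RuleName }

function Disable-LaunchingTask {
    # Step 2: disable the scheduled task that starts it. Find candidates first with:
    #   Get-ScheduledTask | Where-Object { $_.Actions.Execute -like '*Program.exe*' }
    Disable-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName | Select-Object TaskName, State
}
function Enable-LaunchingTask { Enable-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName | Out-Null }

function Disable-LaunchingService {
    # Step 3: stop and disable the service that hosts or starts it (reversible, unlike deletion).
    Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue
    Set-Service  -Name $ServiceName -StartupType Disabled
    Get-Service  -Name $ServiceName | Select-Object Name, Status, StartType
}
function Enable-LaunchingService {
    Set-Service   -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
}

# Start with the least invasive step and re-run your packet capture to confirm the
# traffic has stopped before moving on to the next one.
Block-ProgramOutbound
```

Work through the functions one at a time rather than running all three: if the firewall rule alone silences the traffic, there is no reason to touch the task or the service, and each undo function returns the machine to the previous state.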

#7 Didier Stevens

  • BC Advisor
  • 2,672 posts
  • Gender:Male

Posted 02 May 2016 - 02:32 PM

Are you just giving PID 4 as an example, or is it really PID 4? Because the process with ID 4 is the SYSTEM process.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
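An added PowerShell example, not from this thread or from any of its posters, that does what quietman7 describes in #4 (list every TCP connection and UDP endpoint with the process that owns it) and applies Didier Stevens' caveat from #7 (PID 4 is the System process, so it is labelled as such rather than looked up as an ordinary executable). It goes one step further than the thread by mapping svchost.exe hosts to the Windows services running inside them, which is what the original poster needed beyond a bare PID. It assumes Windows 8 / Server 2012 or later (the NetTCPIP cmdlets) and an elevated prompt so that process paths are readable; loopback and listening-only entries are filtered out because they are not "something reaching the Internet".

```powershell
# Added example, not from the thread. Lists TCP connections and UDP endpoints with the
# process behind each one. Run from an elevated PowerShell prompt on Windows 8 / Server 2012
# or later so that process paths and service-to-PID mappings are fully visible.

# Service names keyed by PID, so that an svchost.exe host can be resolved to the
# service(s) actually living in it (an addition beyond what the thread describes).
$ServicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object { $ServicesByPid[[int]$_.ProcessId] += @($_.Name) }

function Resolve-EndpointOwner {
    param([int]$ProcessId)
    # PID 4 is the System process (Didier Stevens' point in #7): kernel-mode components,
    # not a user-mode executable you could remove or rename.
    if ($ProcessId -eq 4) { return 'System (PID 4, kernel)' }
    if ($ProcessId -eq 0) { return 'Idle (no owner)' }
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { return "exited (PID $ProcessId)" }
    $label = $proc.ProcessName
    $svcs  = $ServicesByPid[$ProcessId]
    if ($svcs) { $label += ' [' + ($svcs -join ', ') + ']' }   # e.g. svchost [Dnscache, NlaSvc]
    if ($proc.Path) { $label += " <$($proc.Path)>" }            # empty when not elevated
    return $label
}

function Get-EndpointOwners {
    # TCP: skip listeners and loopback; those are not outbound Internet traffic.
    $tcp = Get-NetTCPConnection |
        Where-Object { $_.State -ne 'Listen' -and
                       $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0', '::') } |
        ForEach-Object {
            [pscustomobject]@{
                Proto  = 'TCP'
                Local  = "$($_.LocalAddress):$($_.LocalPort)"
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                State  = [string]$_.State
                PID    = $_.OwningProcess
                Owner  = Resolve-EndpointOwner $_.OwningProcess
            }
        }
    # UDP has no connection state; the bound endpoint tells you who is sending/receiving.
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto  = 'UDP'
            Local  = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = '*'
            State  = ''
            PID    = $_.OwningProcess
            Owner  = Resolve-EndpointOwner $_.OwningProcess
        }
    }
    @($tcp) + @($udp) | Sort-Object PID, Proto
}

# Run it with nothing else open, as the original poster did with Wireshark, and compare
# the Remote column against the addresses seen in the capture.
Get-EndpointOwners | Format-Table -AutoSize
```

The Owner column is the piece Wireshark and Network Monitor could not give the original poster: a shared svchost.exe entry shows the service names hosted in that PID, and an entry owned by PID 4 is flagged as the kernel rather than as a program that could be killed.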




