Question about Event ID 2011 in my Firewall log


6 replies to this topic

#1 HairyApricot


Posted 05 March 2017 - 12:53 PM

Was just checking through some logs today when I saw the following: 

 

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
 
Reason: The application is a system service
Application Path: C:\windows\system32\lsass.exe
IP Version: IPv4
Protocol: TCP
Port: 49155
Process Id: 760
User: SYSTEM
 
Now this seems to appear consistently just after the PC is turned on, and only once. It's the first thing to appear in the Firewall log for a given day. Looking through the logs, it goes back 8 months. No logs older than that. Now I haven't seen any network activity from Lsass.exe, bar the times when it's involved in SSL authentication, e.g. with addresses like 93.184.220.29, and that only happens once every few days.
 
I have had my system looked at in the past half year, so it's not malware or anything like that. My question is what is causing the event? No connections are being attempted, so is it just telling me that it's blocking it from being able to accept any? I have never been notified of this by Windows Firewall, even on the days that the event does not happen. Any help is appreciated.
 
Thanks :)

Edited by hamluis, 06 March 2017 - 10:15 AM.
Moved from Win 7 to Firewalls - Hamluis.




#2 Didier Stevens


Posted 11 March 2017 - 05:53 AM

Is this Windows 7?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security


#3 Didier Stevens


Posted 11 March 2017 - 05:58 AM

 

No connections are being attempted, so is it just telling me that it's blocking it from being able to accept any?

 

 

Yes. The program tries to open port 49155 to listen on it, and the Windows firewall prevents this. Probably because the network you connect to has been labeled as public.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security
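
A way to check the points raised in this answer, as an added example that is not from any participant in the thread: PowerShell that lists the Event ID 2011 records, shows the active firewall profile, and checks whether the ports named in those events are listening now. It assumes the English message layout quoted in the first post and English `netstat` output; `Get-Field` is a hypothetical helper defined here.

```powershell
# Added example. Assumes the English "Name: value" message layout quoted
# in the first post of this thread.
$logName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

# Hypothetical helper: return the value of one "Name: value" line of a message.
function Get-Field([string]$Message, [string]$Name) {
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { $Matches[1] }
}

# 1. Collect recent Event ID 2011 records (listener blocked, no prompt shown).
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 2011 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue

# Where-Object drops the empty pipeline item older PowerShell passes for $null.
$rows = @($events | Where-Object { $_ } | ForEach-Object {
    New-Object PSObject -Property @{
        Time     = $_.TimeCreated
        App      = (Get-Field $_.Message 'Application Path')
        Protocol = (Get-Field $_.Message 'Protocol')
        Port     = (Get-Field $_.Message 'Port')
        Reason   = (Get-Field $_.Message 'Reason')
    }
})
$rows | Sort-Object Time | Format-Table Time, App, Protocol, Port, Reason -AutoSize

# 2. Which firewall profile is active right now? On Windows 7 the "Home" and
#    "Work" network locations both map to the Private profile.
netsh advfirewall show currentprofile

# 3. For each port named in those events, is anything listening on it now?
#    The last column of "netstat -ano" is the owning process ID.
$ports = $rows | ForEach-Object { $_.Port } | Where-Object { $_ } | Sort-Object -Unique
foreach ($port in $ports) {
    $listening = netstat -ano | Select-String -Pattern (':{0}\s.*LISTENING' -f $port)
    if ($listening) {
        $listening | ForEach-Object { $_.Line.Trim() }
    } else {
        "Port ${port}: no listener at the moment"
    }
}
```

Comparing the process ID in the `netstat` output with the "Process Id" field of the event ties a listener back to the application the firewall reported.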


#4 HairyApricot


Posted 11 March 2017 - 07:37 AM

Yes, it is Windows 7. I checked; my network is labelled as a home network. It still has 2 listings for ports as IPv4 unspecified and IPv6 unspecified for 49155.



#5 Didier Stevens


Posted 11 March 2017 - 03:13 PM

What listings?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security


#6 HairyApricot


Posted 19 March 2017 - 10:24 AM

Sorry for the late reply. I mistyped. Lsass.exe is listening on 49154 for an unspecified IPv4 AND IPv6 address.



#7 Didier Stevens


Posted 19 March 2017 - 02:04 PM

What do you mean by unspecified IPv4? 0.0.0.0?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security