Question about Event ID 2011 in my Firewall log


10 replies to this topic

#1 HairyApricot
  • Members
  • 197 posts
Posted 05 March 2017 - 12:53 PM

I was just checking through some logs today when I saw the following:

 

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
 
Reason: The application is a system service
Application Path: C:\windows\system32\lsass.exe
IP Version: IPv4
Protocol: TCP
Port: 49155
Process Id: 760
User: SYSTEM
 
Now this seems to appear consistently just after the PC is turned on, and only once. It's the first thing to appear in the Firewall log for a given day. Looking through the logs, it goes back 8 months. No logs older than that. Now I haven't seen any network activity from lsass.exe, bar the times when it's involved in SSL authentication, e.g. with addresses like 93.184.220.29, and that only happens once every few days.

I have had my system looked at in the past half year, so it's not malware or anything like that. My question is what is causing the event? No connections are being attempted, so is it just telling me that it's blocking it from being able to accept any? I have never been notified of this by Windows Firewall, even on the days that the event does not happen. Any help is appreciated.
 
Thanks :)

Edited by hamluis, 06 March 2017 - 10:15 AM.
Moved from Win 7 to Firewalls - Hamluis.




#2 Didier Stevens
  • BC Advisor
  • 2,483 posts

Posted 11 March 2017 - 05:53 AM

Is this Windows 7?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP


#3 Didier Stevens
  • BC Advisor
  • 2,483 posts

Posted 11 March 2017 - 05:58 AM

 

HairyApricot wrote:
    No connections are being attempted, so is it just telling me that it's blocking it from being able to accept any?

Yes. The program tries to open port 49155 to listen on it, and the Windows firewall prevents this. Probably because the network you connect to has been labeled as public.


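As an added example (not code from this thread or from either poster), here is the check a practitioner would run to confirm the explanation in post #3: pull the event 2011 entries, see which firewall profile is active, and compare the event's path, account and port with what is listening right now. The log name, the event ID, the netstat and netsh output formats and the 49152-65535 default dynamic port range are real; the "expected shape" for an lsass.exe listener and the parsing helpers are this example's own assumptions.

```powershell
# Added example; not code from the thread. Triage Windows Firewall event 2011 against the
# live listener table. Run from an elevated PowerShell prompt on Windows 7 or later.
# The log name, event ID, netstat/netsh output formats and the 49152-65535 default dynamic
# port range are real; the "expected shape" checks are this example's assumptions.

$log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

# The order of fields in $event.Properties differs between builds, so parse the rendered
# message text instead (the same text the original post quotes).
function Parse-Event2011 {
    param([string]$Message)
    $fields = @{}
    foreach ($name in 'Reason', 'Application Path', 'IP Version', 'Protocol', 'Port', 'Process Id', 'User') {
        $pattern = '(?m)^\s*' + [regex]::Escape($name) + ':\s*(.+?)\s*$'
        if ($Message -match $pattern) { $fields[$name] = $Matches[1] }
    }
    New-Object PSObject -Property $fields
}

# netstat -ano rather than Get-NetTCPConnection, which does not exist on Windows 7.
function Get-Listeners {
    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = $f[4] } else { $state = ''; $owner = $f[3] }
        New-Object PSObject -Property @{ Proto = $f[0]; Local = $f[1]; State = $state; OwnerPid = [int]$owner }
    }
}

# Which profile is active matters: post #3 suspects the block comes from a Public profile.
netsh advfirewall show currentprofile | Where-Object { $_ -match 'Profile Settings|^State' }

$listeners = Get-Listeners
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2011 } -MaxEvents 20 -ErrorAction SilentlyContinue

$results = foreach ($ev in $events) {
    $p      = Parse-Event2011 $ev.Message
    $port   = [int]$p.Port
    $procId = [int]$p.'Process Id'

    # Expected shape for the event quoted in the thread (assumption of this example):
    # lsass.exe from System32, running as SYSTEM (or its well-known SID S-1-5-18 if the
    # log renders the account that way), on a port inside the default dynamic range that
    # "netsh int ipv4 show dynamicport tcp" reports.
    $pathOk = $p.'Application Path' -eq (Join-Path $env:SystemRoot 'system32\lsass.exe')
    $userOk = @('SYSTEM', 'S-1-5-18') -contains $p.User
    $portOk = ($port -ge 49152) -and ($port -le 65535)

    # Is the port still held now, and by the same image? PIDs are reused across boots, so
    # the PID comparison only means something for events from the current session.
    $now  = $listeners | Where-Object { $_.Proto -eq $p.Protocol -and $_.Local -match (':' + $port + '$') }
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $sameImage = ($proc -ne $null) -and ($proc.Path -eq $p.'Application Path')

    New-Object PSObject -Property @{
        Time         = $ev.TimeCreated
        Port         = $port
        ProcessId    = $procId
        Path         = $p.'Application Path'
        PathOk       = $pathOk
        UserOk       = $userOk
        DynamicPort  = $portOk
        ListeningNow = [bool]$now
        SameImage    = $sameImage
        Verdict      = $(if ($pathOk -and $userOk -and $portOk) { 'expected lsass.exe listener' } else { 'INVESTIGATE' })
    }
}

$results | Format-Table Time, Port, ProcessId, Path, PathOk, UserOk, DynamicPort, ListeningNow, SameImage, Verdict -AutoSize
```

A row with PathOk, UserOk and DynamicPort all true matches the event quoted in the first post; ListeningNow and SameImage only mean something for events logged since the last boot, because the process ID in an older event may now belong to a different process. A path outside System32, a non-SYSTEM account, or a port outside the dynamic range is what would justify a closer look.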


#4 HairyApricot
  • Topic Starter
  • Members
  • 197 posts

Posted 11 March 2017 - 07:37 AM

Yes, it is Windows 7. I checked; my network is labelled as a home network. It still has 2 listings for ports as IPv4 unspecified and IPv6 unspecified for 49155.



#5 Didier Stevens
  • BC Advisor
  • 2,483 posts

Posted 11 March 2017 - 03:13 PM

What listings?




#6 HairyApricot
  • Topic Starter
  • Members
  • 197 posts

Posted 19 March 2017 - 10:24 AM

Sorry for the late reply. I mistyped. lsass.exe is listening on 49154 for an unspecified IPv4 AND IPv6 address.



#7 Didier Stevens
  • BC Advisor
  • 2,483 posts

Posted 19 March 2017 - 02:04 PM

What do you mean with unspecified IPv4? 0.0.0.0?




#8 HairyApricot
  • Topic Starter
  • Members
  • 197 posts

Posted 31 March 2017 - 07:45 AM

Sorry for the late reply. Yeah. Checked in TCPView, it says 0.0.0.0. What does that mean exactly?


Edited by HairyApricot, 31 March 2017 - 07:50 AM.


#9 Didier Stevens
  • BC Advisor
  • 2,483 posts

Posted 01 April 2017 - 02:23 AM

0.0.0.0 does not mean unspecified. It means that the port is opened for listening on all the IP addresses your computer has. This includes the loopback addresses 127.0.0.1/8.


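As an added example (not part of the thread, and not either poster's code), the difference post #9 describes can be seen with a throwaway listener: one bound to the 0.0.0.0 wildcard, one bound to 127.0.0.1, each probed from a local client on loopback and on the machine's own LAN address. Only .NET classes available to PowerShell 2.0 are used; the function and variable names are this example's own.

```powershell
# Added example; not code from the thread. Shows what a 0.0.0.0 listener means: a socket
# bound to the wildcard address accepts on every local IPv4 address, while one bound to
# 127.0.0.1 accepts on loopback only. Uses only .NET classes available to PowerShell 2.0;
# both listeners take an OS-chosen port and are closed before the script ends.

function Test-Listener {
    param(
        [System.Net.IPAddress]$BindAddress,      # address the listener binds to
        [System.Net.IPAddress[]]$ConnectTo       # addresses a local client tries to reach it on
    )
    $listener = New-Object System.Net.Sockets.TcpListener($BindAddress, 0)   # port 0: let the OS pick
    $listener.Start()
    $port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port
    try {
        foreach ($addr in $ConnectTo) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                # Connect() throws when nothing is listening on that address, which is what
                # happens for the LAN address when the listener is bound to 127.0.0.1 only.
                $client.Connect($addr, $port)
                $server = $listener.AcceptTcpClient()
                # The accepted socket reports the concrete local address the client used,
                # not the 0.0.0.0 wildcard the listener was bound to.
                $result = 'accepted on ' + $server.Client.LocalEndPoint
                $server.Close()
            } catch {
                $result = 'refused'
            } finally {
                $client.Close()
            }
            New-Object PSObject -Property @{
                Bound  = "$($BindAddress):$port"
                Target = "$addr"
                Result = $result
            }
        }
    } finally {
        $listener.Stop()
    }
}

# Targets: loopback plus the first non-loopback IPv4 address of this host, if it has one.
$loopback = [System.Net.IPAddress]::Loopback
$lan = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' -and -not [System.Net.IPAddress]::IsLoopback($_) } |
    Select-Object -First 1
$targets = @($loopback)
if ($lan) { $targets += $lan }

$results = @()
$results += Test-Listener -BindAddress ([System.Net.IPAddress]::Any) -ConnectTo $targets
$results += Test-Listener -BindAddress $loopback -ConnectTo $targets
$results | Format-Table Bound, Target, Result -AutoSize
```

The 0.0.0.0 listener accepts on both targets and the accepted socket reports 127.0.0.1 or the LAN address respectively, which is the point of post #9: the wildcard is not a single address, it is all of them. The 127.0.0.1 listener accepts only the loopback probe. If the LAN-address probe is refused even for the 0.0.0.0 listener, suspect the firewall (the situation event 2011 reports) rather than the bind.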


#10 HairyApricot
  • Topic Starter
  • Members
  • 197 posts

Posted 17 April 2017 - 01:35 PM

I take it that it's meant to be doing this. Again, apologies for the late reply.



#11 Didier Stevens
  • BC Advisor
  • 2,483 posts

Posted 18 April 2017 - 04:29 AM

No worries!






