
Suspicious Firewall Rules

1 reply to this topic

#1 spenca57


Posted 15 March 2018 - 01:03 AM

Tonight, while considering improving my security policy for my Windows system, I decided to check the firewall rules to perhaps bolster them. When I did so I noticed some unusual rules that had recently been set. The rules had names like @{Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Windows.ContactSupport/Resources/appDisplayName} and @{Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName} and @{Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.PPIProjection/resources/ProductName}. They are inbound rules; I have attached screenshots below. What I thought was most unusual about these rules was that the local user owner was an unusual name like S-1-5-21-293847239847 (random sequence of numbers). I have seen similar suspicious accounts when checking the permissions on Linux ISOs I have downloaded. I have also included a screenshot of these. An unusual account named S-1-5-21-34817632187 has read permissions on every ISO I download. Is this normal? Could this be an IOC? If so, what can I do? I have attached screenshots of all of this; however, the screenshots in my posts seem to be disappearing for some reason. This is a bit off topic, but what is the best way to improve my firewall security? I want to take the most aggressive stance possible, and I certainly don't mind if it's annoying, but I want as much security as possible from my firewall. Thanks for your time.


Edited by spenca57, 15 March 2018 - 01:10 AM.



#2 MZOP


Posted 17 September 2018 - 10:48 PM

You can always block them and unblock if issues arise. 

S-x-x-xx-xxxxxxxxxxx is called a SID.
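The checks both posts circle around (what package a rule named `@{...}` belongs to, and which account an `S-1-5-21-...` owner SID maps to) can be done from PowerShell. The script below is an added example written for this thread, not code from either poster; it assumes Windows 10 with the NetSecurity and Appx modules and an elevated prompt so that `Get-AppxPackage -AllUsers` can see every user's packages.

```powershell
# Added example (not from the thread): list the inbound firewall rules that Windows
# creates for packaged (Store) apps, check whether the package a rule refers to is
# actually installed, and translate the rule's Owner SID into an account name.

function Resolve-Sid {
    param([string]$Sid)
    if (-not $Sid) { return $null }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # SIDs with no account behind them (deleted profiles, capability SIDs)
        return '<unresolved>'
    }
}

function Get-AppFirewallRuleReport {
    # Build a lookup of installed package full names once instead of per rule
    $installed = @{}
    Get-AppxPackage -AllUsers | ForEach-Object { $installed[$_.PackageFullName] = $true }

    Get-NetFirewallRule -Direction Inbound |
        Where-Object { $_.DisplayName -like '@{*' } |
        ForEach-Object {
            # "@{Name_Ver_Arch_Res_Pub?ms-resource://...}" -> "Name_Ver_Arch_Res_Pub",
            # which is the PackageFullName format used by Get-AppxPackage
            $pkg = ($_.DisplayName -replace '^@\{', '') -replace '\?.*$', ''
            [pscustomobject]@{
                Rule      = $_.Name
                Package   = $pkg
                Installed = $installed.ContainsKey($pkg)
                Enabled   = $_.Enabled
                Action    = $_.Action
                Profile   = $_.Profile
                OwnerSid  = $_.Owner
                Owner     = Resolve-Sid $_.Owner
            }
        }
}

Get-AppFirewallRuleReport | Format-Table -AutoSize

# The same translation can be applied to an ACL entry that shows only a raw SID;
# the path is a placeholder, substitute the file you are checking.
(Get-Acl 'C:\Users\Public\Downloads\example.iso').Access |
    Select-Object @{ n = 'Account'; e = {
        $v = $_.IdentityReference.Value
        if ($v -like 'S-1-*') { Resolve-Sid $v } else { $v }
    } }, FileSystemRights, AccessControlType
```

A rule whose package is not installed, or whose owner resolves to an account you do not recognise, is the one worth looking at further; rules whose package is present and whose owner is your own user account are the expected result.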





