4000 to 5000 TCP hits in my Firewall log??

We have a small office network (5 computers) and each has PC-cillin Internet Security 2006 installed. On 1 computer the firewall log is showing 4000 to 5000 entries every day. All of these are from the same computer on our network, all are directed to port 135. However, a virus scan of that computer comes up clean (with PC-cillin, McAfee's online scanner & MS's Malicious software tool). Can anyone tell me what is going on here? Is there anyway to stop it?

Some typical entries in the log are:

Type      Time     Protocol  Source IP Address  Source Port  Destination IP Address  Destination Port  Application Path                  Application Description                  Description
Firewall  0:00:17  TCP       192.168.1.154      2630         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:00:20  TCP       192.168.1.154      2630         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:00:26  TCP       192.168.1.154      2630         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:01:11  TCP       192.168.1.154      2633         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:01:14  TCP       192.168.1.154      2633         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:01:20  TCP       192.168.1.154      2633         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:02:05  TCP       192.168.1.154      2634         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:02:08  TCP       192.168.1.154      2634         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:02:14  TCP       192.168.1.154      2634         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched
Firewall  0:02:59  TCP       192.168.1.154      2635         192.168.1.100           135               C:\WINDOWS\SYSTEM32\SVCHOST.EXE   Generic Host Process for Win32 Services  Security rule matched

Thanks for any help,

Pdarrah

Reply to
pdarrah

Ports 135-139 and 445 are specific ports used by MS. Add a rule: allow tcp/udp $your-lan-address/24 ports 135-139,445, ignore, nolog.

E.g. 139/445 are used for file/print sharing.

Firewall 0:00:17 TCP 192.168.1.154 2630 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:00:20 TCP 192.168.1.154 2630 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:00:26 TCP 192.168.1.154 2630 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:01:11 TCP 192.168.1.154 2633 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:01:14 TCP 192.168.1.154 2633 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:01:20 TCP 192.168.1.154 2633 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:02:05 TCP 192.168.1.154 2634 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:02:08 TCP 192.168.1.154 2634 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:02:14 TCP 192.168.1.154 2634 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic
Firewall 0:02:59 TCP 192.168.1.154 2635 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic

Reply to
Jeff B

Hi Jeff - Does this mean that I shouldn't be concerned about this? The other computer isn't trying to "attack" this one? Why would this only be occurring on one machine on the network? The other 5 machines only have 100 to 200 ICMP entries each day - nothing like this....

Thanks,

pdarrah

Reply to
pdarrah

This is normal for MS, *BUT* you must enforce the access to only your LAN segment(s). ALL perimeter access *MUST* be denied!

see

formatting link

Reply to
Jeff B

see also

formatting link

Reply to
Jeff B

Thanks Jeff - I have read through the links you sent and I do see that traffic within the local network for port 135 could be "normal". What has me concerned, however, is that we are talking about 3 to 4 of these per minute. Each entry is identical except for the time logged and the "Source Port", which slowly increments up from 1025 to 4998 and then starts over again. It has been doing this for nearly 2 weeks (I just noticed the other day and have been trying to figure it out ever since!). It just looks like it is looking for a way to sneak in. The firewall is blocking it, but I assume this is using system resources, and if there is something wrong with the other PC (it seems to be running very slowly) I would like to fix it.

pdarrah

Reply to
pdarrah

This defines the behavior of a client application: these ports (better said, sockets) on the source machine, with 135 as the destination, or the 'well known' service that resides (if active) there.

Run every AV you have on the source machine.

That's the correct default behavior.

Not really (for the firewall, IF you disregard these and avoid logging).

Get these two tools installed on that machine and run them under the Admin account:

CurrPorts 1.03 at formatting link
will show which process is using specific port(s).

Process Explorer at formatting link
is a better task monitor: you can sort by task name and CPU usage and get detailed info on the task/threads. Right-click a process -> Properties and the details are just amazing.

Reply to
Jeff B
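An added example, not posted by anyone in this thread, that puts the advice above into code: it parses log lines in the format pdarrah posted, groups them into real connection attempts, and applies Jeff B's rule from the first reply (LAN/24 to ports 135-139 and 445: allow, nolog; the same ports from outside the LAN: deny). It also checks the pattern pdarrah describes (a slowly incrementing source port, 3 to 4 entries a minute): three hits from one source port at +0 s, +3 s and +9 s is the Windows TCP SYN retransmission schedule, so each source port is one blocked connect() from the client, not three probes. The LAN prefix 192.168.1.0/24 is assumed, and the sample log is the ten posted lines plus one constructed entry from a documentation address outside the LAN to exercise the deny branch.

```python
"""Summarise PC-cillin style firewall log lines for the port-135 pattern in this thread."""
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed office LAN segment
MS_PORTS = {135, 136, 137, 138, 139, 445}      # RPC endpoint mapper, NetBIOS, SMB

LINE_RE = re.compile(
    r"^Firewall\s+(?P<time>\d+:\d\d:\d\d)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<rest>.*)$"
)

# Constructed sample: the ten lines from the original post plus one made-up entry
# from outside the LAN (203.0.113.7 is a documentation address) to exercise the deny path.
SAMPLE_LOG = r"""
Firewall 0:00:17 TCP 192.168.1.154 2630 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:00:20 TCP 192.168.1.154 2630 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:00:26 TCP 192.168.1.154 2630 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:01:11 TCP 192.168.1.154 2633 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:01:14 TCP 192.168.1.154 2633 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:01:20 TCP 192.168.1.154 2633 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:02:05 TCP 192.168.1.154 2634 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:02:08 TCP 192.168.1.154 2634 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:02:14 TCP 192.168.1.154 2634 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:02:59 TCP 192.168.1.154 2635 192.168.1.100 135 C:\WINDOWS\SYSTEM32\SVCHOST.EXE Generic Host Process for Win32 Services Security rule matched
Firewall 0:03:30 TCP 203.0.113.7 40211 192.168.1.100 445 - - Security rule matched
"""


def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "t": to_seconds(m["time"]),
            "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        })
    return entries


def group_flows(entries):
    """One (proto, src, sport, dst, dport) tuple is one client connection attempt."""
    flows = defaultdict(list)
    for e in entries:
        flows[(e["proto"], e["src"], e["sport"], e["dst"], e["dport"])].append(e["t"])
    return flows


def is_syn_retry_triplet(times, slack=1):
    """Windows sends a SYN, retries after 3 s, then after a further 6 s
    (TcpMaxConnectRetransmissions=2), so a dropped connect() logs three hits
    at +0, +3, +9 s from the same source port."""
    if len(times) != 3:
        return False
    t0, t1, t2 = sorted(times)
    return abs((t1 - t0) - 3) <= slack and abs((t2 - t1) - 6) <= slack


def rule_for(e):
    """Jeff B's policy: Microsoft ports inside the LAN are allowed and not logged;
    the same ports from outside the LAN are denied and worth logging."""
    if e["dport"] not in MS_PORTS:
        return "default"           # leave to whatever other rules exist
    if e["src"] in LAN and e["dst"] in LAN:
        return "allow-nolog"
    return "deny-log"


def summarize(text):
    entries = parse_log(text)
    flows = group_flows(entries)
    span_min = max(1, (max(e["t"] for e in entries) - min(e["t"] for e in entries)) / 60)
    verdicts = defaultdict(int)
    for e in entries:
        verdicts[rule_for(e)] += 1
    return {
        "log_entries": len(entries),
        "connect_attempts": len(flows),
        "syn_retry_flows": sum(is_syn_retry_triplet(t) for t in flows.values()),
        "entries_per_minute": round(len(entries) / span_min, 1),
        "verdicts": dict(verdicts),
        "source_ports": sorted({k[2] for k in flows if k[1] in LAN}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted lines this reports about 3.4 log entries a minute but only one connection attempt every 45 s or so, each showing up as a retransmission triplet from the next ephemeral source port; that is the difference between a noisy log and a port sweep. The allow-nolog verdicts are exactly the entries the rule in the first reply would silence, and the constructed external line is the one case that should stay blocked and visible.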

Totally silly to install such personal firewall crap on the workstations. Filter on the perimeter. The LAN is usually trusted, and usually one wants these machines to be able to communicate with each other.

Absolutely normal Microsoft network noise.

Normal Microsoft network noise.

Several:

- Use another operating system

- Uninstall the firewall simulation, whose output you don't understand anyway

- filter at the perimeter

- pay someone, who knows what he's doing.

Wolfgang

Reply to
Wolfgang Kueter

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.