Background:
* Fresh Windows 10 (1803) install using ISO direct from Microsoft.
* LAN configured on 10.x.x.x/24 subnet
After accessing a file share on a different PC (same subnet), Windows will attempt to open up phantom port 445 (dest) connections to remote IPs 192.168.1.241 and 192.168.3.241. There is nothing on the network configured for the 192.168.x.x subnets.
Service connecting is SYSTEM, PID 4 (see pic above). My firewall (UTM) is set to block anything in or out that isn't explicitly permitted. I discovered this issue when I noticed the number of packet filter entries was unusually high.
There are two ways of dealing with this. I can configure the firewall to just drop and not log these packets, or do the same in the Windows firewall on the offending PC. The first, I believe, still generates this noise on the network; the second blocks it such that it never leaves the PC.
I consider both of these workarounds as band-aids. I'd really like to figure out why the Windows box is even attempting to create these connections. Nothing in netstat or tcpview gives me any more detail other than what's pictured above. I tried disabling various discovery options but this still persists. As mentioned earlier, it is related to file sharing. These outbound attempts do not show up if the Windows 10 box doesn't attempt to access any network shares.
Both router2 and local.domain are on the 10.x.x.x/24 subnet.
