Avast WEBforum

Other => Viruses and worms => Topic started by: DonZ63 on October 20, 2011, 10:00:06 PM

Title: Strange port 143 activity
Post by: DonZ63 on October 20, 2011, 10:00:06 PM
Win 7 x64 SP1, Avast 6.0.1289

Now that I have my Win 7 firewall outbound rules set up, I am getting this strange outbound firewall alert from port 143 at boot time. Is this OK to allow? I don't use any e-mail except ISP-based e-mail.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/20/2011 3:31:57 PM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Don-PC
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
   Process ID:      4
   Application Name:   System

Network Information:
   Direction:      Outbound
   Source Address:      fe80::2401:1c51:9da4:dbc4
   Source Port:      143
   Destination Address:   ff02::16
   Destination Port:      0
   Protocol:      58

Filter Information:
   Filter Run-Time ID:   129197
   Layer Name:      Connect
   Layer Run-Time ID:   50
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5157</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12810</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-20T19:31:57.106526900Z" />
    <EventRecordID>28175</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="60" />
    <Channel>Security</Channel>
    <Computer>Don-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">4</Data>
    <Data Name="Application">System</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">fe80::2401:1c51:9da4:dbc4</Data>
    <Data Name="SourcePort">143</Data>
    <Data Name="DestAddress">ff02::16</Data>
    <Data Name="DestPort">0</Data>
    <Data Name="Protocol">58</Data>
    <Data Name="FilterRTID">129197</Data>
    <Data Name="LayerName">%%14611</Data>
    <Data Name="LayerRTID">50</Data>
    <Data Name="RemoteUserID">S-1-0-0</Data>
    <Data Name="RemoteMachineID">S-1-0-0</Data>
  </EventData>
</Event>
Title: Re: Strange port 143 activity
Post by: DavidR on October 21, 2011, 12:16:04 AM
I would start by reading this, as it shows what that port is normally used for, Internet Message Access Protocol (IMAP), and from that you should be able to confirm whether you have email being checked, etc.

http://www.grc.com/port_143.htm also http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol.
Title: Re: Strange port 143 activity
Post by: DonZ63 on October 21, 2011, 12:49:34 AM
Thanks, David.

I did research this. It is indeed an ICMPv6 Multicast Listener Report Message v2. In itself it is a valid ICMPv6 outbound transaction, but it should be blocked since it could invalidate the default rules the Win 7 firewall has for Teredo tunneling security. Hence the lack of this rule in the Win 7 firewall's default outbound core rules.

Another example of the danger of running the Win 7 firewall in its default allow-all-outbound-traffic configuration.
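To make the identification above concrete, here is an added Python example (not code from the thread, from Avast, or from Microsoft): it parses the EventData of a 5157 event and, when the protocol is 58 (ICMPv6), reads the two "port" fields as the ICMPv6 type and code, which is how "port 143" to ff02::16 turns out to be an MLDv2 Multicast Listener Report rather than IMAP. The %%14593 = Outbound mapping is taken from the posted event; the ICMPv6 type names come from the RFCs named in the comments, and the sample event is the one posted in this thread, trimmed to the fields the decoder reads.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# ICMPv6 message types (RFC 4443, 2710, 3810, 4861) a Windows host sends on its own.
ICMPV6_TYPES = {
    130: "MLD Multicast Listener Query",
    133: "NDP Router Solicitation",
    135: "NDP Neighbor Solicitation",
    136: "NDP Neighbor Advertisement",
    143: "MLDv2 Multicast Listener Report",
}
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}  # %%14593 = Outbound in the post

def decode_5157(event_xml: str) -> dict:
    """Turn one 5157 event's EventData into a plain-language reading."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    proto = int(data["Protocol"])
    info = {
        "direction": DIRECTION.get(data["Direction"], data["Direction"]),
        "application": data["Application"],
        "protocol": proto,
        "dest_address": str(ipaddress.ip_address(data["DestAddress"])),  # normalised text
    }
    if proto == 58:  # ICMPv6: WFP logs the type as SourcePort and the code as DestPort
        t = int(data["SourcePort"])
        info.update(icmpv6_type=t, icmpv6_code=int(data["DestPort"]),
                    meaning=ICMPV6_TYPES.get(t, f"ICMPv6 type {t}"))
    else:  # TCP/UDP: the two fields really are ports
        info.update(source_port=int(data["SourcePort"]), dest_port=int(data["DestPort"]))
    return info

def is_mldv2_report(info: dict) -> bool:
    """True for the host's own MLDv2 report to ff02::16 (all MLDv2-capable routers)."""
    return (info["protocol"] == 58 and info.get("icmpv6_type") == 143
            and info["dest_address"] == "ff02::16")

# EventData copied from the event posted in this thread, trimmed to the fields read above.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<EventData>
<Data Name="Application">System</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="SourceAddress">fe80::2401:1c51:9da4:dbc4</Data>
<Data Name="SourcePort">143</Data>
<Data Name="DestAddress">ff02::16</Data>
<Data Name="DestPort">0</Data>
<Data Name="Protocol">58</Data>
</EventData></Event>"""
```

Running `decode_5157(SAMPLE_EVENT)` reports protocol 58, ICMPv6 type 143, code 0, outbound from the System process to ff02::16, so the alert is the host announcing its multicast group memberships on the local link, not an IMAP connection.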
Title: Re: Strange port 143 activity
Post by: DavidR on October 21, 2011, 01:12:27 AM
The real danger of running the Win 7 firewall with outbound protection enabled is what you are going through right now; it is a pig; it isn't user friendly; it is rules-based and you have to create the rules; that is always going to be prone to error.