Avast WEBforum
Other => Viruses and worms => Topic started by: DonZ63 on October 20, 2011, 10:00:06 PM
-
Win 7 x64 SP1, Avast 6.0.1289
Now that I have my Win 7 firewall outbound rules set up, I am getting this strange outbound firewall alert from port 143 at boot time. Is this OK to allow? I don't use any e-mail except ISP based e-mail.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/20/2011 3:31:57 PM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Don-PC
Description:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Outbound
Source Address: fe80::2401:1c51:9da4:dbc4
Source Port: 143
Destination Address: ff02::16
Destination Port: 0
Protocol: 58
Filter Information:
Filter Run-Time ID: 129197
Layer Name: Connect
Layer Run-Time ID: 50
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5157</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-10-20T19:31:57.106526900Z" />
<EventRecordID>28175</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="60" />
<Channel>Security</Channel>
<Computer>Don-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">4</Data>
<Data Name="Application">System</Data>
<Data Name="Direction">%%14593</Data>
<Data Name="SourceAddress">fe80::2401:1c51:9da4:dbc4</Data>
<Data Name="SourcePort">143</Data>
<Data Name="DestAddress">ff02::16</Data>
<Data Name="DestPort">0</Data>
<Data Name="Protocol">58</Data>
<Data Name="FilterRTID">129197</Data>
<Data Name="LayerName">%%14611</Data>
<Data Name="LayerRTID">50</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
-
I would start by reading this, as it shows what that port is normally used for, Internet Message Access Protocol (IMAP), and from that you should be able to confirm if you have email being checked, etc.
http://www.grc.com/port_143.htm also http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol.
-
Thanks, David.
I did research this. It is indeed an ICMPv6 Multicast Listener Report Message v2. In itself it is a valid ICMPv6 outbound transaction, but it should be blocked since it could invalidate the default rules the Win 7 firewall has for Teredo tunneling security. Hence the lack of this rule in the default Win 7 firewall outbound core default rules.
Another example of the danger of running the Win 7 firewall in the default allow-all-outbound-traffic mode.
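Added example, not code from any poster in this thread: a small Python script that parses the 5157 Event XML quoted above and decodes its network fields. It relies on the fact that, for ICMP traffic, the Windows Filtering Platform audit records the ICMP type in SourcePort and the ICMP code in DestPort, so the 143 here is the ICMPv6 type for a Multicast Listener Report v2, not the IMAP port. The ICMPV6_TYPES table and the trimmed SAMPLE_EVENT are constructed for this example.

```python
"""Decode a Windows Filtering Platform 5157 (connection blocked) event."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Common ICMPv6 message types (RFC 4443 / RFC 3810); 143 is the MLDv2 Report.
ICMPV6_TYPES = {128: "Echo Request", 129: "Echo Reply",
                133: "Router Solicitation", 134: "Router Advertisement",
                135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
                143: "Multicast Listener Report v2"}

# Constructed sample: the thread's event trimmed to the fields used here.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5157</EventID></System>
<EventData>
<Data Name="ProcessID">4</Data>
<Data Name="Application">System</Data>
<Data Name="SourceAddress">fe80::2401:1c51:9da4:dbc4</Data>
<Data Name="SourcePort">143</Data>
<Data Name="DestAddress">ff02::16</Data>
<Data Name="DestPort">0</Data>
<Data Name="Protocol">58</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Return the EventData fields (plus EventID) as a plain dict."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    data["EventID"] = root.find("e:System/e:EventID", NS).text
    return data


def classify(ev):
    """Describe what was blocked and whether it is link-local multicast housekeeping."""
    proto = int(ev["Protocol"])
    src = ipaddress.ip_address(ev["SourceAddress"])
    dst = ipaddress.ip_address(ev["DestAddress"])
    out = {"event_id": ev["EventID"], "app": ev["Application"]}
    if proto == 58:
        # For ICMP events WFP logs the ICMP type in SourcePort and the code in DestPort.
        icmp_type, icmp_code = int(ev["SourcePort"]), int(ev["DestPort"])
        out["protocol"] = "ICMPv6"
        out["message"] = ICMPV6_TYPES.get(icmp_type, "type %d" % icmp_type)
        out["code"] = icmp_code
    else:
        out["protocol"] = "IP proto %d" % proto
        out["message"] = "port %s -> %s" % (ev["SourcePort"], ev["DestPort"])
    # A link-local source sending to an ff02::/16 group never leaves the local link.
    out["stays_on_link"] = bool(src.is_link_local and dst.is_multicast
                                and dst in ipaddress.ip_network("ff02::/16"))
    return out


if __name__ == "__main__":
    print(classify(parse_event(SAMPLE_EVENT)))
```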
-
The real danger of running the Win 7 firewall with outbound protection enabled is what you are going through right now; it is a pig; it isn't user friendly; it is rules based and you have to create the rules; that is always going to be prone to error.