Hi habe the same problem that has already been mentioned in this forum before: Since an update a few months ago, I very frequently get alerts of applications, that have nothing to do with the Internet at all, trying to access 220.127.116.11 over ICMP.
The 18.104.22.168 multicast address is used for LLMNR (Link Local Multicast Name Resolution) which actually uses UDP. Basically, it's like a local DNS and is part of Windows network Discovery.
I get this for almost every single program in Windows. I know that this is a multicast address, and I don't care about allowing or blocking it, but what I do want is
- stop being bugged by alerts for this address all the time
- not have entries for every single program in my network security policy (because this screen is not sortable and becomes a big mess the more application-specific rules you have, this should really be improved).
Unfortunately, this is a bug in CIS. Strictly speaking only svchost should make these queries.
So of course I tried to create a global rule:
ALLOW ICMP IN/OUT from SOURCE=ANY to DESTINATION=22.214.171.124
ALLOW ICMP IN/OUT from SOURCE=126.96.36.199 to DESTINATION=ANY
But I keep getting these alerts! What am I doing wrong? Shouldn't the global rule allow this traffic? Why do I stell get alerts asking me to block or allow?
The rule is probably failing because LLMNR uses different source and destination addresses/ports and, as mentioned earlier, UDP not ICMP.
What may be easier then trying to block these connections is disabling LLMNR. You could disable Network Discovery in Network and sharing but it's likely you'll still see these alerts. better would be to disable it with the group policy editor.
1. Win Administrator privileges open Start/Run and type gpedit.msc
2. In the right side window navigate to
Local Computer Policy/Computer Configuration/Administrative Templates/Network/DNS Client
3. In the left side window select Turn off Multicast Name Resolution
4. In the settings windows select Enabled.
If you have other devices/PCs on your network, you may need to perform similar tasks if LLMNR is supported.
If you don't want to disable the service, create a firewall Application rule for the All Applications group that allows: (This is what I do)
Application Name - All Applications File Group
Action - Allow
Protocol - UDP
Direction - Out
Source Address - ANY
Destination Address - 188.8.131.52
Source Port - ANY
Destination Port - 5355
Place the rule at the top of the Application rules list.
Edit: Just a thought. If you have one of the 'Home' designated versions of Windows, you can make the change via the registry:
1. Navigate to:
2. Set EnableMulticast to 0