Anonymous firewall alerts

It bothers the heck out of me. Especially during Windows startup I get these alerts, perhaps 3 times one after the other: this “Windows pseudo operating system process” tries to access the internet with various IP addresses and ports. I have absolutely no idea what process it is or what it is doing, and I certainly don’t know if it is the operating system or not.

Should I allow these to pass through my firewall?

Of course not, if you don’t know what it is.
And also not if it’s not necessary.
Just block it permanently and look at what happens.

Are you sure that it’s outgoing? Because then it’s unusual to have that generic name given.

When the firewall log reports something is blocked by Windows Operating System (WOS) it means there is no program listening and that the firewall is blocking the unknown traffic (which is one of the jobs of the firewall).

Unless you are expecting this traffic you can make the needed adaptations.

It happens after I reboot, and after I launch the Opera web browser I get 3 alerts. I have 5 tabs open in the browser, so it accesses different websites immediately when I open Opera, so I don’t know if that is the cause. I took a screenshot of the alert and clicked the process to find its name, but it only shows the Windows directory, no executable name at all. If I don’t have the name of a process I can’t know what to do with it; it could be anything really.

I’m sitting here reading a web page for almost 50 minutes, not doing anything with my computer, not even moving my mouse a bit, and all of a sudden this darn thing pops up again; this time it wants to access the internet at port 5355. I have no clue what it wants to do; it’s certainly an external IP, UDP protocol this time. The same “pseudo operating system process”.

Just popped up out of nowhere for no apparent reason.

What do we need firewalls for these days when half of all outgoing requests are anonymous secret processes? I guess we could just block every request, but it wouldn’t make much sense in the end.

It is a pseudo operating system process; it is not the operating system itself. Read the initial post. The alert suggests I have the computer configured as ICS, but I’ve checked that; it’s not.

This alert for outgoing traffic also happens when another program’s driver is “blocking the view” for CIS, metaphorically speaking.

What programs that interfere with networking at the driver level do you have installed? Try temporarily uninstalling them one by one until the problem goes away. Sorry, there is no smarter way to figure this out… :-\
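Before uninstalling candidates one by one, it is worth tying the alerted traffic (here 5355/udp, later an FTP connection) to a PID. The script below is an added example, not code from this thread or from Comodo: it joins `netstat -ano` output with WMI process and service data so each socket gets an executable path and, for svchost.exe, the service names hosted in that PID. It uses `Get-WmiObject` rather than the newer `Get-NetUDPEndpoint` so it also runs on the Windows 7 / PowerShell 2.0 setup mentioned later in the thread. The port-name table is a constructed lookup for illustration; 5355/udp is LLMNR (link-local multicast name resolution), which is normally sent by the DNS Client service. Run it from an elevated prompt so `ExecutablePath` is readable for service processes.

```powershell
# Added example (not from the thread): attribute every socket netstat reports to the
# process and services that own it. Works on Windows 7 / PowerShell 2.0 and later.

function Get-SocketOwner {
    # PID -> Win32_Process (Name, ExecutablePath). PID 0 and 4 are the Idle and System
    # pseudo-processes: kernel-originated traffic has no user-mode executable behind it.
    $procByPid = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $procByPid[[int]$_.ProcessId] = $_ }

    # PID -> service names. Several services share one svchost.exe PID, so a bare
    # "svchost.exe" answer is useless without this join.
    $svcByPid = @{}
    Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $k = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
        $svcByPid[$k] += $_.Name
    }

    # Constructed lookup of ports that often appear in "unexplained" alerts (not exhaustive).
    # 5355/udp is LLMNR, the port seen in this thread.
    $portNames = @{ 21 = 'ftp'; 53 = 'dns'; 123 = 'ntp'; 137 = 'netbios-ns'
                    1900 = 'ssdp'; 3702 = 'ws-discovery'; 5355 = 'llmnr' }

    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        if (@('TCP', 'UDP') -notcontains $f[0]) { continue }   # skip header lines
        $owner = [int]$f[-1]                                    # PID is always the last column
        $state = if ($f.Count -eq 5) { $f[3] } else { '' }      # UDP rows have no state column
        $proc  = $procByPid[$owner]

        # Take the last ':'-separated field so IPv6 forms like [::]:5355 parse correctly.
        $lport = [int]($f[1] -split ':')[-1]
        $rport = ($f[2] -split ':')[-1]
        $known = $portNames[$lport]
        if (-not $known -and $rport -match '^\d+$') { $known = $portNames[[int]$rport] }

        if ($owner -le 4)   { $note = 'kernel/System: no user-mode owner' }
        elseif (-not $proc) { $note = 'owner already exited (short-lived sender)' }
        else                { $note = '' }

        $name = if ($proc) { $proc.Name } else { '?' }
        $path = if ($proc) { $proc.ExecutablePath } else { '' }

        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
            PID = $owner; Name = $name; Path = $path
            Services = ($svcByPid[$owner] -join ','); Port = $known; Note = $note
        }
    }
}

# Usage: everything bound to 5355, plus anything the table cannot attribute to a program.
Get-SocketOwner |
    Where-Object { $_.Local -match ':5355$' -or $_.Note } |
    Sort-Object PID |
    Format-Table Proto, Local, Remote, PID, Name, Services, Port, Note -AutoSize
```

Run it immediately after an alert fires: a sender that exits before `netstat` runs shows up with `?` or not at all, and then the firewall’s own log is the only trace. Rows owned by PID 4 (System) or with no owner are exactly the traffic a host firewall cannot attribute to a user-mode program, which is the situation the generic label in this thread describes; a row that resolves to svchost.exe hosting Dnscache on 5355/udp, or to a vendor updater on port 21, answers the question without uninstalling anything.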

If this could be malicious activity, UDP would be the protocol of choice since it is stateless. A hacker would not choose to use TCP in that case. Do you agree?

If you’re worried about being infected please scan your computer with various scanners.

Other than that, try uninstalling programs with networking-related drivers to find the program that is interfering. It may be worth a bug report.

I’ve done that. I did a full scan with Microsoft Security Essentials and a full scan with Malwarebytes too. I found a few security threats, but the only security threats I found were my own programs, funny enough.

I don’t know what to do. I will let this rest for a few days; I’m tired these days and am not up for any fix for a few days. Until then I will pretend this is not a security threat. It probably isn’t. If it weren’t for the fact that I have been careless a couple of times in the past and used unsafe software with admin privileges, I wouldn’t be asking on this forum. I know that I have not been careful enough; there is a tiny chance something might be lurking beneath the surface on my machine.

If you get malicious code into the Windows kernel, it’s serious business and cannot be easily detected. If some piece of code can wrap itself unrestricted into the kernel, no antivirus or firewall will be safe. The firewall may be working 99%, but chances are that some piece in the kernel opens up a door to invalidate the firewall completely, and it just won’t work as it should.

Please uncheck the box in the settings:
This computer is an Internet gateway (ICS service).

P.S. I looked at the old Russian forums from 2010 (not the official forum).
This problem was mentioned in CIS 4 on certain systems.

P.S. I checked at home. Turned on or off, there are no similar alerts (there is nothing). Alert Level: Low.
Win7 32-bit SP1, CIS 5.10.
Never seen this alert.

Just block (don’t allow) everything that you didn’t initiate and that you don’t know.
Just block it.
That’s how a firewall works :slight_smile:

How often have I read: “It pops up every day, should I allow it?”
And then I think: I used Windows a long time without the internet. It worked. No chance to allow anything. So why should it be vital to allow something when I plug the internet cable in?
Make an update, allow what’s necessary. That’s all.

You’re missing the point here. The request is for outgoing traffic by WOS (CIS cannot see its source).

Please also check with HitmanPro, SUPERAntiSpyware and TDSSKiller, just to be on the safe side.

When no malware is found, the problem is a driver blocking the view for CIS. The only way to find out which program is causing this is to uninstall possible candidates.

If you get malicious code into the Windows kernel, it's serious business and cannot be easily detected. If some piece of code can wrap itself unrestricted into the kernel, no antivirus or firewall will be safe. The firewall may be working 99%, but chances are that some piece in the kernel opens up a door to invalidate the firewall completely, and it just won't work as it should.
Once something runs in the kernel you're at the mercy of signature-based detection. However, with CIS you're very well protected. Chances are very, very slim that you're actually infected.

My attempt has been to protect the user until things get sorted out.
The other point :smiley:

OK, this is getting way out of hand. This time it wants to connect to an FTP server on the internet and I don’t even have my web browser open. This has to be malicious activity; I cannot see it otherwise. The so-called “operating system” is now doing so many different things that I can no longer keep up with this. There has got to be a line I have to draw here, and this is it, this is that line. Enough is enough. I have never ordered any FTP requests on the internet.

I got several more as well. Another wants to connect to port 9574, which is an unassigned port; no serious software company relies on unassigned ports. Why would the Windows operating system rely on unassigned ports? This is getting very suspicious.

There are now tens of events happening under the name of “Windows Operating System”. I am almost tempted to say that the mafia works through this name, because that’s how many alerts I get under it.

I traced one of the IP addresses in these alerts; it traced back to an unknown source in Taiwan.

I would do a clean operating system re-installation,
after formatting that partition.

Most probably I would have done it earlier already.

Good luck. Keep your eyes open for persistent infection. And for the source.

The designation Windows Operating System only means that CIS cannot see what is causing the alert. The name is at least a bit misleading.

I am not only going to reinstall the OS, I will buy a hardware firewall too very soon. I cannot rely on software anymore; I have to have something hardwired too. Computers aren’t what they used to be in the ’90s; all we ever had on the computer back then were games and apps. Nowadays everything happens through the computer and the internet, even bank account transfers. Back then, security was about not corrupting files, but today security is about not losing your money and personal information.

The internet is a tremendously dangerous place. A single mistake, a single failure to keep your personal data safe, will be eternally punished on the internet; you can’t get rid of it once it’s out there.

Just look at Facebook, for example: all of your pictures will be kept there forever, they refuse to delete them, and they even (recently) said that they will recover deleted images. The internet used to be something fun, but today it is a place of terror. We are terrorized by free-floating information.

I checked my ports at ShieldsUP!. Usually all ports are stealth, but this time all ports were blue, which means they are closed. Telnet, SSH, FTP and HTTP are open ports. That’s insane. All the dangerous ports that shouldn’t be open are open and listening. I forgot, these ports are only open to the ISP; they have access to the router, so it is not externally open to other people, so no danger there.

One shouldn’t be too quick to judge suspicious activity. The FTP request came from the Asus AI Suite II software that comes with the graphics card; it searches for updates through FTP, on Asus FTP servers. So it wasn’t dangerous after all.