Large number of suspicious ICMP OUT connections in Windows 7

After some recent CIS update (it all started around 5 Nov (or at least that's what I think was the beginning of it, but I might be wrong)), the firewall started to alarm me with a large number of warnings that application "x" (where "x" is pretty much everything I try to run) tries to establish an outgoing connection to address 224.0.0.252 (or sometimes a similar address from the same range). Even if it is some dummy app I've just created on the fly, or any app that has nothing to do with the internet. Besides that, the "System" process itself tries to send these IGMP requests as well. 5 connections per minute on average. There was also an increase (or the CIS update triggered oversensitivity) in traffic on ports 137 and 138 UDP, which I fixed by disabling NetBIOS. I also tried to deal with these strange ICMP OUT connections

Someone suggested that it might be DLL injection. Currently I'm after several full system reinstalls. The System process (as far as I kept testing the freshly installed system) didn't cause me trouble, but ICMP requests appear almost from the start, for starters with "trustedInstaller.exe", which I believe is part of Windows Update. Then other apps that I run, like VLC, just after I unchecked the options about internet use in the welcome dialog. I did try to scan my computer with Windows Defender Offline, the utility from Malwarebytes, Spybot S&D and ComboFix; none of these tools reported any problems with my system. I tried to wipe the MBR and delete the partition where my system is located. Nothing seems to work.

My question is: What can be the cause of this? Is that normal? Did my firewall get oversensitive with the latest update (I'd rather exclude Windows updates), alarming me about some inner Windows stuff that happens all the time? Or maybe I've caught something malicious (Comodo and the other stuff I used for testing seem not to raise any red flags). What else can I use to check/clean my system for threats, on top of CIS?

I'm basically out of ideas and still wonder if it's caused by some recent system update or maybe faulty firewall software. And if it's caused by some rootkit, how to reveal it and get rid of it. And in case it's normal (somehow), why it happens and how to disable it.

Hi timroy2000, welcome to the forums.

The ICMP outbounds to 244.0.n.n are something called multicasting; more details here [wikipedia.org].

Why did it suddenly start after an update? I'm not entirely sure, but check to ensure that your current profile is populated with the rules and settings that you expect. Are you running Avast? Also, please confirm the CIS version that you have now, thanks.
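A small triage helper, added here as an example and not part of any reply or of CIS itself: it takes firewall alert lines (the sample lines are constructed to match the wording quoted in the thread, not real CIS log output) and sorts them by whether the destination is in 224.0.0.0/24 (the local network control block, which routers do not forward beyond the local segment), elsewhere in the multicast range, or a private or public unicast address. The application names and the alert format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alert lines, modelled on the wording quoted in the thread
# ("application x tries to connect to 224.0.0.252"). Not real CIS log output.
SAMPLE_ALERTS = """\
notepad.exe tries to connect to 224.0.0.252
System tries to connect to 224.0.0.22
vlc.exe tries to connect to 224.0.0.252
dummy.exe tries to connect to 239.255.255.250
printer.exe tries to connect to 192.168.1.20
browser.exe tries to connect to 93.184.216.34
TrustedInstaller.exe tries to connect to 224.0.0.252
"""

ALERT_RE = re.compile(
    r"^(?P<app>\S+) tries to connect to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)

# 224.0.0.0/24 is the IPv4 Local Network Control Block: routers must not forward
# it, so traffic to it never leaves the local link. 224.0.0.0/4 is all multicast.
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def classify_destination(dst: str) -> str:
    """Name the kind of destination an alert points at."""
    addr = ipaddress.ip_address(dst)
    if addr in LOCAL_CONTROL_BLOCK:
        return "link-local multicast"
    if addr in MULTICAST:
        return "multicast"
    if addr.is_private:
        return "private unicast"
    return "public unicast"


def triage(alert_text: str) -> dict:
    """Return {category: Counter(app -> alerts)} so it is visible at a glance
    which alerts are local-segment multicast and which apps reach routable
    addresses (the ones worth a closer look)."""
    result: dict = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not alerts in the assumed format
        cat = classify_destination(m["dst"])
        result.setdefault(cat, Counter())[m["app"]] += 1
    return result


if __name__ == "__main__":
    for cat, apps in triage(SAMPLE_ALERTS).items():
        print(f"{cat}: {dict(apps)}")
```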

No Avast, just CIS FW/AV. Yes, the rules were set to the ones I like, as was the alert level.

The fact that this is multicasting is one thing; the big mystery is why notepad.exe likes to multicast stuff. I've tried various things during my tests and nothing seems to help.

CIS version 5.12.256249.2599

Does it actually say: "Notepad.exe tries to connect"?

While I know the IP part 224 ... (somehow related to a router broadcast), it doesn't make sense that something on your computer wants to connect (to that) without initialisation. Especially something that has no business on the internet.

Rule of thumb:
Work with OUTgoing rules (for things that NEED to be online). ICMP out can stay blocked. I never allowed that.
Don't allow INgoing traffic.

That way you get requested packets. This minimizes the "chance" of getting a faulty packet that was probing or trying to "establish" something.
To avoid unnecessary questions, use stealth port wizard setting 3.

For the future, I would suggest keeping the latest "known running" version of important programs, so a bad update has no impact on your days.
But your descriptions rather point to a general problem. I would not use the computer without a two-way firewall at the moment.

Next time you do an OS reinstall, check at each step of "introducing something new" whether the problem appears.

What about your LAN IP? If you use a router for DHCP and boot Windows when the router is either unconnected or powered off, this will cause your LAN IP to revert to the NIC default address, and this can cause problems with previously defined CIS rules/settings.