Do these attempted connections seem suspicious?

| Date | Application | Action | Direction | Protocol | Source IP | Source Port | Destination IP | Destination Port |
|---|---|---|---|---|---|---|---|---|
| 2012-01-17 06:32:55 | C:\Windows\System32\PING.EXE | Asked | Out | ICMP | 192.168.1.3 | Type(8) | 65.55.21.23 | Code(0) |
| 2012-01-17 06:35:00 | C:\Windows\System32\PING.EXE | Blocked | Out | ICMP | 192.168.1.3 | Type(8) | 65.55.21.23 | Code(0) |

Does any of the above stuff seem strange to anyone? Also, I am aware that the 192.168.1.3 must be my router, but what keeps trying to connect to the .3 address? Thanks for your help :slight_smile:

Actually this is an outbound connection and the 192.168.1.3 address is more likely to be your system rather than the router. However, 65.55.21.23 (the destination) is Microsoft and since this is PING.EXE, this is likely to be Windows testing its Internet connection via a Task Scheduler process (there’s a couple of VBS scripts in there, one for wireless & one for wired).

It’s perfectly safe, although some people view it with suspicion (because it’s Microsoft) and block it. I personally don’t.

Thanks for the info. How would I go about allowing it and making the rule stick so I don’t need to deal with it?

What is your Firewall Security Level set at?

Are you getting this alert for PING.EXE a lot?

Custom policy on high alert. No, I am not getting any alerts for it actually. Seems to be blocking it on its own. I noticed it in the log. Only two things I have in there, one saying it asked and another saying it blocked. I don’t remember it asking…

Do you have Do not show popup alerts (see attached) enabled with “Block Requests”?

[attachment deleted by admin]

It is not enabled.

[attachment deleted by admin]

FYI…

[attachment deleted by admin]

OK. The reason that you don’t have a rule for PING.EXE is because Create rules for safe applications is disabled. And I suspect that the reason for the Alert & Block that you see in your logs is that CIS did raise an alert for it, but didn’t get a response and the alert timed out. This would default to a block in the absence of any response from you (which will probably stick until the next reboot).
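The Asked-then-Blocked pattern explained above can be pulled out of a firewall log export automatically. This is an added example, not part of the original thread and not Comodo's code; the function names, the 5-minute window and the third sample line are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# The first two lines are the entries quoted in the thread; the third is constructed
# (hypothetical application, documentation-range address) to exercise a path with spaces.
SAMPLE_LOG = r"""
2012-01-17 06:32:55 C:\Windows\System32\PING.EXE Asked Out ICMP 192.168.1.3 Type(8) 65.55.21.23 Code(0)
2012-01-17 06:35:00 C:\Windows\System32\PING.EXE Blocked Out ICMP 192.168.1.3 Type(8) 65.55.21.23 Code(0)
2012-01-17 06:40:10 C:\Program Files\Example App\example.exe Asked Out TCP 192.168.1.3 49152 203.0.113.10 443
"""

def parse(line):
    """Split one log line using the column order of the thread's header row."""
    # The last seven columns never contain spaces; the application path may.
    head, action, direction, proto, src, sport, dst, dport = line.strip().rsplit(" ", 7)
    app = head[20:]  # text after the 19-character timestamp and one space
    return {
        "time": datetime.strptime(head[:19], "%Y-%m-%d %H:%M:%S"),
        "app": app,
        "action": action,
        "destination": dst,
        # Same program and same traffic tuple = same alert subject.
        "flow": (app.lower(), direction, proto, src, sport, dst, dport),
    }

def asked_then_blocked(log_text, window=timedelta(minutes=5)):
    """Find 'Asked' entries whose next entry for the same flow is 'Blocked' within window.

    window is an assumed upper bound on how long an alert stays open, not a CIS value.
    """
    pending, hits = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["action"] == "Asked":
            pending[ev["flow"]] = ev
            continue
        asked = pending.pop(ev["flow"], None)
        if asked and ev["action"] == "Blocked" and ev["time"] - asked["time"] <= window:
            hits.append({
                "app": ev["app"],
                "destination": ev["destination"],
                "asked": asked["time"],
                "wait_seconds": int((ev["time"] - asked["time"]).total_seconds()),
            })
    return hits

if __name__ == "__main__":
    for hit in asked_then_blocked(SAMPLE_LOG):
        print(hit)
```

The log does not record whether a block came from a click or from a timeout, so each hit is a candidate to review, not a confirmed timed-out alert.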

Makes sense :smiley:

Should I enable “Create rules for safe applications”?

With the firewall in Custom Policy Mode, then enabling Create rules for safe applications would make more sense. This will enable you to have better control over your applications, since in Custom Policy Mode no application network traffic is allowed without an associated rule being present. However, in the short term this will probably increase the number of alerts that you see as the rules are populated.

An alternative is Safe Mode where CIS handles all the traffic based on if the application is known to be safe or not. The upside is that this means a lot fewer alerts. On the downside, you don’t have fine control over your applications. Which you use really depends on what you need and/or feel most comfortable with.

Thanks for all the help :-*

No problem. :slight_smile: