You can see that there is a lot going on in terms of the number of threads under this process. I don’t know of any way to isolate this traffic further to a specific thread. Are there any network specialists who might know how to do this, or what tools might help me do it?
I did try to manually suspend the whole process, but this led to the machine freezing, requiring a hard reboot. However, when I turned off all traffic through the firewall, I was able to turn it back on hours later w/o any problems.
Since this traffic is almost evenly divided up/down (totaling about 15MB/hour), it looks to me almost like some sort of TORRENT node is running. But that would also be characteristic of a trojan where I might be zombied, wouldn’t it?
I have added a firewall rule to block this data transfer until/if I understand WHAT is being transferred and WHY. So far, blocking the traffic doesn’t seem to be causing any problems. After about 10-15 minutes of trying to get through from different source ports, the process/task gives up and goes back to sleep.
It looks like the Messenger service is enabled as well, along with the Windows Firewall/ICS service.
The Messenger service should have been disabled by default since the XP SP2 update.
It might be worth stopping the Windows Firewall\Internet Connection Sharing service without disabling it, to check if those connections are suppressed.
Though it’s only a guess, and other members will likely provide better advice. :-[
If the log was deleted, it should have filled up fairly quickly. Yet I am still seeing just the same 2 events from 2 days ago! So something looks wrong with the logging. Or the source has realized it is blocked and has shut itself down (uh oh).
All of this would be a lot easier to test if Comodo supported rule disable/enable (which I know is already on the wish list).
I’d also say that there should be a circular option to write over the older log entries. This is kind of standard in logs.
As to devices connected to this system, I don’t have any.
In the original report, I was seeing approximately 15MB per hour (divided about 60% down and 40% up) moving through that port 5431. That’s a lot of unexplained traffic. Since I have blocked this connection, I have not noticed any problems. What I am trying to find out is what was generating that 15MB of hourly data.
Come this weekend, I am going to try to run a Wireshark trace and see what comes up.
Yes, I initially came across the UPnP and Discovery Service refs. So I tried turning those services off, but there wasn’t any change. Windows Messenger is currently running. I can try to disable that as well when I delete the blocking rule.
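Two things are asked for across this thread: a way to tie the port 5431 traffic to a specific process (and, as far as possible, to a thread inside it), and a Wireshark trace to see what is actually moving. The script below is an added example and is not from any poster or from Comodo; it assumes a current Windows version with the NetTCPIP module (Get-NetTCPConnection did not exist on XP, where the equivalent is `netstat -ano -b`), an elevated prompt, an interface named "Ethernet", and Wireshark's tshark installed at its default path. Only the port number comes from the thread.

```powershell
# Added example, not code from the thread or from Comodo.
# Assumptions: Windows 8 / Server 2012 or newer, elevated PowerShell,
# interface "Ethernet", tshark at the default Wireshark install path.
$SuspectPort = 5431   # the port reported in the thread

# 1. Which process owns the connections on that port?
#    (On XP-era Windows use:  netstat -ano -b  and read the PID column.)
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $SuspectPort -or $_.RemotePort -eq $SuspectPort }

if (-not $conns) {
    Write-Host "No TCP connections involving port $SuspectPort right now."
    Write-Host "The process may be asleep, or the traffic may be UDP (try Get-NetUDPEndpoint)."
    return
}

$conns | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Format-Table -AutoSize

# 2. For each owning PID: image path, hosted services, non-Windows modules, busiest threads.
#    ($pid is a read-only automatic variable, so a different name is used.)
foreach ($procId in ($conns.OwningProcess | Sort-Object -Unique)) {
    $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    Write-Host "`nPID $procId  $($p.ProcessName)  $($p.Path)"

    # svchost.exe hosts many services in one process; show which ones live in this PID.
    Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
        Select-Object Name, DisplayName, State, PathName | Format-Table -AutoSize

    # DLLs loaded from outside C:\Windows are where a bolt-on or injected
    # network component usually shows up.
    $p.Modules | Where-Object { $_.FileName -notmatch '^C:\\Windows\\' } |
        Select-Object ModuleName, FileName | Format-Table -AutoSize

    # Threads by CPU time: the one that is busy while the port is active is the
    # candidate to inspect further (Process Explorer / ETW give the stack).
    $p.Threads | Sort-Object TotalProcessorTime -Descending |
        Select-Object -First 10 Id, ThreadState, TotalProcessorTime, StartAddress |
        Format-Table -AutoSize
}

# 3. Capture only this port for ten minutes, then print the conversation table,
#    which gives bytes in each direction (the up/down split discussed above).
$tshark = 'C:\Program Files\Wireshark\tshark.exe'   # assumed install path
$pcap   = Join-Path $env:TEMP "port$SuspectPort.pcapng"
if (Test-Path $tshark) {
    & $tshark -i 'Ethernet' -f "port $SuspectPort" -a 'duration:600' -w $pcap
    & $tshark -r $pcap -q -z "conv,tcp,tcp.port==$SuspectPort"
    # If the capture turns out to be UDP, use:  -z "conv,udp,udp.port==$SuspectPort"
}
```

Run it while the blocking rule is temporarily removed, since the process only tries to connect when it is not blocked; if step 1 finds nothing, the traffic may be UDP or the process may have gone back to sleep, and the capture in step 3 will still show whatever arrives on the port.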