Is there some common rule for System Idle Process?
I would like to know this, too. The Defense+ logs tend to fill up with unnecessary reports about blocking SIP. It would be very useful to suppress this.
Try this thread. Worked for me.
Had a look in the help section of v3 about this and I think the SIP logs are genuine attempts against the system.
The first line of the help text seems to explain it all: "If the application has no icon, the default system icon for executable files will be used." This is obviously ‘System Idle Process’, so no real problem if you are getting a normal amount of items logged. If you are getting one every second (like a report on another thread) then I guess there’s something wrong.
Quote from helpfile…
Application - indicates which application or process propagated the event. If the application has no icon, the default system icon for executable files will be used;
Action - indicates how the firewall reacted to the connection attempt.
Protocol - represents the Protocol application attempted to use to create the connection. This is usually TCP/IP or UDP - which are the most heavily used networking protocols.
Source IP - States the IP address of the host that made the connection attempt.
Source Port - States the port number on the host at the source IP which was used to make this connection attempt.
Destination IP - States the IP address of the host to which the connection attempt was made. This is usually the IP address of your computer.
Destination Port - States the port number on the host at the destination IP to which the connection attempt was made. This usually indicates the port number on your computer.
Date/Time - contains precise details of the date and time of the connection attempt.
Please correct me if I’m wrong in this explanation,
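As an added example, not code from the thread or from Comodo: a small triage script that reads log rows laid out in the column order the help text above lists, counts blocked entries per application, and applies the "one every second" rule of thumb as a sliding-window check. The semicolon-separated layout, the sample rows and the 60-entries-per-minute threshold are assumptions for illustration, not CFP's real export format.

```python
from collections import Counter
from datetime import datetime

# Constructed rows; column order follows the help text:
# Application;Action;Protocol;Source IP;Source Port;Destination IP;Destination Port;Date/Time
SAMPLE_LOG = """\
System Idle Process;Blocked;TCP;198.51.100.7;4421;192.0.2.10;135;2008-01-05 10:00:01
System Idle Process;Blocked;UDP;198.51.100.9;1026;192.0.2.10;1026;2008-01-05 10:00:01
System Idle Process;Blocked;TCP;198.51.100.7;4422;192.0.2.10;445;2008-01-05 10:00:02
firefox.exe;Allowed;TCP;192.0.2.10;3344;203.0.113.5;80;2008-01-05 10:00:03
System Idle Process;Blocked;TCP;198.51.100.12;2233;192.0.2.10;139;2008-01-05 10:12:40
"""

FIELDS = ("application", "action", "protocol", "src_ip", "src_port",
          "dst_ip", "dst_port", "timestamp")


def parse_log(text):
    """Parse semicolon-separated rows into dicts; malformed rows are skipped, not guessed."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(";")
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def blocked_per_app(rows):
    """How many blocked entries each application (e.g. System Idle Process) accounts for."""
    return Counter(r["application"] for r in rows if r["action"] == "Blocked")


def max_blocks_in_window(rows, app="System Idle Process", window_seconds=60):
    """Largest number of blocked entries for `app` inside any window_seconds span."""
    times = sorted(r["timestamp"] for r in rows
                   if r["application"] == app and r["action"] == "Blocked")
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() >= window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def sip_looks_abnormal(rows, per_minute_threshold=60):
    """True when SIP blocks sustain roughly one per second (assumed threshold) in any minute."""
    return max_blocks_in_window(rows) >= per_minute_threshold
```

On the constructed rows the busiest minute holds three SIP blocks, well under the assumed threshold, so the entries read as ordinary background noise rather than a problem.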
There are definitely some intrusion attempts that use SIP. There are also connection attempts from my ISP, Microsoft, the telco (I assume that the ISP hands off my connection to them), and some news companies that I have viewed reports from. These are all unsolicited connections and I am not inclined to accept them until someone can show good cause to do it.
I would think that if you are able to use those applications OK without allowing intrusions then it would be best for CFPv3 to block them.
I am getting about the same number of intrusions as with v2 and they all appear under System Idle Process.
Can’t remember if v2 had that column in its report file now.
If you really don’t want to know about the blocked connections, edit the Block rule for SIP under the Firewall>Advanced>Network Security Policy section. Select the SIP entry, click Edit, select the Block rule and Edit and then uncheck the “Log” box.
As long as the Firewall is doing its job I don’t think it matters what is in the log or how many entries; after all, you are not obliged to check it every day. I just look occasionally out of curiosity, not that the individual entries mean much to me.
Nice to see that it stops so many though; just reminds you of how many nasty systems there are out there trying to get you. :o
Guys, have you checked out Egemen’s response yet?: