I have a set-top media player with a built-in hard drive, WD TV Live Hub, wirelessly connected to my home network. I noticed this activity in Firewall Events from it to my notebook.
Source IP: 192.168.1.144 (WD TV Live Hub)
Source Port: Varies from 47773 to 49189
Destination IP: 192.168.1.163 (my wireless notebook)
Destination Port: 61455
There look to be about 150 of these since about 14 hours ago. The source port keeps going up.
Looking back through history, I see a lot of this activity with other destination ports: 49913, 55446 and others to 61455.
My Network Security Policy for svchost.exe is set to Treat As Outgoing Only.
My inclination is to allow this activity but I wanted to check first. If I should allow this, what rules should I set?
You can adapt the rule for svchost.exe.
Double click on the rule and choose to make a Custom Policy. Then choose to import an existing policy; being Outgoing Only.
Next step is to add the following rule in the new svchost rule:
Description: Port rule
Source Address: fill in the IP address when using a fixed IP address for the Media Player. Or fill in the MAC address of its network card or Host name.
Destination Address: Choose how you want to define your computer. Same considerations as in the above.
Source Port: Any
Destination Port: 61455
When this is added, use drag and drop to move the port rule to a place somewhere above the block rule. Then Apply and OK your way back to the main screen.
I appreciate the instructions. I am trying to find out what this activity is through a WD user forum and from WD itself. Do you consider this at all dangerous?
urlvoid, ipvoid and Virustotal are good places to start.
I seriously doubt these connections are malicious, but without access to one of these media hubs, understanding why svchost is responding to inbound requests needs a little investigation.
The problem is that svchost, which is simply a host for a multitude of other services, listens by default on a range of ports and sets aside a proportion of the dynamic port range (49152–65535) for this purpose.
From what I understand of this device, when plugged into an existing network, it ‘scans’ to find resources that may contain media. So my best guess is that you are seeing a multicast from the media hub, both advertising and soliciting for resources. I’d guess it’s associated with the Network Discovery process FDResPub.
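One way to check which service hosted inside svchost.exe owns the destination port on the notebook, as an added example that is not part of any post in this thread. It assumes Windows 8 / Server 2012 or later (for the NetTCPIP cmdlets) and an elevated PowerShell prompt; the function name Get-PortOwner is hypothetical.

```powershell
# Added example: map a local port to its owning process and the Windows
# services hosted in that process (useful when the owner is svchost.exe).
# Assumption: Windows 8 / Server 2012 or later, run from an elevated prompt.
function Get-PortOwner {
    param([Parameter(Mandatory = $true)][int]$Port)

    $endpoints = @()

    # TCP sockets listening on the port
    $endpoints += Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Protocol'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess

    # UDP endpoints bound to the port (discovery traffic is often UDP)
    $endpoints += Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Protocol'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in $endpoints) {
        $owner = [int]$ep.OwningProcess
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue

        # Stopped services report ProcessId 0, so only query for a real PID;
        # otherwise every stopped service would be listed as an owner.
        $services = @()
        if ($owner -gt 0) {
            $services = @(Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $owner" |
                Select-Object -ExpandProperty Name)
        }

        [pscustomobject]@{
            Protocol     = $ep.Protocol
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            ProcessId    = $owner
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Services     = $services -join ', '
        }
    }
}

# Port taken from the firewall events quoted in the thread
Get-PortOwner -Port 61455 | Format-Table -AutoSize
```

The ports in these events come from the dynamic range and change over time, so run the check while the port in question is still open; no output means nothing is bound to it at that moment.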
Thanks for the replies. I don’t think it is malicious either but I think I’ll leave things as they are for now. The device seems to work fine. I did try turning off its DLNA capabilities and its media server but this had no effect as the blocked activity continued.