Networked Media Player

I have a set-top media player with a built-in hard drive, WD TV Live Hub, wirelessly connected to my home network. I noticed this activity in Firewall Events from it to my notebook.

Application: svchost.exe
Action: Blocked
Protocol: UDP
Source IP: 192.168.1.144 (WD TV Live Hub)
Source Port: Varies from 47773 to 49189
Destination IP: 192.168.1.163 (my wireless notebook)
Destination Port: 61455

There look to be about 150 of these since about 14 hours ago. The source port keeps going up.

Looking back through history, I see a lot of this activity with other destination ports: 49913, 55446 and others to 61455.

My Network Security Policy for svchost.exe is set to Treat As Outgoing Only.

My inclination is to allow this activity but I wanted to check first. If I should allow this, what rules should I set?

Thanks.

You can adapt the rule for svchost.exe.

Double click on the rule and choose to make a Custom Policy. Then choose to import an existing policy; being Outgoing Only.

Next step is to add the following rule in the new svchost rule:
Action: Allow
Protocol: UDP
Direction: IN
Description: Port rule

Source Address: fill in the IP address when using a fixed IP address for the Media Player. Or fill in the MAC address of its network card or Host name.
Destination Address: Choose how you want to define your computer. Same considerations as in the above.

Source Port: Any
Destination Port: 61455

When this is added use drag and drop to move the port rule to a place somewhere above the block rule. Then Apply and OK your way back to the main screen.

I appreciate the instructions. I am trying to find out what this activity is through a WD user forum and from WD itself. Do you consider this at all dangerous?

urlvoid, ipvoid and Virustotal are good places to start.

Regards,
Valentin N

I seriously doubt these connections are malicious, but without access to one of these media hubs, understanding why svchost is responding to inbound requests needs a little investigation.

The problem is, svchost, which is simply a host for a multitude of other services, listens by default on a range of ports and sets aside a proportion of the dynamic port range (49152–65535) for this purpose.

From what I understand of this device, when plugged into an existing network, it ‘scans’ to find resources that may contain media. So my best guess is that you are seeing a multicast from the media hub, both advertising and soliciting for resources. I’d guess it’s associated with the Network Discovery process FDResPub.
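
One way to do the investigation mentioned in the reply above, as an added example that is not part of the original thread: on the notebook, look up which svchost.exe instance has the blocked UDP port bound and which services that instance hosts. It assumes Windows 8 / Server 2012 or later (for `Get-NetUDPEndpoint`) and an elevated PowerShell prompt; the default port is the one from the firewall events, so pass the port seen in the current events if it has changed.

```powershell
# Added example: map a local UDP port to the services hosted in the owning process.
# Assumptions: Windows 8 / Server 2012 or later, elevated prompt.
param(
    [int]$Port = 61455   # destination port from the blocked firewall events
)

$endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $endpoints) {
    # Dynamic ports (49152-65535) are reassigned, so the binding may be gone.
    Write-Output "Nothing is bound to UDP port $Port right now."
    return
}

foreach ($ep in $endpoints) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue

    # One svchost.exe instance can host several services; list every
    # service that runs inside the process that owns the endpoint.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($ep.OwningProcess)"

    [pscustomobject]@{
        LocalAddress = $ep.LocalAddress
        LocalPort    = $ep.LocalPort
        ProcessId    = $ep.OwningProcess
        Process      = $proc.ProcessName
        Services     = ($services.Name -join ', ')
    }
}
```

Knowing the service name lets the allow rule be judged against what is actually listening, rather than against svchost.exe as a whole.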

Thanks for the replies. I don’t think it is malicious either but I think I’ll leave things as they are for now. The device seems to work fine. I did try turning off its DLNA capabilities and its media server but this had no effect as the blocked activity continued.