I installed Comodo Firewall about a week ago or so, and after much internet digging and reading of guides, I’ve pinned down the whys and triggers of most of the things Microsoft does. I’ve never had ping.exe try to dial out before now, and I’m curious as to what happened. I believe the ping may also be tied to something that’s been bugging me for some time, and I’m not sure how to disable it. Call me paranoid. A firewall’s made it worse.
When I leave my PC idle for 10+ minutes, sometimes I come back to find the HD being thrashed, VSSVC.exe and TrustedInstaller.exe running. Also usually the defragmenter, despite deleting the task for it and turning off auto-defragmenting. The defragging isn’t what’s bugging me, though, it’s the TrustedInstaller and VSSVC. I scan my PC regularly. Every couple of days, in fact. Run NoScript and AdBlock+ on Firefox and seldom browse outside of my comfortable zone. Any site I need to visit that I’ve not been to before I usually pull up on one of my consoles.
I’ve not had any viruses, nor anything suspicious happening, but I can’t figure out what exactly is making those two processes kick in when I leave the PC idle, as Updates are off and the service disabled until I do it manually. But it wasn’t until I left the PC idle today and came back to them running that I saw ping.exe had made several attempts to connect, and since I’d been away, the pop-up had expired and been blocking them.
It’s just several repetitions of C:\Windows\System32\PING.EXE (so obviously the legit file) asking to connect via UDP protocol from my PC’s IP at port 57673 to my router’s IP, destination port 53. Are TrustedInstaller, VSSVC, and Ping all related to some still-attempting-to-run update nonsense? Is it possible (however I believe it highly unlikely) that there is some malware activity here? It should be noted that I have svchost blocked from anything other than bootstrap and time synchronization host/port and to block but not log anything else. Thing was always trying to dial Akamai and Qwest until I turned off the Certificate checks, and I had gotten tired of the logs, so I just have it quietly blocked, so I’m not sure if svchost was also trying to dial up and being blocked or not.
Manually setting a restore point is not triggering ping, nor even TrustedInstaller to show. Those two only happen when the PC goes idle. My guess is it’s a task, but it’s troubled me for some time and googling it isn’t giving me much information one way or the other.
Edit: I decided to do some digging in my tasks, and found several related to the Customer Experience things that triggered at, or shortly before the pings. Why these would trigger TrustedInstaller and VSSVC, I’m not sure, but if they triggered the ping, they probably triggered the processes as well. I could’ve sworn I had opted out, but for good measure I disabled the service and all the tasks I could find related to it. We’ll see what this does.