Hi, I have the same problem that has already been mentioned in this forum before: Since an update a few months ago, I very frequently get alerts about applications that have nothing to do with the Internet at all trying to access 224.0.0.252 over ICMP. I get this for almost every single program in Windows. I know that this is a multicast address, and I don’t care about allowing or blocking it, but what I do want is
- stop being bugged by alerts for this address all the time
- not have entries for every single program in my network security policy (because this screen is not sortable and becomes a big mess the more application-specific rules you have, this should really be improved).
So of course I tried to create a global rule:
ALLOW ICMP IN/OUT from SOURCE=ANY to DESTINATION=224.0.0.252
and another
ALLOW ICMP IN/OUT from SOURCE=224.0.0.252 to DESTINATION=ANY
But I keep getting these alerts! What am I doing wrong? Shouldn’t the global rule allow this traffic? Why do I still get alerts asking me to block or allow?
The 224.0.0.252 multicast address is used for LLMNR (Link Local Multicast Name Resolution) which actually uses UDP. Basically, it’s like a local DNS and is part of Windows network Discovery.
> I get this for almost every single program in Windows. I know that this is a multicast address, and I don't care about allowing or blocking it, but what I do want is
> - stop being bugged by alerts for this address all the time
> - not have entries for every single program in my network security policy (because this screen is not sortable and becomes a big mess the more application-specific rules you have, this should really be improved).
Unfortunately, this is a bug in CIS. Strictly speaking only svchost should make these queries.
> So of course I tried to create a global rule:
> ALLOW ICMP IN/OUT from SOURCE=ANY to DESTINATION=224.0.0.252
> and another
> ALLOW ICMP IN/OUT from SOURCE=224.0.0.252 to DESTINATION=ANY
> But I keep getting these alerts! What am I doing wrong? Shouldn’t the global rule allow this traffic? Why do I still get alerts asking me to block or allow?
The rule is probably failing because LLMNR uses different source and destination addresses/ports and, as mentioned earlier, UDP not ICMP.
What may be easier than trying to block these connections is disabling LLMNR. You could disable Network Discovery in Network and Sharing, but it’s likely you’ll still see these alerts. Better would be to disable it with the group policy editor.
With Administrator privileges, open Start/Run and type gpedit.msc
In the right side window navigate to
Local Computer Policy/Computer Configuration/Administrative Templates/Network/DNS Client
In the left side window select Turn off Multicast Name Resolution
In the settings window select Enabled.
Reboot
If you have other devices/PCs on your network, you may need to perform similar tasks if LLMNR is supported.
If you don’t want to disable the service, create a firewall Application rule for the All Applications group that allows: (This is what I do)
Application Name - All Applications File Group
Action - Allow
Protocol - UDP
Direction - Out
Source Address - ANY
Destination Address - 224.0.0.252
Source Port - ANY
Destination Port - 5355
Place the rule at the top of the Application rules list.
Edit: Just a thought. If you have one of the ‘Home’ designated versions of Windows, you can make the change via the registry:
> Unfortunately, this is a bug in CIS. Strictly speaking only svchost should make these queries.
I don’t understand why they don’t get this fixed, this has been bugging me and others for a while now.
> What may be easier than trying to block these connections is disabling LLMNR. You could disable Network Discovery in Network and Sharing, but it's likely you'll still see these alerts. Better would be to disable it with the group policy editor.
I’d rather not change any of the Windows settings for this, as I’m unsure about the side effects. Also, I don’t have control over all computers on the local network.
> If you don't want to disable the service, create a firewall Application rule for the All Applications group that allows: (This is what I do)
That’s what I just did and I’ll report back if I see the popup again.
What’s interesting is that if I click on allow/remember on one of these alerts, I get an entry in the application rules that looks like this:
Action: Allow
Protocol: IP
Direction: OUT
SOURCE: ANY
DEST: 224.0.0.252
IP DETAILS: IP PROTOCOL: IGMP
By the way, the application rules list is just horrible to deal with, and hasn’t changed for ages. They do all kinds of redesign (which actually makes CIS less usable, since it’s harder to get to the important screens), but don’t improve handling of application rules. I have more than a hundred applications in this list, they appear to be not sorted by anything, and just moving the new rule from bottom to top takes more than a hundred clicks! If you want to find a single application there is not even a search function anymore (the one that used to be there was ■■■■■■, as you couldn’t just search for the name of the exe, but had to enter the whole path. But instead of improving it they completely removed it!)
Yes, it does that. Unfortunately, it’s not quite correct.
> By the way, the application rules list is just horrible to deal with, and hasn't changed for ages. They do all kinds of redesign (which actually makes CIS less usable, since it's harder to get to the important screens), but don't improve handling of application rules. I have more than a hundred applications in this list, they appear to be not sorted by anything, and just moving the new rule from bottom to top takes more than a hundred clicks! If you want to find a single application there is not even a search function anymore (the one that used to be there was ■■■■■■, as you couldn't just search for the name of the exe, but had to enter the whole path. But instead of improving it they completely removed it!)
I completely agree. If you look around the forums, you’ll find many others feel the same way.
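As an added example (not posted by anyone in this thread), here is a constructed LLMNR query in Python, decoded the way a packet capture would show it, together with a match function that evaluates the alerted traffic the way a firewall rule does. It illustrates both the point in the first reply (LLMNR is UDP to 224.0.0.252 port 5355, so ICMP rules for that address never match) and the later observation that the auto-created IGMP rule does not cover it either. The datagram, the transaction id and the host name `mypc` are constructed sample values.

```python
"""Constructed LLMNR (RFC 4795) query plus a minimal decoder. LLMNR reuses the
DNS message format but is sent over UDP to the 224.0.0.252 multicast group,
port 5355; ICMP or IGMP rules for that address therefore never match it."""
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 link-local multicast group used by LLMNR
LLMNR_PORT = 5355             # UDP port used by LLMNR


def encode_name(name: str) -> bytes:
    """DNS-style name: length-prefixed labels terminated by a zero byte."""
    labels = (bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return b"".join(labels) + b"\x00"


def build_llmnr_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard query: 12-byte header (id, flags=0, qdcount=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def decode_name(data: bytes, offset: int):
    """Read labels starting at offset; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointers are not expected in a query
            raise ValueError("compressed name in LLMNR question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_llmnr_query(payload: bytes) -> dict:
    """Decode the header and the single question of an LLMNR UDP payload."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError("LLMNR queries carry exactly one question")
    name, offset = decode_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return {"txid": txid, "flags": flags, "name": name, "qtype": qtype, "qclass": qclass}


def is_llmnr(proto: str, dst_ip: str, dst_port: int) -> bool:
    """Match the traffic the way a firewall rule does: protocol, address, port."""
    return proto.lower() == "udp" and dst_ip == LLMNR_GROUP and dst_port == LLMNR_PORT


if __name__ == "__main__":
    query = build_llmnr_query("mypc", 0x1234)   # constructed sample datagram
    print(parse_llmnr_query(query))
    print(is_llmnr("udp", LLMNR_GROUP, LLMNR_PORT), is_llmnr("icmp", LLMNR_GROUP, 0))
```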