System.exe trying to connect to nbname

Hi,

I recently installed the Comodo firewall, and ever since I installed it, it gives me a warning that system.exe is trying to connect to port 137 (nbname) via UDP. It happens once after every boot, and then not again.

I set it to block and log, but it still is weird?

The source IP is my own (e.g. 192.168.2.21) and the destination IP is also within my “network”: 192.168.2.255.

Is this kosher?

Virus scans (AVG), scans with Spybot Search & Destroy and rootkit scans (GMER) came up clean. HJT log is also clean.

My previous firewall (ZoneAlarm) never alerted me to something like this…

So, my question is: Is this normal?

Using Windows XP SP 3 with all updates installed.
Other security products: AVG 8.5. Spybot is not running in the background (teatimer, etc, are turned off), only running on demand.
Using the latest Comodo 3 version (freshly downloaded and installed on February 28)

ETA: The connection request is outbound, just in case that didn’t come out in the post.

192.168.2.255 is the broadcast address of your LAN/workgroup, and 192.168.xxx.xxx are non-routable: your computer is sending NetBIOS requests to whatever else is connected (other LAN computers, printers, wireless card...) to check the local network awareness of such hardware.

In short, NetBIOS requests are normal on your LAN, but should be denied elsewhere as NetBIOS over the internet is a fundamental security risk: if not automatically recognized by Comodo, create a network zone named lan in the IP range 192.168.1.1-192.1.255, and make a system rule allowing ports 137-139 for LAN, immediately followed by a block/log rule for the same ports if not.

If Zone Alarm does not warn for that, it is a real plague…

Hm, but there is nothing else connected. Just my computer and the router. Unless the router counts (uPnP is turned off at the router, and the uPnP windows service is also turned off).

No printer, no wireless card, no… nothing.

So these requests, within my network, are normal then and nothing out of the ordinary, even if there’s nothing else connected?

Your router has a WAN IP, but also an IP on the LAN side in the 192.168.xxx.xxx range; the default gateway is most often 192.168.1.1 and is the HTTP administration address of the router.

If NetBIOS is not disabled in the TCP/IP properties of your connecting device, the requests shall always be present, but are not a security threat.

Thanks so much for the reply and the help!

So from what I gathered, an outbound UDP netbios request within my network at around boot-time is normal, even if there are no other devices connected, right? (and yep, 192.168.1.1 is my router’s address)

Thanks again! I do get paranoid now and then :wink:

Yes.

But, again, IMMEDIATELY forbid NetBIOS outside of your LAN addresses if not already done.

Hi

I’ve encountered a similar problem several times in the past hour, but external IPs are trying to connect and/or the “system” is trying to listen for connections to those on the 139 port, which I understand is in the NetBIOS ports range (137 - 139). I don’t believe I need NetBIOS although I am using a router and we have 3 computers in a simple LAN (with shared folders of course, but no network printers or other devices) and I thought I could just disable it, but it seems I have to block “system” (or any other process for that matter) from accepting connections on those ports (the LAN range of IPs are already allowed any connections, although I’m starting to worry about any viruses my brother could get that could affect me).

Since I’m not exactly a networking specialist, I’m a little confused as to whether I should specify that set of ports as the “source” or “destination” having no idea what they’re all about (I guess the source is the port the source IP is using to open the socket trying to connect to my PC, and I am the destination, represented by the open NetBIOS ports ?). I’d appreciate a little help, I’m sure it isn’t too complicated for you! :stuck_out_tongue:

I’m also often confused about the meaning of “IN” and “OUT” type of connections, as I quickly forget which means a process on my PC is serving/listening for connections, and which is the outgoing connection.

Currently, I am blocking TCP/UDP connections IN for SYSTEM on the NetBIOS (“DESTINATION”) ports set (137-139) having ANY “SOURCE” port. I just wanted to know if what I’m doing is right. Also, I’m using Windows XP with SP3 and updating it once every few months (if you can help me disable NetBIOS support without messing up anything else).

You made the proper rule for System.

Please read How to disable NetBIOS on the Internet Adapter for Windows 2000/XP/2003 on how to disable it in Windows.

Thank you for your time, Eric. ;D
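
The rule order described earlier in the thread (allow ports 137-139 for the LAN zone, then block and log them for everything else) and the inbound rule on destination ports from the later post can be modeled as a first-match-wins list. This is an added example, not part of the original thread and not Comodo's rule format; the 192.168.2.0/24 zone, the `evaluate` and `classify_all` helpers and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the LAN is 192.168.2.0/24, taken from the addresses in the first post.
LAN = ipaddress.ip_network("192.168.2.0/24")
NETBIOS_PORTS = range(137, 140)  # 137 name, 138 datagram, 139 session

# Hypothetical first-match-wins rule list (not Comodo's own rule format):
# allow NetBIOS to/from the LAN zone, then block and log it for everything else.
RULES = [("allow", LAN), ("block+log", None)]  # None = any remote address


def evaluate(direction, src, dst, dst_port, rules=RULES):
    """Return the action for one packet seen on the local machine."""
    # The destination port identifies the service in both directions:
    # IN = a remote host connects to our port, OUT = we connect to theirs.
    if dst_port not in NETBIOS_PORTS:
        return "not-netbios"
    # The remote peer is the destination for OUT traffic and the source for IN.
    remote = ipaddress.ip_address(dst if direction == "OUT" else src)
    for action, zone in rules:
        if zone is None or remote in zone:
            return action
    return "no-rule"  # falls through to the firewall's default (an alert)


# Constructed sample traffic: (direction, source, destination, destination port)
SAMPLES = [
    ("OUT", "192.168.2.21", "192.168.2.255", 137),  # boot-time broadcast
    ("IN", "192.168.2.30", "192.168.2.21", 139),    # LAN file sharing
    ("IN", "203.0.113.7", "192.168.2.21", 139),     # external host (doc range)
    ("OUT", "192.168.2.21", "198.51.100.9", 137),   # NetBIOS leaving the LAN
    ("OUT", "192.168.2.21", "192.168.2.1", 53),     # DNS, not covered here
]


def classify_all(rules=RULES):
    """Evaluate every constructed sample against the given rule list."""
    return [evaluate(*pkt, rules=rules) for pkt in SAMPLES]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLES, classify_all()):
        print(pkt, "->", action)
    # Reversing the order shows why the allow rule must come first.
    print(classify_all(rules=list(reversed(RULES))))
```

With the block rule placed first, the LAN broadcast and LAN file sharing are blocked as well, which is why the allow rule has to sit directly above the block/log rule.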