Windows Operating System / System Idle Process in Logs [Merged Threads]

All rules after "Block and log IP in/out" will not be used (that blocks all that wasn't allowed before), but your trusted zone is correctly set. Thus you should be able to be pinged from your other PC, and you should have no log entry for any traffic in your trusted zone, including ICMP. ???

But if those pings are blocked, maybe your home LAN range is not set correctly. Run ipconfig from the other PC to check if that IP is included in your home LAN range.


Outbound traffic is read first from app rules. Inbound traffic is read first from global rules.

Hi

The firewall is logging loads of blocked attempts by System Idle Process UDP 10.0.0.4, 0.0.0.0 and 10.0.0.2. Is this legit or not?

I have some attempts like that, not the same numbers, but nothing seems to be affected by them.

No no. Do not create any rule for "System Idle Process". That is simply a ping request. You can use "Stealth Ports Wizard" and trust your LAN. This way both of those computers can speak to each other.

Egemen

Here is Log Scope: Today

Date/Time Application Action Source IP Source Port Destination IP Destination Port
27/11/2007 00:08:17 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 00:18:17 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 00:28:18 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 00:38:17 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 00:48:17 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 00:58:18 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 01:08:17 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 01:17:43 System Idle Process Blocked 65.55.197.248 80 10.0.0.4 2440
27/11/2007 01:17:44 System Idle Process Blocked 65.55.197.248 80 10.0.0.4 2437
27/11/2007 01:17:46 System Idle Process Blocked 65.55.197.248 80 10.0.0.4 2437
27/11/2007 01:17:50 System Idle Process Blocked 65.55.197.248 80 10.0.0.4 2437
27/11/2007 01:17:58 System Idle Process Blocked 65.55.197.248 80 10.0.0.4 2437
27/11/2007 01:18:17 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 01:22:51 System Idle Process Blocked 213.254.200.19 80 10.0.0.4 2431
27/11/2007 01:22:52 System Idle Process Blocked 213.254.200.19 80 10.0.0.4 2431
27/11/2007 01:22:53 System Idle Process Blocked 213.254.200.19 80 10.0.0.4 2431
27/11/2007 01:25:01 System Idle Process Blocked 213.254.200.19 80 10.0.0.4 2607
27/11/2007 01:25:02 System Idle Process Blocked 213.254.200.19 80 10.0.0.4 2607
27/11/2007 01:25:04 System Idle Process Blocked 213.254.200.19 80 10.0.0.4 2607
27/11/2007 01:28:17 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 12:04:48 C:\WINDOWS\system32\svchost.exe Blocked 10.0.0.4 Type(8) 10.0.0.2 Code(0)
27/11/2007 12:04:53 C:\WINDOWS\system32\svchost.exe Blocked 10.0.0.4 Type(8) 10.0.0.2 Code(0)
27/11/2007 12:04:54 C:\WINDOWS\system32\svchost.exe Blocked 10.0.0.4 Type(8) 10.0.0.2 Code(0)
27/11/2007 12:14:06 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 12:24:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 12:24:54 System Idle Process Blocked 66.135.209.234 80 10.0.0.4 3336
27/11/2007 12:24:55 System Idle Process Blocked 66.135.209.234 80 10.0.0.4 3336
27/11/2007 12:24:57 System Idle Process Blocked 66.135.209.234 80 10.0.0.4 3336
27/11/2007 12:25:01 System Idle Process Blocked 66.135.209.234 80 10.0.0.4 3336
27/11/2007 12:25:06 System Idle Process Blocked 66.135.221.33 443 10.0.0.4 3338
27/11/2007 12:25:07 System Idle Process Blocked 66.135.221.33 443 10.0.0.4 3338
27/11/2007 12:25:09 System Idle Process Blocked 66.135.221.33 443 10.0.0.4 3338
27/11/2007 12:25:13 System Idle Process Blocked 66.135.221.33 443 10.0.0.4 3338
27/11/2007 12:25:21 System Idle Process Blocked 66.135.221.33 443 10.0.0.4 3338
27/11/2007 12:34:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 12:44:06 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 12:54:06 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 12:59:40 System Idle Process Blocked 213.200.110.89 80 10.0.0.4 3789
27/11/2007 12:59:41 System Idle Process Blocked 213.200.110.89 80 10.0.0.4 3789
27/11/2007 12:59:42 System Idle Process Blocked 213.200.110.89 80 10.0.0.4 3789
27/11/2007 13:04:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 13:05:08 System Idle Process Blocked 193.243.130.158 80 10.0.0.4 4024
27/11/2007 13:14:06 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 13:24:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 13:34:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 13:44:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 13:54:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 14:04:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 14:09:51 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:09:52 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:09:53 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:09:54 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:09:55 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:14:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 14:14:11 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:14:12 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:14:13 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:14:14 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:14:15 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:16:58 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:16:59 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:17:00 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:17:01 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:17:02 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:20:22 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:20:23 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:20:24 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:20:25 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:20:26 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:24:05 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 14:24:54 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:24:55 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:24:56 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:24:57 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:24:59 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 14:25:02 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)

This is a fraction!

I don't understand. Can you tell me which option to choose under Stealth Ports Wizard? Either way, all three still cause System Idle Process to be blocked.


I'm mystified by this; apparently System Idle Process is calling out to one or more IP addresses related to my Verizon wireless service. CF3 identifies System Idle Process as a web browser, then proceeds to block some of the outbound connection attempts. This may be a bandwidth management service related to Verizon, but it is very strange to me. Why System Idle Process? I tried completely blocking all internet connections from System Idle Process with no apparent negative effects as of yet. Anyone know what is going on here?

thank you

You don't want SIP accepting incoming calls because some of those can be malware. Most of them will be from your ISP, telco, Microsoft, and a bunch of other semi-legitimate sources, but it is a potential source of trouble. The Storm Bot worm uses that process to access the messaging service on your system to fool you into downloading and installing it on your computer. The Global "Block all incoming IP connections" rule is what blocks these attempts, and it should be left that way. If, for some overriding reason, you must have an incoming connection allowed, place it above the Block rule in the Global rules under the Network Security Policy section. BUT, only allow one IP address in and restrict it as much as possible.

I would like to understand this a bit more. Can you or someone else explain some of the reasons for seeing unsolicited packets?

Thanks, Al

I think this explains it (from the help files)

Column Descriptions
Application - indicates which application or process propagated the event. If the application has no icon, the default system icon for executable files will be used;

In other words if it doesn’t recognise anything to call the attack it calls it by an executable file name, i.e. System Idle Process.

All these attacks (in my opinion) are the same as you see with any other firewall log, only they are labelled SIP instead of something else. :)

Actually, my question was what are some of the causes for unsolicited packets and not why they are labeled as SIP

Al

Sorry, misunderstood.

I can only assume these attacks are the usual ones from outside sources (usually BOTs) trying to gain access to your system.

I get around 15-20 per hour; not sure if that’s the norm; would be interested in others log readings.

However I am on a USB modem, not a router with a built in firewall; many with routers hardly ever see an attack.

A Firewall is essential these days with 15-20 attacks an hour coming your way.

Mike.

Not all are attacks. That is why I am trying to get a deeper understanding for unsolicited packets so I can filter the Event Log to list only the important things. The other stuff I would still block, but not log.

Al
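As an added example (not part of the thread), here is a small Python classifier for log lines in the format posted above that sorts each blocked entry into a category and says whether it is worth keeping in the log, which is what Al is asking for. The categories and the "late reply from a web server" heuristic are my own assumptions, and the 198.51.100.7 line is constructed to show a genuinely unsolicited probe next to the real entries.

```python
import ipaddress
import re
from collections import Counter

# Log format as posted in the thread: date, time, application (may contain
# spaces), action, source IP, source port, destination IP, destination port.
# For ICMP the two port columns carry "Type(n)" and "Code(n)" instead.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<app>.+?) (?P<action>Blocked|Allowed) "
    r"(?P<src>\S+) (?P<sport>\S+) (?P<dst>\S+) (?P<dport>\S+)$"
)

# Sample lines copied from the log above, plus one constructed line
# (198.51.100.7 -> port 445) that is not from the thread.
SAMPLE_LOG = """\
27/11/2007 00:08:17 System Idle Process Blocked 10.0.0.2 50002 239.255.255.250 1900
27/11/2007 01:17:43 System Idle Process Blocked 65.55.197.248 80 10.0.0.4 2440
27/11/2007 12:04:48 C:\\WINDOWS\\system32\\svchost.exe Blocked 10.0.0.4 Type(8) 10.0.0.2 Code(0)
27/11/2007 12:25:06 System Idle Process Blocked 66.135.221.33 443 10.0.0.4 3338
27/11/2007 14:09:51 System Idle Process Blocked 212.58.227.102 Type(3) 10.0.0.4 Code(3)
27/11/2007 15:00:00 System Idle Process Blocked 198.51.100.7 40000 10.0.0.4 445
"""

def parse_line(line):
    """Split one log line into its columns; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(e):
    """Return (category, keep): keep=True means the entry deserves a look."""
    src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
    sport, dport = e["sport"], e["dport"]
    if dst.is_multicast and dport == "1900":
        return "ssdp-multicast", False        # UPnP/SSDP discovery from a LAN host
    if sport == "Type(8)":                    # ICMP echo request (a ping)
        return ("lan-ping", False) if src.is_private else ("external-ping", True)
    if sport == "Type(3)":                    # ICMP destination unreachable: a reply
        return "icmp-unreachable-reply", False  # to something this host sent
    if sport in ("80", "443") and not src.is_private \
            and dport.isdigit() and int(dport) >= 1024:
        return "late-web-reply", False        # heuristic: stale segment from a web server
    return "unsolicited-inbound", True        # nothing explains it: keep logging

def summarize(text):
    """Count categories over a whole log dump, skipping unparseable lines."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            counts[classify(e)[0]] += 1
    return counts
```

Run `summarize(SAMPLE_LOG)` to see that five of the six blocked entries fall into categories that can be blocked without logging, leaving only the probe to port 445.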

You are really lucky! My norm: 15-20 per MINUTE (cable).

That's the point. 88)

OK Adric, I understand a little more what you are trying to do; but it may be difficult to establish why some are occurring (I get a few internal pings), and unless you are getting 100s an hour then I can't really see the point in worrying about them or trying not to log the unimportant ones.

Just my personal opinion.
Looking at your attack log every hour or so can worry you to death. :wink:

I guess the real issue is that the log needs some more features, like some filtering and an optional query module to save custom-made queries (the SQLite engine can do it).
A setting to apply a user-defined filter to the log by default would do the trick. BTW, an option to get the filter values from the currently selected log entry would also help.

All these issues will eventually disappear. So all members should address current issues (one at a time) in a separate topic and elaborate a solution or an enhancement.
Description of the solution, the issues it solves, screenshots, concepts and so on, in order to provide as much detail as possible, gathered in the same topic.

Once all solutions are elaborated, a poll can be made in order to gather consensus on a particular topic. Don't ever give up :) Submit your feedback as detailed as possible and use whatever (legit :P) means this forum offers to highlight it. Beware! Duplicated topics will disrupt this cooperative feedback.

(CNY)

That is one issue, the other is understanding the event that caused the block. I asked if anyone else was interested in understanding this stuff here. Hopefully, with enough interest and input from some talented network gurus, the thread will help increase our network awareness.

Al

You already got a correct answer there. Outbound traffic is blocked by ruleset. Inbound too. The only concern so far is SIP blocked entries as there is no entry in CFP help about them, plus the log cut out some extra info that V2 usually gave (like SPI blocks).