Windows Operating System trying to connect to internet?

Hi everyone,

Yesterday I got an alert that said “Windows Operating System is trying to connect to the internet” and that

Windows Operating System is a pseudo-process rather than a normal process and therefore the Firewall could not detect the real process behind this connection request. This usually happens when a computer is configured as an Internet Connection Server(ICS). Such alerts may also be caused by many other utilities like VPN clients or packet sniffers. If you are not sure what to do, it is recommended to block this request.

I didn’t know what was causing this alert, so I blocked this and my internet connection went dead. It still said I was connected to the internet, but I couldn’t access anything on the Web.

Looking at the firewall logs, there are over 150 entries for “Windows Operating System” – one every few seconds. They all seem to be going to random locations…(see attached screenshot)

This is the first time this has happened to me. I wasn’t doing anything special at the time the alert came…(as far as I can remember, my web browser wasn’t even open at that time).

What could be the cause of this huge flood of connection attempts?
What could “Windows Operating System” be trying to do?
If this alert ever appears again, how should I answer it?
(by the way, if I allow or block something without clicking “Remember my answer”, is there a way to change that decision without having to restart the program?)

Thanks in advance.

[attachment deleted by admin]

Apparently there is a program using a driver that is blocking the view for CIS. Finding that can be a bit of a puzzle. Do you have other security programs running? Try uninstalling them to see if they play a role. Are you using a tool like Net Limiter? Try uninstalling to see if that is in the way or not.

I checked the logs and will comment on the various entries:

  • 192.168.1.255: that is the broadcast address of your Local Area Network. It is your computer broadcasting using the NetBIOS protocol to see if there are other computers to see if they can share folders or printers
  • 156.154.70.22 and 156.164.71.22 are the DNS servers of Comodo Secure DNS service. Blocking access for them may result in problems with surfing. Your computer cannot connect to convert the url to the matching IP addresses. Local DNS cache of your computer may help you out but eventually your surfing would turn problematic
  • the traffic with destination port 80 may be related to surfing or programs looking for an update. If you want to check the IP addresses your computer is trying to connect you can use an online Whois look up service. I always use this one: Whois - IP Address - Domain Name Lookup

I use AVG with the Comodo firewall (and Defense+), but the two have always worked well with each other (as I said, that was the first time I got such an alert). I could try uninstalling AVG to see if it would make a difference, but if it doesn’t, reinstalling it would be a bit of a hassle as I would have to first uninstall CIS (AVG won’t install with CIS already on the system), and then install AVG and then CIS, and then…yeah.
I don’t use anything like Net Limiter.

I’m also noticing that the firewall always shows 0 outbound and 0 inbound connections (Active Connections window is empty). Also, the firewall has stopped showing any alerts at all, except for about 1/2 an hour ago, when it popped up another “Windows Operating System is trying to connect to the internet” alert. It seems to be ignoring its rules and allowing everything, unless I set the firewall security level to “Block All”.
Defense+ works fine, though.

I wonder what could be causing this strange behavior?

Hi,

By default the FW has an application rule for Windows Operating System allowing all outgoing requests. If you have removed it, you must make rules for the processes which need to access the net.

Boris

I think you mean Windows System Applications, for which a default rule is created.

It would be useful to see a screen-shot of your firewall Application rules, however, there are two things to try.

First. Open CIS from the system tray, select More/Diagnostics. See if it reports any errors.

Second, Open CIS from the system tray, select More/Manage My Configurations. Select one that’s not in use and activate it. Check the firewall Application rules.

Yes, sorry my mistake.

I don’t know how much use they would have – the firewall was working and then it just wasn’t. I didn’t change any rules before it stopped working. Besides, the rules are just the default rules plus rules for a few specific applications. If I run a program not in the rules, the firewall doesn’t alert me when it connects to the internet – it just lets it connect. Also, the “Active Connections” window is always completely blank (summary always shows 0 outbound and 0 inbound connections).

First. Open CIS from the system tray, select More/Diagnostics. See if it reports any errors.
The Diagnostics thing didn't find any problems.
Second, Open CIS from the system tray, select More/Manage My Configurations. Select one that's not in use and activate it. Check the firewall Application rules.
Changing configurations didn't help.

Hmm…now what?

Did you activate the configuration after selecting it?

It would still be helpful to see what the rules say, as this is abnormal behaviour. Windows Operating System should not be trying to make outbound connections on behalf of what appears to be svchost and the system process.

My own view of what is happening here is that it’s pretty harmless. In the screenshot posted I see connections to port 53, 80 and 137. Connections where “Windows Operating System” is shown happen mostly in my experience AFTER YOU’VE CLOSED THE PROGRAM THAT WOULD INITIATE THESE CONNECTIONS.

Judging from the type of ports used, I would think it was a program used to do something on the LAN, where it communicates via NETBIOS and which you then closed. Could this be?
A very common example is a torrent program - after you close it you’ll still get numerous connection attempts to the port used by the torrent program as incoming port.

In any case, your firewall should be hardened to the point as to never allow port 137 to connect outside your LAN, whereas it’s safe to always allow port 53 access to the WAN for DNS queries.
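
Added example (not part of any poster's reply, and not Comodo's own code): a small Python triage of outbound firewall log destinations along the lines discussed above, separating LAN NetBIOS broadcasts, DNS to a known resolver and web traffic from entries worth a closer look, such as port 137 leaving the LAN. The /24 LAN prefix, the resolver list, the label names and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the thread): a /24 LAN and the resolver list.
LAN = ipaddress.ip_network("192.168.1.0/24")
RESOLVERS = {ipaddress.ip_address("156.154.70.22")}
NETBIOS_PORTS = {137, 138, 139}
WEB_PORTS = {80, 443}

def classify(dst_ip, dst_port, lan=LAN, resolvers=RESOLVERS):
    """Label one outbound firewall log entry by its destination."""
    dst = ipaddress.ip_address(dst_ip)
    if dst_port in NETBIOS_PORTS:
        # NetBIOS belongs on the LAN only; anything else breaks the rule.
        if dst == lan.broadcast_address:
            return "netbios-lan-broadcast"
        return "netbios-lan" if dst in lan else "netbios-leaving-lan"
    if dst_port == 53:
        return "dns-known-resolver" if dst in resolvers else "dns-other-resolver"
    if dst_port in WEB_PORTS:
        return "web"
    return "other"

def triage(entries):
    """Return (count per label, entries that need a closer look)."""
    counts = Counter()
    review = []
    for dst_ip, dst_port in entries:
        label = classify(dst_ip, dst_port)
        counts[label] += 1
        if label in {"netbios-leaving-lan", "dns-other-resolver", "other"}:
            review.append((dst_ip, dst_port, label))
    return counts, review

# Constructed sample entries: (destination IP, destination port).
SAMPLE = [
    ("192.168.1.255", 137),
    ("156.154.70.22", 53),
    ("203.0.113.10", 80),
    ("198.51.100.7", 137),
    ("198.51.100.53", 53),
]

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    print("review:", review)
```
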

Unfortunately, that is not the case. WOS will sometimes handle INBOUND connections after an application is closed, but not OUTBOUND.

The only exception I can think of is if the PC is configured as an ICS box and you’re routing traffic through this connection.

Judging from the type of ports used, I would think it was a program used to do something on the LAN, where it communicates via NETBIOS and which you then closed. Could this be? A very common example is a torrent program - after you close it you'll still get numerous connection attempts to the port used by the torrent program as incoming port.

Only some of the events are related to the System Process (which handles NetBIOS communication) for which there is a default rule. As this is a system process, it’s not something that one ‘closes’.

As mentioned above, WOS can handle connections from utorrent, when that application is closed. If you search the forums you will find a rule to handle those INBOUND connections.

In any case, your firewall should be hardened to the point as to never allow port 137 to connect outside your LAN, whereas it's safe to always allow port 53 access to the WAN for DNS queries.

If you have a correctly configured router, NetBIOS broadcasts will be limited to the LAN. If you don’t have a router, but still need to make use of file and printer sharing on a LAN, it’s easy enough to configure. A search of the forums will explain how.

If you haven’t changed the default configuration of CIS and the installation was successful, you should not be seeing these connections.

So…does anyone have a clue as to why my firewall is always showing 0 outbound and inbound connections?

Maybe it’s related to the fact that no alerts are being displayed, except for the occasional “Windows Operating System is trying to connect to the internet” alert…(and the last time I got that was a few days ago).

There may or may not be a connection between your problem and the problem in this topic. But since this seems to be a bit of a tricky problem it is better to treat the problems separately. Please start your own topic. That way your problem will get the attention it deserves and this topic won’t divert.

When you make your own topic also tell us a bit about your system. What OS you are using. What security and other utility software you are using that could interfere.

A couple of days ago I’ve started to get this alert also. I think this has something to do with Tunngle, because only after I’ve installed it, this alert showed up. This is a software that allows you to create/connect to a LAN using the internet, similar to Hamachi but designed mostly towards games.

Maybe he’s using some sort of similar software…