"Windows Operating System" trying to connect to random Greek IP

There’s no specific process, just “Windows Operating System”. Looking at the details, it just references the System32 folder. What is this mysterious non-process trying to access the Greek IP 94.68.66.48? Is this malware trying to phone home? How can I find out?

Are you getting an actual firewall alert that says Windows Operating System is trying to connect to the internet, or are you seeing Windows Operating System in the firewall event logs? If you are getting a firewall alert, it could be malware unless you use any virtualization software (VMware, VirtualBox, Virtual PC, etc.). You can use KillSwitch to list every process running and their rating. Also, what version of CIS are you using?

Yes, the firewall popped up with an alert 3 or 4 times in a row last night. I just downloaded KillSwitch. What am I looking for? I’m running 8.2.0.4703.

In KillSwitch, under the Processes tab, you are looking for any process whose rating is not trusted. I’m very interested in this, as you should never get firewall alerts originating from “Windows Operating System” as CIS no longer detects such network traffic when applications bypass the Windows networking stack and use a 3rd-party protocol driver. If you can, the next time an alert appears, could you make a screenshot? Also, could you export your firewall logs and attach them here in a zip folder?

94.68.66.48 is registered to the Greek national telephone company OTE, so this is likely to be either a company using OTE as their ISP or a private individual using OTE as their ISP. If you think it suspicious (and it does sound that way) email the relevant section of your firewall logs to abuse@otenet.gr.

I do have an FLS.Unknown running under svchost.exe by the name of Microsoft.Photos.exe. VirusTotal says it’s clean, but I get this “Windows protected your PC” if I try to run it:

[attachment deleted by admin]

Can you check the digital signature of Microsoft.Photos.exe and see if it is valid? If it is valid, the file was not changed after publishing and is an original file from Microsoft, making the SmartScreen detection a false positive.
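
The two checks discussed in this thread (which process owns the connection to 94.68.66.48, and whether its file carries a valid signature) can be run together from PowerShell. This is an added example, not something posted by the thread participants; it assumes Windows 8 or later, an elevated prompt, and that the traffic is TCP.

```powershell
# Added example. $remote is the address from the alert in this thread.
$remote = '94.68.66.48'

# TCP only: Get-NetUDPEndpoint does not record a remote address.
$conns = Get-NetTCPConnection -RemoteAddress $remote -ErrorAction SilentlyContinue
if (-not $conns) {
    Write-Output "No TCP connection to $remote at the moment; rerun while the alert is showing."
}

foreach ($c in $conns) {
    $procId = $c.OwningProcess
    Write-Output "[$($c.State)] local port $($c.LocalPort) -> ${remote}:$($c.RemotePort), PID $procId"

    # PID 4 is the System process (kernel-owned traffic, no user-mode image).
    # PID 0 is the idle pseudo-process and also shows up for TimeWait entries.
    if ($procId -in 0, 4) {
        Write-Output '  Owned by the kernel (System); no executable to check.'
        continue
    }

    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
    if (-not $proc) { Write-Output '  Process has already exited.'; continue }
    Write-Output "  Image: $($proc.Name)"

    # svchost.exe is only a host; list the services inside this instance.
    if ($proc.Name -eq 'svchost.exe') {
        Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
            ForEach-Object { Write-Output "  Hosted service: $($_.Name) ($($_.DisplayName))" }
    }

    # ExecutablePath is empty when the caller lacks rights to query the process.
    if (-not $proc.ExecutablePath) {
        Write-Output '  Path not readable; rerun from an elevated prompt.'
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
    Write-Output "  Path:      $($proc.ExecutablePath)"
    Write-Output "  Signature: $($sig.Status)"
    Write-Output "  Signer:    $($sig.SignerCertificate.Subject)"
}
```

A `Signature` of `Valid` means the file hash matches the signature and the certificate chain is trusted on this machine; `NotSigned` or `HashMismatch` on a file that claims to be from Microsoft is the case to look at more closely.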