strange request for inbound traffic (firewall)


Fly
June 11th, 2009, 01:51 PM
(Windows XP Home Edition, service pack 2, router directly connected to modem by wire/cable, wireless connection to my computer, WPA-PSK encrypted, no other computers in my network.)

I'm currently trialling Eset Smart Security, with the firewall in interactive mode. Upon (re)boot I noticed a strange request for INBOUND traffic (Microsoft Windows Publisher I think), IP 207.46.197.32.

I decided to temporarily allow it. And I did look it up.
According to networksolutions:
'OrgName: U.S. Environmental Protection Agency
OrgID: UEPA
Address: NC 54 at Alexander Drive
City: Research Triangle Park
StateProv: NC
PostalCode:
Country: US'

That just seems weird. I decided to temporarily allow it because I had problems synchronizing the time on my computer, both automatic and manual.

I've noticed that 'Microsoft Windows Publisher' wants to phone out a lot. Also weird.

Anyone care to comment ?

What business is my computer to the 'U.S. Environmental Protection Agency'? :wacko:

LowWaterMark
June 11th, 2009, 01:59 PM
> What business is my computer to the 'U.S. Environmental Protection Agency'? :wacko:

How did you look up that IP address exactly?

207.46.197.32 is in a Microsoft owned IP address range, and appears to be a mix of update server and other distributed software functions.

> Final results obtained from whois.arin.net.
> Results:
>
> OrgName: Microsoft Corp
> OrgID: MSFT
> Address: One Microsoft Way
> City: Redmond
> StateProv: WA
> PostalCode: 98052
> Country: US
>
> NetRange: 207.46.0.0 - 207.46.255.255
> CIDR: 207.46.0.0/16
> NetName: MICROSOFT-GLOBAL-NET
> NetHandle: NET-207-46-0-0-1
> Parent: NET-207-0-0-0-0
> NetType: Direct Assignment
> NameServer: NS1.MSFT.NET
> NameServer: NS5.MSFT.NET
> NameServer: NS2.MSFT.NET
> NameServer: NS3.MSFT.NET
> NameServer: NS4.MSFT.NET
> Comment:
> RegDate: 1997-03-31
> Updated: 2004-12-09

See also: http://whois.domaintools.com/207.46.197.32 - lots of Microsoft domains hosted behind this IP address.
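A quick way to settle a "which org does this IP belong to" question is to parse the ARIN record and check the address against both the NetRange and the CIDR fields rather than eyeballing them. The script below is an added example, not code from the thread or from ARIN; it embeds a cut-down copy of the ARIN record quoted above as constructed sample input and checks the IP from the first post against it.

```python
import ipaddress
import re

# Constructed sample: the fields of the ARIN record quoted in the reply above
# (only the lines this example needs are reproduced).
ARIN_RECORD = """\
OrgName: Microsoft Corp
OrgID: MSFT
NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetType: Direct Assignment
Comment:
"""


def parse_whois(text):
    """Parse 'Key: value' lines into a dict.

    Empty values (e.g. 'Comment:') are kept as ''. A key that repeats
    (NameServer does in the full record) keeps its last value.
    """
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line.strip())
        if m:
            record[m.group(1)] = m.group(2).strip()
    return record


def networks_of(record):
    """Networks listed in the CIDR field (ARIN may list several, comma-separated)."""
    return [ipaddress.ip_network(c.strip())
            for c in record.get("CIDR", "").split(",") if c.strip()]


def range_contains(record, ip):
    """Membership test against the NetRange field, independent of the CIDR field."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in record["NetRange"].split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi


def check_ip(record, ip):
    """Return who the record says owns `ip` and whether the record actually covers it.

    CIDR and NetRange are cross-checked; a record where they disagree is
    rejected instead of trusted.
    """
    addr = ipaddress.ip_address(ip)
    in_cidr = any(addr in net for net in networks_of(record))
    in_range = range_contains(record, ip)
    if in_cidr != in_range:
        raise ValueError("CIDR and NetRange disagree; do not trust this record")
    return {"ip": ip, "org": record.get("OrgName"),
            "netname": record.get("NetName"), "match": in_cidr}


if __name__ == "__main__":
    rec = parse_whois(ARIN_RECORD)
    print(check_ip(rec, "207.46.197.32"))  # the address from the first post
    print(check_ip(rec, "8.8.8.8"))        # an address outside the block
```

Run it and the first line reports the thread's IP as inside 207.46.0.0/16 under OrgName Microsoft Corp, which is the check Fly's networksolutions result would have failed: an EPA record cannot carry a NetRange that contains 207.46.197.32.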

Fly
June 11th, 2009, 04:30 PM
That's strange.

I used www.networksolutions.com/whois/index.jsp

I just tried it again, and it points to Microsoft. I remember paying attention when I did the WHOIS lookup. I guess I made a mistake ? :-\

But it's weird, according to Eset Smart Security it was INBOUND traffic, and I could choose between allowing and denying the request.

I haven't experienced that with any other firewall I've tried. Outbound requests, yes, but not inbound.

And there is even a router between the internet/modem and my computer.

So how did it get past that ? :wacko:

LowWaterMark
June 11th, 2009, 05:12 PM
It's hard to say what it was without a full log - i.e. src/dst ports, protocol, flags, etc. However, since you do have a router protecting your network perimeter, it's very unlikely to be an unsolicited inbound connection. Meaning, it's not something random from the Internet that penetrated your router all on its own. It's much more likely that something in Publisher initiated the connection, (especially since you say it was the program Publisher that the alert said the communication was aimed at - for the firewall to know it was Publisher, Publisher must have been running), and the software firewall is merely alerting for another reason... Perhaps a late response that the program was no longer waiting for. There's also the question of "how soon after reboot" the packet came in. If it was immediate, the network connectoid may not have been fully started, which caused a delay in communications, again leading to the program having timed out on the connection that it actually initiated.

Windows Publisher is a fairly heavy program. It's not all that odd that it would make use of a lot of phone homes to a Microsoft update/service website, especially upon system reboot.
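The "late response the program was no longer waiting for" explanation comes down to how a stateful host firewall tracks connections: an outbound packet creates a state entry, a reply that matches a live entry is passed as established, and once the entry has expired the same reply looks like unsolicited inbound traffic. The toy tracker below is an added example written for this thread, not ESET's code or any real firewall; the timestamps, the local address and the 30-second timeout are constructed, and the remote address is the one from the first post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" (host -> network) or "in" (network -> host)
    ts: float        # seconds since boot (constructed)


class StatefulFirewall:
    """Toy stateful filter.

    Outbound packets create a state entry keyed on the 4-tuple; inbound
    packets are passed only if they match an entry that has been seen
    within `timeout` seconds, otherwise they are flagged as unsolicited.
    """

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        # (local_ip, local_port, remote_ip, remote_port) -> last time seen
        self.table = {}

    def _expire(self, now):
        for key, last_seen in list(self.table.items()):
            if now - last_seen > self.timeout:
                del self.table[key]

    def handle(self, pkt):
        self._expire(pkt.ts)
        if pkt.direction == "out":
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "allow-outbound"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            self.table[key] = pkt.ts
            return "allow-established"
        return "alert-unsolicited-inbound"


def simulate(timeout=30.0):
    """Replay a constructed trace and return the verdict for each packet."""
    fw = StatefulFirewall(timeout)
    local, remote = "192.168.1.10", "207.46.197.32"
    trace = [
        # a program on the host opens a connection to the Microsoft address
        Packet(local, 49152, remote, 80, "out", 0.0),
        # the reply arrives promptly: matches live state, passed silently
        Packet(remote, 80, local, 49152, "in", 2.0),
        # the same reply arriving after the state expired: looks "inbound"
        Packet(remote, 80, local, 49152, "in", 90.0),
        # a packet nobody asked for (documentation address, constructed)
        Packet("198.51.100.7", 40000, local, 80, "in", 91.0),
    ]
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    for verdict in simulate():
        print(verdict)
```

The third packet is the case LowWaterMark describes: the host initiated the exchange, but by the time the answer came back the firewall had forgotten about it, so the prompt reads like an inbound request. A router's NAT table in front of the host would typically still drop the genuinely unsolicited fourth packet, which is why the reply regards that possibility as unlikely.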

Fly
June 12th, 2009, 03:16 AM
It's not even in the log, the log is completely empty.

I don't have a program called 'Microsoft Windows Publisher' installed.
I did a quick search on the internet, and it may have something to do with either Microsoft/Windows update, MS Works (MS Word 2002 ?), or certificates.

No other firewall I've ever used mentioned 'Microsoft Windows publisher'.

m00nbl00d
June 12th, 2009, 07:48 AM
I found this http://www.microsoft.com/windowsxp/using/security/expert/russel_installsp2.mspx

It mentions Microsoft Windows Publisher below "How to Use Windows Update".

Maybe the reason other firewalls never warned you about it is that they had Microsoft's related services under trusted software vendors?