Hey there, My questions are of many kinds. Just pick and reply to ones you know the answers to. QUESTION 1- I use IVPN. It has an option not to allow any traffic outside of VPN tunnel. It's firewall starts very early when windows starts and doesn't allow other programs to connect to anything. It blocks not only HTTP, HTTPS, but also UDP, TCP any connection whatsoever. After using the web a little I check my 2 adapters in Network and Sharing Center. (There is 1 normal and 1 TAP adapter for the VPN to use) First (Normal adapter) shows higher Sent/Recieved Bytes than the Second (TAP) Adapter. Pics: 1st adapter: postimg.org/image/nan90its1 2nd adapter: postimg.org/image/4sb3b0z9f Does it mean that I leak data with my real IP adress? QUESTION 2- When I start Firefox, it makes hidden connection to some places (like checking for addon updates etc.) I disabled all of FF's update checks, but one connection I can't stop. dcky6u1m8u6el.cloudfront.net (52.85.173.57) Very strange thing is I blocked it's domain and IP in hosts file, but it still can connect. Glasswire Screenshot: postimg.org/image/705do8onr How does it bypass it? QUESTION 3- I installed Ubuntu and Linux Mint before(Couldn't get used to them, rolled back). While I was using Linux I must have deleted something from my External Hard Drive. Now there is a ".Trash-100" folder that CAN'T be deleted. Removing "Read Only" option from properties does not help. Pic: postimg.org/image/3w9vj43tv QUESTION 4- When I start my PC, I see an external connection made by broadcasthost and also 224.0.0.252 , and glasswire says they are external connections. I know broadcasthost makes connections for Windows services (which I'm also against). After a little tampering I found broadcasthost (255.255.255.255) made by PID 984 which includes 4 services: - Security center - TCP/IP NetBIOS Helper - Windows Event Log - DHCP Client I still don't know what connects to 224.0.0.252 Pic: https://postimg.org/image/8ki7w1tyh/ PC sends 329 bytes and recieves 900 bytes from 255.255.255.255 (broadcasthost) PC only sends 150-370 bytes to 224.0.0.252, recieves 0 bytes I'd like to know what connections carry across and what's behind them. And where are they going to? With friendly thanks and best wishes!
#1 - The VPN tunnel is a virtual network. All of the packets that create and support it go through the physical LAN adapter. How else would they reach the VPN server? So this isn't a risk. The IVPN client in Windows does not leak: https://vpntesting.info/ #2 - As long as those connections use the VPN, is it really a major concern? #3 - I have no clue. #4 - Yes, Windows is very chatty
That looks like it may be NewTabPage tiles related. More specifically, requests to one of: tiles.cdn.mozilla.net CNAME dcky6u1m8u6el.cloudfront.net tiles-cloudfront.cdn.mozilla.net CNAME dcky6u1m8u6el.cloudfront.net because you aren't disabling the mechanism that retrieves special tiles (such as suggested sites). Two reasons I think. One, you created an entry for the CNAME rather than the hostname (tiles-cloudfront.cdn.mozilla.net) that was looked up (in a recursive fashion, the hosts file wasn't queried for the CNAME). Two, the hosts file isn't used to block IP Addresses as you are trying to do (remove those entries). I saw a hosts file entry for secure.informaction.com and question why you are doing that. If it is to stop the ABE Wan IP query that can be disabled by unchecking NoScript Options ->Advanced->ABE->WAN IP ∈ LOCAL. Assuming you genuinely understand what that is used for and want to disable it. I also noticed an OCSP server in there which is unusual. Are you venturing into unfamiliar territory? If so, that's fine, but you might want to do so with more care.
TheWindBringeth, you seem like a knowledgeable fellow. I will keep you busy if you allow me to. I live in a third world country, there are not many people I can ask the things in my mind. I couldn't reproduce mozilla's automatic connection, I think I've solved it as I changed some settings. I should take more notes on what I'm doing though I knew informaction was NoScript's page but I didn't know it had that setting, thanks again. As for blocking OCSP pages, I've already unchecked firefox'es "Query OCSP" setting, I get irritated instinctively when my PC makes connections I'm not aware of. Makes my life harder. Still fun to achieve some things. You catched it right away, I'm venturing into unfamiliar territories. I made an emotional, not knowledgeable decision to block them. I'm a novice but I know enough to take the internet's bureaucratic rules/protocols with a pinch of salt. I usually witness that the things we think keeping us safe from harm on the internet are actually doing the reverse privacy-wise. I might be wrong on certificate issue though, so I will go along with your suggestions, please explain if and why I should keep them updated. Have you ever heard someone saying "I can't speak german but I can understand what they are saying when someone speaks german." I'm like that person in programming-language. I would like to hear your opinion on Question 4 New: Question 5 I watched Glasswire's System section, I was not doing anything(not browsing) but it showed connections to many places. https://s18.postimg.org/5aaiwga6x/System_connections.jpg All of them are uploads; 150 Bytes. Traffic type: NetBIOS Name Service (disableing NetBIOS over TCP/IP solved it, thanks to Mattchu) Today I couldn't reproduce it, it only connected to 224.0.0.252 sending 150 bytes at first; then it added up to 300-450-600-750 as the time passed. Can't understand what's being sent with 224.0.0.252, it still keeps doing it, broadcasthost is also still there. https://s18.postimg.org/t19wekadx/System_connections.jpg
224.0.0.252 is for LLMNR (Link Local Multicast Name Resolution) Code: https://en.wikipedia.org/wiki/Link-local_Multicast_Name_Resolution From the wiki for Broadcast Address: "A special definition exists for the IP broadcast address 255.255.255.255. It is the broadcast address of the zero network or 0.0.0.0, which in Internet Protocol standards stands for this network, i.e. the local network. Transmission to this address is limited by definition, in that it is never forwarded by the routers connecting the local network to other networks." Personally on any windows box i don`t use for any network sharing/homegroup, etc, i go into Network/Ethernet Properties and untick everything except QOS Packet Scheduler and Internet Protocol Vesion 4. I also disable NetBIOS over TCP/IP by double clicking Internet Protocol Version 4 -> Advanced -> WINS -> Check "Disable NetBIOS over TCP/IP". Is this good practice....not sure, but iv`e never had a problem and it`s easy to revert if needed!
Glasswire shows it as external connection https://postimg.org/image/8ki7w1tyh/ Whadd'ya think? I love disabling stuff! I cant believe I missed those. I'm now gonna restart my PC and see if system and host process still do their things. Edit: It kinda worked! That "system" connections are gone (Those in old pic https://s18.postimg.org/5aaiwga6x/System_connections.jpg) But under Glasswire's "Host Process for Windows services" tab, connections to 224.0.0.252 and 255.255.255.255 continues: Current situation: https://s14.postimg.org/e9saboci9/glasswire_new.jpg
You can disable LLMNR via Group Policy. From Computer Configuration go to Administrative Templates -> Network -> DNS Client -> Turn Off multi cast name resolution (double click) -> Set to enabled -> Apply. Apparently you can also do it via the registry although iv`e never done this and editing the registry is never wise unless you`re sure, have back ups, etc... You need to set this key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\DNSClient\EnableMulticast = 0x0 As for the broadcast to 255.255.255.255, i wouldn`t worry about it, it is an essential part of networking...
# 3 Running Command Prompt as Administrator allows you to delete anything at all!! http://mintywhite.com/windows-7/7maintenance/delete-file-command-prompt/
That is a good idea. In part because you may have to do it all over again somewhere down the road. Making backups of Firefox's profile folder (when Firefox isn't running) would also be helpful. Plenty of people get irritated by that and it makes sense in several respects. However, some connections not only serve a useful purpose they also serve a *protective* purpose. If you block those you in effect harm yourself. So when you see a connection you don't understand you have to figure out what it is used for. Then determine if that has positive aspects. Then determine if that has negative aspects. Then decide whether the negative outweighs the positive. If so, then figure out how to best deal with it. All while questioning (doubting!) yourself: Do I know enough about this? Do I have a reasonably good understanding of the pros/cons? Am I missing anything? Note: although I refer to you here I actually mean you, and me, and everyone. Fortunately, there is much information just a search or two away. Both that NoScript feature and OCSP checks serve a protective purpose. So if you haven't researched them you will want to before blocking them.
Thanks mate, I've solved it by inserting linux cd and going into try mode, then it was deleteable. Oh, but is it? :O Onto 2 new questions. Question 6 I saw "Windows Explorer" made 2 connections. Isn't it's job only to serve me for browsing my local files etc? If it has more jobs, are those crucial? I'd like to disable it's connection to the internet if not. Any way? https://s9.postimg.org/bxk3s4gtb/Windows_explorer_connects.jpg Question 7 I disabled IE 8 and 11 from "Programs and Features>Turn Windows features on or off" I have not ever once started them after formatting. When I use Ccleaner, it occasionally shows some files deleted from IE. Even though IE doesn't exist in my computer, it somehow creates files. Whadd'ya think? https://s22.postimg.org/i8lv13xap/Ccleaner_shows_IE.jpg
explorer.exe is involved in a number of functions and is known to phone out for different purposes which partially depends on OS version. I forget some details I once knew, and wouldn't know some details involving the more recent versions of Windows. Suggestion: Perform some targeted searches looking for informative discussions about that specific subject. When selecting keywords consider terms such as "Windows Explorer", explorer.exe, connection, firewall, block, and/or the hostnames or IP Addresses you know. Those akamaiedge host names seem unlikely to be the ones that were originally looked up, and the initial hostname queried for almost always helps to answer why a connection is being made. I don't know GlassWire and what it can be configured to show you, and I'm not sure what else is available that would make observing all the DNS related info easy(*). I will usually make use of a WireShark like tool to capture the DNS traffic and then look through it. However, getting comfortable with such protocol capture/analysis takes time. Most people become overloaded and even more confused for awhile, with some throwing in the towel early on. I quick search of my own suggests that both names have been associated with certificate checks, but I'm not in front of the machine to confirm that is what you are seeing. Regarding the latter, I think Internet Explorer and some other things utilize a component known as WinInet, and it is WinInet that maintains the cache directory/file structure you are referring to. There are various articles and discussions about this subject too, plus some tools to inspect such caches. If you are interesting in more info. (*) Edit: Thought I'd take a quick look and found http://www.nirsoft.net/utils/dns_query_sniffer.html
Windows explorer isn't allowed to go out beyond my LAN. LAN I need for few mapped drives. Never allowed on XP, Windows 7, Windows 10. No harm done far as I know. On Windows 10, typical attempted connections (from my firewall logs). All blocked. Most are to akamai and M$: TCP tile-service.weather.microsoft.com/23.33.251.127:80 TCP tile-service.weather.microsoft.com/23.207.33.134:80 TCP tile-service.weather.microsoft.com/23.207.33.134:80 TCP tile-service.weather.microsoft.com/23.207.13.66:80 TCP tile-service.weather.microsoft.com/23.207.13.66:80 TCP tile-service.weather.microsoft.com/104.70.48.99:80 TCP tile-service.weather.microsoft.com/104.100.95.68:80 TCP tile-service.weather.microsoft.com/172.229.105.58:80 TCP 23.0.160.19:80 TCP 23.0.160.83:80 TCP 23.10.119.227:80 TCP 23.3.13.233:80 TCP 23.3.96.34:80 TCP 23.3.96.33:80 TCP 23.62.236.120:80 TCP 23.62.236.131:80 TCP 88.221.199.22:80 TCP cdn.content.prod.cms.msn.com/65.202.58.25:80 TCP cdn.content.prod.cms.msn.com/65.202.58.17:80 TCP oem.twimg.com/104.244.43.199:443 TCP oem.twimg.com/104.244.43.71:443 TCP client.wns.windows.com/131.253.34.230:443 TCP client.wns.windows.com/65.52.108.254:443 and many more.
What firewalls do you suggest for blocking Windows' own connections? - No extra protection for 5 more dollars ads. - No connection to the internet itself - Preferably free and open sourced - Preferably the most simple firewall
That wasn't all from Windows Explorer was it? I did notice WNS in there, which I've seen associated with Windows Explorer.
TheWindBringeth, Yes, it was all from windows explorer. Regarding the most recent ones - WNS jobs came about an hour after I installed windows 1607 aka anniversary update. I don't think I've seen'm before, but not sure. Full log version: 2016:09:21|22:24:50|Blocked|1|IPv4 TCP tile-service.weather.microsoft.com/104.87.128.113:80(49831)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|22:24:50|Blocked|2|IPv4 TCP 23.46.253.118:80(49832)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|22:24:50|Blocked|1|IPv4 TCP client.wns.windows.com/131.253.34.230:443(49834)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|22:25:00|Blocked|1|IPv4 TCP client.wns.windows.com/131.253.34.230:443(49835)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe and a later sequence stuff inside () is local port 2016:09:21|22:57:04|Blocked|1|IPv4 TCP 131.253.40.69:443(50041)|Wireless Background Task|DisableAll/DisableAll Outgoing|C:\windows\system32\wifitask.exe 2016:09:21|22:57:35|Blocked|1|IPv4 TCP client.wns.windows.com/131.253.34.230:443(50042)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|22:57:36|Blocked|1|IPv4 TCP client.wns.windows.com/131.253.34.230:443(50043)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|22:59:01|Blocked|1|IPv4 TCP client.wns.windows.com/131.253.34.230:443(50045)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|22:59:31|Blocked|1|IPv4 TCP client.wns.windows.com/131.253.34.230:443(50046)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|23:01:16|Blocked|1|IPv4 TCP client.wns.windows.com/65.52.108.254:443(5004|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|23:01:49|Blocked|1|IPv4 TCP client.wns.windows.com/65.52.108.254:443(50049)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|23:03:37|Blocked|1|IPv4 TCP client.wns.windows.com/65.52.108.254:443(50050)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|23:04:44|Blocked|1|IPv4 TCP client.wns.windows.com/65.52.108.254:443(50051)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|23:05:03|Blocked|1|IPv4 TCP cache.datamart.windows.com/184.30.73.149:443(50052)|Wireless Background Task|DisableAll/DisableAll Outgoing|C:\windows\system32\wifitask.exe 2016:09:21|23:05:04|Blocked|1|IPv4 TCP 131.253.40.69:443(50053)|Wireless Background Task|DisableAll/DisableAll Outgoing|C:\windows\system32\wifitask.exe 2016:09:21|23:06:25|Blocked|1|IPv4 TCP client.wns.windows.com/131.253.34.230:443(50054)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|23:08:12|Blocked|1|IPv4 TCP client.wns.windows.com/131.253.34.230:443(50055)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe 2016:09:21|23:09:27|Blocked|1|IPv4 TCP client.wns.windows.com/65.52.108.254:443(50056)|Windows Explorer|ExplorerZone Outgoing|C:\windows\explorer.exe I think there's a new tasks wireless and datamart that the firewall wasn't familiar with (so denies). Maybe that causes these WNS connection attempts. I know no more. Just watching what's going on. I tried to make the font smaller so this post will not be so long, but it doesn't work for me
@act8192: Thanks for the followup. Coming back to this after a break, I question my own question. I guess at first glance it appeared worse than other things I've seen reported. That wifitask.exe + cache.datamart.windows.com smells like PaidWifi to me. I've seen some people mention related settings. Example: http://www.tenforums.com/tutorials/45354-paid-wi-fi-services-turn-off-windows-10-a.html. Have you tried disabling that stuff? Or does it still try to phone home when you do?
No firewall suggestions? Also Firefox makes these connctions automatically, couldnt get rid of em. https://s22.postimg.org/5n5ou8d75/shavar_net.jpg Asked in mozilla support too, no luck. https://support.mozilla.org/en-US/questions/1141064
Yes, smells like that to me as well. I need it like I need a hole in my head. I haven't done any disabling nor uninstalling yet. I don't have a sandbox computer so have to be careful. I rely on the firewall (Sphinx) and NVT-ERP at this point to warn/block. I don't use any of those M$ store apps. I have only LOCAL account, no M$ account, so it wouldn't work anyway, me thinks. I need to learn about disabling which is more complicated in Win10 because of the thousands of background tasks.
I checked NVT-ERP, it has 30 days trial, are there any freeware/open source alternatives to that? I checked Sphinx(Windows 10 Firewall Control) it's nice and simple. It's what I was looking for so thanks for mentioning. It frequently warns like that: "Blocked: IPv4 UDP 192........ Host process for windows services Windows Firewall IVPN Firewall outgoing" Its on the last line here: https://s22.postimg.org/y8rauzt2p/IVPN_firewall.jpg I don't know what it is blocking and it doesn't give an option to allow it. My VPN has a built in firewall, is that doing this? if so, why is it blocking a local IP?
bopbop, NVT-ERP is donation now. I have an old licence, but the header has a Donation button. So I don't know if yours will be 30 days or not. Sphinx - your bottom log line indicates that it was not blocked by Sphinx. It was blocked by Windows Firewall, the built in one, before Sphinx got to it. Sphinx reports it to you. You won't see it in Events, nor in the log. I don't know why, but that's how it is. Perhaps it was denied because your connection attempt was for DNS port (53) in the router. I assume your IVPN is VPN and it would have its own behavior which I do't know. Sorry. Sphinx firewall can run with or without native firewall. Windows Firewall takes precedence. I found it much too complicated to have both firewalls active in several instances, so I've shut off Windows native firewall. Windows filtering platform still works. If you click on a blocked entry in that baloon/popup, it'll open a dialog which should allow you to set a rule the way you want it. They have a forum where this confusion of two firewalls is covered in several places http://vistafirewallcontrol.freeforums.org/
Passing on the HTTPS Everywhere check.torproject.org request blocking question. Just mentioning it so readers know what you are asking about. Regarding the snippets problem: that request looks like it is reporting a snippet impression and I suspect it was done after a snippet was retrieved/shown. Which raises a question. Are you failing to block retrieval operations, post-retrieval operations, or both? I would double check that browser.aboutHomeSnippets.updateUrl is blank. There have been some cases where pref reading code is particular and so you have to provide a valid URL and/or change the pref's default value rather than the user value (using autoconfig for example). I don't think this is such a case but but be aware of it. Also, something that might be helpful in terms of steps/order: https://wiki.mozilla.org/Firefox/Pr...ppet_Service#Manually_Updating_Snippet_Source https://wiki.mozilla.org/Websites/Snippets/about:home_101#Manually_Forcing_a_Snippet_Refresh
Thoughtful. Clearing values of these stopped shavar connections: browser.safebrowsing.provider.mozilla.gethashURL browser.safebrowsing.provider.mozilla.updateURL For snippets, I don't know, they don't happen on every startup, I don't think I've solved them yet. Says 19.99$ here http://www.novirusthanks.org/products/exe-radar-pro/ Using trial version now, saying I got 30 days left, I liked the program though so I might buy it. But I'll probably look for an alternative. Well I also disabled windows firewall right away, but Sphinx still shows hosts process blocked when trying to connect some IP adress so similar to my local IP(only last two digits are different) First adapter shows IPv4 default gateway, DHCP server and DNS server as 192.168.1.1. VPN's firewall was blocking it, on port 56704(I also wonder what that means to you) why could it be? IVPN does it, I just can't understand why. It's firewall claims "IVPN" blocks all non-VPN traffic" but would a service connecting to 192.168.1.1 be a non-VPN connection?
I think most of the code is designed to avoid both a request attempt and a browser console error message when a URL pref is set to an empty string. IOW, you won' t know when the associated Firefox "feature" tried to perform such a request. Sometimes it is helpful to know that. If you use a valid URL instead (I'd recommend HTTPS since it is a hard requirement for some things) then you will see the request reported in the browser console. For example, you could set browser.aboutHomeSnippets.updateUrl to https://127.0.0.77/browser.aboutHomeSnippets.updateUrl while testing. You could look over snippet related logic yourself if need be: view-source:about:home view-source:chrome://browser/locale/aboutHome.dtd view-source:chrome://browser/content/abouthome/aboutHome.js Note the "Shows locally cached remote snippets, or default ones when not available." section in the last file. The map clearing step in the links I posted earlier looked like an attempt to purge the locally cached ones. The default ones I see are:
Please check this: https://s21.postimg.org/nwdbrcn13/IVPN_blocks_myhome_mynet_connection.jpg Edit: I disabled DNSClient service to see what happens. This time firefox tries to connect to 192.168.1.53(I dunno this adress, what it does?) IVPN firewall again doesn't allow it. https://s17.postimg.org/ad85o7bwf/disabled_dnsclient.jpg See the last line of my previously shared pic:https://s22.postimg.org/y8rauzt2p/IVPN_firewall.jpg Then host process was trying to connect to the same adress with same port. After disabling IVPN firewall, THIS: /https://s21.postimg.org/nwdbrcn13/IVPN_blocks_myhome_mynet_connection.jpg) happened, after re-enabling VPN firewall and disabling DNSClient service(in services.msc) ff tried to connect to it, IVPN again blocks it. Any idea why? I'm curious but I know so little.
