BFE "BASE FILTERING ENGINE" network communication or attack/intrusion?

Discussion in 'other firewalls' started by conandrum, Jun 1, 2009.

Thread Status:
Not open for further replies.
  1. conandrum

    Hi, this is my first post to this forum.
    Today I installed a 3rd party firewall (COMODO Internet Security) on my laptop and HTPC, that coexists with the VISTA firewall on both.
    Both machines have Vista SP2. Both are behaving perfectly.
    After the first reboot on the HTPC, I noticed 203 intrusion detections. Further inspection showed a remote IP address 72.27.8.199:1051 hammering my port 56420 every 2 seconds. Seven other remote machines tried the same thing within the same 203 attempts but with ports above 51000 and only once each (e.g. 83.227.24.134:59791).
    I was alarmed and searched for my 56420 port, which led me to SVCHOST and a PID. Using PROCESS EXPLORER (I guess you could use task manager) I found out that several services could be using this port, so I started disabling each one, until the port was no longer available in PORT EXPLORER (I guess you could use netstat -ano). This led me to discover that port 56420 was used by BFE or "Base Filtering Engine" (and not to its dependents).

    1. Was 72.27.8.199:1051 probing/attacking me?
    2. Was 83.227.24.134:59791 probing/attacking me or is there something else going on with this one?

    Anyway the intrusion counter soon stopped and I then installed the same firewall on my laptop.
    To my amazement, intrusion alerts started popping up and their source was my HTPC with port 56420!
    The logger showed: HTPC:56420 -> LAPTOP:57312 and also MYPUBLICIP:56420 -> LAPTOP:57312
    Running my usual tests on port 57312 on the laptop I soon discovered that this port corresponded to BFE or "Base Filtering Engine" (and not to its dependents).

    DEJA VU? What is going on here? Why is this happening? The HTPC and laptop BFEs like talking once every time I reboot!

    3. Can someone please explain to me why the "Base Filtering Engine" on each of my LAN machines feels the need to communicate and make small-talk?
    4. And can someone please explain to me why the "Base Filtering Engine" on my HTPC feels the need to communicate and make small-talk long distance (could this be what it was doing with those 7 remote IPs)?
    5. And what does my MYPUBLICIP:56420 have to do with everything?

    Anyway I am confused. Is this normal?
    Any ideas please?
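
The port-to-service lookup described in the post above, as an added example that is not part of the original post: it joins `netstat -ano` and `tasklist /svc /fo csv` output and lists every service hosted in the process that holds a port. Both captures are constructed samples (PIDs, addresses and the service grouping are made up), and the function names are hypothetical.

```python
import csv
import io

# Constructed `netstat -ano` capture; addresses and PIDs are made up.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49170     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:56420          *:*                                    1100
  UDP    [::]:56420             *:*                                    1100
"""

# Constructed `tasklist /svc /fo csv` capture; the service grouping is illustrative.
TASKLIST = '''\
"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","884","RpcSs"
"svchost.exe","1100","BFE,DPS,MpsSvc"
'''

def parse_netstat(text):
    """Yield (proto, local_port, pid) for each TCP/UDP row."""
    for line in text.splitlines():
        f = line.split()
        # UDP rows have no State column, so the PID is always the last field.
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            port = f[1].rsplit(":", 1)[1]   # rsplit copes with [::]:port
            yield f[0], int(port), int(f[-1])

def parse_tasklist(text):
    """Map PID -> (image name, list of services hosted in that process)."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        svcs = [] if row["Services"] == "N/A" else row["Services"].split(",")
        procs[int(row["PID"])] = (row["Image Name"], svcs)
    return procs

def owners_of_port(port, netstat_text, tasklist_text):
    """Return {(proto, pid): (image, services)} for every socket bound to port."""
    procs = parse_tasklist(tasklist_text)
    return {(proto, pid): procs.get(pid, ("<unknown>", []))
            for proto, p, pid in parse_netstat(netstat_text) if p == port}

if __name__ == "__main__":
    for (proto, pid), (image, svcs) in owners_of_port(56420, NETSTAT, TASKLIST).items():
        # Several services in one PID means the PID alone does not name the owner.
        note = "ambiguous: shared host" if len(svcs) > 1 else "unique"
        print(f"{proto} 56420 -> PID {pid} {image} {svcs} ({note})")
```

When the result lists more than one service for the PID, the socket can only be attributed to the shared svchost.exe process, not to a single service.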
     