Unusual Notification from Firewall

Discussion in 'other firewalls' started by AtlBo, May 9, 2014.

Thread Status:
Not open for further replies.
  1. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    18
    Location:
    United States
    I have a batch file that runs on a schedule to change an .ini file. It's a very simple five line batch file that runs another batch file that actually performs the change. Today I got a strange notification that the 5 line batch file was trying to connect on the internet. This is unusual, but what is even stranger to me is that the destination for the connection was Akamai Technologies Inc. From using WhoIs in TCPView, I am familiar with Akamai Technologies as I have noticed it using browser internet connections when I open a browser.

    A while back I did some research on Akamai Technologies (and some others like it), and it seems this company is somehow associated with image protection. Apparently, companies hire them to make sure their image isn't being misused or something. How and/or why would this batch file, that has nothing in it for connecting to the internet, all of a sudden be requesting to connect to Akamai Technologies?

    By the way, I was using an outdated version of Opera at the time. I know, I know, but I use it for brief periods to play flash games. Usually, I use a fully updated version of Firefox for internet browsing. At any rate, I am a little bit glad this happened. I have been aching to find out who these people are behind these image companies (or whatever they are). There are at times a dozen or more connections to this PC from these individuals when the internet is open. Maybe someone has some insight here, but this is one time I can say this request makes NO sense.

    Attached picture shows the warning. Connection was blocked, but I would really like to know what is going on here.
     

  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    So it's quite usual to see connections to it. BUT, the 5 line batch file trying to connect on the internet is Very strange. I wonder if your AV etc considers it as Malware & is trying to upload it to check?

    I noticed it was invoked by ProcessLasso, which is a safe product. But your batch file being unusual might be the key to all this!
     
  3. AtlBo

    CloneRanger...

    Thanks for the input. I think you might be right about that. I Googled "does avast use akamai" and found this:

    http://forum.avast.com/index.php?topic=82472.0

    I wish it were clearer.

    The difficulty I am having is understanding how Akamai is connecting via a System connection. I believe I have seen Akamai in association with an avastsvc.exe connection, but then there are these open ones that open by hooking into system processes. I just opened TCPView, and blocking the connection seems to have stopped the traffic from Akamai for now.

    There is another company called MarkMonitor that has open ports too and also somehow hooked into a System process that needs net rights. WhoIs indicates the connection is somehow related to Dropbox. I do have Dropbox installed, and there is, of course, a Dropbox connection. Trouble is there are 3 of them. I would sure like to know why this is necessary.

    I would say that net dependent companies need to get out from behind information management for money companies, honestly. It seems like it's trouble waiting to happen, kind of like the data compromise problems that happened early on with online storage. Any connection on a PC should be easily and directly traceable to its source on the PC and to its destination on the outside. Definitely should be no way for a process to patch into the OS to connect. Also, I don't think anyone should have to open TCPView to see if I can trust their anti-virus company or firewall company, especially when it comes to security programs.

    I'd like to learn as much as I can about this subject, and I will do some more research myself, so thanks to anyone else who has any information...

    Add this link about avast/akamai that seems to be clearer:

    http://forum.avast.com/index.php?topic=112353.0

    Kind of gloomy. He didn't even have the cloud service turned on...
     
  4. FOXP2

    FOXP2 Guest

    That's near exactly as HIPS warnings I've seen over the years from the likes of Malware Defender and Online Armor.

    I don't know how PF is configured, but it would seem to me you need to rule your bat file as trusted. The warning is about it, not Opera.

    Your concerns about Akamai are unfounded, especially on port 443.

    Cheers.
     
  5. AtlBo

    FOXP2, there is nothing in PL Batch file for connecting to the internet. Yes, the warning is about PL Batch file, but, since it is impossible for it to initiate a connection, what could be behind this? Also, whatever did initiate this was trying to use Opera to complete the connection.

    I don't see how this could be avast or Opera, and it can't be PL Batch file. Maybe it's not Akamai. It could be something on the PC using the service I don't know.

    Just for the record, PL Batch file changes a speed setting in Process Lasso that tends to change to an unwanted number indiscriminately. I got tired of the behavior, so I found someone to write the script for this so I could keep using PL. It has nothing to do with the internet, whatsoever. It runs on a schedule and makes the change.

    Private Firewall has been 100% on the money with the alerts since I have been using it for the last 4 to 5 months. It's a solid firewall, so this concerns me. I have included all the settings for PL Batch Change in Private Firewall. Nothing is being 100% denied. The allows are for the changes to take place without a pop up.
     

  6. AtlBo

    Clone Ranger...

    I can explain this:

    The PL\...config path is the path where I have placed the batch file, so that I can remember where it is located...
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Avast uses Akamai servers. You can block NetBIOS ports from the internet in the firewall with no harmful effects to anything.
    System entries you see in TCPView usually just refer to an already finished conversation, and the system will close it all up. Post a TCPView screenshot here if you really see an established connection.

    If you have Avast sandbox, aka DeepScreen, enabled and/or file reputation, cloud services are used, in which case the avast service will go out to avast servers on port 443 (but maybe akamai, I don't recall) to check files, but the browser is not used for this.
    When your batch file's behavior is unknown to Avast, it'll use the servers and when it doesn't know what to do it'll block (no Ask option anymore) since your batch file is not in their lists.
    You can try putting your batch file into exclusion lists (under files and IIRC under advanced where deepscreen tab is). No promises, but it might work.

    For streaming updates Avast connects to their own servers, as well as google analytics unless you have HOSTS file installed which blocks analytics with no adverse effects on updating virus databases. MarkMonitor is part of that whole story as well.
    http://forum.avast.com/index.php?topic=139876.0

    Oh, I know I didn't answer about your alert in the first post, but I hope I covered some of the other stuff you mentioned.
     
    Last edited: May 9, 2014
  8. AtlBo

    Yes you covered the other stuff thanks.

    I don't have an image of this particular connection, since it never actually happened. I do have a screenshot of some Akamai connections. Who Is says they are being done for TuCows? Wow, avast shouldn't be using this kind of service. Nothing against TuCows, but it makes avast look less than 100% devoted to security that such a broad array of companies use the Akamai service.

    Using the browser is what's giving me the hard time about this one.

    I still don't understand how PL Batch Change could do anything that could be interpreted as connecting to the internet. It's like something reached in and edited the file so that it would attempt to connect to the internet.

    I wonder if avast has some secret trick they use where they perhaps try to see if particular batch files are part of a complex set of them. But I have been running this batch for 6 months very frequently every day. I installed the OS on this PC about 6 months ago. All I can think of in that light is that avast just now found the file. I don't think I have run a full scan.

    I know this sounds extreme, and I don't believe this, but the far-fetched scenario I envision is that someone dropped a file on the PC that would try to start PL Batch file (maybe any random non-system batch? (there are only 14 .bats on this system)) every time a browser was opened. If the browser wasn't secure (like Firefox is, which I use mostly and perhaps why it never happened on that browser) a connection could be possible maybe. Anyway, the connection still couldn't have been possible without editing the PL Batch Change file first to be the file that contacts the remote server and does whatever any hacker that may have been on the other end was wanting it to do. So the file dropped on the PC would have had to have been able to run undetected (maybe as part of another program) when a browser runs and then search out a .bat and make the change to the file for a connection to be created. I kind of see the hacker sensibility in this, as it makes sense to use an existing file rather than create one. The batch file can be repaired after the connection closes and the hacker gets his info or whatever, and there isn't any record of a strange file running. The file doesn't have to pass the inspection of security if the firewall doesn't block such or whatever, because it is a known file.

    OK, the main reason I don't believe this is true is that the batch file was last edited a while ago on a date that would match closely enough with my memory of when I might have edited the file last. However, I have seen hackers underestimated too many times. I don't know, this makes me think that maybe the far-fetched scenarios that users develop about what could be happening on their PC should be treated like the old adage "there aren't any bad questions", as in "there aren't any bad security breach scenario breakdowns".

    There were nine attempts at a connection from my IP to the one single IP at Akamai in about 30 seconds. Only the last one was caught by Private Firewall. Was this the only time PL Batch Change.bat was used by whatever did this? My guess, based on the information all of you have provided, is that avast has some far gone way of checking batch files, and this was the first time this batch file was checked (hence the firewall flag). Again, the installation of Windows is only about 6 months old.

    If it was avast, I hope they can someday do this from their own servers. Paying a host to run security services wouldn't be a very safe idea I don't think.
     
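    A defender's check for the two questions this thread keeps circling back to, which process and parent actually owned the outbound connection, and whether the batch file itself was altered, as an added example that is not part of any post here. It assumes Windows 8 / Server 2012 or newer (for Get-NetTCPConnection), and the batch path and known-good hash are placeholders you substitute.

```powershell
# Added example, not from any post in this thread. Assumes Windows 8 / Server 2012
# or newer (Get-NetTCPConnection) and that you replace the two placeholders below.
$BatchPath    = 'C:\Tools\PL\config\PL Batch Change.bat'               # placeholder path
$KnownGoodSha = '<SHA256 you recorded when you last edited the batch>'  # placeholder

# 1. Map every non-loopback outbound connection to its owning process and that
#    process's parent. A cmd.exe started by Process Lasso or Task Scheduler shows
#    its launcher here, which is the part a firewall alert usually leaves out.
$byPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

$rows = Get-NetTCPConnection -State Established, SynSent |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
    ForEach-Object {
        $owner  = $byPid[[int]$_.OwningProcess]
        $parent = $null
        if ($owner) { $parent = $byPid[[int]$owner.ParentProcessId] }
        $procName   = if ($owner)  { '{0} ({1})' -f $owner.Name,  $owner.ProcessId }  else { "pid $($_.OwningProcess)" }
        $parentName = if ($parent) { '{0} ({1})' -f $parent.Name, $parent.ProcessId } else { 'unknown' }
        [pscustomobject]@{
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            State   = $_.State
            Process = $procName
            Parent  = $parentName
            Image   = $owner.ExecutablePath
        }
    }
$rows | Sort-Object Remote | Format-Table -AutoSize

# 2. Integrity of the batch file. The hash comparison is the reliable check;
#    LastWriteTime is shown for reference only, since any process can set it.
#    A five-line .ini editor should also match none of the command patterns below.
$item = Get-Item -LiteralPath $BatchPath
$hash = (Get-FileHash -LiteralPath $BatchPath -Algorithm SHA256).Hash
'{0}  LastWriteTime={1}  SHA256={2}' -f $BatchPath, $item.LastWriteTime, $hash
if ($hash -ne $KnownGoodSha) {
    Write-Warning 'Batch file hash differs from the recorded known-good value.'
}
Select-String -LiteralPath $BatchPath -Pattern 'http|ftp|curl|wget|bitsadmin|certutil|powershell' |
    ForEach-Object { Write-Warning ('network-capable command on line {0}: {1}' -f $_.LineNumber, $_.Line) }
```

    Run it while the alert is reproducing so the SynSent entry is still present; a finished conversation will not appear, which matches act8192's point about stale System entries in TCPView.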
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    It's probably perfectly harmless... nothing to lose sleep over. There is a relationship of sorts between Akamai and Microsoft, and since the bat file is run by a MS process (cmd.exe), that in itself might explain the connection attempt to that IP address via secure http. I don't know why/how Opera is involved, but I sincerely doubt there's anything nefarious going on.
     
  10. AtlBo

    OK, appreciate the input. I believe you are right about that.

    This is the most unusual security related event I have experienced on a PC. At first glance it really looks like a security breach must have occurred.

    Anyway, thanks again to you guys for your input. I'm really beginning to enjoy this forum, having used it now several times. PC security is an interesting topic to me.
     