
I'm having a serious problem and I'm getting out of options.

Out of the blue, my Windows 10 laptop with McAfee started reporting hundreds of suspicious messages blocked by the laptop firewall (I don't have a router firewall). The origin is random (though most of them come from Akamai.net) and the port is random as well, but in many cases they are dangerous ports such as 138, which is used by NetBIOS.

This happens in all the laptops in my network, and I don't know how to stop these messages from coming in.

See sample messages here.

One thing I did was to take one of the laptops and reinstall Windows 10 (from the image in the laptop itself) outside of my WiFi network. The strange thing was that even after resetting the entire disk and reinstalling Windows, these messages started coming in again, without the laptop ever having been connected to my network.

Any ideas what's going on and how to solve this problem?

ps0604
  • How about posting these messages? – joeqwerty Jan 27 '21 at 00:37
  • see screenshots taken from the laptop https://1drv.ms/u/s!Au4Vkx6gmEf-gnkJlCdNxrJkZhjX?e=Zn55gz – ps0604 Jan 27 '21 at 04:23
  • By what method is this laptop connected to the network? Describe every piece of hardware between it and your ISP. – Michael Hampton Jan 27 '21 at 09:25
  • I have an xfinity modem/router and the laptop is connected with wifi – ps0604 Jan 27 '21 at 12:55
  • In your question you stated that the freshly installed laptop was not connected to your network, yet in your comment you state that it's connected to your WiFi network. Which is it? Connected or not connected? – joeqwerty Jan 30 '21 at 17:52
  • I realize it is not clear. This is the series of events: (1) In my home network I installed Windows from scratch using the laptop internal image (2) I install McAfee (3) I see in McAfee the suspicious messages in the link above (4) I go to a different network without any other laptops connected (5) I repeat the process, reinstalling Windows and McAfee (6) I also see these messages – ps0604 Feb 01 '21 at 00:53
  • https://community.mcafee.com/t5/Personal-Firewall/2576-blocked-suspicious-incoming-connections/td-p/490303 – Federico Sierra Feb 01 '21 at 04:20

1 Answer

Let's check those source IPs:

  • 3.208.40.114 and 3.15.107.215 are owned by AWS, and these IPs are used by parse.ly as an application/website analytics and 1x1 pixel tracker.

  • 52.216.0.0/14 and 52.216.128.0/18 are owned by AWS and used to serve S3 APIs.

  • 74.125.21.95 is owned by Google, serving Google search.

  • 204.154.111.153 is used by DoubleVerify analytics.

Most of the IPs described are safe, and their origin can be tracked. Probably you're trying to browse the internet when you receive these messages.

Furthermore, most of the warnings concern connections through your PC's ephemeral ports, i.e. the client-side communication ports in TCP/UDP. These connections are short-lived and usually client-initiated, so if there's anything wrong, you can probably check and scan your PC to be safe.

It's highly possible that this is a case of a hyperactive firewall, but please confirm it by cross-checking your antivirus log with your browsing activity.

Next, let's check your local network logs:

  • 3702/UDP is used for WS-Discovery broadcasts
  • 5355/UDP is used for LLMNR broadcasts
  • 137/UDP and 138/UDP are used by Windows' NetBIOS services

All these services are safe within your local network, and they are usually broadcasts or unicasts. You can firewall these if you want, but you'll block client discovery if you do so.

mforsetti
  • Thanks for the analysis, I'm mostly worried about the 192.168.x.x messages, why would these be generated? – ps0604 Feb 01 '21 at 13:53
  • NetBIOS is an essential protocol used for things like SMB shares, local network hostname resolution, AD DC, MS Exchange, etc. WS-Discovery is used to announce WSD printers, and LLMNR is used for name resolution in the local network. Check my linked wiki pages for more info. – mforsetti Feb 01 '21 at 15:05
  • I understand what you are saying, but meantime McAfee is catching around 2000 suspicious messages per day. So far I didn't have any issues (I changed all my passwords and have tokens whenever possible), but it doesn't feel comfortable. – ps0604 Feb 03 '21 at 22:48
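The answer's triage approach (separate local discovery chatter on 137/138/3702/5355 from stray packets hitting ephemeral client ports, and keep only the rest for a closer look) can be turned into a small script. The following is an added example, not code from the question, the answer or McAfee; the log format it parses is a constructed one that stands in for whatever the firewall actually exports, and it assumes the Windows default dynamic port range (49152–65535) has not been changed.

```python
"""Triage blocked-inbound firewall entries the way the answer above does.

Categories:
  local-discovery:<svc>  private/link-local source hitting a LAN discovery port
  ephemeral-dst-port     inbound packet aimed at a client-side ephemeral port,
                         typically a late/stray reply to a connection the PC opened
  review                 everything else (e.g. a public source probing a service port)
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in a made-up "host firewall" export format (NOT McAfee's real format).
SAMPLE_LOG = """\
2021-01-27 00:10:02 BLOCK in TCP src=3.208.40.114:443 dst=192.168.1.20:51234
2021-01-27 00:10:05 BLOCK in UDP src=192.168.1.1:3702 dst=239.255.255.250:3702
2021-01-27 00:10:07 BLOCK in UDP src=192.168.1.15:137 dst=192.168.1.255:137
2021-01-27 00:10:09 BLOCK in UDP src=192.168.1.15:138 dst=192.168.1.255:138
2021-01-27 00:10:11 BLOCK in UDP src=192.168.1.31:5355 dst=224.0.0.252:5355
2021-01-27 00:10:14 BLOCK in TCP src=52.216.9.44:443 dst=192.168.1.20:52001
2021-01-27 00:10:20 BLOCK in TCP src=198.51.100.7:4444 dst=192.168.1.20:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) BLOCK (?P<dir>in|out) (?P<proto>TCP|UDP) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# LAN discovery services named in the answer.
DISCOVERY_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 3702: "WS-Discovery", 5355: "LLMNR"}

# Assumption: Windows default dynamic (ephemeral) port range, unchanged on this host.
EPHEMERAL = range(49152, 65536)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def is_local_source(ip):
    """True for RFC 1918 private and 169.254/16 link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local


def classify(entry):
    """Assign one of the triage categories to a parsed entry."""
    if entry["dir"] != "in":
        return "outbound"
    if is_local_source(entry["sip"]) and entry["dport"] in DISCOVERY_PORTS:
        return "local-discovery:" + DISCOVERY_PORTS[entry["dport"]]
    if entry["dport"] in EPHEMERAL:
        return "ephemeral-dst-port"
    return "review"


def triage(log_text):
    """Parse every line and pair it with its category; unparseable lines are skipped."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results.append((classify(entry), entry))
    return results


def summarize(results):
    """Count entries per category so the noisy categories stand out at a glance."""
    return Counter(category for category, _ in results)


def needs_review(results):
    """Only the entries a person should actually look at."""
    return [e for category, e in results if category == "review"]


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for category, count in summarize(res).most_common():
        print(f"{count:4d}  {category}")
    for e in needs_review(res):
        print("REVIEW:", e["proto"], f'{e["sip"]}:{e["sport"]} -> {e["dip"]}:{e["dport"]}')
```

Run against a real export after adjusting `LINE_RE` to the actual column layout; the two noisy categories are what the answer calls local discovery traffic and short-lived client sessions, and the `review` bucket (here a public address hitting 445) is the part worth cross-checking against browsing activity.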