How can I track which software/process stops the windows firewall?

Something stops the windows firewall. If I restart it, it is again stopped within 2 minutes.

How can I track which software/process stops it?

Or how do I configure the event manager to track what is stopping the firewall?

Thanks in advance

Alex

Posted 2017-01-02T09:36:02.593

Answers

You can see the events here:

Application and Services Logs > Microsoft > Windows > Windows Firewall With Advanced Security

Here you can check who and what has disabled your firewall; in my case I did it myself just to test. It should look something like this: you can see that Value = No. That means the firewall is turned off.

[Screenshot: Firewall off]

Bungicasse

Posted 2017-01-02T09:36:02.593

Thanks a lot:

The application is this one: C:\Windows\SysWOW64\netsh.exe

Is it that some script is launching it? I now have to track what is launching netsh, no? – Alex – 2017-01-02T11:32:33.437

And modifying user is the System S-1-5-18 which is not the current user S-1-5-21-4001752... – Alex – 2017-01-02T11:37:07.697

Are you on a home network or in a work/domain network? If you're in a work network I would advise you to call your IT administrator immediately and let him know that someone or something is messing with your firewall. If you are on your home network I would advise you to give us some more information: which antivirus you use, etc. – Bungicasse – 2017-01-02T13:53:40.623

The computer is on the home network, with various Windows and Linux machines on this network. The only protection is Windows Defender. – Alex – 2017-01-02T16:27:41.933

A scan searching for advfirewall only found a gatherNetworkInfo.vbs script and the AuthFWSnapIn and MIGUIControls.resources DLLs. No other scripts or executables. – Alex – 2017-01-02T16:29:51.153

The faulty action seems to be something with the same effect as the command C:\Windows\SysWOW64\netsh.exe advfirewall set allprofiles state off.

Is it possible to track it? – Alex – 2017-01-02T16:37:06.393
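The event-log check in this answer, together with Alex's follow-up question of what launched netsh.exe, can be scripted. The following is an added example, not code from the thread; it assumes Windows 10 / Server 2016 or later, an elevated PowerShell session, and "Audit Process Creation" enabled in the Security log, and it assumes the field labels (Type, Value, Modifying User, Modifying Application, New Process Name, Creator Process Name, Process Command Line) match the Event Viewer message text.

```powershell
# Added example, not code from the thread. Lists Windows Firewall setting changes
# with the modifying user/application, then looks up matching Security 4688
# (process creation) events so the parent of netsh.exe can be identified.
# Assumptions: Windows 10 / Server 2016 or later, an elevated PowerShell session,
# and "Audit Process Creation" enabled, e.g.
#   auditpol /set /subcategory:"Process Creation" /success:enable
# Command-line capture additionally needs the policy "Include command line in
# process creation events" (ProcessCreationIncludeCmdLine_Enabled = 1).

$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

# Extract one "Label:<tab>value" line from an event's message text.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):[ \t]*(.+?)\s*$") { return $Matches[1] }
    return $null
}

# Event ID 2003 = "A Windows Firewall setting has changed". The thread's case shows
# Type "Enable Windows Firewall", Value "No", user S-1-5-18, application netsh.exe.
$changes = Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2003 } -ErrorAction SilentlyContinue |
    Where-Object { (Get-MessageField $_.Message 'Value') -eq 'No' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Setting     = Get-MessageField $_.Message 'Type'
            User        = Get-MessageField $_.Message 'Modifying User'
            Application = Get-MessageField $_.Message 'Modifying Application'
        }
    }
$changes | Format-Table -AutoSize

# For each change, show process-creation events for that application in the
# 60 seconds before it: "Creator Process Name" is the parent that launched netsh.
foreach ($c in $changes) {
    $filter = @{ LogName = 'Security'; Id = 4688
                 StartTime = $c.Time.AddSeconds(-60); EndTime = $c.Time.AddSeconds(5) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-MessageField $_.Message 'New Process Name') -eq $c.Application } |
        ForEach-Object {
            [pscustomobject]@{
                Started     = $_.TimeCreated
                Process     = Get-MessageField $_.Message 'New Process Name'
                Parent      = Get-MessageField $_.Message 'Creator Process Name'
                CommandLine = Get-MessageField $_.Message 'Process Command Line'
            }
        } | Format-Table -AutoSize
}
```

If the parent turns out to be a script host such as wscript.exe or cmd.exe, the Process Command Line column shows which script or batch file it was given, which is the next thing to inspect.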

Finally I installed the anti-virus "Avira" and ran a scan several times. First it found the Trojan "TR/Crypt.XPACK.e5637e" in various files:

C:\WINDOWS\urzivdfs.exe 
C:\WINDOWS\jupkeyptbl.exe
C:\WINDOWS\urzivdfs.exe

Second, the "TR/BitCoinMiner.fopp" in:

C:\Windows\p2p_05\win32\win32blot2.exe

Now everything is fine: the firewall remains ON.

Thanks Bungicasse, your help led me to the conclusion that something was maliciously stopping the firewall using the netsh command.

Thanks again,

Alex

Alex

Posted 2017-01-02T09:36:02.593
