
Firewall Log Viewer (svchost.exe UPD)

Hi all, could someone shed some light on this please. I am very new to the firewall log viewer and have looked at it from the client for the first time. I am worried to see a lot of these items:

Application=svchost.exe

Direction = IN REFUSED

Protocol = UDP

Remote Port = Loads of different ones (Small list as an example - 59199, 56452, 50062, 57205, 62745)

Remote Address = (Lots of IP addresses from within our internal network)

Hope someone can help with this please? Thanks, John

  • Hello John Cassell,

    what's the local (i.e. destination) port? Source ports are mostly arbitrary.
    Nowadays networks are quite noisy, all kinds of discovery attempts, UPnP, Bonjour, printers, media protocols, you name it. The traffic is very likely "normal" but OTOH not essential for normal operation.

    Christian

  • In reply to QC:

    Hi Christian, thanks for the reply. Didn't realise there were some hidden columns such as local port. I've added it now and here are a few examples:

    Application   Direction    Protocol   Remote Address              Remote Port   Local Port
    svchost.exe   IN REFUSED   UDP        'An IP Address on our LAN'  33572         1900
    svchost.exe   IN REFUSED   UDP        'An IP Address on our LAN'  60574         1900
    svchost.exe   IN REFUSED   UDP        'An IP Address on our LAN'  49397         5355
    system        IN REFUSED   UDP        'An IP Address on our LAN'  17500         17500

    Guess my next question would be harder to answer - "Why is Bob's PC trying to snoop on Dave's PC?" - This local port 1900 seems to be plug n' play broadcasting to all PCs. I can't imagine why this would need to happen, so perhaps the approach of 'block it and see what breaks'? (Obviously only on a very small number of PCs to begin with.)

  • In reply to John Cassell:

    Hello John Cassell,

    as to why, ("modern") devices are looking for available services on the network, printers, media servers, and so on. This is normally not directed traffic (e.g. Bob's PC snooping on Dave's PC); the source sends packets to a broadcast address and devices on the LAN reply (or don't).
    You can look up the port at IANA - if the Description doesn't already tell you what it is (17500 - Dropbox LanSync Discovery) it shouldn't be too hard to find detailed information (e.g. look up the Description on Wikipedia).

    Christian
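A small triage script for the columns John posted, added here as an example and not code from the thread or from Sophos: it parses log lines in his column order, names the probed service from the local (destination) port as Christian advised, and counts refused inbound UDP entries per service so the arbitrary source ports stop looking alarming. The log lines, the RFC 1918 addresses and the ' - ' separator are constructed for the example; the port-to-service names follow the IANA registry.

```python
from collections import Counter
# Local (destination) ports named in the thread; service names from the IANA registry.
DISCOVERY_PORTS = {
    1900: "SSDP / UPnP discovery",
    5355: "LLMNR name resolution",
    17500: "Dropbox LanSync Discovery",
}
# Typical dynamic source-port range (Linux 32768-60999, Windows Vista+ 49152-65535).
EPHEMERAL = range(32768, 65536)
FIELDS = ("application", "direction", "protocol", "remote_address", "remote_port", "local_port")

def parse_line(line: str) -> dict:
    """Parse one ' - '-separated line in the column order John used."""
    values = [f.strip() for f in line.split(" - ")]
    entry = dict(zip(FIELDS, values))
    entry["remote_port"] = int(entry["remote_port"])  # sender's source port: arbitrary
    entry["local_port"] = int(entry["local_port"])    # service being probed: look this up
    return entry

def classify(entry: dict) -> str:
    """Name the probed service from the LOCAL port; note an unusual source port."""
    service = DISCOVERY_PORTS.get(entry["local_port"], "unknown: look up local port at IANA")
    # LanSync legitimately sends 17500 -> 17500; any other fixed, low source port is
    # unusual for a client talking to a discovery service and worth a closer look.
    rport = entry["remote_port"]
    if rport not in EPHEMERAL and rport != entry["local_port"]:
        service += " (non-ephemeral source port)"
    return service

def summarize(lines: list) -> Counter:
    """Count refused inbound UDP entries per service, collapsing the noisy source ports."""
    counts = Counter()
    for line in lines:
        e = parse_line(line)
        if e["direction"] == "IN REFUSED" and e["protocol"] == "UDP":
            counts[classify(e)] += 1
    return counts

# Constructed sample lines in John's column order (RFC 1918 placeholder addresses).
SAMPLE_LOG = [
    "svchost.exe - IN REFUSED - UDP - 10.0.0.21 - 33572 - 1900",
    "svchost.exe - IN REFUSED - UDP - 10.0.0.34 - 60574 - 1900",
    "svchost.exe - IN REFUSED - UDP - 10.0.0.40 - 49397 - 5355",
    "system - IN REFUSED - UDP - 10.0.0.55 - 17500 - 17500",
    "svchost.exe - IN REFUSED - UDP - 10.0.0.77 - 53 - 137",
]
if __name__ == "__main__":
    for service, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {service}")
```

Once the per-service counts are in front of you, the question becomes "do we need SSDP or LLMNR on these clients?" rather than "why is host X sending from port 60574?", which is the right question to take into a block-and-watch test.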