Event ID: 861 - The Windows Firewall has detected an application listening for incoming traffic


This occurs when "Audit object access" is set to log failures.

Under Administrative Tools, launch Local Security Policy, navigate to Local Policies\Audit Policy, and set it to no auditing. Then run gpupdate.exe.

That being said, consider what information you may be losing by not auditing object access failures, and what your security policy requires.

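A scripted version of the steps in this answer, added here as an example rather than taken from the answer itself. It first tallies what the existing Event 861 entries report (path, protocol, port), so you can see what is being lost before anything is silenced, then backs up the current local audit policy with secedit, writes an INF that changes a single [Event Audit] category, and applies it followed by gpupdate. It assumes PowerShell 2.0 installed on the XP SP3 machines from the question and an administrator session; the parameter names, function name and temp-file paths are my own. The answer names object access (secedit key AuditObjectAccess), while the sample event in the question is tagged "Detailed Tracking", which is the "Audit process tracking" policy (secedit key AuditProcessTracking), so the category is a parameter rather than hard-coded.

```powershell
# Added example, not part of the original answer. Scripted version of the
# answer's Local Security Policy steps, preceded by a tally of what the
# Event 861 entries are reporting. Assumes PowerShell 2.0 on the XP SP3
# hosts from the question, run from an administrator account.

param(
    # [Event Audit] key in the secedit template. The answer names object
    # access (AuditObjectAccess); the sample event in the question is tagged
    # "Detailed Tracking", which secedit calls AuditProcessTracking.
    [string]$AuditKey   = 'AuditProcessTracking',
    # 0 = no auditing, 1 = success only, 2 = failure only, 3 = both
    [int]   $AuditValue = 0,
    [switch]$Apply
)

# 1. Triage first: which binaries, protocols and ports are behind the 861s?
#    Grouping by path and protocol shows whether it is the svchost/lsass
#    service hosts on random UDP ports, as the question describes, or
#    something unexpected that deserves a look before the audit goes away.
function Get-Event861Summary {
    param([int]$Newest = 2000)
    $entries = Get-EventLog -LogName Security -EntryType FailureAudit -Newest $Newest -ErrorAction SilentlyContinue |
               Where-Object { $_.EventID -eq 861 }
    $rows = foreach ($e in $entries) {
        $path = '-'; $proto = '-'; $port = 0
        if ($e.Message -match 'Path:\s*(\S.*)')       { $path  = $matches[1].Trim() }
        if ($e.Message -match 'IP protocol:\s*(\w+)') { $proto = $matches[1] }
        if ($e.Message -match 'Port number:\s*(\d+)') { $port  = [int]$matches[1] }
        New-Object PSObject -Property @{ Path = $path; Protocol = $proto; Port = $port }
    }
    $rows | Group-Object Path, Protocol | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ Name = 'Ports'; Expression = { ($_.Group | ForEach-Object { $_.Port } | Sort-Object -Unique) -join ',' } }
}

Write-Host 'Event 861 sources in the Security log:'
Get-Event861Summary | Format-Table -AutoSize

# 2. Export the current local audit policy so the change can be reverted.
$backup = Join-Path $env:TEMP 'audit-before.inf'
secedit /export /cfg $backup /areas SECURITYPOLICY | Out-Null
Write-Host "Current audit settings (backup in $backup):"
Get-Content $backup | Where-Object { $_ -match '^Audit' }

# 3. Write a template that touches only the chosen category. Single-quoted
#    lines so that $CHICAGO$ is not interpolated.
$inf = Join-Path $env:TEMP 'audit-change.inf'
@(
    '[Unicode]',
    'Unicode=yes',
    '[Version]',
    'signature="$CHICAGO$"',
    'Revision=1',
    '[Event Audit]',
    ('{0} = {1}' -f $AuditKey, $AuditValue)
) | Set-Content -Path $inf -Encoding Unicode

# 4. Apply it and refresh policy (the answer's gpupdate step). If a domain
#    GPO also sets this category, the GPO value wins on the next refresh,
#    so the same key has to be changed in the GPO instead.
if ($Apply) {
    secedit /configure /db (Join-Path $env:TEMP 'audit-change.sdb') /cfg $inf /areas SECURITYPOLICY
    gpupdate /force
    Write-Host "Set $AuditKey = $AuditValue. To revert: secedit /configure /db $env:TEMP\revert.sdb /cfg $backup /areas SECURITYPOLICY"
} else {
    Write-Host "Dry run. Template written to $inf; re-run with -Apply to change $AuditKey."
}
```

Run it without -Apply to see the tally and the generated template; -Apply changes the local policy. Turning off a category drops every event in it, not only 861, and if a domain GPO sets the same category its value comes back on the next refresh, which is the trade-off the answer's last sentence points at.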

Author: Chris Marisic

I am the Principal Consultant of Marisic.NET specializing in user experience, software architecture, project design, and systems testing.

Updated on September 17, 2022

Comments

  • Chris Marisic (almost 2 years)

    Firstly, my machines aren't compromised; any person suggesting such will be DV'd.

    The security logs on some of my network's client machines (all Windows XP SP3) get filled with these useless error messages.

    Security Failure Audit
    Detailed Tracking
    Event ID: 861
    User: NT AUTHORITY\NETWORK SERVICE
    The Windows Firewall has detected an application listening for incoming traffic.

    Name: -
    Path: C:\WINDOWS\system32\svchost.exe
    Process identifier: 976
    User account: NETWORK SERVICE
    User domain: NT AUTHORITY
    Service: Yes
    RPC server: No
    IP version: IPv4
    IP protocol: UDP
    Port number: 55035
    Allowed: No
    User notified: No

    It's always on various random ports of UDP so setting up a port exception isn't really an option.

    It's always from svchost or lsass, both of which are running services from DLLs. One of the most offending processes seems to be DnsCache.

    I have in my global policy under AT < Network < Network Connection < Windows Firewall < Domain Profile (I haven't changed any Standard Profile options; do both need to be configured?) set it to allow remote administration and desktop exceptions, and I have a custom program exception list that has

    %SystemRoot%\system32\svchost.exe:*:enabled:svchost

    (Windows won't allow you to add this exception on a local machine but it let me have it on here in the global policy it just doesn't seem to do anything)

    %SystemRoot%\system32\lsass.exe:*:enabled:lsass

    (I think this one ended all of my LSASS messages)

    %SystemRoot%\system32\dnsrslvr.dll:*:enabled:dnscache

    (I tried adding the dll itself to the exception list, this didn't seem to do anything)

    Are there really any other options left other than disabling the Windows Firewall entirely, disabling auditing entirely, or just changing the Event Viewer to auto-overwrite when needed?

    I'd much rather fix the problem and get rid of these entries ever being created instead of just trying to cover up the problem.

    • Jimsmithkka (almost 15 years)
      What makes you think you do not have an infection? I know there are methods for tunneling traffic through DNS. But aside from that, where are these connections going, as in what is the destination port?
    • Chris Marisic (almost 15 years)
      As I said, it's all various UDP ports, and the reason I know it's not infected is because one of the workstations this is on is my own personal workstation. I have never had a virus at any work ever, or at home in at least a decade. The other reason is that on another workstation in our domain this occurred from the time the PC was unboxed from Dell. This is Windows Firewall reporting useless information filling security logs, which seems almost impossible to disable without turning off things entirely. Not to mention there isn't even traffic for this; it's just listening for connections.
  • Chris Marisic (almost 15 years)
    I've decided my solution to this is, once I audit the machines to verify every single one (not just assume all of them) has a 3rd-party security tool, I'm just going to disable the entire Windows Firewall, and that will fix my problem.