Event ID: 861 - The Windows Firewall has detected an application listening for incoming traffic
This occurs when "Audit object access" is set to audit failures.
Under Administrative Tools, launch Local Security Policy, navigate to Local Policies\Audit Policy, and set it to No auditing. Then run gpupdate.exe.
That being said, consider what information you may be losing by not auditing object access failures, and what your security policy requires.
Chris Marisic
Updated on September 17, 2022
Comments
-
Chris Marisic almost 2 years
Firstly, my machines aren't compromised; any person suggesting such will be DV'd.
The security logs on some of my network's client machines (all Windows XP SP3) get filled with these useless error messages.
Security - Failure Audit - Detailed Tracking - Event ID: 861 - User: NT AUTHORITY\NETWORK SERVICE
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 976
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55035
Allowed: No
User notified: No
It's always on various random UDP ports, so setting up a port exception isn't really an option.
It's always from svchost or lsass, both of which are running services from DLLs. One of the most offending processes seems to be DnsCache.
I have in my global policy, under AT < Network < Network Connections < Windows Firewall < Domain Profile (I haven't changed any Standard Profile options; do both need to be configured?), settings to allow remote administration and remote desktop exceptions, and a custom program exception list that has:
%SystemRoot%\system32\svchost.exe:*:enabled:svchost
(Windows won't allow you to add this exception on a local machine, but it let me have it here in the global policy; it just doesn't seem to do anything.)
%SystemRoot%\system32\lsass.exe:*:enabled:lsass
(I think this one ended all of my LSASS messages)
%SystemRoot%\system32\dnsrslvr.dll:*:enabled:dnscache
(I tried adding the DLL itself to the exception list; this didn't seem to do anything.)
Are there really any other options left other than disabling the Windows Firewall entirely, disabling auditing entirely, or just changing Event Viewer to auto-overwrite when needed?
I'd much rather fix the problem and stop these entries from ever being created instead of just trying to cover up the problem.
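Before changing audit policy or adding exceptions, it helps to see exactly which processes, ports and audit category are behind the noise. The Python below is an added example, not code from the original post: it parses event 861 message bodies laid out exactly like the event quoted in the question, groups them by listening executable, and suggests an exception. The quoted event's category field reads "Detailed Tracking", and the parser keeps that field so you can confirm which audit category is producing the entries before switching anything off. Assumptions: the first sample event reuses the values from the question, the other sample events are constructed; the program-exception form (path:scope:state:name with scope "*") is copied from the question's own list, and the port-exception form (port:protocol:scope:state:name) is the XP Group Policy one, which the page does not show, so treat it as an assumption.

```python
"""Triage Windows Firewall event 861 ("application listening for incoming
traffic") messages from the XP Security log.  Added example; not code from the
original post.  Message layout follows the event quoted in the question."""
import re
from collections import defaultdict

# Leading part of the message as quoted in the question: audit type, audit
# category, event ID and the account the event was logged for.
HEADER_RE = re.compile(
    r"(?P<type>Success Audit|Failure Audit)\s+(?P<category>.+?)\s+"
    r"Event ID:\s*(?P<event_id>\d+)\s+User:\s*(?P<user>.+?)\s+"
    r"The Windows Firewall has detected an application listening for incoming traffic\.",
    re.S,
)

# Key/value pairs that follow the header; every key name is taken from the quoted event.
FIELDS = ["Name", "Path", "Process identifier", "User account", "User domain",
          "Service", "RPC server", "IP version", "IP protocol", "Port number",
          "Allowed", "User notified"]
_KEYS = "|".join(re.escape(k) for k in FIELDS)
FIELD_RE = re.compile(rf"({_KEYS}):\s*(.*?)\s*(?=(?:{_KEYS}):|$)", re.S)


def parse_861(message):
    """Split one event 861 message into a dict; ValueError if the layout is wrong."""
    head = HEADER_RE.search(message)
    if head is None or head.group("event_id") != "861":
        raise ValueError("not an event 861 message")
    ev = head.groupdict()
    ev["event_id"] = int(ev["event_id"])
    fields = dict(FIELD_RE.findall(message[head.end():]))
    missing = [k for k in FIELDS if k not in fields]
    if missing:
        raise ValueError("fields missing from message: " + ", ".join(missing))
    ev.update(fields)
    ev["Port number"] = int(ev["Port number"])
    ev["Process identifier"] = int(ev["Process identifier"])
    return ev


def summarize(messages):
    """Group events by listening executable: distinct (protocol, port) pairs,
    how many were blocked, and which audit categories generated them."""
    out = defaultdict(lambda: {"ports": set(), "blocked": 0, "categories": set()})
    for msg in messages:
        ev = parse_861(msg)
        entry = out[ev["Path"].lower()]
        entry["ports"].add((ev["IP protocol"], ev["Port number"]))
        entry["categories"].add(ev["category"])
        if ev["Allowed"] == "No":
            entry["blocked"] += 1
    return dict(out)


def exception_for(path, entry, max_ports=3):
    """Suggest firewall exception lines.  A process that keeps showing up on new
    ports cannot be covered by fixed port exceptions, so it gets one program
    exception in the question's path:scope:state:name form; a process with a few
    fixed ports gets one port exception per port (port:protocol:scope:state:name,
    assumed XP Group Policy syntax, not shown on the page)."""
    name = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(entry["ports"]) > max_ports:
        return ["%s:*:enabled:%s" % (path, name)]
    return ["%d:%s:*:enabled:%s-%d" % (port, proto, name, port)
            for proto, port in sorted(entry["ports"])]


def _constructed_event(path, pid, proto, port, account="NETWORK SERVICE",
                       domain="NT AUTHORITY"):
    """Build a message in the same layout as the event quoted in the question."""
    return ("Security Failure Audit Detailed Tracking Event ID: 861 User: %s\\%s "
            "The Windows Firewall has detected an application listening for incoming "
            "traffic. Name: - Path: %s Process identifier: %d User account: %s "
            "User domain: %s Service: Yes RPC server: No IP version: IPv4 "
            "IP protocol: %s Port number: %d Allowed: No User notified: No"
            % (domain, account, path, pid, account, domain, proto, port))


# First entry reuses the values from the quoted event; the rest are constructed samples.
SAMPLE_EVENTS = [
    _constructed_event(r"C:\WINDOWS\system32\svchost.exe", 976, "UDP", 55035),
    _constructed_event(r"C:\WINDOWS\system32\svchost.exe", 976, "UDP", 55041),
    _constructed_event(r"C:\WINDOWS\system32\svchost.exe", 976, "UDP", 55042),
    _constructed_event(r"C:\WINDOWS\system32\svchost.exe", 1012, "UDP", 55043),
    _constructed_event(r"C:\WINDOWS\system32\lsass.exe", 688, "UDP", 500,
                       account="SYSTEM"),
]

if __name__ == "__main__":
    for path, entry in summarize(SAMPLE_EVENTS).items():
        print(path, sorted(entry["ports"]), entry["blocked"], entry["categories"])
        print("  suggested:", exception_for(path, entry))
```

Feed `parse_861` the Message text of each 861 record exported from the Security log (one string per event); `summarize` shows whether a process is genuinely hopping ports (only a program exception helps) or sitting on a handful of fixed ones, and `categories` tells you which audit policy setting is actually generating the entries.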
-
Jimsmithkka almost 15 years
What makes you think you do not have an infection? I know there are methods for tunneling traffic through DNS. But aside from that, where are these connections going, as in what is the destination port?
-
Chris Marisic almost 15 years
As I said, it's all various UDP ports, and the reason I know it's not infected is that one of the workstations this is on is my own personal workstation. I have never had a virus at any job ever, or at home in at least a decade. The other reason is that on another workstation in our domain this occurred from the time the PC was unboxed from Dell. This is Windows Firewall reporting useless information that fills security logs, which seems almost impossible to disable without turning things off entirely. Not to mention there isn't even traffic for this; it's just listening for connections.
-
Chris Marisic almost 15 years
I've decided my solution to this is, once I audit the machines to verify every single one (not just assume all of them) has a 3rd-party security tool, I'm just going to disable the entire Windows Firewall, and that will fix my problem.