NIS Firewall Non-stop inbound connection - Default Block Microsoft Windows 2000 SMB TCP port 445

Hi guys:) I'm running Win7 x64 with NIS 2011 and have a lot of incoming connections on TCP 445, with the IP address changing every 2 tries and very frequently. I scanned my PC with Norton and with Malwarebytes, and they show my PC is clean. Here is the log:

 

Date & Time,Risk,Activity,Status,Recommended Action,Category
15.8.2013 г. 11:21 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (112.218.21.197, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 11:21 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (112.218.21.197, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 11:20 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (84.228.225.159, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 11:20 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (84.228.225.159, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 11:19 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (184.106.251.114, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 11:19 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (184.106.251.114, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 11:19 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (61.199.142.94, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 11:19 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (61.199.142.94, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 10:42 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (110.139.177.150, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 10:42 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (110.139.177.150, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 09:21 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (61.56.154.23, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 09:21 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (61.56.154.23, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 09:17 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (210.0.133.87, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 09:17 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (210.0.133.87, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 09:14 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (216.249.76.53, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 09:13 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (216.249.76.53, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 08:35 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (113.197.179.44, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 08:34 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (113.197.179.44, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 08:34 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (86.52.195.216, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 08:34 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (86.52.195.216, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 08:32 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (61.59.250.87, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 08:32 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (61.59.250.87, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities

 

 

Shall I close port 445 for good?

Have you restarted your computer?

 

NIS 2011 is very old in computer terms. You really should consider upgrading to the latest version. It costs nothing, and will bring you up to the latest protection engines.

 

Either way, be sure you have run LiveUpdate manually a few times, rebooting as necessary, until no updates are available.

 

 

 

My PC can't handle NIS 2013 (Core i3 2.20 GHz, 8 GB RAM). I know that NIS 2013 has high CPU usage. CPU went as high as 30-40% the last time I installed it.


milen15 wrote:

My PC can't handle NIS 2013 (Core i3 2.20 GHz, 8 GB RAM). I know that NIS 2013 has high CPU usage. CPU went as high as 30-40% the last time I installed it.


That system should be able to handle Norton Products. How long ago did you try 2013? Many enhancements have been made over time to address many of the issues that were found.

 

Back to your problem. Did you try restarting your computer, and running LiveUpdate?

 

 

 

Yep, latest updates (smart def is off), restarted a lot of times and still no effect. Inbound traffic keeps coming on TCP port 445.

NIS 2011 is handling it for the moment but I want to stop this.

 

Some of the log:

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
15.8.2013 г. 18:02 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (109.197.86.10, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 18:02 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (109.197.86.10, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 17:55 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (89.169.103.67, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 17:55 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (89.169.103.67, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 17:55 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked communication.",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 17:46 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (186.89.48.65, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
15.8.2013 г. 17:46 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (186.89.48.65, Port (445)

Hi milen15

Try getting Windows updates and recheck for updates until there are no more updates, restarting the computer as requested.

 

 

ATB

 

intesec

Hi:)

Windows and NIS 2011 are up to date. After restarting there is a strange log entry:

 

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
15.8.2013 г. 18:30 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked communication.",Detected,No Action Required,Firewall - Activities

 

With no IP addresses, neither mine nor someone else's. I talked to my ISP about changing my IP, and I'm thinking of trying NIS 2013; I hope the firewall is better than in 2011.

milen,

 

You're in an area I know nothing about but I'm not bad at searching, so I wonder if anything in this list of Google results is any help:

 

https://www.google.com/search?sourceid=navclient&aq=hts&oq=&ie=UTF-8&rlz=1T4GZAZ_enUS384&q=Default+Block+Microsoft+Windows+2000+SMB 

 

Good luck -- you'll see that someone else posted about it back in 2011 so maybe going to 2012 would help if you think 2013 is not for you?

 

We have a link to download 2012 from ......

Do you have other computers or game systems in your home using your wifi ?

Hi milen15,

 

You can actually disable NetBIOS over TCP/IP on Windows 7 through the Advanced Settings of your network adapter.

 

Reboot your pc.

Also, if you do not need it, you can also disable "File & Printer Sharing" via the W7 Control panel.

Hope this helps,

 

Regards,

 

Hi guys:) First of all, thanks for all the help.
I changed my IP and the situation is the same. I added a rule in General Rules to block TCP/UDP 445 - same. I tried NIS 2013 - same logs.
And finally I came to the extreme decision to close port 445 for good.

 

Here it is:
I went to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters key
Created a 'REG_DWORD' entry with the name SMBDeviceEnabled and gave it the value 0
Closed Registry Editor

Opened Services by typing services.msc in the Run dialog box.
I located the service named 'Server'. I disabled it and stopped it.
Same with the service named 'TCP/IP NetBIOS Helper': I disabled it and stopped it.
Rebooted the PC.
Cmd - command "netstat -an" and no port 445 listening.

And I very much hope that this will work.

 

Update: Nope same logs:

 

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
16.8.2013 г. 11:07 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (66.27.55.122, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
16.8.2013 г. 11:07 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (66.27.55.122, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities

 

I'm in a circle and there is no way out.

 

There is nothing you can do at your end to stop the port scans, any more than changing any setting on your telephone would be able to stop someone from dialing your number. The Norton Firewall is doing what it is there to do, which is to block this unsolicited traffic. You aren't at any risk, here. But if the log entries make you uneasy, the best advice I could offer would be to get a router, which will drop this incoming traffic so that it never reaches your computer in the first place.

Hi milen 15,

 

In my history of "Firewall Activities", I found the same results, but this does not happen so frequently, 2 / 3 times a day, and I can confirm what has already been explained by SOJ, that you are not at risk, and possibly you could use a router to have additional security.

These blocks usually occur when you share a computer with other users, and you have enabled Home Group for file sharing, such as music, pictures, printers, etc.

 

Since all users belong to the same Home Group, Windows Media Player and other Windows components must synchronize and update these files and folders using that port, which NIS blocks by default, but it is just a problem at the level of aesthetics in your NIS history.

In addition, synchronization is done anyway, even if not all elements are synchronized as Microsoft would like this to happen.

 

I hope this helps.

 

Sandro

Edit to my previous post

 

I'm not sure that port 445 is used for synchronization, but what I have found in the past is that after disabling file sharing, etc. (as I explained above), the logs for the blocks on port 445 were no longer present in the NIS History; therefore, mine is only a deduction.

milen15,

 

Some steps to try:

 

1. Go to Control Panel, section Network, and disable all types of private and public file sharing.

Confirm that the changes are applied.

2. Open the services tab and disable: a) UPnP Device Host service, b) SSDP Discovery service and c) WMP Network service.

 

If this last service comes up after some reboots because Microsoft wants you to run this service even if unneeded, select properties, then security, then change ownership from TrustedInstaller to the account that you normally use when logging on to your PC (must be an account with admin rights).

Deny all rights to TrustedInstaller and give full permissions to your admin account.

Also, go to WMP and disable all types of Network communication. (I don't remember the exact steps but it's easy to find.)

When you're done please REBOOT your pc, after boot verify that those 3 services are not running and also not started.

After all those steps, look into NIS history and see if those many logs are back or not and let us know the results.

 

Regards,

 

Hi milen15,

 

Just a little note to clarify that when I say disable File Sharing, you open Control Panel, section Network, and under the menu

"change advanced homegroup settings" you expand the arrows and turn off all the options about network discovery, file sharing etc, everything, in other words you leave the Homegroup.

I checked my NIS Firewall history and I do not have a single entry about SMB.

 

Regards,

 

Hi Apostolos :) I stopped all 3 services: 1) SSDP Discovery, 2) UPnP Device Host, 3) Windows Media Player Network Sharing. I also disabled file sharing in advanced settings; everything is set to "off". After some restarts this message appeared in the NIS log:

 

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
18.8.2013 г. 11:45 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked communication.",Detected,No Action Required,Firewall - Activities
Process name: System /TCP Port 445.

 

Then I stopped service 4) Server and 5) NetBIOS Helper but the entries keep appearing in my NIS log.
I also reinstalled my browser with the latest version of Chrome.
I also disabled the Windows Media Center Receiver service and Windows Media Center Scheduler.

 

And the logs keep coming. Apostolos, I was thinking about some network analyzer/monitoring software to see more detailed info about these logs: maybe they are fake, or which services they want to connect to, or which service is causing all this. My ISP installed some crappy router, a Huawei EchoLife HG8245, in my home, and I have no admin rights to it. I asked my ISP to block TCP port 445 but they told me that the router doesn't have that option, or they lie.

I also uninstalled, in Local Area Connection, 1. Client for Microsoft Networks and 2. File and Printer Sharing; no effect, so I returned them.

Now is:


new.jpg

Update:

Some new logs from NIS and same smb 2000:

 

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
18.8.2013 г. 21:10 ч.,Info,"Rule \"Default Block EPMAP\" blocked (78.63.114.105, Port dcom(135) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:10 ч.,Info,"Rule \"Default Block EPMAP\" blocked (78.63.114.105, Port dcom(135) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:00 ч.,Info,"Rule \"Default Block EPMAP\" blocked communication.",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:00 ч.,Info,"Rule \"Default Block EPMAP\" blocked communication.",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 20:54 ч.,Info,"Rule \"Default Block EPMAP\" blocked communication.",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 20:54 ч.,Info,"Rule \"Default Block EPMAP\" blocked communication.",Detected,No Action Required,Firewall - Activities

 

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
18.8.2013 г. 21:08 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (5.53.198.218, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:08 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (5.53.198.218, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:08 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (5.53.198.218, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:08 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (5.53.198.218, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:02 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (46.127.214.134, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:02 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (46.127.214.134, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:02 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (46.127.214.134, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
18.8.2013 г. 21:02 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (46.127.214.134, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities

Process name is "C:\Windows\System32\svchost.exe"

 

Update: strange, I ran the netstat -an command and there is no TCP 445 port listening. Some of the netstat -an details/info:

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1031 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5466 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5466 0.0.0.0:0 LISTENING
TCP 0.0.0.0:10394 0.0.0.0:0 LISTENING
TCP 0.0.0.0:15731 0.0.0.0:0 LISTENING
TCP 0.0.0.0:18394 0.0.0.0:0 LISTENING

There is no 445 and the logs keep coming.


milen15 wrote:

Update: strange, I ran the netstat -an command and there is no TCP 445 port listening. Some of the netstat -an details/info:

There is no 445 and the logs keep coming.


That is correct. Nothing on your computer is expecting to receive anything on port 445, so the firewall is blocking the incoming traffic on that port. That is how it works. Again, there isn't anything you can do to your PC that is going to make these port scans go away - you have no control over things on the internet "dialing" your public IP address. A router is the only way to stop this traffic from getting to your computer, but that is simply because the router handles it rather than the PC firewall - but the traffic will still be there.
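The two outputs posted in this thread (the NIS "Firewall - Activities" export and `netstat -an`) can be cross-checked to see how many distinct sources hit each blocked port and whether anything local is listening on it. This is an added example, not part of any post: the function names are hypothetical and the sample rows are constructed with documentation-range addresses.

```python
import re
from collections import defaultdict

# Activity field of an NIS "Firewall - Activities" CSV row, in the format quoted in the thread.
BLOCK_RE = re.compile(
    r'Rule \\?"(?P<rule>[^"\\]+)\\?" blocked '
    r'(?:\((?P<ip>\d+\.\d+\.\d+\.\d+), Port \w*\((?P<port>\d+)\)|communication)')

# Constructed sample data (documentation-range addresses), not copied from the thread.
SAMPLE_LOG = r'''Date & Time,Risk,Activity,Status,Recommended Action,Category
16.8.2013 г. 11:07 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (192.0.2.10, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
16.8.2013 г. 11:07 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (192.0.2.10, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
16.8.2013 г. 11:05 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (198.51.100.7, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
16.8.2013 г. 11:02 ч.,Info,"Rule \"Default Block Microsoft Windows 2000 SMB\" blocked (203.0.113.5, Port (445) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
16.8.2013 г. 11:01 ч.,Info,"Rule \"Default Block EPMAP\" blocked (203.0.113.9, Port dcom(135) ). Inbound TCP connection. ",Detected,No Action Required,Firewall - Activities
16.8.2013 г. 11:00 ч.,Info,"Rule \"Default Block EPMAP\" blocked communication.",Detected,No Action Required,Firewall - Activities
'''
SAMPLE_NETSTAT = """TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 192.0.2.50:49200 198.51.100.20:443 ESTABLISHED"""

def parse_firewall_log(text):
    """Return (events, no_address); events are (timestamp, rule, ip, port) tuples."""
    events, no_address = [], 0
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if not m:
            continue  # header rows, "Category:" lines, blanks
        if m.group("ip") is None:
            no_address += 1  # "blocked communication." rows carry no endpoint
            continue
        events.append((line.split(",", 1)[0], m.group("rule"), m.group("ip"), int(m.group("port"))))
    return events, no_address

def listening_tcp_ports(netstat_text):
    """Local TCP ports in LISTENING state from `netstat -an` (or `-ano`) output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))  # rsplit also copes with [::]:445
    return ports

def summarize(log_text, netstat_text):
    """Per blocked port: block count, distinct remote sources, and whether a local listener exists."""
    events, no_address = parse_firewall_log(log_text)
    listening = listening_tcp_ports(netstat_text)
    sources, hits = defaultdict(set), defaultdict(int)
    for _ts, _rule, ip, port in events:
        sources[port].add(ip)
        hits[port] += 1
    return {p: {"hits": hits[p], "sources": len(sources[p]), "listening": p in listening}
            for p in hits}, no_address
```

A port with many distinct sources and `listening: False` matches the situation described in the reply above: unsolicited inbound attempts reaching a port with no local listener.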

Hi milen15,

 

Try the command netstat -ano to see if there is further info.

What SendOfJive stated is correct, but I do not understand why I do not have a single entry in the NIS firewall from SMB.

I'm thinking that there is maybe an application or Windows component that is trying to communicate on port 445 but finds it blocked and tries to restart communication.