Hundreds of suspicious messages coming from random sources [closed]

networking firewall anti-virus malware mcafee

I'm having a serious problem and I'm getting out of options.

Out of the blue, my Windows 10 laptop with McAfee started reporting hundreds of suspicious messages blocked by the laptop firewall (I don't have a router firewall). The origin is random (though most of them come from Akamai.net) and the port is random as well, but in many cases there are dangerous ports such as 138 that's used to manage the NetBIOS.

This happens in all the laptops in my network, and I don't know how to stop these messages from coming in.

See sample messages here.

One thing I did, was to take one of the laptops and reinstall Windows 10 (from the image in the laptop itself) outside of my WiFi network. The strange thing was that even after resetting the entire disk and reinstalling Windows, these messages started coming in again, without even being ever connected to my network.

Any ideas what's going on and how to solve this problem?


Solution 1:

Let's check those source IPs:

  • 3.208.40.114 and 3.15.107.215 is owned by AWS, and these IPs are used by parse.ly as an application/website analytics and 1x1 pixel tracker.

  • 52.216.0.0/14 and 52.216.128.0/18 is owned by AWS and used by AWS to serve S3 APIs.

  • 74.125.21.95 is owned by Google, serving Google search.

  • 204.154.111.153 is used by DoubleVerify analytics.

Most of the IPs described are safe, and its origin can be tracked. Probably you're trying to browse the internet when you're receiving this messages.

Furthermore, most of the warnings connected through your PC via ephemeral ports, i.e. client-side communication port in TCP/UDP. These connections are short-lived and usually client-initiated, so if there's anything wrong, probably you can check and scan your PC to be safe.

Highly possible it's a case of hyperactive firewall, but please confirm it by cross-checking your antivirus log with your browsing activity.

Next, let's check your local network logs:

  • 3702/UDP is used for WS-Discovery broadcasts
  • 5355/UDP is used for LLMNR broadcasts
  • 137/UDP and 138/UDP are used by Windows' NetBIOS services

All these services are safe within your local network, and usually are broadcasts or unicasts. You can firewall these networks if you want, but you'll block your clients discovery if you do so.

Related

Can a CNAME record point to a domain handled by another DNS server?
How do I replay the tutorial in Splatoon 2?
How to start with the most Health?
Linux mail command treating -b and -c as email addresses
Is it possible to serve the same root from autoindex both as JSON and HTML with nginx?
Does the Ghost update introduce a meaningful ending to the Subnautica storyline?
Do I need to enable the day/night cycle to unlock the 1001 Nights trophy/achievement?
Do Fireteam Medallions stack?
Forward domain resolution to AWS's namesever
Can I plant and chop forest multiple times for production in Civilization 6?
Does accuracy lower for higher level weapons?
Redirecting HTTPS