netBIOS bloodlust

[asilentfire]

Sometimes my firewall (Privatefirewall) would be blocking netBIOS over TCP literally every second. This service is constantly barraging my workspace and I want it gone, I have developed a personal hatred against this service.

I figured out how to disable netBIOS over TCP in my WiFi, and that was nice! I didn't have anything mention of netbios in my firewall, or really anything else for that matter

But the other day I got a call from my bank saying that someone just tried to clear out my accounts, and I'm checking my firewall again--
This image has been resized. Click this bar to view the full image. The original image is sized 1278x719.

netBIOS is back, this time in UDP:

I would like to just find the files for this and incinerate them.
I have no need for any kind of networking, remote administration, anything like that, just basic web browsing at best.

I want this thing dead.

 

[Littlebits]

Read this- http://www.wilderssecurity.com/showthread.php?t=270586

This is basically harmless connections that should not be blocked by default because they are needed by Windows Web Services for file sharing, device sharing, Bluetooth and printer sharing for home network.

Depending on your settings on Privatefirewall you may be able to stop it from blocking these connections.

Try using default configuration on Privatefirewall and see if the logs still appear.

You may also disable file sharing on Windows with the "Network and Sharing Center" configuration if you don't have other systems or mobile devices connected to your home network. May may also change your network to "Public" which should stop these connections.

Thanks.

 

[asilentfire]

You may also disable file sharing on Windows with the "Network and Sharing Center" configuration if you don't have other systems or mobile devices connected to your home network. May may also change your network to "Public" which should stop these connections.

Thanks.

Thanks Littlebits!

I forgot that my file and printer sharing automatically switch themselves on sometimes, and they were in fact enabled :O

I havn't seen any netbios today though, just general UDP packets (I started a thread on UDP in general under "UDP paranoia")

I would like to keep this thread open as I expect netbios to come back into my firewall logs, as it always does somehow, but for now I'm very thankful!

BTW, to set my network to public, wouldn't that setting be in the missing "unknown" section I have here?

 

[asilentfire]

well unfortunately netBIOS is back in full force, I just disabled the "server" service as well as some others, and rebooted to over 1000 netBIOS hits in 5 minutes.. I'm not exaggerating. I also noticed a few ICMP router solicitation packets being blocked right at boot.

 

[Littlebits]

I don't recommend manually changing the Windows Services defaults, it will only have a negative impact on your system. Server Service is required to Troubleshoot Problems with your connection.

These connection are most likely harmless feedback connections, all ISP have junk connections to will try to connect, PrivateFirewall is probably just acting paranoid intercepting the connection before Windows gets a chance to block them, if you have your Network and Sharing setup to "Public Network" these connection would be automatically blocked without Privatefirewall. Try changing your log settings to medium on Privatefirewall. Make sure Privatefirewall is set to its defaults.

You can conduct your own experiment to see if these connections even exists or are successful.

Temporary disable Privatefirewall, make sure Windows services are set to their defaults and your have your network set to "Public". Make sure Windows Firewall is enabled. Download NirSoft TcpLogView allow it to run as long as you want, it will record every successful connection.

If you don't see this same netBIOS connecting successfully with NirSoft TcpLogView then you have nothing to worry about. Giving that you have correctly set Windows Services to their defaults and have your network set to "Public".

If NirSoft TcpLogView does find this same connection it will display the info that can be traced to the source.

Thanks.