Win 7 Pro What is Netbios?

Status
Not open for further replies.
AtlBo

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,717
7,419
2,679
63
Been trying to see if the hosts file is blocking sites. On the one hand it seems so for entries in the hosts file that were placed by Spybot Anti-Beacon. However, any entries I added were not being successfully blocked. I tested by pinging the domains added by Spybot and got "host not found" which I assumed meant the hosts file was working. On the other hand I got a timeout from checking msn.com which I had added (I was using it for the test and yes I saved the file properly btw). I thought the timeout was probably protection on Microsoft's end, but the check ran the usual 4 times, so I assume that means that the host file did not block the attempt.

Anyway, this led me to see if I could learn more about the router and maybe use it to block. I learned that I could block a limited number of sites individually by domain name. At the same time, I decided to enable the log and see what turned up there. When I did, I noticed that Netbios (port 137) was actually on a regular basis using a UDP connection to various domains around the internet. Most of these are familiar and from Microsoft or CloudFlare or Amazon. This seems like abysmal security, so I would like to see if I can block this specific behavior from Netbios.

I read this which is great but a little over my head:

Is Netbios a huge security threat?

Then I saw this:

netBIOS bloodlust

which I could relate to better having used PrivateFirewall for an extensive period of time. I don't miss much about PrivateFirewall, but I do miss the logs and the connection controls.

So does anyone have any simple plain language input on Netbios, actually these three ports (Netbios is 137):

UDP/137, UDP/138, and TCP/139

, and on how to achieve blocks for all connections outside the local/home network? I only have Comodo FW to work with for this, other than the router settings...
 
  • Like
Reactions: shmu26, mehdi.n, Winter Soldier and 1 other person
That's what I thought. Isn't it a strange thing to see connections to the outside world via these ports? Google search is turning up other complaints about this behavior, and I can't think of a single reason to allow it off hand? Windows 7 by the way...
 
Last edited:
  • Like
Reactions: askmark
AtlBo said:
That's what I thought. Isn't it a strange thing to me to see connections to the outside world via these ports? Google is showing other complaints about this behavior, and I can't think of a single reason to allow it off hand? Windows 7 by the way...
Click to expand...
NETBIOS is mainly used for File and Printer sharing between PC's on the same network. It is a legacy protocol which is only really necessary for compatibility with pre Windows 200O devices.
No NETBIOS or SMB (TCP port 445) traffic from your local network should ever go out to the Internet.
Ports 137,138,139 and 445 should be blocked by CFW on your PC and also blocked on your router (usually by default). Some routers allow you to select which services (ports) to allow or block. If not you may be able to manually create a rule to block the service.
You can also turn off NETBIOS completely on your PC from the advanced tab of the TCP/IP v4 settings of your network adapter. The setting is called 'Enable NETBIOS over TCP/IP'. Please note if you have legacy devices on your network like a NAS box,which rely on NETBIOS to communicate then you will have to keep it on.
HTH
 
Last edited:
  • Like
Reactions: Andy Ful, harlan4096, Winter Soldier and 2 others
That's what I thought. Isn't it a strange thing to me to see connections to the outside world via these ports? Google is showing other complaints about this behavior, and I can't think of a single reason to allow it off hand? Windows 7 by the way...
Click to expand...
I'm not particularly familiar with Netbios so I can't troubleshoot for you but like @askmark said Netbios traffic should have no reason to be exposed to the internet.
 
  • Like
Reactions: AtlBo and askmark
askmark said:
NETBIOS is mainly used for File and Printer sharing between PC's on the same network.
No NETBIOS or SMB (TCP port 445) traffic from your local network should ever go out to the Internet.
Ports 137,138,139 and 445 should be blocked by CFW on your PC and also blocked on your router (usually by default). Some routers allow you to select which services (ports) to allow or block. If not you may be able to manually create a rule to block the service.
You can also turn off Netbios completely on your PC from the advanced tab of the TCP/IP v4 settings of your network adapter. The setting is called 'Enable NETBIOS over TCP/IP'. Please note if you have legacy devices on your network like a NAS box,which rely on NETBIOS to communicate then you will have to keep it on.
HTH
Click to expand...

Thanks for the information. Apparently, information is going outbound through the modem to these outside IPs. No idea what might be using this, although, I can't imagine a MS contact being anything but MS. Something in an application(s) allow rule(s) in Comodo I suppose is the reason for the connections. Seems I recall some other ports being referenced, but unfortunately I didn't save the first log I captured. The router log is quite short, only about 50 entries. I do recall 5228 was one of them, which I have read as something Google uses. Indeed it is a Google IP (74.125.21.188). I have actually been checking the IPs using IPVoid's Blacklist check since last night for some of the detected entries.

I may have to go to the Comodo board to see what I should do to tighten down. It's hard to understand why supposedly security minded developers are using ports in this way. It's such a big distraction. Anyway, if you have a simple fix in Comodo askmark, I'll give it a try, otherwise off to the Comodo Forum...
 
Last edited:
  • Like
Reactions: askmark
askmark said:
NETBIOS is mainly used for File and Printer sharing between PC's on the same network. It is a legacy protocol which is only really necessary for compatibility with pre Windows 200O devices.
No NETBIOS or SMB (TCP port 445) traffic from your local network should ever go out to the Internet.
Ports 137,138,139 and 445 should be blocked by CFW on your PC and also blocked on your router (usually by default). Some routers allow you to select which services (ports) to allow or block. If not you may be able to manually create a rule to block the service.
You can also turn off NETBIOS completely on your PC from the advanced tab of the TCP/IP v4 settings of your network adapter. The setting is called 'Enable NETBIOS over TCP/IP'. Please note if you have legacy devices on your network like a NAS box,which rely on NETBIOS to communicate then you will have to keep it on.
HTH
Click to expand...
I am glad you did this, saved me from having to type,I got 2 sentences and saw your post :P
Mark is correct and shutting it off is not complex.
 
  • Like
Reactions: askmark, Winter Soldier and AtlBo
Here is one of the port 137 log entries:

LAN 192.168.1.120 Destination 209.170.111.17 Port 137 (netbios-ns)

Blacklist says this one is Akamai, which is not flagged at least. I think MS uses Akamai servers but I could be wrong about this. The Akamai connection seems to be doing a loop through the computer. It starts with the UDP connection in through netbios and then the next entry is the same IP on port 80. o_O

Here is another one that also appears twice in the log:

LAN 192.168.1.120 Destination 104.19.192.102 Port 443
LAN 192.168.1.120 Destination 104.19.192.102 Port 137 (netbios-ns)

These are separated by 8-10 lines. This one is CloudFlare. Another one I am used to seeing around...

Apparently, a highway has now been built through the netbios on this PC, considering the others I have seen and their destinations.

On the positive side, router is not showing any traffic in :)
 
  • Like
Reactions: _CyberGhosT_ and askmark
This outbound traffic seems to have stopped since the issues over Wannacry. Maybe servers have had this ability patched out of them. I suppose it was somehow associated with Google Chrome, since many of the refs were preceded by a contact via 80 or 443 html contacts. Maybe something installed in Chrome (i.e. extensions etc) could be the source. Akamai is hosting service at least in part and the MS contacts are something I can't explain, however.

I am curious if this is one reason maybe MS was angry with the CIA over EternalBlue & DoublePulsar...exposing a sketchy info grabbing technique of MS by allowing EB and DP to be exposed to hackers and the public without consulting MS before it could happen. Happy to see that more and more information is being revealed on these CIA malware agents and many others:

Articles tagged with Vault 7

CIA seems unable to level with the American people on any rational level. Thank goodness for WikiLeaks honestly...
 
I disabled netbios right after a clean install. One of my "must-be-done" tweaks.
 
Status
Not open for further replies.

You may also like...