Scan triggers outgoing "unknown" traffic on ports 139 & 445

Like clockwork during a full Defender scan (daily) my firewall (ZoneAlarm)
blocks outgoing traffic to apparently unrelated [but consistent]
destinations. Oddly I cannot find any reference to these destination DNS /
IPs anywhere on the PC except in ZA logs.

Why would Defender trigger such outgoing traffic?
 
Set @ basic.
The URLs / IPs don't look like they'd be related to SpyNet activity?
E.g. 199.213.146.11 www.infras.gov.ab.ca
& I don't recall ever being there either ..
--
Regards Jon J


Dave M said:
What's your membership in SpyNet set to?

--

Regards, Dave


Oh no, the Canadians are gathering intelligence on us now, and I thought it
was only the NSA... :)

Seriously though, why not just "resign" your SpyNet membership temporarily
by clicking "I don't want to join at this time" and see if the outbound net
traffic dies away as a consequence. Seems like a reasonable way to
approach that possibility. If that doesn't stop the traffic something more
sinister could be happening; perhaps you should use your firewall to block
those two outbound ports. Let us know what results.
--

Regards, Dave


CA / NSA spying .. Surely not ... I'm in Australia! :-)
Resigning from SpyNet made no difference.
The ports are blocked and the attempts get logged ... I was only trying to
establish what is going on.
It's triggered by the scan ... what does it do that would generate traffic?
It's more than likely that I had visited that example ca site, coz it's part
owned by Macquarie (an Australian Bank blah blah) and presumably the others
as well. (Only a handful) But I cannot find any trace anywhere .. registry,
files, history etc.
It's one of those mysteries ....

--
Regards Jon J
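
One way to check the "triggered by the scan" observation against the firewall log, as an added example that is not part of the original thread: it counts blocked outbound attempts to ports 139/445 per destination and separates those that fall inside a scan window from those that do not. The log lines are constructed in a simplified layout (not ZoneAlarm's real format), the scan windows are assumed, and the function names are illustrative.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: simplified "direction,timestamp,source,destination,proto"
# lines, not ZoneAlarm's real log layout. Addresses other than the one quoted
# in the thread are documentation-range placeholders.
SAMPLE_LOG = """\
FWOUT,2006-08-01 02:03:11,192.168.0.5:1071,199.213.146.11:445,TCP
FWOUT,2006-08-01 02:03:11,192.168.0.5:1072,199.213.146.11:139,TCP
FWOUT,2006-08-01 14:20:00,192.168.0.5:1090,203.0.113.9:80,TCP
FWOUT,2006-08-02 02:04:37,192.168.0.5:1101,199.213.146.11:445,TCP
FWOUT,2006-08-02 02:05:02,192.168.0.5:1102,198.51.100.7:445,TCP
FWOUT,2006-08-02 19:45:10,192.168.0.5:1150,198.51.100.7:445,TCP
FWIN,2006-08-02 02:06:00,198.51.100.20:4000,192.168.0.5:445,TCP
"""

# Assumed scan windows (start, end), e.g. taken from the scanner's own history.
SCAN_WINDOWS = [
    (datetime(2006, 8, 1, 2, 0), datetime(2006, 8, 1, 2, 30)),
    (datetime(2006, 8, 2, 2, 0), datetime(2006, 8, 2, 2, 30)),
]
SMB_PORTS = {139, 445}

def in_scan(ts):
    return any(start <= ts <= end for start, end in SCAN_WINDOWS)

def correlate(log_text):
    """Per destination IP: outbound 139/445 attempts inside and outside scans."""
    stats = defaultdict(lambda: {"in_scan": 0, "outside": 0, "days": set()})
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5 or parts[0] != "FWOUT":
            continue  # skip malformed lines and inbound events
        ts = datetime.strptime(parts[1], "%Y-%m-%d %H:%M:%S")
        ip, _, port = parts[3].rpartition(":")
        if not port.isdigit() or int(port) not in SMB_PORTS:
            continue
        entry = stats[ip]
        entry["in_scan" if in_scan(ts) else "outside"] += 1
        entry["days"].add(ts.date())
    return dict(stats)

def scan_only_destinations(stats, min_days=2):
    """Destinations seen on several days and never outside a scan window."""
    return sorted(ip for ip, s in stats.items()
                  if s["outside"] == 0 and len(s["days"]) >= min_days)

if __name__ == "__main__":
    print("scan-only:", scan_only_destinations(correlate(SAMPLE_LOG)))
```

A destination that also shows up outside the scan windows points at some other program on the machine rather than the scanner.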


Another thing I think you might want to try is to flush your DNS...

Start > Run > type
ipconfig /flushdns

then click OK.

The ipconfig /flushdns command provides you with a means to flush and reset
the contents of the DNS client resolver cache, but I'm not a networking
person, so you might want some additional input before you do this or do a
bit of googling, as I'm not sure of all the ramifications. I believe it
just recreates the cache again which in your case might be goodness.

--

Regards, Dave


Windows Defender seems to have acquired a strange fascination with state
and local governments:

From: MikeLib
Subject: Defender Accessing web site during scan?
Date: Mon, 31 Jul 2006 15:53:01 -0700
Newsgroups: microsoft.private.security.spyware.onlinecommunity

--

Regards, Dave


Flushed ... = same problem. :-(


--
Regards Jon J


Well--surely a Canadian entity is pretty safe. Just think if it was going
to Phila.gov, for example! (Sorry John Street--no reflection on your
leadership intended, but.....)

--
