Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Has anyone seen this 445 traffic before? Not sure if virus/malware/MS crapware

Status
Not open for further replies.
DrB0b

DrB0b

IS-IT--Management
May 19, 2011
1,420
US
445traffic_dkswhb.jpg

See the photo above. We have a ton of 445 - SMB traffic going to 192.168.100.x, 192.168.101.x, and 192.168.5.x address even though those networks do not exist. The firewall is blocking all of the requests but it is unnecessary traffic on the network. I know ransomware will operate and move subnets via 445 but also I know some windows services utilize that port, like printer and file sharing which we do have enabled. I would Wireshark the data but I don't know what else I will find out about it in doing so as I know that almost all PCs in our building are doing this and going to these not real IPs. We have Trend Micro across all PCs in the domain and have ran various other malware/virus/trojan seeking apps and nothing is ever found.

Any thoughts? I'm hoping it is Windows 10 doing something funky or trying to query around and see who else is allowing SMB traffic. I only really see these 192.168.x.x fails as any of the successful 445 traffic is actually legit.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Sort by date Sort by votes
Do you have a linux server somewhere?
 
Upvote 0 Downvote
One VM and one physical on the 10.0.4.x scheme. I believe SAMBA may have something to do with it. I was going around and disabling file and printer sharing and network discovery for some machines that were displaying the 445 SYNs but I dont think that stopped any traffic.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Upvote 0 Downvote
Thanks Beilstwh for the info. We do have 445 blocked from the outside world. We are in a Active Directory environment. We do utilize printer and file sharing, such as mapped drives from file servers. I am under the assumption that 445 has to be enabled for this to function internally. I will look into this a little deeper and run some tests on it disabled but if anyone has any details, please post.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Bryan - Gendev
  • Locked
  • Question
Mouse not active after return for sleep WIN11
Replies
4
Views
343
xwb
xwb
steve288
  • Locked
  • Question
Convert MBR to GPT problems how to do this?
Replies
1
Views
87
goombawaho
goombawaho
HebieBug
  • Locked
  • Question
Boot From USB drive getting Error message "bootable device was not found" 1
Replies
2
Views
338
kjv1611
kjv1611
pmonett
  • Locked
  • Question
PC does not start after upgrade 1
Replies
18
Views
277
Andrzejek
Andrzejek
laoadam
  • Locked
  • Question
external hard drive does not recognized
Replies
3
Views
118
Stephen_Hawk
Stephen_Hawk

Part and Inventory Search

Sponsor

Back
Top