Event ID: 861 - The Windows Firewall has detected an application listening for incoming traffic

Posted by Chris Marisic on Server Fault
Published on 2009-08-27T17:05:14Z

Firstly, my machines aren't compromised any person suggesting such will be DV'd.

The security logs on some of my network's client machines (all Windows XP SP3) get filled with these useless error messages.

Security Failure Audit
Detailed Tracking
Event ID: 861
User: NT AUTHORITY\NETWORK SERVICE
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 976
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55035
Allowed: No
User notified: No

It's always on various random UDP ports, so setting up a port exception isn't really an option.

It's always from svchost or lsass, both of which are running services from DLLs. One of the most offending processes seems to be DnsCache.

I have in my global policy, under AT < Network < Network Connection < Windows Firewall < Domain Profile (I haven't changed any standard profile options; do both need to be configured?), settings to allow remote administration and desktop exceptions, and a custom program exception list that has:

%SystemRoot%\system32\svchost.exe:*:enabled:svchost

(Windows won't allow you to add this exception on a local machine, but it let me have it here in the global policy; it just doesn't seem to do anything.)

%SystemRoot%\system32\lsass.exe:*enabled:lsass

(I think this one ended all of my LSASS messages.)

%SystemRoot%\system32\dnsrslvr.dll:*:enabled:dnscache

(I tried adding the DLL itself to the exception list; this didn't seem to do anything.)

Are there really any other options left, other than disabling the Windows Firewall entirely, disabling auditing entirely, or just changing the event viewer to auto-overwrite when needed?

I'd much rather fix the problem and get rid of these entries ever being created instead of just trying to cover up the problem.
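Before deciding between tuning and disabling the audit, it helps to see exactly which binaries and protocols generate the 861 records and whether any listener is something other than svchost or lsass. The script below is an added example, not part of the original post; it assumes PowerShell 2.0 or later, read access to the Security log on each machine in the placeholder `$ComputerName` list, and the "Key: value" message layout shown in the event above.

```powershell
# Added example, not from the original post: summarise Event ID 861
# audit records so the expected svchost/lsass listeners can be told
# apart from anything unexpected before the audit policy is tuned.
# Assumes PowerShell 2.0 or later and read access to the Security log
# on each machine listed; $ComputerName is a placeholder list.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# The post identifies these two system binaries as the noisy listeners.
$expectedListener = '^[a-z]:\\windows\\system32\\(svchost|lsass)\.exe$'

# Turn the "Key: value" lines of an 861 message into one object.
function ConvertFrom-Event861 {
    param([System.Diagnostics.EventLogEntry]$Entry)
    $fields = @{}
    foreach ($line in ($Entry.Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*?)\s*$') {
            $fields[$matches[1].Trim()] = $matches[2]
        }
    }
    New-Object PSObject -Property @{
        Computer = $Entry.MachineName
        Time     = $Entry.TimeGenerated
        Path     = $fields['Path']
        Protocol = $fields['IP protocol']
        Port     = [int]$fields['Port number']
        Service  = $fields['Service']
        Expected = [bool]($fields['Path'] -match $expectedListener)
    }
}

# Collect every 861 failure audit from each machine.
$events = foreach ($computer in $ComputerName) {
    Get-EventLog -LogName Security -ComputerName $computer -EntryType FailureAudit |
        Where-Object { $_.EventID -eq 861 } |
        ForEach-Object { ConvertFrom-Event861 -Entry $_ }
}

# Volume per listener: shows which binary and protocol produce the noise.
$events | Group-Object Path, Protocol |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Anything that is not svchost or lsass under system32 deserves a look.
$events | Where-Object { -not $_.Expected } |
    Sort-Object Time |
    Format-Table Computer, Time, Path, Protocol, Port -AutoSize
```

If the second table stays empty across the fleet, the records are only the service noise described above and the decision is purely about audit volume; if it does not, those rows are worth checking before any exception or audit change is rolled out.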
