always_working

Members
  • Posts

    55
  • Joined

  • Last visited

Reputation

12 Good

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Thanks so much for the reply. I've read that link before and after posting and am sure I'm missing something obvious. Is the problem the fact that I have "Local Address" checked and/or "Any Address" selected in the corresponding field? It would make sense that it would knock me completely off the network if I (now) understand its usage. However, if that's the case, why did this packet rule suddenly do so if it never did in the past?
  2. Running Kaspersky Premium 21.15.8.493 (a) on Windows 10 Professional x64 Build 19045 Version 22H2. I created a packet rule over a month ago to block two domains that were attempting to establish insecure connections. Please see the attached screenshot. As I was still learning to create packet rules in Kaspersky, I was unsure if all fields were set correctly. Also, a few weeks ago or so, the computer with the packet rules was being disconnected from the network. It would no longer even show as online unless I deactivated the rule. Did I create the rule incorrectly? Either way, why would it suddenly disconnect me from the network after weeks of not doing so? I made no changes in that time. I'd like to learn and understand if I made a mistake in setting the rule and also why it would suddenly knock me off the network. Any insight is appreciated!
  3. As an update, I reached out to Youmail who communicated with Kaspersky, and asked them to stop identifying their app as a possible exploit. The alert stopped appearing a day or so after. Thanks again for your assistance!
  4. My apologies for not providing the basic information initially, which I will ensure I do moving forward. Android One UI 5.1 (Android 13-based); Youmail version 5.5.0; Kaspersky Premium (Android) version 11.105.4.10750. With respect to Kaspersky (I love their products), I have had much better experiences and more success posting here. Youmail is the app in question that was just updated to the most recent version. Youmail's not a mail app - it's a call screener to stop robocalls that I use consistently. I'm seeing this detection on two different phones, and reinstalling Youmail doesn't stop it. Running an older version of the same app on a different phone shows no such detection. I don't think the app is malicious, but I've also reached out to that company directly and will follow up. I know it's preferable to know than to suppose, but I do think it's being identified as riskware solely due to the permissions it needs and not because it's malicious. A full scan shows the same detection but nothing else. Your reply would be appreciated.
  5. Hello. I received this alert when running a scan on my phone - please see the attached screenshot. I read the article at https://www.bleepingcomputer.com/news/security/mobile-trojan-detections-rise-as-malware-distribution-level-declines/ and my initial reaction is that this app has been noted as one that needs permissions often associated with malicious apps. I can say that this alert only appeared after updating the app to the most recent version. Am I correct in my assumption, or is it possible that the app has been compromised? Any help is appreciated as this is concerning to me and potentially time-sensitive. It's actually the first such alert I've received using the app on Android.
  6. Thanks so much for your reply. It's a little more complicated than I thought! So the difference is the usage, in that it's protocol-specific and used to block by port as well as IP and for ACL packet filtering? In contrast, would just "block inbound/outbound" block all data transmission through that port regardless of protocol type? Still trying to understand, so any elaboration would be appreciated. Perhaps you would be good enough to offer concrete examples of when you might employ one versus the other?
  7. The answer is probably simple and obvious, but I'd still like to understand it. Wouldn't blocking inbound or outbound block everything (i.e. packets), or is it just other types of data streams? Any help so I can know the difference would be appreciated!
  8. Hello, Could you kindly reply to my last post in this thread? I realize there's a bit to unpack but any insight/direction would be helpful and appreciated so I can figure this out.
  9. Thanks for your prompt reply. I was learning about name resolution and read that it was advisable to disable LLMNR (as I understand it, it's being phased out in favor of mDNS). I did so via a command line on all network computers. I would not know how to enable file sharing via SMB, but, under advanced sharing settings, both network discovery and file and printer sharing are disabled (for all profiles). I think what might have happened is that name resolution for the PC in question defaulted to NetBIOS after the fact (which surprises me because I would think that the computer would still use mDNS for name resolution before doing so once LLMNR was disabled). I can say that NetBIOS already had a default value of 0 in the registry. However, it was and is set to "default" on the NIC under the WINS tab in the Advanced TCP/IP settings for Internet Protocol version 4. I also created a new packet rule blocking outbound UDP packets for ports 137 and 138. Are you saying that the rule is already in place? In looking at (the already established) network rules, I see one that would block inbound UDP traffic on several ports but not outbound. That's when I started noticing all the outbound UDP traffic being blocked on those ports (mostly 137). Then I downloaded Glasswire to see what app/process/etc. was generating that traffic. That caused even more of the aforementioned blocked traffic. I believe it was associated with the system app (PID 4), and running TCPView showed Kaspersky Lab Launcher was generating some of the outbound traffic as well. So it looked to be the system process, Glasswire, and Kaspersky, namely. I can also say that the port range (137-139) was and is closed (inbound and outbound) in the router's firewall, so I thought that it wouldn't leave the network anyway. Was that a mistaken assumption? How could all that outbound traffic even be generated in the first place with that being the case? I've since reverted to a restore point and it's no longer happening.
Should I avoid Glasswire? I liked the UI and it was helping me to learn networking and understand the network traffic. Should I disable NetBIOS in the NIC? Should I refrain from making that packet rule again in Kaspersky? Most importantly, any idea what the heck happened? Did the PC revert to just NetBIOS for name resolution, causing all that traffic? Thanks again for your insight, as I'm not sure how I would figure this out otherwise!
  10. Hello, I'm running Kaspersky Premium on Windows 10. I was monitoring the network and noticed unexpected traffic to seemingly random IP addresses. This was after setting a packet rule to block such traffic. It appeared that it was name resolution at first until I noticed in the firewall report that there was other outbound UDP traffic blocked on port 137 (and occasionally 138). I only see this on one computer on the network, yet the others have the same packet rules in place. Some of the IP addresses are Kaspersky servers, so I was wondering if this pertains to Kaspersky Secure Network, but then why only on the one computer? I checked the IPs with VirusTotal and they don't appear to be malicious, but my concern is that there is a trojan or worm, as I don't understand why there would be blocked outbound traffic on that port. This happens consistently as soon as I turn on the computer. Can someone kindly advise what I should be looking at? All Kaspersky scans detect no issues.
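The blocked outbound UDP 137/138 traffic described in posts 9 and 10 above can be triaged from a firewall report by separating subnet-local name resolution (NetBIOS broadcast, LLMNR and mDNS multicast) from lookups that try to leave the LAN. This is an added Python example, not code from the thread, from Kaspersky or from Glasswire; the log line format and sample lines are constructed, and the LAN prefix 192.168.1.0/24 is an assumption.

```python
import ipaddress
from collections import Counter
# UDP ports used by Windows name-resolution protocols (well-known assignments).
NAME_RESOLUTION_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 5355: "LLMNR", 5353: "mDNS"}

# Constructed sample lines in a hypothetical "PROTO SRC DST:PORT PROCESS" format;
# this is not the layout of Kaspersky's firewall report or of Glasswire output.
SAMPLE_LOG = """\
UDP 192.168.1.20 192.168.1.255:137 System (PID 4)
UDP 192.168.1.20 203.0.113.7:137 System (PID 4)
UDP 192.168.1.20 203.0.113.7:137 glasswire.exe
UDP 192.168.1.20 224.0.0.252:5355 svchost.exe
UDP 192.168.1.20 224.0.0.251:5353 svchost.exe
UDP 192.168.1.20 192.168.1.1:53 svchost.exe
TCP 192.168.1.20 203.0.113.40:443 browser.exe
"""

def parse_line(line):
    """Split one log line into (proto, src, dst_ip, dst_port, process)."""
    proto, src, dst, process = line.split(maxsplit=3)
    ip, port = dst.rsplit(":", 1)
    return proto, src, ipaddress.ip_address(ip), int(port), process

def classify(line, lan):
    """Return (protocol, scope, process) for a name-resolution packet, else None.

    scope is "local" for multicast/broadcast or a destination inside `lan`
    (normal for NetBIOS and LLMNR on a home network) and "off-lan" otherwise;
    the off-lan lines are the ones worth blocking or investigating.
    """
    proto, _src, dst_ip, port, process = parse_line(line)
    if proto != "UDP" or port not in NAME_RESOLUTION_PORTS:
        return None
    scope = "local" if dst_ip.is_multicast or dst_ip in lan else "off-lan"
    return NAME_RESOLUTION_PORTS[port], scope, process

def summarize(log_text, lan_cidr="192.168.1.0/24"):
    """Count name-resolution packets by (protocol, scope, process)."""
    lan = ipaddress.ip_network(lan_cidr)
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line, lan)
        if hit:
            counts[hit] += 1
    return counts

def off_lan_processes(log_text, lan_cidr="192.168.1.0/24"):
    """Processes that sent name-resolution traffic to addresses outside the LAN."""
    return sorted({p for (_n, s, p) in summarize(log_text, lan_cidr) if s == "off-lan"})
```

A router that drops 137-139 only stops the packets at the edge; the host still generates them, which is why a host firewall report keeps filling up until the name-resolution source (NetBIOS over TCP/IP on the NIC, or the tool issuing reverse lookups) is addressed.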
  11. Let me rephrase - if one blocks traffic either outbound or inbound, to my current understanding, blocking data packets in that direction would be redundant since traffic is already blocked anyway. What am I missing? What's the difference between the two?
  12. I did, but I don't fully understand it yet. So blocking inbound or outbound blocks the connection entirely so that no data can pass through whatsoever? Would this be the same as "closing the port" in that direction? Is that opposed to blocking any data packets, in that no connection is allowed at all in the former? Wouldn't that be the same thing really, since data packets are so small? I'm still learning!
  13. In Kaspersky Premium, when creating a network packet rule, what's the difference between (direction action) "outbound or inbound (packet)" and just "outbound or inbound"? I checked the online documentation and couldn't find a definitive answer. Thanks for any help!
  14. Also, would you be good enough to reply to my post at Having a difficult time processing this one.