Jump to content

Unexpected Outbound UDP Traffic on Port 137


Recommended Posts

always_working
Posted

Hello,

Running Kaspersky Premium on Windows 10.

I was monitoring the network and noticed unexpected traffic to seemingly random IP addresses.  This was after setting a packet rule to block such traffic.  It appeared that it was name resolution at first until I noticed in the firewall report that there was other outbound UDP traffic blocked on port 137 (and occasionally 138).  I only see this on one computer on the network yet the others have the same packet rules in place.  Some of the IP addresses are Kaspersky servers so I was wondering if this pertains to Kaspersky Secure Network but then why only on the one computer?

I checked the IPs with virustotal and they don't appear to be malicious but my concern is that there is a trojan or worm as I don't understand why there would be blocked outbound traffic on that port.  This happens consistently as soon as I turn on the computer.

Can someone kindly advise what I should be looking at?  All Kasperksy scans detects no issues.

 

Posted

Hello @always_working,

this smells like NetBios, an old and nowadays hardly used protocol. Used TCP and UDP on ports 137 and 138, also 139. However, it is partly used by viruses and worms, so it is blocked.

Have you enabled file sharing via SMB on the one computer?

always_working
Posted (edited)
2 hours ago, Schulte said:

Hello @always_working,

this smells like NetBios, an old and nowadays hardly used protocol. Used TCP and UDP on ports 137 and 138, also 139. However, it is partly used by viruses and worms, so it is blocked.

Have you enabled file sharing via SMB on the one computer?

Thanks for your prompt reply.  I was learning about name resolution and read that it was advisable to disable LLMNR (as I understand it, it's being phased out in favor of mDNS).  I did so via a command line on all network computers.

I would not know how to enable file sharing via SMB but, under advanced sharing settings, both network discovery and file and printer sharing are disabled (for all profiles).

I think what might have happened is that name resolution for the PC in question defaulted to NetBios after the fact (which surprises me because I would think that the computer would still use mDNS for name resolution before doing so once LLMNR was disabled).  I can say that NetBios already had a default value of 0 in the registry.  However, it was and is set to "default" on the NIC under the WINS tab in the Advanced TCP/IP settings for Internet Protocol version 4.

I also created a new packet rule blocking outbound UDP packets for ports 137 and 138.

Are you saying that the rule is already in place?  In looking at (the already established) network rules, I see one that would block inbound UDP traffic on several ports but not outbound.

That's when I started noticing all the outbound UDP traffic being blocked on those ports (mostly 137).

Then I downloaded Glasswire to see what app/process/etc was generating that traffic.  That caused even more of the aforementioned blocked traffic.  I believe it was associated the the system app (PID 4) and running TCPView showed Kaspersky Lab Launcher was generating some of the outbound traffic as well.  So it looked to be the system process, Glasswire, and Kaspersky, namely.

I can also say that the port range (137-139) was and is closed (inbound and outbound) in the router's firewall so I thought that it wouldn't leave the network anyway.  Was that a mistaken assumption?  How could all that outbound traffic even be generated in the first place with that being the case?

I've since reverted to a restore point and it's no longer happening.  Should I avoid Glasswire?  I liked the UI and it was helping me to learn networking and understand the network traffic.

Should I disable NetBIOS in the NIC?  Should I refrain from making that packet rule again in Kaspersky?

Most importantly, any idea what the heck happened?  Did the PC revert to just NetBIOS for name resolution causing all that traffic?

 Thanks again for your insight as I'm not sure how I would figure this out otherwise!

Edited by always_working
always_working
Posted
On 9/5/2023 at 4:31 PM, Schulte said:

Hello @always_working,

this smells like NetBios, an old and nowadays hardly used protocol. Used TCP and UDP on ports 137 and 138, also 139. However, it is partly used by viruses and worms, so it is blocked.

Have you enabled file sharing via SMB on the one computer?

Hello,

Could you kindly reply to my last post in this thread?  I realize there's a bit to unpack but any insight/direction would be helpful and appreciated so I can figure this out.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...