Can't block a suspicious app

hippo · December 1, 2018, 5:23pm

Im pretty sure Im hacked.
Installed Glasswire after.

When coming out of idle, I get an alert which I can’t block or do anything too.
Starts : ff02…
says : Host process for windows services.
Region : other
size : around 300b

Any info on this ?

Ken_GlassWire · December 1, 2018, 5:56pm

@hippo

It may just be normal Windows behavior.

You can analyze the file with VirusTotal to be sure. https://www.glasswire.com/userguide/#Virus_Total

All GlassWire users (free users also) can use the VirusTotal API.

Ken_GlassWire · December 1, 2018, 5:57pm

You can also paste the host into VirusTotal.com to analyze it, or check it with our new host lookup service.
https://www.glasswire.com/host/

hippo · December 1, 2018, 6:00pm

Thanks Ken.

I have total confidence in glasswire (well … the most).

I have virustotal set up and it usually works perfect.
With this I can’t do anything (virustotal, block etc).
This seems to be the only exception so far.

It doesn’t seem to be a full address.
Just like ff02:1:1 (may have copied wrong)
This is not the proper info, but the structure is the same.

Ken_GlassWire · December 1, 2018, 6:18pm

@hippo

I think ff02:1:1 is a local multicast address.

So, it may not be dangerous.

You can also go to the exact file on your PC, then copy it to your desktop, then upload the file manually to VirusTotal.com.

If you click the file icon, then the three dot menu and choose “go to file location” GlassWire will take you to where the file is. Then you can copy it to the desktop and upload it manually.

hippo · December 1, 2018, 6:21pm

Thanks Ken.
What is a multicast ?
Im a 1 pc on broadband.
Im not sure I can even find the file location but I will try.

Im pretty sure Im hacked, so the horse has bolted I guess.

Remah · December 2, 2018, 6:56am

You don’t need to sweat about this as you are very unlikely to be hacked. This is a normal Windows process which I also have running on my computers…

Here’s what I see on my system: same process name; same or similar IPv6 address.

The IPv6 address ff02::1:3 appears in the table of Well-known IPv6 multicast addresses.

Multicast means that the message is sent out to any computer on your local network, even if the local network only consists of your one computer and a device (e.g. a modem) connecting it to the broadband network.