GlassWire detected an unknown Hyper-V device running RealServer in "Things"

GlassWire found a device in my network with an internal IP of 172.17.142.XXX and MAC of 00-15-5d-d4-da-xx, manufacturer being “Microsoft Corporation”. This is a private virtual IP and MAC range of Hyper-V, and I use Hyper-V and VirtualBox, so I assumed it might be one of my virtual network adapters. But I checked, since it’s unusual for virtual adapters to show up on network devices list.

Here are things that I did

  1. NirSoft CurrPorts — No process currently using that IP
  2. netstat -ano | findstr 172 — No process currently using that IP
  3. Get-NetIPConfiguration -All -Detailed — No adapter currently assigned that IP or MAC
  4. sudo nmap -sn 192.168.1.0/24] — No unusual device
  5. sudo nmap -sn 172.17.142.0/24 — Nothing at all (0 hosts up)
  6. sudo nmap -Pn 172.17.142.XXX — Something???

The result of nmap
Nmap scan report for 172.17.142.XXX
Host is up (0.013s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
554/tcp open rtsp
7070/tcp open realserver

What is this thing??? If you’re reading, thanks for reading a stranger.

Further testing traffic

  1. sudo netcat -p 7070 -l — Blanking
  2. sudo netcat -p 554 -l — Blanking

Some more info
Only 1 Windows Enterprise edition machine in network
Security cams correctly assigned 192.168.X.X range IP
Using Hyper-V, WSL, VirtualBox, but none of my virtual adapters match that IP and MAC
Usually careful with installing programs, so no malware history in Malwarebytes

1 Like

@aethereum1

This is a new device that appears if you try out the Windows Sandbox. Have you used it, or is it on your PC? If so it’s that. I have it also myself now after using the Windows Sandbox.

You are wonderful. Yes. I do use Windows Sandbox sometimes. I wonder why Windows Sandbox would keep ports 554 and 7070 open, however. Anyway, bless. This kind of support will make me buy GlassWire twice!

1 Like