I've been doing some testing on a laptop with GlassWire installed and I'm seeing in the Firewall tab that it shows almost constant communication with other wireless hosts on the same domain via the Host Process for Windows Services. After running GlassWire for 24 hours I see a number of hosts that this process talks to that it really should not be talking to: other laptops and wireless devices that I'm not actively connected to. The data transfer is very little, 20-50 B/s, but it is constantly up and down; every few minutes it will send and receive a bit of data from other wireless hosts on the network.
Is this normal? What I'm worried about is a possible malware infection that has piggybacked on the Windows host process to hide its traffic. I've recently cleaned out some malware from this machine and have reason to believe it may still be infected to a degree.
It’s normal for your PC to talk to other hosts on your own network a little bit. If you don’t want your PC to do so, you could try going to the Network and Sharing Center control panel and changing your settings to “turn off network discovery” and “turn off file and printer sharing” and see if that makes any difference.
If it does, then perhaps it’s just normal network activity.
If it doesn’t, you could try investigating this way https://www.glasswire.com/malware/ to learn more about the hosts your PC is communicating with, or type in some of the hosts in VirusTotal.com. Good luck and let us know if you find a virus/malware!
Actually, network discovery and file and print sharing are already turned off. The other hosts it is talking to are other laptops in the same building. It does try to talk to the outside; however, GlassWire only picks up the proxy address for any outside communication. There are a couple of outside addresses it has tried to talk to that were blocked by the firewall, which is what led me to this particular laptop, and those addresses are being detected as possible anonymizers and/or botnet connections. Further research into those addresses leads me to believe they are Tor nodes. I haven't detected any traffic to the Tor nodes since cleaning up some PUPs and related malware using Malwarebytes. I just wasn't sure about this communication to other laptops in the area; it seemed strange but possibly normal traffic.
It’s hard to say. It depends on your network, but if the hosts look OK then it’s probably OK. Maybe install GlassWire on another clean PC on the same network and see if it behaves the same way.
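
One way to narrow down which service inside "Host Process for Windows Services" (svchost.exe) is behind the traffic discussed in this thread. This is an added example, not part of the original posts and not GlassWire's own code; it uses only built-in Windows cmdlets, and the port-to-protocol table and the helper name `Get-HostedServices` are choices made for this illustration.

```powershell
# Map every process ID to the Windows services running inside it.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

# All svchost.exe instances currently running.
$svchostPids = (Get-Process -Name svchost -ErrorAction SilentlyContinue).Id

# Hypothetical helper: names of the services hosted by one svchost PID.
function Get-HostedServices([int]$ProcessId) {
    $entry = $svcByPid["$ProcessId"]
    if ($entry) { ($entry.Name | Sort-Object) -join ',' } else { '(none found)' }
}

# Well-known UDP ports used for local name resolution and device discovery.
$discoveryPorts = @{
    137  = 'NetBIOS-NS';   138  = 'NetBIOS-DGM'; 1900 = 'SSDP'
    3702 = 'WS-Discovery'; 5353 = 'mDNS';        5355 = 'LLMNR'
}

# 1) Established TCP connections owned by svchost, with the remote peer
#    and the services that share that svchost instance.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $svchostPids -contains $_.OwningProcess } |
    Select-Object RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Services'; e = { Get-HostedServices $_.OwningProcess } } |
    Sort-Object RemoteAddress |
    Format-Table -AutoSize

# 2) UDP endpoints owned by svchost on discovery ports. UDP endpoints carry
#    no remote address, so this shows which discovery protocols are still
#    active, not which peers they exchanged packets with.
Get-NetUDPEndpoint |
    Where-Object {
        $svchostPids -contains $_.OwningProcess -and
        $discoveryPorts.ContainsKey([int]$_.LocalPort)
    } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Protocol'; e = { $discoveryPorts[[int]$_.LocalPort] } },
        @{ n = 'Services'; e = { Get-HostedServices $_.OwningProcess } } |
    Sort-Object LocalPort |
    Format-Table -AutoSize
```

Comparing the output with the same script run on a known-clean PC on the same network shows whether the set of services and peers differs between the two machines.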