I have an app called “system” connecting to many different hosts but sending and receiving only a few bytes. Is this some Windows process that checks connections or something? There is no info about the app location etc. visible.
This appears to be normal Windows behavior. Some GlassWire users have asked GlassWire to show more details about what’s behind the Windows “System” and we are investigating how to do this in the future.
Meanwhile, this is how Windows works and it’s not recommended that you block the Windows “System”.
I remember seeing that last year, and as a result I had disabled NetBIOS over TCP/IP for my Wi-Fi adapter. I assumed that would be all of it.
Never really followed up like I should have, because I just discovered that the network adapter installed by my VPN service also has a similar set of advanced TCP/IP settings. I checked that and discovered it was still set to default. Yikes! I just set NetBIOS over TCP/IP to disabled in there also.
I have my VPN set to launch and connect at boot, so those settings must override the network settings for my Wi-Fi adapter.
If the connections are to external IPs, chances are that is not normal. I don’t have any Allow rules for System processes talking out to the internet. I am pretty restrictive with my rules. What port is it for? Are you on a “shared” network, like one for an office? What is the name of the process (like “NetBIOS Name Service”)? Only a few bytes could be suspicious or totally normal based on what the traffic is. If it is to external IPs, do a WHOIS on those IPs, figure out where they are in the world… if a lot of them belong to China or Russia or the Middle East or Africa (meaning 80% or more belong to one of those regions) then it is possible you have malware that is beaconing out to a control server. I mention those regions because most malware doesn’t phone home to the US or western Europe or many “first-world” countries for that matter.
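The triage questions in the post above (which remote hosts, which port, internal or external), as an added example that is not part of the original thread: it parses `netstat -ano` output, keeps rows owned by PID 4 (the Windows System process), and flags peers outside private and link-local ranges as the ones to look up with WHOIS. The sample output, addresses and function names are constructed for illustration.

```python
import ipaddress

SYSTEM_PID = "4"  # the Windows "System" process (ntoskrnl.exe) runs as PID 4

# Ports the kernel commonly owns; labels are for the report only.
KNOWN_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram",
               139: "NetBIOS session", 445: "SMB"}

# Ranges treated as "local" for this example (RFC 1918, loopback, link-local, ULA).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample of `netstat -ano` output; 203.0.113.40 is a documentation address.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49800     203.0.113.40:445       ESTABLISHED     4
  TCP    192.168.1.20:50122     198.51.100.7:443       ESTABLISHED     5312
  UDP    192.168.1.20:137       *:*                                    4
  TCP    [fe80::1c2b%12]:49713  [fe80::9a1%12]:445     ESTABLISHED     4
"""

def system_connections(netstat_text):
    """Return (remote_ip, remote_port, scope, service) for each PID 4 peer."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 fields, UDP rows 4 (no State); the PID is always last.
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or f[-1] != SYSTEM_PID:
            continue
        host, _, port = f[2].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if host in ("*", "0.0.0.0", "::"):
            continue  # listening socket, no remote peer
        ip = ipaddress.ip_address(host)
        scope = "local" if any(ip in n for n in LOCAL_NETS) else "external"
        rows.append((str(ip), int(port), scope,
                     KNOWN_PORTS.get(int(port), "unknown")))
    return rows

def needs_review(rows):
    """External peers are the ones worth a WHOIS lookup."""
    return [r for r in rows if r[2] == "external"]

if __name__ == "__main__":
    for row in system_connections(SAMPLE):
        print(row)
```

On a live machine, the text passed to `system_connections` would be the captured output of `netstat -ano`.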
It seems to connect to hosts that are related to programs I use and websites I visit. That’s why I think it has to do with the way Windows handles connections or something. Since it’s basically every host from other programs.
Here’s an example using Task Manager: You can see that System is the program ntoskrnl.exe. The name abbreviates “Windows NT Operating System Kernel” which is the core program that is Windows. That’s why it is involved with a lot of what you do.