What is "System", and can you provide more detail?

I have this “System” application that appears to send 150 bytes to China, Ukraine, Brazil, and pretty much everywhere else. What I would like to know is, what is “System”, and can you guys add more information about the process? Specifically, I would like to right-click and get the PID. That would be very helpful, particularly if the process is deemed to be malicious and needs to be killed. For all I can guess, System may be part of the kernel, networking, that responds to DNS - which seems about right given the size of the request.

Someone else also requested adding the PID. We’re investigating how to add extra information like PID in the future. Thanks for reporting this.

That’s great news. Can you answer the other question and tell me what the “System” app is?

Could it be Windows update using its content delivery network? I wouldn’t expect their CDN to be in Ukraine and China though… Is there no US/EU activity from it at all?

https://social.technet.microsoft.com/Forums/windows/en-US/75102969-5635-40aa-8f83-4fee4325c0de/windows-7-system-process-constant-network-drive-activity?forum=w7itpronetworking Maybe this link is helpful.

Ah, thank you. Now I know which System process it is. Yes, it makes calls to the US frequently and those calls do look legit, but also makes frequent calls to many odd places (esp China) at 150 bytes apiece. Well thanks for pointing out which process. Now I can explore that particular process to find out what it’s doing.

Excellent application. Looking forward to the PID introspection when you get around to it.

Another very useful feature I find in commercial tools like Fireeye, StoneSoft IPS, etc. are a right-click-WHOIS function (or IPLOOKUP), and a little country flag beside the connection identifying the country of origin.

These are excellent at-a-glance features that speed the process of differentiating between legit traffic (e.g. CDNs) and malicious actors. It’s trivial then to pinpoint all the Chinese actors who routinely scan our networks.

Thanks again for your hard work.


I have this “app” called System too, sending 150 bytes of data to 896 different hosts in different countries. What makes me mad is that it doesn’t show in the Firewall tab, so I can’t block this. What Windows are you using @torinwalker? I’m using Windows Technical Preview.

EDIT: I have blocked all applications under Firewall tab and it still keeps sending data.

EDIT: Well, it seems like different processes can be under this “System” process, like Windows Update, BUT I really think it’s not normal to have my pc sending data all over the world.

I ran Wireshark and I found some traffic outgoing under the NBNS protocol. So I picked up some of the IPs of the outgoing NBNS on Wireshark and compared them to the outgoing IPs shown in GlassWire in this System “app” and guess what? They were the same.

Disabling NetBIOS under the WINS tab in the Advanced Properties of IPv4 solved the problem, no more outgoing traffic to these crazy IPs. But I still have to find what application was sending this data.

EDIT: I found it. It was qBittorrent. As soon as I open it for the first time, it starts to send data all over the world and won’t stop even after uninstalling. I had to format to get rid of it. So I installed Transmission as my torrent client and problem solved.

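The two questions this thread keeps coming back to, which process actually owns the traffic GlassWire labels “System” (the PID the first poster asked for) and how to verify the NetBIOS-over-TCP/IP change the previous poster made in the WINS tab, can both be answered from PowerShell. The following is an added example, not GlassWire’s code or anything posted by the participants; it assumes Windows 8/Server 2012 or later with the NetTCPIP module, an elevated prompt for the last step, and the remote address it queries is a placeholder.

```powershell
# Added example (not from the thread): map "System" network activity to its
# owning process and inspect/disable NetBIOS over TCP/IP per adapter.
# Assumes PowerShell 5.1+ with the NetTCPIP module (Windows 8/2012 and later).

# 1. Which process owns the UDP sockets behind NBNS traffic?
#    NBNS (NetBIOS Name Service) uses UDP 137; the socket is opened by the
#    kernel, so the owner reported is the System process (PID 4), which is why
#    a per-process firewall shows it as "System" and cannot simply kill it.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    } | Format-Table -AutoSize

# 2. Same idea for a TCP connection to a remote address you saw in GlassWire
#    or Wireshark. 192.0.2.10 is a placeholder (TEST-NET-1), not an address
#    from the thread; replace it with the one you are investigating.
$remote = '192.0.2.10'
Get-NetTCPConnection -RemoteAddress $remote -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# 3. Show the NetBIOS over TCP/IP setting on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = default (taken from DHCP), 1 = enabled, 2 = disabled.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$nics | Select-Object Description, IPAddress, TcpipNetbiosOptions | Format-Table -AutoSize

# 4. Disable it on all of them (run elevated). This is the same change as the
#    "Disable NetBIOS over TCP/IP" radio button on the WINS tab, so NBNS name
#    queries stop leaving the host. ReturnValue 0 = success, 1 = reboot required.
foreach ($nic in $nics) {
    $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = 2 }
    '{0}: SetTcpipNetbios returned {1}' -f $nic.Description, $result.ReturnValue
}
```

Run step 1 while GlassWire shows the “System” activity to confirm the owning PID; if step 2 returns a PID other than 4 for the suspicious address, that process, not the kernel, is the one to examine.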

Service is a MS "user" who is streets ahead of user/administrator; it helps MS control your PC. It has access to much more than any user has and many more privileges. If you check in the registry you will be surprised to find that what you see when you click on properties and then security isn't telling you all the truth. When in the registry there appear a lot more "users" than you know about for many programmes. So when you make changes in properties to allowed access it can still be overridden by a secondary properties window in the registry.


XeidiDent - If qBittorrent is using System then it has integrated itself in the Windows basic programming as a service. I have several programmes that integrate into Windows and Windows displays them as part of Windows service. System/Service make use of svchost to relay info back to MS and other places as to what you are doing on your PC. Svchosts act like trojans which are controlled by System/Service/“trusted installer” - “compatibility assistant” - NOT!! They are root kits which are official. Windows, no matter what MS says, is designed to leak data back to headquarters all in the name of improving the service; in doing so it leaves massive holes to be exploited by hackers. You will find to use Win 10 properly your account can't be local or you are denied apps on the MS website, and you will find you are blocked from installing many programmes because that big Trojan/rootkit blocks you installing them by blocking the drivers from functioning properly. I have Win 7 Prof. and when it comes to an end it will be Linux. I don't allow wholesale downloads of Windows updates as many blue screen you and programmes that ran for months suddenly won't work/blocked. MS has intentionally made their system insecure by their hidden actions and that accounts for 10,000s of complaints from its users.

Dear,

Not just format it but you also need to format all your other (6) devices and reset your modem to factory setting.

Greetings from Salterns Lane.