
How to Vet Internet Accesses


NoelC


With all the talk of privacy, I've been watching my systems (not just Win 10) like a hawk.

For example, I see occasional TCP connections from a service (in svchost) to 134.170.58.190, which reverses to fe2.update.microsoft.com. These connections are being allowed because they have the appearance of being needed to successfully do Windows Updates. But I'm not really sure why it's being contacted, which invites more research.

Ultimately I'll want to make a choice to continue to allow it or block that address.

The specifics of the above are neither here nor there. What I'd like to discuss here are the techniques one can use to research / vet internet connections one sees made.

I'd really like to hear others' thoughts and techniques, tools recommended, etc.

What I normally do is one or more of the following:

  • If I see an address blocked, I'll make some notes about when, what was being done, and what rule blocked it. I'll then try to correlate that with any problems that might turn up. Often something will fail right away - e.g., an update check will fail in an application, or a debug session won't start, that sort of thing - and the action to take will be obvious. Or I might see System or svchost being blocked, and will find that it's an address I've seen trying to be contacted before, when I look it up in my notes.

  • If I see an address contacted owing to a blanket rule (e.g., to enable Windows Updates), I use a site like http://www.ipaddress.com or similar to look it up. That tells me who owns the address and where it is in the world. Often it will also reverse the address into one or more server names. Example:

    [screenshot: IPAddr.png]

  • I'll do an internet search for more info if the address is resolved into a name, and see what others have uncovered and published on that name. Sometimes it's obvious - e.g. if a site was called telemetry.microsoft.com one can infer what it does. In the specific case of the above example, the name fe2.update.microsoft.com implies it has to do with Windows Update.

  • I'll note the conditions in which it was contacted. For example, I see svchost contact fe2.update.microsoft.com once a day. I've deconfigured automatic Windows Updates, so my system shouldn't need to contact anyone, and so this does raise my suspicions a bit. But it's one packet a day, so not a whole heap of data is being sent.

  • If I suspect the address as being unneeded for any legitimate system activity, I'll block the originator from being able to contact that address with a specific rule. While a general rule may allow svchost to do TCP port 80 and 443 operations with addresses (for Windows Update), connections to this particular address can be blocked. Then I'll wait a few days and see what, if anything, has gone wrong. Often what will happen in this case is that an alternate address will be contacted. Again, if it's suspicious, I'll repeat these last couple of steps, making notes along the way.

I'd love to hear your ideas on what other tools or techniques you might use (or suggest using) to gather more intel on what's going on.

-Noel

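The note-taking and correlation steps above (when was an address contacted or blocked, has it been looked up before, does it follow a once-a-day pattern, and a narrow block rule for the originator only) can be turned into a small triage script. The following is an added example, not code from the original thread or from any poster. It assumes the input imitates the W3C-style Windows Firewall log format (pfirewall.log: date time action protocol src-ip dst-ip src-port dst-port ...), the sample lines are constructed rather than captured, the NOTEBOOK dictionary is a hypothetical stand-in for hand-written look-up notes, and 203.0.113.7 is a documentation-range placeholder for an address not yet vetted. 134.170.58.190 / fe2.update.microsoft.com is the address from the post.

```python
"""Triage outbound connections from firewall log lines: per destination,
count contacts, first/last seen, distinct days, and whether the address
was already recorded in a notebook of earlier look-ups."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not captured from a real system), in the
# field order Windows Firewall writes to pfirewall.log (assumption).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-08-10 09:02:11 ALLOW TCP 192.168.1.20 134.170.58.190 49321 443 0 - 0 0 0 - - - SEND
2015-08-11 09:02:14 ALLOW TCP 192.168.1.20 134.170.58.190 49402 443 0 - 0 0 0 - - - SEND
2015-08-12 09:02:09 ALLOW TCP 192.168.1.20 134.170.58.190 49517 443 0 - 0 0 0 - - - SEND
2015-08-12 14:30:00 DROP TCP 192.168.1.20 203.0.113.7 50111 80 0 - 0 0 0 - - - SEND
2015-08-12 14:30:05 DROP TCP 192.168.1.20 203.0.113.7 50112 80 0 - 0 0 0 - - - SEND
2015-08-12 14:31:40 DROP TCP 192.168.1.20 203.0.113.7 50118 80 0 - 0 0 0 - - - SEND
"""

# Hypothetical notebook: what an earlier look-up (e.g. on ipaddress.com)
# recorded for addresses already vetted.
NOTEBOOK = {
    "134.170.58.190": {"name": "fe2.update.microsoft.com",
                       "note": "seen before; name suggests Windows Update"},
}


def parse_firewall_log(text):
    """Parse pfirewall.log-style lines into records; skip comments and blanks."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue  # malformed or truncated line
        records.append({
            "ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "dport": int(f[7]),
        })
    return records


def summarize(records):
    """Group records by destination address and collect the facts worth noting."""
    by_dst = defaultdict(lambda: {"count": 0, "days": set(), "actions": set(),
                                  "ports": set(), "first": None, "last": None})
    for r in records:
        s = by_dst[r["dst"]]
        s["count"] += 1
        s["days"].add(r["ts"].date())
        s["actions"].add(r["action"])
        s["ports"].add(r["dport"])
        if s["first"] is None or r["ts"] < s["first"]:
            s["first"] = r["ts"]
        if s["last"] is None or r["ts"] > s["last"]:
            s["last"] = r["ts"]
    return dict(by_dst)


def vet(summary, notebook):
    """Produce the observations a person would write in their notes."""
    findings = {}
    for dst, s in summary.items():
        notes = []
        if dst in notebook:
            notes.append("previously noted: %s (%s)"
                         % (notebook[dst]["name"], notebook[dst]["note"]))
        else:
            notes.append("new address: look up owner/reverse name and record it")
        # Exactly one contact per day over several days: the once-a-day
        # pattern described in the post.
        if len(s["days"]) >= 3 and s["count"] == len(s["days"]):
            notes.append("once-per-day pattern over %d days (update/heartbeat check?)"
                         % len(s["days"]))
        if "DROP" in s["actions"]:
            span = (s["last"] - s["first"]).total_seconds()
            notes.append("blocked %d times within %d s: check what failed around %s"
                         % (s["count"], span, s["first"]))
        if "ALLOW" in s["actions"]:
            notes.append("allowed on port(s) %s by an existing rule" % sorted(s["ports"]))
        findings[dst] = notes
    return findings


def block_rule_command(dst, program):
    """Windows Firewall rule (netsh advfirewall syntax) that blocks only this
    program's outbound traffic to one address, leaving the blanket rule intact."""
    return ('netsh advfirewall firewall add rule name="vet-block %s" dir=out '
            'action=block program="%s" remoteip=%s' % (dst, program, dst))


if __name__ == "__main__":
    for dst, notes in vet(summarize(parse_firewall_log(SAMPLE_LOG)), NOTEBOOK).items():
        print(dst)
        for n in notes:
            print("  -", n)
    print(block_rule_command("203.0.113.7", r"C:\Windows\System32\svchost.exe"))
```

Run it against your own pfirewall.log (logging of allowed and dropped connections must be switched on in the firewall settings) and keep NOTEBOOK in a file so the "previously noted" check grows with each look-up; the generated netsh line is only a suggestion to review, and the program path should be the one shown in your own log or firewall prompt.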


Well, next step would be packet sniffing, think Wireshark/Netcat or similar, and once you have a dump of the data transmitted decode the contents (if needed).

For all we know some of the attempts to connect to some servers may well be - if not legitimate - at least innocuous.

Let's say that some stupid service has been mis-coded and *needs* to "ping" (by - still say - downloading a short string of text) a given server to make sure that the local PC (and/or the given server) is/are online BEFORE starting some "real communication" (that is what actually should be blocked). The "ping" may be stupid or not needed, but all in all it is not an issue.

jaclaz


What concerns me, perhaps more, is that it may need that connection and some small amount of data just to verify that the system is properly licensed and remains activated.

I had been considering Wireshark. I guess that's next.

-Noel


> What concerns me, perhaps more, is that it may need that connection and some small amount of data just to verify that the system is properly licensed and remains activated.

If you are legal I don't see why you should bother about this.


You missed the point. I'm legal and would like the system to continue to be able to verify that it is properly licensed and remain activated. I'm not convinced it will do that forever without a network connection.

To put it more directly:

How does a person separate THAT necessary communication out from the communication that, say, uploads key buffers or recorded audio?

-Noel
