
On a locked-down Windows 7 test box on a completely isolated test network, I could account for every incoming and outgoing attempted network connection.

Then I temporarily installed the PortableApps.com version of SRWare's Iron web browser, used it to connect to a single known site on the internet, and then uninstalled it. If you're not familiar, Iron is a Chromium-based web browser similar to Google Chrome, but with an array of Google's undesirable code removed.

After doing this, Windows' svchost.exe regularly tried to connect to port 443 of a Google-owned IP address (34.104.35.123) via TCP. That connection was blocked by the Windows Filtering Platform (WFP). Interestingly, it was blocked by a default system filter, not a user filter. In other words, the filter blocking that connection did not appear in the Windows Firewall list of filters, but did appear in the `wfpstate.xml` generated by `netsh.exe wfp show filters`.

After the connection attempt to port 443 was blocked, a TCP connection to port 80 on the same IP address was attempted. Again, it was blocked by a system filter. This makes sense, as the service was likely first trying a secure connection, then a non-secure connection.

That sequence of connection attempts repeated every 60 seconds.

I rebooted the box, and those exact connection attempts persisted every minute.

After I performed extensive service isolation, I determined the actual service in svchost.exe generating the connection attempts appeared to be Schedule (AKA Task Scheduler).

The box is just a test box that was temporarily placed on a completely isolated test network, so I'm not worried about anything (the box will get reformatted soon enough), but I would like to learn exactly what was going on to further my understanding of the inner workings of Windows.

How can I determine what these unwanted connection attempts are for, and get them to stop?

BTW, my initial hunch was that running Iron resulted in the need for a security certificate to be updated, and Windows was continually trying to update that certificate, even though it no longer really needed to do so. But if this is the case, I don't understand why such connections would be blocked. I created Windows Firewall rules to allow that specific traffic, but the invisible default system-level firewall filters continued to block the connection attempts.
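An added example (not from the question or the answer) of how one can triage a `netsh wfp show filters` dump offline: it parses the XML and lists the `FWP_ACTION_BLOCK` filters whose conditions all match a given remote IPv4 address and port, so the hidden system filter can be named rather than inferred. The embedded XML is a constructed, simplified stand-in for `wfpstate.xml`; the element names and the assumption that IPv4 addresses appear as host-order `FWP_UINT32` hex values are mine, so adjust them if your dump differs.

```python
# Added example: find WFP BLOCK filters in a wfpstate.xml dump that match ip:port.
# Element layout (filters/item, action/type, filterCondition/item, fieldKey,
# conditionValue) and the host-order hex encoding of IPv4 are assumptions.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a block filter for 34.104.35.123:443 and an unrelated permit.
SAMPLE_WFPSTATE = """<wfpstate><filters>
  <item>
    <displayData><name>Block outbound to edgedl host</name></displayData>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterCondition>
      <item><fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
        <conditionValue><type>FWP_UINT32</type><uint32>0x2268237b</uint32></conditionValue></item>
      <item><fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey>
        <conditionValue><type>FWP_UINT16</type><uint16>443</uint16></conditionValue></item>
    </filterCondition>
  </item>
  <item>
    <displayData><name>Permit DNS</name></displayData>
    <action><type>FWP_ACTION_PERMIT</type></action>
    <filterCondition>
      <item><fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey>
        <conditionValue><type>FWP_UINT16</type><uint16>53</uint16></conditionValue></item>
    </filterCondition>
  </item>
</filters></wfpstate>"""


def condition_matches(cond, ip, port):
    """True if one <filterCondition>/<item> applies to the given remote ip:port."""
    key = cond.findtext("fieldKey")
    if key == "FWPM_CONDITION_IP_REMOTE_ADDRESS":
        # assumed: IPv4 stored as a 32-bit hex value in host byte order
        return int(ipaddress.IPv4Address(ip)) == int(cond.findtext("conditionValue/uint32"), 16)
    if key == "FWPM_CONDITION_IP_REMOTE_PORT":
        return port == int(cond.findtext("conditionValue/uint16"))
    return True  # condition types this example does not model are treated as matching


def blocking_filters(xml_text, ip, port):
    """Names of FWP_ACTION_BLOCK filters whose every condition matches ip:port."""
    root = ET.fromstring(xml_text)
    hits = []
    for flt in root.findall("filters/item"):
        is_block = flt.findtext("action/type") == "FWP_ACTION_BLOCK"
        conds = flt.findall("filterCondition/item")
        if is_block and all(condition_matches(c, ip, port) for c in conds):
            hits.append(flt.findtext("displayData/name"))
    return hits
```

Run it against your own dump with `blocking_filters(open("wfpstate.xml").read(), "34.104.35.123", 443)`; a filter that matches on 443 but not on 80 explains why the port 80 retry is caught by a different rule.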

1 Answer


The IP address 34.104.35.123 is said to belong to YouTube, but I'm not sure this is correct.

The address belongs to the domain edgedl.me.gvt1.com.

In the article "What are these suspicious Google GVT1.com URLs?" this is described as:

The domains *.gvt1.com and *.gvt2.com, along with their subdomains, are owned by Google and typically used to deliver Chrome software updates, extensions, and related content.

Your suspicion seems to be right, and this is a remnant from the Iron web browser installation.

I would try to reinstall Iron and also Revo Uninstaller Free, then use Revo to uninstall Iron. Revo does a good job of chasing down all the left-overs.

You could also use tools such as:

harrymc
  • Thanks Harry. The BleepingComputer article is quite interesting (and typical of Google... with almost no effort, they could easily add a simple HTTP server and serve a single page to end all confusion). The explanation of the likely purpose of that host is interesting and leads to even more questions. (continued) – RockPaperLz- Mask it or Casket Jan 07 '23 at 22:22
  • Unfortunately, apps installed via the PortableApps.com platform cannot be uninstalled via Revo Uninstaller because they aren't technically installed. I did try Autoruns, but it found no changes. Autoruns, however, is notoriously bad at detecting changes to scheduled tasks. Since removing Iron, I have performed a fair amount of in-depth manual scanning on that box, and the only thing I have found thus far is that it is, as expected, still listed in the `AppCompatCache` registry key. – RockPaperLz- Mask it or Casket Jan 07 '23 at 22:28
  • If the IP address was owned by Microsoft, or by a common Certificate Authority, this would all make a bit more sense. I would then still suspect Windows attempting to update a security certificate. But the repeated attempts at connecting to a Google IP address are concerning (and why I *never* install Google software on any production machines). If that Google host was known to serve security certificates, the connections could possibly make sense, but as BleepingComputer points out, GVT stands for *Google Video Transcoding*, which doesn't yield confidence. The mystery & research continues... – RockPaperLz- Mask it or Casket Jan 07 '23 at 22:35
  • Then again, we are talking about *Google*, so maybe they do serve their security certificates from some video host. Even so, why would Windows continually be trying to connect to that host after a portable Chromium-based web browser was used and then removed? – RockPaperLz- Mask it or Casket Jan 07 '23 at 22:42
  • Follow [this answer](https://superuser.com/a/1192108/8672) to separate the svchost services, so you can better detect the culprit. – harrymc Jan 08 '23 at 09:46
  • Yes, that's what I did to isolate each service to determine the culprit is most likely the `Schedule` service. It got a little bit more complex because `gpsvc` and `Schedule` are protected by the OS, so you have to run `sc` as the `SYSTEM` user, and not just as `admin`. – RockPaperLz- Mask it or Casket Jan 09 '23 at 06:11
  • Did you try to uninstall Iron using Revo? – harrymc Jan 09 '23 at 09:02
  • Unfortunately, apps installed via the PortableApps.com platform cannot be uninstalled via Revo Uninstaller because they aren't technically installed. – RockPaperLz- Mask it or Casket Jan 09 '23 at 09:12
  • You could perhaps play detective by installing the non-portable version on another computer and saving in Revo the list of files and registry items that need to be deleted. Another idea: repeat the installation of Iron portable on another computer or VM where Iron was never installed in any version, then check what has changed in the registry using [RegistryChangesView](https://www.nirsoft.net/utils/registry_changes_view.html). – harrymc Jan 09 '23 at 09:23
  • Those are interesting ideas, thanks. I might give one or both a try. Is there any gratis VM you like that will run on that Win7 test box? – RockPaperLz- Mask it or Casket Jan 10 '23 at 09:01
  • You may download VMs [from Microsoft](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/). Pay attention to: "Note: These virtual machine images will no longer be offered starting later this month". These virtual machines expire after 90 days. – harrymc Jan 10 '23 at 09:07
  • Thanks. Do you know if they will continue to work after this month? MS says they "expire after 90 days", which in typical MS fashion, is ambiguous. I'm guessing that perhaps they mean the VMs will work indefinitely, but will have to be deleted and re-installed 90 days after installation. What do you think? – RockPaperLz- Mask it or Casket Jan 10 '23 at 09:12
  • I don't know - never used one myself. Just wanted to help. – harrymc Jan 10 '23 at 09:14
  • No problem. Thanks for the help. – RockPaperLz- Mask it or Casket Jan 10 '23 at 09:30