Event ID: 861 - The Windows Firewall has detected an application listening for incoming traffic
- by Chris Marisic
Firstly, my machines aren't compromised; any person suggesting such will be DV'd.
The security logs on some of my network's client machines (all Windows XP SP3) get filled with these useless error messages.
Security Failure Audit
Detailed Tracking
Event ID: 861
User: NT AUTHORITY\NETWORK SERVICE
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 976
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55035
Allowed: No
User notified: No
It's always on various random UDP ports, so setting up a port exception isn't really an option.
It's always from svchost or lsass, both of which are running services from DLLs. One of the most offending processes seems to be DnsCache.
I have in my global policy under AT < Network < Network Connections < Windows Firewall < Domain Profile
(I haven't changed any Standard Profile options; do both need to be configured?)
set to allow remote administration and desktop exceptions, and I have a custom program exception list that has:
%SystemRoot%\system32\svchost.exe:*:enabled:svchost
(Windows won't allow you to add this exception on a local machine, but it let me have it here in the global policy; it just doesn't seem to do anything.)
%SystemRoot%\system32\lsass.exe:*:enabled:lsass
(I think this one ended all of my LSASS messages)
%SystemRoot%\system32\dnsrslvr.dll:*:enabled:dnscache
(I tried adding the DLL itself to the exception list; this didn't seem to do anything.)
Are there really any other options left other than disabling the Windows Firewall entirely, disabling auditing entirely, or just changing the Event Viewer to auto-overwrite when needed?
I'd much rather fix the problem and get rid of these entries ever being created instead of just trying to cover up the problem.
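A triage script for the situation described in the post, added here as an example; it is not part of the original post. It assumes the Event ID 861 records have been exported from the Security log as plain text with a blank line between records (the three records embedded below are constructed, modelled on the post's sample and trimmed to the fields the script reads). It groups blocked listeners by path and protocol so you can see whether a process keeps changing port, and it validates entries in the path:scope:status:name form the program exception list uses, splitting from the right so a drive-letter colon inside the path is not taken as a field separator.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample export (not real log data): three Event ID 861 bodies
# modelled on the one in the post, trimmed to the fields this script uses.
SAMPLE_EXPORT = r"""
The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 976
Service: Yes
IP protocol: UDP
Port number: 55035
Allowed: No

The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 976
Service: Yes
IP protocol: UDP
Port number: 61204
Allowed: No

The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 704
Service: Yes
IP protocol: UDP
Port number: 4500
Allowed: No
"""

# "Field name: value" lines; the banner sentence has no colon and is skipped.
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Split a plain-text export into records (blank-line separated) of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if "Path" in rec and "Port number" in rec:
            events.append(rec)
    return events


def summarize(events):
    """Group blocked listeners by (path, protocol) and collect the distinct ports seen."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "service": False})
    for e in events:
        g = groups[(e["Path"], e.get("IP protocol", "?").upper())]
        g["count"] += 1
        g["ports"].add(int(e["Port number"]))
        g["service"] = g["service"] or e.get("Service", "No") == "Yes"
    return dict(groups)


def needs_program_exception(group):
    """A port exception only helps if the process reuses one port; more than one
    distinct port for the same path means it binds dynamically, so only a program
    (path) exception can cover it."""
    return len(group["ports"]) > 1


def parse_program_exception(entry):
    """Validate one 'path:scope:status:name' entry of the program exception list.
    rsplit from the right so the colon in C:\... is not treated as a separator."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError("expected path:scope:status:name, got %r" % entry)
    path, scope, status, name = parts
    if not path or not scope or not name:
        raise ValueError("empty field in %r" % entry)
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled in %r" % entry)
    return {"path": path, "scope": scope, "status": status.lower(), "name": name}


def program_exception(path, name, scope="*", enabled=True):
    """Build an entry in the same colon-separated form the post's policy uses."""
    return "%s:%s:%s:%s" % (path, scope, "enabled" if enabled else "disabled", name)


def suggest_exceptions(summary):
    """One program exception per path that was seen listening on several ports."""
    out = []
    for (path, _proto), g in sorted(summary.items()):
        if needs_program_exception(g):
            name = ntpath.splitext(ntpath.basename(path))[0]
            out.append(program_exception(path, name))
    return out


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EXPORT))
    for (path, proto), g in sorted(summary.items()):
        print("%-36s %s x%d ports=%s service=%s program-exception=%s" % (
            path, proto, g["count"], sorted(g["ports"]), g["service"],
            needs_program_exception(g)))
    for entry in suggest_exceptions(summary):
        print(parse_program_exception(entry))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; an entry that is missing one of its three separators is rejected by parse_program_exception rather than silently producing a malformed policy value.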