B
bithead223
Guest
I'm not sure of the best place for this. I chose Performance and System Failures as it is about Resource Monitor, which is a performance monitoring utility. If there is a more appropriate forum, please feel free to relocate it.
==============
I recently noticed a lot of very unusual traffic being reported in my firewall logs - I was suddenly getting 50000+ blocked packets/day attempting to reach hundreds of public IP addresses on UDP port 137. Info in Wireshark reports these as "Name query NBTSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>" traffic. Wondering where this was coming from, I methodically started closing apps and watching Wireshark to see if the traffic stopped. Eventually I came upon Resource Monitor which I had opened a couple of days ago and which was left running behind other apps on the system. When I closed Resource Monitor, the port 137 traffic destined for public IP addresses stopped.
I needed to restart the computer to let Windows install some updates. As I closed down apps in preparation for this, I opened and closed Resource Monitor several times, verifying each time that the traffic started and stopped with the program. After the updates were installed and I logged back in, this behavior with Resource Monitor continued.
The Resource Monitor executable shows no version information. Here is the info on the executable in C:\Windows\System32:
12/07/2019 02:09 AM 110,592 resmon.exe
MalwareBytes and Norton 360 find the file to be clean. It tried to contact more than 500 public IP addresses over the last 3 days. Why would it do this? If nothing else it puts quite a load on my firewall as it successfully blocks the traffic, keeping it in house. What would happen if the requests were allowed through? Is it malware phoning home (to a lot of homes)? Would it invite something bad into my system if it made contact?
Hopefully it is "just a bug" and nothing of ill intention is occurring. An explanation would certainly be appreciated.
My Windows 10 Settings indicate:
Edition - Windows 10 Pro
Version - 2004
OS Build - 19041.508
Continue reading...
==============
I recently noticed a lot of very unusual traffic being reported in my firewall logs - I was suddenly getting 50000+ blocked packets/day attempting to reach hundreds of public IP addresses on UDP port 137. Info in Wireshark reports these as "Name query NBTSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>" traffic. Wondering where this was coming from, I methodically started closing apps and watching Wireshark to see if the traffic stopped. Eventually I came upon Resource Monitor which I had opened a couple of days ago and which was left running behind other apps on the system. When I closed Resource Monitor, the port 137 traffic destined for public IP addresses stopped.
I needed to restart the computer to let Windows install some updates. As I closed down apps in preparation for this, I opened and closed Resource Monitor several times, verifying each time that the traffic started and stopped with the program. After the updates were installed and I logged back in, this behavior with Resource Monitor continued.
The Resource Monitor executable shows no version information. Here is the info on the executable in C:\Windows\System32:
12/07/2019 02:09 AM 110,592 resmon.exe
MalwareBytes and Norton 360 find the file to be clean. It tried to contact more than 500 public IP addresses over the last 3 days. Why would it do this? If nothing else it puts quite a load on my firewall as it successfully blocks the traffic, keeping it in house. What would happen if the requests were allowed through? Is it malware phoning home (to a lot of homes)? Would it invite something bad into my system if it made contact?
Hopefully it is "just a bug" and nothing of ill intention is occurring. An explanation would certainly be appreciated.
My Windows 10 Settings indicate:
Edition - Windows 10 Pro
Version - 2004
OS Build - 19041.508
Continue reading...