Isolating which rogue program is trying to access the Internet using Windows 7

So my trusty network administrator at work was on my case because my workstation has been trying to get to Internet sites directly without a proxy, and my little machine is the top hitter on her firewall deny rules. Normally that’s a symptom of malware, so after a partial day looking for and not finding what was causing it, I formatted my aging XP machine and installed Windows 7, which I’d been meaning to do anyway.

After several days rebuilding everything the way I like it, my machine turned up as the frequentest flyer in the firewall deny logs again! It turns out that Windows 7 has some better tools that made it easier to find what was going on.

First, I wrote a new Windows Firewall rule to block all outbound traffic to ports 80 and 443. Easy enough. My network admin was off my back!

But I wanted to find out what was causing the trouble. I found a Microsoft TechNet article that showed me how to Enable IPsec and Windows Firewall Audit Events.

I had trouble isolating the events in the snazzy new Vista/Win7 Event Viewer but finally came up with this manual XPath query after some googling and trial and error. It shows requests to port 80 which are blocked by the firewall, filtering out inbound requests so only the outbound traffic shows up:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
       *[System[(EventID=5157)]] 
       and *[EventData[Data[@Name="DestPort"] = "80"]]
    </Select>
    <Suppress Path="Security">
       *[EventData[Data[@Name="Direction"] = "%%14592"]]
    </Suppress>
  </Query>
</QueryList>

I feel obligated to point out that grepping a text file would have been much easier.

Also make sure to turn auditing off again when you’re all done.

My problem now, it turns out, was that the Weby plugin in Launchy was scanning all the built-in Firefox and IE bookmarks every 10 minutes. Maybe it hits each bookmark and scrapes the <title> tag contents to make it launchable? Whatever. I disabled the Weby plugin and the requests ceased. Launchy also has proxy settings, but they won’t work here because there aren’t any NTLM authentication options.

I’m not entirely sure my first problem was the same… it might have been malware after all. But at least this time I know what was going on and don’t have to rebuild everything.