Solved

Windows 7 Pro is contacting sites in China, Ukraine, Poland and other Eastern Bloc countries.

Posted on 2016-11-02
9
35 Views
Last Modified: 2016-11-11
We have a few Windows 7 Pro laptops that are configured to auto-start the VMware Horizon client.

The Windows 7 Pro PC firewall is disabled, since the users do not access the OS.  They only have the option to connect to the VMware Horizon connection server for their Virtual Desktop, which is accessed over a Verizon VPN.

Recently we have noticed, on our domain firewall, that a few of these systems are attempting to connect to IPs in China, Poland, Ukraine and other Eastern Bloc countries.

Since there is no direct user activity on the Windows 7 Pro laptops and we are connecting to our Horizon View desktops through the VPN, we would like to find a way to block all IP addresses except the local network and one external IP.

Any suggestions?
0
Comment
Question by:Ambonia
9 Comments
 
LVL 24

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 167 total points
ID: 41871144
I'd get rid of the virus or malware infestation that is causing this behavior instead, and then there will be no outgoing attempts.
0
 

Author Comment

by:Ambonia
ID: 41871177
Malware bytes did not detect any infection.  Should have mentioned that before.
0
 
LVL 24

Expert Comment

by:Dr. Klahn
ID: 41871185
IMO, the only plausible reason that a system would be trying to contact ex-USSR countries is if it is infected with something.  Try Spybot - S&D, and use some of the various online virus scanners.

The fact that a virus scanner and Malwarebytes do not find an infection does not mean that there is no infection.  Infection databases are never complete due to the Day Zero problem, among others.  There is also infective software now that runs in several pieces, all of which are innocent, until they amalgamate and then the total effect becomes hostile.
0
 

Author Comment

by:Ambonia
ID: 41871205
The vehicles are currently out of the office.  I will run additional utilities and update.  Won't be till Thursday or Friday though.
0
 
LVL 30

Expert Comment

by:pgm554
ID: 41871257
Most virus scans are about 92% effective.
You need to run two or three to be sure.
0
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 167 total points
ID: 41871280
The Windows 7 Pro PC firewall is disabled, since the users do not access the OS.  They only have the option to connect to the VMware Horizon connection server for their Virtual Desktop, which is accessed over a Verizon VPN.
That is a very bad misconception, since the users do access the OS; the only difference is where their keyboard, mouse and display device are. The OS also connects to the internet.  Since you already know that something is connecting to an IP in another country, you can see which IP is doing the connecting; concentrate your efforts on the machine that is doing the connection.
0
 

Assisted Solution

by:Ambonia
Ambonia earned 0 total points
ID: 41871312
Thank you, David.  We have identified two of the systems.  We cloned one of the devices from another laptop and are waiting to see if we are getting the rogue access.

This is an interesting setup in that we have Comcast, AT&T, and Verizon involved for our connections.

Going forward we would like to adjust the Windows firewall to block everything but the connections we need.
0
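The "block everything but what we need" goal stated above can be done with the firewall the thread is already discussing. What follows is an added example, not code from the thread, from VMware or from Microsoft documentation: it uses netsh advfirewall, the command line for the Windows 7 firewall, to set outbound traffic to block-by-default and then allow only the local subnet, a single external address and DHCP. The subnet and the external IP are constructed placeholders; the script assumes the one external address is the endpoint the Horizon or VPN client connects to (if the VPN gateway is a different address, give it its own rule). Run it from an elevated prompt on one laptop first.

```powershell
# Added example (not from the thread): outbound allow-list for a kiosk-style
# Windows 7 laptop using the built-in firewall via netsh advfirewall.
# Placeholders (constructed, adjust to your environment):
#   $LocalSubnet - the office LAN the laptop must still reach (DCs, DNS, shares)
#   $HorizonIp   - the one external IP (Horizon connection server / VPN endpoint)
# A wrong subnet here cuts the machine off from the domain, so test on one laptop.

$LocalSubnet = '192.168.10.0/24'   # constructed placeholder
$HorizonIp   = '203.0.113.10'      # constructed placeholder (TEST-NET-3 address)
$RuleTag     = 'Kiosk-'

# 1. Firewall on for all profiles; block outbound by default (inbound is already blocked).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Remove rules from an earlier run so the script can be re-applied safely.
foreach ($name in @('Allow-LAN', 'Allow-Horizon', 'Allow-DHCP')) {
    netsh advfirewall firewall delete rule name="$RuleTag$name" | Out-Null
}

# 3. Allow only what the kiosk needs.
# Local network: domain controllers, DNS and anything else the client depends on.
netsh advfirewall firewall add rule name="${RuleTag}Allow-LAN" dir=out action=allow "remoteip=$LocalSubnet"

# The single external address the Horizon / VPN client talks to.
netsh advfirewall firewall add rule name="${RuleTag}Allow-Horizon" dir=out action=allow "remoteip=$HorizonIp"

# DHCP so the laptop can still obtain an address (client port 68 -> server port 67).
netsh advfirewall firewall add rule name="${RuleTag}Allow-DHCP" dir=out action=allow protocol=udp localport=68 remoteport=67

# 4. Log dropped connections so anything that still tries to leave is visible in
#    %systemroot%\system32\LogFiles\Firewall\pfirewall.log (the default log path).
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Show the rules this script created, for review.
netsh advfirewall firewall show rule name=all | Select-String -Pattern "Rule Name:\s+$RuleTag" -Context 0,3
```

Two caveats worth checking on a real laptop: a default outbound block only applies to traffic that matches no allow rule, and Windows ships with "Core Networking" outbound allow rules (DNS to any address, among others) plus whatever the Horizon and VPN installers added, so review those in Windows Firewall with Advanced Security before trusting the allow-list. After the change, the firewall log shows every dropped outbound attempt with the destination address, which is a simpler place to confirm the foreign connections have stopped than the domain firewall.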
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 166 total points
ID: 41871412
When you get the chance, I suggest you scan all running processes with VirusTotal, on each machine you've identified.  This service uses over 55 antivirus products simultaneously to determine if malware is present.  The process is easy when using Process Explorer.

You can also use TCPView to identify which processes are communicating to the foreign IP addresses.
0
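The TCPView step above can also be scripted, which helps when the laptops are out of the office and a quick check has to run on several of them. The block below is an added example, not from the thread and not part of TCPView, Process Explorer or VirusTotal: it parses netstat -ano (available on Windows 7, unlike Get-NetTCPConnection, which needs Windows 8 or later), flags TCP connections whose remote address is outside an expected set, and maps each one to its process name and executable path. The LAN ranges and the external address are constructed placeholders.

```powershell
# Added example (not from the thread): list TCP connections to addresses outside
# the expected set, with the owning process, on Windows 7 / PowerShell 2.0+.
# Placeholders (constructed): the LAN/VPN ranges and the one Horizon/VPN endpoint.
# Run elevated so process paths of services are readable.

$AllowedCidrs = @('192.168.10.0/24', '10.0.0.0/8')   # constructed LAN / VPN ranges
$AllowedHosts = @('203.0.113.10')                     # constructed Horizon / VPN endpoint

function Test-IpInCidr {
    # IPv4 only: true when $Ip falls inside $Cidr (e.g. 192.168.10.0/24).
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    # Mask built arithmetically so it also works on PowerShell 2.0 (no -shl).
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Test-IpAllowed {
    param([string]$Ip)
    if ($Ip.StartsWith('[')) { return $true }             # IPv6 literal; out of scope here
    if ($AllowedHosts -contains $Ip) { return $true }
    foreach ($cidr in $AllowedCidrs) {
        if (Test-IpInCidr -Ip $Ip -Cidr $cidr) { return $true }
    }
    # Loopback, link-local and unspecified never leave the machine.
    return ($Ip -like '127.*' -or $Ip -like '169.254.*' -or $Ip -eq '0.0.0.0')
}

function Get-SuspectConnections {
    # netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
    netstat -ano -p tcp | Select-String -Pattern '^\s*TCP\s' | ForEach-Object {
        $f = ($_.Line -replace '^\s+', '') -split '\s+'
        # SYN_SENT is the interesting state once the firewall blocks the destination:
        # the process keeps trying, the handshake never completes.
        if ($f[3] -ne 'ESTABLISHED' -and $f[3] -ne 'SYN_SENT') { return }
        $remote, $rport = $f[2] -split ':(?=\d+$)'       # split at the last colon
        if (Test-IpAllowed $remote) { return }
        $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $procPath = ''
        if ($proc) { try { $procPath = $proc.Path } catch { $procPath = '<access denied>' } }
        New-Object PSObject -Property @{
            RemoteIp = $remote; RemotePort = $rport; State = $f[3]
            PID = [int]$f[4]; Process = $procName; Path = $procPath
        }
    }
}

Get-SuspectConnections | Sort-Object RemoteIp |
    Format-Table -AutoSize RemoteIp, RemotePort, State, PID, Process, Path
```

The Path column is the file to hand to VirusTotal; Process Explorer can do the same for every running image from its Options menu (VirusTotal.com), which is the integration the answer above refers to. Running this script on the cloned laptop and on an original that still shows the foreign connections, and comparing the two lists, is a cheap way to confirm which process is responsible before deciding whether cloning alone is an acceptable fix.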
 

Author Closing Comment

by:Ambonia
ID: 41883580
The clone of the system resolved the issue. However the suggestions given are correct procedures if cloning is not an option.
0
