
McAfee has been blocking a connection from a certain IP address (I found the IP Address to be from Hong Kong). Should I be concerned? McAfee says the program is "SYSTEM". Also if I should be concerned what could I do about it?

Vilican
Newman
  • Welcome to Security.SE! Do you have any more information about this connection? Do you know if a program on your computer is trying to connect to the IP address or if the connection is coming from Hong Kong? – amccormack Jun 21 '15 at 03:28
  • Not sure, that was all the information McAfee provided in a small pop-up window in the bottom of my screen. – Newman Jun 21 '15 at 03:52
  • You can sometimes find more information by looking in McAfee's logs stored on the computer. I don't know the exact location, but you could try in `C:\Program Files` or in `%APPDATA%`. The internal logs are usually not intended for non technical users (and sometimes not intended for humans at all), so it may be difficult to understand. – amccormack Jun 21 '15 at 04:00
  • If the warnings appear even after reboot, then you probably are infected with a level 3 userland skiddy RAT. If the warnings do not persist after reboot, then someone may be exploiting you repeatedly using metasploit or any shell handler program and escalating to SYSTEM. In both cases you should be able to track down the originating process and kill it. – H3lp3ingth3p33ps Jul 21 '15 at 05:19

1 Answer

If the connection is originating from your computer, you should investigate why

Determining which process is attempting the connection

There are several tools in the [Sysinternals Suite] that can help you understand what program is making the connection. The TCPView program may show you the attempted connection, but as I understand it, it is basically just a GUI on netstat, so you might miss the connection.

The process monitor (ProcMon) tool will capture many different kinds of events concerning network connections, the file system and the registry (and much more). This page has details about how to use ProcMon to trace network connections to the responsible process.

Additionally, you can use the new sysmon tool. This page has some details on how to setup and use sysmon.

Once you determine the process that is sending the connection, you can use Process Explorer to submit the program to Virus Total. Virus Total will scan the sample across a few dozen AV products. A non-finding of a malicious signature doesn't necessarily mean it is benign, but it's a good start. Launch procexp.exe as Administrator, locate the process via its PID and right click to select "Check VirusTotal".

Determining what the process is trying to send

Using a program like wireshark, you may be able to determine what the program is trying to send. If McAfee is blocking the connection, then nothing may be sent because the connection is blocked. However, if you can determine what DNS entry is being used (if one is being used at all), then you can edit your hosts file to point that name at your local host. You can then set up a temporary webserver (I like using python's python -m SimpleHTTPServer 80) to allow the connection to be established.

Follow Traditional Malware Investigatory Practices

If you can't track down the network connection, follow traditional approaches to determining if your computer is infected with malware. This post has many areas to investigate. Further, you can use tools like volatility to investigate your computer's memory. Volatility can be especially helpful if a rootkit has been utilized to hide processes.

amccormack
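The triage the answer describes, written out as an added example (this is not code from the answer above, it is an editor's illustration) for an elevated PowerShell prompt on Windows 8 / Server 2012 or later. Step 1 is the netstat/TCPView step: map any live socket to the remote address to its owning process, the binary's Authenticode status and its SHA-256 hash, which is what you search for on VirusTotal before uploading anything. Step 2 is the sysmon step: pull Sysmon Event ID 3 (NetworkConnect) history for the same address, which still shows the image and PID after a short-lived connection has closed and vanished from the live view. The function names, the RFC 5737 placeholder address 203.0.113.10 and the handling of exited processes are my assumptions; the cmdlets are standard Windows ones. One caveat that matters for the "SYSTEM" in the question: PID 4 is the Windows System process, so a connection owned by it comes from kernel mode (a driver, the SMB redirector, and so on) and there is no user-mode executable to hash or submit.

```powershell
# Added example, not from the original answer. Run from an elevated PowerShell prompt
# on Windows 8 / Server 2012 or later (Get-NetTCPConnection lives in the NetTCPIP module).
# 203.0.113.10 is an RFC 5737 documentation address used as a placeholder: substitute the
# address McAfee reported. Function names are the editor's own.

function Get-RemoteIpOwner {
    param([Parameter(Mandatory)][string]$RemoteIp)

    # Step 1: live TCP sockets to the address (the same data netstat -ano and TCPView show).
    # Only connections that exist at this instant are visible; a blocked or already-closed
    # attempt will not appear here. UDP is not covered by this cmdlet.
    $conns = Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $ownerPid = $c.OwningProcess   # $pid is a PowerShell automatic variable, so use another name
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $result = [ordered]@{
            LocalPort  = $c.LocalPort
            RemotePort = $c.RemotePort
            State      = $c.State
            Pid        = $ownerPid
            Name       = $(if ($proc) { $proc.ProcessName } else { '<exited>' })
            Path       = $null
            Signer     = $null
            Sha256     = $null
        }
        if ($ownerPid -eq 4) {
            # PID 4 is the Windows "System" process: the socket was opened from kernel mode
            # (a driver, the SMB redirector, ...), so there is no user-mode binary to hash.
            $result.Name = 'System (kernel-mode)'
        }
        elseif ($proc -and $proc.Path) {
            $result.Path   = $proc.Path
            $result.Signer = (Get-AuthenticodeSignature -FilePath $proc.Path).Status
            # The SHA-256 is what you paste into VirusTotal's search box; if the file is
            # already known there is nothing to upload.
            $result.Sha256 = (Get-FileHash -Path $proc.Path -Algorithm SHA256).Hash
        }
        [pscustomobject]$result
    }
}

function Get-SysmonConnectionsTo {
    param([Parameter(Mandatory)][string]$RemoteIp, [int]$MaxEvents = 5000)

    # Step 2: history. Sysmon Event ID 3 (NetworkConnect) records the image and PID for each
    # connection it observed, so an attempt that is gone by the time you look is still here.
    # Requires Sysmon to be installed with network logging enabled (-n, or a config rule);
    # if the log does not exist the call simply returns nothing.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data> elements; flatten it to a table.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.DestinationIp -eq $RemoteIp) {
            [pscustomobject]@{
                Time            = $e.TimeCreated
                Image           = $data.Image
                Pid             = $data.ProcessId
                User            = $data.User
                Initiated       = $data.Initiated    # true = this host opened the connection
                DestinationPort = $data.DestinationPort
            }
        }
    }
}

# Usage (placeholder address; replace with the one McAfee reported):
Get-RemoteIpOwner -RemoteIp '203.0.113.10' | Format-List
Get-SysmonConnectionsTo -RemoteIp '203.0.113.10' | Sort-Object Time | Format-Table -AutoSize
```

If step 1 returns nothing because McAfee drops the attempt before a socket exists, step 2 is the one to rely on, and ProcMon's network events as the answer suggests are the fallback when Sysmon is not installed. The answer's hosts-file redirect is the third step once you know the DNS name; on Python 3 the equivalent of `python -m SimpleHTTPServer 80` is `python -m http.server 80`.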