

Thousands of Event ID 5152 events in Security Event log every day

Question

Tuesday, February 13, 2018 3:24 AM

Hi,

We are getting this on all of our computers (Windows 7 Pro and Windows 10 Enterprise)

The Security log is now useless as it is filled with these Audit Failures

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          13/02/2018 2:09:48 PM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      <my computer name>
Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
 Process ID:  0
 Application Name: -

Network Information:
 Direction:  Inbound
 Source Address:  10.0.12.146
 Source Port:  56340
 Destination Address: 255.255.255.255
 Destination Port:  1947
 Protocol:  17

Filter Information:
 Filter Run-Time ID: 95299
 Layer Name:  Transport
 Layer Run-Time ID: 13

Most of the events are for Destination Port 1947 and Protocol 17. Source Addresses and ports appear to be random.

I have seen several other posts that have not been resolved, and none of them were for Windows 7 or 10, so thought I would post a new one that is more relevant.

Some other posts mention this can happen if the firewall is disabled. Ours is turned on.

Any ideas on what I can do to find out what is causing this, and how to stop it?

I would love to be able to use the Security Log again...

All replies (7)

Wednesday, February 14, 2018 1:42 AM

My initial post showed the full log.

The Application name and process are blank, so I am unable to determine what is generating the packets.

How else can I determine that?

Do I have to run those commands on all the 100s of machines that we have?


Wednesday, February 14, 2018 1:46 AM

Also, I am not comfortable in just ignoring those logs, as that is just brushing the issue under the rug, or putting a bandage on a gaping wound, whichever metaphor you prefer. :)

It hides the symptoms, but does not deal with the cause.

There are still going to be thousands of dropped packets on each machine in the network just not being logged.


Wednesday, February 28, 2018 6:01 AM

Is there any solution to this?

How can I determine what is generating these packets?

As mentioned, the Application and Process fields are blank, so that does not help.


Friday, May 4, 2018 4:52 AM

Sorry to drag this up, but we now have a SIEM in place, and the thousands of these messages we get make it very difficult to find the actual errors.

Yes, I can filter them out, but it still does not discover the Root Cause, which is what I want to resolve.


Tuesday, July 31, 2018 11:40 PM

Do you happen to be running Sophos?  A number of people have seen this after installing Sophos (although I suspect that's not the only cause).  See https://community.sophos.com/products/sophos-central/f/sophos-central/97331/sophos-endpoint-protection-generating-100s-of-events

A quick search for security event 5152 will show that many people have been experiencing this problem, across several versions of Windows on both servers and workstations.  And, no, I don't have an answer.  Most of these threads are unresolved (or end with the suggestion to suppress the messages - which, to me, is not a resolution).

Below is a bit of PowerShell I threw together to categorize and summarize the errors (note that filter ids are dynamically assigned and can change after a reboot.  I think).  And this script doesn't snag the XML descriptions for all the filters (perhaps missing some that are dynamically added by Sophos via Windows' firewall API?).

# Uptime, used below as the rate threshold for "noisy" groups.
$os        = gwmi win32_operatingsystem
$bt        = $os.ConvertToDateTime($os.LastBootUpTime)
$minutesUp = (get-date).Subtract($bt).TotalMinutes

# All 5152s since boot (filter run-time IDs are only meaningful within one boot).
$fiftyOne52sSinceBoot = Get-WinEvent -FilterHashtable @{ProviderName='Microsoft-Windows-Security-Auditing';
  StartTime=$bt; Id=5152}

# Turn every "Name: value" line of the rendered message into a property on the event.
$fiftyOne52sSinceBoot `
| %{
  $evt = $_
  $propLines = $evt.FormatDescription() -split "`r?`n" -match '\S\s*:\s*\S'
  $propLines | %{
    $name, $val = $_.split(':', 2) | %{$_.Trim()}
    $evt | Add-Member -membertype noteproperty -name $name -value $val
  }
}

# Keep only groups that average at least one drop per ten minutes of uptime.
$grouped5152s = $fiftyOne52sSinceBoot | group 'Filter Run-Time ID', Direction, 'Source Address' <#, 'Source Port'#>,
  'Destination Address', 'Destination Port', 'Application Name' | ?{$_.Count -ge $minutesUp / 10 }

# Earliest/latest are taken by sorting, which works on DateTime values in every
# PowerShell version (Measure-Object -Minimum/-Maximum only accepts non-numeric
# values in newer versions).
$grouped5152s | sort count -desc `
| ft count, name, @{n='Earliest';e={($_.group | sort TimeCreated)[0].TimeCreated}},
                  @{n='Latest';  e={($_.group | sort TimeCreated)[-1].TimeCreated}} -AutoSize

$filterIds = $grouped5152s | %{$_.Group[0].'Filter Run-Time ID'} | sort | Get-Unique

# Export the WFP state (needs an elevated prompt; netsh writes wfpstate.xml to the
# current directory) and print the XML of every filter that appears in a noisy group.
Add-Type -AssemblyName System.Xml.Linq
$xdt = [System.Xml.Linq.XDocument]
pushd $env:temp
netsh wfp show state
$ws = [xml](gc .\wfpstate.xml -raw)
popd
if ($filterIds) {
  $ws.SelectNodes("//*[$(($filterIds | %{"filterId=$_"}) -join ' or ')]") `
  | %{$xdt::Parse($_.OuterXml).ToString()}
}

Friday, April 5, 2019 2:59 PM

Although this might not give you an entirely conclusive answer it may be able to point you in the direction of being able to determine which application/process is the source:

go to cmd and do a tasklist >> tasklist.txt

now do a netstat -ano >> connections.txt

The way you will identify this is by looking at the time events are being generated and matching them with the time you performed the netstat -ano command. You should be able to match up port numbers from active connections. Once you have those active connections, there is also a PID column in the netstat output which will correlate with your tasklist. This should give you some idea of where it is being generated from.
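The script posted above parses the rendered message text of each 5152, and the tasklist/netstat procedure just above maps ports to processes by hand. The following is an added example, not code from any poster in this thread, that does both from the event XML: it summarizes the drops by traffic class, lists which hosts send the inbound drops, maps outbound drops to the owning local process with the Get-Net* cmdlets, and names the WFP filters involved. It assumes Windows 8 / Server 2012 or later (for Get-NetUDPEndpoint and Get-NetTCPConnection), Windows PowerShell 5.1 or newer, an elevated prompt, and the element names of the wfpdiag XML written by netsh wfp show state (filters/item, filterId, displayData/name, layerKey, action/type, providers/item, providerKey); those element names are an assumption and are not taken from the thread.

```powershell
# Added example, not code from this thread. Assumptions: Windows 8/2012+ (Get-Net*
# cmdlets), Windows PowerShell 5.1+, elevated prompt, and the wfpdiag XML element
# names used in step 4.
$since = (Get-Date).AddHours(-1)      # analysis window; widen as needed

# The raw event XML stores Direction as a %%-coded string and Protocol as a number.
$dirNames   = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$protoNames = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP'; '58' = 'ICMPv6' }

$drops = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=5152; StartTime=$since } `
                      -ErrorAction SilentlyContinue |
  ForEach-Object {
    # EventData/Data elements are keyed by Name, so the localized message text
    # never has to be parsed.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($p in $x.Event.EventData.Data) { $d[$p.Name] = [string]$p.'#text' }
    $dir   = $dirNames[[string]$d.Direction];  if (-not $dir)   { $dir   = $d.Direction }
    $proto = $protoNames[[string]$d.Protocol]; if (-not $proto) { $proto = $d.Protocol }
    [pscustomobject]@{
      Time = $_.TimeCreated; Direction = $dir; Protocol = $proto
      SrcAddr = $d.SourceAddress; SrcPort = [int]$d.SourcePort
      DstAddr = $d.DestAddress;   DstPort = [int]$d.DestPort
      ProcessId = [int]$d.ProcessId; App = $d.Application
      FilterRTID = [int]$d.FilterRTID; LayerRTID = [int]$d.LayerRTID
    }
  }
if (-not $drops) { "No 5152 events since $since"; return }
$minutes = [math]::Max(1, ((Get-Date) - $since).TotalMinutes)

# 1. Which traffic class generates the volume? FilterRTID is part of the key so a
#    single noisy filter stands out even when the ports vary.
'== Drops by direction / protocol / destination port / filter =='
$drops | Group-Object Direction, Protocol, DstPort, FilterRTID |
  Sort-Object Count -Descending | Select-Object -First 15 Count,
    @{ n='PerMin';  e={ [math]::Round($_.Count / $minutes, 2) } }, Name,
    @{ n='Senders'; e={ ($_.Group.SrcAddr | Sort-Object -Unique | Select-Object -First 5) -join ' ' } } |
  Format-Table -AutoSize

# 2. Inbound drops carry ProcessId 0 because no local socket matched the packet, so
#    the lead is the sending host: for the UDP/1947 broadcasts in the question, that
#    is the machine to inspect for whatever service uses that port.
'== Inbound drops by sender =='
$drops | Where-Object Direction -eq 'Inbound' |
  Group-Object SrcAddr, Protocol, DstPort | Sort-Object Count -Descending |
  Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 3. Outbound drops: the source port is a local socket, so map it to its owning
#    process while that socket is still open (netstat -ano plus tasklist in one step).
'== Outbound drops mapped to local processes =='
$udp = Get-NetUDPEndpoint   -ErrorAction SilentlyContinue
$tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue
$drops | Where-Object { $_.Direction -eq 'Outbound' -and $_.SrcPort -gt 0 } |
  Select-Object Protocol, SrcPort -Unique |
  ForEach-Object {
    $port  = $_.SrcPort; $proto = $_.Protocol
    $table = if ($proto -eq 'UDP') { $udp } else { $tcp }
    $pids  = @($table | Where-Object { $_.LocalPort -eq $port } |
               Select-Object -ExpandProperty OwningProcess -Unique)
    if ($pids.Count -eq 0) { $pids = @(-1) }   # socket already closed: nothing to map
    foreach ($id in $pids) {
      $proc = if ($id -ge 0) { Get-Process -Id $id -ErrorAction SilentlyContinue }
      [pscustomobject]@{ Protocol = $proto; LocalPort = $port; PID = $id
                         Process = $proc.ProcessName; Path = $proc.Path }
    }
  } | Format-Table -AutoSize

# 4. Name the WFP filters behind the top drops. Run-time IDs are reassigned at boot,
#    so resolve them on the same machine without a reboot in between.
'== Filters behind the top drops =='
$top     = $drops | Group-Object FilterRTID | Sort-Object Count -Descending | Select-Object -First 5
$xmlPath = Join-Path $env:TEMP 'wfpstate.xml'
netsh wfp show state file="$xmlPath" | Out-Null
if (Test-Path $xmlPath) {
  $state = [xml](Get-Content $xmlPath -Raw)
  $(foreach ($g in $top) {
    # Element names follow the wfpdiag XML that netsh writes (assumed; check your export).
    $f = $state.SelectSingleNode("//filters/item[filterId='$($g.Name)']")
    $p = $state.SelectSingleNode("//providers/item[providerKey='$($f.providerKey)']")
    [pscustomobject]@{ Count = $g.Count; FilterRTID = $g.Name
                       Name = $f.displayData.name; Layer = $f.layerKey
                       Action = $f.action.type; Provider = $p.displayData.name }
  }) | Format-Table -AutoSize
}
```

Reading the output against the two samples in this thread: both show Process ID 0 and Application "-" because the packet was dropped before any local socket was involved, which is why step 3 can only ever explain outbound drops and step 2 has to point at the sender instead. For the original question's inbound UDP/1947 broadcasts, the senders list is the answer to "who is generating these": UDP 1947 is the port used by the Sentinel HASP/LDK licence manager, which discovers licence servers by broadcasting, a fact not stated in the thread. The events exist at all because the "Filtering Platform Packet Drop" audit subcategory is enabled (auditpol /get /subcategory:"Filtering Platform Packet Drop" shows the current setting); the objection raised earlier to simply turning it off stands, and the point of the summary is to have the root-cause evidence before deciding what to do with the volume.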


Friday, April 5, 2019 5:06 PM

Thanks for trying to be helpful but... I'm guessing you're not getting these, because if you were, you'd know that the 5152s already have all that information (see sample below).

Here are some of the suspects: DHCP, LLMNR, DNS, ICMP, HTTP, HTTPS.

If you're still interested in this rather puzzling phenomenon, you can find more information at the Sophos community link (https://community.sophos.com/products/sophos-central/f/sophos-central/97331/sophos-endpoint-protection-generating-100s-of-events).  I suspect this issue pops up (at random, on some machines and not others) wherever a 3rd party firewall is attempting to coordinate with the Windows firewall infrastructure.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/5/2019 12:51:21 PM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      xxxxxxxx.yyyyyyyyyyy.com
Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID:     0
    Application Name:   -

Network Information:
    Direction:      Outbound
    Source Address:     192.168.9.233
    Source Port:        0
    Destination Address:    192.168.8.3
    Destination Port:       0
    Protocol:       1

Filter Information:
    Filter Run-Time ID: 166692
    Layer Name:     ICMP Error
    Layer Run-Time ID:  32