Management station attempting external nbname connections?!?!

[jchrisos]

I am seeing dropped traffic from my Windows management station to a ton of external IPs on UDP port 137 from UDP 137. I scanned the machine (Win2k3 standard) with an updated virus scanner and it found no malware. Anyone else ever experience this?? Maybe this means I need to move to SPLAT ;-)

[kva.kva]

TCP/UDP 137 is netbios name service.
What do you mean "Windows management station"? SmartCenter or your computer with SmartConsole?

I think you can disable NetBios service on Check Point servers. It's more secure.

[jchrisos]

Quote:

Originally Posted by kva.kva

TCP/UDP 137 is netbios name service.
What do you mean "Windows management station"? SmartCenter or your computer with SmartConsole?

I think you can disable NetBios service on Check Point servers. It's more secure.

Sorry - the management console is Windows, which is also where logs are sent. SmartCenter is installed there as well as locally on my PC.

Under normal circumstances, a windows machine shouldn't be trying to contact the outside world on windows ports unless it's infected with something. I wanted to know if what I am seeing is common for a management console or do I possibly have malware that my AV scanner isn't picking up.

Jim

[drhex2000]

Hi all,

was this ever resolved? Have the same problem here with UTM R65.

Thanks,

Florian

[jchrisos]

Quote:

Originally Posted by drhex2000

Hi all,

was this ever resolved? Have the same problem here with UTM R65.

Thanks,

Florian

Unfortunately I have not resolved this. I am trusting that what I am seeing is supposed to happen. If anyone can shed any light on this, I'm all ears!

[khanta]

I had this same issue about 1.5 years ago on an R55 box. The machine would try and send netbios datagrams. I never got a resolution to it. I did notice that basically the management station (with smart tracker) would try and send nb datagrams to ips that it was doing a reverse lookup on.

Hope that helps.

Had another issue that was similar that was not checkpoint related, I had a windows box that would send out 137 and 139 datagrams to various servers on the internet. It was a windows thing. Tried every antimalware and rootkit and antivirus scanner out there, never found anything. There were a few other people that had the same issue. Google loki74@gmail.com and you will see my post out there.

Good luck.

[chillyjim]

These are not Check Point issues. Windows will try NBT connections to lots of things on the Internet. This is one of the many reasons not to use Windows as your SmartCenter.