Windows 10: I have a firewall keeps popping up a blocked set of packets from ransomware called "conti"...

Hello, I have a Cisco Meraki Firewall AMP, which has started blocking packets from what it things are an infection of ransomwhere called "Conti" Variant. The packest certainly look suspicious, but this is a ServerCore 2022 HyperV hypervisor and the only 3rd party software is communication softare from APC for shutting down the machine in case of UPS failure. the Built in firewall and Defender stuff is running and up to date and turns up nothing and I ran MSERT and it too turned up nothing. The packets are sent out only saturday and sunday and appear to be going to my management workstati

:)

 

What in the firewall is blocking my app? UPDATE

One easy way to figure out which executable is being blocked is to use process monitor:
https://docs.microsoft.com/en-us/sys...nloads/procmon

Download it and run as Administrator.

Next step is to configure filtering in process monitor to show only dropped connections, here is a link to customized setting for this task:
ProcmonConfiguration.pmc

Download it to your desktop, then in process monitor click on File -> Import configuration and locate downloaded configuration.

Next step is to clear accumulated data by pressing following button marked in green in process monitor:




Now go ahead and try to reproduce your problem with Arduino IDE.
Within process monitor all dropped TCP connections and closed TCP connections will be marked with Cyan color as soon as there is dropped data.

Not all of this cyan lines are drops, but it should give you some picture.
If you want to be 100% sure, click on filter to enable showing received TCP data as follows, click on red marked button:




Here when filter opens up uncheck options that says
Operation is TCP receive





Click OK and now you can investigate which of the cyan lines are dropped packets and which ones are normal TCP close.
For example if you see cyan lines without matching TCP receive then you know these lines are representing firewall problem with outbound traffic (not inbound!)

Your next step is to investigate if within firewall there are block rules that contribute to dropping packets.
If not, next step see if default outbound is set to block in firewall, and if so create allow rule for dropped packets.

 

Blocking Torrenting

to effectively block torrent, you need to define fire-walling rules that are based on layer 7 pattern and packet content matching - which i doubt that your switch is capable of.

consider a mikrotik or any powerful router to get it done.

shall you deploy a mikrotik, all you need to do is add this rules to firewall:

• drop packet that are matching to a L7 pattern of torrents packet (use built in feature: p2p=all-p2p) - this will keep classic - non secure - torrents connection out
  
• block outgoing DHT from your network (packets containing "d1:ad2:id20:" with packet size from 95 to 190 and in a udp protocol)
  
• block outgoing torrent announce (packets containing "info_hash" in a tcp protocol format)
  

 

.DOCM Ransomware

Some more helpful links....

• ID Ransomware
• https://support.emsisoft.com/topic/29386-first-steps-when-dealing-with-ransomware/
• How to remove ransomware the right way: A step-by-step guide (Updated for 2019) - Emsisoft | Security Blog