DavidR
34
To me like essexboy, that doesn’t make sense either, as this is giving svchost.exe as the application but the blocking as inbound. Masking the destination IP, etc. doesn’t aid investigation.
Generally this inbound connection would have an associated outbound connection for any inbound connection to be for a local file.
So I think filtering this on only inbound/blocked connections may be giving a misleading impression.