Strange port 143 activity

Win 7 x64 SP1, Avast 6.0.1289

Now that I have my Win 7 firewall outbound rules set up, I am getting this strange outbound firewall alert from port 143 at boot time. Is this OK to allow? I don’t use any e-mail except ISP based e-mail.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/20/2011 3:31:57 PM
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Don-PC
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 4
Application Name: System

Network Information:
Direction: Outbound
Source Address: fe80::2401:1c51:9da4:dbc4
Source Port: 143
Destination Address: ff02::16
Destination Port: 0
Protocol: 58

Filter Information:
Filter Run-Time ID: 129197
Layer Name: Connect
Layer Run-Time ID: 50

I would start by reading this, as it shows what that port is normally used for, Internet Message Access Protocol (IMAP), and from that you should be able to confirm if you have email being checked, etc.

http://www.grc.com/port_143.htm also http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol.

Thanks, David.

I did research this. It is indeed ICMPv6 Multicast Listener Report Message v2. In itself it is a valid ICMPv6 outbound transaction, but it should be blocked since it could invalidate the default rules the WIN 7 firewall has for Teredo tunneling security. Hence the lack of this rule in the default WIN 7 firewall outbound core default rules.

Another example of the danger of running the WIN 7 firewall in the default allow all outbound traffic.
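An added example, not part of the original thread: a small Python triage helper showing why "Source Port: 143" in the event above is an ICMPv6 message type rather than the IMAP port. It relies on Windows Filtering Platform events carrying the ICMP type in the source-port field and the ICMP code in the destination-port field when the protocol is 1 or 58; the function names `parse_event` and `interpret` are hypothetical.

```python
# Protocols for which WFP events reuse the port fields:
# "Source Port" holds the ICMP type, "Destination Port" the ICMP code.
ICMP_PROTOCOLS = {1: "ICMP", 58: "ICMPv6"}

# Subset of the IANA ICMPv6 type registry (not exhaustive).
ICMPV6_TYPES = {
    128: "Echo Request", 129: "Echo Reply",
    130: "Multicast Listener Query",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
    143: "Multicast Listener Report v2 (MLDv2)",
}

# Fields copied from the event 5157 quoted in the first post.
SAMPLE_EVENT = """\
Application Name: System
Direction: Outbound
Source Address: fe80::2401:1c51:9da4:dbc4
Source Port: 143
Destination Address: ff02::16
Destination Port: 0
Protocol: 58
"""

def parse_event(text):
    """Collect the 'Name: value' lines of an event description."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def interpret(text):
    """Decode the port fields according to the IP protocol number."""
    ev = parse_event(text)
    proto = int(ev["Protocol"])
    sport, dport = int(ev["Source Port"]), int(ev["Destination Port"])
    if proto in ICMP_PROTOCOLS:
        meaning = ICMPV6_TYPES.get(sport, "unlisted") if proto == 58 else "see ICMP registry"
        return {"transport": ICMP_PROTOCOLS[proto], "icmp_type": sport,
                "icmp_code": dport, "meaning": meaning, "is_imap": False}
    transport = {6: "TCP", 17: "UDP"}.get(proto, f"protocol {proto}")
    # IMAP is TCP with 143 as the remote (destination) port on outbound traffic.
    return {"transport": transport, "src_port": sport, "dst_port": dport,
            "is_imap": proto == 6 and dport == 143}

if __name__ == "__main__":
    print(interpret(SAMPLE_EVENT))
```
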

The real danger of running the win7 firewall with outbound protection enabled is what you are going through right now; it is a pig; it isn’t user friendly; it is rules based and you have to create the rules; that is always going to be prone to error.