Daily Protection Log showing Detection of Inbound port, but port already blocked by Windows Firewall

[jay_bplogix]

I have a new PC Windows 8.1 with RealVNC (port 5900). I have Windows Firewall configured to only allow a single IP to connect to that inbound port.

 

But I noticed every other day or so in the Daily Protection Log of MalwareBytes Premium, it showed: Detection, Protection, Malicous Website Protection, IP 89.248.162.228, 5900, Inbound, C:\Program Files\RealVNC\VNC4\winvnc4.exe

 

The IP that is listed in the MB logs is not in my firewall's list of allowed IPs, and should be blocked by the firewall. Does MB run "below" the Windows Firewall? Could it be seeing (and blocking) the incoming connection to 5900 before the Firewall blocks it?

 

thx

[bearybear]

Sounds like windows firewall is not actually blocking it.

Within Windows Firewall Properties make sure the Firewall state: is set to On and Inbound connections: is set to Block; make sure this is the case for both the Private Profile and the Public Profile.

[jay_bplogix]

That was my first thought as well. But when I disable my "enable" rule in the Windows Firewall for the allowed IPs, then it correctly blocks all attempts to VNC in. When I enable that rule, it correctly allows VNC attempts from only those IPs.

 

That is why I was thinking the only way this could happen was if Malwarebytes blocked connections PRIOR to the windows firewall?

[bearybear]

Y'know, I really wouldn't have thought so but I think you're right.

I tried to connect to that IP address, Malwarebytes of course blocked it and redirected to loopback, if it passed windows firewall first it would be logged as an allowed connection, but it isn't, so as far as Windows Firewall is aware, there was never any attempt to connect to the IP at all.