My company security team has informed me that my workstation is pinging some “blacklisted” IP addresses. The enterprise security tool reporting this information sits in place of the usual Windows firewall, but it seems it is unable to tell which process is the culprit.
I had the device rebuilt about six months ago for the same reason, and I’m pretty sure it’s just an application that’s using a content-delivery network that happens to have also been used by some malware at some point; hence the blacklisted IPs.
Normally in this situation a combination of Wireshark, netstat, TCPView and other tools would help me nail down which process is generating the traffic. For ICMP echo requests, however, it seems that the source process is always a system DLL.
Some googling led to a page which does have some advice on how to narrow down the process by checking which have got the icmp.dll or iphlpapi.dll loaded. I’ve currently got dozens of processes with iphlpapi.dll loaded, so trying to narrow down which might be sending these requests is going to take quite some time.
Another issue is that these ICMP requests are sent very infrequently. Maybe a couple of times a day. So at the point I’m looking, the process might not even be running.
What I really need is a tool that I can leave running which will look for ICMP requests to these IP addresses, and as soon as they’re seen it would identify the process that made them. Does such a thing exist? Is there another low-effort approach that I’m missing?
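One low-effort way to leave something running that records the originating process, as an added example (not part of the original post): the Windows Filtering Platform audit event 5156 in the Security log carries the protocol, destination address and the image path of the process the connection was attributed to. The script below polls that log and writes any ICMP (protocol 1) traffic to the suspect addresses to a CSV, so the record survives even if the process has exited by the time you look. It assumes WFP connection auditing has been enabled beforehand, that the script runs elevated, and that the addresses listed (TEST-NET placeholders) are replaced with the ones the security team reported.

```powershell
# Added example, not from the original post. Watches Security event 5156
# (WFP permitted connection) for ICMP to the suspect addresses and records
# the originating process. Enable auditing first (elevated prompt):
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable
$SuspectIPs  = @('203.0.113.10', '198.51.100.25')   # placeholders: put the reported IPs here
$PollSeconds = 30
$LogFile     = "$env:USERPROFILE\icmp-watch.csv"

function Convert-WfpEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the event's <Data Name="..."> elements into a hashtable for lookup.
    $fields = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $fields[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        ProcessId   = $fields['ProcessID']
        Application = $fields['Application']   # NT device path of the image
        Direction   = $fields['Direction']
        Protocol    = $fields['Protocol']      # 1 = ICMP, 6 = TCP, 17 = UDP
        Destination = $fields['DestAddress']
    }
}

$since = Get-Date
while ($true) {
    # Record the query time before reading so no event falls between polls.
    $queryStart = Get-Date
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } `
                           -ErrorAction SilentlyContinue   # "no events found" is not an error here
    $since = $queryStart
    foreach ($e in $events) {
        $rec = Convert-WfpEvent -Event $e
        if ($rec.Protocol -eq '1' -and $SuspectIPs -contains $rec.Destination) {
            $rec | Export-Csv -Path $LogFile -Append -NoTypeInformation
            Write-Host ("{0}  PID {1}  {2} -> {3}" -f $rec.Time, $rec.ProcessId, $rec.Application, $rec.Destination)
        }
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it in a console you keep open (or as a scheduled task at logon) and check the CSV after the next alert; the Application column gives the image path and the PID ties back to whatever process was alive at that moment.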