Abnormal Uploads (VMWare ESXi Virtual Machines)
Since my FWG has been in operation over the last few days, it's been quite an eye-opener to see devices sending "data" outbound to various places. For my family's cadre of gear that mostly translates into outbound data from:
- ESXi Virtual Machines (servers and mostly Windows 10 Pro virtual machines);
- HP Computers;
- Amazon Fire TV Devices.
While from a general awareness perspective, I knew this type of activity was going on, the volume, size, and frequency were a bit surprising. Also, things that I do not normally use like Xbox software on the Windows virtual machines are actively sending outbound data throughout the day.
- My ESXi server (multiple virtual machines running 24x7; no gaming use) routinely bundles up 300 MB of "data" each day and ships it to a VMWare IP address. In addition to that, each Windows 10 Pro Virtual Machine routinely triggers a "gaming alert" on the FWG.
My wife and I do not play ANY games on our virtual machines. She plays games on her iPad and iPhone, but that is it. As Xbox software comes pre-installed on Windows 10, what is it doing if no one here is using it? Also, I found that removing Xbox software is not a simple nor straightforward process, though it can be done by following a multi-step procedure which, shall I say, "is not obvious to the casual user"?
- The Amazon Fire TV devices are communicating with Amazon servers several times per day with multi-MB size files.
Remember these are OUTBOUND files/data...not an INBOUND file or data that might represent updates to something locally.
Does FWG provide any file-level information as to exactly what was uploaded? Sometimes even a file name and its location might give some clues to what is going on.
I've also "blocked" a few of these activities just to see what happens. In most cases, nothing. From what I can tell these devices are programmed with multiple upload destinations so that if one is not available (or blocked), it has alternative destinations for the data to be sent.
While I'm sure most of these uploads are legit in one way or another, I can tell you first hand that the fallacy that most modern devices and those that code them are operating from is...a good, high-speed Internet connection is always available. That is NOT true for rural areas, and having observed my slow Internet connection at our cabin getting swamped with Windows updates, much less having the capacity to handle these massive uploads for other things, I am forced to shut down everything I can that is not absolutely needed at our cabin and other rural properties we have. So determining what is going on behind the scenes is important for us.
Any thoughts about how to get to the bottom of what we see happening using FWG?
1. Gaming detection was intentionally made very sensitive based on feedback from a few parents. What you can do is just mute Xbox ... it should not generate any more alerts.
2. There is no way to get the data sent. As that requires an HTTPS man-in-the-middle to break down the encryption... we do not want to do that.
3. Multiple-destination upload is a problem. We do have another task, and hopefully, in 1.973 we can implement a better algorithm. For specific uploads, you can search this site; I believe users contributed things like muting bigger subnets.
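The thread asks how to find out which device is uploading what, and the reply points at muting larger subnets to cope with devices that fall back to alternate destinations. The following is an added example (not code from the poster, and not Firewalla's own code or export format) of the aggregation a practitioner would run over whatever flow or connection log they can pull from the box: it keeps only outbound-dominant flows above a size floor, then totals them per device and per destination /24 instead of per exact IP, so a device hopping between several hosts in one provider range shows up as one line with the number of distinct endpoints it used. The CSV layout, the device names, the IPs (all from documentation ranges) and the thresholds are constructed assumptions for the example.

```python
"""Aggregate outbound-heavy flows by device and destination /24.

Added example for this thread; it is not Firewalla code and does not read a
real FWG export. The CSV layout below (timestamp, device, src_ip, dst_ip,
dst_port, bytes_out, bytes_in) is a constructed, hypothetical format: adapt
parse_flows() to whatever flow/conn log you can actually pull from your box.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real traffic). Two ESXi flows go to two hosts
# in the same /24, modelling the "alternate destination" behaviour; the last
# two rows are downloads and must not be reported as uploads.
SAMPLE_FLOWS = """\
2023-06-01T02:10:05,esxi-host,192.168.1.20,203.0.113.10,443,150000000,2000000
2023-06-01T14:12:09,esxi-host,192.168.1.20,203.0.113.44,443,160000000,1800000
2023-06-01T03:00:01,win10-vm1,192.168.1.31,198.51.100.7,443,8000000,300000
2023-06-01T09:30:22,win10-vm1,192.168.1.31,198.51.100.9,443,7500000,250000
2023-06-01T11:00:00,firetv-den,192.168.1.50,192.0.2.15,443,4000000,200000
2023-06-01T12:00:00,firetv-den,192.168.1.50,192.0.2.99,443,3500000,50000000
2023-06-01T18:45:10,laptop-hp,192.168.1.60,192.0.2.200,443,120000,90000000
"""

# Thresholds are assumptions for the example, not Firewalla's detection rules.
UPLOAD_RATIO = 5.0            # bytes_out must be >= UPLOAD_RATIO * bytes_in
MIN_UPLOAD_BYTES = 1_000_000  # ignore small chatter (telemetry pings, DNS, etc.)


@dataclass(frozen=True)
class Flow:
    ts: str
    device: str
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    bytes_in: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed CSV layout into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, dev, src, dst, port, out_b, in_b = line.split(",")
        flows.append(Flow(ts, dev, src, dst, int(port), int(out_b), int(in_b)))
    return flows


def is_upload(flow: Flow) -> bool:
    """Outbound-dominant and large enough to matter on a slow rural link."""
    if flow.bytes_out < MIN_UPLOAD_BYTES:
        return False
    # max(..., 1) avoids a zero divisor for flows with no reply payload.
    return flow.bytes_out >= UPLOAD_RATIO * max(flow.bytes_in, 1)


def dest_subnet(ip: str, prefix: int = 24) -> str:
    """Collapse a destination IP to its containing /prefix network."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarize_uploads(flows: list[Flow], prefix: int = 24) -> dict:
    """Return {device: {subnet: {"bytes_out": n, "dst_ips": set}}} for uploads.

    Grouping by /prefix instead of exact IP is what exposes a device that
    hops between several endpoints in one provider range after a block.
    """
    summary: dict = defaultdict(
        lambda: defaultdict(lambda: {"bytes_out": 0, "dst_ips": set()}))
    for f in flows:
        if not is_upload(f):
            continue
        bucket = summary[f.device][dest_subnet(f.dst_ip, prefix)]
        bucket["bytes_out"] += f.bytes_out
        bucket["dst_ips"].add(f.dst_ip)
    return {dev: dict(subs) for dev, subs in summary.items()}


def top_uploads(flows: list[Flow], prefix: int = 24) -> list[tuple[str, str, int, int]]:
    """(device, subnet, bytes_out, distinct_dst_ips) sorted by bytes_out desc."""
    rows = []
    for dev, subs in summarize_uploads(flows, prefix).items():
        for subnet, b in subs.items():
            rows.append((dev, subnet, b["bytes_out"], len(b["dst_ips"])))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for dev, subnet, out_b, n_ips in top_uploads(parse_flows(SAMPLE_FLOWS)):
        print(f"{dev:12} {subnet:18} {out_b / 1e6:8.1f} MB out  via {n_ips} host(s)")
```

On the sample data the ESXi host surfaces as one 310 MB/day line to a single /24 reached through two different hosts, which is the shape of the fallback behaviour described in the thread and the unit you would consider muting or blocking as a whole; the Fire TV download and the HP laptop's update traffic drop out because they are inbound-dominant. Widening `prefix` to 16 trades precision for coverage when the alternates are spread across a larger provider allocation.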