Author Topic: Large unexplained upload  (Read 13019 times)


Offline Jethro Bodine

  • Newbie
  • *
  • Join Date: Dec 2015
  • Posts: 29
  • Karma: 4
Large unexplained upload
« on: March 26, 2016, 10:33:52 pm »
I noticed over 1GB upload from my machine on a day last week.

Does anyone know how I can trace the source (after the fact as it were)?

I only know how I could have traced it while it was happening, and I didn't
notice it at the time it was going on.

My wireless network is well secured and my machine is the only device on it.
I have all Windows telemetry disabled so I don't think that was the cause.

« Last Edit: March 26, 2016, 10:41:43 pm by Jethro Bodine »

Offline Still_Game

  • Full Member
  • ***
  • Join Date: Sep 2015
  • Posts: 208
  • Location: France
  • Karma: 12
Re: Large unexplained upload
« Reply #1 on: March 26, 2016, 11:24:48 pm »
Are you running Windows 10? One of the "benefits" of this OS is that, presumably to lighten the load on Microsoft's servers, the default installation allows it to act as a file server to provide assistance in updating other computers around the world. Sneaky or what!

http://www.pcworld.com/article/2955491/windows/how-to-stop-windows-10-from-using-your-pcs-bandwidth-to-update-strangers-systems.html
Iain

ThinkPad T450s W10 Pro x64
Windows Defender, Malwarebytes Premium
Macrium Reflect 7 Home, Tweaking WRAIO Pro

Offline Jethro Bodine

  • Newbie
  • *
  • Join Date: Dec 2015
  • Posts: 29
  • Karma: 4
Re: Large unexplained upload
« Reply #2 on: March 26, 2016, 11:42:44 pm »
I'm wise to that sneaky behavior but no, I'm not on W10 (and never will be ... Win telemetry being disabled).
I've also refused all of the well known poison GWX updates.

This happened on a W7 home premium 64-bit machine.
I know that many apps have "phone home" activity but nothing on this scale.

I'm also very security aware, keep things locked-down tight and run regular scans.
I'm running MBAM again as I write this but not expecting to find anything.

I don't use P2P or any torrent stuff.

I'm hoping that someone can point me to a log file that I can look at.
« Last Edit: March 26, 2016, 11:46:59 pm by Jethro Bodine »

Offline Still_Game

  • Full Member
  • ***
  • Join Date: Sep 2015
  • Posts: 208
  • Location: France
  • Karma: 12
Re: Large unexplained upload
« Reply #3 on: March 26, 2016, 11:48:46 pm »
Sorry then, I don't have any other suggestions at the moment but I hope someone more experienced will be able to help. I keep W10 at bay with the aid of the wonderful GWX Control Panel - so far, so good!
Iain

ThinkPad T450s W10 Pro x64
Windows Defender, Malwarebytes Premium
Macrium Reflect 7 Home, Tweaking WRAIO Pro

Offline Jethro Bodine

  • Newbie
  • *
  • Join Date: Dec 2015
  • Posts: 29
  • Karma: 4
Re: Large unexplained upload
« Reply #4 on: March 27, 2016, 12:19:29 am »

Yes, I also have GWX control panel ..... "Belt and braces" :smiley:

For now, I can only watch and wait, and hope to catch it if it happens again.
I have a couple of possible culprits in mind but it seems unfair to name them here without proof.

Thanks for the suggestions anyway.

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
Re: Large unexplained upload
« Reply #5 on: March 27, 2016, 03:47:19 am »
Do you have MBAM/Settings/Detection and Protection set to treat PuPs and PuMs as malware?

What does Task Manager/Performance give for your CPU usage?

Which browser are you using?

Offline Jethro Bodine

  • Newbie
  • *
  • Join Date: Dec 2015
  • Posts: 29
  • Karma: 4
Re: Large unexplained upload
« Reply #6 on: March 29, 2016, 12:46:50 am »
Sorry about the delay in replying.

I would ask those very same questions myself .....
... to answer :-

Yes to the first.
< 2% cpu use with FF running and 10 or more open tabs.

I'm a regular user of Process Hacker, Dependency Walker etc so I've already been down that route.

I have one particular app I'm suspicious of but I'll wait for its regular scheduled run later in the week
rather than force the issue now.

Thanks for the suggestions BTW :)

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
Re: Large unexplained upload
« Reply #7 on: March 29, 2016, 01:00:47 am »
Intermittent problems are the worst to nail down but at least you have your eye on at least one possible culprit.

Process Explorer is also a handy program to have as you can see what's running and who it belongs to and with VirusTotal enabled on it, also if it's suspect.

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

Click on Options and ensure Verify Signature is checked then hover over VirusTotal.com and check its box.

Its ratings should all be in blue but if any have a highish numerator in red then they would be suspect.

It can give some with just 1 or 2/50 but as long as you know what they are, they are usually nothing to worry about.

Offline Julian

  • "Professional Googler"
  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jun 2015
  • Posts: 1325
  • Location: USA, New Mexico
  • Karma: 38
Re: Large unexplained upload
« Reply #8 on: March 29, 2016, 01:38:54 am »
Tech toolbench has a system monitor and also netstat; you can adjust the windows to refresh however many seconds you would like. But to be honest, the only thing you can do at the moment is make sure you do not have any PUP or PUM on your system. If you come up clean, then I would try to recreate the situation and let it monitor in the background, then look at the stats.  :undecided:
Julian
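
Added example (not part of any post in this thread): one way to do the background monitoring suggested above, as a PowerShell loop that samples the `netstat -e` sent-bytes counter and, when an interval exceeds a threshold, records which processes held established TCP connections according to `netstat -ano`. The log path, interval and threshold are assumptions, and netstat cannot attribute bytes to a process, so the log only narrows down candidates.

```powershell
# Added example: periodic upload logger built on netstat, for later review.
# Assumptions: English-language netstat output; path, interval and threshold are placeholders.
$LogFile     = "$env:USERPROFILE\upload-log.csv"   # hypothetical log location
$IntervalSec = 60
$ThresholdMB = 20    # record connection detail when one interval uploads more than this

function Get-BytesSent {
    # "netstat -e" prints a row of the form: Bytes  <received>  <sent>
    foreach ($line in (netstat -e)) {
        if ($line -match '^\s*Bytes\s+(\d+)\s+(\d+)') { return [int64]$Matches[2] }
    }
    throw "Could not parse 'netstat -e' output"
}

function Get-EstablishedConnections {
    # "netstat -ano" rows: Proto  Local  Foreign  State  PID
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+\S+\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$') {
            $remote = $Matches[1]
            $procId = [int]$Matches[2]
            if ($remote -match '^(127\.|\[::1\])') { continue }   # ignore loopback
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name = '?'
            if ($proc) { $name = $proc.ProcessName }
            "$name,$procId,$remote"    # one CSV fragment per connection
        }
    }
}

$prev = Get-BytesSent
while ($true) {
    Start-Sleep -Seconds $IntervalSec
    $now   = Get-BytesSent
    $delta = $now - $prev
    $prev  = $now
    if ($delta -lt 0) { continue }   # counter reset or wrapped: skip this sample
    $mb    = [math]::Round($delta / 1MB, 2)
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $rows  = @()
    if ($mb -ge $ThresholdMB) { $rows = @(Get-EstablishedConnections) }
    if ($rows.Count -eq 0) { $rows = @(',,') }   # quiet interval: volume only
    # CSV columns: timestamp, MB sent in interval, process, PID, remote endpoint
    $rows | ForEach-Object { "$stamp,$mb,$_" } | Add-Content -Path $LogFile
}
```

Each line of the resulting file gives the time, the megabytes sent in that interval and, for intervals over the threshold, one row per established connection.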

Offline Jethro Bodine

  • Newbie
  • *
  • Join Date: Dec 2015
  • Posts: 29
  • Karma: 4
Re: Large unexplained upload
« Reply #9 on: March 29, 2016, 07:24:20 am »
That's pretty much my intended strategy at this point.
Netstat is a long-time favorite of mine, and I'm certain there is no PUP stuff on my system ....
... I am fanatically opposed to all of that garbage :)

I originally posted because I'd hoped that someone knew of a network traffic log-file that I could look at.
But I've never heard of such a log, so I was fairly certain that it would be a long shot :)

As I mentioned earlier, it doesn't seem right to name my main suspect without any proof.
I'm going to be keeping a sharp eye out for it happening again and I will pin it down, and then post back here.

In the meantime, many thanks to all for the suggestions!
« Last Edit: March 29, 2016, 07:30:45 am by Jethro Bodine »

Offline Willy2

  • Hero Member
  • *****
  • Join Date: Oct 2011
  • Posts: 1165
  • Karma: 18
Re: Large unexplained upload
« Reply #10 on: March 29, 2016, 09:55:14 am »
- I wouldn't be surprised to see that your system has turned into an extra Microsoft server (for distributing Updates to other computers). In the last, say, 10 months there were a bunch of mysterious Updates that were related to "Windows Update". And for those Updates Microsoft only gave minimal or no information on its website about the purpose of those updates. (For a while now I won't install those mysterious updates any more.)

- One thing you could try is to keep an eye on the folder "C:\Windows\SoftwareDistribution" and see what that/those folder(s) contain and what happens over there. Delete that folder and see what happens. Windows will re-create the "SoftwareDistribution" folder automatically when deleted. In the "Download" folder Windows stores the original update files but doesn't delete them after an Update. Were/Are there (A LOT OF) large files?