5031 The Windows Firewall blocked an application from accepting incoming connections
Written when the Windows Firewall blocked an application from accepting incoming network connections. It captures the fact that a non-permitted program tried to listen.
Overview
The subcategory is Audit Filtering Platform Connection. It is generated when an application not allowed by a firewall rule tries to accept inbound connections from the network and is blocked. It includes the path of the blocked program.
How it is triggered
- When a program with no inbound-allow rule tries to open a port and listen.
Security review points
- If an unfamiliar program, or a process that should not normally listen on the network, is blocked, it may be a sign of malware trying to open a listener (backdoor). Check the path and name of the blocked app.
- Listen attempts by programs in temp folders or non-standard paths are notable. Correlate with process creation event 4688 to trace the program's origin and parent process.
Notes for log review
- Legitimate apps often appear due to missing allow rules (prone to false positives). Baseline the legitimate apps that should be allowed and narrow to blocks of unknown/suspicious programs.
- Investigate starting from the blocked program’s path, hash, and parent process.
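The triage the two sections above describe, as an added example that is not part of the original page: drop 5031 blocks for programs on a maintained allow baseline, flag the rest, mark non-standard paths, and attach the parent process from a matching 4688 record. The event records, the baseline and the directory patterns are all constructed assumptions for the demonstration.

```python
import re

# Constructed sample events (not real log data). Field names follow the page's
# "Key fields"; the 4688 records carry the creator process for correlation.
EVENTS_5031 = [
    {"Application": r"C:\Program Files\App\app.exe", "Port": 8080, "Protocol": "TCP"},
    {"Application": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "Port": 4444, "Protocol": "TCP"},
    {"Application": r"C:\Windows\System32\svchost.exe", "Port": 5353, "Protocol": "UDP"},
    {"Application": r"C:\Users\Public\update.exe", "Port": 443, "Protocol": "TCP"},
]
EVENTS_4688 = [
    {"NewProcessName": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"NewProcessName": r"C:\Users\Public\update.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

# Assumption: a list, maintained by the team, of programs that legitimately
# need an inbound allow rule (stored lower-cased for case-insensitive matching).
BASELINE = {r"c:\program files\app\app.exe", r"c:\windows\system32\svchost.exe"}

# Directories the page singles out: temp folders and other non-standard locations.
NONSTANDARD = re.compile(r"\\(temp|tmp|users\\public|downloads)\\", re.IGNORECASE)


def triage_5031(blocks, creations, baseline=BASELINE):
    """Return one finding per blocked program that is not on the baseline."""
    # Index 4688 records by created-process path so each block can be joined to its parent.
    parents = {e["NewProcessName"].lower(): e["ParentProcessName"] for e in creations}
    findings = []
    for ev in blocks:
        path = ev["Application"]
        if path.lower() in baseline:
            continue  # expected false positive: a known app that only lacks an allow rule
        reasons = ["not in baseline"]
        if NONSTANDARD.search(path):
            reasons.append("non-standard path")
        findings.append({
            "application": path,
            "listen": f'{ev["Protocol"]}/{ev["Port"]}',
            "parent": parents.get(path.lower(), "no 4688 match"),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_5031(EVENTS_5031, EVENTS_4688):
        print(finding)
```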
Key fields
| Field | Meaning |
|---|---|
| Application Path | The blocked program |
| Port / Protocol | The communication it tried to listen on |