5157 The Windows Filtering Platform has blocked a connection
Logged when the Windows Filtering Platform (WFP) blocks a network connection. Paired with the permit event 5156, it records the communication that was denied.
Overview
The subcategory is Audit Filtering Platform Connection. It is generated when WFP blocks a connection (outbound/inbound). It includes the source/destination IP and port and the process involved.
How it is triggered
- When a connection is denied by a filter condition.
Security review points
- A blocked outbound connection can be a sign of malware being stopped while trying to reach C2. Check the blocked process and destination IP/port.
- Note patterns such as a specific process repeatedly having outbound connections blocked, or many connection attempts to unfamiliar destinations. Together with permit 5156, build the full communication picture.
Notes for log review
- It is generated in high volume. Aggregate by process, destination, and count, and narrow to outbound attempts by suspicious processes or connections to known malicious destinations.
- Blocks caused by missing rules for legitimate applications are also common (false positives). Baseline those and focus on the unknown ones.
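As an added example (not part of the original page), the aggregation described above applied to constructed 5157 records in Event Viewer's XML export shape: outbound blocks are kept, baselined applications are dropped, and the rest are ranked by process and destination. The baseline set, sample paths and addresses are all constructed; the Direction values %%14592/%%14593 are the raw codes WFP audit events use for Inbound/Outbound.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Raw Direction values as they appear in the EventData of 5156/5157.
DIRECTION = {"%%14592": "Inbound", "%%14593": "Outbound"}

# Applications whose blocks are expected here (constructed baseline, lower-cased).
BASELINE_APPS = {r"\device\harddiskvolume2\program files\backupagent\agent.exe"}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_5157(xml_text):
    """Return the key fields of one exported 5157 event as a dict."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    return {
        "app": data["Application"].lower(),
        "direction": DIRECTION.get(data["Direction"], data["Direction"]),
        "dest": f'{data["DestAddress"]}:{data["DestPort"]}',
    }

def summarize(events):
    """Count outbound blocks per (application, destination), skipping the baseline."""
    counts = Counter()
    for ev in map(parse_5157, events):
        if ev["direction"] == "Outbound" and ev["app"] not in BASELINE_APPS:
            counts[(ev["app"], ev["dest"])] += 1
    return counts.most_common()  # highest count first

def make_event(app, direction, dest_addr, dest_port):
    """Build a constructed 5157 record in the Event Viewer XML shape."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5157</EventID></System>
  <EventData>
    <Data Name="Application">{app}</Data>
    <Data Name="Direction">{direction}</Data>
    <Data Name="SourceAddress">10.0.0.5</Data><Data Name="SourcePort">49152</Data>
    <Data Name="DestAddress">{dest_addr}</Data><Data Name="DestPort">{dest_port}</Data>
  </EventData>
</Event>"""

# Constructed sample: an unknown binary in a temp folder blocked three times
# outbound, a baselined agent blocked five times, and one inbound SMB block.
SAMPLE_EVENTS = (
    [make_event(r"\device\harddiskvolume2\users\bob\appdata\local\temp\update.exe",
                "%%14593", "203.0.113.10", 443)] * 3
    + [make_event(r"\device\harddiskvolume2\program files\backupagent\agent.exe",
                  "%%14593", "192.0.2.20", 8443)] * 5
    + [make_event(r"\device\harddiskvolume2\windows\system32\svchost.exe",
                  "%%14592", "10.0.0.9", 445)]
)
```

Running `summarize(SAMPLE_EVENTS)` leaves only the temp-folder binary with three blocked outbound attempts to 203.0.113.10:443, which is the kind of entry worth checking against the process and destination.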
Key fields
| Field | Meaning |
|---|---|
| Application | The process that attempted the connection |
| Source/Destination Address / Port | The source and destination |
| Direction | Outbound/inbound |