User-ID Agent odd outbound traffic patterns

Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID Agent odd outbound traffic patterns

L3 Networker


We've noticed some strange traffic patterns coming from our Agent boxes and am curious why, and if others are seeing something similar... ?

Looking in our Monitoring logs I see our two Agents sending data to:

Via SMB ports 135,137,139

This appears to be something out of Australia

We're blocking this communication, and they're fresh boxes with Anti-Virus installed so it's really odd that we're seeing this..





L6 Presenter

What is your settings your of userid agents?

I think its recommended to disable netbios lookups but enable wmi lookups (if possible).

You can also in the menu enable debug log level and then watch the userid directory in program files and then copy the debug file as soon as you see this traffic (dont forget to change log level back to informational or such after you copied the debug log to not run out of disk).

Hopefully you can then find in the debuglog from where these ip addresses is pickedup (is it someone logging in to your exchange server or is it something else).


UserAgents have a feature that scans workstations via WMI/Netbios. If you firewall request informations about an IP to a UserAgent (even if that IP is on internet), it will scan it.

If you don't want internet addresses to be scanned or IDed, look at your zone User Identification configuration and UserID doc in general.

We did have our Agents set to use Netbios so I disabled it, and now it seems to have quited down.

As far as zone ID goes we're only checking for IDs on our Trusted segment, IE: Trusted (Inside) -> Untrusted (Outside) -> Internet and not the reverse..

It's strange that those couple hosts would keep coming up... Hmmm..

Thanks guys!


If im not mistaken you can in the userid agent also filter which ip addresses it should lookup/handle.

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!