Firefox flooding event log with connection errors at boot up
I was looking at my event log tracking down one issue when I noticed hundreds of audit failures (outbound connection blocked) in my event log.
Firefox is not even running. I've just started my computer. It's trying to make a connection to google @ 34.107.221.82.
Fortunately something is blocking the connection attempt, but why is Firefox making hundreds of connection attempts when I haven't even opened firefox? How do I stop it?
I looked in task scheduler and couldn't see anything there. Looked at group policy, couldn't see anything there.
FF91.13.0esr
Okulungisiwe
All Replies (9)
Recent versions of Firefox may be scheduled to check for updates in the Windows Task Scheduler. I don't know whether that was the case with the Extended Support Release of Firefox 91, but you could check.
I had that thought too. I checked the scheduler - there are no tasks.
I believe there was also a default browser task as well, but again, there are no tasks in my task scheduler.
I have updates blocked via group policy. I would have thought that would prevent an update check, but perhaps not. I roll out updates on a schedule which doesn't neccesarily align with Mozilla's releases.
Checked the registry for startup and startup approved tasks but nothing there either.
You have updates blocked via DisableAppUpdate? That definitely should stop Firefox checking for updates for the application. Firefox still might update the phishing/malware and extension blocklists. But I don't think those run on an external scheduler, so it's unclear why Firefox might be starting up.
The fact that the connections are blocked and you didn't set up the block implies that Windows is blocking them for other reasons. Possibly it's an attempted connection triggered by sending Windows a URL to open in the default browser? But the fact that it is blocked suggests its not just some informational/marketing page. ??
Current Firefox releases use GCP (Google Cloud Platform) and GCS (Google Cloud Storage) to store data where previously AWS was used and if it fails to access this cloud storage then you may see extra retries.
I will do a virus scan, though I'm pretty sure my system is clean. Just checked a couple of PCs here. They are all doing the same thing. "To store data"? Why would Firefox want to store any data in the cloud? What data is it storing (or attempting to) Well, I'll guess I'll just live with it. Windows is blocking the connection so that's good. What worries me though is what's not being blocked... IMHO FF should not be sending anything, particularly if it's not running. Time to install Wireshark :)
Okulungisiwe
As promised, an update.
The address 34.107.221.82 was mistakenly identified as belonging to another program which I had blocked in my firewall. Firefox doesn't just attempt to make this outbound connection ata start up, it does it (when firefox is not running) at periodic intervals. I have not been able to track down the source of that.
Firefox opens to a local webpage with no external content and makes 16 TCP outbound connections. Some of these are beling blocked by my hosts file*. Leaving the browser open on my internal homepage Firefox will continue to make what seems to be an endless number of connections to various IP addresses at github, googleusercontent, amazomnaws and various other destinations.
I have disabled things like telemetry, studies, feedback, updates, default browser agent and others, but the connections continue. Data is being sent out according to wireshark and Windows resource monitor. Some of these connections are over port 443 so I assume it to be sensitive information, perhaps identifying personal information. I find this to be most curious.
Some of the IP addresses include; 34.160.144.191, 34.160.122.198, 34.210.191.84, 34.149.128.2, 34.213.121.129 35.85.116.246, 35.164.243.166, 35.241.9.150, 35.86.38.2, 35.165.1.70 52.89.44.161, 52,88,63,243 54.148.242.254, 54.187.71.119, 54.90.106.26, 54.86.32.22 185.199.108.153
Some of these connections are made, whatever is transferred is transferred, the connection closed, then the same IP address connected again a few minutes later. Some remain open indefinately.
I stopped watching after 10 minutes, but firefox was still opening up outbound connections on additional IP addresses.
- My hosts file blocks social networking sites, porn, trackers, ad sites, potentially malicious websites. I don't think FF is sending data to porn sites or malicious sites, so possibly all of the rest.
I don't know why FF would want to be sending data to so many sites on a persistent basis. Even when not running.
Okulungisiwe
This article documents most of the connections: How to stop Firefox from making automatic connections.
The problem with using a firewall log for monitoring is that the request details -- including the host name on large hosting sites -- are not recorded. You need to use an HTTP proxy, or perhaps Firefox's HTTP logging option, to find that information.
- Example proxy: Fiddler classic @ https://www.telerik.com/download/fiddler
- logging: https://firefox-source-docs.mozilla.org/networking/http/logging.html (note: the internal URL to start/stop logging changed in Firefox 108)
You can also check about:networking for more detail.. I see several 34.xx and 35.xx and 52.xx IPs listed there.
ocsp.digicert.com ipv4 true 93.184 content-signature-2.cdn.mozilla.net ipv4 true 34.160 contile.services.mozilla.com ipv4 true 34.117 firefox.settings.services.mozilla.com ipv4 true 35.241 shavar.services.mozilla.com ipv4 true 52.35 push.services.mozilla.com ipv4 true 52.37 54.201 52.43 52.36 35.161 52.38 54.149 52.89
Hey thanks for that.
I wasn't actually looking for any problem initially. I was looking at something else in the eventlog and just happened to notice that the firefox connection had been blocked. That started me on a quest to find out what else was going on :)
I shall have a read of the stuff you have linked to.
I'm stuck on 91.13esr. I know I need to get off that version as it's unsupported. I'm struggling with dark mode issues and a line under the tab which i can't get rid of. Someone did say using a theme with dark text would fix it, but apart from not being able to find a decent theme that fits our tastes, it doesn't resolve the issue anyway. If I can ever get rid of the dark mode on the popups and dialog boxes I'll be moving to 102esr. The problem with dark mode is it's impossible for older people and vision imparied people to read.