Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)
I noticed event ID 5156 is filling up my event logs. It logs one or two of these events literally every 2-3 seconds. Now my security logs are useless. I run SEP 11, which takes control of the Windows Firewall as well as using its own firewall. I googled and found that anti-virus software can be responsible for this behavior (like McAfee) and saw how I could disable logging of this event with auditpol.

My question is: how can I be sure that this is my anti-virus software doing this? I can't see anything in the log itself that would link this to my antivirus product. The source address listed is always the broadcast address of my subnet and the destination is any computer I make ANY network connection to (file servers, DCs, etc).

Here is what I am seeing:

The Windows Filtering Platform has permitted a connection.

Application Information:
    Process ID: 4
    Application Name: System

Network Information:
    Direction: Inbound
    Source Address: mybroadcast.address.for.subnet
    Source Port: 137
    Destination Address: IP.of.destination.PC
    Destination Port: 137
    Protocol: 17

Filter Information:
    Filter Run-Time ID: 0
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

I haven't really found too much info on event ID 5156, or at least info I can make that much sense of. Would I ever really need this event to be logged? And why would my anti-virus software cause so many of these events?
June 16th, 2011 8:54am

I don't know why I didn't think of this before, but I just disabled my AV software and this is still happening. Is there possibly some auditing setting for Windows Firewall I might have turned on?
June 17th, 2011 11:21am

Hi,

This would be caused by the following Security Auditing policy:

Audit Filtering Platform Connection

Hope it helps.

Alex Zhao
June 20th, 2011 6:12am

This didn't really answer the question. I am getting the same thing, but I'm wondering how to determine what it means by System, as there are no services associated with System, and why both source and destination ports are 137. How can we determine what process or service is creating these logs with this information? Thanks.
June 21st, 2012 3:18pm
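
An added example, not written by any poster in this thread: one way to check whether the Filtering Platform Connection audit subcategory is enabled and to see which application, protocol and port combinations account for the 5156 volume. The 2000-event sample size is an arbitrary choice. In the event quoted in the first post, protocol 17 is UDP and port 137 is the NetBIOS name service, which Windows handles in kernel mode and therefore reports as process ID 4, System.

```powershell
# Added example. Run from an elevated PowerShell prompt on the machine
# that is logging the events (reading the Security log requires admin rights).

# 1. Is the audit subcategory that generates 5156 turned on?
auditpol /get /subcategory:"Filtering Platform Connection"

# 2. Pull a sample of recent 5156 events (sample size is an arbitrary choice).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } `
                       -MaxEvents 2000 -ErrorAction Stop

# 3. Flatten the named EventData fields of each event into one object.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        ProcessId   = $data['ProcessID']
        Application = $data['Application']   # "System" for kernel-mode traffic
        Protocol    = $data['Protocol']      # 6 = TCP, 17 = UDP
        SourceAddr  = $data['SourceAddress']
        SourcePort  = $data['SourcePort']
        DestAddr    = $data['DestAddress']
        DestPort    = $data['DestPort']
    }
}

# 4. Which application / protocol / port combinations dominate the sample?
$rows |
    Group-Object -Property Application, Protocol, SourcePort, DestPort |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# 5. How many events per minute is the subcategory producing?
$rows |
    Group-Object -Property { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object -Property Name |
    Select-Object -Last 10 -Property Name, Count

# 6. If permitted-connection auditing is not needed, this turns off success
#    auditing for the subcategory (5156 is a success event). Left commented
#    out so the script is read-only by default.
# auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
```

If the policy is applied by Group Policy, a local auditpol change will be overwritten at the next policy refresh, so the setting has to be changed in the GPO instead.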

This topic is archived. No further replies will be accepted.
