Blog | G5 Cyber Security

Block DiagTrack to Stop Malware

TL;DR

Malware often uses DiagTrack for outbound communication. This guide shows you how to block it using Windows Firewall, preventing the malware from sending data and potentially receiving instructions.

Blocking DiagTrack Outbound Connections

  1. Understand DiagTrack: Diagnostic Track (DiagTrack) is a Microsoft service that collects usage and diagnostic data. The service itself is legitimate, but malware can abuse it as a channel to reach the outside. Blocking its outbound connections helps isolate an infected system.
  2. Open Windows Firewall with Advanced Security:
    • Press the Windows key + R to open the Run dialog box.
    • Type wf.msc and press Enter.
  3. Create a New Outbound Rule:
    • In the left pane, click “Outbound Rules”.
    • In the right pane, click “New Rule…”.
  4. Rule Type – Program:
    • Select “Program” and click Next.
  5. Specify the Program Path:
    • Select “This program path:”.
    • Enter C:\Windows\System32\DiagTrack.exe in the box.
    • Click Next.
  6. Action – Block the connection:
    • Select “Block the connection” and click Next.
  7. Profile – All Profiles:
    • Ensure all three profiles (Domain, Private, Public) are checked. This ensures the rule applies regardless of network type.
    • Click Next.
  8. Name and Description:
    • Give the rule a descriptive name like “Block DiagTrack Outbound”.
    • Add an optional description, e.g., “Prevents DiagTrack from sending data after malware infection”.
    • Click Finish.
  9. Verify the Rule:
    • In the Outbound Rules list, find your newly created rule and ensure it’s enabled (green checkmark).
  10. (Optional) Block Related Processes: Malware may use related processes. Consider blocking these as well:
    • Repeat steps 2-7 for the following paths if they exist on your system:
      • C:\Program Files\Microsoft\OneCore\DiagTrack.exe
      • C:\Windows\System32\svchost.exe (be cautious blocking svchost, as it hosts many legitimate services – investigate before blocking)
  11. Monitor Network Activity: Use a network monitoring tool (e.g., Wireshark, Resource Monitor) to confirm DiagTrack is no longer initiating outbound connections.
    netstat -ab | findstr "DiagTrack.exe"

    This command will show any active connections associated with DiagTrack.
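The same outbound block and its verification can be scripted. The following is an added example written for this page; it is not code from the G5 Cyber Security post. It uses the built-in NetSecurity module to create the rule from steps 2-9, resolves the executable from the DiagTrack service's configured ImagePath instead of trusting a hard-coded path, and, where that executable turns out to be svchost.exe (the caution in step 10), scopes the rule to the DiagTrack service so other hosted services keep their connectivity. It then checks the rule as in step 9 and inspects live connections as in step 11, keyed on the service's PID rather than on an executable name. The rule name and description come from step 8; the variable names and the path regex are assumptions made here. Run it from an elevated PowerShell prompt on Windows 10/11.

```powershell
# Added example (not from the original post): build, verify and audit the
# "Block DiagTrack Outbound" rule with PowerShell's NetSecurity module.
# Requires an elevated prompt. Rule name/description are taken from step 8;
# variable names and the regex below are assumptions of this example.

$RuleName    = 'Block DiagTrack Outbound'
$Description = 'Prevents DiagTrack from sending data after malware infection'

# Resolve what actually runs the DiagTrack service instead of trusting a hard-coded path.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DiagTrack'"
if (-not $svc) {
    Write-Warning 'No DiagTrack service on this system; nothing to block.'
    return
}
Write-Host "DiagTrack ImagePath: $($svc.PathName)"

# Pull the executable out of the ImagePath (handles quoted paths and trailing
# arguments such as svchost's "-k <group> -p").
if ($svc.PathName -notmatch '^"?(?<exe>.+?\.exe)"?') {
    throw "Could not parse an executable out of '$($svc.PathName)'"
}
$exe = $Matches['exe']

# Make the script re-runnable: drop any earlier rule with the same display name.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$ruleParams = @{
    DisplayName = $RuleName
    Description = $Description
    Direction   = 'Outbound'
    Action      = 'Block'
    Enabled     = 'True'
    Profile     = 'Domain', 'Private', 'Public'   # step 7: all three profiles
    Program     = $exe
}
if ([IO.Path]::GetFileName($exe) -ieq 'svchost.exe') {
    # The service is hosted inside svchost.exe, which also hosts many legitimate
    # services (the caution in step 10). Scope the rule to the DiagTrack service
    # only, so the other services in that process keep their connectivity.
    $ruleParams['Service'] = 'DiagTrack'
}
New-NetFirewallRule @ruleParams | Out-Null

# Step 9: confirm the rule exists, is enabled, blocks outbound traffic and covers all profiles.
$rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Name      = $rule.DisplayName
    Enabled   = $rule.Enabled
    Direction = $rule.Direction
    Action    = $rule.Action
    Profile   = $rule.Profile
    Program   = ($rule | Get-NetFirewallApplicationFilter).Program
    Service   = ($rule | Get-NetFirewallServiceFilter).Service
} | Format-List

# Record dropped packets so the block shows up in the firewall log (pfirewall.log),
# not merely as an absence in netstat output.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True

# Step 11: list live connections owned by the service's process, found by PID.
# If DiagTrack shares an svchost with other services, their connections appear
# here too; treat a hit as a prompt to investigate, not as proof of DiagTrack traffic.
$svcPid = $svc.ProcessId
if ($svcPid) {
    $conns = Get-NetTCPConnection -OwningProcess $svcPid -ErrorAction SilentlyContinue |
        Where-Object State -eq 'Established'
    if ($conns) {
        $conns | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State | Format-Table
    } else {
        Write-Host "No established connections from PID $svcPid."
    }
} else {
    Write-Host 'DiagTrack service is not running; no process to inspect.'
}
```

Resolving the path from the service configuration matters because the executable name the firewall rule must match is whatever the service's ImagePath actually points to on the machine in front of you; the `-Service DiagTrack` scoping is the scripted equivalent of the "Apply to this service" setting on a rule's Programs and Services tab in wf.msc.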
