Firewall rules getting changed by Usermode Font Driver Host

Bill Morrissey 1 Reputation point
2021-06-17T14:29:05.32+00:00

Our servers are monitored by a security service that flagged several events in the security log as suspicious activity. The event ID 4946 was logged saying:

"A change was made to the Windows Firewall exception list. A rule was added.     Profile Changed: All    Added Rule:   Rule ID: {D6AD1878-3133-4581-99C8-75FE56B3DA96}   Rule Name: Usermode Font Driver Host    154443850
<date & time> <servername>/<serverIP> MSWinEventLog     1       Security        2064595 <date & time>        4946    Microsoft-Windows-Security-Auditing     N/A     N/A     Success Audit   <servername> MPSSVC Rule-Level Policy Chang.."

I'm reasonably certain that this was not malicious activity, since the firewall is actually disabled on the server and there is no reason for a hacker to change those rules. I suspect that this is a normal process caused by the Usermode Font Driver; in fact, the same security vendor dismissed some of these events because they occurred just after a reboot, but in this instance the server had not rebooted. The events showed a couple of rules related to the driver first removed and then re-added with a different Rule ID. Can anyone point me to some documentation that could explain this behavior? The server is Windows 2019 build 10.0.17763 and is pretty much fully patched on a regular basis. Thanks for any help you can give.

Windows Server 2019

6 answers

  1. Miles 1,266 Reputation points
    2021-06-18T07:43:50.217+00:00

    Hi

    Event ID 4946 means a change has been made to the Windows Firewall exception list and a rule was added.
    Here is a link about event ID 4946: event-4946

    To solve the problem caused by fontdrvhost.exe, we could try the following steps:

    1. Use Windows repair tools, such as cleanmgr and sfc /scannow, to look for the causes. Under most circumstances, this is a valid method.
    2. Update the Usermode Font Driver Host; we could find the update at this link: fontdrvhost-exe
      Please note: Information posted in this given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of the information.

    Best Regards

    --please don't forget to Accept as answer if the reply is helpful--


  2. Bill Morrissey 1 Reputation point
    2021-06-18T13:27:57.497+00:00

    Miles,
    Thanks for the response. I understand what the event is telling me, but I'm not convinced that it is any sort of an error; I believe that it's just as likely the driver doing exactly what it was designed to do. The question I am faced with is "Was this a malicious attack? Or is there a valid explanation?" I suppose "This happened because the driver is damaged" is a valid explanation, but then I need to prove it. I followed your link, but even their link takes me to an older version of the file than I have. My fontdrvhost.exe is version 10.0.17763.1757 from 2/17/21. The server has the June security updates, and https://support.microsoft.com/en-us/topic/june-8-2021-kb5003646-os-build-17763-1999-81e2ff5a-0769-4e56-8762-059dd6e0d6bb says that I have the latest build of the fontdrvhost.exe file. sfc did not find any problems.


  3. Miles 1,266 Reputation points
    2021-06-21T01:40:33.543+00:00

    Hi

    Sorry for the late response.
    If we want to know whether the event is a malicious attack, we could check the following:

    1. Check which account it runs under in Task Manager.
    If it’s running under the UMFD-0 account, then you’re sure it’s the real process and not a virus imitating it.
    If it isn’t under a UMFD-0 account, then your suspicion has probably been confirmed. Please run a dependable antivirus program to clear out viruses and harmful processes.

    2. Check the file path of the process.
    Please open Task Manager and look for the fontdrvhost.exe process.
    Right-click on it and go to Open File Location in the list of options.
    If the file path matches C:\Windows\System32 then the process is the real deal. If the file path does not match what is above, you definitely need to run a full scan of your system ASAP using a really good antivirus program.

    Please note: The fontdrvhost.exe file should be about 800 KB in size. If you find out that the size is considerably more than this, then something else might be wrong and you should do a full scan just to be sure.

    Best Regards

    --please don't forget to Accept as answer if the reply is helpful--


  4. Bill Morrissey 1 Reputation point
    2021-06-22T20:57:05.223+00:00

    I've seen comments about how big the file should be and that it generates accounts on the fly. My file is the right size and the right build number based on the latest security update, so I'm personally convinced that it is legit, but I'm not the one that I need to convince. I just got another alert today that the same process happened again (firewall rules removed and then added back in).
    I also found this article https://www.devbuzz.net/what-is-fontdrvhost-in-windows-10-is-it-a-malware/ that says that we can run wmic useraccount list full to confirm the account SID, but that command gives me an error. I'm assuming the error is because this happens to be a DC and doesn't have any local accounts per se. That article also says that the UMFD accounts are extremely limited in what they can do. Obviously they can change firewall rules, for whatever reason; is there any chance that the UMFD account can be exploited to do a hacker's bidding? Is there another way for me to confirm the SID of these accounts? They don't appear in AD or anywhere in the registry.


  5. Bill Morrissey 1 Reputation point
    2021-06-23T17:35:46.41+00:00

    Thanks for the info. The first article was interesting, but it didn't help me determine if these actions by the usermode font driver were valid; perhaps there are articles more focused on that one driver and what it is expected to do normally? The commands in the second article just ran against AD, since this is a DC, and it didn't find any UMFD accounts. Currently I see 4 instances of fontdrvhost.exe, each running with their own PID and account. We had a previous ticket for events like this and the SOC told us that it was normal to see these firewall rules recreated on a reboot, but I can't even find any way to corroborate that or find their source. Apparently these events will continue to happen; I'm thinking some sort of auditing or debug logging to catch the next event?
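The checks Miles lists (owning account, file path, file size) and the follow-up questions about confirming the UMFD account SIDs and catching the next rule change can be scripted. The following is an added example written for this thread, not code from any of the posters or from Microsoft; it assumes an elevated PowerShell session on the server and that the Security log is retaining 4946/4948 events (4948 is the matching "rule was deleted" event, which covers the remove-then-re-add pattern described above).

```powershell
# Added example (not from the thread): review firewall exception-list changes
# attributed to the font driver host and verify the running fontdrvhost.exe
# instances. Read-only; it reports, it does not change anything.

# 1. Pull 4946 (rule added) and 4948 (rule deleted) events and keep those whose
#    rule name mentions the font driver host. Field names come from the event XML.
$ruleEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946, 4948 } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id            # 4946 = added, 4948 = deleted
            Profile  = $d['ProfileChanged']
            RuleId   = $d['RuleId']
            RuleName = $d['RuleName']
        }
    } | Where-Object { $_.RuleName -like '*Font Driver Host*' }
$ruleEvents | Sort-Object Time | Format-Table -AutoSize

# 2. For each running fontdrvhost.exe: owner account and SID (answers the
#    "how do I confirm the UMFD SID on a DC" question without wmic useraccount),
#    image path, on-disk size, and Authenticode signature status.
$expectedPath = Join-Path $env:SystemRoot 'System32\fontdrvhost.exe'
Get-CimInstance Win32_Process -Filter "Name = 'fontdrvhost.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $sid   = Invoke-CimMethod -InputObject $_ -MethodName GetOwnerSid
    $path  = $_.ExecutablePath
    $size  = if ($path -and (Test-Path $path)) { (Get-Item $path).Length } else { 0 }
    $sig   = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'n/a' }
    [pscustomobject]@{
        PID       = $_.ProcessId
        Owner     = "$($owner.Domain)\$($owner.User)"   # expected: UMFD-<session>
        SID       = $sid.Sid
        Path      = $path
        PathOK    = ($path -ieq $expectedPath)          # expected: True
        SizeKB    = [math]::Round($size / 1KB)          # Miles: roughly 800 KB
        Signature = $sig                                # expected: Valid
    }
} | Format-Table -AutoSize
```

If the Security log does not already carry these events on another host, the relevant audit subcategory is "MPSSVC Rule-Level Policy Change" under Policy Change, which can be enabled with auditpol.exe so the next occurrence is captured with the same fields.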

