Event ID: 4226 Source: Tcpip

Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Comments
This event could represent a warning that a malicious program or a virus might be running on the system. To troubleshoot the issue, find the program that is responsible for the failing connection attempts and, if the program might be malicious, close the program as follows.

At the command prompt, type netstat -no. Find the process with a large number of open connections that are not yet established. These connections are indicated by the TCP state SYN_SENT in the State column of the Active Connections information. Note the process identification number (PID) of the process in the PID column. Press CTRL+ALT+DELETE and then click Task Manager. On the Processes tab, select the process with the matching PID, and then click End Process. If you need to select the option to view the PID for processes, on the View menu, click Select Columns, select the PID (Process Identifier) check box, and then click OK.
See the link to "Windows XP SP2 and Event ID 4226" for useful information about this event.
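The netstat triage described above can be scripted so that the per-PID count does not have to be done by eye. This is an added example, not code from EventID.net or Microsoft: it parses saved `netstat -no` output (the sample rows below are constructed, not a real capture), counts SYN_SENT rows per PID, and also reports how many distinct foreign hosts each PID is trying to reach, which separates a scanner from a program retrying one dead server. The default threshold of 10 is the XP SP2 limit on concurrent incomplete outbound connects.

```python
"""Triage helper for Event ID 4226: count half-open (SYN_SENT) outbound TCP
connections per process in captured `netstat -no` output."""
import re
from collections import Counter, defaultdict

# netstat -no row: Proto, Local Address, Foreign Address, State, PID.
_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Yield (local, foreign, state, pid) for every TCP row in the output."""
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            local, foreign, state, pid = m.groups()
            yield local, foreign, state, int(pid)

def half_open_summary(text):
    """Per PID: (number of SYN_SENT rows, number of distinct foreign hosts).
    Many SYN_SENT rows across many hosts is the scanning pattern this limit
    throttles; many rows to one host is usually a single unreachable server."""
    count, hosts = Counter(), defaultdict(set)
    for _local, foreign, state, pid in parse_netstat(text):
        if state == "SYN_SENT":
            count[pid] += 1
            hosts[pid].add(foreign.rsplit(":", 1)[0])  # strip the port
    return {pid: (count[pid], len(hosts[pid])) for pid in count}

def suspect_pids(text, threshold=10):
    """PIDs holding at least `threshold` half-open connections, worst first."""
    summary = half_open_summary(text)
    return sorted((p for p, (n, _h) in summary.items() if n >= threshold),
                  key=lambda p: -summary[p][0])

# Constructed sample, not a real capture: PID 3120 is spraying SYNs at five
# hosts, PID 1240 is retrying one unreachable host, PID 4 is a normal session.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1031      192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:1032      192.168.1.77:445       SYN_SENT        1240
  TCP    192.168.1.20:1033      192.168.1.77:445       SYN_SENT        1240
  TCP    192.168.1.20:1040      10.9.3.11:445          SYN_SENT        3120
  TCP    192.168.1.20:1041      10.9.3.12:445          SYN_SENT        3120
  TCP    192.168.1.20:1042      10.9.3.13:445          SYN_SENT        3120
  TCP    192.168.1.20:1043      10.9.3.14:445          SYN_SENT        3120
  TCP    192.168.1.20:1044      10.9.3.15:445          SYN_SENT        3120
"""
```

Feed it the output of `netstat -no > netstat.txt` taken while the event is being logged; a PID whose host count is close to its SYN_SENT count is the one to inspect in Task Manager first.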
I was getting this event intermittently when trying to print from a Windows XP machine with SP2 to a printer connected to a Windows 98 machine. Found a newsgroup post that suggested blocking connections on port 445. I have blocked this port in Windows Firewall (under Exceptions, File and Printer Sharing) and it seems to have alleviated the problem.
See "Changes to functionality in Microsoft Windows XP Service Pack 2" to find out what new functionality is added to TCP/IP in Windows XP Service Pack 2.

This event is more than likely to appear if the user is running a P2P application (e.g. Emule, BitTorrent, Kazaa, etc.). Stopping the application will also stop this event from reappearing.

As per Microsoft: "The TCP/IP stack in Windows XP with Service Pack 2 (SP2) installed limits the number of concurrent, incomplete outbound TCP connection attempts. When the limit is reached, subsequent connection attempts are put in a queue and resolved at a fixed rate so that there are only a limited number of connections in the incomplete state. During normal operation, when programs are connecting to available hosts at valid IP addresses, no limit is imposed on the number of connections in the incomplete state. When the number of incomplete connections exceeds the limit, for example, as a result of programs connecting to IP addresses that are not valid, connection-rate limitations are invoked, and this event is logged". See MSW2KDB for additional information on this issue.
Information taken from www.Bink.nu ArticleID=2208: "This new feature is one of the stack's "springboards", security features designed to proactively reduce the future threat from attacks like Blaster and Sasser that typically spread by opening connections to random addresses. In fact, if this feature had already been deployed, Sasser would have taken much longer to spread. It is not likely to help stop the spread of spam unless spammers are trying to reach open email relays in the same way, by opening connections on SMTP ports of random IP addresses. This is new with XP SP2 and we are trying to get it right so that it does not interfere with normal system operation or performance of normal, legitimate applications, but does slow the spread of viral code. New connection attempts over the limit for half-open connections are queued and worked off at a certain (limited rate)". See the link to "www.Bink.nu ArticleID=2208" and ME314053 for additional information on this problem.


Info quoted from ntcanuck.com forum: “The limit you are hitting only applies to connections in which the destinations are unreachable. You absolutely should not hit it if you are opening TCP connections to addresses that are live with an active listener on the destination port. It is enforced by the stack and has nothing to do with your firewall software (third party or ours). There is an improvement to this code, which we are planning for SP2 RTM”. See the link to “ntcanuck.com forum” for more details.

In plain English, if it occurs, there are many connection attempts to unreachable addresses, like IP scanning performed by a virus or a bad configuration.
