Our servers are monitored by a security service that flagged several events in the security log as suspicious activity. The event ID 4946 was logged saying:
"A change was made to the Windows Firewall exception list. A rule was added. Profile Changed: All Added Rule: Rule ID: {D6AD1878-3133-4581-99C8-75FE56B3DA96} Rule Name: Usermode Font Driver Host 154443850
<date & time> <servername>/<serverIP> MSWinEventLog 1 Security 2064595 <date & time> 4946 Microsoft-Windows-Security-Auditing N/A N/A Success Audit <servername> MPSSVC Rule-Level Policy Chang.."
I'm reasonably certain that this was not malicious activity, since the firewall is actually disabled on the server and there is no reason for a hacker to change those rules. I suspect that this is a normal process caused by the Usermode Font Driver; in fact, the same security vendor dismissed some of these events because they occurred just after a reboot, but in this instance the server had not rebooted. The events showed a couple of rules related to the driver first removed and then re-added with a different Rule ID. Can anyone point me to some documentation that could explain this behavior? The server is Windows 2019 build 10.0.17763 and is pretty much fully patched on a regular basis. Thanks for any help you can give.
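As an added triage example (not from the original post or the security vendor), the script below parses the Rule ID and Rule Name out of MPSSVC rule-change messages and separates the delete-then-re-add pattern described above (event 4948 followed by 4946 for the same rule name with a new GUID) from rules that simply appeared with no preceding deletion. The sample records are constructed, and the wording of the 4948 message and the sequence-number windowing are assumptions.

```python
import re

# Microsoft-Windows-Security-Auditing event IDs for firewall rule-level policy changes
RULE_ADDED, RULE_DELETED = 4946, 4948
RULE_RE = re.compile(r"Rule ID:\s*(\{[0-9A-Fa-f-]+\})\s*Rule Name:\s*(.+?)\s*$")

# Constructed sample records: (sequence number, event ID, message text).
# The 4948 message wording is an assumption modelled on the 4946 text in the post.
SAMPLE_EVENTS = [
    (1, RULE_DELETED, "A change was made to the Windows Firewall exception list. "
        "A rule was deleted. Profile Changed: All Deleted Rule: "
        "Rule ID: {11111111-0000-0000-0000-000000000001} "
        "Rule Name: Usermode Font Driver Host 154443850"),
    (2, RULE_ADDED, "A change was made to the Windows Firewall exception list. "
        "A rule was added. Profile Changed: All Added Rule: "
        "Rule ID: {D6AD1878-3133-4581-99C8-75FE56B3DA96} "
        "Rule Name: Usermode Font Driver Host 154443850"),
    (3, RULE_ADDED, "A change was made to the Windows Firewall exception list. "
        "A rule was added. Profile Changed: All Added Rule: "
        "Rule ID: {22222222-0000-0000-0000-000000000002} "
        "Rule Name: Constructed Unknown Rule"),
]


def parse_rule(message):
    """Return (rule_id, rule_name) from a 4946/4948 message, or None if absent."""
    m = RULE_RE.search(message)
    return (m.group(1), m.group(2)) if m else None


def triage(events, window=10):
    """Classify each 4946 (rule added) event by rule ID.

    'recreated': a 4948 (rule deleted) for the same rule name but a different
    rule ID precedes it within `window` records, i.e. the delete-then-re-add
    pattern. 'new': no matching deletion, so the rule deserves a closer look.
    """
    recent_deletes = {}  # rule name -> (sequence, rule ID) of the latest deletion
    verdicts = {}
    for seq, event_id, message in sorted(events):
        parsed = parse_rule(message)
        if parsed is None:
            continue
        rule_id, rule_name = parsed
        if event_id == RULE_DELETED:
            recent_deletes[rule_name] = (seq, rule_id)
        elif event_id == RULE_ADDED:
            prior = recent_deletes.get(rule_name)
            if prior and prior[1] != rule_id and seq - prior[0] <= window:
                verdicts[rule_id] = "recreated"
            else:
                verdicts[rule_id] = "new"
    return verdicts
```

Pointing this at exported 4946/4948 records lets you confirm whether every "suspicious" addition is paired with a deletion of the same rule name, which is what the post's evidence suggests.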