You don’t need a firewall for this. A mere netstat -bf on Windows will also showcase currently established connections:
Proto Local Address Foreign Address State
TCP 10.0.1.25:54457 m2052.contabo.host:https ESTABLISHED
TCP 10.0.1.25:54592 18.104.22.168:https TIME_WAIT
TCP 10.0.1.25:54594 22.214.171.124:https TIME_WAIT
TCP 10.0.1.25:54598 a104-125-38-50.deploy.static.akamaitechnologies.com:http TIME_WAIT
TCP 10.0.1.25:54599 a-0001.a-msedge.net:https TIME_WAIT
TCP 10.0.1.25:54600 a-0001.a-msedge.net:https TIME_WAIT
TCP 127.0.0.1:1101 localhost.localdomain:54467 ESTABLISHED
TCP 127.0.0.1:1101 localhost.localdomain:54468 ESTABLISHED
TCP 127.0.0.1:1101 localhost.localdomain:54469 ESTABLISHED
TCP 127.0.0.1:54467 localhost.localdomain:1101 ESTABLISHED
TCP 127.0.0.1:54468 localhost.localdomain:1101 ESTABLISHED
TCP 127.0.0.1:54469 localhost.localdomain:1101 ESTABLISHED
So, what we’re seeing here… “m2052.contabo.host” is basically VPository.
126.96.36.199 is also known as ns1.msft.net and seems to be a regular DNS server. However, do note the TIME_WAIT: it doesn’t make an actual connection.
a104-125-38-50.deploy.static.akamaitechnologies.com puzzled me at first, but a Google search pointed me to the Akamai website. They’re a cloud hosting provider, and Visual Paradigm relies more heavily on net-based functionality these days, so there’s also not much of a surprise here.
Then we’re down to a-0001.a-msedge.net. It has 2 IP addresses:
omicron:/home/peter $ dig a-0001.a-msedge.net
; <<>> DiG 9.11.2 <<>> a-0001.a-msedge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61978
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a-0001.a-msedge.net. IN A
;; ANSWER SECTION:
a-0001.a-msedge.net. 28 IN A 188.8.131.52
a-0001.a-msedge.net. 28 IN A 184.108.40.206
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 28 07:43:30 CET 2017
;; MSG SIZE rcvd: 80
The IP addresses don’t really tell me much but checking for a-msedge.net in the whois database directs me straight to Microsoft.
Specifically, the MarkMonitor website, which also looks very legitimate to me; it’s basically an online service used to protect brands and services from abuse (hackers).
The rest are merely local connections (as you can see).
So summing up: I can’t reproduce your findings.
When I’m using the “Community Circle” option more data gets sent across, but that’s logical behaviour because that option establishes a website connection from within Visual Paradigm. Is it possible that you used something similar?
From what I can tell Visual Paradigm uses the Chromium engine which is used to establish (HTTP) connections, for example with Community Circle and VPository, but those are not rogue connections.
Also noteworthy is that the Visual Paradigm website utilizes Google Analytics.
So I think that’s what you’re seeing here. Nothing malicious is going on; the program is merely pulling in web data from the website, which in turn also contacts Google Analytics.
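The triage the post walks through by hand (ignore the loopback pairs, set the TIME_WAIT entries aside, look at what is left and which process owns it) can be scripted. The following is an added example, not code from the original post or from Visual Paradigm: it parses the text format of `netstat -bf` (the `-b` switch prints the owning process as a bracketed `[name.exe]` line under each connection; closing-state sockets such as TIME_WAIT have no owner line) and reports only the external connections that are actually established, grouped by process. The sample input is constructed from the hostnames quoted above; the process name `example-app.exe` is a placeholder, not a real binary.

```python
"""Triage Windows 'netstat -bf' output: drop loopback traffic and closing-state
sockets, then group the remaining external connections by owning process."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the netstat output quoted in the post above.
# netstat -b prints the owning process on the line after the connection;
# '[example-app.exe]' is a placeholder process name used only for this demo.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address              State
  TCP    10.0.1.25:54457        m2052.contabo.host:https     ESTABLISHED
 [example-app.exe]
  TCP    10.0.1.25:54592        18.104.22.168:https          TIME_WAIT
  TCP    10.0.1.25:54599        a-0001.a-msedge.net:https    TIME_WAIT
  TCP    127.0.0.1:1101         localhost.localdomain:54467  ESTABLISHED
 [example-app.exe]
  TCP    127.0.0.1:54467        localhost.localdomain:1101   ESTABLISHED
 [example-app.exe]
"""

# A connection line: proto, local endpoint, foreign endpoint, optional state (UDP has none).
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The owning-process line that netstat -b prints beneath a connection.
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# TCP states in which the socket is winding down rather than carrying traffic.
TRANSIENT = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK"}


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str
    process: Optional[str] = None


def split_endpoint(endpoint: str):
    """Split 'host:port'; the port follows the last colon, so bracketed IPv6 hosts work too."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str):
    """Turn raw netstat -b text into Conn records, attaching each process line to the
    connection printed directly above it. Header lines and 'Can not obtain ownership
    information' lines match neither pattern and are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            lhost, lport = split_endpoint(local)
            rhost, rport = split_endpoint(remote)
            conns.append(Conn(proto, lhost, lport, rhost, rport, state or ""))
            continue
        m = PROC_RE.match(line)
        if m and conns and conns[-1].process is None:
            conns[-1].process = m.group(1)
    return conns


def _is_loopback_host(host: str) -> bool:
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name netstat resolved for us
        return False


def is_loopback(conn: Conn) -> bool:
    """True for the local-only pairs (127.0.0.1 <-> localhost) that never leave the host."""
    return _is_loopback_host(conn.local_host) or _is_loopback_host(conn.remote_host)


def external_connections(conns, include_transient: bool = False):
    """Connections worth a second look: off-host and, by default, not in a closing state."""
    return [c for c in conns
            if not is_loopback(c) and (include_transient or c.state not in TRANSIENT)]


def by_process(conns):
    """Map owning process -> list of 'host:port' it is talking to ('<unknown>' if netstat
    printed no owner, as it does for TIME_WAIT sockets)."""
    groups = {}
    for c in conns:
        groups.setdefault(c.process or "<unknown>", []).append(f"{c.remote_host}:{c.remote_port}")
    return groups


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    for proc, remotes in by_process(external_connections(parsed)).items():
        print(f"{proc}: {', '.join(remotes)}")
```

On a real machine, feed it the live output instead of the sample (`netstat -bf` needs an elevated prompt for `-b` to report owners), and pass `include_transient=True` to also list the TIME_WAIT entries when you want to see where a process recently connected rather than where it is connected right now.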