Hi Jason,

I have doubts if this feature works as it should:
in my case, for any application launched to reach network AppDefend issues an alert about the "system" trying to connect. It is repeated until I check "allow always" network access for system. In that case I have no more network related alerts, even if new programs are trying to connect. Seems like it was only a global switch, not application based. For info, I am running Win2K Pro.
Thank you for any comments.

isnogood

hi isnogood,

is your "DNS Client" service running? if so, please disable and try again. hope this helps.

Yes I do run DNS client service. I'll have to change my firewall settings when I disable it, but reflection made it effectively may be the reason of my problem. Thanks for the hint, Alley, I will try this evening. Nevertheless, it is still strange that Appdefend does not detect the application originating the call, but indicates the system service.
isnogood

Ok, I tried to desactivate DNS client service, but it does not help. I still have only "system" process alerts (different process Id). For example, when I start firefox, the first alert is loopback (127.0.0.1) then it indicates unknown IP's and ports. This is repeated multiple times before I get effectively connected, and later on when browsing. It's really unusable. Any other ideas, please ? Am the only one experiencing this ?

-{ Quote: "Ok, I tried to desactivate DNS client service, but it does not help. I still have only "system" process alerts (different process Id). For example, when I start firefox, the first alert is loopback (127.0.0.1) then it indicates unknown IP's and ports. This is repeated multiple times before I get effectively connected, and later on when browsing. It's really unusable. Any other ideas, please ? Am the only one experiencing this ?" }-
Are your alerts about Unknown IP's and Ports possibly what Jason is talking about at the bottom of this message, http://www.wilderssecurity.com/showpost.php?p=610767&postcount=2? If you can, a screenshot of the alert would be helpful. My experience with Maxthon, an IE based browser, is once I Always Allowed Network Access I have not gotten those alerts again.

Just for clarity I have to ask, what did you do to stop the DNS Client Service? It is a 2 step process; 1 - stop the service if it is running, and 2 - set the service to Disabled to prevent it from starting again. Another thing is you will probably be presented with an alert for svchost.exe wanting Network Access, this is normal Windows XP uses svchost.exe for DNS resolution with your ISP's DNS servers.

-{ Quote: "...when I start firefox, the first alert is loopback (127.0.0.1) then it indicates unknown IP's and ports. This is repeated multiple times before I get effectively connected, and later on when browsing. It's really unusable. Any other ideas, please ? Am the only one experiencing this ?" }-Firefox will try to connect to 127.0.0.1 (the loopback address) on startup - it is apparently for the Password Manager feature. If you do not use this, you can block such connections but since AppDefend's network access is all-or-nothing you really need to allow it.

Svchost will request network access for DNS lookups if the DNS Client Service is running but disabling this, as per Disciple's post, will mean DNS lookups being done by the application itself (i.e. every application that tries to connect will then start with a DNS request). Svchost does also handle DHCP so you will need to allow it access if you are using it (almost certainly yes) but otherwise you could probably it from doing anything else.

Svchost is a good example of the problems with allow-or-deny network control - some things (DHCP, DNS) are critical and blocking them will result in loss of network access while others are optional (NTP for clock synchronisation) and some downright dangerous (DCOM/RPC).

Paranoid, I know all about this DNS/DHCP stuff. Except that for me it's not svchost but system, because I am on Win2k, not on XP. The first loopback connection is also common for many browsers, IE will also call 127.0.0.1 at first. I have special rule in my firewall (Tiny) to allow that. In my original setup I have been running DNS client service, so DNS lookup was always done by system, not the application itself. That's why I thought that Alley could be right in his post. So I desactivated DNS service (properly, verified) and created rules in the firewall to allow all internet applications to call DNS port themselves (originally they may only connect to a specific port like HTTP,HTTPS,FTP etc).
To my surprise, this does not help. I still have only alerts concerning system, not the calling application. The DHCP is still handled by system but I don't think I can stop this service without loosing network access. Not sure, but I believe DHCP cannot be handled by user applications.

-{ Quote: "Originally Posted by Disciple
My experience with Maxthon, an IE based browser, is once I Always Allowed Network Access I have not gotten those alerts again." }-
Me too, if I set "Allow Always" for system, I have no alerts, that's normal. But if you start Maxthon - do you have alerts about svchost/system or about Maxthon ??
This is my principal question actually. I don't see any sense of this feature if the switching on/off permission for system means de facto allowing/denying any application the network access.
In this case it is better to plug off the modem cable or use the "block all" / "allow all" button of your firewall. Really, I can't imagine this is the purpose of the network access control developed by Jason. I rather think of a bug or not finished feature in beta version.

Jason, please, can you comment on this ?

-{ Quote: "Paranoid, I know all about this DNS/DHCP stuff. Except that for me it's not svchost but system, because I am on Win2k, not on XP." }-For Win2K this should be services.exe - can you confirm this?-{ Quote: "The first loopback connection is also common for many browsers, IE will also call 127.0.0.1 at first." }-This should only happen if you are running a proxy server (e.g. a web filter like Proxomitron or anonymising client like JAP or Tor) - or have anti-virus software with a web-filtering option (e.g. NOD32's IMON - try disabling it if you have).-{ Quote: "The DHCP is still handled by system but I don't think I can stop this service without loosing network access. Not sure, but I believe DHCP cannot be handled by user applications." }-The only way to avoid using DHCP is to use a static IP address. If you connect via a router (and therefore always receive a 192.168.x.x address) you can do this via the Network Properties for your LAN connection.

-{ Quote: "Originaly posted by Paranoid2000
For Win2K this should be services.exe - can you confirm this?" }-
Yes, that's right.
-{ Quote: "This should only happen if you are running a proxy server." }-
Are you sure? I have a direct connetction, without proxy, and as I recall Firefox still needed loopback rule enabled. But that doesn't matter in fact.
-{ Quote: "The only way to avoid using DHCP is to use a static IP address. If you connect via a router (and therefore always receive a 192.168.x.x address) you can do this via the Network Properties for your LAN connection." }-
I am behind a router and I already have a fixed local adress, but I never disabled DHCP service. I will try this, thanks.
Nevertheless, can you tell me if you other guys also experience the same behaviour, or you have network access alerts based on application name ?

isnogood

Well, I disabled both DNS and DHCP services, set properly my local IP and DNS server adresses in the Network Connection Properties.
The behaviour od AppDefend does not change, however.

Let me describe the alerts I have when I start Firefox:

1) AD Alert: system -> loopback connection
2) AD Alert: system -> Udp send (unknown IP/port)
AD Alert: system -> Udp send (unknown IP/port)
3) AD Alert: system -> Connection (remote IP , port 80) - Mozilla
5) AD Alert: system -> Udp send (unknown IP/port)
AD Alert: system -> Udp send (unknown IP/port)

Browser window is now open. These alerts correspond exactly to my firewall logs for firefox.exe. Now, If I set "allow always" network access for system.exe, I have no more alerts for any other application connecting outside.

isnogood

-{ Quote: "Are you sure? I have a direct connetction, without proxy, and as I recall Firefox still needed loopback rule enabled. But that doesn't matter in fact." }-Firefox will for the Password Manager feature as mentioned above. However you did mention loopback connections for IE also and that should only occur with a proxy.

-{ Quote: "Not sure, but I believe DHCP cannot be handled by user applications." }-
Nor should it be, I can't see any reason a user application would need to have any involvement with a NIC getting/refreshing an IP address. That is more a function of the OS. Well I guess there might be some third party software that does Internet Connection Sharing, which in that case might/would need to handle DHCP.

-{ Quote: "Me too, if I set "Allow Always" for system, I have no alerts, that's normal. But if you start Maxthon - do you have alerts about svchost/system or about Maxthon ??" }-
No, all is quiet. However if svchost.exe does not have internet access (Network Access), no application can connect to an internet destination. Svchost.exe has some involvement with DNS resolution between said app and the internet. In your case services.exe may have the same functionality of involvement with DNS resolution that svchost.exe does on XP. Which may come down to a change in how things are done between the older W2k OS and the newer XP OS.

-{ Quote: "This is my principal question actually. I don't see any sense of this feature if the switching on/off permission for system means de facto allowing/denying any application the network access.
In this case it is better to plug off the modem cable or use the "block all" / "allow all" button of your firewall. Really, I can't imagine this is the purpose of the network access control developed by Jason. I rather think of a bug or not finished feature in beta version.

Jason, please, can you comment on this ?" }-
Or if you think of the Network Access function from the stand point of who developed AppDefend and the firewall (GhostWall) from the same person/company it may make more sense. GhostWall, as I understand it, operates on inbound packets only and does nothing for outbound connections. In the GS Freeware board there are two threads dedicated to Application Control in GhostWall, and I think it is mentioned in some other threads as well. Now comes AppDefend and as one of its many features is the ability to Allow/Deny, on a per application basis, Network Access. Is there program overlap between Network Access in AD and say your firewall, yes. But no more so than say the program overlap that exists between say; Spybot S&D, Ad-Aware, PestPatrol, or MS Antispyware, just to name a few. Its there for you to choose whether to use it or not, you can edit the .Default setting for this to Allow and then control it with your preferred application.

-{ Quote: "Originally posted by Disciple
Or if you think of the Network Access function from the stand point of who developed AppDefend and the firewall (GhostWall) from the same person/company it may make more sense. GhostWall, as I understand it, operates on inbound packets only and does nothing for outbound connections..." }-

This is exactly my point of view, Disciple. In my understanding, Jason does not want to add any application control to the GhostWall, to keep it simple and light. Very good, it's fine like that. I won't ever use it because my router does exactly the same job, but is clearly interesting option for many people. Its popularity prooves it. Now, I believe that Network Access component in AppDefend is something going in the direction of the outbond control, to make happy other kind of guys. The idea makes sense, obviously. Of course it may overlap with many existing security apps, especially firewalls but the choice is yours. Personally I use Tiny, which covers all network and system security aspects. This overlap does not bother me actually, I'm testing only. Perhaps I will dump Tiny one day if I find AppDefend or other program worth it.
What I do not understand, is the purpose of actual implementation of Network Access control, because it is not application based at all. I can't choose separate rules for different applications event the most simple as allow or block, since for firefox.exe or backdoor.exe I get always an alert telling me that it's service.exe willing to connect outside. It does not inform me what program is in the origin of the call. That does not make sense for me.

isnogood

-{ Quote: "This is exactly my point of view, Disciple. In my understanding, Jason does not want to add any application control to the GhostWall, to keep it simple and light. Very good, it's fine like that. I won't ever use it because my router does exactly the same job, but is clearly interesting option for many people. Its popularity prooves it. Now, I believe that Network Access component in AppDefend is something going in the direction of the outbond control, to make happy other kind of guys. The idea makes sense, obviously. Of course it may overlap with many existing security apps, especially firewalls but the choice is yours. Personally I use Tiny, which covers all network and system security aspects. This overlap does not bother me actually, I'm testing only. Perhaps I will dump Tiny one day if I find AppDefend or other program worth it.
What I do not understand, is the purpose of actual implementation of Network Access control, because it is not application based at all. I can't choose separate rules for different applications event the most simple as allow or block, since for firefox.exe or backdoor.exe I get always an alert telling me that it's service.exe willing to connect outside. It does not inform me what program is in the origin of the call. That does not make sense for me.

isnogood" }-

It could be an issue due to you using Windows 2000 operating system. I will take a look into this for a future build.

-{ Quote: "Firefox will for the Password Manager feature as mentioned above. However you did mention loopback connections for IE also and that should only occur with a proxy." }-

I'm not sure if this has anything to do with it but if you go to internet options in ie, connections, then lan settings, uncheck the automatically detect settings box, this may have something to do with ie checking 127.0.0.1 or proxies. I doubt this will solve the services.exe thing but I was just reading along and thought about it.

Best of luck
Marc

-{ Quote: "Originally Posted by Jason_R0
It could be an issue due to you using Windows 2000 operating system. I will take a look into this for a future build." }-
Thanks, Jason. At least I am confirmed it is a bug, no intended feature ;) I am really interested to see all the future developement of AppDefend. Looks very promising.

-{ Quote: "Originally Posted by MAL1234
I'm not sure if this has anything to do with it but if you go to internet options in ie, connections, then lan settings, uncheck the automatically detect settings box, this may have something to do with ie checking 127.0.0.1 or proxies. I doubt this will solve the services.exe thing but I was just reading along and thought about it." }-

No, aparently it's a browser feature, not depending of the internet option/connection settings, at least if you use direct connection. If you disable DNS and DHCP services, yo need to fix your local IP and DNS server adresses in the connection parameters. Anyway, it has nothing to do with the problem.

isnogood

I would like to be able to specify allowed and dis-allowed IP and port ranges for each application. This would help to harden network protection.

-{ Quote: "I would like to be able to specify allowed and dis-allowed IP and port ranges for each application. This would help to harden network protection." }-

If there is any chance to have this, I will buy this product the next hour.

Regards
joter

-{ Quote: "
Is there program overlap between Network Access in AD and say your firewall, yes. But no more so than say the program overlap that exists between say; Spybot S&D, Ad-Aware, PestPatrol, or MS Antispyware, just to name a few." }-

Kind of misleading example I think. Logically, Spybot, ad-aware etc depend on signatures to detect malware, so there is some gain if the signature databases are different. Emperically, we have seen reports that yes, it's a good idea to use several scanners since any single one miss quite a bit.

I don't think this applies to Network access on either grounds. Not unless you are one of those people who believe the word "redunancy" can justify everything.

-{ Quote: "I would like to be able to specify allowed and dis-allowed IP and port ranges for each application. This would help to harden network protection." }--{ Quote: "If there is any chance to have this, I will buy this product the next hour." }-There are several firewalls that already offer this feature. While it would be an improvement on the existing AD network access control, it would also require more monitoring of network traffic (hence more CPU usage) and a significant expansion of the AD code and UI to cover all the configuration possibilities (TCP and UDP protocols, other IP protocols like ICMP, IGMP, IPv6, RIP, port ranges, address ranges, network interface, stateful inspection options, etc) which could only detract from AD's current focus on application control.

If Jason wishes to add a fully-fledged firewall to his suite, more power to him. But doing one that covers all the necessary network-related options is a major piece of work (take a look at the pace and range of updates for Look'n'Stop for an example of how difficult it is for a lone developer to keep up with everything) and I'd suggest that the process/registry control area is the part of Windows security less served by current offerings - and therefore in more need of new utilities.

-{ Quote: "Kind of misleading example I think." }-
Not really when taken in the context of what Network Access does.
-{ Quote: "Logically, Spybot, ad-aware etc depend on signatures to detect malware, so there is some gain if the signature databases are different. Emperically, we have seen reports that yes, it's a good idea to use several scanners since any single one miss quite a bit." }-

I agree with you about this, but to borrow a word from you, but with those programs there are "redundant" detections.
-{ Quote: "I don't think this applies to Network access on either grounds. Not unless you are one of those people who believe the word "redundancy" can justify everything." }-
Not at all. I am "one of those people" that believe in using what works for the given hardware and situation. I accept the fact that with computer programs I may/will have to put up with some amount of redundancy. I made that statement from the point of view that if you deny a program Network Access if AD then it does not get access to any network be it a LAN or the Internet, and that statement holds true for a firewall. Take for example Spybot, to update its signature file it must access the Internet. Now deny/block that access in your firewall what happens, Spybot does not get updated. Similarly if Spybot has Internet access permission in the firewall but not in AD what happens, again Spybot does not get updated. Network access must be allowed in both programs where they are both running on a computer, for Spybot to update its self.

I don't have an AD log entry to back this up but I believe I have seen an AD Alerts for Network Access to the localhost, 127.0.0.1, also Win XP uses 239.255.255.250 to talk to its self. Which all of this really boils down to how a program/programmer defines/detects network access.

-{ Quote: "

I agree with you about this, but to borrow a word from you, but with those programs there are "redundant" detections.
" }-

Some of them yes, but not all of them. It's not the other part, that isn't overlapping that is really useful. E.g if you told me ad-aware detected exactly the same stuff as spybot I wouldn't borther using both unless i buy the redunacy idea. In fact, they differ not only in detection ability but also removal ,so things are not so straight forward.

But I don't think anyone is claiming Network access in AD can block events different from that of a firewall. Or are you? If so, than yes, you can start using the example of people running spybot and ad-aware.

If not, you are just being misleading.



-{ Quote: "
Take for example Spybot, to update its signature file it must access the Internet. Now deny/block that access in your firewall what happens, Spybot does not get updated. Similarly if Spybot has Internet access permission in the firewall but not in AD what happens, again Spybot does not get updated. Network access must be allowed in both programs where they are both running on a computer, for Spybot to update its self.
" }-

Yes you mean your firewall works exactly like Network access for appdefend.


-{ Quote: "
I don't have an AD log entry to back this up but I believe I have seen an AD Alerts for Network Access to the localhost, 127.0.0.1, also Win XP uses 239.255.255.250 to talk to its self. Which all of this really boils down to how a program/programmer defines/detects network access." }-

That's an interesting comment, based on the idea that AD network access would notice something that a firewall wouldn't.

But you do know that for many if not most firewalls, these events (including localhost) would be detected too, right?

-{ Quote: "I don't have an AD log entry to back this up but I believe I have seen an AD Alerts for Network Access to the localhost, 127.0.0.1," }-There are several possible causes here: You are using a hosts file that redirects known ad/malware domains to 127.0.0.1 (in order block access to the real domain); You are using proxy software (e.g. web filtering software like Proxomitron - some anti-virus web and email scanners also work in this fashion); Some software (e.g. Firefox) tries to connect to itself; Some Windows components (e.g. Microsoft Management Console) use 127.0.0.1 to communicate with other parts of Windows.In many cases, even though the 127.0.0.1 address doesn't involve Internet access, a connection to it is very likely to precede such access so receiving a warning on this would be useful in many cases.-{ Quote: "also Win XP uses 239.255.255.250 to talk to its self." }-This is Universal Plug and Play - best disabled if you don't need it (i.e. you don't have a router needing uPnP) since it does pose security risks.

Paranoid2000 wrote:

-{ Quote: "You are using proxy software (e.g. web filtering software like Proxomitron - some anti-virus web and email scanners also work in this fashion);" }-

correct, or perhaps a Anti-Spam application or a network- tool/application
etc.

Perhaps you can download Port Explorer and check for yourself:
http://www.diamondcs.com.au/portexplorer/index.php?page=download

-{ Quote: "Some of them yes, but not all of them. It's not the other part, that isn't overlapping that is really useful. E.g if you told me ad-aware detected exactly the same stuff as spybot I wouldn't borther using both unless i buy the redunacy idea. In fact, they differ not only in detection ability but also removal ,so things are not so straight forward." }-
Exactly, I am only talking about Network Access in AD and Application Control in a firewall. I am only pointing out that the Network Access in AD and Application Control of a firewall are similar enough in end result to be considered redundant features. I agree that each product arrives at the end result in a different way, if they did not I would suspect some legal posturing happening between the two companies.

-{ Quote: "But I don't think anyone is claiming Network access in AD can block events different from that of a firewall. Or are you? If so, than yes, you can start using the example of people running spybot and ad-aware.

If not, you are just being misleading." }-
No I am not. I would be very surprised that Network Access in AD would function as it does in a firewall, however the end result is still the same. I still stand by my analogy of the redundancy of some detections in Ad-Aware and Spybot when comparing the end result of AD's Network Access and Application Control in a firewall.

-{ Quote: "That's an interesting comment, based on the idea that AD network access would notice something that a firewall wouldn't.

But you do know that for many if not most firewalls, these events (including localhost) would be detected too, right?" }-
My firewall of choice for my desktop computer does not alert me to any traffic over the computers LocalHost, while AD does present an alert when a program/component wants this access. i.e. This morning AD alerted me that acrord32.exe, Adobe Reader 7.0, wanted network access to 127.0.0.1:4034 while my firewall did not. The only way I would find out about this in my firewall would be to read the log file regularly, not something I am interested in doing. So in this instance AD actively pointed out an activity, while the firewall did not. Which, for me, gives me a proactive means of knowing what is going on with the programs on my computer.

-{ Quote: "There are several possible causes here:

You are using a hosts file that redirects known ad/malware domains to 127.0.0.1 (in order block access to the real domain);
You are using proxy software (e.g. web filtering software like Proxomitron - some anti-virus web and email scanners also work in this fashion);
Some software (e.g. Firefox) tries to connect to itself;
Some Windows components (e.g. Microsoft Management Console) use 127.0.0.1 to communicate with other parts of Windows." }-No host file or proxy software, but most likely one of your last two reasons from above.

-{ Quote: "In many cases, even though the 127.0.0.1 address doesn't involve Internet access, a connection to it is very likely to precede such access so receiving a warning on this would be useful in many cases.This is Universal Plug and Play - best disabled if you don't need it (i.e. you don't have a router needing uPnP) since it does pose security risks." }-
See my example about acrord32.exe in my response to xmen, the last paragraph, from looking at the firewall log yes it did precede internet access. I may be wrong, but doesn't UPnP use ports 1900 and 5000?

-{ Quote: "Exactly, I am only talking about Network Access in AD and Application Control in a firewall. I am only pointing out that the Network Access in AD and Application Control of a firewall are similar enough in end result to be considered redundant features. I agree that each product arrives at the end result in a different way, if they did not I would suspect some legal posturing happening between the two companies. " }-

Do they really "Arrive at the end result in a different way"?

-{ Quote: "

My firewall of choice for my desktop computer does not alert me to any traffic over the computers LocalHost, while AD does present an alert when a program/component wants this access. i.e. This morning AD alerted me that acrord32.exe, Adobe Reader 7.0, wanted network access to 127.0.0.1:4034 while my firewall did not. The only way I would find out about this in my firewall would be to read the log file regularly, not something I am interested in doing. So in this instance AD actively pointed out an activity, while the firewall did not. Which, for me, gives me a proactive means of knowing what is going on with the programs on my computer." }-

What exactly is your firewall? A lot of firewalls have default rules that allow all traffic to local host. For many of these, you can turn off the rule to manage it yourself. The result is exactly the same as using AD.

I suspect your ignorance of loopback issues in your firewall is making you think AD is doing something special.

My firewall for example alerts me to _all_ network access.

-{ Quote: "Originaly posted by Disciple
My firewall of choice for my desktop computer does not alert me to any traffic over the computers LocalHost, while AD does present an alert when a program/component wants this access. i.e. This morning AD alerted me that acrord32.exe, Adobe Reader 7.0, wanted network access to 127.0.0.1:4034 while my firewall did not. The only way I would find out about this in my firewall would be to read the log file regularly, not something I am interested in doing. So in this instance AD actively pointed out an activity, while the firewall did not. Which, for me, gives me a proactive means of knowing what is going on with the programs on my computer." }-

If your firewall logs these connestions to LocalHost, it is most likely able to alert you about them, exactly like AD. This simply depends on your firewall rules and settings: traffic detected => ignore/log/alert/block. For known, authorized applications, logging about localhost connections is largely sufficient.

-{ Quote: "I may be wrong, but doesn't UPnP use ports 1900 and 5000?
" }-

That's right: local UPnP uses adress 239.255.255.250 (multicast), connecting to ports TCP 1900 and UDP 5000.

isnogood

I have the same issue, but on XP Home SP2, so it is definitely not Win2K specific. Has there been any status update on this?

Jason promised to look at this earlier in this thread, but the current beta has still this problem. I also realized that it is not limited to network access. On several occasions I had process modification alerts having the same problem, ie. alerts were about "system" instead indicating a specific application.

isnogood

Same here - I've had to give "system" terminate permissions.

Another thing I noticed last night was that AppDefend stopped prompting me on execution of apps that it hadn't "learned" about yet. But now, not only have the execution prompts resumed, but so have the network access prompts, even though "system" has permission. It seems that maybe these two issues are related somehow.

I've also had several system lock-ups where the AppDefend prompt only partly appears, and the desktop pretty much freezes. In all cases but a couple, I had to hit the reset button, since I couldn't kill AD with the task manager. If this continues, I'll have to give up and uninstall it.

-{ Quote: "
I've also had several system lock-ups where the AppDefend prompt only partly appears, and the desktop pretty much freezes. In all cases but a couple, I had to hit the reset button, since I couldn't kill AD with the task manager. If this continues, I'll have to give up and uninstall it.
" }-

Glad to hear that i'm not the only one
If you have fast user switching you can press windows-L to switch user and then end task using another admin account, or simply going to standby mode seam to take care of the freeze