Blocking Adobe Reader or BITS?


pantezuma
May 18th, 2010, 10:05 PM
Hi to all.
I've been testing LNS after my fresh Install of Windows 7.
Sadly I installed Adobe Reader 9 and blocked all its attempts to connect to Internet.
A few seconds later, I noticed that I had some internet activity, so I discovered that Adobe Reader somehow uses svchost (maybe via BITS) to download its updates and LNS wasn't able to block it (I saw this via LNS interface showing me active connections).
Is there a way to block this?
I don't know that much about networking or BITS (I tried to find a way just to allow Windows Update connections using this service but wasn't able to).
Thanks in advance for any help!

Cudni
May 19th, 2010, 04:32 PM
it might be using some other .exe to download, there was a change in the autodownloader. I doubt it is using bits or svchost for downloading updates. Check other Adobe related .exe running or scheduled to run.

Triple Helix
May 19th, 2010, 04:43 PM
I have this part of Adobe Blocked this may help! Have a look at this thread as to the file! http://forums.adobe.com/thread/522601

TH

pantezuma
May 20th, 2010, 09:11 AM
Hi to all.
Thanks for your reply.
Anyway I'm pretty sure of what I saw and being that I had previously blocked all Adobe apps and the network activity was due only to svchost, I'm really thinking that Adobe Reader uses BITS as a last resource to update itself.
Please read following thread:

http://forums.comodo.com/empty-t55882.0.html

Anyway I'm not sure if blocking this kind of access is under the scope of LNS or Windows. I mean, if any software can use BITS to call home bypassing firewalls it's a problem.

Cudni
May 20th, 2010, 02:21 PM
try blocking AdobeARM.exe and see if you are prompted by LNS for access as I think you will be

pantezuma
May 20th, 2010, 03:29 PM
I already did that and didn't work.
Even more, I blocked everything related to Adobe that asked my permission (putting LNS in advanced mode).
I read somewhere that Adobe Reader first tries to update via AdobeARM.exe and if it fails it does it via BITS.
I'm sure that the only network activity before I had the "New update notification" from adobe was svchost's (it lasted for about 10 or 15 seconds).
Anyway, I uninstalled this and went to a more reliable and simpler PDF reader... I don't need something that tries to connect to Internet all the time just to read PDFs... (I know I can uncheck automatic updates, but just don't feel comfortable with that kind of software).
My question was directed to whether it is possible for a certain program to use BITS to avoid a firewall and if LNS was able to block this (even when this might be a MS flaw).
Thanks anyway!

Phant0m
May 20th, 2010, 09:03 PM
I don’t use Adobe Reader, but don’t be fooled, just because updaters say something like ‘no updates available’, often they say this or something similar even when they fail to make a connection.

Have the main adobe Reader application set with the deny attribute for allowing software that will connect (requires advanced mode enabled).


Not sure why anyone would want to block Adobe Reader updates, Adobe Reader is one of the most known targeted applications existing today. They are constantly releasing vulnerability patches, which people shouldn’t put off.



Regards,
Phant0m

pantezuma
May 21st, 2010, 08:14 AM
Hi!
I know that a lot of apps report "Not updates available" when they can't connect to their server.
My point wasn't that I didn't want to update Adobe Reader. My point is that it did update itself even when I blocked all related applications in LNS and I'm pretty sure it did it using svchost.
Maybe my English is not as good as I thought!
I was worried by whether any software (call it Adobe Reader or whatever) can use BITS (svchost) to update itself or download stuff without the user notice or consent.
That's all I was worried about!!!

no-idea4
May 23rd, 2010, 11:29 AM
I discovered the same behavior by Adobe about two months ago and it alarmed me so much I uninstalled it and switched to PDF-XChange PDF Viewer, which has its own issues, but at least I can control whether it connects out to internet. What if other software starts using adobe tactics? I am no firewall expert but I have used LnS since the Becky forum days and I could not stop adobe even after blocking every likely .exe associated with adobe-the svchost and bits thing now explains the situation to me.

Cudni
May 23rd, 2010, 11:33 AM
-{ Quote: " I could not stop adobe even after blocking every likely .exe associated with adobe-the svchost and bits" }-
that is strange, I also have Adobe and it certainly does not update without my say so

no-idea4
May 23rd, 2010, 12:01 PM
The behavior is when you initiate update there is no lns alert whether to allow it or not and even after you have blocked dlls and exes update still connects - granted you have to initiate update.

Phant0m
May 23rd, 2010, 12:15 PM
Like Cudni, I’ve never observed this.

It would be interesting to see if you still get the same message when you have BITs service entirely disabled first. ;)

no-idea4
May 23rd, 2010, 12:51 PM
If I remember correctly - I updated adobe - got alert - clicked allow this session. I then removed adobe from lns applications allow list. Removed adobe dlls from lns options. Went back to adobe updater to check update prefs, got lns alert - chose do not allow - adobe seemed to connect, got response no updates available (so it could have been as you said, you may receive this response because adobe couldn't connect). Blocked all likely adobe exes, dlls and initiated adobe update - adobe still seemed to connect. Removed adobe completely from lns applic, dll list - rebooted - initiated adobe update - now no lns alert and adobe seemed to connect - of course no updates were available because I had already updated. Uninstalled adobe - did reg cleaning, folder removal etc. - reinstalled adobe and from then on when I initiated adobe updater I no longer got any lns alert box and adobe seemed to connect and connections were in lns log. This was version 9.1 or 9.2. Found situation alarming - do not have expertise - just communicating that I experienced similar situation to original poster.

Cudni
May 23rd, 2010, 01:11 PM
-{ Quote: "adobe seemed to connect" }- what does that mean? did it connect or not, what did you use to verify? LNS is a well accomplished firewall and if well configured will block almost everything. And certainly Adobe; not that there is any reason to do so in home environment.

Phant0m
May 23rd, 2010, 01:22 PM
There is another means to know for certain, from the Internet Filtering layer, place an outgoing www-http blocking with logging rule... If Application filtering layer fails to block Adobe updater, you’d see the requests to adobe updater server being logged on the Look ‘n’ Stop - ‘Log’ screen. ;)

no-idea4
May 23rd, 2010, 02:50 PM
It means what I said - I am not certain it connected. I have used lns for years and find it to be the best firewall for me. I have received much support from Frederic and Phant0m over the years and thought it might be something they with their extreme expertise might want to investigate. I am sure there is a way to block this behavior but I did not choose to investigate it. As to adobe - I have no problem with them either. I did not want to get into a chirping match with you. I will post no more and reply no more to this topic. Over and out.

Phant0m
May 23rd, 2010, 03:18 PM
no-idea4, & pantezuma, thanks for posting your observations.

Frederic will investigate this, he probably uses bulky Adobe Reader anyways. :)

Triple Helix
May 23rd, 2010, 03:49 PM
-{ Quote: "no-idea4, & pantezuma, thanks for posting your observations.

Frederic will investigate this, he probably uses bulky Adobe Reader anyways. :)" }-

Hey so do I ;)

TH

pantezuma
May 23rd, 2010, 04:16 PM
Hey!
Thanks to all for your concern.
I remember exactly what I did first time.
LNS was set to Advanced Mode and password protected with "Lock All" enabled.
Suddenly I realized there was some internet activity (just after installing / ran Adobe Reader and before disabling automatic updates on its interface).
So I clicked LNS and saw the only active application was svchost.
After a few seconds I received a message alert in Sys Tray telling me that the "New Adobe Reader update was downloaded and ready to be installed".
As I had LNS password protected and with "Lock All" enabled I didn't receive any warning (later I blocked AdobeARM.exe and everything else, but nothing changed).
If you google "adobe reader +BITS" or "adobe reader +svchost" you'll find some other posts like this and other users worries about this issue.
Again, I don't know if blocking this is under LNS scope or if it's Microsoft who should let the user configure BITS and set which applications are allowed to use it.
Thanks again!:)

Phant0m
May 23rd, 2010, 05:40 PM
Curiosity finally got the best of me... I installed Adobe Reader and investigated the Updater, it does appear to use BITs service (svchost.exe) if the original means fails to make a connection ... persistent bugger!!

The SVCHOST.EXE is usually one of the first alerts you get when you first have installed Look ‘n’ Stop, if you would have denied that from the beginning, you wouldn’t have the leak. ;)

Unfortunately Look ‘n’ Stop doesn’t give you much control to what can use the trusted applications that’s making the connection.

If you want to block BITs support for all other applications, try configuring SVCHOST.EXE application filtering entry to deny TCP connections to IP address range outside of Microsoft.

BITs is there, any product can use it, to ditch Adobe Reader because of its persistence to ensure user gets critical or otherwise .. updates ... is simply silly. ;)

Cudni
May 23rd, 2010, 06:17 PM
-{ Quote: "Curiosity finally got the best of me... I installed Adobe Reader and investigated the Updater, it does appear to use BITs service (svchost.exe) if the original means fails to make a connection ... persistent bugger!!
" }-
Persistent indeed. Does it not honour if its own update is deselected? What if the following key is placed?

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockdown]
"bUpdater"=dword:00000000
Funny thing is I don't see such behaviour with Adobe Acrobat (standard or pro) nor is any other means of updating invoked

Phant0m
May 23rd, 2010, 06:35 PM
I don’t know, the experiment was with the default install of the latest version or version they have listed on their official product website. Anything else would be irrelevant. ;)

Cudni
May 23rd, 2010, 06:45 PM
-{ Quote: "I don’t know, the experiment was with the default install of the latest version or version they have listed on their official product website. Anything else would be irrelevant. ;)" }-
Understood. Just one more question to clarify for me. You specifically denied access to Adobe reader, the best you could, and yet it accessed the net?

Phant0m
May 23rd, 2010, 06:59 PM
LOL! yes, I did it properly. :P Everything associated with Adobe was set to deny for both attributes on the Application filtering screen.

Cudni
May 23rd, 2010, 07:02 PM
-{ Quote: "LOL! yes, I did it properly. :P Everything associated with Adobe was set to deny for both attributes on the Application filtering screen." }- well, if you didn't do it properly ;)

It wasn't that, I find the whole thing a little bit disappointing as I think a firewall should be able to deny access to any app

Phant0m
May 23rd, 2010, 07:23 PM
But we are referring to a special case where communication to the Windows BITS likely not using Network environment, not until BITS processes things. Frederic would likely have to implement HIPs-like capability .. to monitor applications trying to work with Windows BITS.

You can still control the actual SVCHOST connections, like doing what I’ve said previously.

.. I also think Frederic should implement way to control a list of parent processes that is allowed to use trusted applications making the connections. ;)

Cudni
May 23rd, 2010, 07:27 PM
-{ Quote: "But we are referring to a special case where communication to the Windows BITS likely not using Network environment, " }- sure, but on specific command the firewall should have blocked the (any) communication with the outside world for that app and it didn't. In any case, hopefully LNS will be enhanced further

Stem
May 24th, 2010, 04:37 AM
-{ Quote: "sure, but on specific command the firewall should have blocked the (any) communication with the outside world for that app and it didn't." }-

But it is not that application making the internet connection, it is setting a job for BITS. You would need to get an HIPs that will intercept the internal comms and/or watch the BITS service/reg start entry.

I am not actually sure as to how many firewalls/HIPS will actually intercept this, but it has been a known issue for a few years.


- Stem
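
An added example, not part of the original thread: since the application only queues a job and svchost.exe performs the transfer, one way to see what an application-level firewall rule misses is to audit the BITS queue by destination host. The function name `Test-BitsJobDestination`, the allow-list suffixes and the sample jobs are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Assumption: these suffixes are illustrative, not a complete list of Microsoft update hosts.
$AllowedSuffixes = @('.microsoft.com', '.windowsupdate.com')

function Test-BitsJobDestination {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Job,
        [string[]] $AllowedHostSuffix = $AllowedSuffixes
    )
    process {
        foreach ($file in $Job.FileList) {
            # RemoteName is the URL (or UNC path) that svchost.exe fetches on the caller's behalf.
            $uri = $null
            $ok = [System.Uri]::TryCreate([string]$file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)
            $hostName = if ($ok) { $uri.Host.ToLowerInvariant() } else { '' }
            $allowed = $false
            foreach ($suffix in $AllowedHostSuffix) {
                # Match the bare domain or a true subdomain, so "notmicrosoft.com" does not pass.
                if ($hostName -eq $suffix.TrimStart('.') -or $hostName.EndsWith($suffix)) { $allowed = $true }
            }
            [pscustomobject]@{
                DisplayName = $Job.DisplayName
                Owner       = $Job.OwnerAccount   # the user that queued the job, not the executable
                State       = $Job.JobState
                RemoteName  = $file.RemoteName
                Allowed     = $allowed
            }
        }
    }
}

# Constructed sample jobs (not captured data) so the function can be tried offline.
$sampleJobs = @(
    [pscustomobject]@{ DisplayName = 'Constructed OS update job'; OwnerAccount = 'NT AUTHORITY\SYSTEM'; JobState = 'Transferring'
        FileList = @([pscustomobject]@{ RemoteName = 'http://download.windowsupdate.com/example.cab' }) },
    [pscustomobject]@{ DisplayName = 'Constructed third-party job'; OwnerAccount = 'PC\user'; JobState = 'Queued'
        FileList = @([pscustomobject]@{ RemoteName = 'http://updates.example.com/reader.msi' }) }
)
$sampleJobs | Test-BitsJobDestination | Where-Object { -not $_.Allowed } | Format-Table -AutoSize

# On a live system, from an elevated prompt, audit the real queue instead:
#   Import-Module BitsTransfer; Get-BitsTransfer -AllUsers | Test-BitsJobDestination
```

BITS records the owning account of a job rather than the process that created it, so this shows which user queued a transfer and where it goes, not which program asked for it.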

Cudni
May 24th, 2010, 05:22 AM
-{ Quote: "But it is not that application making the internet connection, it is setting a job for BITS. You would need to get an HIPs that will intercept the internal comms and/or watch the BITS service/reg start entry.

I am not actually sure as to how many firewalls/HIPS will actually intercept this, but it has been a known issue for a few years.


- Stem" }- What is the job of the firewall? I think it is to block an application, should the user decide, from communicating with the outside world. Don't care how, even if the app somehow tries to send a messenger pigeon...shoot it. I believe LNS can be made to do so and indeed there are few FW that can do it (obviously not shoot the poor pigeons ;) ).

Stem
May 24th, 2010, 06:20 AM
-{ Quote: "What is the job of the firewall?" }-

Packet filtering.


- Stem

Cudni
May 24th, 2010, 07:31 AM
-{ Quote: "Packet filtering.


- Stem" }-

In the true sense of the word yes but the firewalls of today, for better or for worse, do more than just that.

Triple Helix
June 13th, 2010, 01:52 PM
Frederic can we get some input from you on how to control BITS with Look'n'Stop?

TIA,

TH