McAfee Desktop firewall 8.5 port 1034 open
Ludow
June 23rd, 2005, 10:23 AM
Hi!
I just installed McAfee Desktop firewall. When I do online scans (grc.com and pc.flank), they say port 1034 is open. How can I close that port? Computer is scanned with several AV's and other malware proggies.
Thanks,
Ludow
musicman
June 23rd, 2005, 01:29 PM
Hello Ludow:
I suggest going to the McAfee website and downloading the manual PDF file on the firewall; this should give you the necessary info on how to stealth port 1034. Also, if you wish, contact tech support; they also should help.
Ludow
June 23rd, 2005, 01:36 PM
Thanks for the reply. Have a great one.
CrazyM
June 23rd, 2005, 03:50 PM
You could try doing a netstat to determine which process is listening on that port (likely a Windows service) and then check your firewall rules for that service and make sure it is not allowing inbound connections.
Regards,
CrazyM
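An added example (not part of CrazyM's post and not McAfee tooling): the netstat check suggested above, automated in Python. It parses `netstat -ano` output, keeps the listening sockets for a given port, classifies the bind address, and joins the PID against `tasklist /fo csv /nh` output; both samples and the process names in them are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       2240
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.20:1051      203.0.113.7:80         ESTABLISHED     3044
  UDP    0.0.0.0:1034           *:*                                    2240
"""

# Constructed sample of `tasklist /fo csv /nh`; process names are placeholders.
TASKLIST_SAMPLE = '''\
"svchost.exe","912","Services","0","4,120 K"
"example_sync.exe","2240","Console","0","6,332 K"
"example_helper.exe","1480","Console","0","2,048 K"
'''


def parse_listeners(netstat_text):
    """Return TCP sockets in LISTENING state and bound UDP sockets."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = parts[0], parts[1]
        # TCP rows carry a state column; UDP rows do not.
        if proto == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")  # rpartition copes with [::]:135
        rows.append({"proto": proto, "addr": addr.strip("[]"),
                     "port": int(port), "pid": int(parts[-1])})
    return rows


def exposure(addr):
    """Classify the bind address: what can reach this socket if nothing filters it."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.is_loopback:
        return "loopback-only"
    if ip.is_unspecified:
        return "all-interfaces"
    return "single-interface"


def load_process_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    return {int(r[1]): r[0]
            for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}


def who_listens(port, netstat_text=NETSTAT_SAMPLE, tasklist_csv=TASKLIST_SAMPLE):
    """List (proto, addr, exposure, pid, image) for every listener on `port`."""
    names = load_process_names(tasklist_csv)
    return [(s["proto"], s["addr"], exposure(s["addr"]), s["pid"],
             names.get(s["pid"], "unknown"))
            for s in parse_listeners(netstat_text) if s["port"] == port]


if __name__ == "__main__":
    for row in who_listens(1034):
        print(row)
```

A listener reported as `all-interfaces` is the case the online scanners see as open; the inbound firewall rule to review is the one for the image name returned for that PID.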
Ludow
June 23rd, 2005, 06:00 PM
Hi CrazyM. Thanks for the advice. Nokia's mrouter (mobile device) was listening/opened that port. It's sorta strange cause other FWs don't do that. It must be a FW-specific "feature". So McAfee's Desktop 8.5 FW ain't waterproof.
Best regards,
Ludow
Kerodo
December 18th, 2005, 10:50 PM
Has to be your configuration there. I am using this firewall right now with great results. I am extremely impressed with it. Perhaps you can create a rule for that app to block any inbound traffic? That might do it.
Arup
December 18th, 2005, 10:54 PM
Yep, it's bulletproof, one of the best offerings to come out currently and that too surprisingly from McAfee, check out SSC review at http://www.fluxgfx.com/ssc/showthread.php?goto=newpost&t=173
Kerodo
December 18th, 2005, 11:04 PM
Yep, this is a real nice firewall guys.. Been using it here for a while today, on Jazzie's recommendation. Very cool..
I didn't realize this thread was so ancient, sorry. But this one deserves mention. Nice rule based firewall with IDS and some excellent anti-hooking features as well. Kinda like a firewall/ids/anti-hook combo that's really nice. Light as well. Very light.
Highly recommended anyway... for anyone wanting to try it out. See the link Arup posted above or check out this one also:
http://www.mcafee.com/us/products/mcafee/host_ips/desktop_firewall.htm
CrazyM
December 18th, 2005, 11:37 PM
McAfee acquired Signal 9 (ConSeal PC Firewall) some time ago, and it was a solid packet filter. Perhaps McAfee Desktop Firewall is where they have taken development of that code to.
Regards,
CrazyM
Arup
December 18th, 2005, 11:50 PM
Crazy M,
I would guess so, it does look quite familiar to Conseal, especially the rule making.
Jazzie1
December 19th, 2005, 01:43 AM
Hi all!
I want to stress that while in learning mode with either the packet filter and/or the application filter, the fw will ask permission for every connection attempt(s). I don't have any 'inbound' rules so I disable the inbound learning. Plus, it is not necessary to have the ids enabled if you don't have any inbound services! Meaning all your ports closed!!! By default you should place your clients behind the 'High Client Security' policy---
Regards
Jazzie
muf
December 19th, 2005, 05:04 PM
Well I just tried to download this v8.5 McAfee Firewall. Filled in the form and hey presto! tells me I'm in a country that USA can not sell to by law. So please tell me, since when did the USA change the law so that they can't sell to a resident of the United Kingdom? What hope for the firewall if their form can't even recognise I'm in England!!!
muf
shoe
December 19th, 2005, 07:24 PM
Good question, I would post it here.
http://forums.mcafeehelp.com/viewforum.php?f=45&sid=d946097fde3b02ae01d16ab5f6d717bf
Chuck57
December 20th, 2005, 12:05 AM
I downloaded McAfee Desktop firewall a few hours ago and have a question. In View - Firewall policy I have enable firewall checked, learn mode I have incoming enabled NOT checked and outgoing checked. Does that sound right, or should they both be checked? Haven't made any incoming rules, and the firewall shows fully stealthed at grc.com, pcflank, and at Sygate.
I like this firewall. All I need to do is justify to myself why I need another one. This could become my main firewall.
Jazzie1
December 20th, 2005, 01:41 AM
Yes that is correct! Even if you would have incoming checked, McAfee would still ask you if the connection is ok to establish.. Like I stated before, if you don't have any inbound connection(s) then leave the inbound learning rule off... You will notice that if you turn off the app hook-app/monitor learning mode that nothing else that isn't already on your list will be able to connect. So it is a good idea to let the learning mode stay enabled for a few days (running all the apps that connect to the inet) and then turn it off... Also set the policy to high client security..
Regards
Jazzie
Chuck57
December 20th, 2005, 10:08 AM
Thanks, Jazzie1. Got it, except for Client Security Policy. I don't see anything anywhere about it. It's listed in the help files, but doesn't say where to find it. I've checked all 4 of the policy areas.
Jazzie1
December 20th, 2005, 10:15 AM
Hi! On the Firewall Policy page (first page) there is a drop-down arrow for Protection Level: Custom, Client medium, Client High, etc... Now you might not want icmp or bootp, so you can deselect those by simply removing the checkmarks...
Regards
Jazzie
Chuck57
December 20th, 2005, 10:54 AM
Strange, I don't have a drop down arrow for protection level. There's no place on any of the tabs to set the protection level. I hadn't noticed that before.
I'm trialing this firewall, haven't purchased it. Maybe that's something that comes with purchase.
Chuck57
December 20th, 2005, 11:12 AM
Reference above post. I uninstalled and reinstalled McAfee firewall and the protection level setting showed up. Thanks for the help Jazzie1. Guess the first unzip and install didn't get it all.
Jazzie1
December 20th, 2005, 11:29 AM
Weird, glad you got it going!
Regards
Jazzie
shoe
December 20th, 2005, 11:35 AM
All is stealth for me but ping reply failed on GRC. How do I correct it?
Chuck57
December 20th, 2005, 04:00 PM
Just ran this firewall through a few leaktests. I was curious how it would perform. It passed all that I tried. I was warned of the applications trying to open, denied them, and they didn't open.
I'm assuming that if I had allowed the .exe to open I would have granted permission for the test to run. By not allowing it to open, it couldn't run. I've never run leaktests before, and am guessing that's how it's supposed to be done.
The more I play with this McAfee firewall, the more impressed I am.
RobZee
December 20th, 2005, 04:19 PM
{QUOTE-> Well I just tried to download this v8.5 McAfee Firewall. Filled in the form and hey presto! tells me I'm in a country that USA can not sell to by law. So please tell me, since when did the USA change the law so that they can't sell to a resident of the United Kingdom? What hope for the firewall if their form can't even recognise I'm in England!!!
muf <-QUOTE}
On my first attempt to download it, I was also rejected, but I just thought they didn't properly recognize Texas! Second attempt was successful.
Rob
theshadow247
December 21st, 2005, 04:28 AM
{QUOTE-> By default you should place your clients behind the 'High Client Security' <-QUOTE}
Every time I try to put my protection level at client high, all my rules made from learning disappear and my protection level goes back to custom. How can I save the rules made from learning mode?
ellison64
December 22nd, 2005, 06:51 AM
You can save all your rules by clicking task>export policy. It will be saved as a MDFPolicy.pfr file. You can save it (with any name) where you want to. It will then show in the protection level dropdown (where all the other levels are). If you want to load high level for example you will have to untick 1 or both learn mode boxes.
ellison
ellison64
December 22nd, 2005, 06:56 AM
{QUOTE-> Just ran this firewall through a few leaktests. I was curious how it would perform. It passed all that I tried. I was warned of the applications trying to open, denied them, and they didn't open.
I'm assuming that if I had allowed the .exe to open I would have granted permission for the test to run. By not allowing it to open, it couldn't run. I've never run leaktests before, and am guessing that's how it's supposed to be done.
The more I play with this McAfee firewall, the more impressed I am. <-QUOTE}
Totally agree with you. This is a keeper. I don't know if it will help anyone here but I've been sorta transposing a lot of the rules from here....
http://www.dslreports.com/forum/remark,8023708~mode=flat
and here..
http://www.dslreports.com/forum/remark,6642367~root=kerio~mode=flat
into the McAfee firewall.
They are Kerio rules for 2.15 but are very easy to fit into this firewall.
I think this firewall's gonna be big. It's just like an up-to-date Kerio 2.15 only much much better.
ellison
AJohn
December 22nd, 2005, 03:36 PM
{QUOTE-> Just ran this firewall through a few leaktests. I was curious how it would perform. It passed all that I tried. I was warned of the applications trying to open, denied them, and they didn't open.
I'm assuming that if I had allowed the .exe to open I would have granted permission for the test to run. By not allowing it to open, it couldn't run. I've never run leaktests before, and am guessing that's how it's supposed to be done. <-QUOTE}
I ran leaktests also, but did differently than you. I allowed the processes to execute (how else can you test the leaks?) and then ran the leaktests.
McAfee failed on several as listed at: http://www.fluxgfx.com/ssc/showthread.php?t=173
This is a great firewall, but it could use some work on the Application Hooking Monitor. If you were to run a program you thought was clean and it contained some of these leaks, you wouldn't even know it was accessing the internet.
theshadow247
December 22nd, 2005, 05:02 PM
{QUOTE-> You can save all your rules by clicking task>export policy. It will be saved as a MDFPolicy.pfr file. You can save it (with any name) where you want to. It will then show in the protection level dropdown (where all the other levels are). If you want to load high level for example you will have to untick 1 or both learn mode boxes. <-QUOTE}
Thanks for the reply ellison64.
Kerodo
December 22nd, 2005, 07:01 PM
{QUOTE-> I ran leaktests also, but did differently than you. I allowed the processes to execute (how else can you test the leaks?) and then ran the leaktests.
McAfee failed on several as listed at: http://www.fluxgfx.com/ssc/showthread.php?t=173
This is a great firewall, but it could use some work on the Application Hooking Monitor. If you were to run a program you thought was clean and it contained some of these leaks, you wouldn't even know it was accessing the internet. <-QUOTE}
I have never paid much attention to leak tests myself, but if you go to this site here: http://www.firewallleaktester.com/ and look at the test results, you'll notice that no firewall passes them all. So what's the point of worrying about it? It seems pretty clear to me that it is possible to circumvent any personal firewall with the right techniques. So to think otherwise seems foolish. Why not just accept that firewalls can be compromised and work on keeping the bad stuff off your machine to begin with? That, to me, would be the best approach.
AJohn
December 22nd, 2005, 11:29 PM
{QUOTE-> I have never paid much attention to leak tests myself, but if you go to this site here: http://www.firewallleaktester.com/ and look at the test results, you'll notice that no firewall passes them all. So what's the point of worrying about it? It seems pretty clear to me that it is possible to circumvent any personal firewall with the right techniques. So to think otherwise seems foolish. Why not just accept that firewalls can be compromised and work on keeping the bad stuff off your machine to begin with? That, to me, would be the best approach. <-QUOTE}
That site is out-of-date. I know for a fact that Outpost passes all of them, there is also Tiny Personal Firewall (with its Windows Security*) that passes all of them. I heard that the new Kaspersky firewall passes all of them also. Ohh and I almost forgot that L'n'S passes them all.
If security is the point, then having maximum security seems like a good idea. I believe that an application firewall might as well detect every instance of an application using the internet. Why shouldn't it? Just because it doesn't? I love McAfee Desktop Firewall, and do keep all the bad stuff out, but I think things should be made right.
Anyways, that's just my 2 cents.
Kerodo
December 22nd, 2005, 11:40 PM
Ok, I don't know about the site, just found it yesterday and I'm not up on all those types of sites anyway. But just because a few of your firewalls pass "all" of them today, doesn't mean it will stay that way. In fact, you can probably bet it won't. And also, these known "leak tests" should not be the objective in firewall development anyway. These are just examples of ways to get around firewalls. They show that it's possible. So to say that Outpost for example can pass "all" the tests, means very little. If I were writing malware or spyware or whatever, I think I'd be a lot more devious and ingenious at finding new and better ways around all the firewalls. Like Jazzie said, it's a cat and mouse game. What's the point? The game never ends. It's a moving target. Why not just make sure you keep the bad stuff off your PC in the first place? Then one doesn't have to worry so much about whether the latest release of xxx-firewall passes all the current known leak tests.
My 2 cents too. :)
PS - There is some merit in trying to keep most or as much as you can under control. But one has to remember that this does not guarantee "security". It's just our best attempt to date. Things will always keep changing..
AJohn
December 22nd, 2005, 11:47 PM
In that case you should disable the anti-hooking in McAfee firewall, because you keep the bad stuff out before it ever has a chance to affect the application filtering in your firewall. Better yet, you should disable your anti-virus, because it is a possibility (a very likely one) for a new undetected virus to be made. Making signatures and detections for new outbreaks is a cat and mouse game as well. :P
Kerodo
December 22nd, 2005, 11:58 PM
Yep, sure is. Best thing for a user to do is use common sense and keep it clean.
Arup
December 23rd, 2005, 12:00 AM
I for one would like to have issue-less firewalls with no slow downs or surprises like BSOD, for that I would be willing to sacrifice so called leak tests as the validity of these tests don't mean that hackers are trying to use the very same methods, that would be amateurish on their part. ZAP also passes leak tests as does Jetico, does that make Outpost, ZAP and Jetico the best firewall out there? Certainly not.
AJohn
December 23rd, 2005, 12:34 AM
I don't know anyone that likes issues, slow downs, and surprise Blue Screen of Deaths, but why not hope for the best? If McAfee updated their Desktop Firewall with the ability to not only stop hooking of applications, but also the ability to pass all known leaktests, how would this be a bad thing? They have already gone in that direction when adding application hook control. I never mentioned any firewall being better than McAfee Desktop Firewall, nor did I mention the possibility of a perfect firewall. I just like to think positive.
{QUOTE-> ...leak tests as the validity of these tests don't mean that hackers are trying to use the very same methods, that would be amateurish on their part. <-QUOTE}
So an amateur with the ability to bypass your current antivirus signatures/heuristics can potentially send your information all over the internet without you even knowing?
Kerodo
December 23rd, 2005, 12:59 AM
AJohn, I think I'd have to take the position that if you keep putting your faith in passing all the leak tests, then you're doing something wrong. What is it that users are doing to get all this crapola on their machines to begin with? Isn't that where the effort should go? Into changing habits, educating users, and avoiding the problem by nipping it in the bud? Instead most of us rely on firewalls with ever increasing complexity and features, leak test passing, and so on and on. When does it end? What was once a simple firewall is now a monster! So I would say if you're worrying about an amateur sending your "information" out over the net, then first, you shouldn't keep your "information" on your PC, and second, you're doing something awfully wrong to even get into that situation.
AJohn
December 23rd, 2005, 01:11 AM
I never said I was concerned about anyone sending my personal information through my internet connection, just the possibility of anything being sent through my internet connection without my consent. Do you think it is an impossible situation for you to install something with bad intentions? Do you not ever try new software out? Safe habits are great, but not foolproof. What have I said to support firewalls becoming resource hogs? All I have been doing is supporting the idea of McAfee Desktop Firewall being updated to meet today's publicly known exploits. I never said it would be cool if McAfee turned their product into a resource consuming monster. If a company is going to stop application hooking they should also attempt to prevent the exploits that come along with it.
Kerodo
December 23rd, 2005, 01:20 AM
Ok, I'll leave it at that.. Sure, I am constantly trying out new apps and programs, firewalls and AVs and so on. I try to be smart and stay safe as possible. I'm sure it would be nice if McAfee improved their product yet I don't think chasing leak tests is the way to do that. Just my opinion, you surely disagree on that one. No problem. :)
AJohn
December 23rd, 2005, 01:35 AM
I do not disagree, only think that 'patching' known exploits is a step in the right direction. Either way we will both have a Merry Christmas :D (or whatever you do for the season)
Kerodo
December 23rd, 2005, 01:42 AM
Yep, Christmas here also. Approaching fast too.. :)
CrazyM
December 23rd, 2005, 01:49 AM
It appears that it could be the lack of all that other stuff that makes this firewall appealing to some. While others may want to see improvements or added features, doing so would likely turn off those that like it the way it is. As always, different strokes for different folks :)
Regards,
CrazyM
AJohn
December 23rd, 2005, 02:04 AM
{QUOTE-> It appears that it could be the lack of all that other stuff that makes this firewall appealing to some. While others may want to see improvements or added features, doing so would likely turn off those that like it the way it is. As always, different strokes for different folks :)
Regards,
CrazyM <-QUOTE}
McAfee Desktop Firewall already has application hooking prevention; I was just wishing it could detect more methods of applications using the internet. I think the reason we disagree is because some think these more advanced implementations would affect the footprint of the firewall. Being the optimistic fool I am, I believe it could be done without doing so. Either way you are right, different strokes for different folks.
Arup
December 23rd, 2005, 03:58 AM
If passing leak test for McAfee comes with a price tag of instabilities and issues, then I am definitely not interested, point is, it's just not that important to adhere to a concept of hacking when the variables are simply many more than the leak tests indicate and I will repeat at the cost of being redundant, passing leak tests does not make or indicate a good firewall for sure.
And about bypassing virus signature, yet to be seen.
Another example of how this leak test obsession totally takes the fun out of PC is Jetico, a legitimately good firewall with very good SPI and yet, pop up hell due to its compliance to the leak test standards.
Even a router feels faster as compared to loading your system with a leak test passing hog.
AJohn
December 23rd, 2005, 09:46 AM
L'n'S a hog? Jetico's path of choice for their firewall is their decision. There are other ways to implement for sure.
{QUOTE-> ...I think the reason we disagree is because some think these more advanced implementations would affect the footprint of the firewall.... <-QUOTE}
User interface is not an issue here. McAfee could simply use the same screen it uses for hooking.
I know someone I could pay 300$ that would gladly implement any of the exploits of my choice into a trojan and guarantee it be undetected by any AV until reported by a user. Believe me, bypassing AV isn't impossible. New threats are out daily, even hourly.
Arup
December 23rd, 2005, 10:30 AM
And bypassing firewalls which pass the so-called leak tests is not hard enough, bypassing high security Kerberos implemented hardware and software firewalled systems are not that impossible either as the Chinese hackers prove that day in day out, as for LnS, not my category of stable FWs, no matter what tests it passes, others may disagree.
Kerodo
December 23rd, 2005, 01:17 PM
{QUOTE-> I think the reason we disagree is because some think these more advanced implementations would affect the footprint of the firewall. Being the optimistic fool I am, I believe it could be done without doing so. <-QUOTE}
I disagree mostly because I don't think the leak tests are important. Again, what would having McAfee pass the current known leak tests do for you, except to lull you into a false sense of security?
AJohn
December 23rd, 2005, 11:28 PM
{QUOTE-> Again, what would having McAfee pass the current known leak tests do for you, except to lull you into a false sense of security? <-QUOTE}
Nothing false about knowing current exploits are covered. I don't understand why you use application-hook control, but don't see why it would be beneficial for McAfee to cover it fully.
Arup
December 23rd, 2005, 11:30 PM
Well in your case, it seems that you see the leak tests as being the method all hackers use, don't think that's the reality, as I said, I would not execute any unknown stuff and the hooking feature will prevent or alert me from that possibility.
AJohn
December 23rd, 2005, 11:37 PM
{QUOTE-> ...I would not execute any unknown stuff and the hooking feature will prevent or alert me from that possibility. <-QUOTE}
What possibility do you mean?
Kerodo
December 23rd, 2005, 11:40 PM
{QUOTE-> Nothing false about knowing current exploits are covered. <-QUOTE}
The idea is, if you think you're covered because your firewall passes the current leak tests, then aren't you more likely to get lazy and with your false sense of security, do all kinds of things that are even more risky than usual, until eventually one of those programs actually does break out somehow?
AJohn
December 23rd, 2005, 11:45 PM
I understand where you're coming from, but that's up to the user whether they become lazy or not. I see no point in having application-hooking monitoring running if it doesn't detect all known instances of the issue. If you are going to depend on the monitor at all, it should cover all known techniques.
Arup
December 24th, 2005, 12:12 AM
How bout unknown?
AJohn
December 24th, 2005, 12:14 AM
When they become known, they should be taken care of. Like any exploit.
Arup
December 24th, 2005, 12:28 AM
Only if they are being used as known methods of hack and attacks, all the leak tests are based on orchestrated presumptions, not truly reality, tell me how many in the past have become victims of these so called published hacks when not running an outbound protection. Hacking is a far more advanced world than these leak tests make it look, far more sophisticated too.
Kerodo
December 24th, 2005, 12:30 AM
Why not just run ZA Pro then? It probably does a better job with all that stuff anyway. I would like to see them keep it simple. It's already annoying enough when it asks for permission for every app to execute. That can be turned off though, so it's ok. If McAfee were to do what you want, then they'd have to commit themselves to adding more code every time a new exploit turned up. You seem to like this idea, I would like to spare them this effort.
Arup
December 24th, 2005, 02:06 AM
The point is that McAfee is aimed at corporates, if they go the ZAP or Outlook or Jetico way of pop ups, they will lose all corporate clients for sure. McAfee can be implemented with secure and safe policies across the network and that's exactly what a network admin wants in a corporate environment.
AJohn
December 24th, 2005, 03:34 PM
{QUOTE-> ...so called leak tests as the validity of these tests don't mean that hackers are trying to use the very same methods... <-QUOTE}
http://www.firewallleaktester.com/malwares.htm
Arup
December 24th, 2005, 04:24 PM
Firewallleaktester is just one person's take on malwares, however true that may be and there are far more variations to the malware situation than one website and person can cover.
If you look at my last thread, it says it all, McAfee 8.5 is solely aimed at corporate environment where pop ups like Outpost, ZAP and Jetico will mean contract getting cancelled.
Kerodo
December 24th, 2005, 04:55 PM
{QUOTE-> http://www.firewallleaktester.com/malwares.htm <-QUOTE}
When I posted that link to you, you claimed that site was dated. Now you're referring to it??
CrazyM
December 24th, 2005, 05:11 PM
Let's try and keep this thread to discussing McAfee.
Regards,
CrazyM
AJohn
December 26th, 2005, 02:18 PM
This refers to McAfee, because it shows the potential vulnerabilities in its application hooking monitor. firewallleaktester.com's test results are for a fact dated. Worst case, if that link to malwares.htm I posted above is dated, then there are even more situations where exploits are being used, since the exploits on that page have already been released.
I have already stated my opinion on that matter, and wish to discuss it no further since it has no possibility of leading anywhere. Even if I somehow manage to convince you, McAfee will still do nothing about this. How about we agree to disagree and leave it at that.
shoe
December 26th, 2005, 02:22 PM
So should application hooking be on or off?
AJohn
December 26th, 2005, 02:35 PM
On if you want to detect applications hooking into other applications, Off if you don't. Just keep in mind that it will not detect all methods.
shoe
December 26th, 2005, 02:36 PM
thanks
Kerodo
December 26th, 2005, 05:29 PM
{QUOTE-> How about we agree to disagree and leave it at that. <-QUOTE}
Yep, how boring would it be if we all agreed on everything anyway? ;)
Copyright ©2002 - 2009, Wilders Security Forums