Is Firewall Working Correctly?

[Techfox1976]

Quote:

Originally Posted by Critter2

"bloatware" or not I'm not going to run whats "seems"
to be two firewalls

Actually I didn't call WRSA by itself "bloatware" but running two
firewalls or two firewall UI's or whatever you want to call it
is something I'm am not going to do

Do or Do Not.
But quit griping. You're being petty.

[Techfox1976]

Pegas:

Go into your Internet Options via the control panel or IE.
Click the Connections tab.
Click the "LAN Settings" button near the bottom.

Is "Use a proxy server for your LAN (These settings will not apply to Dial-up or VPN connections)" checked?

[pegas]

Quote:

Originally Posted by Techfox1976

Pegas:

Go into your Internet Options via the control panel or IE.
Click the Connections tab.
Click the "LAN Settings" button near the bottom.

Is "Use a proxy server for your LAN (These settings will not apply to Dial-up or VPN connections)" checked?

Thx Techfox1976 for the hint however I am not using a proxy connection.

[PrevxHelp]

Quote:

Originally Posted by pegas

OK, after a very extensive testing of WSA firewall with the setting "Warn if any process connects to the internet unless explicitly allowed" and fiddling with setting Allow/Block under Network Applications, here's my conclusion.

First of all, if you apply the said firewall option WSA loads all allowed processes/applications which are allowed by the cloud heuristics and are present on your particular system. The list of these processes can be seen in Network Applications.

I changed a lot of applications from Allow to Block and tried every one to test if they can get out on the internet. The result was half-successful.

Some processes which were set to Block couldn't pass on the internet (for instance IE9, Revo, Picasa etc.). That's fine and what I had hoped.

On the other hand, some of the blocked processes could connect on the internet. Just to name a few ... Opera, Outlook, Webcam, VLC etc. I have to admit I am quite concerned especially for Opera and Outlook! Strange as IE wasn't able to connect.

Joe explained a few posts above that such applications (which went on the net even if being blocked) probably use another process for the outbound connection. If that is right and not just a firewall failure there has to be another prompt or whatever else that will warn a user about this fact and will let him/her to act accordingly (Block or Allow).

So my result is that if a process is alone connecting to the internet, i.e. don't use another one to do that, and you block this process it shouldn't be able to get on the net. However that is not the case for a process that use another one to connect out. In such a case you end up in surprise that the process is able to connect out even if set as Blocked.

So all in all, I don't think WSA firewall is bad but it needs to be more polished to ensure 100% success in blocking the outbound traffic.

Thanks & regards,
pegas

Thanks for the feedback - could you let me know what OS you're using for these tests so that we can try to reproduce them internally?

Thanks!

[pegas]

Quote:

Originally Posted by PrevxHelp

Thanks for the feedback - could you let me know what OS you're using for these tests so that we can try to reproduce them internally?

Thanks!

Hi Joe,

Vista Business SP2 32-bit fully patched and updated in the Czech localization.

Looking forward to hearing from you.

Thanks & regards,
pegas

[Critter2]

"Do or Do Not.
But quit griping. You're being petty."

Just your opinion

I'm a paying customer and I have the right too

[powser]

I hope all these gets fixed soon.

WSA just allows everything thru the firewall. No pop up even when I click the "warn if any process". Even after removing the app from the list.

And please add some way to delete the list. I have hundreds of items on allowed even though I've set "warn if any process" long ago.

[PrevxHelp]

Quote:

Originally Posted by powser

I hope all these gets fixed soon.

WSA just allows everything thru the firewall. No pop up even when I click the "warn if any process". Even after removing the app from the list.

And please add some way to delete the list. I have hundreds of items on allowed even though I've set "warn if any process" long ago.

You can right click on a process to remove it from the list. It's possible that the allowed state is being cached now as it was previously allowed.

[PrevxHelp]

Quote:

Originally Posted by pegas

Hi Joe,

Vista Business SP2 32-bit fully patched and updated in the Czech localization.

Looking forward to hearing from you.

Thanks & regards,
pegas

Could you try looking in the firewall list and right click "Remove" on the entry for one of the applications that's able to connect outbound, and try it again to see if it is blocked?

[TonyW]

Quote:

Originally Posted by Critter2

"bloatware" or not I'm not going to run whats "seems"
to be two firewalls

From what PrevxHelp has said, you've already been running the 'firewall' in the AV-only version previously. You just weren't aware of it.

Quote:

Quote:

We just didn't offer the user-facing configuration previously - the behavior monitoring and network event correlation has always been active.

[pegas]

Quote:

Originally Posted by PrevxHelp

Could you try looking in the firewall list and right click "Remove" on the entry for one of the applications that's able to connect outbound, and try it again to see if it is blocked?

Joe, I am off my PC now but I tried what you suggested today morning with Opera, so I removed Opera but once I run Opera its entry came back automatically with Allow. Other one I tried was VLC player, removed VLC process, run VLC again which conncted to the net without asking me for access. Checked the list of processes but VLC process wasn't back there.

[umbrapolaris]

I confirm what Pegas observed :

0- set the FW as "warn if any new, untrusted process connects to the internet..."
1- opened the Network Application" tab
2- launched VLC
3- observed the automatic allowance of VLC (no prompt)
4- did an update check of VLC via its GUI, connection authorized.
5- set VLC process to "Block", did an update check of VLC via its GUI, connection blocked.

http://i.imgur.com/dZGgm.jpg

6- deleted the VLC process from the list
7- redone the steps 1 to 5 with "Warn if any process...", same results.

[Triple Helix]

Quote:

Originally Posted by umbrapolaris

I confirm what Pegas observed :

0- set the FW as "warn if any new, untrusted process connects to the internet..."
1- opened the Network Application" tab
2- launched VLC
3- observed the automatic allowance of VLC (no prompt)
4- did an update check of VLC via its GUI, connection authorized.
5- set VLC process to "Block", did an update check of VLC via its GUI, connection blocked.

http://i.imgur.com/dZGgm.jpg

6- deleted the VLC process from the list
7- redone the steps 1 to 5 with "Warn if any process...", same results.

That tells me the program is already trusted in the Cloud database with the setting 0 but try again with this setting.

TH

[powser]

Thanks for helping, TH and Prevxhelper.

But TH, as u can see Umbrapolaris has already tried that (in step 7).

I have the same issue. Everything just goes thru the firewall unless I explicitly go to the list and select BLOCK. Removing it from entry justs adds it back as allowed whether or not I have "warn if any process.." turned on.

[Triple Helix]

Quote:

Originally Posted by powser

Thanks for helping, TH and Prevxhelper.

But TH, as u can see Umbrapolaris has already tried that (in step 7).

I have the same issue. Everything just goes thru the firewall unless I explicitly go to the list and select BLOCK. Removing it from entry justs adds it back as allowed whether or not I have "warn if any process.." turned on.

Thanks I need to open my eyes I don't use VLC but all my testing with that setting has passed Win 7 x64 and I just opened WinZip and checked for updates and I get the prompt as I did with the earlier posts.

TH

[umbrapolaris]

it seems that some softwares can bypass the FW but not all, i redone the test with some others apps , the FW caught them.

[pegas]

Today I was updating Adobe Flash player for IE9 as well as Opera 12.02 to the latest build (11.4.402.287). During the both updates a WSA prompt jumped out asking for the outbound permission to let Adobe online updater go on the internet. I chose Allow Once and the update finished successfully.

I have noticed later that the both updaters are listed in the network applications with action Allow (see below).



I tried a few other applications to access the internet and always opted to Allow Once and all these applications were automatically added to the allowed applications.

That's not correct behaviour because I opted Allow Once so these files shouldn't be automatically added to the allowed applications.

I verified the protected applications and they worked fine. I tried the Vista snippingtool and chose Allow Once and the snipping tool wasn't added to the protected applications. When I was trying to take another snapshot I was prompted to allow the file.

[Critter2]

exactly, not only was it forced upon us,
it does even work correctly

[Techfox1976]

Quote:

Originally Posted by Critter2

exactly, not only was it forced upon us,
it does even work correctly

You could always use it for its primary function as a Firewall Helper (ignore it completely but it will help in the event you get an infection and help to detect infections) as opposed to trying to use it in a capacity of a standalone firewall, which it is not and in no way claims to be. If you ignore it, pretend it's not there, has no configuration options, etc, as long as it doesn't get in the way in a way that it would not if the functionality weren't turned on, it doesn't hurt, and if it helps, that's even better.

[Critter2]

I never heard of a Firewall Helper before

Think I'll use one that does not need help

Oh well

[Techfox1976]

Quote:

Originally Posted by Critter2

I never heard of a Firewall Helper before

Think I'll use one that does not need help

Oh well

Oh, I didn't know your firewall was virus-aware.
The WSA is a firewall helper or firewall extender. That's why it's able to coexist with other firewalls and asks you to turn on Windows Firewall if no other firewall is installed. If you try to pretend it's a full firewall, you'll be just as disillusioned as if you try to pretend you're a unicorn.

- The code has always been there in the AV. It just didn't take action if there was something it would take action against.
- Now the code capability is activated, so if it sees something it should do, it will do it.
- If you can set it to default and ignore it and it does nothing negative, then it's just like not having it unless you are incapable of ignoring its UI.
- If you set it to default and it does something positive in the future, then it's a benefit.

So, other than the fact that you seem to be incapable of ignoring its UI, what negative impact has it had on your system at default settings?

[umbrapolaris]

Quote:

Originally Posted by Techfox1976

Oh, I didn't know your firewall was virus-aware.

hahaha mine is :p (aka OAP)

[kdcdq]

Quote:

Originally Posted by Critter2

I never heard of a Firewall Helper before

Trend Micro's top-of-the-line Titanium™ Maximum Security has a firewall helper also; that way the user can use the firewall of his/her choice.

Some of us like that; some of us like that a lot....

[Triple Helix]

@Critter2 Even Frederic said that Look'n'Stop will run with Windows Firewall http://www.wilderssecurity.com/showp...94&postcount=2 so in fact you can run all 3 firewalls together without issues or slow downs but alittle over kill IMO!

TH

[Critter2]

"Oh, I didn't know your firewall was virus-aware"
FIREWALL!! not AV, two different Programs

"firewalls together without issues or slow downs but alittle over kill"
of course this would be over kill, using more than one program to do
the same job is "bloatware"

I still prefer one that does not need help

and windows firewall doesn't even exist on my XP system at all,
along with 90% of the rest of it that has been removed