Windows Firewall with Advanced Security (Guide for Vista)

[m00nbl00d]

Quote:

Originally Posted by Greg S

Are you running the Beta of MSE. Mine just now updated to what I think is a release version of the Beta. Anywho, MSE now needs new rules for updating. A rule for msseces.exe is now required and possibly NisSrv.exe. Event Viewer shows them in the 64.xxx.xxx.xxx range. I wish there was an MS site to shed some light on what specifically needs allowed for MSE.

Yes, beta version.

These are the rules I've created:

NisSrv.exe - Protocol: Any (I still don't know how exactly the network scanning works, so I allow to scan all protocols); Remote port: Any; Remote IPs: Any

msseces.exe: Protocol: TCP; Remote port: 80, 443; Remote IPs: Any

MsMpEng.exe: Protocol: TCP; Remote port: 80, 443; Remote IPs: Any

MpCmdRun.exe: Protocol: TCP; Remote port: 80, 443; Remote IPs: Any

MpSigStub.exe: Protocol: TCP; Remote port: 80, 443; Remote IPs: Any

[Greg S]

Quote:

Originally Posted by m00nbl00d

Yes, beta version.

These are the rules I've created:

NisSrv.exe - Protocol: Any (I still don't know how exactly the network scanning works, so I allow to scan all protocols); Remote port: Any; Remote IPs: Any

msseces.exe: Protocol: TCP; Remote port: 80, 443; Remote IPs: Any

MsMpEng.exe: Protocol: TCP; Remote port: 80, 443; Remote IPs: Any

MpCmdRun.exe: Protocol: TCP; Remote port: 80, 443; Remote IPs: Any

MpSigStub.exe: Protocol: TCP; Remote port: 80, 443; Remote IPs: Any

Did your Beta update today?

[m00nbl00d]

Quote:

Originally Posted by Greg S

Did your Beta update today?

Yes, it did. Not sure if a final version, if that's what you mean't?

[m00nbl00d]

You might actually just need to add the full network to Windows Update so that MSE can update, because it will fail depending if it's still looking up the two IPs I previously mentioned or new ones.

Network: 92.122.208.0/22

http://www.dshield.org/ipinfo.html?ip=92.122.208.34

[m00nbl00d]

OK. I simply cannot make the command to audit events to work. I always get an error message 0x00000057 parameter incorrect.

Searching for this error, specifically in this case, resulted in nothing that I could I find.

Any thoughts

[Greg S]

Quote:

Originally Posted by m00nbl00d

OK. I simply cannot make the command to audit events to work. I always get an error message 0x00000057 parameter incorrect.

Searching for this error, specifically in this case, resulted in nothing that I could I find.

Any thoughts

Hmm, not offhand. Have you tweaked any services to disabled? <--- don't think that would really matter since I have way more than normal disabled myself. Here's what I am using from Admin cmd.

Code:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

net stop MPSSVC

net start MPSSVC

[m00nbl00d]

Quote:

Originally Posted by Greg S

Hmm, not offhand. Have you tweaked any services to disabled? <--- don't think that would really matter since I have way more than normal disabled myself. Here's what I am using from Admin cmd.

Code:

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

net stop MPSSVC

net start MPSSVC

I have quite a few disabled, yes. SSDP Discovery, UPnP, DNS Client, and a few others like Media Center stuff, Windows Media Player Network Share (or something like that).

Even writing just auditpol /set results in the error message. So, the problem lies with auditpol itself. Odd.

[Greg S]

Quote:

Originally Posted by m00nbl00d

I have quite a few disabled, yes. SSDP Discovery, UPnP, DNS Client, and a few others like Media Center stuff, Windows Media Player Network Share (or something like that).

Even writing just auditpol /set results in the error message. So, the problem lies with auditpol itself. Odd.

Yea, I have all them disabled as well, and then some,lol.

[m00nbl00d]

I got it to work, but I had to enter each command separately and use my own language to substitute parts like "Filtering Platform Connection".

[Greg S]

Quote:

Originally Posted by m00nbl00d

I got it to work, but I had to enter each command separately and use my own language to substitute parts like "Filtering Platform Connection".

Yes, I started to state that each line in the code box is a different command. Sorry.

Have you made your custom popup dialog alert yet,lol

[m00nbl00d]

Quote:

Originally Posted by Greg S

Yes, I started to state that each line in the code box is a different command. Sorry.

Have you made your custom popup dialog alert yet,lol

Attachment 223370

Yeah, but far from being great. One still has to check the Event Viewer, though. lol

[Greg S]

Quote:

Originally Posted by m00nbl00d

Yeah, but far from being great. One still has to check the Event Viewer, though. lol

Exactly! We need some way of getting the Event information into an alert.

[m00nbl00d]

Quote:

Originally Posted by Greg S

Exactly! We need some way of getting the Event information into an alert.

I think it could be possible to create a PowerShell script to do that, for example. It's possible to run one to read the firewall log, but no good here, because it still lacks the processes names, so it would be possible to get info from Event Viewer. I just don't know much about Powershell scripting.

I guess it would be nice to have pop-up alerts for blocks, but once you have the rules in place for all necessary programs, then, really, how important is it to know what's being blocked? If one can accept Winfw for the type it is - a default deny fw (oops, where have we see that term before ), then most every block occuring henceforth will only be that of Internet "noise" or other inbound/outbound traffic types not necessarily needed like discovery and upnp, tcpv6...for example. IOW, probably not that important to know about anyway. If something isn't communicating that should be, the logs are at least there to check, even though their a bit cumbersome to access.

[Greg S]

Quote:

Originally Posted by m00nbl00d

I think it could be possible to create a PowerShell script to do that, for example. It's possible to run one to read the firewall log, but no good here, because it still lacks the processes names, so it would be possible to get info from Event Viewer. I just don't know much about Powershell scripting.

This article describes how to do it with some of the things already mentioned. Looks like #^^&*)(! to me. Anyone here knowledgeable enough to do this?

http://support.microsoft.com/?scid=kb;EN;815314

[Rilla927]

Is there anyone in this thread using Avast Pro? If so, can you tell me how you have the rules setup.

I just installed it yesterday and it could not update and right after that I lost me whole network. I'm wondering if my rules become corrupt. I'm using a Live CD right now.

[m00nbl00d]

Quote:

Originally Posted by Rilla927

Is there anyone in this thread using Avast Pro? If so, can you tell me how you have the rules setup.

I just installed it yesterday and it could not update and right after that I lost me whole network. I'm wondering if my rules become corrupt. I'm using a Live CD right now.

OK. Not avast! Pro, but I've been testing avast! free in a virtual machine and these are the rules I've created for it, so that it could update.
Since I have DNS Client disabled, I needed two rules for that update process:

Process name: AVAST.SETUP
Protocol: TCP
Remote Port: 80
Remote Address: Any

The other rule if for DNS.

Even if you do not see the process AVAST.SETUP, create the rule as if the process is there.

Later on, I'll check the other rules. I can't start the virtual machine right now, sorry.

Most likely, you've lost network connection, perhaps due to the Network Shield not having an Internet connection


Regards

[Rilla927]

Okay, I found out the web shield is blocking the net. I can't find anything in the program folders that refers to web shield.

I will try your rule, thanks.

How did you make the rule if you don't have the .exe to point too?

[m00nbl00d]

Quote:

Originally Posted by Rilla927

Okay, I found out the web shield is blocking the net. I can't find anything in the program folders that refers to web shield.

I will try your rule, thanks.

How did you make the rule if you don't have the .exe to point too?

Again, I don't remember the exact path, but I believe it is C:\Program Files\Alwil Software\Avast5\Setup\avast.setup

When creating the rule just write %ProgramFiles%\Alwil Software\Avast5\Setup\avast.setup

By the way, I don't remember if it's Alwil Software or Avast Software, because they changed from Alwil to Avast; so I don't recall whether or not the path reflects that change as well.

But, since you have it, you can simply see which one is, I guess.

[Rilla927]

Okay, I will try that.

I found this published by Avast.

Allow ashWebSv.exe or aswWebSv.exe (web shield) access to TCP port 80 and permission to act as a server and accept incoming connections from local host on TCP port 12080.

I looked in avast program files\setup and there is no .exe at all in there.

[m00nbl00d]

Quote:

Originally Posted by Rilla927

Okay, I will try that.

I found this published by Avast.

Allow ashWebSv.exe or aswWebSv.exe (web shield) access to TCP port 80 and permission to act as a server and accept incoming connections from local host on TCP port 12080.

I looked in avast program files\setup and there is no .exe at all in there.

I believe -not 100% sure - that that file is created when first needed, that is when the first update happens. I've seen it once - lucky fellow here. lol

But, go ahead and create the rule for avast.setup (no *.exe extension, just avast.setup). You need it so that avast! updates.

-Edit-

You mean there's no ashWebSv.exe or aswWebSv.exe in Setup dir? Maybe it's in one of the other dirs. I'll install avast! again in the virtual machine and see what I get.

[Kerodo]

Avast.Setup is created on the fly every time Avast updates, then it's deleted/removed when the update is done.

[m00nbl00d]

Quote:

Originally Posted by Kerodo

Avast.Setup is created on the fly every time Avast updates, then it's deleted/removed when the update is done.

Thanks! I wasn't entirely sure. I've seen it happening once, as I mentioned, but never again.


Regards

[m00nbl00d]

Quote:

Originally Posted by m00nbl00d

OK. Not avast! Pro, but I've been testing avast! free in a virtual machine and these are the rules I've created for it, so that it could update.
Since I have DNS Client disabled, I needed two rules for that update process:

Process name: AVAST.SETUP
Protocol: TCP
Remote Port: 80
Remote Address: Any

The other rule if for DNS.

Even if you do not see the process AVAST.SETUP, create the rule as if the process is there.

Later on, I'll check the other rules. I can't start the virtual machine right now, sorry.

Most likely, you've lost network connection, perhaps due to the Network Shield not having an Internet connection


Regards

The other rules are as follows:

Process name: AvastSvc.exe
Protocol: TCP
Remote Address: Any

Inbound rule for AvastSvc.exe:

Protocol: TCP
Local Address: 127.0.0.0/8 and 0.0.0.0

Process name: AvastUI.exe
Protocol: TCP
Remote Address: Any

These were the rules I had created back then. I haven't played with them much, though. But, for what I could see it was working fine, and Network Shield was blocking malicious websites, so... I guess those rules are, at least, what is required.

[Poni]

I got wierd problem with Windows 7 64bit Advanced Firewall. Iv allowed Chrome to access port 443 etc but it still blocks it..i cant access secure web sites ,only normal web sites.
I noticed something wierd..when i install SRWare Iron "Chrome alternative" to programs folder it can access all sites..but when i install SRWare iron portable to user folder like Chrome forces you to install, it doesent allow to connect secure sites.
Same goes to Opera with user folder secure sites no work but with normal programs folder all work.
Tried mIRC too and it doesent connect port 6667 etc when in user folder and when in the programs folder it works perfectly.
When i allow Firewall to connect all outbounds it does work.

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume2\users\tomi\appdata\local\google\chrome\application\chrome.exe

Network Information:
Direction: Outbound
Source Address: 192.168.11.2
Source Port: 51174
Destination Address: 62.13.0.79
Destination Port: 443
Protocol: 6

Filter Information:
Filter Run-Time ID: 89550
Layer Name: Connect
Layer Run-Time ID: 48