How to use PC Tools FW + version 5.0.0.38 LT # 5

Discussion in 'other firewalls' started by Escalader, Feb 22, 2009.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    A point I meant to put forward earlier.

    Some Windows applications, such as Windows Explorer, are given "full access" by default. This is not necessarily a security problem, but I know some users prefer that Windows applications that don't require internet access should not need to be given that access, certainly as Windows Explorer (XP) has the habit of connecting to MS when you make a search of the PC (but then again, I know some users who don't mind that).
    Now, with PCT firewall it does intercept either the Winsock access or the parent-child of Windows Explorer to (for example) FF. I do still need to check exactly what the interception is; however, whichever it is, there is a need to allow Windows Explorer to "connect". If you block this, you will lose internet access.
    So for Windows Explorer (on my setup) I do allow its full control of the system (problems can arise if various interactions with the OS are blocked); for the "connecting allowed" I set as "allow connect". The "Listening permission", I set that as "Prompt", but then place 2 blocking rules for inbound/outbound (as you are currently doing at the end of your application rulesets).

    - Stem
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Let me see if I can replicate this on my set up and post the jpg's for thread review.

    I'm having a mind crunch on it since in another FW set up I allowed Windows Explorer to "run" on my PC but blocked its www access. Anyway, let's see what trouble I can generate for myself first. I don't like Explorer as a "bypass" to get to www if it doesn't need access. More later.
     
  3. Escalader

    Escalader Registered Member

    Well, I have implemented in Windows Explorer 2 blocking rules: 1 for incoming TCP/UDP and a second for outgoing (see attached). As well, I have listening set to prompt and connections allowed as per Stem's post on Explorer.

    So far only one or two prompts came up; one was for MS Outlook, which looks for new mail every 10 minutes or so. I allowed this, BUT I assumed that a rule would be generated by this allowance of the prompt, but I can't find the rule it has prompted since so something got changed to stop the prompt (I think but don't know).
     


  4. Stem

    Stem Firewall Expert

    Hi Escalader,

    Are you saying no rule was created for MS Outlook, or that the prompt was for Windows Explorer with no apparent change in rules after the prompt?

    - Stem
     
  5. Escalader

    Escalader Registered Member

    Hi Stem:

    What I am saying is:

    1) I got a prompt from Windows Explorer asking for permission to access the www via MS Outlook.

    2) No new visible changed rules appear either in Outlook or in Explorer


    However, please note:
    • that I have prompt for connect and for listening set for MS Outlook
    • that I have allow connect and prompt for listening set for Explorer
    • that I have no DNS rule created for explorer, just the 2 posted earlier
     
  6. Stem

    Stem Firewall Expert

    Hi Escalader,

    Unfortunately, after checking, I see that Windows Explorer is NOT being blocked even with rules in place to do so. I have set the rules for Windows Explorer to log, and even the firewall logs these packets being allowed that should be blocked.

    EDIT:

    I am now removing this firewall until this issue is resolved. When a firewall cannot enforce blocking rules, then it has no place on my setup.


    - Stem
     
    Last edited: Feb 26, 2009
  7. Escalader

    Escalader Registered Member

    Hi Stem:

    Yes, why put in rules that don't work? I'm :mad: at PC Tools FW+.

    I will follow your lead and do the same and uninstall the product.

    Some users may be upset after working hard with us on the LT, but that's the way she goes. Maybe they learned about creating some rules; if so, all is not lost here! I hope so.

    I'm wondering if the vendor sees these results? :doubt: But that's not my job as I see it.

    I'm leaving this thread now.


     
  8. Stem

    Stem Firewall Expert

    Hi Escalader,

    I made a post to the PCT forums concerning this:-

    I actually expect this to be a problem with auto allow with Windows applications (as we have seen with some other firewalls with white lists), but this bypass is not wanted or expected.

    We can wait for an update to resolve the issue, then continue with the thread.


    - Stem
     
  9. Escalader

    Escalader Registered Member


    Stem:

    That's fine with me, but :doubt: we could wait a while!
     
  10. nhamilton

    nhamilton Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    61
    This should not happen. The white list should only be used if there are no rules for the application. Can you please send me your AppRuleSet.xml, or just the section that deals with explorer.exe, so I can try it here with the exact same rules and try to produce the same results?
     
  11. nhamilton

    nhamilton Registered Member

    I worked out what is most likely the problem here.

    When you look at the application in the application list, you have a couple of settings on the side.

    Under connection allowed, there are 3 options: Allow Connect, Block Connect, Prompt for permission. If you have allow connect set, or block connect set, then it ignores the advanced rules and just allows or blocks. So you want it set to ask for permission.

    Now here is the problem: part of the functionality of the firewall is if a child process is trying to connect to the internet it assumes that the parent had something to do with it. I believe this came from LnS originally. Which by itself is not an issue; the issue comes with the configuration/UI around the setting. If you allow the child connect, then it changes the permission of the app to connect, which basically disables the rules you just created. For most apps this is not a big issue. For Explorer it is a big issue.
     
  12. Stem

    Stem Firewall Expert

    Hello nhamilton,

    With the possibility of being possibly obnoxious, I do know how to set rules for firewalls and how some firewalls will intercept parent-child or even access to Winsock.

    There is no excuse for any defined blocking rules to be bypassed for whatever reason.

    The fact you are taking time to post here, rather than replying to my post at your own forums, is to me a bit insulting, as you take time to attempt to put forward a rather inferior explanation of the inability of simple block rules.

    At the possibility of being in some violation with my own Admins,
    Do not try and give me bull.



    - Stem
     
  13. nhamilton

    nhamilton Registered Member

    I am replying here, because I read here more often. I like to follow what is happening around in general. I meant no insult to you and am sorry you have taken one. I am not trying to provide support, just trying to understand what is happening.

    I know you do, I did not mean to imply you didn't.

    I agree.

    Not trying to.

    I am going to assume that the application has been set to allow connect, if it is not set then there is possibly some other issue (I know you did not select it)

    There are design issues with the UI in making some things unclear and some configuration settings.

    There are 3 outbound settings for applications:
    - Allow
    - Block
    - Rule Based (Part of the confusion is it is labeled prompt for permission)

    The other big issue that I can see is that of child connect.

    There is no way to be able for you to change that setting. To get a popup and say allow child connects changes the permission from rule based to allow or block. Which is wrong and what I believe is also part of the problem.

    If what I have said above is not the issue I would love to know
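
The evaluation order nhamilton describes in posts 11 and 13, modelled as an added example (not part of the thread and not PC Tools code). All class, function and constant names are hypothetical, the model covers only the outbound "connection allowed" switch, and the rules-first variant is one possible ordering, not a vendor fix.

```python
from dataclasses import dataclass, field

# The three outbound settings; RULE_BASED is the one the UI labels "Prompt for permission".
ALLOW, BLOCK, RULE_BASED = "allow", "block", "rule_based"

@dataclass
class Rule:
    direction: str  # "in" or "out"
    action: str     # ALLOW or BLOCK

@dataclass
class App:
    name: str
    connect: str = RULE_BASED
    rules: list = field(default_factory=list)

def match_rules(app, direction):
    """Return the action of the first advanced rule for this direction, else None."""
    for rule in app.rules:
        if rule.direction == direction:
            return rule.action
    return None

def decide_as_described(app, direction):
    """Behaviour as described: Allow/Block Connect short-circuits the advanced rules."""
    if app.connect in (ALLOW, BLOCK):
        return app.connect
    return match_rules(app, direction) or "prompt"

def decide_rules_first(app, direction):
    """Alternative ordering (assumption): an explicit rule always beats the coarse switch."""
    verdict = match_rules(app, direction)
    if verdict is not None:
        return verdict
    return "prompt" if app.connect == RULE_BASED else app.connect

def answer_child_prompt(parent, allow):
    """Behaviour as described: answering the child-connect popup rewrites the parent's switch."""
    parent.connect = ALLOW if allow else BLOCK

def demo():
    # Constructed ruleset mirroring the thread: two block rules on explorer.exe.
    explorer = App("explorer.exe", RULE_BASED, [Rule("in", BLOCK), Rule("out", BLOCK)])
    before = decide_as_described(explorer, "out")   # rules are consulted
    answer_child_prompt(explorer, allow=True)       # user allows a child connect
    after = decide_as_described(explorer, "out")    # rules are now ignored
    fixed = decide_rules_first(explorer, "out")     # block rule still enforced
    return before, after, fixed

if __name__ == "__main__":
    print(demo())
```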
     
  14. Stem

    Stem Firewall Expert

    As I put forward in a previous post, I am not sure as to what interception is currently being made, be it parent-child or Winsock access (or possibly parent-child based on Winsock rather than threads). This is currently not the problem.
    Bypass of blocking rules is unacceptable, be it for Windows applications or vendors' applications.

    I await a reply to my post on the vendor's forums and will not continue with this possible roundabout discussion.

    - Stem
     