Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    @Heimdall
I see these CAPI2 entries in my application log (both the successes and failures), even though Cryptographic Services has no access to port 80 in my firewall configuration. So, I assume that either it uses a cache or it gets Windows Update to get the data interactively?

Also, there's no correlation between any CAPI2 log entries and the 'mysterious' svchost dropped packet log entries we've been discussing...

    @wat0114
    I wasn't logging audit successes (unfortunately) so I can't confirm that, but the fact that you're no longer seeing these svchost dropped packets by allowing DNS Client access to port 80 seems to agree with my test.

    Hmmm...
     
  2. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
Can you correlate the PID of a CAPI2 event with a svchost instance? It would be interesting to know if it's the one that contains wuauserv.
     
    Last edited: Feb 24, 2011
  3. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Sadly, I've only been logging audit failures of event 5152 so I can't check. I'll switch on audit successes for a while. I'm not sure what action to perform to trigger a CAPI2 event on demand (do you know?), so I've set a popup against all the CAPI2 events...
     
  4. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
Unfortunately, I don't know of a way to manually trigger an update. These typically occur when an untrusted root authority is encountered.

As far as I'm aware, it's the wuauserv service that actually performs the update, at the behest of the cryptographic service provider.

In theory, it would be pretty easy to put a trace on the process using something like Procmon; unfortunately, it's knowing when to start the trace...
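Heimdall's question (is the svchost instance behind the dropped packets the one hosting the Windows Update service, wuauserv?) can be answered from the logs rather than by guessing when to start a Procmon trace. The PowerShell below is an added example and not code from the thread: it maps every svchost PID to the services it currently hosts, pulls recent event 5152 drops from the Security log and the CAPI2 entries from the Application log, and joins the two on PID. The event limits (500 and 200) and the 60-second correlation window are my assumptions. Run it from an elevated prompt, and run it before rebooting, since PIDs are only meaningful for the current boot.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell 2.0+ prompt
# on Vista/7/2008. Packet-drop auditing must be on for 5152 to appear:
#   auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable
# (allowed connections are logged as 5156 under "Filtering Platform Connection").

# 1. PID -> hosted services, from the SCM. Every svchost.exe instance resolves to
#    the services it currently hosts, so a PID can be tied to wuauserv, Dnscache, etc.
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}
function Get-PidServices([int]$ProcId) { ($svcByPid[$ProcId] -join ',') }

# 2. Recent firewall drops. Event 5152 carries the PID, program path and the
#    destination address/port as EventData fields.
$drops = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents 500 |
    ForEach-Object {
        $d = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            Pid      = [int]$d['ProcessId']
            App      = $d['Application']
            Services = Get-PidServices ([int]$d['ProcessId'])
            Dest     = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
            Proto    = $d['Protocol']       # 6 = TCP, 17 = UDP
        }
    }

# 3. CAPI2 entries. These land in the Application log under provider
#    Microsoft-Windows-CAPI2; the PID is in the event's System section.
$capi2 = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2' } `
    -MaxEvents 200 -ErrorAction SilentlyContinue

'--- svchost drops, with the services hosted by that PID ---'
$drops | Where-Object { $_.App -like '*\svchost.exe' } |
    Select-Object Time, Pid, Services, Proto, Dest | Format-Table -AutoSize

'--- CAPI2 events whose PID also produced a drop within 60 s (assumed window) ---'
foreach ($c in $capi2) {
    $drops | Where-Object { $_.Pid -eq $c.ProcessId -and
                            [Math]::Abs(($_.Time - $c.TimeCreated).TotalSeconds) -le 60 } |
        ForEach-Object {
            'CAPI2 {0} at {1}, pid {2} [{3}] <-> drop to {4}' -f `
                $c.Id, $c.TimeCreated, $c.ProcessId, (Get-PidServices $c.ProcessId), $_.Dest
        }
}
```

A drop whose Services column contains wuauserv supports Heimdall's hypothesis; one that lists Dnscache instead fits wat0114's observation that allowing the DNS Client service out to port 80 made the drops disappear. An empty Services column means the PID no longer exists (the service group was restarted), which is why the service map has to be taken in the same session as the events.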
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
For those interested, I've provided the rules I created for AVG LinkScanner 2011 to do its job without any problems.

I've already posted them in the 'AVG LinkScanner 2011 free standalone is in the cloud' thread in Other Anti-Malware, but here they are as well:

    Process Path: %ProgramFiles%\AVG\AVG10\avgwdsvc.exe

    Protocol: UDP

    Remote Port: 53

    Remote IP(s): Your ISP DNS IPs/third party DNS service

    Rule Name: AVG LinkScanner - WatchDog Service (avgwdsvc.exe) (Protocol: UDP) (Remote Port: 53/DNS)


    Process Path: %ProgramFiles%\AVG\AVG10\avglscanx.exe

    Protocol: UDP

    Remote Port: 53

    Remote IP(s): Your ISP DNS IPs/third party DNS service

    Rule Name: AVG LinkScanner - AVG LinkScanner Quick Scan (avglscanx.exe) (Protocol: UDP) (Remote Port: 53/DNS)


    Process Path: %ProgramFiles%\AVG\AVG10\avgmfapx.exe

    Protocol: UDP

    Remote Port: 53

    Remote IP(s): Your ISP DNS IPs/third party DNS service

    Rule Name: AVG LinkScanner - AVG Installer Application (avgmfapx.exe) (Protocol: UDP) (Remote Port: 53/DNS)


    Process Path: %ProgramFiles%\AVG\AVG10\avgnsx.exe

    Protocol: UDP

    Remote Port: 53

    Remote IP(s): Your ISP DNS IPs/third party DNS service

    Rule Name: AVG LinkScanner - AVG Online Shield Service (avgnsx.exe) (Protocol: UDP) (Remote Port: 53/DNS)

    The rules written above are only necessary if you have DNS Client disabled. If you have DNS Client enabled or have created a global rule allowing DNS access, then such rules are not needed.

You also need to create TCP rules allowing remote port 80 for avgmfapx.exe, and outbound TCP to remote ports 80 and 443 for avglscanx.exe and avgnsx.exe.

    I haven't found any issues regarding updates and functionality. I wonder what other rules some of you may have in outbound rules provided by other third-party firewalls.

    Any doubts, just give some feedback, and I'll see if I can be of any assistance.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -Edit-

    I forgot to mention that you should restrict the rule that I named AVG LinkScanner - WatchDog Service (avgwdsvc.exe) (Protocol: UDP) (Remote Port: 53/DNS) to AVG WatchDog Service.
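The rule set above, including the follow-up note about pinning the WatchDog rule to its service, expressed as netsh advfirewall commands so it can be applied and reviewed as a script instead of clicked through the WFAS console. This is an added example, not m00nbl00d's own steps. It assumes an elevated prompt on Vista/7/2008 (the New-NetFirewallRule cmdlet only exists on Windows 8 and later), uses placeholder DNS resolver addresses that you must replace, and assumes 'avgwd' as the short name of the AVG WatchDog Service for the service= restriction; check that with Get-Service before relying on it.

```powershell
# Added example, not from the thread. Run elevated on Vista/7/2008.
# Assumptions: placeholder DNS IPs, AVG installed under %ProgramFiles%\AVG\AVG10,
# and 'avgwd' as the WatchDog short service name. Verify the last one with:
#   Get-Service | Where-Object { $_.DisplayName -like 'AVG WatchDog*' } | Select-Object Name
$avgDir = Join-Path $env:ProgramFiles 'AVG\AVG10'
$dnsIps = '192.0.2.53,192.0.2.54'     # placeholder: your ISP / third-party resolver IPs
$wdSvc  = 'avgwd'                     # assumed short name of "AVG WatchDog Service"

function Add-AvgOutRule {
    param(
        [string]$Name, [string]$Exe, [string]$Proto,
        [string]$RemotePort, [string]$RemoteIp = 'any', [string]$Service = ''
    )
    $exePath = Join-Path $avgDir $Exe
    if ($Service) {
        # service= restricts the rule to that service inside the process, so other
        # code running as the same executable does not inherit the allow.
        netsh advfirewall firewall add rule name="$Name" dir=out action=allow enable=yes `
            program="$exePath" service="$Service" protocol=$Proto remoteport=$RemotePort remoteip=$RemoteIp
    } else {
        netsh advfirewall firewall add rule name="$Name" dir=out action=allow enable=yes `
            program="$exePath" protocol=$Proto remoteport=$RemotePort remoteip=$RemoteIp
    }
}

# DNS (UDP/53) rules: only needed when the DNS Client service is disabled and the
# processes resolve names themselves. Destination pinned to the resolvers you use.
Add-AvgOutRule 'AVG LinkScanner - WatchDog Service (avgwdsvc.exe) (Protocol: UDP) (Remote Port: 53/DNS)'            'avgwdsvc.exe'  udp 53 $dnsIps $wdSvc
Add-AvgOutRule 'AVG LinkScanner - AVG LinkScanner Quick Scan (avglscanx.exe) (Protocol: UDP) (Remote Port: 53/DNS)' 'avglscanx.exe' udp 53 $dnsIps
Add-AvgOutRule 'AVG LinkScanner - AVG Installer Application (avgmfapx.exe) (Protocol: UDP) (Remote Port: 53/DNS)'   'avgmfapx.exe'  udp 53 $dnsIps
Add-AvgOutRule 'AVG LinkScanner - AVG Online Shield Service (avgnsx.exe) (Protocol: UDP) (Remote Port: 53/DNS)'     'avgnsx.exe'    udp 53 $dnsIps

# HTTP/HTTPS rules for updates and scanning, as described in the post.
Add-AvgOutRule 'AVG LinkScanner - AVG Installer Application (avgmfapx.exe) (Protocol: TCP) (Remote Port: 80)'       'avgmfapx.exe'  tcp 80
Add-AvgOutRule 'AVG LinkScanner - AVG LinkScanner Quick Scan (avglscanx.exe) (Protocol: TCP) (Remote Port: 80,443)' 'avglscanx.exe' tcp '80,443'
Add-AvgOutRule 'AVG LinkScanner - AVG Online Shield Service (avgnsx.exe) (Protocol: TCP) (Remote Port: 80,443)'     'avgnsx.exe'    tcp '80,443'

# Allow rules only matter when the profile blocks outbound by default:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
# Review what was created:
netsh advfirewall firewall show rule name=all dir=out | Select-String 'AVG LinkScanner'
```

Windows Firewall has no rule ordering: a matching block rule always wins over an allow rule, so these allows cannot accidentally override an explicit block you already have. If a rule is created with a path that does not exist on the machine, netsh still accepts it and the rule simply never matches, which is the first thing to check when a rule "does nothing".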
     
  7. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Hi,

Is there any point in configuring the local port for software and Windows applications?
For example, a rule like this: Mbam.exe local port 1024-65535, remote port 80,443?
Does it increase security or just create potential problems?

    Thanks.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    If you are on w7 you may want
    49152-65535
     
  9. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Hi,

That's right, I'm on 7 64-bit. Will 49152-65535 be enough?
And what about 1024-49151? Aren't they used?
Does the list you gave me concern software only, or Windows applications too?

    Thanks.
     
    Last edited: Apr 3, 2011
  10. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

    Port numbers are split into three groups:
    • 0-1023: Well known ports. Ports intended for system use.
    • 1024-49151: Registered Ports. Ports for individual application use. In theory, these should be assigned by ICANN/IANA.
    • 49152-65535: Ephemeral or Dynamic ports. Ports for temporary use, normally auto-allocated.
On Windows 7 (and Vista and Server 2008), applications that just establish a temporary port for communication (like MBAM) should request a port from the ephemeral range 49152-65535. You might sometimes want to make sure that an application does precisely that with a tighter firewall rule.
     
    Last edited: Apr 3, 2011
  11. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
Thanks for the explanation.
But I tried 49152-65535 for Mbam (for example) and it works without problem.
Which applications do I need to configure with this range? Internet browser? Mail client?
And about the Windows programs: do I configure them or leave them alone :D ?
     
  12. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Yes, you're correct. I was in error and have amended my previous post.
     
  13. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
Can you answer my other questions? I don't want to make a mistake; everything has been fine since I reinstalled my PC.
     
  14. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    You can restrict most installed applications that initiate outbound network connections to the local ephemeral/dynamic port range and that includes browsers and mail clients.

    People view outbound firewall protection in different ways. Some will lock down every application as tight as possible, restricting both remote and local ports and even the remote IP range, if possible. Some people may apply certain port/IP restrictions to certain programs only. Some don't bother with any port/IP restrictions at all, i.e. the application is either allowed network access or it isn't. (Some even advocate that using an outbound firewall is of little benefit). Perhaps tighter outbound rules only come into play once you're already infected with malware and then it's too late?

    It's up to you really. It does no harm restricting suitable applications to the local ephemeral/dynamic port range and takes little effort, but it may not provide a tangible benefit either.
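To act on sbseven's port-range explanation and his later advice (restrict outbound applications to the local ephemeral range, optionally pinning remote ports and remote IPs too), the PowerShell below is an added example, not code from the thread. It reads the dynamic port range the machine actually uses instead of hard-coding 49152-65535, because that range is configurable, and then writes the kind of tight rule discussed for mbam.exe, EboO's example application. The mbam.exe path is a placeholder assumption, the remote IP list is optional and left as 'any', and the script needs an elevated prompt on Vista/7/2008.

```powershell
# Added example, not from the thread. Run elevated on Vista/7/2008.
# Assumption: the mbam.exe path below is a placeholder for your actual install location.

# Vista and later default to 49152-65535, but 'netsh int ipv4 set dynamicport'
# can change it, so read the live range rather than trusting the default.
function Get-DynamicPortRange {
    param([ValidateSet('tcp', 'udp')][string]$Proto = 'tcp')
    $text  = (netsh int ipv4 show dynamicport $Proto) -join "`n"
    $start = [int][regex]::Match($text, 'Start Port\s*:\s*(\d+)').Groups[1].Value
    $count = [int][regex]::Match($text, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value
    '{0}-{1}' -f $start, ($start + $count - 1)      # e.g. "49152-65535"
}

# One outbound allow rule pinned on local port range, remote port(s) and,
# optionally, remote IP(s). Anything outside this envelope is dropped.
function Add-TightOutRule {
    param(
        [string]$Name, [string]$Program, [string]$Proto,
        [string]$RemotePort, [string]$RemoteIp = 'any'
    )
    $local = Get-DynamicPortRange $Proto
    netsh advfirewall firewall add rule name="$Name" dir=out action=allow enable=yes `
        program="$Program" protocol=$Proto localport=$local remoteport=$RemotePort remoteip=$RemoteIp
}

$mbam = Join-Path $env:ProgramFiles "Malwarebytes' Anti-Malware\mbam.exe"   # placeholder path
Add-TightOutRule 'MBAM - outbound HTTP/HTTPS (ephemeral local ports)' $mbam tcp '80,443'

# With "Filtering Platform Packet Drop" auditing enabled, every attempt the
# program makes outside the rule shows up as event 5152 with its destination.
# That is how to tell a rule that is too tight (drops to the expected update
# hosts) from a genuine attempt to reach somewhere unexpected.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*mbam.exe*' } |
    Select-Object TimeCreated,
        @{ n = 'Dest'; e = { [regex]::Match($_.Message, 'Destination Address:\s*(\S+)').Groups[1].Value } },
        @{ n = 'Port'; e = { [regex]::Match($_.Message, 'Destination Port:\s*(\d+)').Groups[1].Value } }
```

The local-port restriction fails closed: an application that binds a fixed local port (a listener, or a client that picks its own source port) will stop working under this rule and the 5152 events will show the source port it tried. That is the "potential problems" side of EboO's question, and the drop log is what tells you whether the rule or the application is at fault.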
     
  15. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
So I'll see. Many thanks for all these explanations.
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Outbound FW's are mainly intended for those users (like me) who want to decide which applications can access the www and which can't. My view is that just because some vendor application wants www access doesn't mean they need it. Certainly not all the time.

    If the user doesn't care or want to be bothered the notion of outbound control has no value.

    But in the real world, the big issue is loss of private information via parasites or even normal software so the more restraint we place on outbound the better. Putting in the ephemeral ports is just one more link in our layers of protection.

    But again, to each his own.
     
  17. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    I agree.

    If putting in the ephemeral port restrictions ever "saves the day" then the other layers of protection probably need some revision... ;)
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
They certainly would if IT was the only bear trap for parasites.

What is really strong is placing an IP restraint on outgoing for your update exes. I have various security tools in the layers. I KNOW what IPs they use and put those in. The last thing we need is a false update site for your anti-virus product etc.

    Just a thought.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Has anyone restricted access to sites like Youtube in Windows firewall? The damn IPs are always bouncing... :argh:

    So far haven't been able to find a proper IP range to make the thing work without problems.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses


The solution there, I think, is not to try to put YouTube etc. in a FW rule.

I would rely on country range blocks so only IPs from your home country, whatever it is, use YouTube.

    Just a random thought.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That's a nice thought. But, it still wouldn't restrict as much as I would like. I'd only like to allow communication with the necessary domains/IPs for Youtube to work and nothing else.

I was able to do just that using a Chromium/Chrome command switch, but it has been purposefully broken by Google developers o_O . Chrome 10 still allows you to achieve such a result, but I don't use Chrome, rather Chromium.

It's actually going to force me to rethink some of my security measures for the Chromium e-mail profiles... There goes the redirection-to-unwanted-domains protection out of the window. :thumbd:

If only Windows Firewall would allow such... Doesn't Microsoft know that restricting access by domain is safer than by IP... shared IPs... ring any bells o_O :mad:
     
  22. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Hey m00nbl00d, if you fancy a challenge maybe you can come up with something using the info in this research paper: -http://www-users.cs.umn.edu/~viadhi/resources/youtube-tech-report.pdf-. It's a very detailed attempt to reverse engineer the youtube video delivery cloud!

    Happy reading... ;)
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Already downloaded it, and will for sure read it these coming days. I'm sure it will be an interesting reading.

    Thanks
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Today, I was going to update Windows 7, but it kept failing. It turns out Windows Update was making connections to IPs that were not part of the allowed IP ranges.

    The IPs are 97.65.135.176 and 97.65.135.170. See here for more info -https://secure.dshield.org/ipinfo.html?ip=97.65.135.176

    Other than Microsoft's own IP ranges and Akamai, I've never seen Windows Update communicate with other IPs before. Not that I can remember, anyway.

    Has anyone ever seen such communications?
     
  25. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
Aren't those in a range that is part of Akamai?

-http://networktools.nl/whois/97.65.135.170
     