OutPost Pro letting inbound connections even though there is no rule for this

I have took OP out of learning mode and realized I needed to make rules (for some reason auto rule creation didn't make them) for MBAM and Webroot Secure Anywhere AV and the rules I made where for "Outbound" only, no "Inbound" rules created.

OP then throws up pop-ups about a inbound rule(s) for MBAM and Webroot when I made no such rules. Does this happen to anyone else?

 

Could you please provide a screenshot of the settings you got for the Firewall portion in the GUI? I don't recall what's exactly there, but I do recall about a Wizard Mode or something like that. If that's selected, then it makes sense that Outpost alerts you for inbound connections. It's not letting them in; it's simply telling you those apps are attempting inbound connections, and if you'd like to allow them.

 

I don't know about Webroot, but MBAM only requires TCP out to remote port 80 (https). No inbound should be required, and no way should it be requesting for inbound, afaik.

By default, OP with Attack Detection enabled, will stealth all ports from inbound sctivity. With Attack Detection disabled, and depending on your current rules setup ports 135 & 49152 - 49157 might show open, with 139 and 445 closed in a Win7 setup. Inbound rules can be created under Settings -> Network Rules -> System-wide rules -> Global Rules to block any open ports, if one decides to disable Attack Detection.

 

Hi Moonblood,

Here are some screenshots. As you can see it says "Incoming connections allowed". I never made any rules for incoming for any program.

 

Your right there should be no incoming connections needed for either one.

Attack Detection is enabled. DCOM is disabled through services.

 

Hello,

I previously misunderstood you. I thought you were referring to OP prompts asking whether or not to allow traffic (inbound).

Did you look in the firewall rules to see if there's anything there regarding those applications? Could ImproveNet have added them there? You do have the option to automatically create rules for trusted vendors selected.

 

I have combed through every application (opening and double checking the direction) rule 4 times and there was no rules made for inbound.

I clicked on the "trusted vendor list" right before I uploaded your screenshots. That the first it has been enabled.

I would like to know why OP says that these inbound connections are allowed when there never was any rules made for that. I really don't know if this is a bug or what. It possibly could be saying it has allowed the inbound connections when there really is no such thing coming through.

Do you know where the trusted vendor list is?

Is there a way for me to really find out what's what with a programs connections by using software?

 

i'd suggest posting on agnitum's outpost firewall forums (-http://www.outpostfirewall.com-)

 

I'm afraid I cannot be more helpful. There's been a long time since I last used Outpost. I barely remember how it works.

But, I'd follow m0unds advise. You could also get in direct contact with Agnitum's support.

 

This is inbound traffic from your LAN. It's controlled in LAN settings. If you want no inbound connections than untick all options but be warned that printer and file sharing will break.

 

Nope.....svchost.exe is acting as an Server to the Internet.

WRSA.EXE exists permissions to transfer data to the Network on behalf of trusted applications.

Example: DNS API Request, Network-enabled application launch, OLE automation control, DDE communication.

Enable full logging and the Inbound Source will be revealed.

WRSA = Webroot SecureAnywhere


HKEY1952

 

That's possible if 192.168.11.14 happens to be the machine with OPF installed and auto rules for trusted vendor is enabled. But the OP said there are no inbound allow rules for any app. I took it that 192.168.11.14 was another LAN machine.

I don't know enough about Webroot SecureAnywhere but a quick perusal of its web page doesn't indicate that it can act as a server collecting inbound traffic. I guess it depends on whether or not it is installed.

 

Anti-Leak Control

By default svchost.exe acts an Server to both the Local Area Network and the Wide Area Network.

Server = Listen

Listen = Open Port if necessary

WRSA is using svchost.exe via WRSA Anti-Leak Control Permissions (Cloud Technology Anyone?)

EDIT: clarity


HKEY1952

 

My Lan settings are empty, nothing checked. This happens even when trusted vendor list is not checked.

 

@Mounds, Moonblood

I will get a hold of support after the holidays and see what happens.

Merry Xmas to all at Wilders.

Just wanted to show the rules for WRSA (that I supposedly have incoming connections being allowed).

 

I also have SecureAnywhere AV and Outpost Firewall Pro

My Outpost may be setup differently

Behind router / firewall , netbios checked

OFP - Rules Wizard , Auto Create and Update Rules, Auto Create rules for applications signed by trusted vendor

WRSA rules

I have the Outgoing TCP to HTTP
But not Outgoing UDP to DNS

Does your WRSA show up in Blue under Applications like how mine is shown in pics..Or It is Black ?

Full Screen pic
http://www.bild.me/bild.php?file=7827781oftpwrsa.jpg

 

Well, lets at least see if we can figure out which rule is producing this popup. The firewall report is generated from within a rule that says report this activity as shown in my screenshot below. Apparently it's not in WRSA ruleset so I'd suggest to start looking for it in the rules for scvhost. It could be a loopback rule doing what HKEY1952 suggests.

Does the IP address in this report belong to your machine?