A trouble with Jetico 1

Discussion in 'other firewalls' started by Ghost_ARCHER, Jan 21, 2007.

Thread Status:
Not open for further replies.
  1. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Sorry if there are similar threads.

    The problem is: I tried a program and found it started sending outbound traffic. I uninstalled the application and blocked the traffic. Then I found it was still in the application list in Jetico. More funny, I found Firefox and IE not working. It turns out that Firefox and IE were trying to launch that app to access the internet. I had to restart the computer, and then everything went OK again.

    Just wonder what happened.

    As I remember, xdict caused a similar problem on my laptop before.
     
  2. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    What application did you try? Looks like an application which also integrates itself as a plugin, applet, etc. into those browsers.
     
  3. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Thanks for the quick reply. One, as I mentioned, is xdict.exe (www.iciba.com or www.kingsoft.com), which is a dictionary application; I think it tries to check for updates at startup, therefore I blocked it. There was no problem for weeks, but suddenly one day all the explorers could access the internet, and a popup told me it was trying to access the internet.

    The other one is an image processing program, probably Ultimate Paint Freeware Edition 2.88 build 1135. After I saw the menu and found the outbound traffic, I uninstalled it right away. The only problem is that I uninstalled it before I responded to one of the popups about it.

    The problem is, no other resource shows that they were still running, or even the existence of the app.
     
  4. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    A tip, please

    After installing/uninstalling many programs on my computer, I notice my Ask User list in Jetico gets longer and longer. Any way to handle it? Say, I have lots of installation programs from c:\download trying to launch IE; they are in the list, and after an update BitDefender raises new popups, and something that has already been uninstalled, like AVG, also lives there. ANY TIPS TO HANDLE THIS?
     
  5. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Need troubleshooting

    http://img147.imageshack.us/my.php?image=04060121406cr3zb.jpg

    Note that I don't know when the Application Trusted Zone got inside the Ask User list. I am confused whether the Application Trusted Zone rule is located in this table or in the one under the root table.

    http://img254.imageshack.us/my.php?image=04060121402cr7cv.jpg

    The FTP server application has made more than 4 rules that I can't tell the difference between. There is at least one more identical one before these 4. How could they get there?

    I found lots of antivirus entries and SiteAdvisor entries; is there any option to delete old rules automatically once the hash check has changed?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Need troubleshooting

    You must have a rule in place in your "Ask User" table that is making a jump to the "Application Trusted Zone".
    You may have created rules with local ports and/or remote IPs, and you have been asked again for access by your FTP client. Delete them all, and re-run your FTP client to make a new "jump" rule.
    No, you need to do this manually.
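    To make Stem's two diagnoses concrete (a jump rule inside "Ask User" silently routing an application into the trusted zone, and remembered rules pinned to a remote IP or local port producing a fresh popup, and a fresh duplicate rule, for every new server), here is a small first-match rule-table model with jump rules. It is an added illustration, not Jetico's code: the table names come from the thread, but the matching semantics, the "remember" behaviour and the application names (ftpclient.exe, tvkoo.exe) are simplifying assumptions.

```python
"""First-match rule tables with 'jump' rules, modelled on the Ask User /
Application Trusted Zone tables discussed in this thread. Added illustration,
not Jetico code: the table names are taken from the thread; the matching
semantics, the remember behaviour and the sample application names are
simplifying assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    app: str         # image name of the process
    proto: str       # "tcp" or "udp"
    direction: str   # "out" or "in"
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass
class Rule:
    action: str                     # "allow", "block", "ask" or "jump"
    app: Optional[str] = None       # None means "any"
    proto: Optional[str] = None
    direction: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    local_port: Optional[int] = None
    target: Optional[str] = None    # table to jump to when action == "jump"

    def matches(self, c: Conn) -> bool:
        for name in ("app", "proto", "direction", "remote_ip", "remote_port", "local_port"):
            want = getattr(self, name)
            if want is not None and want != getattr(c, name):
                return False
        return True


class Firewall:
    def __init__(self) -> None:
        self.tables: Dict[str, List[Rule]] = {}
        self.popups: List[Conn] = []   # connections that produced an "ask" popup

    def evaluate(self, c: Conn, table: str = "Root", depth: int = 0) -> str:
        """Walk `table` top to bottom; the first matching rule decides. A jump
        rule consults another table and only counts if that table decides."""
        if depth > 8:
            raise RuntimeError("jump loop between tables")
        for r in self.tables.get(table, []):
            if not r.matches(c):
                continue
            if r.action == "jump":
                verdict = self.evaluate(c, r.target, depth + 1)
                if verdict != "fallthrough":
                    return verdict
                continue          # the jumped-to table had no opinion
            if r.action == "ask":
                self.popups.append(c)
            return r.action
        return "fallthrough"

    def remember(self, c: Conn, table: str, pin: Tuple[str, ...] = ()) -> None:
        """What 'remember my answer' does: insert an allow rule for this app
        just ahead of the table's ask rule, additionally pinned to the fields
        named in `pin` (for example remote_ip or local_port)."""
        fields = {"app": c.app, "proto": c.proto, "direction": c.direction}
        for name in pin:
            fields[name] = getattr(c, name)
        rules = self.tables[table]
        ask_at = next((i for i, r in enumerate(rules) if r.action == "ask"), len(rules))
        rules.insert(ask_at, Rule("allow", **fields))


def build_tables() -> Firewall:
    fw = Firewall()
    fw.tables["Application Trusted Zone"] = [Rule("allow")]
    fw.tables["Ask User"] = [
        # Stem's diagnosis: a jump to the trusted zone sitting inside Ask User,
        # so everything tvkoo.exe does is allowed without ever asking.
        Rule("jump", app="tvkoo.exe", target="Application Trusted Zone"),
        Rule("ask"),
    ]
    fw.tables["Root"] = [Rule("jump", target="Ask User"), Rule("block")]
    return fw


def ftp_popups(pin: Tuple[str, ...]) -> int:
    """Connect an FTP client to two servers, remembering the first answer
    pinned to `pin`; return how many popups the user saw."""
    fw = build_tables()
    first = Conn("ftpclient.exe", "tcp", "out", "198.51.100.7", 21, 49152)
    second = Conn("ftpclient.exe", "tcp", "out", "203.0.113.9", 21, 49153)
    if fw.evaluate(first) == "ask":
        fw.remember(first, "Ask User", pin)
    fw.evaluate(second)
    return len(fw.popups)


if __name__ == "__main__":
    print("pinned to remote IP and local port:", ftp_popups(("remote_ip", "local_port")), "popups")
    print("pinned to application only:", ftp_popups(()), "popups")
    tv = Conn("tvkoo.exe", "udp", "out", "203.0.113.50", 8000, 5555)
    print("tvkoo.exe via the jump rule:", build_tables().evaluate(tv))
```

    Pinning the remembered rule to the remote IP and local port gives a second popup (and a second near-identical rule) for the second server, which is how the four look-alike FTP rules in the screenshot arise; remembering only the application, protocol and direction gives one rule that covers both. The trade-off is the one the thread circles around: the narrower the rule, the more popups, but the less an updated or hijacked binary can do with it.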
     
  7. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Re: Need troubleshooting

    Thanks Stem, I just noticed that it should go into the Ask User table, while the one outside should have disappeared. Seems only the Application Trusted Zone and Block Zone are exceptions. I can't delete any of them anyway.

    I just figured out that they might correspond to different processes. The FTP server (Cerberus 2.4) itself first goes to checkmyip.com to get the IP address. Therefore a web browser rule should be applied before the FTP server one. I don't know if there is another operation before or after. But at this point, should I just make a new rule to combine the two, or simply leave two entries in the Ask User list?


    I deleted all the entries in the Ask User list last night to start over with a new learning process.

    I downloaded the ruleset you made and it works great. Thanks. But I still need some advice on how to organize it. As I browsed the thousand-mile-long thread "Jetico makes me crazy", it seems that most programs that access the internet only for updating should be handled as web browsers? Am I right on this point?

    And for most applications that are not network-based, using Allow rather than putting them into the Application Trusted Zone can increase security, even though there might be more entries in the list. The problem is, to what level should a program be put into the trusted zone? For example, PhotoFiltre may want to access the internet for some reason; should I allow it or not? Is there a general rule for this?

    Is it possible to make one rule for all the file sharing software, e.g., BitComet, BitTorrent, uTorrent, BitTornado and so on, a common rule similar to the FTP server rule that Jetico carries, in case we set the listening port to a range or to the same value?

    I have some question marks on several programs: PPStream (PPLive, PPMate or TVKoo) / TV2.0; the latter sounds like a web browser application while the former is something like BitTorrent. I simply throw them into the trusted zone but feel uncomfortable about that. Are there any step-by-step tips on how to make a rule for an unknown or unpopular program?

    I read the post by others about the test result from ShieldsUP. It said all stealth. However, my port 80 is open, since I have to access their web for the test, and port 113 is closed instead of stealth. Is it possible to have port 80 stealth or even closed when I have my web browser open? :) And how can I stealth port 113 in Jetico instead of the router?

    Oh, I forgot to delete the process attack list.

    Last one for you ;) about the Windows processes that might be vulnerable, like the 239.255.255.250:1900 UPnP access; I don't know if something will malfunction if I block it.
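    The 239.255.255.250:1900 alert in the last question is SSDP, the multicast discovery part of UPnP: outbound datagrams to that group are the machine (Windows' SSDP Discovery service, or an application such as a BitTorrent client looking for the router to request a port mapping) searching for UPnP devices, and inbound ones are devices on the LAN announcing themselves. Blocking it costs UPnP device discovery and anything built on it, such as automatic router port mappings; the rest of the system does not depend on it. The decoder below, an added illustration rather than anything from the thread, shows what those datagrams actually contain; the two sample messages are constructed in the protocol's format, not captured from the poster's machine.

```python
"""Decode the datagrams behind a '239.255.255.250:1900' firewall alert.
That address is the SSDP multicast group and port used by UPnP discovery.
Added illustration; the sample datagrams below are constructed in the
format the protocol specifies, not captured from a real host."""
from typing import Dict

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

# Constructed samples: a search sent by a host, and an announcement a router
# would multicast to the LAN. Addresses are documentation-range placeholders.
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\n"
           b"HOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\n'
           b"MX: 2\r\n"
           b"ST: ssdp:all\r\n\r\n")
NOTIFY = (b"NOTIFY * HTTP/1.1\r\n"
          b"HOST: 239.255.255.250:1900\r\n"
          b"NT: upnp:rootdevice\r\n"
          b"NTS: ssdp:alive\r\n"
          b"LOCATION: http://192.0.2.1:1900/rootDesc.xml\r\n"
          b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")


def parse_ssdp(datagram: bytes) -> Dict[str, object]:
    """Parse the HTTP-over-UDP header block of an SSDP message into
    {'method': ..., 'headers': {NAME: value}}; header names are upper-cased
    because the protocol treats them case-insensitively."""
    head = datagram.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"method": method, "headers": headers}


def describe(dst_ip: str, dst_port: int, datagram: bytes) -> str:
    """One-line classification of a UDP datagram the firewall has logged."""
    if (dst_ip, dst_port) != (SSDP_GROUP, SSDP_PORT):
        return "not SSDP multicast"
    msg = parse_ssdp(datagram)
    h = msg["headers"]
    if msg["method"] == "M-SEARCH" and h.get("MAN") == '"ssdp:discover"':
        return "SSDP search for %s (this host looking for UPnP devices)" % h.get("ST", "?")
    if msg["method"] == "NOTIFY":
        return "SSDP announce %s from %s at %s" % (h.get("NTS", "?"), h.get("NT", "?"), h.get("LOCATION", "?"))
    return "malformed SSDP"


if __name__ == "__main__":
    print(describe(SSDP_GROUP, SSDP_PORT, MSEARCH))
    print(describe(SSDP_GROUP, SSDP_PORT, NOTIFY))
```

    A practical caveat for the BitTorrent and online-TV clients discussed later in the thread: if their port-forwarding relies on UPnP and the outbound M-SEARCH is blocked, they never find the gateway and the listening port has to be forwarded by hand on the router.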
     
  8. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Re: Need trouble shooting

    I think I should not apply the web browser rule; instead, I should simply allow access to the specified IP. BTW, it accesses checkip.dyndns.com. Hope this is the only one.
    OK, it works :)
     
  9. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Hi, Stem.

    Please check if this is a proper method for a beginner to set up a rule for unknown applications.

    I first set up the temp rules by not remembering the decision.
    Then I check if the decision is correct; if the program runs with no problem, change it into a permanent rule, for example for IceSword.
    Or, like the Ad-Aware update, there are too many entries, so create a rule table and name it "adaware update", then copy/summarize the temp rules into it. In this update run I recorded network access, TCP/IP on port 80 to 207.44.136.40, 204.2.225.32, 82.99.19.16, therefore I added four rules there.
    http://img169.imageshack.us/img169/531/0096fx.jpg
    Then the temp rules are mostly deleted, unless one is modified to be treated as update.
    http://img296.imageshack.us/img296/15/0108ix.jpg

    I can't test it until the next update is available :) but I am eager to know if there is something wrong, because I am wondering whether I will mess it up if the update is hosted by a different machine. Otherwise, if I treat it as trusted, every update I need to delete the old rule and make a new one.

    BTW, can a download manager be treated as web browser + FTP client?
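    The procedure in this post (answer popups without "remember", collect what each program actually connected to, then condense that into one small per-application table) and the earlier wish for old rules to go away when a program's hash changes or it is uninstalled can be scripted over a log of observed decisions. The example below is an added illustration of that bookkeeping, not a Jetico feature or file format; the three Ad-Aware update addresses are the ones quoted in the post, and every other path, hash and address in it is constructed.

```python
"""Summarize a run of temporary (not remembered) firewall decisions into a
compact per-application rule table and flag stale entries. Added illustration
of the procedure described in this thread, not a Jetico feature or file
format. The three Ad-Aware update addresses are the ones quoted in the thread;
every other path, hash and address below is constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ADAWARE = r"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe"
XDICT = r"C:\Program Files\Kingsoft\xdict.exe"
UTORRENT = r"C:\Program Files\uTorrent\uTorrent.exe"
AVG = r"C:\Program Files\AVG\avgupd.exe"


def _seen(app: str, sha: str, ip: str, port: int, proto: str = "tcp", direction: str = "out") -> dict:
    return {"app": app, "sha": sha, "proto": proto, "dir": direction, "ip": ip, "port": port}


# Constructed observation log: one entry per popup answered without "remember".
OBSERVED = [
    _seen(ADAWARE, "aa01", "207.44.136.40", 80),
    _seen(ADAWARE, "aa01", "204.2.225.32", 80),
    _seen(ADAWARE, "aa01", "82.99.19.16", 80),
    _seen(XDICT, "xd01", "198.51.100.20", 80),
    _seen(XDICT, "xd02", "198.51.100.20", 80),   # same program after an update: new hash
    _seen(AVG, "av01", "192.0.2.5", 80),          # AVG was uninstalled afterwards
] + [_seen(UTORRENT, "ut01", "203.0.113.%d" % n, 6881) for n in range(1, 7)]

INSTALLED = {ADAWARE, XDICT, UTORRENT}   # what is still on disk (constructed)

Key = Tuple[str, str, str, int]           # (app, proto, direction, remote port)


def summarize(observed: List[dict], installed: Set[str],
              collapse_at: int = 4) -> Tuple[List[dict], List[str]]:
    """Return (rules, warnings). One allow rule per (app, proto, direction,
    port, remote IP), unless an app talked to `collapse_at` or more hosts on
    a port, in which case a single port-only rule is emitted for review."""
    remotes: Dict[Key, Set[str]] = defaultdict(set)
    hashes: Dict[str, Set[str]] = defaultdict(set)
    for o in observed:
        hashes[o["app"]].add(o["sha"])
        remotes[(o["app"], o["proto"], o["dir"], o["port"])].add(o["ip"])

    warnings: List[str] = []
    for app in sorted(hashes):
        if len(hashes[app]) > 1:
            warnings.append("%s: seen with %d different hashes; rules tied to the old hash no longer match"
                            % (app, len(hashes[app])))
        if app not in installed:
            warnings.append("%s: no longer installed; its rules are dead weight" % app)

    rules: List[dict] = []
    for (app, proto, direction, port), ips in sorted(remotes.items()):
        if app not in installed:
            continue                      # do not carry rules for removed software
        base = {"app": app, "proto": proto, "dir": direction, "remote_port": port}
        if len(ips) >= collapse_at:
            # Peer-to-peer style traffic: pinning every peer IP is pointless,
            # so keep the port and mark the rule for a manual look.
            rules.append(dict(base, remote_ip="any", review=True))
        else:
            # Updater-style traffic: a handful of fixed hosts, one rule each,
            # which is the "adaware update" table described in the post above.
            for ip in sorted(ips):
                rules.append(dict(base, remote_ip=ip, review=False))
    return rules, warnings


def rules_for(app: str, rules: List[dict]) -> List[dict]:
    return [r for r in rules if r["app"] == app]


if __name__ == "__main__":
    out_rules, out_warnings = summarize(OBSERVED, INSTALLED)
    for r in out_rules:
        print(r)
    for w in out_warnings:
        print("warning:", w)
```

    The hash warning is the answer to the worry about updates being served from a different machine: after an update the binary's hash changes and rules bound to the old hash stop matching regardless of which hosts they name, so the table has to be rebuilt either way; what the per-IP rules buy in the meantime is that the updater can only reach the hosts it was seen using.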
     
  10. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    For BitComet or uTorrent, there are too many entries created. I simply used your instance for BitTornado and changed the port. I added one entry for BitComet in the table with the application specified as BitComet, and one for uTorrent, with the port set to the listening port.

    I guess the online TV apps will also create lots of entries if the decision is not remembered. Waiting for the rule file from you :) The application set is PPStream, PPLive, PPMate, TVKoo,

    hxxp://dlb.pchome.net/multimedia/onlineplayer/ppstream_631_setup.exe
    hxxp://dlb.pchome.net/multimedia/onlineplayer/ppm-20035.exe
    hxxp://dlb.pchome.net/multimedia/onlineplayer/viviplay1226.exe
    hxxp://dlb.pchome.net/multimedia/onlineplayer/PPLiveSetup1.6.9.exe

    freeware and should have no ad or spy plugins.
    Thanks for the help!
     
    Last edited by a moderator: Jan 22, 2007
  11. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    I created a table called "p2p client", which works fine with BT, eMule, PPLive, PPStream, TVAnts. In terms of PPMate and TVKoo, their configuration should be similar.

    So when the pop-up window shows up, direct the p2p app to this table. If you have any questions, you could always enable the ask rule.

    PS: for incoming connection rules, the local ports could be fixed by configuring those apps.
     

    Attached Files:

  12. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    Warning: some of the above p2p apps bundle the TCP/IP patch, which is alerted on by AVs.
     
  13. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Thanks shek, I am reproducing it :)
     
  14. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    PPLive once bundled it, now they have removed it. I think PPStream has it as optional. Before PPLive removed it, Antivir and BitDefender would find them and forbid the connection-limit patch function from running. I think now it is OK, but that might be because I changed AVs :)

    Thanks again for the warning
     
  15. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    Hi, Shek:

    How do you deal with the UDP listening port for PPLive?

    A funny thing: TVKoo has no menu bar or control for the port to use. Turns out there is no listening port :)

    From http://tvxp2p.blogspot.com/

    it says:

    TVKOO!
    This program is very peculiar and rare. I may be talking nonsense, but I would say that it does not use any port for incoming connections. I do not understand very well how it works, given that they themselves say it is a P2P program, but nevertheless all the tests I have made show only a single active connection that keeps changing IP. It seems as if a server was in charge of doing all the work of putting computers in contact with each other. Either that, or they have some type of restriction on Western IPs. For the moment there is little more I can say about this program.

    Which I don't quite understand.
     
  16. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    For Jetico, sending/receiving datagrams deals with UDP.

    In terms of TVKoo, you could enable the ask rule and direct it to the p2p table. Then, after several pop-ups and based on the newly created rules for TVKoo, you could optimize the table.
     
  17. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    Hi, Ghost Archer
    What's the problem if I just add those p2p programs and AV software to the Application Trusted Zone? I'm now very confused about it. I see you create new rules for well-known programs and sometimes fail to make them work, but I can't understand why. I added BitComet, eMule and KAV to the Application Trusted Zone and have no problem with it. Maybe it's not as safe as yours? :blink:
     
  18. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    At the beginning I treated it the same way you did: allow some apps if there are not too many network attempts, trust something if they have many. BUT I have met the problem mentioned at the beginning of the thread, which makes me uncomfortable. So I want to limit the programs to the IPs or ports they should use. For AV, you just need the several IPs for downloading the update; anything else might be a malfunction or adware.

    You can never be too careful.
     
  19. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    I finally set a temp rule for it by allowing any in local. I tried to summarize but have not found the inbound entries. I will change the rule later. Recently it is not smooth.

    Thanks for the help Shek.
     
  20. Ghost_ARCHER

    Ghost_ARCHER Registered Member

    Joined:
    Jan 21, 2007
    Posts:
    62
    After the reorganization, the entries in the Ask User list shrank to fit the page, and the working set of the firewall is 6888 now, compared to 80** K yesterday :)
     