Anyone using Outpost Pro with Windows 7?

Discussion in 'other firewalls' started by mrfargoreed, Oct 7, 2009.

Thread Status:
Not open for further replies.
  1. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    I'm trying out Windows 7 with Outpost Pro and am getting some requests that I am unsure how to answer. I never received these alerts in Vista and don't want to leave Outpost in learning mode if these requests should not be allowed. They are outbound TCPv6. I've searched on the Outpost forums and apart from one answered thread (which doesn't really answer the question) I can't find anything else. I am also unsure whether to allow Services.exe to load WerSvc driver. Like I said, I never got these requests with Vista and I set Outpost to automatically create rules, so I am assuming that these are not 'normal' Windows 7 alerts.

    I'm also getting a stream of blocked outbound IGMP at startup, too. I've run a couple of scans and both reveal nothing malicious.

    Any help here would be really helpful, thanks :thumb:

     
  2. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    536
    Location:
    Europa
    I have used Outpost Pro for several years, and since I installed Windows Seven RTM Pro x64 along with Outpost Pro 6.7.1 (2983.450.0714) I get some issues like no network during 60 seconds at startup, not all rules are automatically created in learning mode, and the big one: when I share files on my personal FTP only 1/3 of the files is writing o_O

    I checked the Outpost forum and the advice for removing the issue, but no result for me.

    So I get a lifetime licence and can't use it :mad:


    Best Regards

    Rules.
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    You might have better luck looking for these services / exe files on Google.
     
  4. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    I already have, huangker. The search for the server request alert sent me to the Outpost forums to a thread with no real solution. I searched for WerSvc and discovered what it was, but not how to allow/deny with a firewall. The same with the IGMP requests. I searched but could not find the answers I was looking for, so thought I would ask here where there would be more experts and opinions that I trust to give me correct and/or helpful advice :thumb: .
     
  5. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    I've found this:

    so I'm assuming it's safe to allow these ports to act as servers.

    WerSvc is Windows Error Reporting Service, which again I'm assuming is okay, but is it safe to allow to load drivers to Services.exe? Is this normal behaviour?
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Error Reporting Service is a driver, which is among many other services hosted by Services.exe. If you wish to have it run, then you must allow its loading into Services.exe. So this is normal behavior.

    I would personally not allow any unsolicited inbound unless I am absolutely certain that I need it. Do you have any media devices on your network that you use and need sharing? If not, and as the quote you found said, this is worth further investigation, so I'll return if I find how these servers can be stopped natively (including the IGMP outbounds). I recommend blocking the comms with your firewall for now.
     
  7. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Hey Seer!

    No, I have no media devices that I'm sharing at all. And thank you for your help :thumb: . I did install CIS just to check what ports and services were allowed by default, and both 2869 and 10245 were allowed and 'listening'.

    I was concerned about letting drivers load to Services.exe, which was the alert I received after allowing both ports to act as servers with Outpost in my first experience.

    I'll block these for now, as you recommend, and thanks again.
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    mrfargoreed,

    you're welcome. I have to say that I'm using neither Win7 nor Outpost, so I am just trying to give basic advice.
    Do you have a service called "Windows Media Player Network Sharing Service" (or something similar, the term may have been changed in Win7) in "Services" MMC? If so, check its status, and set it to disabled and stop it. Now, when you delete the blocking rules for the above mentioned 2 TCP ports, does Outpost still prompt you? And how about those outbound IGMPs, do they still appear on reboot?
     
  9. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Hey Seer!

    I did what you suggested which did stop the two alerts to the ports, however, I still got the alert for WerSvc, and when I blocked and terminated it I got an error message telling me that I'd disabled a critical system service and my laptop rebooted before I had a chance to do anything - I probably shouldn't have actually terminated the service :rolleyes: . I will keep trying to see if I can clear this up.

    Many thanks :thumb:
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    I'm glad that we cleared out those unnecessary servers. But I did not actually suggest to block or stop the WER service as I do not know in which relations with other services it is on Win7. You certainly should allow it with Outpost HIPS. What happens when you allow it?
     
  11. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Yep didn't mean to actually terminate the service totally, but once I allowed it everything seemed okay. I'm still getting regular IGMP outbound connections blocked by Outpost though :doubt: .
     
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    :thumb:

    Since this is an outbound multicast to a non-routable address, I wouldn't worry much about it for now. Even if the firewall wasn't blocking this, it would be of no concern. However, as I do not like unnecessary comms running, I would certainly seek the way to stop it natively as well. As I said, I do not run Win7, and many services could cause this, so I can't give proper advice at the moment. I would suspect that some media sharing is the cause (so I'm actually surprised that disabling media sharing service didn't stop it), but the problem with Win7 is that the correct info is not readily available yet. Anyway, I'll try to do some research when I find more time (tomorrow or weekend in the worst case) and I'll repost here.
    Perhaps someone will appear with something useful on IGMP and Win7 in the meantime.

    Cheers,
     
  13. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Thanks Seer - I really appreciate your help on this. I'll keep testing and see if I can work out what's going on and if it's a problem with all versions or just a problem on my machine :thumb: .
     
  14. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Just to say that I did a clean install of Windows 7 without any updates, software, etc and then installed Outpost Pro. The IGMP entries were blocked immediately, so it has to be an 'error' (although, as you say, the address is invalid, so it's not exactly harmful) with Windows 7. At least I know that it's nothing wrong with any software or malware sending out information. The alert for port 2869 appears every time I start Windows Media Player, so I've blocked it acting as a server :thumb: .
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    It is not just your machine, and it's not an "error" either. IGMP multicasts by default are quite common lately. People connect who-knows-which media devices (playstations, xboxes, ipods, etc) to their Windows boxes and share and automate all kinds of stuff (I have no experience with these consoles so I'm just babbling). So Microsoft obviously decided to have IGMP running by default for convenience.
    It would only be nice if they gave a straightforward and civilized way to stop this for users that have no use of IGMP.
     
  16. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    OK, I'm sure this can't be right. Just checked my Outpost log and I have pages and pages of the following:

    Capture.JPG

    It's literally every second. Am I being paranoid? Surely this is not normal behaviour.
     
  17. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    These blocked ICMPs are, I believe, port-unreachable (type 1 code 4 with ICMPv6) messages generated as a result of remote port 135 being blocked for one of the transport protocols (TCP, UDP). I have installed Outpost on a VM to check, and I see these 2 global rules -

    rpc111009.jpg

    If a TCP protocol was blocked, it would reply with a TCP packet (RST) instead of an ICMP message, so my guess is that the upper rule of the 2 I pointed out in the screenshot (Block incoming RPC (UDP)) is the culprit. If you are behind a router, you can try disabling the rule (#66 in the screenshot) and see if the ICMP entries in logs will disappear.
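
One way to test the guess in the post above against a captured packet, as an added example that is not part of the original thread: an ICMPv6 Destination Unreachable message carries a copy of the packet that triggered it, so decoding that copy shows whether the blocked traffic was UDP to port 135. The function names and the sample bytes are constructed for illustration, and IPv6 extension headers are not handled.

```python
import struct

ICMP6_DEST_UNREACH = 1        # RFC 4443 message type
CODE_PORT_UNREACH = 4         # RFC 4443 code: port unreachable
TRANSPORT = {6: "TCP", 17: "UDP"}


def explain_unreachable(icmp6: bytes):
    """Return the protocol and ports of the packet that triggered an
    ICMPv6 port-unreachable message, or None for anything else."""
    if len(icmp6) < 8 + 40 + 4:           # ICMPv6 hdr + IPv6 hdr + ports
        return None
    if icmp6[0] != ICMP6_DEST_UNREACH or icmp6[1] != CODE_PORT_UNREACH:
        return None
    inner = icmp6[8:]                     # copy of the offending packet
    if inner[0] >> 4 != 6:                # must be an IPv6 header
        return None
    next_header = inner[6]
    if next_header not in TRANSPORT:      # extension headers not handled here
        return None
    src_port, dst_port = struct.unpack("!HH", inner[40:44])
    return {"protocol": TRANSPORT[next_header],
            "src_port": src_port, "dst_port": dst_port}


def build_sample(next_header=17, dst_port=135, icmp_type=1, code=4):
    """Constructed test message (checksums left at zero, addresses made up)."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("fe80" + "00" * 13 + "02")
    ipv6 = struct.pack("!IHBB", 0x60000000, 8, next_header, 64) + src + dst
    udp = struct.pack("!HHHH", 49152, dst_port, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ipv6 + udp


if __name__ == "__main__":
    print(explain_unreachable(build_sample()))
```

A result with protocol UDP and destination port 135 would match the "Block incoming RPC (UDP)" rule being the source of the log entries.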
     
  18. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Thanks Seer!

    I am behind a router, yes. I seem to have made a little discovery since my last post, too. If I configure Outpost to start in learning mode, I don't get very many reports apart from the small surge of about 30 outbound IGMP blocks, which as you've explained is nothing to worry about. But, if I start Outpost and try to create rules myself, I seem to get many messages of blocked connections. Seems those two original messages in my first post about the two ports trying to act as HTTP servers aren't remembered by Outpost. Whenever I started my machine it would ask for these connections regardless of the fact that I'd already allowed the connection. Also, if I set Outpost to block these two connections, which I also did, upon restart I get asked again, so in the end I just allowed them :cautious: .

    In learn mode, I just let Outpost do its thing and many of the blocked connections seem to have disappeared. So long as this is 'normal' behaviour and not harming my privacy, then I'll not worry about it. I was just concerned that something malicious was trying to get in/out of my machine and I couldn't stop it.

    Once again, thanks for your time in explaining all this to me, although I still find it all quite baffling - I just can't seem to get my head around some of these firewall connections no matter how much I read and try to understand them.

    Cheers again, Seer :thumb:
     