Application filtering - can't make it work?

Please forgive my simple question, I just installed L'n'S, it's getting a little bit late and I can't seem to find how to get Application filtering working.

Background:

- XP SP2 (no security center, no MS fw), all patches
- Connection via Ethernet LAN, static ip 10.0.0.1 -> dsl router (10.0.0.13 -> WAN (public IP, so my router does NAT)
- L'n'S 2.52p2 with d1 lnsfw1.sys drive (to stop latest outbound attacks)
- Phantom v6 rule set

My LnS GUI reads as follow (I rather not post million of screen shots):

Welcome tab
- Connected (ticked with a greyed out mark) IP address: 10.0.0.1 (this is my active Ethenet adapter through which I connect)
- Statistics show outbound and inbound packets correctly (they increase as I use the net)

Application Filtering Tab
- Application filtering enabled (ticked)
- No application rules yet defined (List of apps is empty)
- List of Active applications is empty (does not get activated at all)

Internet filtering
- Internet filtering enabled (ticked)
- Phantom_v6_rule_set.rls (active)

LOG tab
- Log showing system access to my printer (10.0.0.20), my DNS servers and some blocked inbound activities

Options TAB
- Network intefaces: Intel PRO/1000MT .... 10.0.0.1 (ticked) (this is my active adapter connected to my router)
- Automatic selection: OFF (not ticked)
- Automatic Start: NONE (I have the service starter beta installed)


Now the problem.

I can use any and all applications to connect to Internet and LnS will not stop to ask for permission about their connection.

I have Application filtering enabled, but there must be some switch somewhere that I'm overlooking.

So, application filtering is not working with my setup and all software on my machine can access network any which way they want.

Any tips or check lists for me?

Thanks!

 

Hi halcyon,

Sometimes there is a problem with the load order of the application filtering driver.
Try the following patch:
http://looknstop.soft4ever.com/Tools/LnSRegPatch.exe

Regards,

Frederic

 

Before doing that - could you please contact Phantom here - he is trying to get a full solution for that problem

http://www.fluxgfx.com/ssc/index.php?

Ruben

 

I've conctacted Phant0m and I'm waiting for reply.

I'd really like to get the thing working asap though

I'll wait a while and then I'll run Frederic's patch.

Thanks for the tips.

regards,
halcyon

 

Hi halcyon

Please see http://www.fluxgfx.com/forum/viewtopic.php?t=6

 

Thanks Phant0m. I've sent you the files generated by the utility.

I then applied Frederic's patch (sorry, can't wait anymore) and rebooted.

Application filtering seems to be enabled now.

Time to start testing.

Thanks for the quick help, all of you!

cheers,
halcyon

PS BTW, what do I do now that I've authorized an application with Direct Network access and it still can't contact (or receive reply) from the Net? The software in question is Teamspeak client, which tries to contact a server at port 8767 and then fails (apparently due to not receiving a reply, although server is up and running).

 

Thanks, I had looked it over, and I'm not telling you something you don't already know, but it is a Driver Loading anomaly.

Loaded driver \SystemRoot\System32\Drivers\lnsfw1.SYS
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys

lnsfw1.SYS suppose to be loading up after the tcpip.sys and not before it...

I think Look 'n' Stop should come bundled with official checking mechanism, this problem been going on long enough...

That is just my opinion however....

 

Agreed, even though I don't have a problem. Maybe for the next version.

What does this patch actually do, and what happens if you apply it to a configuration that already works ?

I ask because if it doesn't affect configs that already work, then the patch could be incorporated into the LnS release without to much effort.


Phant0m - From your investigations, is this Application Filtering problem always related to the LnS driver loading before the TCP/IP driver ?

 

If you run the patch on systems with Application-filtering functioning, I do believe it’ll just update anyways.

Patch is available so that those who doesn’t encounter the problems will have driver loading speedy, applying the patch will increase its driver loading.

The driver loading issue are linked issue with Application-filtering not functioning.

 

There is some other information in this thread:
https://www.wilderssecurity.com/showthread.php?t=50745&highlight=grouporderlist

And especially this:

The Lnsfw1 service is using a DependOnService set to Tcpip, so according to Microsoft documentation, lnswf1 should be started after Tcpip.
The root cause issue is there, I don't understand why this is not working on some PC.​

I really don't understand why lnsfw1.sys can start before tcpip.sys since the DependOnService is correctly set.

But anyway, yes, you're right, a solution has to be provided, even if this is not working as expected (I was only hopping to find an obvious fix about this problem, which would avoid the handling of a new tag).

Frederic

 

This is probably unrelated, but the things that differentiate my installation from a typical sp2 installation are as follows:

- Installation of MS KB 884020 tcpip.sys driver (v. 5.1.2600.2505)
- Patching of tcpip.sys (with XP-Antispy) from 10 to 50 connections

I don't think this should change the load order, but just so that you know.