Blocking Adobe Reader or BITS?

Discussion in 'LnS English Forum' started by pantezuma, May 18, 2010.

Thread Status:
Not open for further replies.
  1. pantezuma

    pantezuma Registered Member

    Joined:
    Apr 19, 2010
    Posts:
    14
    Hi to all.
    I've been testing LNS after my fresh install of Windows 7.
    Sadly I installed Adobe Reader 9 and blocked all its attempts to connect to Internet.
    A few seconds later, I noticed that I had some internet activity, so I discovered that Adobe Reader somehow uses svchost (maybe via BITS) to download its updates and LNS wasn't able to block it (I saw this via LNS interface showing me active connections).
    Is there a way to block this?
    I don't know that much about networking or BITS (I tried to find a way just to allow Windows Update connections using this service but wasn't able to).
    Thanks in advance for any help!
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    It might be using some other .exe to download; there was a change in the autodownloader. I doubt it is using BITS or svchost for downloading updates. Check other Adobe related .exe running or scheduled to run.
     
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
  4. pantezuma

    pantezuma Registered Member

    Joined:
    Apr 19, 2010
    Posts:
    14
    Hi to all.
    Thanks for your reply.
    Anyway I'm pretty sure of what I saw and being that I had previously blocked all Adobe apps and the network activity was due only to svchost, I'm really thinking that Adobe Reader uses BITS as a last resort to update itself.
    Please read following thread:

    http://forums.comodo.com/empty-t55882.0.html

    Anyway I'm not sure if blocking this kind of access is under the scope of LNS or Windows. I mean, if any software can use BITS to call home bypassing firewalls it's a problem.
     
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Try blocking AdobeARM.exe and see if you are prompted by LNS for access, as I think you will be.
     
  6. pantezuma

    pantezuma Registered Member

    Joined:
    Apr 19, 2010
    Posts:
    14
    I already did that and it didn't work.
    Even more, I blocked everything related to Adobe that asked my permission (putting LNS in advanced mode).
    I read somewhere that Adobe Reader first tries to update via AdobeARM.exe and if it fails it does it via BITS.
    I'm sure that the only network activity before I had the "New update notification" from Adobe was svchost's (it lasted for about 10 or 15 seconds).
    Anyway, I uninstalled this and went to a more reliable and simpler PDF reader... I don't need something that tries to connect to Internet all the time just to read PDFs... (I know I can uncheck automatic updates, but just don't feel comfortable with that kind of software).
    My question was directed to whether it is possible for a certain program to use BITS to avoid a firewall and if LNS was able to block this (even when this might be a MS flaw).
    Thanks anyway!
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I don’t use Adobe Reader, but don’t be fooled: just because updaters say something like ‘no updates available’, often they say this or something similar even when they fail to make a connection.

    Have the main adobe Reader application set with the deny attribute for allowing software that will connect (requires advanced mode enabled).


    Not sure why anyone would want to block Adobe Reader updates, Adobe Reader is one of the most known targeted applications existing today. They are constantly releasing vulnerability patches, which people shouldn’t put off.



    Regards,
    Phant0m
     
  8. pantezuma

    pantezuma Registered Member

    Joined:
    Apr 19, 2010
    Posts:
    14
    Hi!
    I know that a lot of apps report "No updates available" when they can't connect to their server.
    My point wasn't that I didn't want to update Adobe Reader. My point is that it did update itself even when I blocked all related applications in LNS and I'm pretty sure it did it using svchost.
    Maybe my English is not as good as I thought!
    I was worried by whether any software (call it Adobe Reader or whatever) can use BITS (svchost) to update itself or download stuff without the user's notice or consent.
    That's all I was worried about!!!
     
  9. no-idea4

    no-idea4 Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    12
    Location:
    usa
    I discovered the same behavior by Adobe about two months ago and it alarmed me so much I uninstalled it and switched to PDF-XChange PDF Viewer, which has its own issues, but at least I can control whether it connects out to internet. What if other software starts using Adobe tactics? I am no firewall expert but I have used LnS since the Becky forum days and I could not stop Adobe even after blocking every likely .exe associated with Adobe. The svchost and BITS thing now explains the situation to me.
     
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    That is strange, I also have Adobe and it certainly does not update without my say so.
     
  11. no-idea4

    no-idea4 Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    12
    Location:
    usa
    The behavior is: when you initiate update there is no LNS alert whether to allow it or not, and even after you have blocked DLLs and EXEs, update still connects. Granted, you have to initiate update.
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Like Cudni, I’ve never observed this.

    It would be interesting to see if you still get the same message when you have BITS service entirely disabled first. ;)
     
  13. no-idea4

    no-idea4 Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    12
    Location:
    usa
    If I remember correctly: I updated Adobe, got alert, clicked allow this session. I then removed Adobe from LNS applications allow list. Removed Adobe DLLs from LNS options. Went back to Adobe updater to check update prefs, got LNS alert, chose do not allow. Adobe seemed to connect, got response no updates available (so it could have been as you said, you may receive this response because Adobe couldn't connect). Blocked all likely Adobe EXEs, DLLs and initiated Adobe update. Adobe still seemed to connect. Removed Adobe completely from LNS applic, DLL list, rebooted, initiated Adobe update. Now no LNS alert and Adobe seemed to connect. Of course no updates were available because I had already updated. Uninstalled Adobe, did reg cleaning, folder removal etc., reinstalled Adobe and from then on when I initiated Adobe updater I no longer got any LNS alert box and Adobe seemed to connect and connections were in LNS log. This was version 9.1 or 9.2. Found situation alarming. Do not have expertise, just communicating that I experienced similar situation to original poster.
     
  14. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    What does that mean? Did it connect or not, what did you use to verify? LNS is a well accomplished firewall and if well configured will block almost everything. And certainly Adobe; not that there is any reason to do so in home environment.
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    There is another means to know for certain, from the Internet Filtering layer, place an outgoing www-http blocking with logging rule... If Application filtering layer fails to block Adobe updater, you’d see the requests to adobe updater server being logged on the Look ‘n’ Stop - ‘Log’ screen. ;)
     
  16. no-idea4

    no-idea4 Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    12
    Location:
    usa
    It means what I said. I am not certain it connected. I have used LNS for years and find it to be the best firewall for me. I have received much support from Frederic and Phant0m over the years and thought it might be something they with their extreme expertise might want to investigate. I am sure there is a way to block this behavior but I did not choose to investigate it. As to Adobe, I have no problem with them either. I did not want to get into a chirping match with you. I will post no more and reply no more to this topic. Over and out.
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    no-idea4, & pantezuma, thanks for posting your observations.

    Frederic will investigate this, he probably uses bulky Adobe Reader anyways. :)
     
  18. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Hey so do I ;)

    TH
     
  19. pantezuma

    pantezuma Registered Member

    Joined:
    Apr 19, 2010
    Posts:
    14
    Hey!
    Thanks to all for your concern.
    I remember exactly what I did first time.
    LNS was set to Advanced Mode and password protected with "Lock All" enabled.
    Suddenly I realized there was some internet activity (just after installing / running Adobe Reader and before disabling automatic updates on its interface).
    So I clicked LNS and saw the only active application was svchost.
    After a few seconds I received a message alert in Sys Tray telling me that the "New Adobe Reader update was downloaded and ready to be installed".
    As I had LNS password protected and with "Lock All" enabled I didn't receive any warning (later I blocked AdobeARM.exe and everything else, but nothing changed).
    If you google "adobe reader +BITS" or "adobe reader +svchost" you'll find some other posts like this and other users' worries about this issue.
    Again, I don't know if blocking this is under LNS scope or if it's Microsoft who should let the user configure BITS and set which applications are allowed to use it.
    Thanks again!:)
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Curiosity finally got the best of me... I installed Adobe Reader and investigated the Updater, it does appear to use BITS service (svchost.exe) if the original means fails to make a connection ... persistent bugger!!

    The SVCHOST.EXE is usually one of the first alerts you get when you first have installed Look ‘n’ Stop, if you would have denied that from the beginning, you wouldn’t have the leak. ;)

    Unfortunately Look ‘n’ Stop doesn’t give you much control to what can use the trusted applications that’s making the connection.

    If you want to block BITS support for all other applications, try configuring SVCHOST.EXE application filtering entry to deny TCP connections to IP address range outside of Microsoft.

    BITS is there, any product can use it, to ditch Adobe Reader because of its persistence to ensure user gets critical or otherwise .. updates ... is simply silly. ;)
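
The behaviour discussed in this thread comes from BITS performing the transfer inside svchost.exe, so a per-application rule only ever sees svchost; each BITS job does, however, record its owner account and remote URL. The following is an added example, not part of any post in the thread: it audits BITS jobs and flags hosts outside an allow-list. The function names, the allow-list and the sample jobs are assumptions constructed for illustration.

```powershell
# Added example (not from the thread): flag BITS jobs whose remote host is not allow-listed.
$AllowedSuffixes = @('.windowsupdate.com', '.update.microsoft.com')  # ASSUMED list, adjust it

function Test-AllowedHost {
    param([string]$HostName, [string[]]$Suffixes)
    foreach ($s in $Suffixes) {
        # Accept the bare domain or a true subdomain, never a look-alike prefix.
        if ($HostName -ieq $s.TrimStart('.') -or
            $HostName.EndsWith($s, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-BitsJobAudit {
    param([object[]]$Jobs, [string[]]$Suffixes = $AllowedSuffixes)
    foreach ($job in $Jobs) {
        foreach ($file in $job.FileList) {
            $uri = $null
            # An unparsable RemoteName leaves the host empty, which is reported as not allowed.
            $null = [System.Uri]::TryCreate([string]$file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)
            $remoteHost = if ($uri) { $uri.Host } else { '' }
            New-Object PSObject -Property @{
                DisplayName  = $job.DisplayName
                OwnerAccount = $job.OwnerAccount
                JobState     = $job.JobState
                RemoteHost   = $remoteHost
                Allowed      = (Test-AllowedHost $remoteHost $Suffixes)
            }
        }
    }
}

# Constructed sample objects using the property names Get-BitsTransfer returns.
function New-SampleJob($Name, $Owner, $Url) {
    New-Object PSObject -Property @{
        DisplayName = $Name; OwnerAccount = $Owner; JobState = 'Transferring'
        FileList = @(New-Object PSObject -Property @{ RemoteName = $Url })
    }
}
$sample = @(
    (New-SampleJob 'Constructed OS update job' 'NT AUTHORITY\SYSTEM' 'http://download.windowsupdate.com/constructed/file.cab'),
    (New-SampleJob 'Constructed vendor updater job' 'PC\user' 'http://updates.example.com/reader/patch.msp')
)
Get-BitsJobAudit -Jobs $sample | Where-Object { -not $_.Allowed } |
    Select-Object DisplayName, OwnerAccount, JobState, RemoteHost
# Live system, elevated prompt: Import-Module BitsTransfer
# Get-BitsJobAudit -Jobs (Get-BitsTransfer -AllUsers) | Where-Object { -not $_.Allowed }
```

With the constructed sample, only the job pointing at updates.example.com is listed; on a live system the same filter shows which account queued each non-allow-listed transfer.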
     
  21. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Persistent indeed. Does it not honour if its own update is deselected? What if the following key is placed?
    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockdown]
    "bUpdater"=dword:00000000
    
    Funny thing is I don't see such behaviour with Adobe Acrobat (standard or pro) nor is any other means of updating invoked
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I don’t know, the experiment was with the default install of the latest version or version they have listed on their official product website. Anything else would be irrelevant. ;)
     
  23. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Understood. Just one more question to clarify for me. You specifically denied access to Adobe reader, the best you could, and yet it accessed the net?
     
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    LOL! yes, I did it properly. :p Everything associated with Adobe was set to deny for both attributes on the Application filtering screen.
     
  25. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    well, if you didn't do it properly ;)

    It wasn't that, I find the whole thing a little bit disappointing as I think a firewall should be able to deny access to any app.
     