Is Firewall Working Correctly?

Discussion in 'Prevx Releases' started by pegas, Sep 29, 2012.

Thread Status:
Not open for further replies.
  1. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Hi,

    I have the firewall set to "Warn if any process connects to the internet unless explicitly allowed" and wanted to check how it works, ending up quite surprised in the end ...

    I chose the vlc.exe process (VLC player) under Network applications and changed it from Allow to Block. Afterwards I ran VLC player and triggered the update check, supposing that VLC wouldn't be able to connect to the internet because the connection rule was set to Block. However, to my surprise, VLC could check for updates.

    Am I missing something as regards the firewall rules?

    Is there any way I could properly check that the firewall blocks outbound connections for the blocked processes/applications?

    Thanks & regards,
    pegas

    P.S.: Sorry for the same post at Webroot Community but I know that not all wise brains from the Wilders are visiting Webroot Community :)

    EDIT: Strange ... I changed the firewall setting to "Warn if any new untrusted process connects to the internet", chose revouninstaller.exe for instance, changed it to Block and tried to check for updates of Revo Uninstaller, which ended up with the blocked connections message in Revo. So now it worked how I had supposed.

    However, I am missing an option to add my own process/application to block. Is there any other way to do that?
     
    Last edited: Sep 29, 2012
  2. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Thought everything's alright but ... blocked admunch.exe (Ad Muncher) and surprisingly AM connects to the internet. See below

    snap.JPG

    I am quite confused, can somebody shed more light on the firewall settings and how it should work?

    Thanks & regards,
    pegas
     
  3. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Hi pegas,

    It seems to be working for me as I Blocked Hitman Pro and it couldn't connect. I would suggest trying to block something else and replying back. As you know, WSA is only an outbound firewall, so maybe AM is only showing the inbound connections? I also posted the same at the Webroot Community forums!

    TH

    29-09-2012 6-10-46 PM.png 29-09-2012 6-11-05 PM.png
     
    Last edited: Sep 29, 2012
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Ad Muncher looks to be just communicating locally (over a local socket or similar connection) which is always allowed, otherwise it may break some applications.
     
  5. guest

    guest Guest

    Well that was one of the reasons I uninstalled

    This was one of the first things I checked
    and when I blocked something, it went right thru
    the firewall as if it wasn't even there :thumbd:
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you let me know what application you tried to block and what your overall settings are?
     
  7. guest

    guest Guest

    The program I tried to block was Total Uninstall 4

    as far as the settings go, I do not have WSA installed anymore
    but I went into the block function and directly blocked it
    as a test

    I didn't try it on other programs, I felt if one can get thru
    then my other firewall was doing a better job

    It seems like it's not just me by reading this thread
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not sure what Total Uninstall would actually access from the internet, but are you certain it wasn't just local socket traffic between its processes? If you re-read pegas' posts, it was working normally - you may just need to modify the overall firewall settings as it wouldn't apply a block operation when the overall configuration wouldn't apply.
     
  9. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    It doesn't block local connections...
    127.0.0.1 <-> 127.0.0.1 is a local connection...
    So if you have a global proxy set in Internet settings and the proxy is running on the local machine (Tor, Privoxy, etc), a program that uses MSHTML or checks system settings will always be able to connect to that proxy...
    Then since the proxy isn't blocked, the program will have access to the internet.
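
Added example (not part of any post in this thread): one way to check from a connection listing whether a blocked program still reaches the internet, either directly or through a local proxy as described above. The table is a constructed sample in the column layout of Windows `netstat -ano`; the process names, PIDs and addresses are hypothetical.

```python
import ipaddress

# Constructed sample (not a real capture): Proto, Local, Foreign, State, PID
NETSTAT = """\
  TCP    127.0.0.1:8118      0.0.0.0:0           LISTENING    2204
  TCP    127.0.0.1:49731     127.0.0.1:8118      ESTABLISHED  3120
  TCP    127.0.0.1:8118      127.0.0.1:49731     ESTABLISHED  2204
  TCP    192.168.1.20:49733  203.0.113.10:443    ESTABLISHED  2204
  TCP    192.168.1.20:49740  198.51.100.7:80     ESTABLISHED  4012
"""
PID_NAMES = {2204: "privoxy.exe", 3120: "blockedapp.exe", 4012: "otherapp.exe"}
BLOCKED = {"blockedapp.exe", "otherapp.exe"}  # programs set to Block (hypothetical)

def split_endpoint(ep):
    # Handles "1.2.3.4:80" and bracketed IPv6 such as "[::1]:80"
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port)

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # skip headers, UDP rows and blank lines
        rows.append({"local": split_endpoint(f[1]), "remote": split_endpoint(f[2]),
                     "state": f[3], "pid": int(f[4])})
    return rows

def is_loopback(host):
    return ipaddress.ip_address(host.split("%")[0]).is_loopback

def audit(rows, names, blocked):
    listeners = {r["local"][1]: r["pid"] for r in rows if r["state"] == "LISTENING"}
    est = [r for r in rows if r["state"] == "ESTABLISHED"]
    goes_out = {r["pid"] for r in est if not is_loopback(r["remote"][0])}
    findings = set()
    for r in est:
        name = names.get(r["pid"], "?")
        if name not in blocked:
            continue
        host, port = r["remote"]
        owner = listeners.get(port)
        if not is_loopback(host):      # block rule is not being enforced
            findings.add((name, "direct", f"{host}:{port}"))
        elif owner not in (None, r["pid"]) and owner in goes_out:
            findings.add((name, "relayed", names.get(owner, "?")))  # local proxy path
        else:                          # plain local socket traffic
            findings.add((name, "local-only", f"{host}:{port}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_netstat(NETSTAT), PID_NAMES, BLOCKED):
        print(*finding)
```

A "relayed" result means the block has to be placed on the proxy process as well; "local-only" is the loopback traffic the firewall always allows.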
     
  10. guest

    guest Guest

    no, it went on the internet for updates
    it would not have known about an update
    if it could not connect to the internet

    I plainly block it and it was the first program
    I tried with to see if it could make it thru the firewall

    I don't let any program or anything connect unless "I"
    see a need for it to, this is my first requirement of any
    firewall or the outgoing protection of it
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It could be using an external process to download its update - I haven't used it so I'm not sure. You can, however, use another firewall alongside WSA if you really want to block it differently, but you may want to just try again and configure WSA to prompt for untrusted processes.
     
  12. guest

    guest Guest

    Like I said I don't have it installed anymore
    but I know before I did this firewall test I configured
    it to let me know if any processes tried to connect
    or at least the best I understood it I did
     
  13. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    The WSA firewall is primarily for security purposes and works very well when used as intended. If you're trying to use it as a primary firewall, that's not as intended. I suppose if you didn't want to use WSA for its AV properties, then trying to use it as a firewall is just silly. But if you normally would use it for AV properties, and uninstalled it because you aren't using the firewall as it's meant to work, well that's silly too. :)
     
  14. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Thx Daniel & Joe for the valuable information :thumb:

    I disabled/blocked a few other applications to see whether they could connect to the internet and it turned out that they couldn't connect, so they were blocked by WSA for the outbound connection. However, some of the applications had to be closed and restarted for the block to take effect.
     
  15. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Have a question though about trusted and untrusted processes.

    If I understand correctly, WSA determines processes based on behaviour and cloud heuristics. However, let's imagine that a process XY is trusted by the cloud but in my case I don't want that process to connect to the internet. Yes, I know that I can change that process to Block but it is too late. Therefore, is there any way WSA could prompt me to decide if I want to allow or block even a process trusted by the cloud? In fact I mean to override the access rule imposed automatically by WSA at the first outbound connection.

    Thanks & regards,
    pegas
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    This setting would do as you ask but you would have to remove all entries under View Network Applications and start over and you should get a warning for every process that tries to connect. For a test I removed Firefox, Outlook, Opera and all were blocked until I allowed via a Pop-up.

    TH

    30-09-2012 7-36-56 AM.png 30-09-2012 7-51-00 AM.png
     
  17. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Thx TH :thumb: That's what I meant. Yeah, it could be quite lengthy to get through all the default Windows processes. Nevertheless, having this option of deleting all processes and starting from scratch gives me a hundred percent control over all outbound processes.
     
  18. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    I'm going to post this here as well as I did at the Webroot Community Forums. Just to add, looking at this closer, I would like to see the countdown removed because I don't believe in auto-allow; it should wait for user interaction!

    TH
     
  19. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Joe, can you kindly elaborate on which firewall settings you mean and how to modify them?
     
  20. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    Hi Joe,

    While I am grateful to TH for pointing me to the firewall setting which would give me complete control over the outbound traffic (Warn if any process connects to the internet unless explicitly allowed), do you recommend removing all automatically made entries and starting from scratch? I ask on purpose, as there are dozens of legitimate Windows processes, all of which have to be set to Allow to get through, and I don't want to screw up my PC :D

    Thanks & regards,
    pegas
     
  21. guest

    guest Guest

    OK, I did go check "Warn if any process--unless explicitly allowed"
    and then went to "View Network Applications" and Blocked "Total Uninstall 4"
    and it still went right thru the firewall

    also the poster that thought I was silly to think an outgoing firewall should block an outgoing connection, well, I guess your idea is a little different from my idea of what an outgoing firewall should do o_O o_O o_O
     
  22. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    You don't need to remove all, only the ones you want control over, and they are all checked with the Webroot Cloud Database anyway. The biggest reason is to stop malware calling home or downloading other files and exes.

    TH
     
  23. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    We have told you to continue to use LNS with WSA as I do because they work together very well with no issues.

    TH
     
  24. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    OK, does it mean that even if I remove all entries and I do a scan afterwards, all the processes will be back? If so, what happens with processes I would have blocked or removed, will they be overwritten back to Allow?
     
    Last edited: Sep 30, 2012
  25. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Again, I just did a test and Blocked Firefox & Opera and did a scan and they were still Blocked, so to be Allowed it needs user interaction. :thumb:

    TH


    Firefox
    Capture30-09-2012-12.04.08 PM.jpg
    Opera
    Capture30-09-2012-12.05.26 PM.jpg
     