Jetico fw. Access to network requests - from apps that should never need a connection

Discussion in 'other firewalls' started by birdofprey, Aug 24, 2007.

Thread Status:
Not open for further replies.
  1. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    I couldn't reply to this thread so I'm quoting from it.
    Why would any parent processes request/need access to network ? :( o_O

    I'm asking this because I just stopped using my app launcher because I thought it was requesting access to network in order to call home through my browser. It never attempted to send packets directly though. And when I blocked it, my browser couldn't get a connection anymore. So how can I check whether my launcher is really a trojan or not ? Or how can I check whether it tries to pass information to firefox ? I really miss the program.:(

    One more question, does this "network" include 127.0.0.1 as well ?

    Thank you :)
     
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello there :)

    This is a HIPS feature, has nothing to do with actual network connections. Basically, "access to network" is a warning on POSSIBILITY of a process to do network connections through a parent process.
    Jetico will warn on any subsequent network connections on IP address as well as the port number. There is nothing to worry about, your app launcher is connecting only if there is a warning on "network connections" (network activity table rule).

    I agree that this is not the happiest solution from Jetico developers (a bit too paranoid).

    Cheers.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi birdofprey,
     
  4. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    By definition I'd say... It's a warning on a possibility. But isn't that enough ? I mean if it's possible... some program might do it.

    Ok so the launched program will do a connection through the parent app? I thought it was the other way around.

    Thanks for the quick answer but I still have no answer on my question: Why would any parent processes request/need access to network ? What's the mechanism behind this ?

    I didn't say I'm dissatisfied with the feature, I only wish I'd understand it completely. And after I closed my app launcher, everything went back to normal... I think...

    If that's true, and it really can't use a trusted app through this "access to network" thing to broadcast instead of it... then I'll start using the program right away.
     
    Last edited: Aug 24, 2007
  5. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    Hi everybody and thanks !

    Stem, you shed some light on things. I still have a few other questions though, cause I simply don't see how that "thus" fits into your post.

    Why ? HOW ? What's the mechanism/logic behind this ?

    Is x a parent or a sibling ? Does it even matter ?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi birdofprey,
    If for example, the parent of the browser is a "bad" application, then the "bad" application could attempt connections via the browser. Jetico looks at the chain of events, so if you block the "bad" application, it will then block the browser (until the "bad" app is terminated/out of memory)
     
  7. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    Oh ! I see. So it's not a system/background thing. It's just Jetico being smart enough to... but wait a minute, what's a bad application ? Those I chose not to allow to gain "access to network", right ? So if they can't access the network, then there is no "chain of events"... and no need to block my browser unless, Jetico is not really able to deny access to the network and has to deal with the problem this way instead. If this is true, then this is really not the happiest solution at all, and have to say I am disappointed. Is v2 better ?

    Btw. In short could somebody tell me how v2 is better than v1 ? After I decided to switch from Sunbelt Kerio, I tried LnS, Comodo, and it seemed to me that I'd be happy with Jetico v1... I hope there aren't any more surprises like this, are there ?
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    In Jetico v1, changes of hashes (i.e. an application is updated) may be a nightmare: new rules are created and the old ones don't disappear. The best solution (IMO)? Build tables for each application.
     
  9. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    Thanks for the warning lucas1985 and yeah, power to the imagination ! :)

    I assume that my speculations in my previous post are correct... :(

    Anyhow I slept over things and I realised this morning that I still don't have the whole picture :)
    ...but only for this current process. The reason behind mass blocking is a Jetico "feature" :D Right ?

    Now, this app launcher of mine, has no auto-update feature so it never asked for any direct connections. So let's focus on indirect connection attempts. I still don't get why the parent process gets involved in this in the first place.

    If iexplorer is in need of a socket, how does explorer get into the picture? Another Jetico feature ? Or is it the way windows works ?
     
  10. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    Ok maybe I bored you to death with my endless questions and I appreciate the fast replies from you all but, I'm still here wondering about what's really going on. Maybe someone who understands things better could ask the right questions for me...
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm not bored (if you were referring to me) by your questions :)
    I don't know the inner workings of Jetico.
    Maybe asking in the official forums may help you further.
     
  12. kr4ey

    kr4ey Registered Member

    Joined:
    Aug 13, 2006
    Posts:
    187
    Location:
    Florida USA
    Yes. In Jetico your computer is direct and indirect access to network, so anything that needs access to your computer will alert you. If you block it, it won't work.
    Direct and indirect access to network is not the same as network activity in Jetico. Network activity is for your outbound and inbound network (Internet).

    Very good explanation.

    Been using Jetico for years and I never saw any surprises. It's the way Jetico works.
     
  13. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    I wasn't referring to anybody actually... :) I guess it's sort of a linguistic barrier thing :)

    That forum is a good idea. THANKS!
     
  14. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    kr4ey, thanks for your effort, but you really don't need to quote a previous post. Yes, Stem's answer was great, and it helped me get further but not far enough. I read it. I got it. I quoted from it myself.

    But to you that means probably more than to me... cause you know more about it, and the rest around it, I mean the topic. When you probably look at it, you see something you know by heart, I on the other hand see new information, and something more... that there's something still missing from it. I tried to figure what, hence these questions, but it seems they don't inspire you the right way. I mean, as far as I see, from your point of view, I have all the answers I needed... unfortunately that's not true. Anyhow, again, I appreciate you tried, it's all you can do. I on the other hand will have to dig deeper. Until then, I'll just click allow :)
     
  15. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    My English is bad, so I hope you understand me

    "Access To Network" allows the program to connect to the trusted zone , "use" global rules and connect indirectly. For direct connection attempts the program needs "Access to Network" + a rule allowing inbound/outbound connections from/to the specific Port and Address.

    Example:
    A) myprogram.exe attempts to connect to www.example.com (123.456.789.1:80)
    1) "Access to Network" for myprogram.exe
    2) "Outbound connection" to 123.456.789.1, Port 80

    B) myprogram.exe calls Internet Explorer to open www.example.com (Indirect attempt)
    iexplore.exe www.example.com
    1) "Access to Network" for myprogram.exe
    2) If you don't have rules for iexplore.exe Jetico will prompt you about "Access to Network" and "Outbound Connection" to 123.456.789.1, Port 80, for iexplore.exe.
    However if you use Internet Explorer usually you already have rules allowing access to network and outbound connections to Any IP, Port 80. In that case the only prompt you will get is "Access to Network" for myprogram.exe
     
  16. kr4ey

    kr4ey Registered Member

    Joined:
    Aug 13, 2006
    Posts:
    187
    Location:
    Florida USA
    No problem. Just trying to give an easy example of how Jetico works.
    When I first started using Jetico it was hard to figure out.
    But, IMHO it is one of the best firewalls. And that goes for both versions.
     
  17. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    I think Jetico attempts to intercept some "OLE Automation" attempts. However the detection is not very reliable and there are some false positives. Comodo 2.3.* had this problem too but it was more frequent and easier to notice as the scared users were receiving constant prompts about an application hijacking another.
    Also take into consideration that some attacks may trigger an "Access to Network" prompt.
     
  18. birdofprey

    birdofprey Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    10
    Oh no ggf31416, I got that part already ! :)) I mean your first post said nothing new to me, and I can't do anything with your second one, since you're not sure about it, but again thanks for at least trying.

    kr4ey, I used a rule based firewall before trying out Jetico, so I can't complain, and I'm getting used to it. And yes, it seems to be one of the best, I like it... and am not alone. But again, I got what you explained from the previous posts already...

    I'm starting to hate to let you down like this. I'll try those forums and fill in the blanks myself, I'm sorry if I'm not clear enough, really.

    Again, thank you.
     
  19. kr4ey

    kr4ey Registered Member

    Joined:
    Aug 13, 2006
    Posts:
    187
    Location:
    Florida USA
    OLE/COM communications, process code/memory modifications were
    just implemented in newest version of Jetico 2 and I have not seen any
    attempts of hijacking or false positives. And no attacks that trigger access to network prompts.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi birdofprey,
    You would need to take time to look into windows sockets (winsock), its extensions and implementations, (as example, with the winsock extensions, the winsock API is integrated with windows messages). You would also have to look at (one example) thread creation, which could be classed as local sockets, which is all caught up into the windows API.
     
  21. wat0114

    wat0114 Guest

    This does not mean myprogram.exe actually connects to 123.456.789.1, port 80 does it? iexplore.exe connects to it, with myprogram.exe somehow influencing iexplore.exe as a parent process, correct? I'm new to this fw so I am still trying to come to grips with how these "access to network" and "indirect access to network" rules work. I know the indirect access to network has been a bone of contention in the official Jetico forum.
     
  22. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Your sig shows you are using Jetico 2. I'm using Jetico 1. Can you cite the advantages for 2 over 1?

    ....................... (pause) ...........

    Yeah, you're right: lazy question. ( :) )

    So I loaded the latest version of Jetico 2 and it seems nice, more robust and thorough than JPF 1. It's clean, simple, no-frills (with commensurately less drag on resources). So far so good.

    //
     
    Last edited: Aug 29, 2007
  23. Vulcan_

    Vulcan_ Registered Member

    Joined:
    Sep 1, 2007
    Posts:
    11
    Stem, I have some quick questions about JPFv1. Could you confirm this information below and correct any inaccuracies. I think this information would help some people to understand which windows processes can be tamed, without worry of dialing home to Microsoft.

    JPFv1 definitions:

    "local sockets" = 127.0.0.1/loopback, all local ports that do not attempt an outbound connection to an external IP.

    "access to network" = 127.0.0.1/loopback, all local and remote ports including outbound connections to external IP.


    Assuming this is accurate, most "system applications" (windows processes) can be configured to "local sockets" in most rules. This would restrict those windows OS processes from outbound connections, but not cause JPFv1 to block traffic of other programs that have dependencies on system processes.

    Programs like DU meter should therefore be configured to "local sockets" instead of "access to network".

    One other question I had, which I may have missed in the 30 page Jetico thread. Does JPFv1 HIPS correctly scan applications using proxies over 127.0.0.1 such as Tor/Privoxy/Vidalia ?

    Vulcan
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I would be interested to see how you can create a rule with such an event.
    This basically allows access to any open rule within the ruleset (including the trusted zone). Any application attempting direct internet connection (not allowed within the ruleset) would cause a popup.
    Please post a screenshot of a rule where the "Event" is "local socket"
    I am not completely sure what you mean by this.

    With default installation of Jetico the localhost(loopback) is added to the trusted zone, if a localhost proxy is in use then any application with access to network can access the trusted zone, therefore access the localhost. To correctly protect from this, you would need to remove the localhost entry from the trusted zone (and block the jetico configuration wizard (fwsetup.exe) from "access to network", so that this will not be automatically added again). You would then set up rules (or a ruleset) to give access to the applications for the localhost.
     
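    The decision logic the thread circles around can be pinned down in a few dozen lines. The model below is an added example written for this page, not Jetico's own code or configuration format: it reproduces the behaviour described in ggf31416's worked example (post 15: a direct connection needs "Access to Network" plus a matching Network Activity rule; an indirect one is the launched browser connecting under its own rules), Stem's chain-of-events explanation (post 6: blocking "Access to Network" for a parent blocks connections of the processes it launched, until the parent has exited) and Stem's warning about the loopback address sitting in the Trusted Zone (post 24: with a localhost proxy such as Privoxy listening, any application that merely has "Access to Network" can reach the proxy and therefore the internet). Assumptions, labelled as such in the code: the address 203.0.113.10 is a documentation-range stand-in for www.example.com, port 8118 is the assumed Privoxy listener, Network Activity rules are taken first-match in table order, and a process whose parent has exited is modelled as having no parent.

```python
"""Toy model of Jetico v1's two-level connection decision (added example,
not Jetico code). A connection is allowed only if (1) every process in the
live parent chain holds "Access to Network", and (2) the destination is in
the Trusted Zone or a Network Activity rule for the connecting process
allows it. Anything without a verdict is a "prompt" (a popup)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

ALLOW, BLOCK, PROMPT = "allow", "block", "prompt"


@dataclass
class Proc:
    """A running process. parent is None for a root process or once the
    launcher has terminated (assumption: exited parents drop out of the chain)."""
    name: str
    parent: Optional["Proc"] = None

    def chain(self):
        """Yield this process and its live ancestors, innermost first."""
        p = self
        while p is not None:
            yield p
            p = p.parent


@dataclass
class ActivityRule:
    """One Network Activity table entry: app, remote IP ("any" or exact),
    remote port (None = any) and the action to take."""
    app: str
    ip: str = "any"
    port: Optional[int] = None
    action: str = ALLOW

    def matches(self, app: str, ip: str, port: int) -> bool:
        return self.app == app and self.ip in ("any", ip) and self.port in (None, port)


@dataclass
class Policy:
    access: dict = field(default_factory=dict)   # exe name -> ALLOW/BLOCK; absent -> prompt
    rules: list = field(default_factory=list)    # ActivityRule, first match wins (assumption)
    trusted_zone: set = field(default_factory=lambda: {"127.0.0.1"})  # Jetico default per post 24


def decide(policy: Policy, proc: Proc, ip: str, port: int) -> Tuple[str, str]:
    """Return (verdict, reason) for proc opening a connection to ip:port."""
    # Step 1: the HIPS-style grant. Every live process in the chain needs it,
    # which is why a blocked launcher blocks the browser it started.
    for p in proc.chain():
        verdict = policy.access.get(p.name, PROMPT)
        if verdict != ALLOW:
            where = "itself" if p is proc else "in its parent chain"
            return verdict, f"Access to Network is '{verdict}' for {p.name} ({where})"
    # Step 2: Trusted Zone destinations need no Network Activity rule at all.
    if ip in policy.trusted_zone:
        return ALLOW, f"{ip} is in the Trusted Zone"
    # Step 3: the packet-level rule; no match means a popup.
    for r in policy.rules:
        if r.matches(proc.name, ip, port):
            return r.action, f"rule {r.app} {r.ip}:{r.port or 'any'} -> {r.action}"
    return PROMPT, "no matching Network Activity rule"


EXAMPLE_IP = "203.0.113.10"   # constructed: stands in for www.example.com
PROXY_PORT = 8118             # assumed: local Privoxy listener


def base_policy() -> Policy:
    """Constructed baseline: shell and browsers already have their usual rules."""
    return Policy(
        access={"explorer.exe": ALLOW, "iexplore.exe": ALLOW, "firefox.exe": ALLOW},
        rules=[ActivityRule("iexplore.exe", "any", 80), ActivityRule("firefox.exe", "any", 80)],
    )


def direct_attempt() -> Tuple[str, str]:
    """Post 15, case A: myprogram.exe connects itself; grant alone is not enough."""
    pol = base_policy()
    pol.access["myprogram.exe"] = ALLOW
    launcher = Proc("myprogram.exe", Proc("explorer.exe"))
    return decide(pol, launcher, EXAMPLE_IP, 80)


def indirect_attempt(launcher_access: str) -> Tuple[str, str]:
    """Post 15, case B / post 6: the browser launched by myprogram.exe connects."""
    pol = base_policy()
    pol.access["myprogram.exe"] = launcher_access
    browser = Proc("iexplore.exe", Proc("myprogram.exe", Proc("explorer.exe")))
    return decide(pol, browser, EXAMPLE_IP, 80)


def after_launcher_exit() -> Tuple[str, str]:
    """Post 6: once the blocked launcher is out of memory, the browser is free again."""
    pol = base_policy()
    pol.access["myprogram.exe"] = BLOCK
    return decide(pol, Proc("iexplore.exe", parent=None), EXAMPLE_IP, 80)


def loopback_proxy(fix_trusted_zone: bool) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Post 24: with 127.0.0.1 in the Trusted Zone, a program that only has
    "Access to Network" reaches the local proxy. The fix removes loopback from
    the zone and grants the browser an explicit rule (and, per post 24, keeps
    fwsetup.exe from re-adding the entry; not modelled here)."""
    pol = base_policy()
    pol.access["myprogram.exe"] = ALLOW          # no Network Activity rules for it
    if fix_trusted_zone:
        pol.trusted_zone.discard("127.0.0.1")
        pol.rules.append(ActivityRule("firefox.exe", "127.0.0.1", PROXY_PORT))
    launcher = Proc("myprogram.exe", Proc("explorer.exe"))
    firefox = Proc("firefox.exe", Proc("explorer.exe"))
    return (decide(pol, launcher, "127.0.0.1", PROXY_PORT),
            decide(pol, firefox, "127.0.0.1", PROXY_PORT))


if __name__ == "__main__":
    print("direct, grant only:        ", direct_attempt())
    print("indirect, launcher blocked:", indirect_attempt(BLOCK))
    print("indirect, launcher allowed:", indirect_attempt(ALLOW))
    print("after launcher exited:     ", after_launcher_exit())
    print("loopback in Trusted Zone:  ", loopback_proxy(False))
    print("loopback removed + rule:   ", loopback_proxy(True))
```

    Run stand-alone, the script shows the three points that were contested above: the launcher's own connection still prompts even with "Access to Network" granted, the browser's connection is refused while a blocked launcher is its live ancestor and is allowed again once that launcher is gone, and in the default configuration the launcher reaches 127.0.0.1:8118 with no Network Activity rule at all, whereas after loopback is removed from the Trusted Zone only the process with an explicit localhost rule gets through.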
  25. Vulcan_

    Vulcan_ Registered Member

    Joined:
    Sep 1, 2007
    Posts:
    11
    I'll probably end up re-installing JPFv1 in a couple of days. When I tried out JPFv1 a few days ago, I restricted most windows process dependencies required for Mozilla Firefox to "local sockets". I was successful in passing most web browser traffic with that configuration. From what I recall Jetico's documentation for JPFv1 does not explicitly define what are considered "local sockets". This was why I hoped you might have a better understanding of what the firewall allows under that configuration.

    "local sockets" is not selectable from "Event" alert messages, but it is a selectable option if you manually configure a rule for an individual process from the Firewall tree.

    Thanks,

    I don't have JPFv1 installed at the moment, but hopefully that sheds some light on how to correctly configure JPFv1 rules with Tor/Vidalia/Privoxy.
     