Kerio 2.1.5 - how to stop trusted sites accessing the internet?

Discussion in 'other firewalls' started by Bob2000, Aug 2, 2008.

Thread Status:
Not open for further replies.
  1. Bob2000

    Bob2000 Registered Member

    Joined:
    Jul 21, 2008
    Posts:
    27
    My hardware set up is three p.c.s running XP Pro, all linked to one 3Com OfficeConnect ADSL Firewall Router.

    My firewall is Kerio Personal 2.1.5. I am using Kerio's Microsoft Networking tab to protect use of NetBios so that the p.c.s can share files/printers.

    On one p.c., I am trying to configure Kerio to stop some Adobe programs (yes, they ARE legitimate) from accessing the internet without my knowledge. Unfortunately, Windows sees these programs as trusted applications and so permits them to use svchost.exe as a path, which circumvents firewall control. I don't know which IP the Adobe programs contact.

    Does anyone who uses Kerio to overcome the same problem have a screenshot of their Kerio Filter Rules that I could copy, please?
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    If it's Svchost that's doing the actual outbound connection/traffic, then you'll need to know the destination IP address(es). There is no other way to stop it, as Svchost connects out for other reasons, and on various ports. See if you can find out the destination IP. You might set up logging on Svchost.Exe and then run your Adobe program or whatnot and see if it triggers the outbound traffic. Then check the logs for IPs. Also, be aware that many apps use more than one destination IP for such traffic, sometimes many. But there is no easy or simple way other than to find the IP and block that.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    You can also take a look through the stickies at the top of this forum for help.
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    In my personal experience I have found that svchost.exe only needs to connect to your ISP's DNS server for DNS requests.

    I am using Comodo 3 and in my setup svchost.exe is only allowed to connect to my ISP's DNS servers' IPs at port 53; all other connection attempts to other places are BLOCKED and my pc hums along quite nicely.

    From memory Kerio has very limited configuration abilities for individual programs, whereas with Comodo 3 you can set up different packet filtering rules for every individual program.

    So to this day I still wonder why there are people here who still prefer to use Kerio 2.1.5?? with its limited configuration abilities??
     
    Last edited: Aug 2, 2008
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Some people plain want a firewall and not HIPS. ;)
     
  6. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    Good point.

    The annoyance is when HIPS applications are named like Firewall programs.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Actually, as a traditional firewall or packet filter, Kerio 2 has very good configuration capabilities for apps: you can control everything as far as ports, addresses, local and remote, logging on a rule by rule basis, and much more. When you start injecting HIPS type features, as in the case of Comodo, then you wind up with something other than what I would call a "firewall", but I suppose that is the trend today. Kerio 2 was one of the best rule based firewalls and rule making GUIs, a classic; that's why people loved it, and many still use it on the older OSes.
     
  8. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    If you had Nirsoft's 'Curr Ports' Bob I wonder if you could see Adobe's attempts - or for instance in 2.1.5 I use the rule,

    Block Leaktest.exe
    UDP/TCP
    Application Leaktest.exe
    Any Port - Any addy
    4.79.142.200

    That's to stop Steve Gibson's (GRC) Leaktest from accessing the net but I use that rule for many others so long as I have managed to get their individual IP addy via Curr Ports.
    Otherwise I would try nearly the same via only using the Adobe name but it may be using another name to call home which Kerodo's log idea might produce - you really could do with the IP addy.
     
  9. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I agree with Arran. The best way is blocking svchost.exe. I usually block it completely and I have individual rules for the DNS for the applications that I want to, i.e. the browser, the av update, the email client and very few others. Naturally, I don't use Windows Update, I prefer to download manually security updates that I need.
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum


    No, it's not. On Windows XP svchost doesn't need to connect out, not even for DNS (DNS can be handled by apps themselves). So why use a firewall to block it, when you can stop the comm attempts by disabling (unneeded) Windows features?

    I use Adobe apps (PS, Illustrator, Acrobat & InDesign CS3 currently) on a daily basis and have never noticed them using svchost for calling out. There is the "auto-check-for-updates" feature, yes, but you can disable it from within Adobe apps.
    If you don't mind, can you please post a screenshot (or something similar) showing these attempts?
     
  11. wat0114

    wat0114 Guest

    From my experience I have found that svchost is a sneaky SOB, even with auto updates and dns client disabled.
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe


    On Windows XP svchost - as wat0114 also said - always tries to connect to the internet. Svchost does not depend on a single service, but on a multiform group of processes related to DLLs. Moreover, most firewalls have it allowed by default, so anyway you need to block it.
     
  13. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum


    Always? Well, you need to be specific here, as it certainly does not try that "always".

    "Processes related as DLLs" are Windows services, as the name of the host implies (svchost). If you have a service calling out and you don't want it, you can simply disable the service. There are exceptions, but certainly not on http comms.

    I'm on Vista now for more than a year (and this does connect very differently from XP) but if memory serves, XP's svchost (on default installation) could be easily controlled without a firewall. I mean, except for controllable MS stuff (Windows services - DNS, Updates, NTP...) svchost did not make any suspicious unwanted comms by itself. I have never had a "block" rule in my firewalls regarding svchost, this is pretty much certain. A 3rd party service injecting itself into svchost is another issue, and the topic of this thread.

    I could be wrong here, but I have never seen Adobe inject svchost. Adobe apps have their own process for auto-updates.

    wat, this is calling out to the Redmond ship. You might wanna use Process Explorer (or similar) to investigate which services are hosted by the svchost to debug this.

    Cheers,
     
  14. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yes, I think he needs to show what is going on in more detail. Seems kinda unlikely that Adobe would call out via Svchost. Svchost does all kinds of stuff so it's easy to be confused by it. Adobe would most likely connect out directly, at least that's my thinking on it, could be wrong though...
     
  15. Bob2000

    Bob2000 Registered Member

    Joined:
    Jul 21, 2008
    Posts:
    27
    More detail:

    I have recently bought some programs in the Adobe CS3 suite. I have yet to load them before I iron out the following problem...

    The Acrobat Pro 8 and the Adobe CS3 programs are Macrovision FLEXnet enabled products and will only work properly if the user allows a spy called FNPLicensingService.exe to be installed and run concurrently with the Adobe program. There is some debate about what this spyware does. I believe it reports information about the user's hardware configuration to Adobe every time the Adobe program runs. There is an associated dll which is launched by svchost.exe.

    Some CS3 programs will not start if you disable FNPLicensingService.exe.

    Installation of the CS3 suite also installs another dial-home program called mDNSResponder.exe, removal of which can render the system unstable.

    Whatever the reason for these spyware programs (heavily debated on Adobe forums), I want control over whether they can get internet access.

    I could try blocking svchost.exe and installing the program to see what happens, I suppose.
     
  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Pardon me, mDNSResponder is NOT a phone-home application, it's a more or less abandoned Zeroconf (a.k.a. Bonjour in Apple slang) implementation. :rolleyes:
     
  17. Bob2000

    Bob2000 Registered Member

    Joined:
    Jul 21, 2008
    Posts:
    27
    http://kb.adobe.com/selfservice/viewContent.do?externalId=kb400982

    I don't really want to change this thread into a discussion of what these programs do. I just want to control their access to the internet using Kerio 2.1.5

    Apologies if I offended.
     
  18. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    That would be correct. Stopping this service (setting it to the "disabled" state) stops certain local comms (can't remember the exact port # now) and has no side-effects on Adobe apps functioning whatsoever.

    FLEXnet licensing service does NOT phone home nor does it need internet access (sockets). CS3 (and I believe CS and CS2 as well) apps will fail to start if the service is disabled. You need FLEXnet running when you use Adobe stuff to verify an existing (valid) license. It is simply an anti-piracy device. As soon as you quit the app, FLEXnet is stopped as well. I have this service set to manual and it never attempted any spying job. However, there is a slight possibility that YMMV.
     
  19. Bob2000

    Bob2000 Registered Member

    Joined:
    Jul 21, 2008
    Posts:
    27
    OK. Putting Adobe to one side, could I ask about using Kerio to intercept a hypothetical third-party service that is launched by svchost.exe?

    If I simply block svchost.exe, are my browser, email and antivirus applications and LAN likely to stop working properly?
     
  20. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum

    A 3rd party service is not launched by svchost, it is launched by itself and could be injected into svchost (piggyback ride) in order to phone out.

    But if I got your drift, you would hypothetically need to have a HIPS capable of monitoring dll injections. I do not think Kerio can do such thing.

    On a typical (more or less default) home setup, yes.
     
  21. Bob2000

    Bob2000 Registered Member

    Joined:
    Jul 21, 2008
    Posts:
    27
    You're right, a quick experiment at blocking svchost.exe stopped my browser and email client. But I found that if I allowed UDP traffic to/from my router IP address at remote port 53, those applications started working again.

    I'll keep experimenting/learning.
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    In XP, Svchost does your DNS lookups, so yes, you need to allow it out on remote port 53, but only to the IP addresses of your ISP's DNS servers. Anything else you can probably block. I'm still not sure why you think that it's Svchost that's doing the outbound connection(s) that you are concerned about? What leads you to that conclusion?
     
  23. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
    Because of its speed, very low resource use, compatibility with other programs, and of course its excellent configuration abilities. :D
     
  24. Bob2000

    Bob2000 Registered Member

    Joined:
    Jul 21, 2008
    Posts:
    27
    Unfortunately that didn't work for me the way my p.c. is configured.

    My ethernet adapter is configured within XP Pro to obtain an IP address and DNS address automatically.

    When I enter ipconfig /all at a command prompt, the DNS server and DHCP server listed are identical to my router's IP address. The router is DHCP enabled.

    In Kerio's rules, I tried entering my ISP's DNS address instead of the router address and lost access to the internet.

    I must be missing something very simple?

    With regards to your question regarding my suspicions about svchost, I haven't verified the outbound connection for myself (because I haven't taken the software out of its shrink-wrap yet) but read about it on one of the Adobe forums (sorry, can't find the forum thread link). It may be incorrect but I hoped that I could use a firewall to help me check.
     
  25. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Ok, you are correct on the DNS, I didn't realize you have a router. So in Kerio's rules, your DNS rule for Svchost will use the router address and port 53, rather than the ISP DNS server addresses. Sorry bout that... :)

    I suspect that most apps, including Adobe, will try to make a direct connect out themselves. Unless there is something special about them that I am ignorant about (which could be). But usually you only need to deal with the apps themselves. Svchost can do any number of things, but it's usually Win related.

    I think what I'd do is just set up Kerio to log everything, on all your rules, then install your programs and see what happens. You will either get a popup asking for permission out, or if not, then you can check the logs and try to see what's going on.
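As an added example (not code from any poster in this thread) of the approach Kerodo and Bob2000 converge on: log everything for svchost.exe, allow only UDP to the router on remote port 53, and pull every other destination svchost.exe reached out of the log so it can be put in a block rule. The log line layout, the router address 192.168.1.1 and the sample lines are constructed assumptions, not Kerio 2.1.5's real log format.

```python
import re

# Assumed router address (the DNS/DHCP server that ipconfig /all reports on this LAN).
ROUTER_IP = "192.168.1.1"

# Constructed log line layout; this is NOT Kerio 2.1.5's real log format.
# <time> <action> <application> <proto> <local_ip>:<port> -> <remote_ip>:<port>
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<app>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lip>[\d.]+):(?P<lport>\d+)\s*->\s*(?P<rip>[\d.]+):(?P<rport>\d+)$"
)

# Constructed sample of a "log everything" run while a new program is started.
SAMPLE_LOG = """\
10:01:02 ALLOW svchost.exe UDP 192.168.1.10:1045 -> 192.168.1.1:53
10:01:05 ALLOW svchost.exe TCP 192.168.1.10:1046 -> 203.0.113.7:80
10:01:09 ALLOW firefox.exe TCP 192.168.1.10:1047 -> 198.51.100.20:80
10:02:30 ALLOW svchost.exe TCP 192.168.1.10:1050 -> 203.0.113.7:443
10:02:31 ALLOW svchost.exe UDP 192.168.1.10:1051 -> 203.0.113.9:123
garbage line that must be ignored
"""

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["lport"], e["rport"] = int(e["lport"]), int(e["rport"])
            yield e

def is_router_dns(e, router_ip=ROUTER_IP):
    """The single allow rule for svchost.exe: UDP to the router on remote port 53."""
    return (e["app"].lower() == "svchost.exe" and e["proto"] == "UDP"
            and e["rip"] == router_ip and e["rport"] == 53)

def would_block(e, router_ip=ROUTER_IP):
    """Decision under 'allow router DNS, block everything else for svchost.exe'.
    Other applications are governed by their own rules and never blocked here."""
    return e["app"].lower() == "svchost.exe" and not is_router_dns(e, router_ip)

def suspect_destinations(log, router_ip=ROUTER_IP):
    """Map each remote IP svchost.exe reached outside the DNS rule to its
    (proto, port) pairs: these are the addresses to feed into block rules."""
    found = {}
    for e in parse(log):
        if would_block(e, router_ip):
            found.setdefault(e["rip"], set()).add((e["proto"], e["rport"]))
    return found
```

Run against a real export, the returned map is the list of remote addresses and ports that a per-application "block svchost.exe to address X" rule in Kerio would need; compare it against the router address before assuming anything is suspicious.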
     