Network Access

Discussion in 'Ghost Security Suite (GSS)' started by isnogood, Nov 21, 2005.

Thread Status:
Not open for further replies.
  1. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Hi Jason,

    I have doubts if this feature works as it should:
    In my case, for any application launched to reach the network, AppDefend issues an alert about "system" trying to connect. It is repeated until I check "allow always" network access for system. In that case I have no more network-related alerts, even if new programs are trying to connect. It seems like it is only a global switch, not application-based. For info, I am running Win2K Pro.
    Thank you for any comments.

    isnogood
     
  2. alley

    alley Registered Member

    Joined:
    Sep 8, 2005
    Posts:
    18
    Hi isnogood,

    Is your "DNS Client" service running? If so, please disable it and try again. Hope this helps.
     
  3. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Yes, I do run the DNS Client service. I'll have to change my firewall settings when I disable it, but on reflection it may well be the reason for my problem. Thanks for the hint, Alley; I will try this evening. Nevertheless, it is still strange that AppDefend does not detect the application originating the call, but indicates the system service instead.
    isnogood
     
  4. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Ok, I tried to deactivate the DNS Client service, but it does not help. I still have only "system" process alerts (different process IDs). For example, when I start Firefox, the first alert is loopback (127.0.0.1), then it indicates unknown IPs and ports. This is repeated multiple times before I get effectively connected, and later on when browsing. It's really unusable. Any other ideas, please? Am I the only one experiencing this?
     
  5. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Are your alerts about unknown IPs and ports possibly what Jason is talking about at the bottom of this message, https://www.wilderssecurity.com/showpost.php?p=610767&postcount=2? If you can, a screenshot of the alert would be helpful. My experience with Maxthon, an IE-based browser, is that once I Always Allowed Network Access I have not gotten those alerts again.

    Just for clarity I have to ask: what did you do to stop the DNS Client service? It is a two-step process: 1 - stop the service if it is running, and 2 - set the service to Disabled to prevent it from starting again. Another thing is you will probably be presented with an alert for svchost.exe wanting Network Access; this is normal, Windows XP uses svchost.exe for DNS resolution with your ISP's DNS servers.
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Firefox will try to connect to 127.0.0.1 (the loopback address) on startup - it is apparently for the Password Manager feature. If you do not use this, you can block such connections but since AppDefend's network access is all-or-nothing you really need to allow it.

    Svchost will request network access for DNS lookups if the DNS Client service is running, but disabling this, as per Disciple's post, will mean DNS lookups being done by the application itself (i.e. every application that tries to connect will then start with a DNS request). Svchost does also handle DHCP, so you will need to allow it access if you are using it (almost certainly yes), but otherwise you could probably block it from doing anything else.

    Svchost is a good example of the problems with allow-or-deny network control - some things (DHCP, DNS) are critical and blocking them will result in loss of network access while others are optional (NTP for clock synchronisation) and some downright dangerous (DCOM/RPC).
     
  7. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Paranoid, I know all about this DNS/DHCP stuff. Except that for me it's not svchost but system, because I am on Win2K, not on XP. The first loopback connection is also common for many browsers; IE will also call 127.0.0.1 at first. I have a special rule in my firewall (Tiny) to allow that. In my original setup I had been running the DNS Client service, so DNS lookup was always done by system, not the application itself. That's why I thought that Alley could be right in his post. So I deactivated the DNS service (properly, verified) and created rules in the firewall to allow all internet applications to call the DNS port themselves (originally they may only connect to a specific port like HTTP, HTTPS, FTP etc.).
    To my surprise, this does not help. I still have only alerts concerning system, not the calling application. DHCP is still handled by system, but I don't think I can stop this service without losing network access. Not sure, but I believe DHCP cannot be handled by user applications.

    Me too: if I set "Allow Always" for system, I have no alerts, that's normal. But if you start Maxthon, do you have alerts about svchost/system or about Maxthon?
    This is my principal question actually. I don't see any sense in this feature if switching the permission on/off for system means de facto allowing/denying any application network access.
    In this case it is better to unplug the modem cable or use the "block all" / "allow all" button of your firewall. Really, I can't imagine this is the purpose of the network access control developed by Jason. I rather think of a bug or an unfinished feature in the beta version.

    Jason, please, can you comment on this ?
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For Win2K this should be services.exe - can you confirm this?
    This should only happen if you are running a proxy server (e.g. a web filter like Proxomitron or an anonymising client like JAP or Tor) - or have anti-virus software with a web-filtering option (e.g. NOD32's IMON - try disabling it if you have it).
    The only way to avoid using DHCP is to use a static IP address. If you connect via a router (and therefore always receive a 192.168.x.x address) you can do this via the Network Properties for your LAN connection.
     
  9. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Yes, that's right.
    Are you sure? I have a direct connection, without proxy, and as I recall Firefox still needed the loopback rule enabled. But that doesn't matter in fact.
    I am behind a router and I already have a fixed local address, but I never disabled the DHCP service. I will try this, thanks.
    Nevertheless, can you tell me if you other guys also experience the same behaviour, or you have network access alerts based on application name ?

    isnogood
     
  10. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Well, I disabled both the DNS and DHCP services and set my local IP and DNS server addresses properly in the Network Connection Properties.
    The behaviour of AppDefend does not change, however.

    Let me describe the alerts I have when I start Firefox:

    1) AD Alert: system -> loopback connection
    2) AD Alert: system -> Udp send (unknown IP/port)
    AD Alert: system -> Udp send (unknown IP/port)
    3) AD Alert: system -> Connection (remote IP , port 80) - Mozilla
    5) AD Alert: system -> Udp send (unknown IP/port)
    AD Alert: system -> Udp send (unknown IP/port)

    The browser window is now open. These alerts correspond exactly to my firewall logs for firefox.exe. Now, if I set "allow always" network access for system.exe, I have no more alerts for any other application connecting outside.

    isnogood
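The post above lists AppDefend alerts that all name "system" while the firewall log for the same moment names firefox.exe. The following script is an added example, not code from the thread or from Ghost Security; it shows how a defender can recover the originating application by joining the two records on destination endpoint and time. The alert and log lines are constructed samples in an assumed format (real AppDefend alerts and Tiny firewall logs will differ), and the `correlate` and `summarize` helpers are hypothetical names chosen here.

```python
import re
from datetime import datetime

# Constructed sample data (not taken from the thread). The AppDefend-style alerts
# attribute everything to "system"; the firewall log names the real executable.
AD_ALERTS = """\
21:14:02 AD Alert: system -> loopback connection 127.0.0.1
21:14:03 AD Alert: system -> Udp send 192.0.2.53:53
21:14:03 AD Alert: system -> Udp send 192.0.2.53:53
21:14:04 AD Alert: system -> Connection 198.51.100.7:80
21:14:06 AD Alert: system -> Udp send 192.0.2.53:53
21:16:40 AD Alert: system -> Connection 203.0.113.9:443
"""

FW_LOG = """\
21:14:02 ALLOW firefox.exe TCP 127.0.0.1:1043 -> 127.0.0.1:1042
21:14:03 ALLOW firefox.exe UDP 192.168.1.10:1044 -> 192.0.2.53:53
21:14:04 ALLOW firefox.exe TCP 192.168.1.10:1045 -> 198.51.100.7:80
21:14:06 ALLOW firefox.exe UDP 192.168.1.10:1046 -> 192.0.2.53:53
"""

# Assumed line layouts for the two constructed formats above.
ALERT_RE = re.compile(
    r"^(?P<t>\d\d:\d\d:\d\d) AD Alert: (?P<proc>\S+) -> (?P<kind>.+?) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)(?::(?P<port>\d+))?$"
)
FW_RE = re.compile(
    r"^(?P<t>\d\d:\d\d:\d\d) (?P<verdict>ALLOW|BLOCK) (?P<proc>\S+) "
    r"(?P<proto>TCP|UDP) \S+ -> (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)


def _ts(text):
    # Time-of-day only; good enough for records from the same session.
    return datetime.strptime(text, "%H:%M:%S")


def parse(text, regex):
    """Parse every line matching `regex` into a dict; skip lines that do not match."""
    rows = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            d = m.groupdict()
            d["t"] = _ts(d["t"])
            d["port"] = int(d["port"]) if d["port"] else None
            rows.append(d)
    return rows


def correlate(alert_text, fw_text, window_s=2):
    """For each alert, find the firewall entry with the same destination whose
    timestamp is closest and within `window_s` seconds; report its process."""
    alerts = parse(alert_text, ALERT_RE)
    fw = parse(fw_text, FW_RE)
    results = []
    for a in alerts:
        best = None
        for f in fw:
            if f["ip"] != a["ip"]:
                continue
            # A loopback alert without a port matches any port on that address.
            if a["port"] is not None and f["port"] != a["port"]:
                continue
            delta = abs((f["t"] - a["t"]).total_seconds())
            if delta <= window_s and (best is None or delta < best[0]):
                best = (delta, f)
        results.append({
            "alert": a["kind"],
            "dst": f"{a['ip']}:{a['port'] if a['port'] is not None else '*'}",
            "reported": a["proc"],
            "process": best[1]["proc"] if best else None,  # None = unattributed
        })
    return results


def summarize(results):
    """Count attributed alerts per process; key None collects unmatched alerts."""
    counts = {}
    for r in results:
        counts[r["process"]] = counts.get(r["process"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = correlate(AD_ALERTS, FW_LOG)
    for r in rows:
        print(f"{r['alert']:<20} {r['dst']:<20} reported={r['reported']:<8} "
              f"actual={r['process']}")
    print(summarize(rows))
```

The join key is the destination endpoint plus a small time window; the last alert (203.0.113.9:443) has no firewall counterpart and stays unattributed, which is the case a defender should treat as worth a closer look rather than silently dropping.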
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Firefox will connect to loopback for the Password Manager feature, as mentioned above. However, you did mention loopback connections for IE also, and that should only occur with a proxy.
     
  12. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Nor should it be. I can't see any reason a user application would need to have any involvement with a NIC getting/refreshing an IP address. That is more a function of the OS. Well, I guess there might be some third-party software that does Internet Connection Sharing, which in that case might/would need to handle DHCP.

    No, all is quiet. However, if svchost.exe does not have internet access (Network Access), no application can connect to an internet destination. Svchost.exe has some involvement with DNS resolution between said app and the internet. In your case services.exe may have the same DNS resolution involvement that svchost.exe does on XP. Which may come down to a change in how things are done between the older W2K OS and the newer XP OS.

    Or, if you think of the Network Access function from the standpoint of who developed AppDefend and the firewall (GhostWall) being the same person/company, it may make more sense. GhostWall, as I understand it, operates on inbound packets only and does nothing for outbound connections. In the GS Freeware board there are two threads dedicated to Application Control in GhostWall, and I think it is mentioned in some other threads as well. Now comes AppDefend, and one of its many features is the ability to Allow/Deny, on a per-application basis, Network Access. Is there program overlap between Network Access in AD and, say, your firewall? Yes. But no more so than the program overlap that exists between, say, Spybot S&D, Ad-Aware, PestPatrol, or MS Antispyware, just to name a few. It's there for you to choose whether to use it or not; you can edit the .Default setting for this to Allow and then control it with your preferred application.
     
  13. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    This is exactly my point of view, Disciple. In my understanding, Jason does not want to add any application control to GhostWall, to keep it simple and light. Very good, it's fine like that. I won't ever use it because my router does exactly the same job, but it is clearly an interesting option for many people. Its popularity proves it. Now, I believe that the Network Access component in AppDefend is something going in the direction of outbound control, to make the other kind of guys happy. The idea makes sense, obviously. Of course it may overlap with many existing security apps, especially firewalls, but the choice is yours. Personally I use Tiny, which covers all network and system security aspects. This overlap does not bother me actually; I'm testing only. Perhaps I will dump Tiny one day if I find AppDefend or another program worth it.
    What I do not understand is the purpose of the actual implementation of Network Access control, because it is not application-based at all. I can't choose separate rules for different applications, even the most simple such as allow or block, since for firefox.exe or backdoor.exe I always get an alert telling me that it's services.exe wanting to connect outside. It does not inform me what program is at the origin of the call. That does not make sense to me.

    isnogood
     
  14. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    It could be an issue due to you using Windows 2000 operating system. I will take a look into this for a future build.
     
  15. MAL1234

    MAL1234 Guest

    I'm not sure if this has anything to do with it, but if you go to Internet Options in IE, Connections, then LAN Settings, and uncheck the "Automatically detect settings" box, this may have something to do with IE checking 127.0.0.1 or proxies. I doubt this will solve the services.exe thing, but I was just reading along and thought about it.

    Best of luck
    Marc
     
  16. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Thanks, Jason. At least it is confirmed to be a bug, not an intended feature ;) I am really interested to see all the future development of AppDefend. Looks very promising.

    No, apparently it's a browser feature, not depending on the Internet Options/connection settings, at least if you use a direct connection. If you disable the DNS and DHCP services, you need to fix your local IP and DNS server addresses in the connection parameters. Anyway, it has nothing to do with the problem.

    isnogood
     
  17. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I would like to be able to specify allowed and dis-allowed IP and port ranges for each application. This would help to harden network protection.
     
  18. joter

    joter Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    163
    Location:
    Greece
    If there is any chance to have this, I will buy this product the next hour.

    Regards
    joter
     
  19. logic

    logic Guest

    Kind of a misleading example, I think. Logically, Spybot, Ad-Aware etc. depend on signatures to detect malware, so there is some gain if the signature databases are different. Empirically, we have seen reports that yes, it's a good idea to use several scanners since any single one misses quite a bit.

    I don't think this applies to Network Access on either ground. Not unless you are one of those people who believe the word "redundancy" can justify everything.
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are several firewalls that already offer this feature. While it would be an improvement on the existing AD network access control, it would also require more monitoring of network traffic (hence more CPU usage) and a significant expansion of the AD code and UI to cover all the configuration possibilities (TCP and UDP protocols, other IP protocols like ICMP, IGMP, IPv6, RIP, port ranges, address ranges, network interface, stateful inspection options, etc) which could only detract from AD's current focus on application control.

    If Jason wishes to add a fully-fledged firewall to his suite, more power to him. But doing one that covers all the necessary network-related options is a major piece of work (take a look at the pace and range of updates for Look'n'Stop for an example of how difficult it is for a lone developer to keep up with everything) and I'd suggest that the process/registry control area is the part of Windows security less served by current offerings - and therefore in more need of new utilities.
     
  21. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Not really, when taken in the context of what Network Access does.
    I agree with you about this, but to borrow a word from you, with those programs there are "redundant" detections.
    Not at all. I am "one of those people" that believe in using what works for the given hardware and situation. I accept the fact that with computer programs I may/will have to put up with some amount of redundancy. I made that statement from the point of view that if you deny a program Network Access in AD then it does not get access to any network, be it a LAN or the Internet, and that statement holds true for a firewall. Take for example Spybot: to update its signature file it must access the Internet. Now deny/block that access in your firewall; what happens? Spybot does not get updated. Similarly, if Spybot has Internet access permission in the firewall but not in AD, what happens? Again, Spybot does not get updated. Network access must be allowed in both programs, where they are both running on a computer, for Spybot to update itself.

    I don't have an AD log entry to back this up, but I believe I have seen AD Alerts for Network Access to the localhost, 127.0.0.1; also Win XP uses 239.255.255.250 to talk to itself. All of this really boils down to how a program/programmer defines/detects network access.
     
  22. xmen

    xmen Guest

    Some of them, yes, but not all of them. It's not the other part, that isn't overlapping, that is really useful. E.g. if you told me Ad-Aware detected exactly the same stuff as Spybot I wouldn't bother using both unless I bought the redundancy idea. In fact, they differ not only in detection ability but also removal, so things are not so straightforward.

    But I don't think anyone is claiming Network Access in AD can block events different from those of a firewall. Or are you? If so, then yes, you can start using the example of people running Spybot and Ad-Aware.

    If not, you are just being misleading.

    Yes, you mean your firewall works exactly like Network Access for AppDefend.

    That's an interesting comment, based on the idea that AD Network Access would notice something that a firewall wouldn't.

    But you do know that for many if not most firewalls, these events (including localhost) would be detected too, right?
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are several possible causes here:
    • You are using a hosts file that redirects known ad/malware domains to 127.0.0.1 (in order to block access to the real domain);
    • You are using proxy software (e.g. web filtering software like Proxomitron - some anti-virus web and email scanners also work in this fashion);
    • Some software (e.g. Firefox) tries to connect to itself;
    • Some Windows components (e.g. Microsoft Management Console) use 127.0.0.1 to communicate with other parts of Windows.
    In many cases, even though the 127.0.0.1 address doesn't involve Internet access, a connection to it is very likely to precede such access, so receiving a warning on this would be useful in many cases.
    This is Universal Plug and Play - best disabled if you don't need it (i.e. you don't have a router needing UPnP) since it does pose security risks.
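Paranoid2000's two posts above make one technical point between them: a service host such as svchost.exe (services.exe on Win2K) mixes critical traffic (DNS, DHCP), optional traffic (NTP) and risky traffic (DCOM/RPC), plus loopback and the 239.255.255.250 UPnP/SSDP address, so an allow-or-deny switch per process cannot express a sensible policy. The script below is an added example, not code from the thread or from any Ghost Security product; it classifies each destination by role and contrasts a per-process all-or-nothing verdict with a per-role verdict. The role table, the `POLICY` dictionary and the function names are assumptions made here; the sample events are constructed.

```python
import ipaddress

# Destination roles named in the thread: loopback, SSDP/UPnP multicast, DNS, DHCP,
# NTP, DCOM/RPC; plus LAN vs Internet. Port assignments are the IANA well-known ones.
SSDP_ADDR = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(proto, ip, port):
    """Return a role name for one (proto, destination ip, destination port) tuple."""
    addr = ipaddress.ip_address(ip)
    proto = proto.upper()
    if addr.is_loopback:
        return "loopback"
    if addr == SSDP_ADDR and proto == "UDP" and port == SSDP_PORT:
        return "ssdp_upnp"
    if addr.is_multicast:
        return "multicast_other"
    if port == 53 and proto in ("UDP", "TCP"):
        return "dns"
    if proto == "UDP" and port in (67, 68):
        return "dhcp"
    if proto == "UDP" and port == 123:
        return "ntp"
    if proto == "TCP" and port == 135:
        return "rpc_dcom"
    if any(addr in net for net in RFC1918):
        return "lan"
    return "internet"


# Assumed per-role policy for a service host, following the thread's reasoning:
# DNS/DHCP must work, NTP is optional, DCOM/RPC and UPnP are best kept off.
POLICY = {
    "dns": "allow",
    "dhcp": "allow",
    "ntp": "ask",
    "rpc_dcom": "deny",
    "ssdp_upnp": "deny",
    "multicast_other": "deny",
    "loopback": "ask",
    "lan": "ask",
    "internet": "ask",
}
CRITICAL = {"dns", "dhcp"}


def role_based(events, policy=POLICY):
    """Per-role verdicts: list of (role, verdict) in event order."""
    out = []
    for proto, ip, port in events:
        role = classify(proto, ip, port)
        out.append((role, policy.get(role, "ask")))
    return out


def all_or_nothing(events):
    """The single per-process switch: if any event is critical, the process must be
    allowed, and that allowance then covers every other event it generates."""
    roles = [classify(*e) for e in events]
    verdict = "allow" if CRITICAL & set(roles) else "deny"
    return [(r, verdict) for r in roles]


def compare(events):
    """Side by side: (role, all-or-nothing verdict, role-based verdict)."""
    return [(r, a, b) for (r, a), (_, b) in zip(all_or_nothing(events), role_based(events))]


# Constructed sample of what a service host might do in one session.
SVCHOST_EVENTS = [
    ("udp", "192.0.2.53", 53),          # DNS lookup
    ("udp", "192.168.1.1", 67),         # DHCP renew to the router
    ("udp", "198.51.100.20", 123),      # NTP time sync
    ("tcp", "198.51.100.7", 135),       # outbound DCOM/RPC
    ("udp", "239.255.255.250", 1900),   # SSDP/UPnP discovery
    ("tcp", "127.0.0.1", 4034),         # loopback, like the acrord32.exe alert later in the thread
]

if __name__ == "__main__":
    for role, aon, rb in compare(SVCHOST_EVENTS):
        print(f"{role:<16} all-or-nothing={aon:<6} role-based={rb}")
```

Run as-is, the DNS event forces the all-or-nothing verdict to "allow" for the whole process, so the DCOM/RPC and SSDP rows come out allowed under the per-process switch and denied under the per-role policy; that gap is exactly what the discussion about svchost is describing.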
     
  24. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Paranoid2000 wrote:

    Correct, or perhaps an anti-spam application or a network tool/application, etc.

    Perhaps you can download Port Explorer and check for yourself:
    http://www.diamondcs.com.au/portexplorer/index.php?page=download
     
  25. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Exactly, I am only talking about Network Access in AD and Application Control in a firewall. I am only pointing out that Network Access in AD and Application Control in a firewall are similar enough in end result to be considered redundant features. I agree that each product arrives at the end result in a different way; if they did not, I would suspect some legal posturing happening between the two companies.

    No, I am not. I would be very surprised if Network Access in AD functioned as it does in a firewall; however, the end result is still the same. I still stand by my analogy of the redundancy of some detections in Ad-Aware and Spybot when comparing the end result of AD's Network Access and Application Control in a firewall.

    My firewall of choice for my desktop computer does not alert me to any traffic over the computer's localhost, while AD does present an alert when a program/component wants this access. I.e. this morning AD alerted me that acrord32.exe, Adobe Reader 7.0, wanted network access to 127.0.0.1:4034 while my firewall did not. The only way I would find out about this in my firewall would be to read the log file regularly, not something I am interested in doing. So in this instance AD actively pointed out an activity, while the firewall did not. That, for me, gives me a proactive means of knowing what is going on with the programs on my computer.
     