OutPost Pro letting inbound connections even though there is no rule for this

Discussion in 'other firewalls' started by Rilla927, Dec 17, 2011.

Thread Status:
Not open for further replies.
  1. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I have taken OP out of learning mode and realized I needed to make rules (for some reason auto rule creation didn't make them) for MBAM and Webroot Secure Anywhere AV and the rules I made were for "Outbound" only, no "Inbound" rules created.

    OP then throws up pop-ups about an inbound rule(s) for MBAM and Webroot when I made no such rules. Does this happen to anyone else?
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Could you please provide a screenshot of the settings you got for the Firewall portion in the GUI? I don't recall what's exactly there, but I do recall about a Wizard Mode or something like that. If that's selected, then it makes sense that Outpost alerts you for inbound connections. It's not letting them in; it's simply telling you those apps are attempting inbound connections, and if you'd like to allow them.
     
  3. wat0114

    wat0114 Guest

    I don't know about Webroot, but MBAM only requires TCP out to remote port 80 (https). No inbound should be required, and no way should it be requesting for inbound, afaik.

    By default, OP with Attack Detection enabled, will stealth all ports from inbound activity. With Attack Detection disabled, and depending on your current rules setup ports 135 & 49152 - 49157 might show open, with 139 and 445 closed in a Win7 setup. Inbound rules can be created under Settings -> Network Rules -> System-wide rules -> Global Rules to block any open ports, if one decides to disable Attack Detection.
     
  4. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi Moonblood,

    Here are some screenshots. As you can see it says "Incoming connections allowed". I never made any rules for incoming for any program.
     


  5. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    You're right, there should be no incoming connections needed for either one.

    Attack Detection is enabled. DCOM is disabled through services.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello,

    I previously misunderstood you. I thought you were referring to OP prompts asking whether or not to allow traffic (inbound).

    Did you look in the firewall rules to see if there's anything there regarding those applications? Could ImproveNet have added them there? You do have the option to automatically create rules for trusted vendors selected.
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I have combed through every application (opening and double checking the direction) rule 4 times and there were no rules made for inbound.

    I clicked on the "trusted vendor list" right before I uploaded your screenshots. That's the first time it has been enabled.

    I would like to know why OP says that these inbound connections are allowed when there never was any rules made for that. I really don't know if this is a bug or what. It possibly could be saying it has allowed the inbound connections when there really is no such thing coming through.

    Do you know where the trusted vendor list is?

    Is there a way for me to really find out what's what with a program's connections by using software?
     
    Last edited: Dec 18, 2011
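
One way to answer the question above about checking a program's connections with software, as an added example that is not part of the original thread: the script parses saved `netstat -ano` output, separates listening sockets reachable from the network from loopback-only ones, and flags established connections that arrived on a listening port. The sample output, addresses and PIDs are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       404
  TCP    127.0.0.1:27019        0.0.0.0:0              LISTENING       2288
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:50312     203.0.113.5:80         ESTABLISHED     2288
  TCP    192.168.0.10:445       192.168.0.22:51000     ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       716
  UDP    0.0.0.0:5355           *:*                                    1100
"""

def split_endpoint(ep):
    """'[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    return host, int(port) if port.isdigit() else None

def parse(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # UDP rows carry no State column: Proto, Local, Foreign, PID
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        lhost, lport = split_endpoint(f[1])
        rhost, rport = split_endpoint(f[2])
        rows.append(dict(proto=f[0], lhost=lhost, lport=lport, rhost=rhost,
                         rport=rport, state=state, pid=int(f[-1])))
    return rows

def exposed_listeners(rows):
    """(port, pid) for TCP listeners bound to a non-loopback address."""
    return sorted({(r["lport"], r["pid"]) for r in rows
                   if r["state"] == "LISTENING"
                   and not ipaddress.ip_address(r["lhost"]).is_loopback})

def inbound_established(rows):
    """Connections whose local port is a listening port, i.e. accepted inbound."""
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    return [(r["rhost"], r["lport"], r["pid"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["lport"] in listening]

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print(exposed_listeners(rows))
    print(inbound_established(rows))
```

To use it on a real machine, save the output of `netstat -ano` to a file and pass its contents to `parse`; `tasklist /svc` maps each PID to its process and the services it hosts.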
  8. m0unds

    m0unds Guest

    i'd suggest posting on agnitum's outpost firewall forums (-http://www.outpostfirewall.com-)
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm afraid I cannot be more helpful. :( It's been a long time since I last used Outpost. I barely remember how it works. :blink:

    But, I'd follow m0unds' advice. You could also get in direct contact with Agnitum's support.
     
  10. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    This is inbound traffic from your LAN. It's controlled in LAN settings. If you want no inbound connections then untick all options but be warned that printer and file sharing will break.
     
  11. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Nope.....svchost.exe is acting as a Server to the Internet.

    WRSA.EXE exists permissions to transfer data to the Network on behalf of trusted applications.

    Example: DNS API Request, Network-enabled application launch, OLE automation control, DDE communication.

    Enable full logging and the Inbound Source will be revealed.

    WRSA = Webroot SecureAnywhere


    HKEY1952
     
  12. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    That's possible if 192.168.11.14 happens to be the machine with OPF installed and auto rules for trusted vendor is enabled. But the OP said there are no inbound allow rules for any app. I took it that 192.168.11.14 was another LAN machine.

    I don't know enough about Webroot SecureAnywhere but a quick perusal of its web page doesn't indicate that it can act as a server collecting inbound traffic. I guess it depends on whether or not it is installed.
     
  13. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Anti-Leak Control

    By default svchost.exe acts as a Server to both the Local Area Network and the Wide Area Network.

    Server = Listen

    Listen = Open Port if necessary

    WRSA is using svchost.exe via WRSA Anti-Leak Control Permissions (Cloud Technology Anyone?)

    EDIT: clarity


    HKEY1952
     
  14. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    My Lan settings are empty, nothing checked. This happens even when trusted vendor list is not checked.
     


  15. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    @Mounds, Moonblood

    I will get a hold of support after the holidays and see what happens.

    Merry Xmas to all at Wilders.

    Just wanted to show the rules for WRSA (that I supposedly have incoming connections being allowed).
     

    Attached Files:

    • WRSA.jpg
    Last edited: Dec 23, 2011
  16. Corepcx

    Corepcx Registered Member

    Joined:
    Oct 6, 2011
    Posts:
    16
    I also have SecureAnywhere AV and Outpost Firewall Pro

    My Outpost may be setup differently

    Behind router / firewall , netbios checked

    OFP - Rules Wizard , Auto Create and Update Rules, Auto Create rules for applications signed by trusted vendor

    WRSA rules

    I have the Outgoing TCP to HTTP
    But not Outgoing UDP to DNS

    Does your WRSA show up in Blue under Applications like how mine is shown in pics..Or It is Black ?

    Full Screen pic
    http://www.bild.me/bild.php?file=7827781oftpwrsa.jpg
     
  17. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    Well, let's at least see if we can figure out which rule is producing this popup. The firewall report is generated from within a rule that says report this activity as shown in my screenshot below. Apparently it's not in WRSA ruleset so I'd suggest to start looking for it in the rules for svchost. It could be a loopback rule doing what HKEY1952 suggests.

    Does the IP address in this report belong to your machine?
     
