Privatefirewall 7 - problems allowing program - internet access

Discussion in 'other firewalls' started by Iznogoud, Jan 26, 2012.

Thread Status:
Not open for further replies.
  1. Iznogoud

    Iznogoud Registered Member

    Joined:
    Jan 26, 2012
    Posts:
    3
    Hello,
    I have had Privatefirewall installed for about a year or a little more, and it seems to have worked well in most cases of online protection (from what I can tell with my limited firewall knowledge). I used Kerio before that (v2.1 iirc) and I liked the similar ask-respond interface.
    My problem is with an online game that uses nProtect (I mention this because I know sometimes these "evil" black-boxes cause various problems!). The firewall works alright with it, but at various stages of updating either the game or the firewall, I come across some blocked process that is reported as "restricted parent process".
    From what I see, all game-related files have been automatically identified by the firewall and I have allowed them. The report doesn't mention what the restricted parent process is.
    The odd thing is that sometimes, apparently, the process causing this isn't blocked: some pop-up program/process alert from an updated file will appear, and when allowed, all works well. But other times it will not, and my only solution is to remove the firewall, remove/adjust file-specific settings etc. trying to make it work.
    Well this time I can't make it work.. so here it is!
    Any help appreciated and apologies for the long first post.
    Thank you

    PS Windows XP SP3, PF 7.0.25.5
     
  2. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Did you look in File-Settings-Advanced-Detected Applications at the list of "Parent" processes? You may find the app or file which needs your approval there.
    (Look for ones that are blocked, especially.)

    The other thing you might do (such as on a popup) is "trust" the app and allow all subsequent actions.

    PF should allow the parent process if it is allowed by you either via popup or via the manual method.

    If you can't solve it, I'd recommend that you contact Greg Salvato at PF via their website: https://www.privacyware.com/support.html
     
  3. Iznogoud

    Iznogoud Registered Member

    Joined:
    Jan 26, 2012
    Posts:
    3
    There are no processes in the advanced section that need to be allowed; all are already.
    As for your "trust" recommendation, I wish it would pop up with that, then I'd allow any new/updated file and be done with it. Unfortunately that doesn't happen.
    What I notice is that when the same blocked file is not in PF's list to be allowed, it shows in the log as blocked; then as soon as the pop-up appears and I allow it, the same file appears in the log, but at the end it has this "restricted parent process" next to it, so it still isn't allowed.
    Thanks

    PS. In the end I may try ticket support if no one who can give me a solution happens to see this. What keeps me from doing so is the request for a phone number on the ticket. I'm not very fond of giving out personal information. I should probably watch fewer movies!
     
  4. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    I know you don't know me so my opinions may not have much validity but Greg Salvato has proven himself to be not only a supremely helpful source but also one of the highest integrity imho.

    I shouldn't fear to provide the info requested insofar as PWI is concerned.

    Just my opinion but I think you'll find it seconded quite a bit here.

    Would "training/learning mode" help when you go to run that program? Sorry if I missed that you've already tried that.
     
  5. Iznogoud

    Iznogoud Registered Member

    Joined:
    Jan 26, 2012
    Posts:
    3
    I have read some of his replies in here and he seems an alright guy. On the "personal-info" topic, it's just me..internet paranoia gets to you!
    On a more related note: I think I have found the culprit! I ran process explorer (sysinternals, hope it doesn't break too many rules to mention it!) and I saw one .exe file that calls this blocked process and is then never to be heard of again.
    This one isn't blocked/allowed anywhere in PF among the Internet processes. I don't know how exactly firewalls work, but either it didn't catch it, or it doesn't access internet but since it calls for that other process as parent, I guessed it should be allowed.
    I added it manually in "parents" and seems to have solved the issue.
    Now I just wonder why it is that PF cannot recognise it from the blocked process. It has the same name but it's .exe whereas the other is .bin
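
    The situation described in the post above (a short-lived .exe starts the blocked .bin and then exits) can be traced from process-creation records instead of a live process list. This is an added example, not part of the original thread and not Privatefirewall's own logic; the record layout, the paths and names, and the rule "a child stays restricted while any ancestor is unapproved" are assumptions.

```python
# Constructed process-creation records in start order: (pid, parent pid, image).
# Paths and names are hypothetical, not taken from the thread.
EVENTS = [
    (400,  0,    r"C:\WINDOWS\explorer.exe"),
    (1200, 400,  r"C:\Games\Example\launcher.exe"),
    (1320, 1200, r"C:\Games\Example\game.exe"),   # short-lived starter, exits at once
    (1388, 1320, r"C:\Games\Example\game.bin"),   # the process that goes online
    (1320, 400,  r"C:\WINDOWS\notepad.exe"),      # PID 1320 reused after game.exe exited
]
ALLOWED = {
    r"C:\WINDOWS\explorer.exe",
    r"C:\Games\Example\launcher.exe",
    r"C:\Games\Example\game.bin",
}

def link_parents(events):
    """Map each record to the record that owned its parent PID when it started."""
    latest = {}       # pid -> index of the newest record created with that pid
    parent_of = []    # record index -> parent record index, or None if unknown
    for idx, (pid, ppid, _image) in enumerate(events):
        parent_of.append(latest.get(ppid))
        latest[pid] = idx
    return parent_of

def unapproved_ancestors(events, allowed, image):
    """Ancestor images of `image` that are missing from the allow-list.

    Assumed rule model: a child stays restricted while any ancestor is unapproved.
    """
    allowed_lc = {path.lower() for path in allowed}   # Windows paths ignore case
    parent_of = link_parents(events)
    missing = []
    for idx, record in enumerate(events):
        if record[2].lower() != image.lower():
            continue
        cur = parent_of[idx]
        while cur is not None:                        # walk up to the root
            ancestor = events[cur][2]
            if ancestor.lower() not in allowed_lc and ancestor not in missing:
                missing.append(ancestor)
            cur = parent_of[cur]
    return missing

if __name__ == "__main__":
    print(unapproved_ancestors(EVENTS, ALLOWED, r"C:\Games\Example\game.bin"))
```

    Resolving the parent at the moment the child started is what keeps the exited starter visible and stops a reused PID from pointing at an unrelated program.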
     
  6. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Welcome to Wilders Security Forums Iznogoud

    nProtect GameGuard (sometimes called GG) is an anti-cheating rootkit developed by INCA Internet from Korea.

    Being that nProtect GameGuard is using Rootkit Technology, that process cannot be filtered by Private Firewall,
    or any Firewall. The process cannot be filtered because the process is hidden by the anti-cheating rootkit.

    The Rootkit container alone poses no threat; the Rootkit container's sole purpose is to protect by stealthing
    everything within the container. The threat, therefore, is the contents of the Rootkit's container, not the Rootkit.


    Here are some reads that might change your mind about the continued use of nProtect GameGuard:

    nProtect GameGuard by Wikipedia:
    http://en.wikipedia.org/wiki/NProtect_GameGuard

    High possibility of nProtect Gameguard being a rootkit @ Wilders:
    https://www.wilderssecurity.com/showthread.php?t=136414

    How Do I Uninstall Nprotect Game Guard? by Bright Hub:
    http://www.brighthub.com/video-games/pc/articles/1709.aspx#0_undefined,0_


    HKEY1952
     
  7. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    No.....you should probably watch even more movies.....good security decision not releasing your phone number!


    EDIT: clarity


    HKEY1952
     
    Last edited: Jan 27, 2012
  8. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    So basically, you trust a company to the point of allowing them to monitor all the net traffic that goes in and out of your computer, that may include, depending on the way you use internet: your credit card number, your bank credentials, details of your finances, private pictures and documents, maybe all your work.........

    But you shouldn't give them your telephone number.

    In my opinion, succumbing to paranoia is counterproductive and only makes you lose focus of what's really important. In this case, solving the OP's issue.
     
  9. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Point taken, vojta. :thumb:
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I had the same type of activity from PF 7 last time.

    I saw an auto-blocked outbound connection from Norton AV ccsvchst.exe in the Traffic Reports last night. ccsvchst.exe was denied TCP port 80 outbound access because it was running as a limited user under the primary ccsvchst.exe process? The subdirectory structure of both ccsvchst.exe were the same.

    Why is ccsvchst.exe loaded in Process Monitor as both a Parent and a Process? Directory structure of both are the same. Why is ccsvchst.exe loaded this way? Should it not be loaded only once?

    Finally, why the outbound block on the real ccsvchst? My browser was closed.
     