Programs that Call Home

Discussion in 'other software & services' started by Adric, Nov 3, 2014.

  1. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    I'm curious as to what others are using to monitor their systems when it comes to
    determining if programs are calling home or not. I know firewalls and sniffers
    have this capability, but I'm wondering if there are other possibilities that are
    less complicated to analyze and use. Ideal would be a log file over time specifically
    showing those culprits.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello Adric,

    A firewall's log is about as simple as you can get. When you set a rule to block an application from connecting out, if an attempt is made, you see it in your log.

    Here, a Picture Information Extractor (PIE) for the EXIF of a digital image attempts to connect out, and is logged:

    kerio-pie-connect.jpg

    There may be other types of programs that do this--perhaps someone knows!

    -rich
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
  5. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    Tried that, but it doesn't keep a running log over time that I can check later.

    Hi Rmus,

    Since I am behind a HW router, I haven't found it necessary to have an additional firewall and wanted to avoid installing one just for this purpose. Which one are you using and is it light enough and simple to use?
     
  6. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    @Adric
    A debatable subject. There are those who say using a HW router and a software firewall is a good security combo.
    Others say there is no need for a software firewall if using a HW router with firewall capabilities. Still others say
    using a firewall, whether it be Windows built-in or third-party, should be good enough.
    Can't forget those that ask whether a firewall is even needed at all.


    I personally wouldn't connect to the Internet without some type of firewall in place.

    I also would check on your HW router.
    As mentioned on this forum and elsewhere, there is the subject of backdoors in routers and also routers being hacked.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    66
    A hardware and software firewall combo is essential, but which is more important is debatable. I use TinyWall, which is a Windows Firewall supplement that can block everything (in/out) except what I explicitly allow. Then it comes down to the system hosts file or a program such as PeerBlock for even finer-grained control (though I haven't needed those yet). With that aside, I don't have any recommendations for connection logging; I've only ever had use for a real-time TCP monitor so I can figure out which ports to unblock in the hardware firewall.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello Adric,

    In that case, one of the other tools mentioned might be a better solution for you.
    I use the old Kerio 2.1.5. It is light (memory usage shows less than 6K) and very simple to use. You have to learn about rule sets first. Then, it is easy.

    But if you use an OS later than WinXP it won't work, in which case, if you decide on a firewall for your solution, you will have to go to the firewall forum to learn about the options available.

    regards,

    -rich
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    A good HIPS monitors all that happens in your system and all that your programs do.
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
  12. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    Thanks Ichito. CrowdInspect seems to fit my needs. I like the history option and the information displayed. I see some rather strange DNS names for the System Idle Process showing up between entries. It's interesting to see the number of servers that get visited during a session.
    CrowdInspect.jpg


    CrowdInspect1.jpg
     
    Last edited: Nov 5, 2014
  13. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    66
    CrowdInspect looks like a nice piece of software, but its privacy policy is troubling (see section 4 and 4.2 of the EULA, yikes).

    You might also try TCPMonitor which does have a logging feature: http://www.itsamples.com/tcp-monitor.html
     
    Last edited by a moderator: Nov 5, 2014
  14. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    Decided to use Currports which does logging and allows you to filter out connections that you consider to be okay.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There are quite a few utilities that can monitor and log outbound traffic, but the only thing that can intercept and either allow or block it in real time on a per-application basis is a software firewall. On XP, Kerio is one of the best pure firewalls available.
     
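One way to build the running log the thread is after without a firewall or sniffer, as an added example that is not from the thread or any of the tools named in it: poll `netstat -ano` (Windows column layout assumed), keep only TCP rows in an outbound state to a non-loopback peer, and record each new (PID, remote peer) pair once with a timestamp. The sample netstat output below is constructed.

```python
# Added example (not from the thread): a running, de-duplicated log of outbound
# TCP connections per process, built by polling "netstat -ano" (Windows layout).
import subprocess
import time

OUTBOUND_STATES = {"SYN_SENT", "ESTABLISHED"}   # sessions/attempts, not listeners
LOCAL_PREFIXES = ("127.", "0.0.0.0", "[::1]")   # loopback peers are not "calling home"

def parse_netstat(text):
    """Return (local, remote, state, pid) tuples for the TCP rows of netstat -ano."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].upper() == "TCP":   # UDP rows have no State
            _, local, remote, state, pid = parts
            rows.append((local, remote, state, int(pid)))
    return rows

class ConnectionLogger:
    """Remember (pid, remote) pairs so each new remote peer is logged only once."""
    def __init__(self):
        self.seen = set()

    def update(self, rows, now=None):
        """Record unseen outbound peers from one poll; return the new records."""
        now = time.time() if now is None else now
        new = []
        for local, remote, state, pid in rows:
            key = (pid, remote)
            if (state not in OUTBOUND_STATES or remote.startswith(LOCAL_PREFIXES)
                    or key in self.seen):
                continue
            self.seen.add(key)
            new.append({"time": now, "pid": pid, "remote": remote, "state": state})
        return new

# Constructed sample poll: one listener, one loopback session, two outbound peers.
SAMPLE = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     4212
  TCP    192.168.1.20:49812     203.0.113.7:443        ESTABLISHED     4212
  TCP    192.168.1.20:49813     198.51.100.9:80        SYN_SENT        5588"""

if __name__ == "__main__":  # poll every 5 s and append new peers to outbound.log
    logger = ConnectionLogger()
    while True:
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        with open("outbound.log", "a") as f:
            for rec in logger.update(parse_netstat(out)):
                f.write("{time:.0f} pid={pid} {remote} {state}\n".format(**rec))
        time.sleep(5)
```

The PID can be resolved to an image name with `tasklist` when reviewing the log; short-lived connections that open and close between two polls will be missed, which is the gap a firewall's own log closes.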