RAW socket on Windows Vista/7?

Discussion in 'ESET Smart Security' started by genetix, May 12, 2009.

Thread Status:
Not open for further replies.
  1. genetix

    genetix Registered Member

    Joined:
    May 12, 2009
    Posts:
    7
    Just wondering if this is true, as they have literally blocked installations of every major firewall software in the world on the Windows 7 OS.

    And the reason I suspect this is that I am testing a virtual machine connected Windows 7 with ESET Smart Security, and this takes connections beneath the firewall to servers:

    65.54.89.xxx
    65.55.17.157
    199.7.xxx.xxx
    207.46.xxx.xxx
    213.155.158.xxx
    213.199.xxx.xxx

    I wonder when we will need 3rd-party hardware IP filters, or a server box of some sort, to be sure of protection. If the OS can do this straightforwardly, why couldn't anyone else do this?

    I would also be interested in the 'locked' system service firewall rules. Why can't I remove them as well?
     
    Last edited: May 12, 2009
  2. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    I don't quite follow your point, but I've loaded ESS onto W7 RC1 and into the XP virtual machine with no problems.

    v4.0.417 with firewall build 1045
     
  3. genetix

    genetix Registered Member

    Joined:
    May 12, 2009
    Posts:
    7
    What is the point of a firewall which cannot block connections?

    So, how can there be a connection made by the system while it's not shown on the firewall (as listed above, if you keep a firewall below the virtual machine you will see connections are established while the firewall inside the VM sees nothing)?

    Another good question would be why there is anything locked in the firewall in any case (that is the same, in a local area/Ethernet network, as saying "attack this port, it's always open")?

    (Loading something into the system is completely irrelevant here. Sure it works great, but it doesn't block or inform of such connections.)
     
  4. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    Well now that you have explained yourself more clearly.

    Are you using the VirtualXP that is the add on to W7 or MS Virtual Machine?

    I suspect that the two might behave slightly differently, in that the XPvirtual hooks into W7 and in practice there probably is no need to have a 3rd party firewall in this particular VM as it runs via W7 itself.
     
  5. genetix

    genetix Registered Member

    Joined:
    May 12, 2009
    Posts:
    7
    'No need'? Heh, now there's a statement. I just said the firewall is leaking everything inside the system there is by the system.

    And I use VirtualBox or VMware. There is no relation that the virtual machine would be causing connections. Why don't you just test this:

    1. Install any host system.
    2. Install a firewall on the host system with connection confirmations.
    3. Install any virtual machine there is (VMware, VirtualBox, VirtualPC).
    4. Install Windows 7 in the virtual machine.
    5. Install a firewall in the virtual machine with connection confirmations (or a network connection monitor open).
    6. Let the VM system run > launch any application on the virtual machine.

    Now see what your host system firewall gets from the virtual machine NAT while the firewall under the virtual machine detects nothing. There are more connections than hell by the system and the virtual machine firewall sits blank.

    Now consider when there is no "host" system behind the system you run normally.
     
  6. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    Perhaps if you gave full details of what you are testing, rather than have to tease it out of you, we could save a lot of bother, and me some typing.

    Now you mention you are using VMWare! I thought you were using W7 with the virtualXP(beta) machine that Microsoft supply.

    Maybe others here have a degree in cyberspace neural synaptic transfer methods, but I don't. The thread is all yours now as I don't have VMware, so can't even attempt to help you.
     
  7. genetix

    genetix Registered Member

    Joined:
    May 12, 2009
    Posts:
    7
    I do not think I am teasing anything. This is a pretty damn serious issue.

    I did give an exact way to replicate the issue. What else can you possibly need? I even collected the range of IPs which are detected by simply replicating the setup.

    The only thing I am not sure about is whether this issue should really be questioned to Microsoft or treated as generally faulty firewalls. In general I simply wanted to hear what some tech people here had to say on this sort of background connection.
     
    Last edited: May 13, 2009
  8. guest

    guest Guest

    What if you just made an error while configuring the firewall??

    I use ESS4 in Vista64 and I tested it in all sorts of ways... There is no "leaking" of any kind... The firewall is filtering everything!...

    Now... There may be leaks if you are infected with malicious code... but if you are, the system is already infected so I don't see the point here....

    You are also using Windows 7... It is still a "beta"....

    And most of all, (it may be different in the beta of 7) but since XP SP2, there is no real raw socket support in Windows....
     
  9. guest

    guest Guest

    But, as it is still a beta, it would be great to try it with Vista to see if there is the same issue...

    You should also try to use a simple netstat -ba command to see where the connection is coming from... It might be helpful!

    And are you using version 4 of ESS? Is it in policy-based mode?? If so, what are your rules?

    And most important thing... I just thought... What if it isn't connections made by Windows 7 but by the virtual machine itself?.... Are you sure that the connections are coming from the virtual machine??
     
  10. genetix

    genetix Registered Member

    Joined:
    May 12, 2009
    Posts:
    7
    How exactly do you know this information when you cannot see below the system??


    Vista has no sort of installments as Windows 7. Vista was never this well monitored through CEIP as Windows 7 is. The RTM of 7 will have the exact same features when it comes to ~26 different executions of their diagnoses from Microsoft, where in Vista you got exactly 6. However, you can even use Vista, but Vista won't hide (so well) the connections from applications as Windows 7 does.

    Gladly we are not speaking of malicious code (yet). This is just the operating system's 'lovely' implemented spyware under Windows 7. However, as this sort of connection can be made, you can be very, very sure that this will come as a regular threat to the system sooner or later, in the form of malicious drivers or even at the service level, if I understand correctly where CEIP works.


    'netstat -ba' won't show you these connections. This is, as I said, completely hidden inside the system. As far as I have seen there is no other way of detecting these connections other than host-to-guest operating system, where the host machine sees exactly what is going on on the guest system.


    Of course the firewall is not policy-based. How would you see the connections made on policy-based? You need to have an 'Ask when connection is made' style firewall with IP/port.

    This is an incorrect statement. The servers listed are Akamai Technologies Inc. The servers connected come from the virtual machine (3 different virtual machines cannot simply use the same Microsoft gateways). So, that pretty much sums up the statement that it even could be the virtual machine itself. Even if it could be possible, this wouldn't happen under the condition of Debian Linux -> Windows 7 virtual machine and when the virtual machine is idle. (By the way, I also tested this through a link to a second computer as an ad-hoc network; the firewall on that computer still catches these connections being made while the guest firewall sees nothing.)



    That is the reason I assume they blocked most firewalls, because those would have exposed the connections to the public. Do you honestly understand that this kind of network interaction could send your entire hard drive through a net server without you knowing exactly duck... If the system can do this, why couldn't a 3rd-party driver do this, I wonder. I'm not too worried about MS stuff, but in general this is a serious threat to everyone and indeed a flaw in the firewall or Microsoft user policies (honestly not sure if this issue is because the operating system denies the firewall software from actually seeing the connections at its user levels OR, as the topic says, a RAW socket connection which would be undetectable by any means at the Winsock level).

    Why don't you check my instructions to replicate and then start bashing me with some nonsense?
     
    Last edited: May 14, 2009
  11. guest

    guest Guest

    CEIP? Are you talking about the Customer Experience Improvement Program?? On Vista, it is possible to disable it... And the traffic I saw from it was seen by ESS...

    I can say that there are no leaks because I monitored traffic at my gateway, so it is not on the system...

    In policy-based mode, my firewall is set to log all blocked traffic so this is how I see it!...

    I understand how it could be a serious problem but well... It is the beta so it might be better in the official version...

    Anyway, I don't think Microsoft could do this... There must be a way to disable all that...

    But I don't really understand how it works (the CEIP and all that stuff you talk about...) Do you have some links so I can read about it?
     
  12. guest

    guest Guest

    For raw sockets... For Vista, Microsoft said that since XP SP2 they disabled it... I don't know for Seven...
     
  13. guest

    guest Guest

    Here is what I found on the Microsoft website for CEIP in Vista:

    Default setting: By default, the Windows Customer Experience Improvement Program is turned off, but it displays a pop-up to a logged-on administrator no sooner than three days after someone first logs on. The pop-up asks the administrator whether he or she wants to participate in the program. The pop-up might be displayed once for each person who logs on to the computer, but it is not displayed repeatedly for a given administrator. The Windows Customer Experience Improvement Program remains turned off unless it is explicitly turned on.

    Could you capture the packets?? It might give an idea about what's really happening ....
     
  14. genetix

    genetix Registered Member

    Joined:
    May 12, 2009
    Posts:
    7
    Sorry, I don't have that expensive equipment on hand to do this and don't know any software capable of doing this. Point me the way to the correct software to capture process packets.

    Yes, CEIP as in Customer Improvement Program by MS, and yes, I know you would supposedly be able to disable CEIP via GPO or in the system registry. I just took it as an example here because I know it's hidden very, very well inside the system, but this does not kill the problem that it is able to get through the firewall even in complete Blocked mode, and it is no reason why other applications at driver level/service level couldn't make similar access.
     
  15. guest

    guest Guest

    Yeah... well... it is possible to do hidden network communications... but the OS and legitimate software should not do this....

    To capture the packets, you could use Wireshark... If it can't see the packets (who knows....)... install it on the host operating system.... and if this won't work, the only option is to use a hub... plug the computer into a hub, use another one on the same hub with Wireshark so that every packet sent by the Win7 computer is seen by Wireshark on the other....
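
The host-versus-guest comparison discussed in this thread (a capture taken outside the VM against the connection list taken inside it), as an added example that is not part of any post: it lists remote endpoints that appear as outbound connection attempts in a host-side `tcpdump -n` text capture but are absent from the guest's `netstat -ano` output. The guest address 10.0.2.15, the documentation-range remote addresses and both sample inputs are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: `tcpdump -n` text captured on the host side of the VM's NAT.
HOST_CAPTURE = """\
12:00:01.100000 IP 10.0.2.15.49160 > 203.0.113.10.443: Flags [S], seq 1, win 8192, length 0
12:00:01.200000 IP 203.0.113.10.443 > 10.0.2.15.49160: Flags [S.], seq 9, ack 2, win 8192, length 0
12:00:02.300000 IP 10.0.2.15.49161 > 198.51.100.7.80: Flags [S], seq 1, win 8192, length 0
12:00:05.000000 IP 10.0.2.15.49162 > 192.0.2.55.443: Flags [S], seq 1, win 8192, length 0
12:00:09.000000 IP 10.0.2.15.49163 > 192.0.2.55.443: Flags [S], seq 1, win 8192, length 0
"""

# Constructed sample: `netstat -ano` output taken inside the guest.
GUEST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    10.0.2.15:49160        203.0.113.10:443       ESTABLISHED     1234
  TCP    10.0.2.15:49161        198.51.100.7:80        TIME_WAIT       0
"""

GUEST_IP = "10.0.2.15"  # assumed guest address (constructed)

# A bare SYN ("[S]", not "[S.]") marks a new outbound connection attempt.
SYN = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")
NETSTAT = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)", re.M)

def host_outbound(capture, guest_ip):
    """Count outbound connection attempts per remote (ip, port) seen on the wire."""
    seen = Counter()
    for src, _sport, dst, dport in SYN.findall(capture):
        if src == guest_ip:
            seen[(dst, int(dport))] += 1
    return seen

def guest_remotes(netstat):
    """Remote endpoints the guest's own snapshot reports, ignoring listeners."""
    return {(ip, int(port)) for ip, port, state in NETSTAT.findall(netstat)
            if state != "LISTENING"}

def unseen_by_guest(capture, netstat, guest_ip=GUEST_IP):
    """Remote endpoints present in the host capture but absent from the guest view."""
    known = guest_remotes(netstat)
    return {ep: n for ep, n in host_outbound(capture, guest_ip).items() if ep not in known}

if __name__ == "__main__":
    for (ip, port), n in sorted(unseen_by_guest(HOST_CAPTURE, GUEST_NETSTAT).items()):
        print(f"{ip}:{port} seen {n}x in host capture, not in guest netstat")
```

Matching is done on the remote address and port only, because NAT can rewrite the guest's source address and port. `netstat` is a point-in-time snapshot, so a connection that opened and closed between snapshots also appears in this list; repeated snapshots or guest-side connection logging narrow that gap.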
     
  16. guest

    guest Guest

    What I mean is, well... it is always possible to do this if you write everything down to a device driver.... then you could hide connections.... but I always assumed that legitimate software wouldn't do this....

    Of course malicious software could... but if you get some, it is already too late....
     