Discussion in 'other firewalls' started by ultim, Oct 12, 2011.
The special exceptions is that in the behavioral shield or global exclusions?
Special Exceptions is part of TinyWall Firewall Settings. It allows internet connection to all Avast processes, except the two I listed.
I have been using TinyWall for some time and I like it. I do have one small problem with it. Every now and then I log in to Windows (Windows 7 64 bit) and it says something like "tiny wall service not running" and the interface will not work. If I reboot into my admin account I get a user account prompt and it does something and then it works. I guess it is installing an update.
I think I have this problem because I do not allow the UAC prompt with my normal limited user account.
1) Can I tweak TinyFW to always ask permission for NEW outbounds and so I designate the allow deny label?
2) To LnS users current & old. Does tinywall offer anything over & above my 'good ol' LooknStop win7x64?
I sometimes got the same and I allow UAC with my normal account. It has probably something to do with the antivirus (ultim mentioned that something like that happens if a hips is interfering), though I am not sure about that. I used KIS on the computers where it happened. At the moment it did not occur with KAV.
I find the 'Show connections' -window really helpful in allowing apps restricted.
I start an app and something related to that application is blocked there. I unblock them and open the Manage window, and have both windows open.
The apps unblocked are given unlimited access but as I can see like in this case with Java update that both javaw.exe and jucheck.exe need only outbound TCP 443 access. And if I get pissed off by that jucheck reminder, I then know to delete it from exceptions to be at peace.
An alternative approach would be I guess to change the Tinywall controller to 'Allow outgoing' to not get those kind of updaters into Application Exceptions at all.
No you cannot do that. You can whitelist them by the app window click or more difficult by the process or executable. Or use the Connections window approach I described in the previous post.
Deny is pretty much useless approach with Tinywall since all is denied by default unless allowed = whitelisted. It is an option though and you can make such rules too. It could be of use if you allow something and want to see it blocked and see what effects that might have without removing the rule from application exceptions.
Or if you are behind a router/hardware firewall you can also put Tinywall into Autolearn mode, which basically allows all and makes rules for the exes taking internet access while in the Autolearn mode. Just so you know, you are not having any kind of firewall protection from Windows firewall while you are in that mode.
Autolearn is not the same with Tinywall as with some 3rd party firewalls containing HIPS learning only for it. It is more dangerous since it concerns internet access to your computer and if you have some wireless public connection your Windows should be updated. It can be very useful though if you are behind some other protection to make things easy sometimes.
I had the same problem because I had the UAC at the MAX, so I went back to 'NORMAL' and TinyWall Icon is ok now..... I had to re-boot a couple of times to get it back
I am really impressed by your efforts ultim to give us a Windows firewall controller. This might be the most popular controller so far, andruds not free one being the second. And I think the other Sphinks one is not exactly as much using the Windows firewall as yours 2s.
For me the main incentive to stay away from HIPS firewalls like Comodo and Online Armor etc is that they put some kernel hooks that will many times cause troubles with Sandboxie, my most trusted internet security program of keeping my computer clean while surfing. Or even with antiviruses like Avast I am currently using.
And what to trust with 3rd party firewalls with their to make svchost.exe allowed wide? Even if it is not they never tell exactly. It is we never know our computers are exactly clean and some services running wanting to go out by that loophole.
So yours is such a welcome one that causes no conflicts to my Windows 7 system.
There is a bug in having a password set in TinyWall 2.1.4. It occurs at least in my normal limited right Windows 7 user account.
You should always keep the TW GUI locked!
If you unlock it, TW will autolock it after a while but it makes the GUI also lose the connection to the actual firewall control.
It does not show updated as locked and what I do is I 'Quit' it and reload it.
Takes only a few seconds, but if you don't know this bug of the GUI losing the connection to the controller it can be most misleading, when not knowing why the TW does not seem to be working.
The developer is looking into it, according to their reply to my post.
Yes, I did think someone had found that out before me.
Another thing I just found out, which sure is not new to many others. You should export the rules. My TinyWall needed a reinstall because it stopped working and of course all the rules were gone.
Yes, had that today and I doubt that it has something to do with a HIPS. Or does the Kaspersky AV also have a HIPS?
Have you seen this 'FontCache-System.dat' ? Hitman Pro found it and wiped out Tiny Wall for some reason Tiny Wall disappeared and I rebooted and still won't install. Just running on Win 7 firewall now. Other people said they had it and it messed up everything. I'm trying Avast Free now for the last few weeks....Finally got it going ok now.
I have ~FontCache-System.dat in "C:\Windows\ServiceProfiles\LocalService\AppData\Local", but Hitman Pro never detected it.
If you Google or Bing it (What is FontCache......) you will see others had these problems too. It was bad, knocked out your security, can't move your pointer, had to do a ctrl-alt-delete to end the horror
Well there are a lot of files associated with FontCache, I don't know why HitmanPro would find them unless they were modified (possibly malicious). Don't forget to Maintenance > Export Settings or make a disk image next time.
ultim I've been checking your TW rules with my limited knowledge from kerio 2.1.5 firewall.
Using this approach: https://www.wilderssecurity.com/showpost.php?p=2282142&postcount=13
So far DHCP and DNS seem just fine and are service limited, which was not possible with kerio 2.1.5. About ICMP filtering I don't know anything.
One possible tightening that should work if I remember right for Time sync. : your rule allows all local ports incoming for svchost.exe, W32Time-service from remote port 123 UDP protocol. Local port could be again if I remember right limited to also 123. But as the only service is W32Time that is maybe unnecessary.
Windows update is to all TCP remote ports svchost.exe, wuauserv-service. Again I don't know if limiting ports to what are actually needed brings any more protection as it is a service limited.
That's what I have checked so far. Network Discovery rules probably go over my head, but they are next to do.
Would be nice if there was a possibility to add/override these Special Exceptions. This is a nice firewall as it is though.
EDIT: I noticed you can make application exception being also a Windows service based and local and remote ports specific for TCP and UDP protocols so not much is in need for the Special Exceptions I did put into my wishlist. What is missing is the IP restrictions. Otherwise this is a very flexible firewall controller already.
ultim has vanished.
Here's what HitMan caught. Whatever it was, it made my security disabled, Tiny Wall was stopped/removed and my mouse died. Must have been a piggy back virus riding this......
That file should not be malicious unless it has been modified some way by malicious code. Hitman Pro detected that file on my machine about a month ago as suspicious, but I'm not really sure why. I checked it on Virus Total, and I did not get any hits. Right after that Hitman no longer detected it as suspicious. Is there anyone that does not have that file on their machine?
It would be interesting to know what the threat is if it is a threat. Try scanning it with Virus Total. Keep us posted.
I had an interesting experience a few minutes ago. It involves TinyWall and Sandboxie and Google Chrome updating (I found that out later). Well, I was also running a VPN internet connection, but that is not involved in it.
I sandboxed Firefox, ok. Then I tried to sandbox Chrome and there was no internet connection for it. I knew I had a rule for it, so what is wrong? Checked if the Chrome internet settings had changed, no. Tried again, same result, no internet connection. Remembered the TW connection window, opened it and tried again, and yes, I saw what was blocked. It was Chrome but the path was the sandboxed one. I could unblock it fine and sandboxed Chrome worked.
I deleted the sandbox and removed the rule for sandboxed path Chrome. And yes unsandboxed Chrome could use the old rule. But it showed having updated. So somehow TW was needing that pathed rule while Chrome was updating.
Now Chrome gets into the Sandboxie with the old original rule again just fine. That rule did not need any renewal even if Chrome updated, but was not recognized while Chrome was updating for the sandboxed instance.
This could have happened if TW had been set up for an average Joe / mom & pop and also their Chrome set to start only inside a sandbox, and would have caused a bit of a puzzle, for the updating time at least.
Well, I had Web Shield and Mail Shield stopped permanently for Avast; if they had been on, the browser would have piggybacked through that proxy just fine. And no trouble would have been maybe noticed.
Why do you even sandbox Chrome in the first place? Anyways, TinyWall needs a specific path to the executable, but not the same checksum in my experience. Why Chrome was sandboxed probably has something to do with it creating files when updating.
Sandboxie is one of the best inventions for keeping your computer clean in regards to internet surfing. It is not a privacy tool against most things in that report. You can of course clean the sandbox to hide your surfings but some logs will remain.
So the answer to your question is to keep my Chrome clean and to keep my windows system clean. What ever you install or what viruses/malware you get will stay contained inside that sandbox.
I did not know Chrome had a sandbox too so thank you for the information. It explains what happened. I'll still keep SBIEing it. To protect my system if not the Chrome itself. As you mentioned there, executing downloads and starting other apps from Chrome. They are covered with Sandboxie, not Chrome.
My TW rules don't need any sandboxed instance rules specially made. If ultim was here, he could maybe answer why. It puzzles me since I too would imagine those kind of rules to be needed. None of the firewalls I have lately dabbled with, Comodo, Zone alarm and Online Armor, need special Sandboxie rules for internet applications.
Edit: When you run sandboxed applications, Taskmanager or Process Explorer or TW Connections window will show real system paths for them. So it is some Ronen Tzur secret how he implements it.