Discussion in 'other firewalls' started by ultim, Oct 12, 2011.
Thanks, ronjor has already contacted me and seems to be handling the matter.
As I understand it to keep WFW running while running TW is perfectly safe in terms of function AND security. Do I have it right?
Version 3.0.2 out with a few minor improvements:
- Test for UWP support instead of OS-version checking
- Install hosts and database updates atomically
- Keep Windows Firewall settings as desired when enabled & changed externally
- Fix user GUI settings not migrated (effective starting with v3.0.3)
- Fix possible GUI crash when user selects Elevate
Yes, this also fixes the issue with the GUI settings getting lost on every update that I should have looked at long ago. Though, you'll only see that take effect on the next update, so you'll have to put up with the issue just one more time. No big or major issues till now with v3 that I know of, so things are looking really great and I should be enabling the auto-update for v2 users soon.
lol I was wondering when you were going to fix it.
Update from within TW says version 3.0.2 is available, but when clicking OK, it immediately pops up with "Download interrupted". I had the same issue once before (from 2.99.15 to 3.0.0, IIRC), but the previous update worked as it should from within TW. Not a big deal, as I can download it and install manually, but if I'm not alone in observing this, maybe it should be looked at?
Thx, it was a permission issue on the webserver, but fixed now.
Can you explain this change please?
If you use WFW with TinyWall, TinyWall normally makes two changes to it: it creates two rules, and disables WFW's notifications. 3.0.2 automatically and instantly reapplies these changes if another program or the user reverts them (for example, if TinyWall's rules in WFW are deleted, or another program enables notifications which sometimes happens, or if WFW is reset etc.).
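An added example, not TinyWall's own code, of how an administrator could check for the two kinds of drift described above (notifications switched back on, TinyWall's rules removed or disabled) and re-apply the notification setting. It assumes an elevated PowerShell session with the NetSecurity module; the two rule display names are placeholders, since the real names are not given in the post.

```powershell
# Added example (not TinyWall's code): drift check for the Windows Firewall
# settings the post says TinyWall manages. Rule names are placeholders.
$RuleNames = @('TinyWall-Rule-1-PLACEHOLDER', 'TinyWall-Rule-2-PLACEHOLDER')

function Test-WfwDrift {
    $drift = @()
    # TinyWall disables WFW's "notify on listen" pop-ups; another program
    # or a firewall reset may switch them back on for any profile.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.NotifyOnListen -eq 'True') {
            $drift += "Profile '$($p.Name)': NotifyOnListen re-enabled"
        }
    }
    # Each expected rule must still exist and be enabled.
    foreach ($name in $RuleNames) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) {
            $drift += "Rule '$name' missing"
        } elseif ($rule.Enabled -ne 'True') {
            $drift += "Rule '$name' disabled"
        }
    }
    return $drift
}

function Repair-WfwDrift {
    # Only the notification setting is re-applied here; the rules' contents
    # are not known in this example, so recreating them is left to TinyWall.
    Set-NetFirewallProfile -All -NotifyOnListen False
}

$findings = Test-WfwDrift
if ($findings.Count -eq 0) {
    Write-Output 'No drift: notifications off, expected rules present.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Repair-WfwDrift
}
```

Running it on a schedule gives a log of when and how often other software reverts these settings, which is the situation the 3.0.2 change is meant to handle automatically.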
Congrats to ultim, TW v3 really seems to be quite awesome. When I switch to Win 10, control of UWP apps will come in handy. BTW, I don't know if you have already answered this, but what exactly is "raw network traffic", and what type of apps would make use of this?
Short and simplified, raw sockets allow an application to skip the automatic TCP/UDP encapsulation by the OS and to send (almost) completely custom IP data. It also allows an application to eavesdrop on ("sniff") all incoming IP packets on the computer. Normally only research projects or network debug/diagnosis applications use raw sockets... and some malware.
Does this little ditty have a learning mode when installed? thanks
3.0.3 - Maintenance release (01.04.2020.)
- Fix potential GUI crash during whitelisting in error case
- Fix potential GUI crash due to race while GUI is closing
- Fix tray icon sometimes wrongly showing Unknown state after a fresh boot
I can't seem to be able to download it from the web page. Is anyone else experiencing the same problem?
Yes, you can put it in learning mode.
Also, please keep in mind the following FAQ entry if using the learning mode:
OK thanks, but can these apps and malware do this without modifying anything? With that I mean, do they first have to inject code, or make modifications to the registry or install a driver?
They can do this without modifying anything on your system. They don't need to install drivers, change settings, inject code, or anything like that. The only thing needed is to run under elevated privileges (how they achieve elevation is another question, but with some luck the user can be tricked into a UAC prompt, in which case it is very easy).
OK thanks. Strangely enough I couldn't really find much info about raw sockets being used by malware. I did read that the use of raw sockets has been restricted by the Win OS, but perhaps this is not what we're talking about. BTW, can it be true that TinyWall makes use of system processes like WmiPrvSE.exe and WmiApSrv.exe? Because it seems like they have become more active on my system.
A search on Google for "malware raw socket" delivers plenty of evidence even on the first results page, from Kaspersky classifying raw sockets as malicious in general, to a book mentioning malware using raw sockets, or an article describing the Linux malware "Chaos" as using raw sockets (if there's malware using this technique for Linux, you can be sure there are 100 others doing the same for Windows).
Yes, TinyWall v3.0 uses WMI primarily to monitor process start events. I can implement an optimization for 3.0.4 where this is disabled if no firewall exceptions are using the associated feature, if you'd prefer that, but I personally don't find WMI usage to be alarming: my computer is 6 years old and Process Explorer shows both WmiApSrv and WmiPrvSE as having "<0.01" % CPU usage almost constantly. Do you have a different experience?
Yes but as you can see, it's not a clear example of malware using this on Windows. Perhaps I need to search better.
No, I haven't got any problem with it, but it's a bit new to me; you would think that a third-party firewall can do this without using any system process. But not a big deal I guess, in terms of resource usage.
I think part of the reason is because malware is often described publicly by what it does, and much less often by how it does it. There is lots of documentation (1, 2, 3, 4, 5, ...) of malware doing sniffing attacks, or packet sniffing; I'm sure that is not new to anybody. Using raw sockets is just one specific way out of many (and probably the easiest, as it doesn't require code injection or the installation of drivers) to do this. But you'll only read at most that something is doing packet sniffing, and not that it is using raw sockets to achieve it, even when it does.
With the accelerated spread of encryption in recent years (thanks to many security campaigns, to the death of FTP, to free certificates from Let's Encrypt, and to browsers and search engines disfavoring unencrypted connections), packet sniffers are probably less useful today than they were some years ago, but certainly present.