Why can't a firewall block all the connections of a program?

Discussion in 'other firewalls' started by mantra, Jun 20, 2018.

  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,513
    Hi,
    I have tried several firewalls, but I can't understand why a firewall can't block all the outgoing connections of a program.

    A classic example is a program that calls home, where the only way to block the program is to edit the hosts file.

    Is there a program that can detect such programs, the ones that can be blocked only by editing the hosts file?

    Thanks
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,168
    Location:
    Canada
    This makes no sense. If you are blocking all outbound connections to the program, then this should work.
     
  3. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,513
    Hi,
    I agree, but I wanted to block a program with the firewall, and it still calls home.
    I added some lines to the hosts file and was able to block it 100%.
    It was just a test.
    Is there a program that lets me find out which domains to add to the hosts file?
    NetworkTrafficView or HTTPNetworkSniffer
    Thanks
     
    Last edited: Jun 20, 2018
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,588
    Those are?
    Which rules?
    Never heard of such issues; it seems the problem sits in front, in a chair - several CAN'T fail this way.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,168
    Location:
    Canada
    Maybe it's attempting to call home, but the firewall is still likely blocking its outbound connection attempts. Any reputable software firewall or Windows firewall set to block all outbound attempts by default should block any application from establishing a remote network connection. You may have to ensure the application in question isn't in the firewall's allowed list.

    You could try Sysinternals' TCPView to see if the application really does establish an endpoint connection remotely.

    https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
     
  6. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,513
    Hi,
    The classic example is Photoshop CC or Lightroom CC (I pay the subscription for them): you can block them via the firewall, but they still communicate.
    If you block them via the hosts file, they stop communicating, for example with
    Code:
    activate.adobe.com
    Thanks
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,230
    Location:
    Slovenia
    How do you know that they still communicate with their servers? What are the indications?
    Did you block the appropriate process from accessing the internet?
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    889
    I think this is the answer.
    These programs use a special process for licensing purposes; they purposely don't make it obvious which process is doing the check.
     
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,523
    Location:
    Europe then Asia
    Why would you do that? You never update them?
     
  10. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,513
    Hi,
    Well no, I updated them.
    It was just an example, that's all.
    But can you tell me why they bypass the firewall?
    And how can I monitor these programs?
    Thanks
     
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,523
    Location:
    Europe then Asia
    1- What firewall?
    2- many possible reasons:
    - the application is whitelisted, the application uses a Windows process, etc...
     
  12. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,513
    Hi,
    I have tried, on a virtual machine, Outpost (I know it's outdated), Comodo, SpyShelter Firewall and the ESET firewall,
    but in all cases these programs bypass the firewall and they are not in the whitelist.
    Is there a tool that lets me track such programs?
    Thanks
     
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,523
    Location:
    Europe then Asia
    Any network monitor: TCPView, Process Hacker, Comodo Killswitch, etc...

    btw, what program is connecting out?
     
  14. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,513
    Hi,
    But I mean maybe a program that can use a filter so I can narrow down to specific programs; I can't create a filter in TCPView and Process Hacker.

    Another program is SyncBackPro v8.5.

    I'm not concerned about them because I paid for/bought them, but other software?
    I would like to run them in a virtual machine and find a tool to log them.
    Thanks
     
    Last edited: Jun 21, 2018
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,588
    That line in hosts is "strange" for software you use. Same for SyncBack - it has reasons to connect to its home server. If you don't like it - uninstall. I'm out.
     
  16. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    343
    Location:
    united kingdom
    To identify which programs are connecting out I would use something like Simple Wall Firewall (https://www.henrypp.org/product/simplewall).
    It's free and doesn't require installation, just Admin rights.
    If you set it to Whitelist mode it will not allow anything to connect out until you give it permission to do so. Simply start your Adobe app and then wait for the notification popup window to appear with details of the Adobe-related application that wants Internet access.

    If it's not obvious from the popups which application is trying to connect to activation.adobe.com, you could make identification easier by creating a hosts entry for that host name with a made-up IP address. E.g.
    Code:
    99.99.99.99 activation.adobe.com 
    Then when you see a firewall notification popup with a destination ip address of 99.99.99.99 you know you have the right application.
    Hope this helps.
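
The sentinel-address idea in the post above also works on saved command output instead of firewall popups. This is an added example, not part of the original thread: it parses `netstat -ano` and `tasklist /svc /fo csv` text and names the process, plus any Windows services hosted in it, that has a TCP row to 99.99.99.99. The sample output and the process and service names in it are constructed.

```python
import csv
import io

SENTINEL_IP = "99.99.99.99"  # made-up address from the hosts entry above

# Constructed `netstat -ano` / `tasklist /svc /fo csv` output; names are hypothetical.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49700     203.0.113.20:443       ESTABLISHED     2280
  TCP    192.168.1.10:49712     99.99.99.99:443        SYN_SENT        4312
  UDP    0.0.0.0:5353           *:*                                    1788
"""
TASKLIST_SAMPLE = '''\
"Image Name","PID","Services"
"svchost.exe","1788","Dnscache"
"browser.exe","2280","N/A"
"ExampleLicenseSvc.exe","4312","ExampleLicenseService"
'''

def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank lines, UDP rows (no state column)
        ip, _, port = parts[2].rpartition(":")
        yield ip.strip("[]"), int(port), parts[3], int(parts[4])

def parse_tasklist(text):
    """Map PID -> (image name, list of services hosted in that process)."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        svcs = [] if row["Services"] == "N/A" else row["Services"].split(",")
        procs[int(row["PID"])] = (row["Image Name"], svcs)
    return procs

def who_hit_sentinel(netstat_text, tasklist_text, sentinel=SENTINEL_IP):
    """Return one record per process with a TCP row to the sentinel IP."""
    procs, hits = parse_tasklist(tasklist_text), {}
    for ip, port, state, pid in parse_netstat(netstat_text):
        if ip != sentinel:
            continue
        image, svcs = procs.get(pid, ("<unknown>", []))
        rec = hits.setdefault(pid, {"pid": pid, "image": image,
                                    "services": svcs, "remote": set()})
        rec["remote"].add((port, state))
    return list(hits.values())

if __name__ == "__main__":
    print(who_hit_sentinel(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

The match is on the remote address in any TCP state, so a connection attempt that never completes is still attributed to its PID.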
     
  17. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,513
    @Brummelchen
    Yes, I know there is a reason: the program needs to connect to check if it's legit.
    I bought it and there is nothing in my hosts file, and I set the firewall to allow everything for SyncBackPro.

    The point is another one: my question is why did and does my firewall not block them?
    I'm worried about other programs. I have a few programs installed (all legit) and many freeware ones (some of them are portable); about them, how can I see what they are doing?

    @askmark
    Hi,
    But does Simple Wall Firewall catch such programs?
    Do you know why SpyShelter Firewall/ESET firewall doesn't catch such requests?
    Thanks
     
  18. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    6,519
    By default, ESET's firewall, as with most firewalls these days, will automatically allow many trusted connections. However, you can configure its firewall to run in Interactive Mode, if you want to be alerted for every single connection.
    https://support.eset.com/kb3190/?locale=en_US&viewlocale=en_US
     
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,708
    Location:
    Poland - Cracow
    Simplefirewall should block this if it works in "Allow whitelisted" mode. What about SpyShelter? Its reaction depends on the established level of protection and, through that, on the way it uses its huge built-in base of trusted publishers/vendors. That list is not visible or accessible to the user... the user can create their own list of trusted ones (command in "Settings"). In your case Adobe is perhaps marked as trusted, so some actions aren't monitored, including creating a connection/port listening. If you try setting the level to "ask user" you'll probably get an alert.
     
  20. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    341
    Location:
    router
    Try Simplefirewall or NetPeeker (I think this is what you want).
    SpyShelter firewall doesn't catch services yet.
     
  21. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,513
    Hi @co22
    In short, only Simplefirewall & NetPeeker can catch them, can't they?
    All the other firewalls fail, I mean they can't catch services.
    By Simplefirewall do you mean simplewall?
    Have you found freeware programs that use a Windows service to send data?
    Thank you so much, I appreciate it a lot.
     
  22. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    341
    Location:
    router
    Hi @mantra
    Yes, I mean simplewall. Sorry.
    NetPeeker can catch every connection: if it's an IP then it shows it as an IP,
    if it has a URL then it shows the URL.
    simplewall shows just the IP.
    I haven't tested all the other firewalls; I just know SpyShelter cannot do it right now (maybe it will get fixed),
    but for sure simplewall & NetPeeker can catch anything and pop up for every connection.
    Find an older version of Malwarebytes Anti-Exploit, then let it check for updates:
    SpyShelter can't catch the connection and prompt you.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,475
    Location:
    U.S.A.
    Both the Windows and Eset firewall will allow rule creation for individual services.
     
  24. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    497
    WFC could do this outbound blocking very well as a free tool. The logging feature will also help you. There may be a window of opportunity for some .exe to call home during the boot process though; you should turn off DNS cache in this case.
    You can also use and tweak Jetico Firewall 2 free with W7 and XP.
     
  25. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,018
    Location:
    Slovakia
    You should use LiveTcpUdpWatch; it logs all the traffic, unlike TCPView or ProcessHacker, which log only established connections.
    Code:
    https://nirsoft.net/utils/live_tcp_udp_watch.html
    If you use DNS Cache, then all DNS requests are allowed (since svchost.exe is) and some software considers DNS a successful connection.

    In case the process hijacks other processes to connect, you have to use ZoneAlarm or Comodo, which have HIPS capabilities and are able to catch parent processes.
     