Discussion in 'other firewalls' started by alexandrud, May 20, 2013.
No way to keep this order.
Svchost Question: I have turned off the Time Service, Windows Update and Background Intelligent Transfer Service, yet I still cannot access the web with svchost blocked. I am thinking this is due to WFC needing Windows Firewall. Is there a way to run WFC with svchost blocked?
Once you have all your rules in order, export a partial policy file which will contain your rules in XML format. You can also edit this file and then reimport it. Now your rules will be in the order they are in the XML file. But, I wouldn't bother with this kind of stuff.
This has nothing to do with WFC. You need svchost.exe for basic networking purposes. If you block svchost.exe, then you will have connectivity issues. Check the WFC recommended rules. There are a few svchost.exe rules which are mandatory to be able to access the Internet. This is Windows stuff, not WFC stuff.
@alexandrud....OK, thanks. I was thinking that I could block it with the old Outpost and still get online. Maybe not. Also, I blocked it with WFC not so long ago and I was able to surf for a while. Then I wasn't.
To access the Internet, you must have an enabling rule for svchost (DNS, remote port 53), or instead, individual enabling DNS rules for each program that goes to the Internet (browser, e-mail client).
@Rainwalker - You can block everything but this:
Core Networking - DNS (UDP-Out) Core Networking All Yes Allow %SystemRoot%\system32\svchost.exe Any Any UDP Any 53 Any
Do not allow the software that can be hijacked that easily? Windows Firewall rules are applied on a per-path basis, not a per-process basis, so nothing can be done regarding this matter.
Those sneaky programs... From my point of view, you should enable outbound filtering and create a few allow rules for the programs that you actually want to be allowed to connect to the Internet. Now, if you trust a piece of software, just allow it, through the main process or through child processes; after all, you trust this software. For the others, just keep them blocked entirely. Nothing is perfect. Regarding Adobe Acrobat, if it has no allow rules, then it won't connect.
You know that your complaints are about Windows Firewall, created by Microsoft, not about WFC, which is not a firewall by itself? Of course you know it. You also might have heard that WFC is no longer mine and that it has another owner. Who wouldn't know this?
Anyway, you are presenting a false problem. Let me tell you why. Let's say you have a security software that uses multiple modules to connect to the Internet. You would like to allow its updater to be able to download definition files, but you don't like the same software to send telemetry data from other modules. If I were the developer of it, I would put a method to send telemetry data from the same update module, since my processes can communicate between them locally anyway. Then, if you allow the updater, you also allow the telemetry. The communication would be encrypted and you wouldn't notice if the updater module connects to check for updates or to send telemetry. The connecting module is just one, while the requests can be done by any of the modules and the communications will appear only for the updater module. You allow the updater, you allow everything. You block the updater, you block everything.
The same applies for parent-child processes. The parent process (blocked in the firewall) calls a method from the child process (allowed in the firewall). Child process will trigger a connection and you wouldn't know if the source of this was the child process or the parent process, but in the firewall, the connection is made by the child process.
This is how I see this "problem". If I am wrong, then please correct me.
Then why don't you simply apply strict rules to those and other child processes by tying them to specific port(s), IP address(es) and protocol? Ensure that Adobe, for example, can only connect to Adobe remote servers and nothing else.
Sure, but now you're asking for a firewall with a built-in HIPS. That's not what WFC is nor was meant to be. If you apply specific restrictions as I mentioned above to common processes used as child processes by other parent processes, then you will successfully limit how the latter can use telemetry connections.
I think you are comparing apples with tomatoes here. Windows Firewall is not a HIPS firewall. And why is WFC in this discussion anyway?
PCT Firewall just announced that a process launched another process. Nothing fancy here, just typical useless HIPS pop-ups. Again, I think you are presenting a false problem here. Programs use multiple dlls/executable files for different purposes. Instead of executing one large exe file that has 300MB, the software has the code spread over multiple assemblies with specific functionality. If it needs to update something, it launches a child process for this purpose. If you need a specific functionality it may launch another child process on request. This is good for the overall performance because you don't have the entire software loaded in memory. The request is "genuine", it is the same software, the same publisher, it just has the code in a different module. How does it make you feel better or more secure to know whether an update was triggered from the main exe or from the updater exe? Why should you care? For large projects you just can't have all the code in the main exe. There is really no problem in having a process that launches other child processes on demand.
In the notifications dialog you can see the process ID and the parent process id and the name of the parent process, if this is so important. However, this shows only which is the parent process which launched the child process. You can't know how they communicate between them as there are several technologies for inter process communications which are out of the scope of filtering of a firewall.
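To make the point of the two posts above concrete (and the later remark about watching connections in TCPView), here is an added example that is not from the thread or from WFC: a PowerShell snippet for Windows 8 / Server 2012 and later that lists established outbound TCP connections with the owning process, its image path and its parent process, using Get-NetTCPConnection and the CIM process table. The image path of the owning process is the only thing a per-path firewall rule can match on; the parent is recoverable only by walking the process tree afterwards, and how the parent asked the child to connect is not visible at all. The function name and the exclusion list are assumptions for illustration.

```powershell
# Added example: attribute outbound TCP connections to the owning process and
# its parent. Windows 8 / Server 2012 or later (NetTCPIP module, CIM cmdlets).
# Without elevation you only see your own processes; run elevated to see all.

function Get-OutboundOwner {
    [CmdletBinding()]
    param(
        # Loopback, unspecified and link-local peers are noise for this purpose
        # (assumed defaults; adjust to taste).
        [string[]] $ExcludeRemote = @('127.', '::1', '0.0.0.0', '::', '169.254.')
    )

    # Snapshot the process table once. PIDs are recycled, so every lookup
    # below is resolved against the same snapshot.
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object {
            $r = $_.RemoteAddress
            -not ($ExcludeRemote | Where-Object { $r.StartsWith($_) })
        } |
        ForEach-Object {
            $owner  = $procs[[int]$_.OwningProcess]
            $parent = $null
            if ($owner) { $parent = $procs[[int]$owner.ParentProcessId] }

            # This path is what a per-path Windows Firewall rule matches on.
            $ownerPath = '<exited>'
            if ($owner) { $ownerPath = $owner.ExecutablePath }

            # The parent may have exited, or its PID may already have been
            # reused by an unrelated process: treat this as a hint, not proof.
            $parentPath = '<unknown>'
            if ($parent) { $parentPath = $parent.ExecutablePath }

            [pscustomobject]@{
                Remote     = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                OwnerPid   = $_.OwningProcess
                OwnerPath  = $ownerPath
                ParentPid  = if ($owner) { $owner.ParentProcessId } else { $null }
                ParentPath = $parentPath
            }
        }
}

# Usage: one row per established outbound connection, grouped by image path.
Get-OutboundOwner | Sort-Object OwnerPath | Format-Table -AutoSize
```

Run it while a program is connecting and compare the OwnerPath column with the program shown in the WFC notification: they agree because both come from the same socket ownership data. The ParentPath column is the extra information the notification dialog shows; everything beyond that (COM, named pipes, RPC between the two processes) happens below the firewall's field of view.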
In your example, the command would be "malicious.exe is executing IExplorer.exe to connect to 22.214.171.124".
IE is not malicious by itself, it is even whitelisted, however the website IE will connect to may be.
This can be blocked, but not by WFC, WFC doesn't monitor process hijacking, but an HIPS/BB/anti-exe would.
WFC only prompts for outgoing connections from unknown processes/programs.
WFC would prevent a connection made directly by the malware, like "malicious.exe is trying to connect to 126.96.36.199".
You are confusing the firewall's purpose with a HIPS/BB's purpose.
WFC isn't a firewall, it is an outgoing connection monitor sitting on top of Windows Firewall. Windows Firewall is the firewall.
By default Windows Firewall allows all outgoing connections (whatever the program), so WFC was made to notify and give the user a way to allow/block certain programs' access to the internet on the fly, not to prevent malware from using a legit program to call home.
Some users like me don't want a 3rd party firewall eating resources and screwing up my system; I'm fine with Windows Firewall.
This is a HIPS/BB mechanism.
This is an HIPS-like mechanism integrated in a Firewall, like comodo firewall or spyshelter firewall.
You are comparing Windows Firewall with an HIPS-firewall.
We all know the limitations/features of Windows Firewall. Complaining here about missing features of Windows Firewall has nothing to do with this topic which is about WFC.
PCTools FW (but also Comodo or ZoneAlarm) uses its own driver, WFC doesn't, so you can't ask @alexandrud to implement such a feature.
If you want more control, just install another FW that better suits your needs.
I have anti-exe and SRP to prevent malware from abusing other processes, so no process (legit or malicious) can even execute on my system unless I personally whitelisted it.
I have Windows Firewall set to block all outgoing connections which don't have an existing rule (allowed by myself); I use WFC just to create rules faster than if I did it manually.
so no, nothing goes behind my back.
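The setup described in the post just above (default-deny outbound, explicit allow rules created by hand) and the minimal svchost.exe DNS rule quoted earlier in the thread can be built without WFC at all. The following is an added example, not from the thread or from WFC, using the built-in NetSecurity PowerShell cmdlets available on Windows 8 / Server 2012 and later. Rule display names, the browser path and the resolver addresses are assumptions for illustration; substitute your own.

```powershell
# Added example: default-deny outbound policy with a narrow svchost.exe DNS
# rule and one allow rule per trusted program. Run from an elevated prompt on
# Windows 8 / Server 2012 or later. Names, paths and resolver addresses are
# illustrative assumptions, not values taken from the thread.

#Requires -RunAsAdministrator

# 1. Block every outbound connection that matches no allow rule, on all
#    profiles. This is the "block all outgoing without a rule" setting the
#    post above describes.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow DNS from svchost.exe only: UDP, remote port 53, and only to the
#    resolvers you actually use (RFC 5737 documentation addresses here).
#    -Service Dnscache narrows the rule to the DNS Client service inside that
#    svchost instance instead of every service svchost.exe hosts.
$resolvers = @('192.0.2.53', '198.51.100.53')   # assumed; replace with yours
New-NetFirewallRule -DisplayName 'Strict - svchost DNS (UDP-Out)' `
    -Group 'Strict outbound' -Direction Outbound -Action Allow -Profile Any `
    -Program '%SystemRoot%\system32\svchost.exe' -Service Dnscache `
    -Protocol UDP -RemotePort 53 -RemoteAddress $resolvers

# Caveat: when a UDP answer is truncated (TC bit set, e.g. large DNSSEC or
# TXT responses) the resolver retries over TCP 53. Without this rule those
# lookups fail silently, which looks exactly like "DNS works, then it doesn't".
New-NetFirewallRule -DisplayName 'Strict - svchost DNS (TCP-Out)' `
    -Group 'Strict outbound' -Direction Outbound -Action Allow -Profile Any `
    -Program '%SystemRoot%\system32\svchost.exe' -Service Dnscache `
    -Protocol TCP -RemotePort 53 -RemoteAddress $resolvers

# 3. One allow rule per program you trust, pinned to the ports it needs.
#    The browser path is an assumption; adjust it to your installation.
New-NetFirewallRule -DisplayName 'Strict - browser HTTP/HTTPS (TCP-Out)' `
    -Group 'Strict outbound' -Direction Outbound -Action Allow -Profile Any `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' `
    -Protocol TCP -RemotePort 80,443

# 4. Verify the policy: every profile default-denies outbound, and the list
#    of programs with an enabled outbound allow rule is the one you expect.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program -Unique

# 5. Functional check: resolution still works through the allowed path.
Resolve-DnsName -Name example.com -Type A
```

Two things worth knowing before relying on this. The rules match the image path of the process that owns the socket, which is exactly the limitation discussed earlier in the thread: anything svchost.exe hosts under the Dnscache service can use the DNS rule, and any program launched by a blocked parent is judged by its own path. And the verification step in 4 is the audit to repeat after installing software, since many installers add their own outbound allow rules that quietly widen the policy.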
If you wait for your firewall to warn you about malicious actions, it is already too late; you'd better reformat your system...
HIPS is the solution to your problem. Use a firewall that has a HIPS (COMODO, Outpost), or firewall + a separate HIPS (anti-exe).
All right, thank you for letting us know. We will pay more attention now that we are aware of how things are going on.
No complaints on this end and certainly no issues to toot about either. It's percolating along silent as a mouse until a traveler out triggers the alert box with options. Nothing fancy, just dependable each and every time on this end for what it was intended.
Are you sure you did not have any "traveler out" which did not trigger any alert?
With his security setup? No way (read his signature). If you don't see why, then you need to spend more time here.
Agree. I'm still with 188.8.131.52 though, waiting till the install/upgrade problems are solved with the latest version.
What install/upgrade problems?
posts 4446, 4449, 4469, 4487. That's as far as I looked, but it seems like the update process is not as smooth as it could be.
btw, I don't mind the telemetry, it happens in most main security programs like Appguard, HMPA & Sandboxie paid (they make licensing connections & possibly gather a bit of info on client - who knows for sure).
What I really don't like are these persistent cloud connections. Eset recently did something that causes constant connections, even after I have disabled anything that resembles cloud protection. (I keep TCPView running constantly to monitor my connections.) Using Windows Defender now.