Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Thank you my friend!
     
  2. wat0114

    wat0114 Guest

    Is the localhost rule even needed? It should be allowed by default.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
What do you mean by allowed by default? Allowed by Windows Firewall? I guess that will depend on whether or not the avast! installation process automatically creates the inbound rules, like what happens with AVG.

    Or am I misunderstanding you?
     
  4. wat0114

    wat0114 Guest

    I think allowed by Win fw by default. I say this because I don't have any localhost rules created for any applications. Maybe Avast! does need it, though, for its proxy-like Internet filtering? I've never used it so I can't lay claim to anything.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh, that.

    I don't have any localhost rules created either. Those rules were created reflecting more or less what was created by Outpost Firewall PRO. I was only testing stuff back then.

But, yes, now that you mention it, localhost access is allowed. I just wanted to cover every scenario possible to help Rilla, and it wouldn't hurt to have it just in case. :)

    You can easily verify that localhost is allowed; just open TCPView or other, browse for a while and you'll see connections to localhost.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What rules do you have for Adobe Reader to update? I got two that are needed and one more just in case:

    ReaderUpdater.exe; Remote Port: 80; Remote Address: Any
    AdobeARM.exe; Remote Port: 80; Remote Address: Any

    Adobe_Updater.exe; Remote Port: 80; Remote Address: Any

The problem is that when I manually check for updates it detects new updates are available, I press download, the download box disappears and an icon shows in the tray bar. No problems with this; the problem is that the icon shows text saying it's downloading, but it never seems to end, and looking at TCPView, I see that AdobeARM.exe is showing a UDP connection to Remote Address * and Remote Port *. No bytes or packets seem to be transferred. This UDP connection is not for DNS, otherwise it would communicate with the DNS IPs.

    I have a rule for TCP (besides the one for DNS).

    In Event Viewer there's this outbound traffic being constantly blocked:

    Process ID: 1208
    Application name: \device\harddiskvolume2\windows\system32\svchost.exe

    Remote address: 92.122.208.152
    Remote port: 80

    Does Adobe Reader update via Windows Update (svchost.exe)?

Even if it does, it should run just fine, because I have 92.122.208.0/22 already allowed; but, somehow, it is being blocked.

    I can't see any other process related, somehow, to Adobe Reader being blocked, or even starting when I'm monitoring both TCPView and Process Explorer.
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Hi Moonblood,

    I finally got some useful info from avast forum quoted here:

    "In looking at my FW, the Avast related services that need to open for in/outbound for Avast to work is: AvastSvc.exe, avastUI.exe, and aswRdr.sys."

    and here:

    "Port 12080, is a localhost port and that is where the web shield redirects port 80 traffic, so you have a circular redirection, which is likely to go round and round until it disappears up its own backside."

    I had 12080 as a remote port not local. Thanks for trying to help me.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do not use Adobe Reader, but believe that it can/does use svchost->BITS for updates.

    - Stem
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ Stem

    That was my thought, after all many svchost connections were being blocked. But, it's actually better to just check for updates and then manually download and apply them. :)

    @ all

This IP block is needed for Windows Update: 128.241.0.0/16. Today, Windows Update was failing for MSE on a family member's system and IPs from this block were being blocked.

    http://www.dshield.org/ipinfo.html?ip=128.241.220.112
     
  10. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
I wonder if these IPs for updates are region/area specific? I'm not seeing that range on the radar yet. I'm trying to keep mine at a minimum for updates etc., which has proven to be a challenge. I'm always amazed at some of these blocked addresses I get that are supposedly MS. If I feel confident about them being legit, I'll make an allow rule for them, only to find out the next time it bounces to a different IP.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No idea, but I'm not from US, so... I'd say not? Most likely, at some parts some users will update via xxx.xxx.xxx.xxx IP and in other part via xxx.xxx.xxx.xxy IP so that updates won't get stuck.

    Yes, Microsoft does seem to enjoy bouncing a lot regarding their IPs, for Windows Update, at least.
     
  12. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
Although there is a regional element to the update process, the reason for the range of addresses used is more one of security.

    There is a useful article http://technet.microsoft.com/en-us/library/cc708605(WS.10).aspx that explains what needs to be configured to allow updates to a WSUS server behind a firewall. These addresses are also used for personal updates.

In addition to the MS servers you will almost certainly have to add an AKAMAI block, as failing to do so can prevent the updates (AKAMAI host MS servers). Personally, I only add one block for AKAMAI and it seems to work well enough, although the block ranges do change quite frequently and you may need to adapt your range to suit.

    My Blocks, which correlate to the servers above:

    Code:
    MS
    213.199.144.0 - 213.199.159.255
    65.52.0.0 - 64.55.255.255
    207.46.0.0 - 207.46.255.255
    64.4.0.0 - 64.4.63.255 (hotmail so may not be needed for you) 
    94.245.64.0 - 94.245.125.255
    213.199.160.0 - 213.199.191.255
    
    AKAMAI
    92.123.68.0 - 92.123.71.255
    
     
    Last edited: Nov 22, 2010
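The puzzle a few posts up (svchost.exe blocked reaching 92.122.208.152 even though 92.122.208.0/22 is allowed) and the range lists above both come down to one check: is a blocked remote address actually inside one of the allowed ranges? The Python below is an added example, not anything posted in this thread; it accepts both notations used here (CIDR and "first - last" pairs), skips label lines, flags a pair whose end precedes its start instead of silently dropping it, and matches the "Remote address:" values from constructed Event Viewer entries against the list. If an address is covered, the block is coming from the rule's other conditions (program, protocol, profile), not from its address scope.

```python
import ipaddress
import re

# Constructed allow-list in the two notations used in this thread:
# CIDR ("92.122.208.0/22") and "first - last" pairs; label lines are skipped.
ALLOWED_RANGES = """
MS
92.122.208.0/22
128.241.0.0/16
213.199.144.0 - 213.199.159.255
AKAMAI
92.123.68.0 - 92.123.71.255
"""

# Constructed drop entries in the Event Viewer layout quoted in the thread.
BLOCKED_EVENTS = r"""
Application name: \device\harddiskvolume2\windows\system32\svchost.exe
Remote address: 92.122.208.152
Application name: System
Remote address: 95.25.148.35
"""

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")

def parse_ranges(text):
    """Return (networks, bad_lines); a 'first - last' pair whose end precedes
    its start (a typo) is reported in bad_lines rather than silently dropped."""
    networks, bad = [], []
    for raw in text.splitlines():
        line = raw.split("(")[0].strip()          # drop a trailing "(comment)"
        pair = RANGE_RE.match(line)
        try:
            if pair:
                first, last = (ipaddress.ip_address(p) for p in pair.groups())
                if last < first:
                    raise ValueError("end before start")
                networks.extend(ipaddress.summarize_address_range(first, last))
            elif "/" in line:
                networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return networks, bad

def blocked_addresses(text):
    """Pull the 'Remote address:' values out of the audit entries."""
    return [ipaddress.ip_address(a) for a in re.findall(r"Remote address:\s*([\d.]+)", text)]

def classify(addresses, networks):
    """Map each blocked address to the allow range covering it, or None."""
    return {str(a): next((str(n) for n in networks if a in n), None) for a in addresses}
```

Feed it the real list and the "Remote address" values from the blocked-connection events; anything that comes back as None is an address the list genuinely does not cover.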
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Is anyone running AVG AV 2011 Paid version? Would you mind telling me what rules you got? A family member was offered this security app, and I cannot, in these days to come, test it by myself in a virtual machine, and there is no AVG info regarding what ports need access.

    I could only find this:

    Some processes do not need Internet access like avgtray.exe and avgui.exe; what for?

    Care to share? :)

    -Edit-

    Never mind, my relative made a mistake; it's avast! :D
     
    Last edited: Nov 25, 2010
  14. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    My windows firewall does not let me know when something is blocked even though I have the box checked.

    Is there a tweak I can apply to fix this?
     
  15. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    The notifications are only effective for inbound rules. From the help guide:

    There is a method described earlier in the thread to configure for outbound notifications.
     
  16. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
Okay, this explains it. I have inbound/outbound blocked except explicit rules for each program, so I will need to find out how to make a rule, if that's possible, for the notifications to show.

I saw this and tried it but I must have done something wrong because it didn't work for me. I hate to dump this FW just because there is no alert for inbound/outbound blocks.
     
  17. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Hey guys, maybe I'm going at this wrong. Do you guys make a rule for every program on outbound or do you have just block rules set into place with allow all for outbound?
     
  18. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Anyone have an idea why svchost.exe needs outbound for this?

    Capture.JPG
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you're denying all outbound connections by default, which would be the smartest thing to do, then yes, you need to create rules for every application that you wish to allow Internet access.

    Otherwise, it would just be insane to have outbound allowed, and then create block rules for each application (including malware) that we do not wish to allow Internet access. ;)
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Do you have anything related to McAfee installed in your system? If the answer is yes, then most likely it makes use of BITS service, which is bound to svchost.exe, to make certain connections like when it wants to update.

    It happens with Adobe Reader, for example.
     
  21. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
No McAfee installed here. That's what I don't understand. It's blocked and all works well, but I am curious as to why it wants outbound. It usually does it on startup for about four tries.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Can someone shed some light on a doubt I'm having on whether or not something like this should be happening?

So, I was using a relative's system, on which I had deployed Windows Firewall with Advanced Security, obviously blocking outbound traffic and only allowing the needed inbound traffic.

    I was looking at the event viewer, and saw at the Security tab that an Anonymous Logon session has occurred, and something related to HOD, which for what I could find is related to Host On Demand; couldn't find much though.

    The source IP is 95.25.148.35, which is a Russian IP http://www.dshield.org/ipinfo.html?ip=95.25.148.35

    I also saw for another IP http://www.dshield.org/ipinfo.html?ip=178.92.170.168

    This IP is not from Russia.

    Then, I also see that these inbound connections are done with success, from those IPs:

    Application Name: System
    Inbound
    Source IP: The one assigned by the IP at the moment
    Source Port: 445
    Destination IP: 95.25.148.35 (The Russian IP)
    Destination Port: 2554
    Protocol: 6

    Could anyone shed a light on what this sort of connection means? I've never come across such before, that I'm aware of. This would be something new to learn for sure.

How is this an inbound connection if the source IP is my relative's? I guess it is related to the HOD (host on-demand thing).

    o_O

    Thank you for any feedback
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -Edit-

    I just decided to run ShieldsUP, and ports 135 and 445 were open! I checked Windows Firewall and there were rules related to file sharing enabled for both inbound and outbound. How so o_O It beats me.

    -edit 2 -

    I guess this means I'll have to create explicit rules blocking communication with such ports. Can't we trust Windows Firewall to work as it should o_O Heck
     
    Last edited: Dec 21, 2010
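The two posts above (unexpected inbound sessions on port 445 from outside, and ShieldsUP then showing 135 and 445 open) are the classic symptom of the stock "File and Printer Sharing" rule group being enabled. The Python below is an added example, not something from the thread or from Microsoft: it parses the text printed by `netsh advfirewall firewall show rule name=all dir=in` (the sample is constructed in that layout, with fields not needed here left out) and lists every enabled inbound Allow rule that opens an SMB or RPC endpoint-mapper port, together with the remote scope the rule grants.

```python
import re

# Constructed excerpt in the layout printed by
#   netsh advfirewall firewall show rule name=all dir=in
# (two stock File and Printer Sharing rules; fields not needed here omitted).
NETSH_OUTPUT = """
Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             File and Printer Sharing
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow

Rule Name:                            File and Printer Sharing (Spooler Service - RPC-EPMAP)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             File and Printer Sharing
RemoteIP:                             LocalSubnet
Protocol:                             TCP
LocalPort:                            RPC-EPMap
Action:                               Allow
"""

# 135/445 are the ports ShieldsUP reported open (139 is NetBIOS session, same
# rule group); RPC-EPMap is netsh's name for the endpoint mapper on TCP 135.
SMB_PORTS = {"135", "139", "445", "RPC-EPMap"}

def parse_rules(text):
    """Split netsh output into one dict per rule, keyed by the field labels."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return rules

def exposed_smb_rules(text):
    """Enabled inbound Allow rules that open an SMB/RPC port, with their remote scope."""
    hits = []
    for r in parse_rules(text):
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        if {p.strip() for p in r.get("LocalPort", "").split(",")} & SMB_PORTS:
            hits.append((r["Rule Name"], r["LocalPort"], r.get("RemoteIP", "Any")))
    return hits
```

A rule whose RemoteIP is "Any" is the one that makes the port visible from the Internet; the whole group can be switched off with `netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no` rather than by adding explicit block rules.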
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    A little update regarding a few rules I mentioned sometime ago about Windows Live Messenger 2011. I looked for the post where I mentioned, but somehow I missed it, when searching this thread since the beginning. So, I'll mention the rules and update that info.

The rules I came up with, back then, were created after reading an article on a Microsoft support page for Messenger; not version 2011, though. But the article had a note mentioning that the information would also be valid for newer versions. I wasn't sure whether or not 2011 was included.

    The rules were, all regarding outbound, by the way:

    Rules for authentication:

    Process name: msnmsgr.exe

    TCP, Remote ports: 80, 443 and 1863; Local address: any; Remote address: any;

    UDP; Remote port: 53; Local address: any; Remote address: DNS IPs;

    Rules for files transfer:

    Process name: msnmsgr.exe

    TCP; Remote ports: 6891-6900; Local address: any; Remote address: any.

Today, I received an e-mail from a relative for whom these rules were meant, who was going to use Live Messenger, saying that the program complained it lacked permissions in the firewall.

    I asked to see if any blocking rule would give alerts for any program related to Live Messenger.
It seems that at least two more rules are needed, but no connection other than to the DNS was attempted by such processes, namely wlcomm.exe and wlidsvc.exe.

My relative is not that tech savvy, and I can't go check it for myself, unfortunately... and considering I don't know whether or not allowing the DNS connections would suffice, I'd like to ask those of you, whether using Windows Firewall or not, what kind of rules you have there that reflect these two processes?

    I'd be thankful. :)

    Thanks.
     
  25. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Thanks Moonblood,

    I was checking in to this very information for my daughter about the ports.
     