Windows update and jetico

Discussion in 'other firewalls' started by luvhirez, Jun 20, 2005.

Thread Status:
Not open for further replies.
  1. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hello,
    The default ruleset in the latest jetico isnt letting auto windows update do its thing.
    It keeps asking for different windows update addresses which are not in the "allow windows update" rule in system apps.
    I allow outbound connection to these new addresses.
    windows update asks me if i would like to download the available windows updates. Ok till now.
    the little windows update icon in the sys tray comes on but then disappears. svchost keeps trying to send datagrams to 127.0.0.1 through different ports each time. Ive tried allowing them and denying them, but nothing seems to work.
    Pleeeeaaaaseee help me!
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,088
    Hi luvhirez,

    Try adding the following network addresses into Jetico firewall's Trusted Zone via configuration wizard:

    windowsupdate.microsoft.com
    download.windowsupdate.com
    www.download.windowsupdate.com
    v5.windowsupdate.microsoft.com
    v5stats.windowsupdate.microsoft.com

    I have not tried this. I think it will work as above, but if the config wizard disallows it, run a ping command to capture IP address and enter that for each item in the list.

    -- Tom
     
  3. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    It's also because Jetico creates detailed rules for every pop up window, which means if the update uses a different port or different address then it will pop up. Your best bet is to change one of the update rules to allow all traffic for port 80 and delete the remaining update rules.
     
  4. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Are your rules for svchost.exe or services.exe? XP uses svchost.exe.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I believe you might need port 443 also. 80 and 443...
     
  6. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Thanks for the replies, I dont mind pressimg allow for the windows update addresses, I will try what you said lotuseclat79. but how do i ping. It is mainly svchost.exe(yes winxp) that keeps asking to send datagrams to 127.0.0.1 in a different port each time. I tried allowing it, and denying it. But the update just doesnt download.
     
  7. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    in my ruleset, i allow svchost.exe to do anything with 127.0.0.1 . if you don't know the exactly ip addresses for windows update servers, you could let svchost.exe connect to any remote address with remote ports 80 and 443. then after you finish the updates, just uncheck this rule.
     
  8. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Thanks shek I will try that. Svchost was tring to connect to other ports though. should i deny them?
     
  9. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Unfortunatley it does not put the entire range of each address's only a single address as it must go to a different address each time.

    i put a rule in for svchost to allow sending and receiving datagrams TCP to 127.0.0.1 to any port. it got to 3% then it disapeared again
     
  10. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    svchost is used for lots of different things, like DNS access for example. By all means cut down its ports, but don't block it all together.

    Jetico also has the ability to Temp allow connections, if you don't check the remember box.
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,088
    How to ping:
    Start->Run->Cmd
    Then cd ../..
    C:\> ping windowsupdate.microsoft.com yields alias windoswupdate.microsoft.nsatc.net [207.46.18.94]
    C:\> ping download.windowsupdate.com yields alias
    download.windowsupdate.com.c.footprint.net [65.57.174.62]
    C:\> ping www.download.windowsupdate.com ping yields alias
    download.windowsupdate.com.c.footprint.net [65.57.174.62]
    C:\>ping v5.windowsupdate.microsoft.com yields [64.4.23.188]
    C:\>ping v5stats.windowsupdate.microsoft.com yields [207.46.157.124]
    C:\>exit

    Try inserting the above IP addresses under Network address radio button using the Configuration Wizard for Trusted Zone.

    Also, if you allow the datagrams to 127.0.0.1, i.e. your computer - localhost,
    be consistent and allow always with no denies.

    -- Tom
     
  12. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    thanks guys i will try that. Windows update has just told me that there are updates ready to install. I clicked on the balloon and it is only showing the malicius software removal tool. there were supposed to be around 7 critical updates
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,088
    Hi luvhirez,

    Yeah, the day after the recent update was available, I managed to get into the Windows Update site and that's what it told me, so I bogarted and decided to come back later when all of the hullabalu about getting the new update receded.

    I waited a few days and went back, and was able to get all 7 updates, surpriseingly enough during the middle of the day for which I have noticed is usually from 10-11AM or 2-3PM here on the East Coast USA.

    Keep on trying when the load on the update servers is not so great, and you'll get them.

    -- Tom
     
  14. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Thanks lotuseclat and everyone that has helped me, Ill keep patient and the other updates will come through hopefully. just another question, is it safe to let svchost roll with allowing any type of connection to 127.0.0.1. or should i untick the rule when finished with the update,
    I really appreciate all the help :) :)
     
  15. shek

    shek Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    342
    Location:
    SE CHINA/NYC USA
    if you don't use any proxy software, i think it should be safe.
     
  16. luvhirez

    luvhirez Registered Member

    Joined:
    May 13, 2005
    Posts:
    87
    Location:
    Melbourne
    Hi shek,
    I dont know what proxy software is, so I assume i dont have it.
    Ive now got all the updates,
    All of your advice helped me great.
    Cheers
     
Loading...
Thread Status:
Not open for further replies.