
Is Firewall Working Correctly?

  • 29 September 2012

Hi,
 
Having the firewall set up with "Warn if any process connects to the internet unless explicitly allowed", I wanted to check how it works and ended up quite surprised in the end ...
 
I chose the vlc.exe process (VLC player) under Network Applications and changed it from Allow to Block. Afterwards I ran VLC player and triggered the update check, supposing that VLC wouldn't be able to connect to the internet because of the Block rule imposed on it. However, to my surprise, VLC could check for updates.
 
Am I missing something as regards the firewall rules?
 
Is there any way I could properly check that the firewall blocks the blocked processes/applications for outbound connections?
 
Thanks & regards,
pegas
 
EDIT: Strange ... I changed the firewall setting to "Warn if any new untrusted process connects to the internet", chose revouninstaller.exe for instance, changed it to Block and tried to check for updates of Revo Uninstaller, which ended with a blocked-connection message in Revo. So now it worked the way I had supposed.

However I am missing an option to add my own process/application to block. Is there any other way to do that?

Best answer by JimM 1 October 2012, 18:32



Thought everything was alright but ... I blocked admunch.exe (Ad Muncher) and surprisingly AM connects to the internet. See below
 
http://tinypic.com/r/35jayc1/6
 
I am quite confused, can somebody shed more light on the firewall settings and how they should work?

Thanks & regards,
pegas
Hi pegas,
 
It seems to be working for me, as I blocked Hitman Pro and it couldn't connect. I would suggest trying to block something else and replying back. And as you know, WSA is only an outbound firewall, so maybe AM is only showing the inbound connections?
 
TH
Also see this Post in the Ideas Exchange.
 
TH
Thx TH for the valuable information ;)

I disabled/blocked a few other applications to see whether they could connect to the internet, and it turned out that they couldn't, so WSA blocked their outbound connections. However, some of the applications had to be closed and restarted for the block to take effect.
Have a question though about trusted and untrusted processes.

If I understand correctly, WSA classifies processes based on behaviour and cloud heuristics. However, let's imagine that a process XY is trusted by the cloud but in my case I don't want that process to connect to the internet. Yes, I know that I can change that process to Block, but by then it is too late. Therefore, is there any way WSA could prompt me to decide whether I want to allow or block even a process that the cloud trusts? What I mean is overriding the access rule that WSA imposes automatically at the first outbound connection.

Thanks & regards,
pegas
This setting would do as you ask, but you would have to remove all entries under View Network Applications and start over; you should then get a warning for every process that tries to connect. For a test I removed Firefox, Outlook and Opera, and all were blocked until I allowed them via a pop-up.
 
TH
 
EDIT: And congrats on being a Community Guide!  ;)

Just to add, looking at this more closely I would like to see the countdown removed, because I don't believe in auto-allow; it should wait until user interaction! I also put it in the Ideas Exchange here.
 
TH
Thx TH 😉 That's what I meant. Yeah, it could be quite lengthy to get through all the default Windows processes. Nevertheless, having this option of deleting all processes and starting from scratch gives me hundred percent control over all outbound processes.
@ wrote:
EDIT: And congrats on being a Community Guide!  ;)

 
:D I had completely overlooked it, thanks for pointing it out ;)
Congrats pegas on turning PINK!  😃
@ wrote:
Congrats pegas on turning PINK!  :D
Thanks ProTruckDriver! I personalized my avatar to the one I am used to, the one that matches my nickname :D 
Congratulations Pegas!
 
New Community Guide. 😃
Thx Mike, I am proud of being Community Guide :D
OK, after a very extensive testing of WSA firewall with the setting "Warn if any process connects to the internet unless explicitly allowed" and fiddling with setting Allow/Block under Network Applications, here's my conclusion.

First of all, if you apply the said firewall option, WSA loads all processes/applications which are allowed by the cloud heuristics and are present on your particular system. The list of these processes can be seen in Network Applications.

I changed a lot of applications from Allow to Block and tested every one to see if it could get out on the internet. The result was half-successful.

Some processes which were set to Block couldn't get out on the internet (for instance IE9, Revo, Picasa etc.). That's fine and what I had hoped.

On the other hand, some of the blocked processes could connect to the internet. Just to name a few ... Opera, Outlook, Webcam, VLC etc. I have to admit I am quite concerned, especially about Opera and Outlook! Strange, as IE wasn't able to connect.

Joe explained on Wilders that such applications (which went on the net even while blocked) probably use another process for the outbound connection. If that is right and not just a firewall failure, there has to be another prompt or something else that will warn the user about this fact and let him/her act accordingly (Block or Allow).

So my result is that if a process connects to the internet on its own, i.e. doesn't use another process to do so, and you block this process, it shouldn't be able to get on the net. However, that is not the case for a process that uses another one to connect out. In such a case you end up surprised that the process is able to connect out even when set to Block.

So all in all, I don't think WSA firewall is bad but it needs to be more polished to ensure 100% success in blocking the outbound traffic.

Thanks & regards,
pegas
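The explanation in the post above (a blocked application getting out through another process) and the earlier question of how to properly check that a blocked process is really blocked can both be tested rather than guessed at. The following is an added example, not code from this thread or from Webroot. It parses a `netstat -ano` snapshot taken while the supposedly blocked application runs its update check, joins each connection to its owning PID, and walks the parent chain to see whether a connection belongs to a blocked image either directly (what a per-image Block rule catches) or through a child process (what it misses). The netstat rows, the process table and the helper name vlc-updater.exe are all constructed for illustration; nothing here claims that VLC actually uses a helper process.

```python
"""Is a 'blocked' application really off the network, or is it reaching it
through another process?

A per-image firewall rule (WSA's Block entry for vlc.exe) is keyed on the
process that opens the socket.  If the blocked program delegates to a
child process, the rule never fires.  Join a `netstat -ano` snapshot to a
process table and attribute every active connection by walking ancestry.

All data below is constructed for the example; vlc-updater.exe is a
hypothetical helper, not something VLC is known to do.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed `netstat -ano` output (Windows layout: Proto, Local Address,
# Foreign Address, State, PID; UDP rows carry no State column).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49712     203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.10:49713     203.0.113.20:80        ESTABLISHED     4388
  TCP    192.168.1.10:49720     203.0.113.30:443       ESTABLISHED     1240
  TCP    192.168.1.10:49731     203.0.113.40:443       ESTABLISHED     5012
  UDP    0.0.0.0:5353           *:*                                    2456
"""

# Constructed process table: pid -> (parent pid, image name).  On a live host
# the same columns come from:
#   Get-CimInstance Win32_Process | Select ProcessId,ParentProcessId,Name
PROCESSES: Dict[int, Tuple[int, str]] = {
    4:    (0,    "System"),
    912:  (4,    "services.exe"),
    1240: (912,  "svchost.exe"),
    2456: (912,  "svchost.exe"),
    3300: (4,    "explorer.exe"),
    4120: (3300, "vlc.exe"),           # the application set to Block
    4388: (4120, "vlc-updater.exe"),   # hypothetical helper spawned by vlc.exe
    5012: (3300, "iexplore.exe"),
}

BLOCKED_IMAGES: Set[str] = {"vlc.exe"}   # lower-case image names set to Block

# State is optional so the same pattern matches TCP and UDP rows.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    remote: str
    state: str      # "" for UDP rows
    pid: int


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    remote: str
    blocked_image: Optional[str]   # block-list entry this traffic belongs to
    via: Optional[str]             # "direct", "ancestor", or None


def parse_netstat(text: str) -> List[Connection]:
    """Parse `netstat -ano` rows; header and blank lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Connection(proto, local, remote, state or "", int(pid)))
    return conns


def ancestry(pid: int, procs: Dict[int, Tuple[int, str]]):
    """Yield (pid, image) for pid and each ancestor; stops at an unknown pid
    (an exited parent) or on a cycle in the table."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image = procs[pid]
        yield pid, image
        pid = ppid


def attribute(conns, procs, blocked) -> List[Finding]:
    """'direct' = the socket owner itself is blocked (a per-image rule fires);
    'ancestor' = only a parent is blocked (a per-image rule misses it).
    LISTENING and half-open TCP rows are not outbound traffic and are skipped."""
    findings = []
    for c in conns:
        if c.proto == "TCP" and c.state != "ESTABLISHED":
            continue
        chain = list(ancestry(c.pid, procs))
        owner = chain[0][1] if chain else "<unknown>"
        blocked_image, via = None, None
        for depth, (_, image) in enumerate(chain):
            if image.lower() in blocked:
                blocked_image, via = image, ("direct" if depth == 0 else "ancestor")
                break
        findings.append(Finding(c.pid, owner, c.remote, blocked_image, via))
    return findings


def escaped_blocks(findings: List[Finding]) -> List[Finding]:
    """Connections a blocked application holds through another process."""
    return [f for f in findings if f.via == "ancestor"]


if __name__ == "__main__":
    results = attribute(parse_netstat(NETSTAT_SAMPLE), PROCESSES, BLOCKED_IMAGES)
    for f in results:
        print(f"{f.pid:>5}  {f.image:<18} -> {f.remote:<20} {f.via or '-'}")
    for f in escaped_blocks(results):
        print(f"escaped: {f.image} (pid {f.pid}) connects on behalf of {f.blocked_image}")
```

Two caveats when doing this on a real machine. `netstat` does not record direction, so an ESTABLISHED row can also be an accepted inbound connection; take the snapshot at the moment you trigger the update check so that the rows you see are the ones you caused (`netstat -anob` adds the image name but needs an elevated prompt). And ancestry only catches helpers the blocked program spawned itself; a connection made on its behalf by a shared service such as svchost.exe has no blocked ancestor and will show up as unattributed, which is exactly the case the thread says the per-application rule cannot express.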
@ wrote:
Joe explained on the Wilders that such applications (which went on the net even if being blocked) probably use another process for the outbound connection.
Beat me to it!  For any onlookers not "in the know," Joe is our lead developer (and he's correct of course).
 
It's true that the idea linked to earlier in the thread would result in a more straightforward experience in blocking processes from connecting to the internet.
 
However, speaking more to the notion that auto-allow after a set time period is not good, I really must stress the point that the last thing you want is for the firewall to auto-block a "new" process.  Coming from a background where I supported the 2011 and prior version of our firewall, one of the top complaints was that users would miss the countdown completely.  Your computer doesn't necessarily need you to be present for something to connect to the internet.  Auto-updaters and certain semi-critical Windows processes would consistently get blocked, which was the intended behavior of the program, but it was not exactly a pleasant user experience to come back to your computer and wonder why you either can't get online at all or wonder why certain programs won't update anymore.  What had happened in those types of cases was that the user completely missed the countdown box, and it defaulted to block.  Other times, the user thought "Block everything!" and kicked themselves offline in the process.  This is particularly onerous, because unless you have support on speed-dial (and nobody should), and if it's your only computer, it might be tricky trying to contact support if you can't find a phone number and can't get online to look for one.  To compound things, you might suspect that if you allow an auto-updater, it will work from that point onwards.  That's not exactly correct, because as soon as that updater updates itself, it's a new program with a new MD5 value, and the problem repeats itself.  I actually wrote about this a while back.
 
I realize "wait until user interaction" is not the same thing as "block automatically," but you're in the same boat for as long as it takes you to come back to the computer.  Imagine you're going on vacation, and it's not at the top of your mind to change your firewall settings before you leave.  You come home expecting a bunch of downloads finished, updates completed, etc.  You better hope the program you're using to download stuff didn't auto-update.  You better hope the updaters didn't update themselves.  You better hope svchost didn't get updated by Windows Updates.  Pretty much nothing will be getting online if that's the case.  Maybe you intended to use a cloud service to remote into your machine while you're away from home.  Well, maybe that doesn't work as well as you'd hoped.  :(  Naturally, the counterpoint is that users need to be responsible for their own settings, but that often leads to a lousy user experience for less tech-savvy users because they don't want to be burdened with that much responsibility.
 
Speaking only for myself, I would hope that if Webroot decides to implement that kind of feature request that it is surrounded by ominous warnings with red, flashing lights that explain the kind of potential problems I just described, because they are the sort of things that the average user doesn't really think about.  I think I know everyone who has commented in this thread well enough by now to know that these kinds of problems are things you would anticipate and not be affected by if such a feature existed, but what about the average user who turns on the feature thinking "the more protection, the better?"  I see the benefit of the feature, but I'm not sure if it isn't outweighed by the potential issues it could generate.  I'd love to see more comments on this topic to gauge reactions to the potential issues I've brought up.
JimM wrote:
 I would hope that if Webroot decides to implement that kind of feature request that it is surrounded by ominous warnings with red, flashing lights that explain the kind of potential problems I just described, because they are the sort of things that the average user doesn't really think about. 
 
Totally agree with you Jim. ;)
 
@ wrote:
@ wrote:
Joe explained on the Wilders that such applications (which went on the net even if being blocked) probably use another process for the outbound connection.
Beat me to it!  For any onlookers not "in the know," Joe is our lead developer (and he's correct of course).
Many thanks Jim for your thorough explanation and your point of view.
 
However, what I have pointed to is that the firewall lets you block an application for outbound connections, but if that application relies on another process for the outbound connection it won't in fact be blocked. That is a bad thing and needs to be improved, because users expect that blocked applications won't ever go out on the internet unless they are changed back to Allow. One thing has to be clear for everybody ... if I set an application to Block, it must be blocked, without excuses, as other custom firewalls do (ZA, Comodo, OA etc.).
Pegas, I'm trying to reproduce the issue with VLC Player. I found it reproduced if I didn't close VLC Player, but switched the setting in WSA from Allow to Block or vice-versa. However, if you change the setting in WSA, close VLC Player, reopen it, and try updating again, it does what it's supposed to do either way depending on the Allow/Block setting. Is this also what you're seeing?
@ wrote:
Pegas, I'm trying to reproduce the issue with VLC Player. I found it reproduced if I didn't close VLC Player, but switched the setting in WSA from Allow to Block or vice-versa. However, if you change the setting in WSA, close VLC Player, reopen it, and try updating again, it does what it's supposed to do either way depending on the Allow/Block setting. Is this also what you're seeing?
Jim,
I changed the VLC entry from Allow to Block, then opened VLC and checked for updates, which VLC did successfully even though it shouldn't have, because the entry was changed to Block. However, I also changed the Revo Uninstaller entry to Block and ran its update check, getting a prompt that Revo cannot connect to the net. So two applications with two results.
@ JimM & pegas - Jim, I have been testing the firewall with pegas over the weekend here and all my tests passed; I'm using Win 7 x64. I now agree with the reason you gave about auto-allow, as sometimes I have to think as a non-techy user: as you said, someone could severely cripple their system if they block a known-good process. With that being said, I would like to retract my recommendation to change the default allow, as WSA will keep track of the process and if it turns out to be bad it will be blocked and removed from the system!
 
Cheers,
 
Daniel  😉
Today I was updating Adobe Flash Player for IE9 as well as Opera 12.02 to the latest build (11.4.402.287). During both updates a WSA prompt jumped out asking for outbound permission to let the Adobe online updater go on the internet. I chose Allow Once and the update finished successfully.

I noticed later that both updaters are listed in the network applications with action Allow (see below).
I tried a few other applications that access the internet and always opted for Allow Once, and all these applications were automatically added to the allowed applications.

That's not correct behaviour, because I opted for Allow Once, so these files shouldn't be automatically added to the allowed applications.

I verified the protected applications and they worked fine. I tried the Vista Snipping Tool and chose Allow Once, and the snipping tool wasn't added to the protected applications. When I tried to take another snapshot I was prompted to allow the file again.