I always wondered what was going on with that; publisher certificate revocation is an excellent reason for that. CCleaner is notorious for attempting to ping an IP address first before trying to connect. Doesn’t matter, the CCleaner installer.exe don’t phone home by itself w/ out me clicking on it. Bottom line: I have neither D+ or FW rules for installers, or FW rules for Explorer. For either, each resource access name access attempt will generate an alert and its allowed on a case-by-case basis.
EVERY resource access name access attempt is denied by default in CIS D+ & FW by default unless implicit permission is explicitly allowed. The canary in the coal mine is singing in your logs. Pay very close attention to your logs: you’ll become aware of things trying to become prollems. Not only that, but you’ll become aware of prollems that are actually hidden and allow rules should be made to allow things to work properly. Its akin to scrutinizing the wife’s grocery list each week to make certain she’s NOT buying cocaine. I don’t need to run herd on that. Nor do I need to be aware she’s even going to the grocery store. But if she goes to the strip club, I DO want to know that.
LIkewise, I don’t have FW rules for Word, Excel, or any arbitrary PDF; no reason at all to implicitly allow interweb access for them. Word, Excel, AcroRd32, OpenOffice, etc., have D+ rules necessary for their inherent functionality / features and load / modify the required files. Interweb access is done explicitly case-by-case w/ out permanent rules created. If I open a DOC file, Word don’t need to be phoning home ANYWHERE unless I click on a link in the document.
To access iterweb any file will request D+ DNS client service resource access name permission. This is actually an RPC hook for TCP/IP. The next thing is that the app will try to hit DNS server with UDP on port 53 to resolve domain name to IP address. Then IP traffic to some IP address will be attempted. I have three chances to intercept the attempted interweb access. If I allow those: woe be me and not the monkey brained HIPS and/or FW.
I’ll qualify the above with an example of an exception, e.g., CCleaner installer files. I have a FW rule created for X:\Exe\CCleaner_v*.exe that contains all the IP address to the CCleaner - Piriform - home servers. It updates so frequently, I don’t want to be bothered with alerts if its phoning home to Piriform servers.
Another exception to that plausibly could be the in-app update feature. Obviously the app will need interweb access permission; first to DNS and secondly to home servers. But that exception scenario is by app, e.g., Word.exe, and not by file, e.g., SomeDocument.DOC, and will only occur through overt action on my behalf. I can constrain that behavior by not creating a permanent rule allowing access to DNS servers.
How do I know where an app phones home to? WHOIS will tell you the domain name owner for the IP address. If CCleaner wants to phone home to Piriform domain name IP address, that’s o.k., and I create a rule to allow that and it won’t bother me next time for that particular address. I pay attention to ranges too. For example, if I see XXX.YYY.ZZZ.18 XXX.YYY.ZZZ.59 & XXX.YYY.ZZZ.156 for the same app, I make rule w/ range: XXX.YYY.ZZZ.18 to XXX.YYY.ZZZ.156; you have 138 IP address to phone STOP BOTHERING ME now! That doesn’t always work though; ZZZ may become ZZZ+1 and then the range may be 126 to 254. But even so: WHOIS is your friend, because you may see that the domain name owner owns a block of 1000 IP address where ZZZ runs from, e.g., ZZZ-5 to ZZZ+3 (or something). Such is usually only a prollem for huge corp like M$, Java, Adobe, etc. In that case, YYY can change the same way, in addition to the ZZZ changing for each YYY change. Aaaaaarrrrggrgrgrgrgr!
