Application Rules

domo78 · September 20, 2021, 8:07am

W10 Famille - 21H1 - 19043.1237 / CFW : 12.2.2.8012

Hello,

The FW is set at the level “Safe Mode”.
I use Glasswire to monitor my laptop’s Internet access.

I used the Microsoft PHOTOS program for the first time.
Its rating is “Trusted” (screeshot1).

Glasswire informs me that the PHOTOS program has connected to the Internet (screenshot2).

Because of the level “Safe Mode”, rules should have been created automatically in “Application Rules”. But no rule has been created.

There are no events in the FW and HIPS logs.

Would you have a possible explanation ?
Thanks

CISfan · September 20, 2021, 8:49am

Not unless you have “Create rules for safe applications” enabled for Firewall and/or HIPS in Safe Mode.

domo78 · September 20, 2021, 9:05am

On the laptop :

FW : “Create rules for safe applications” is enabled
HIPS : “Create rules for safe applications” is disabled

CISfan · September 20, 2021, 1:08pm

As a test / check:

Close the Microsoft PHOTOS program
Create a new FW rule for the Microsoft PHOTOS program and set it to Block and Log, IP In/Out, Address Any, Port Any.
Move the created FW rule to the top of the Firewall rules list.
Start Microsoft PHOTOS program again and check if it still connects to the internet (also check FW Logs).

domo78 · September 21, 2021, 4:03pm

To create the rule, I could not access the program directly because of a problem of rights on the directory.
I ran the program and created the rule using the “Running process” function and setting “Log as a firewall event if this rule is fired” enabled.

I closed the program and ran it again.
There is no event in the FW log.

Maybe the program accesses the Internet at its first launch.

CISfan · September 21, 2021, 5:23pm

It could be that the Microsoft PHOTOS program connects to the internet using the svchost service.