I’m having a problem with a program (web browser) which, a few seconds after being launched, spontaneously starts a huge download with no apparent reason.
As I don’t like programs acting without me knowing what they are doing (I know that happens quite often, but I’d like to prevent it at least when I notice), I tried tracking network activity and confirmed that the culprit is indeed that program.
I then tried creating in COMODO Firewall a “global rule” to block incoming traffic from the identified source IP address but, as I feared, the program, after a few moments of… uncertainty, launched the download from a different IP address.
I also tried to figure out which file was being downloaded and which was the destination folder, but I couldn’t find any answer.
So I’d like to know if and how I can create a CF rule in order to prevent that program from file downloading, while still allowing it to access the Internet as a browser.
I realise this might be simply impossible, because obviously a browser actually “downloads” everything it displays on web pages, but I thought that since I’m not very knowledgeable about this, maybe there’s some strategy I’m not aware of.
Because you did not provide much detail, there are many possibilities.
It is always good to start by making sure you are running the most recent version of the browser, downloaded from a known-good source. There may be downloads by the browser from built-in blocklists, or originating from installed extensions. Verify that any extensions are trustworthy and that their downloads directly relate to their function, by looking up the download IPs and the files dropped by them. You may also block the unwished IP (range) for the browser in the firewall module, or block the port if it is not using HTTP(S). You can also resolve the IPs to hostnames and block those in the firewall and/or your Windows hosts file, but this last suggestion only works if the IPs are not hard-coded or pushed, so that they do not require DNS lookups.
Another possibility is that malware already present on your system hijacks your browser in order to hide its tracks, so check for that as well.
Thanks for your kind reply.
I’ll try to put your suggestions into practice, at least to the extent of my technical knowledge and skills.
Anyway, generally speaking, I seem to understand that a rule like the one I want, preventing a specific chosen program from making downloads while still allowing it to access the Internet, cannot be created inside CF (and maybe not in any other firewall either). Is that right?
Not necessarily; “You may also block the unwished IP(range) for the browser in the firewall module or block the port if it is not using HTTP(S).”:
This means you can block access for the specific program / web browser in CF if the unwished downloads are done on ports not used for general web browsing (HTTPS=443 and HTTP=80) or DNS lookups (generally via UDP port 53). If the unwished downloads are made via those ports, you can specifically block the used IPs, or a relevant IP range that is not used for your daily browsing.
In addition, “You can also resolve the IPs to hostnames and block those in the firewall and/or your Windows hosts file, but this last suggestion only works if the IPs are not hard-coded or pushed, so they do not require DNS-lookups.”
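The triage the two replies above describe (flag the browser's large or off-port flows, then decide between a per-program port block, an IP or IP-range block, and a hosts-file entry) can be done from a connection log before touching the firewall. The script below is an added example written for this thread; it is not code from any of the posters or from COMODO Firewall. The log format, the process name chromium.exe, the IP addresses, byte counts and reverse-DNS answers are all constructed so that it runs offline; a real run would take the firewall's own connection export and a real PTR lookup instead.

```python
"""Triage a browser's outbound flows and draft block rules (added example).

Not code from the thread's posters or from COMODO Firewall. Everything
below (log format, addresses, sizes, reverse-DNS table) is constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

WEB_PORTS = {80, 443}         # ordinary browsing; blocking these breaks the browser
DNS_PORT = 53                 # lookups the browser needs to work at all
LARGE_DOWNLOAD = 100_000_000  # bytes received; above this a flow is treated as a download

# Constructed sample log (NOT COMODO Firewall's real export format):
# timestamp process proto destination_ip destination_port bytes_received
SAMPLE_LOG = """\
2024-01-01T10:00:01 chromium.exe TCP 93.184.216.34 443 48213
2024-01-01T10:00:02 chromium.exe UDP 9.9.9.9 53 312
2024-01-01T10:00:05 chromium.exe TCP 203.0.113.10 443 734003200
2024-01-01T10:00:30 chromium.exe TCP 203.0.113.11 443 512000000
2024-01-01T10:00:40 chromium.exe TCP 198.51.100.7 8443 220000000
2024-01-01T10:01:00 outlook.exe TCP 40.97.0.10 443 120000
"""

# Constructed stand-in for reverse-DNS lookups so the example runs offline.
# 198.51.100.7 deliberately has no entry: a hard-coded IP with no hostname
# is exactly the case where a hosts-file block cannot help.
REVERSE_DNS = {
    "93.184.216.34": "www.example.com",
    "203.0.113.10": "cdn1.updates.example.net",
    "203.0.113.11": "cdn2.updates.example.net",
}


@dataclass(frozen=True)
class Conn:
    process: str
    proto: str
    ip: str
    port: int
    bytes_in: int


def parse_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated sample format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, proc, proto, ip, port, nbytes = line.split()
        conns.append(Conn(proc, proto, ip, int(port), int(nbytes)))
    return conns


def suspicious(conns: list[Conn], process: str) -> list[Conn]:
    """Flows of one process that are off the normal web/DNS ports, or large
    enough to be a file download rather than page rendering."""
    flagged = []
    for c in conns:
        if c.process.lower() != process.lower():
            continue
        off_port = c.port not in WEB_PORTS and c.port != DNS_PORT
        if off_port or c.bytes_in >= LARGE_DOWNLOAD:
            flagged.append(c)
    return flagged


def block_plan(flagged: list[Conn]) -> dict[str, list[str]]:
    """Turn flagged flows into the blocking options discussed in the thread:
    per-program port blocks, single-IP or /24 range blocks, hosts entries."""
    ports = sorted({c.port for c in flagged if c.port not in WEB_PORTS and c.port != DNS_PORT})
    by_net: dict[str, set[str]] = defaultdict(set)
    for c in flagged:
        by_net[str(ipaddress.ip_network(f"{c.ip}/24", strict=False))].add(c.ip)
    # One IP is blocked on its own; when the program hops between neighbours
    # in the same /24, block the range instead (and expect some collateral).
    ranges = sorted(net for net, ips in by_net.items() if len(ips) > 1)
    singles = sorted(ip for ips in by_net.values() if len(ips) == 1 for ip in ips)
    hosts = sorted({f"0.0.0.0 {REVERSE_DNS[c.ip]}" for c in flagged if c.ip in REVERSE_DNS})
    hostless = sorted({c.ip for c in flagged if c.ip not in REVERSE_DNS})
    return {"ports": [str(p) for p in ports], "ranges": ranges, "ips": singles,
            "hosts": hosts, "hostless_ips": hostless}


if __name__ == "__main__":
    plan = block_plan(suspicious(parse_log(SAMPLE_LOG), "chromium.exe"))
    for key, values in plan.items():
        print(f"{key}: {', '.join(values) or '-'}")
```

The `hostless_ips` list is the caveat from the reply: those destinations were reached without a resolvable name, so only an IP, range or port rule in the firewall can stop them, and a program that rotates through addresses (as the original poster later reports) will simply move to the next one unless a whole range is blocked.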
Thanks again.
Sadly this particular web browser seems to be quite… skilled in bypassing firewall rules based on blocking specific IPs or ports.
While monitoring network activity I clearly noticed that if the “usual” IP isn’t accessible, the program uses another; and if that one gets also blocked (thanks to another firewall rule), the program switches to yet another.
And something similar happens if you try to act on ports.
While setting blocks based on IP ranges results in some web sites or services not working.
It really seems like the program was designed specifically to perform that download in any case, regardless of any foreseeable obstacle. Which certainly doesn’t surprise me, these days, but still annoys me quite a bit.
Maybe it also depends on the advanced age (mine), but it’s really annoying for me to see my own computer start doing things “on its own”, without me having asked and without me being able to know exactly what those things are and what their purpose is.
My advice is to dump the web browser you use currently and replace it with a known-good one that does not display such evasive behaviour and where you can be in control. All the more so, because it is unknown to you what is going on behind the scenes. Look here for a comprehensive web browser overview to get you started: Comparison of Web Browsers
Unfortunately, the browser in question actually IS one of those which are usually considered known-good and reliable (or at least I thought so). It’s Chromium, an “ungoogled” (whatever the meaning) version of Chrome.
I’ve been using it for years, and only in the most recent versions has it started exhibiting the behavior described above.
Everyone and his mother can make Chromium builds from the open source code. They are NOT vetted like the vanilla standard Chromium builds. The fact that a build was good in the past unfortunately absolutely does not mean it will be good at the moment or in the future. Builders may go rogue, builds with the same name may be altered, etc. So it falls on the user to verify their integrity. To that end, it can help to submit the hash to VirusTotal a week after its release before actually starting to use that build, to look at the comments of other users of that particular build, to do your own investigation of its behaviour, etc.
As written above, it is also possible that (possibly well-hidden) malware already present on your system, or a malicious browser extension, uses your browser to download additional nefarious content from a command-and-control server.
First make sure you have a clean system and start adding from there. Run Norton Power Eraser: NortonLifeLock Rescue Tools, and optionally after that Farbar Recovery Scan Tool: Download Farbar Recovery Scan Tool