CIS firewall doesn't block some programs with CyberGhost VPN running

I’ve recently noticed that CIS doesn’t enforce all of my firewall rules when I have CG running. For instance, Notepad++ is blocked from accessing updates, and it works when I’m not running CG. However, once CG is running I can tell Notepad++ to check for updates and it does. I’ve searched the forum for “Cyberghost” and found many older posts regarding some driver issues, but nothing really related to what I’m seeking help for. I did go into the TAP adapter and check the box for the CIS driver, but it didn’t make any difference. Does anyone know how I can force my firewall rules to be followed regardless of whether CG is running or not? I’m running the latest version of CIS (12.2.2.7098) and CG (8)

If you have CG running and then set CIS FW to “Block All” mode, is Notepad++ then still able to check for updates (i.e. able to make an outbound connection)?

Thanks for suggesting that test. When I set CIS FW to Block All, Notepad++ returned an error that it could not connect, which is the same error I get when I don’t have CG running.

Ok, thanks for trying that.

If you (with FW set to “Safe Mode” for instance) add a FW rule “Block IP In/Out” for Notepad++ and move that rule to the top of the FW application rules list, is Notepad++ then still able to make an outbound connection with CG running?

Notepad++ doesn’t actually connect to the Internet to check for updates, it uses a standalone application so blocking notepad++ executable will not work and never has.

Then he should create a FileGroup called Notepadpp (or something like that) and add the Notepad++ installation directory appended with the * wildcard to that FileGroup (like C:\Notepad++* ) and then create the same “Block IP In/Out” FW rule for that FileGroup and move that FW rule to the top of the FW rules list.
That should stop the Notepad++ updater from making outbound connections.

Either way, the issue was that Notepad++ updater did connect out when CG was running, it didn’t when CG was not running.

Notepad++ launches a generic update executable named GUP.exe. That process is correctly blocked by CIS when CG is not running, it is not blocked when CG is running.

Does Notepad++ updater still escape out with the two above mentioned FW rule sets (a FW rule on the exe or a FW rule on the FileGroup)?
Maybe you have such FW rule(s) already in place, I don’t know.

Yes, that is the issue and honestly I don’t think creating a special rule or FileGroup is the correct fix. My concern is if the updater is being allowed thru the FW, what else is? In the end I want to fix CIS so it follows the same FW rules regardless of whether I’m using a VPN or not.

I understand but in order for the FW to be able to block the notepad++ updater from making an outbound connection it has to have some kind of FW rule to block it. The FW may allow Notepad++ making connections by default I think (depending on settings).

But I already have that rule in place, and it works as expected when the VPN is disabled. I went into the FW rules settings and edited the existing rule so that it wasn’t blocking a specific in or out IP address, but now any address. I tried the updater, and it still showed an update was available. I then deleted the rule altogether and added a new one specifically set for blocked application, added GUP.exe to it, then saved it. I again ran the updater and it still got thru. So then I tried creating a specific Ruleset, and the updater got thru yet again.

Thanks for the detailed feedback. This is indeed odd.
Do you have other application examples that pass thru the FW when CG is running?

I haven’t checked for other applications, just Notepad++. I forgot to add that as another test, when I deleted the rule altogether, I ran the updater. CIS did NOT display the traffic alert as was expected, so it also didn’t ask whether the application should be allowed or blocked. That tells me that CIS isn’t even seeing the Internet request, so it can’t block it.

I was thinking in the same direction.
Seemingly the notepad++ updater uses the VPN connection to make the outbound connection which seemingly CIS doesn’t or can’t capture, monitor or control.
I’m not sure whether CIS is able or capable to capture, monitor or control VPN traffic in general.

I don’t know if this helps or not, but the other day I was extracting the contents of an archive file from the VPN PC to a networked PC. The FW did prompt me to allow or block WinRar from the networked PC’s internal IP address.

If I understand it correctly then CIS FW was monitoring the local network traffic (addresses 192.168.xxx.yyy or the like) which fired the WinRar allow/block prompt.

It blocks for me, so you need to make sure the firewall driver is enabled on the VPN adapter, as it was disabled when I installed CyberGhost, and if it is disabled you need to reboot after enabling or re-install the firewall to have the driver properly enabled. Also, if you are using WireGuard then it won’t work, as the firewall does not work with wintun type adapters.

Thanks for the info. I did previously check the box for the CIS driver and rebooted, but that didn’t help. I just double checked and it’s still checked, and I don’t use WireGuard.

The driver really isn’t enabled, and you can confirm this by setting the firewall to custom ruleset mode and running the ping command. If you don’t get an alert from ping while connected with the VPN, the firewall is not filtering VPN traffic across the VPN adapter. You should uninstall 7098 and install 8012 and check again; it is recommended to run the uninstaller tool after uninstalling using Windows to uninstall.

Yes, that’s probably the best thing to do. I’ll try that later today and see what happens. Thanks for the help!
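
The adapter check discussed in the replies above can be scripted. The following is an added example, not part of the thread and not Comodo's or CyberGhost's own tooling: it lists each active adapter, whether a firewall filter driver is bound and enabled on it, and which adapter Windows currently routes outbound traffic through. The `*COMODO*` display-name pattern and the Wintun/WireGuard description match are assumptions to adjust to what your system shows.

```powershell
param(
    # Assumption: substring of the firewall driver's name as listed in the
    # adapter's Properties dialog; adjust to match your installation.
    [string]$FilterPattern = '*COMODO*',
    # Documentation-range address (RFC 5737). Used only for a route lookup;
    # no packet is sent.
    [string]$ProbeAddress = '192.0.2.1'
)

# Which interface would Windows use for internet-bound traffic right now?
$egress = (Find-NetRoute -RemoteIPAddress $ProbeAddress |
    Select-Object -First 1).InterfaceAlias

$report = foreach ($adapter in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
    # All components bound to this adapter, narrowed to the firewall driver.
    $filter = Get-NetAdapterBinding -Name $adapter.Name -AllBindings |
        Where-Object DisplayName -like $FilterPattern

    $state = if (-not $filter) { 'NotBound' } elseif ($filter.Enabled -contains $false) { 'Disabled' } else { 'Enabled' }

    [pscustomobject]@{
        Adapter     = $adapter.Name
        Description = $adapter.InterfaceDescription
        IsEgress    = ($adapter.Name -eq $egress)
        FilterState = $state
        # Assumption: Wintun-based adapters identify themselves in the description.
        WintunLike  = ($adapter.InterfaceDescription -match 'Wintun|WireGuard')
    }
}

$report | Format-Table -AutoSize

# The situation described in the thread: traffic leaves through an adapter
# on which the firewall driver is missing or disabled.
$report | Where-Object { $_.IsEgress -and $_.FilterState -ne 'Enabled' } |
    ForEach-Object {
        Write-Warning "Egress adapter '$($_.Adapter)' has filter state $($_.FilterState)"
    }
```

A binding that reports `Enabled` only shows the checkbox state; the ping test in custom ruleset mode described in the reply above is the functional check that the driver is actually filtering the VPN adapter.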