Component Monitor - Demystification required

I know, I know… might even be making up my own words… but oh well (:WIN)

Anyhow… my latest desire to know more is in the area of the component monitor.

So, what I did was delete all component monitor rules that existed and changed the mode to ON. And, as I had expected, got popups with show libraries buttons so that I could see the components the application is wanting to load/use.

And while I was looking through this list, I noticed that the application still functioned (I asked Spyware Terminator to show its GUI, and it wanted to contact home to update its news section)… which I thought was odd as I was still working on defining its rules… then I noticed that the form I was looking at with all the components listed was defaulted to ALLOW. I assume this is why?

I can understand how Learn Mode might want to auto-allow… kind of a short-cut way to train… but when I am in ON mode… shouldn’t it BLOCK until I have said otherwise?

This mode forces the firewall to check for the applications’ components in memory before granting them internet access.

If any application tries to make a connection to the outside, the firewall audits all the loaded components and checks each against the list of components already allowed or blocked. If a component is found to be blocked, the entire application is denied internet access and an alert is generated. If the firewall detects unknown components (those not listed in the firewall database) then the alert will contain a “Show Libraries…” button. Click to review the components and decide whether or not to grant them access.

Is this maybe a bug? If there were still missing ALLOW rules in the monitor the application should have failed access… but because the rule popped up with the components allowed… is that what gave the application access?

I’m thinking that ALLOW could be the default action in LEARN mode, but BLOCK should be the default action in ON mode… or else it is crippled in my mind; borderline disabled actually.

I even went into the logs hoping to see an initial “application blocked” entry, but only saw the Unknown Components entries (basically logging the popup I guess).

I also found it odd at this point that there was no Firefox Unknown Components log entry, whose list was at least 50 components (being the first application to popup for components). Was this just a size/truncation of the log issue?

Back to the Component list for a second… I really think that the ability to ALLOW ALL, BLOCK ALL, and launch a components property page would be quite useful as well.

[attachment deleted by admin]
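As an added illustration (not Comodo's code and not from the original post), the following simulation encodes the three Component Monitor modes as the quoted help text describes them: Off does no check, Learn auto-allows and records a rule, On audits the loaded components against the rule table. For On mode it implements the fail-closed reading the post argues for: an unknown component yields a PROMPT that grants no access until the user decides. The class and function names, and the shortened MailWasher component lists in the scenario, are assumptions.

```python
"""Policy simulation for the three Component Monitor modes (added example, not Comodo's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Mode(Enum):
    OFF = "Off"
    LEARN = "Learn"
    ON = "On"


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"   # unknown components: user must decide before access is granted


@dataclass
class Decision:
    verdict: Verdict
    blocked_by: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)

    def grants_access(self) -> bool:
        # Only an explicit ALLOW opens the connection; a pending PROMPT stays closed.
        return self.verdict is Verdict.ALLOW


class ComponentMonitor:
    def __init__(self, mode: Mode, rules: Optional[Dict[str, bool]] = None):
        self.mode = mode
        # rule table: lower-cased component path -> True (Allow) / False (Block)
        self.rules = {self._key(p): v for p, v in (rules or {}).items()}

    @staticmethod
    def _key(path: str) -> str:
        return path.lower()   # Windows paths are case-insensitive

    def on_connect(self, loaded: List[str]) -> Decision:
        """Decide the outcome when an application with `loaded` modules in memory tries to connect."""
        if self.mode is Mode.OFF:
            return Decision(Verdict.ALLOW)
        if self.mode is Mode.LEARN:
            for comp in loaded:                      # record a rule, never block
                self.rules.setdefault(self._key(comp), True)
            return Decision(Verdict.ALLOW)
        blocked = [c for c in loaded if self.rules.get(self._key(c)) is False]
        unknown = [c for c in loaded if self._key(c) not in self.rules]
        if blocked:                                  # one blocked DLL denies the whole application
            return Decision(Verdict.BLOCK, blocked_by=blocked)
        if unknown:                                  # the "Show Libraries..." case
            return Decision(Verdict.PROMPT, unknown=unknown)
        return Decision(Verdict.ALLOW)

    def resolve(self, component: str, allow: bool) -> None:
        """Apply the user's choice from the Show Libraries dialog."""
        self.rules[self._key(component)] = allow


def mailwasher_scenario() -> List[Decision]:
    """Replays the thread's case in On mode: first attempt with an empty rule table, the user
    allows everything, a later attempt after a new DLL was loaded, then that DLL gets blocked.
    The component lists are constructed (shortened from the logged ones)."""
    first = [r"C:\WINDOWS\system32\olepro32.dll", r"C:\WINDOWS\system32\atl.dll"]
    later = first + [r"C:\WINDOWS\system32\apphelp.dll"]
    cm = ComponentMonitor(Mode.ON)
    d1 = cm.on_connect(first)                 # PROMPT: nothing is in the table yet
    for comp in d1.unknown:
        cm.resolve(comp, allow=True)
    d2 = cm.on_connect(first)                 # ALLOW: all known and allowed
    d3 = cm.on_connect(later)                 # PROMPT again, for the newly loaded DLL only
    cm.resolve(r"C:\WINDOWS\system32\apphelp.dll", allow=False)
    d4 = cm.on_connect(later)                 # BLOCK: a blocked component denies the application
    return [d1, d2, d3, d4]


if __name__ == "__main__":
    for d in mailwasher_scenario():
        print(d.verdict.value, "unknown:", d.unknown, "blocked_by:", d.blocked_by)
```

The point of `Decision.grants_access()` is the one the post raises: in On mode a PROMPT outcome is not an ALLOW, so the connection has to wait for the user's choice instead of defaulting open.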

Hmm, do I sense a future “Explanation of Component Monitor Rules”? :smiley:

My understanding is that in Learn, it’s auto-allow; with On, it will prompt if not found; in Off, well, it’s not even monitoring.

What if you were to turn Off, remove the rules, click Apply, reboot?

What if you were to change the rules to Block instead of Allow, click Apply, reboot?

Just thinking out loud…

LM

Well, not until any bugs are fixed (if there are any)… and even then, only if I want to risk typing for another 3-4 hours (:TNG)

I don’t think it is a complicated topic (doubt there’s a how to in its future), I just want to make sure it’s working.

I never did reboot at any point, so maybe my test is skewed… or reveals another issue related to changing modes and the firewall reacting properly.

I have seen a number of times (sorry, I cannot quantify the statement) where making changes doesn’t automatically set them. Then a restart of the firewall would be in order. Anymore, by default I just reboot when I make some changes, in order to clear out the memory and set the changes. Just to make sure everything is actually set.

Seems to help. Which by itself could be an issue. I think it’s been added to the Wishlist, to allow changes on the fly, without restarting the firewall, or rebooting.

LM

I dumped the components again and rebooted. Seems that gave me some more sense of joy… makes me wonder what the Apply button is for in the component monitor.

But I’m not 100% yet. I think things get muddled as more components are uncovered as you’re already half loaded. You see the activity, but are prompted for more rules… so is it blocked or not at this point?

A tough one to get a feel for.

So based on our mutual understanding… LEARN and OFF do the same thing… let it pass through… except LEARN makes a rule about it so it can be manipulated later.

Yes, and yes.

I haven’t messed with it much, although my perception of it has changed somewhat over time. At the present, I think it (and associated functions) is probably beyond the average user. And some advanced, too, LOL. Kind of in the realm of the OLE alert issue… ???

LM

The answer is… it is not blocked at this point. My case is as follows…

I have a program called mailwasher that loads at boot. And when it loaded on reboot, it asked for its first round of components.

[b]Date/Time :[/b]2007-01-22 13:27:35
[b]Severity :[/b]Medium
[b]Reporter :[/b]Component Monitor
[b]Description:[/b] Unknown Components (MailWasher.exe)
[b]Application:[/b] C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
[b]Parent:[/b] C:\WINDOWS\explorer.exe
[b]Protocol:[/b] UDP Out
[b]Destination:[/b] 192.168.16.1::dns(53)
[b]Details: [/b]C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe contains 9 components to be approved
Components:
C:\WINDOWS\system32\olepro32.dll
C:\WINDOWS\system32\hhctrl.ocx
C:\Program Files\Common Files\System\wab32.dll
C:\WINDOWS\system32\msoert2.dll
C:\Program Files\Common Files\System\wab32res.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\atl.dll
C:\WINDOWS\system32\riched32.dll
C:\Program Files\FireTrust\MailWasher Pro\MailAnalysis.dll

Then when I asked it to check my mail again (still loaded but idle since first loaded), I was asked for new components, but it still pulled down my mail while I was looking at the component list… obviously not blocked while components of it were not yet in the list nor allowed.

[b]Date/Time :[/b]2007-01-22 14:06:48
[b]Severity :[/b]Medium
[b]Reporter :[/b]Component Monitor
[b]Description:[/b] Unknown Components (MailWasher.exe)
[b]Application: [/b]C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
[b]Parent: [/b]C:\WINDOWS\explorer.exe
[b]Protocol: [/b]UDP Out
[b]Destination:[/b] 192.168.16.1::dns(53)
[b]Details:[/b] C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe contains 2 components to be approved
Components:
C:\WINDOWS\system32\apphelp.dll
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

I’ve not done any tests flipping components in the component list between Allow or Block in On or Learn modes, so none of my feedback is meant to imply that component rules do not function in the greater application. My scope is very specific in the moments between the time when an application (whether previously loaded or not) causes a popup for components not in the component list and user input (and/or defaulting to Allow).

The fact that the default is Learn (where Components have free rein) certainly does not test Component rules function, only its ability to add components to a list.

When I flip the switch to On and read the following in the CPF help…

This mode forces the firewall to check for the applications’ components in memory before granting them internet access.

If any application tries to make a connection to the outside, the firewall audits all the loaded components and checks each against the list of components already allowed or blocked. If a component is found to be blocked, the entire application is denied internet access and an alert is generated. If the firewall detects unknown components (those not listed in the firewall database) then the alert will contain a “Show Libraries…” button. Click to review the components and decide whether or not to grant them access.

… I expand upon that and conclude that a component also not in the list must also not be allowed, hence considered blocked until the user selects otherwise… yielding that the entire application has been blocked.

Either:

  • I assume too much
  • the documentation is incorrect or
  • the application has a booboo
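The two Unknown Components log entries quoted in this post have a regular shape (BBCode-bold field labels, then a Details field that states how many components need approval and lists their paths). As an added example, not part of the thread and not Comodo's tooling, here is a parser for that shape which also cross-checks the declared count against the number of paths actually listed, the consistency check the earlier truncation question calls for. The two sample entries are copied from this post as single lines; the parser also accepts the same fields split one per line. The third entry is constructed to show a truncated list, and the function and class names are my own.

```python
"""Parser for Component Monitor "Unknown Components" log entries (added example, not Comodo's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# [b]Label :[/b] value ... ; the value runs until the next [b] label or the end of the entry
FIELD_RE = re.compile(
    r"\[b\]\s*(?P<key>[^\[\]]+?)\s*:?\s*\[/b\]\s*(?P<val>.*?)(?=\s*\[b\]|$)", re.DOTALL)
DETAILS_RE = re.compile(
    r"^(?P<app>.+?) contains (?P<n>\d+) components? to be approved\s+Components:\s*(?P<list>.*)$",
    re.DOTALL)
DEST_RE = re.compile(r"^(?P<host>[^:\s]+)::(?P<service>\w+)\((?P<port>\d+)\)$")
# component paths contain spaces, so only split on whitespace that precedes a drive letter
PATH_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z]:\\)")

# Sample entries copied from the post (single-line form). TRUNCATED_ENTRY is constructed.
SAMPLE_ENTRIES = [
    r"[b]Date/Time :[/b]2007-01-22 13:27:35 [b]Severity :[/b]Medium [b]Reporter :[/b]Component Monitor "
    r"[b]Description:[/b] Unknown Components (MailWasher.exe) "
    r"[b]Application:[/b] C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe "
    r"[b]Parent:[/b] C:\WINDOWS\explorer.exe [b]Protocol:[/b] UDP Out [b]Destination:[/b] 192.168.16.1::dns(53) "
    r"[b]Details: [/b]C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe contains 9 components to be approved "
    r"Components: C:\WINDOWS\system32\olepro32.dll C:\WINDOWS\system32\hhctrl.ocx "
    r"C:\Program Files\Common Files\System\wab32.dll C:\WINDOWS\system32\msoert2.dll "
    r"C:\Program Files\Common Files\System\wab32res.dll C:\WINDOWS\system32\pstorec.dll "
    r"C:\WINDOWS\system32\atl.dll C:\WINDOWS\system32\riched32.dll "
    r"C:\Program Files\FireTrust\MailWasher Pro\MailAnalysis.dll",
    r"[b]Date/Time :[/b]2007-01-22 14:06:48 [b]Severity :[/b]Medium [b]Reporter :[/b]Component Monitor "
    r"[b]Description:[/b] Unknown Components (MailWasher.exe) "
    r"[b]Application: [/b]C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe "
    r"[b]Parent: [/b]C:\WINDOWS\explorer.exe [b]Protocol: [/b]UDP Out [b]Destination:[/b] 192.168.16.1::dns(53) "
    r"[b]Details:[/b] C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe contains 2 components to be approved "
    r"Components: C:\WINDOWS\system32\apphelp.dll C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll",
]
TRUNCATED_ENTRY = (  # constructed: claims 9 components but lists only 3
    r"[b]Date/Time :[/b]2007-01-22 13:27:35 [b]Severity :[/b]Medium [b]Reporter :[/b]Component Monitor "
    r"[b]Description:[/b] Unknown Components (app.exe) "
    r"[b]Details: [/b]C:\x\app.exe contains 9 components to be approved "
    r"Components: C:\x\a.dll C:\x\b.dll C:\x\c.dll"
)


@dataclass
class ComponentAlert:
    timestamp: str
    severity: str
    application: str
    parent: str
    protocol: str
    dest_host: Optional[str]
    dest_port: Optional[int]
    declared_count: int
    components: List[str]

    def count_matches(self) -> bool:
        """False when 'contains N components' disagrees with the listed paths (truncated entry)."""
        return self.declared_count == len(self.components)


def parse_component_alert(entry: str) -> ComponentAlert:
    fields = {m.group("key").strip(): m.group("val").strip() for m in FIELD_RE.finditer(entry)}
    if fields.get("Reporter") != "Component Monitor":
        raise ValueError("not a Component Monitor entry")
    details = DETAILS_RE.match(fields.get("Details", ""))
    if not details:
        raise ValueError("unrecognised Details layout")
    dest = DEST_RE.match(fields.get("Destination", ""))
    paths = [p for p in PATH_SPLIT_RE.split(details.group("list").strip()) if p]
    return ComponentAlert(
        timestamp=fields["Date/Time"],
        severity=fields["Severity"],
        application=details.group("app"),
        parent=fields.get("Parent", ""),
        protocol=fields.get("Protocol", ""),
        dest_host=dest.group("host") if dest else None,
        dest_port=int(dest.group("port")) if dest else None,
        declared_count=int(details.group("n")),
        components=paths,
    )


def inconsistent_entries(entries: List[str]) -> List[ComponentAlert]:
    """Return the alerts whose component list does not match the declared count."""
    return [a for a in map(parse_component_alert, entries) if not a.count_matches()]


if __name__ == "__main__":
    for alert in map(parse_component_alert, SAMPLE_ENTRIES + [TRUNCATED_ENTRY]):
        print(alert.timestamp, alert.application, alert.declared_count, len(alert.components),
              "OK" if alert.count_matches() else "TRUNCATED")
```

Running it over a whole export of the firewall log with `inconsistent_entries` is a quick way to tell a genuinely short component list from one the log cut off, which is the distinction the Firefox question earlier in the thread turns on.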

Hmm, I would probably spell that problem, “BUG”. ;D

That does not seem to be the way it should work. :-\

LM

I was still updating my post… give it a reread (:WIN)