Firwall does not apply rules but leaks

xp sp3 pro
CIS 5.3.176757.1236/7670

no other AV/security solution except CIS.
Configuration Firewall: custom ,D+: clean PC mode , Sandbox :Enabled

I have a network rule for windows system application group which prevents them connecting to HTTp ports.

-Still the svchost.exe in my computer is able to make connection on port 80( please see attached screen shots)
these are for adobe ARM downloading updates for adobe reader.

what has happened to CIS, earlier this kind of problem was not there. it is a fresh install of CIs hardly 1 week old.

whats wrong with settings,

Regards

adi

[attachment deleted by admin]

It might be using the Updated rule or any other rule you have, it tends to be sneaky like this will use any way available to access the internet.

Dennis

It might be using the Updated rule

• i dont know what is updated rules.
  -i have very few rules in Network security policy ,I am uploading screen shot.

• havea look what wrong with the network policy

• second this connection was made by svchost.exe to download the updates for adobe reader.

• i guess when svchost is grouped with other applications, Network rules does not apply properly.

regards
Adi

[attachment deleted by admin]

By the look it most probably it uses your Executable rule you have.

If you want to restrict something like windows system application you have to restrict all.

You need to force it to use one way only, you can only do that by restricting all.

Other non OS processes you can restrict quite easily but not system applications.

Dennis

From what I can see of you screen shots, you’re mostly using the default rules, that means:

1. Any system service used in the process of updating Windows, is allowed to connect Out. (Windows Updater Applications)

Delete that and you’ll be fine.

The default rules allow all sorts of things, you may not want, do to just what ever they wish

Don’t take this the wrong way :a0

It’s not that difficult to craft restrictive rules for any System process, Dennis, it just takes a little patients to understand what each needs

Allowing svchost, system, taskhost, rundll32 or even explorer Carte Blanche, is really not the most sensible way to manage a firewall. But it’s the easy way for those that don’t care, or don’t want to learn.

No problem

Thanks for posting.

Yes if you use presets then it becomes difficult.

My usual job after clean install is to delete all

Dennis

aditya,

I see that you have several ports listening. Do you have a local network? If no, you should disable netbios on TCP/IP and close port 445.

Boris

it is using some rules at least or no rules at all.

earlier i used to delete preset rules and create custom rules for system services but this time I think of taking advantage of default file groups , after all they are to ease your work.

Radaghast

Any system service used in the process of updating Windows, is allowed to connect Out. (Windows Updater Applications)

-the connection is made by svchost which was requsted by Adobe ARM using COM ,svchost lies in “Windows system Application” groups ,I have attached a screen shot of file groups in my computer.

-Point worth noting is ADOBE ARM does not connected directly. similarly I know of Google Updater , it will connect direct to check update and when it comes to downloading it will be done by svchost.exe.

Dennis2

By the look it most probably it uses your Executable rule you have.

why it did so, FW rules are applied top down, so it should not be the case(presumably)

Boris3

I see that you have several ports listening. Do you have a local network? If no, you should disable netbios on TCP/IP and close port 445.

I will do that (disable netbios over TCP/IP), actually I have unchecked the " file and Printer sharing on Mocrosoft Network" but" client for MIcrosoft network" is checked with netbios enabled which is causing 445 to appear.

any way what should I do…?

Dennis2

Yes if you use presets then it becomes difficult.

My usual job after clean install is to delete all

• should users avoid preset groups…? they help make you clean rules.

I guess problem lies in rules for groups or FW rules are ineffective for certain aaplications.

regards
Adi

[attachment deleted by admin]

Apologies, it’s been a long time since I used Defence+. Nowadays I just use the firewall component and it would appear the groupings have changed.

That said, I can provisionally confirm that attempting to block svchost from connecting outbound on HTTP ports, by modifying the default rules (as described by the OP) fails. I will take a closer look at this a little later.

Boris3 I will do that (disable netbios over TCP/IP), actually I have unchecked the " file and Printer sharing on Mocrosoft Network" but" client for MIcrosoft network" is checked with netbios enabled which is causing 445 to appear.

any way what should I do…?

You can disable NetBIOS on the properties for TCP/IP v4 on the Network Adapter card. Alternatively, you can create a firewall rule that prohibits TCP and UDP outbound on ports 137-139 and port 445. Create a port set for ease.

Depending on your configuration, you could also create a Global rule that blocks Inbound access to these ports. Unnecessary, if you have a decent, properly configured, router.

If you need file and print sharing on your LAN, create a rule for the ‘System’ process that allows all LAN traffic, then create separate rules to block Internet traffic, for NetBIOS/SMB below this.

If you wish, you can also completely disable port 445, however, this requires modification of the registry. To perform this task, open the registry at:

"HKLM\System\CurrentControlSet\ Services\NetBT\Parameters

Locate and delete the value “TransportBindName”

Reboot the PC.

Dennis2

• should users avoid preset groups…? they help make you clean rules.

I guess problem lies in rules for groups or FW rules are ineffective for certain aaplications.

regards
Adi

Like Dennis, the first thing I do on any new installation is delete the defaults. The problem with using the default rules, especially the Systems Application Group, is that it allows access to the Internet for a number of services, which for most people, really don’t need Internet access. They also allow important services to make whatever connections they wish, to where ever they wish, when ever they wish. If you’re happy to forego this lack of control, use the defaults.

In your rule for the Systems Application Group, the block rule is prohibiting Inbound communication, if you change this to outbound it will work.

[attachment deleted by admin]

Yes top down but if their rule is not available, the OS processes will use any other one which works for them.
Dennis2

It depends what you want a nice easy secure firewall, or a firewall were you control every access to the internet.

You can go further and control what IP’s each process has access to, it all depends how much you want to control.

Dennis

thank you Radaghast and Dennis2

I will have separate rules for svchost and system process services , will not club them in a file group.

Dennis2

Yes top down but if their rule is not available, the OS processes will use any other one which works for them.

this one is eye opener, but it will leave me with many firewall rules, i would say one for every app on my computer.

-generally the common scenario is that users generally wants to block one or two apps phoning HOME, while permitting nearly all.

and second concern is to prevent svchst to connect any thing other than dhcp and DNS query.
i will make separate rules for each apps

Regards
Adi

In theory, you could create an Application rule that allows the ‘All Applications’ file group to connect on a couple of specified ports, such as 80 and 443, then create separate block rules for applications you don’t want connecting and place them above the more general rule. I wouldn’t recommend this approach, however.

If you play around with the sliders for 'Firewall Security Level and the Alert level, you’ll be able to create rules pretty quickly and effectively. you’ll also find an optimum setting that works for you. Personally, I use Custom Policy mode with Alerts on very high but I wouldn’t recommend this for everyone.