How to safely block an application from connecting to a specific host using CFW?

Greetings,

can I get an exact description of how to properly set up a rule for an application to block it safely from connecting to a specific IP or host name? (any protocol, any port, just hide the destination completely from the application’s sight)
I think I have tried this in the past and the app was not always blocked reliably.
Especially I need to know whether the protocol should be TCP or UDP, ICMP or IP, and how I should fill in the source and target address.

You should create a block rule for that app: Block Outgoing IP, source: any, destination: either the hostname or the IP that you want to block (not sure which is more reliable). The block rule should be above any allow rule(s), or preferably at the top.

This is what I tried, but using Sysinternals Process Monitor I can still see that application connecting without any problem to that site.


15:36:33.3639045	KMPlayer.exe	1408	TCP Reconnect	VAIO:24344 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:33.3689108	KMPlayer.exe	1408	TCP Reconnect	VAIO:24334 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:33.8638964	KMPlayer.exe	1408	TCP Reconnect	VAIO:24344 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:33.8689878	KMPlayer.exe	1408	TCP Reconnect	VAIO:24334 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:34.4688891	KMPlayer.exe	1408	TCP Reconnect	VAIO:24350 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:34.4689143	KMPlayer.exe	1408	TCP Reconnect	VAIO:24351 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:34.9688982	KMPlayer.exe	1408	TCP Reconnect	VAIO:24350 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:34.9689280	KMPlayer.exe	1408	TCP Reconnect	VAIO:24351 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:35.8588962	KMPlayer.exe	1408	TCP Reconnect	VAIO:24353 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:36.3568885	KMPlayer.exe	1408	TCP Reconnect	VAIO:24353 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:36.8768929	KMPlayer.exe	1408	TCP Reconnect	VAIO:24356 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
15:36:37.3768959	KMPlayer.exe	1408	TCP Reconnect	VAIO:24356 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0

Blocked in/out IP connections for a single IPv4 target 209.137.130.253 and a single hostname target 61-111-8-189.kidc.net.
The rules are topmost, although I can still capture real network traffic to these destinations…

Yes… that’s strange… you can’t block some IPs that way… although you should be able to.

I mean you can block access to some sites by creating the same rule for dragon.exe (if you’re using Dragon) using the IP (I got the IP from SiteInspector), but at the same time you can’t block, for example, Google that way, neither via an app rule nor via a global rule.

I don’t get it.

Maybe someone else could test it?

If I leave only the blocking rules and ask for every other attempt, I get a dialog for this application asking for permission to connect to 127.0.0.1 port 3333. It looks like some applications connect to remote servers when granted permission for localhost.
Otherwise, is it necessary to create 2 rules to completely block access for an app to a remote address? (1st rule for incoming connections, giving the remote address as source IP, and one for outgoing connections to the site, providing the remote address as target IP). This is quite confusing; clearer for me would be providing the local and remote address/hostname.

Did you already place KMPlayer as a ‘Blocked application’ in the Network Security Policy…?

I see that the IP address info is:

IP Information for 209.137.130.253
IP Location: United States United States Liberal Kdd America Inc.
ASN: AS4459
IP Address: 209.137.130.253
NetRange: 209.137.130.0 - 209.137.130.255
CIDR: 209.137.130.0/24

Have you tried placing the KMPlayer in:

Network Security Policy > Blocked Zones > Add Host name or address range

KMPlayer sometimes launches the browser, so I block it in D+; see images:

Defense>Computer Security Policy>Defense+Rules>Add>(KMPlayer path),

I don’t use D+ and don’t want to place this application among blocked applications, because it should still be able to access the internet for regular usage (i.e. playing web streams and internet radio); thus rather than putting massive restrictions around it I prefer blocking just the known suspicious addresses and cutting it off completely from calling home. Also, checks for updates are not important, so it is possible to block all websites bound to the developers.

I’m putting the known addresses to global blocked zones and see if it works…

/Edit
…hmm, strange: I added 209.137.130.253 and 61-111-8-189.kidc.net to the global blocked zones and still see some communication in ProcMon:

19:25:46.0084312	KMPlayer.exe	1292	TCP Connect	192.150.14.69:4040 -> 192.150.14.69:33333	SUCCESS	Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 8192, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0
19:25:46.0087733	KMPlayer.exe	1292	TCP Send	192.150.14.69:4040 -> 192.150.14.69:33333	SUCCESS	Length: 36, startime: 16654, endtime: 16654, seqnum: 0, connid: 0
19:25:46.0128715	KMPlayer.exe	1292	TCP Receive	192.150.14.69:4040 -> 192.150.14.69:33333	SUCCESS	Length: 84, seqnum: 0, connid: 0
19:25:46.0129180	KMPlayer.exe	1292	TCP Receive	192.150.14.69:4040 -> 192.150.14.69:33333	SUCCESS	Length: 84, seqnum: 0, connid: 0
19:25:46.0132406	KMPlayer.exe	1292	TCP Disconnect	192.150.14.69:4040 -> 192.150.14.69:33333	SUCCESS	Length: 0, seqnum: 0, connid: 0
19:25:46.3531935	KMPlayer.exe	1292	TCP Connect	VAIO:4039 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65700, rcvwinscale: 2, sndwinscale: 0, seqnum: 0, connid: 0
19:25:46.8058583	KMPlayer.exe	1292	TCP Send	VAIO:4039 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 160, startime: 16658, endtime: 16662, seqnum: 0, connid: 0
19:25:46.8058946	KMPlayer.exe	1292	TCP Receive	VAIO:4039 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 117, seqnum: 0, connid: 0
19:25:46.8896608	KMPlayer.exe	1292	TCP Disconnect	VAIO:4039 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
19:25:47.5566373	KMPlayer.exe	1292	TCP Reconnect	VAIO:4041 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
19:25:48.0517011	KMPlayer.exe	1292	TCP Reconnect	VAIO:4041 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
19:25:53.8716409	KMPlayer.exe	1292	TCP Reconnect	VAIO:4045 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
19:25:54.3716393	KMPlayer.exe	1292	TCP Reconnect	VAIO:4045 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
19:25:57.5486858	KMPlayer.exe	1292	TCP Connect	VAIO:4046 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65700, rcvwinscale: 2, sndwinscale: 0, seqnum: 0, connid: 0
19:25:57.8876608	KMPlayer.exe	1292	TCP Send	VAIO:4046 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 200, startime: 16769, endtime: 16773, seqnum: 0, connid: 0
19:25:57.8876995	KMPlayer.exe	1292	TCP Receive	VAIO:4046 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 92, seqnum: 0, connid: 0
19:25:57.9160609	KMPlayer.exe	1292	TCP Disconnect	VAIO:4046 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0

What probably happens is that KMPlayer queries one (or more) DNS names, which are probably balanced over more IPs.

What is important in these setups is that if you block an IP and the DNS starts to point to another address, the block rule no longer works.
The other important thing to keep in mind is that if a hostname is used in a block rule, it will only block the specific address that gets resolved by DNS at startup of the PC.
If the DNS answer has a short timeout, it will probably switch to another IP and your block rule won’t work anymore.

You can use the command below in a command box to see what entries might relate to your KMPlayer quest.

ipconfig /displaydns

Can you post the names used?

p.s. doesn’t KMPlayer allow disabling the check for updates?

Turning off update checks is likely not to stop the reporting of usage information, so this probably won’t make any change.
I have put those addresses into the global blocked zones and it seems that the access was blocked:

20:58:13.8270704	KMPlayer.exe	3996	TCP Connect	192.150.14.69:16425 -> 192.150.14.69:33333	SUCCESS	Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 8192, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0
20:58:13.8279314	KMPlayer.exe	3996	TCP Send	192.150.14.69:16425 -> 192.150.14.69:33333	SUCCESS	Length: 36, startime: 2153092, endtime: 2153092, seqnum: 0, connid: 0
20:58:13.9278665	KMPlayer.exe	3996	TCP Receive	192.150.14.69:16425 -> 192.150.14.69:33333	SUCCESS	Length: 84, seqnum: 0, connid: 0
20:58:13.9279182	KMPlayer.exe	3996	TCP Receive	192.150.14.69:16425 -> 192.150.14.69:33333	SUCCESS	Length: 84, seqnum: 0, connid: 0
20:58:13.9283315	KMPlayer.exe	3996	TCP Disconnect	192.150.14.69:16425 -> 192.150.14.69:33333	SUCCESS	Length: 0, seqnum: 0, connid: 0
20:58:14.4779918	KMPlayer.exe	3996	TCP Reconnect	VAIO:16424 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
20:58:14.9779981	KMPlayer.exe	3996	TCP Reconnect	VAIO:16424 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
20:58:16.4520003	KMPlayer.exe	3996	TCP Reconnect	VAIO:16427 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
20:58:16.9630002	KMPlayer.exe	3996	TCP Reconnect	VAIO:16427 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
20:58:17.4139966	KMPlayer.exe	3996	TCP Reconnect	VAIO:16428 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
20:58:17.9139899	KMPlayer.exe	3996	TCP Reconnect	VAIO:16428 -> 61-111-8-189.kidc.net:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
20:58:18.0139948	KMPlayer.exe	3996	TCP Reconnect	VAIO:16431 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0
20:58:18.5139978	KMPlayer.exe	3996	TCP Reconnect	VAIO:16431 -> 209.137.130.253:http	SUCCESS	Length: 0, seqnum: 0, connid: 0

http://content.screencast.com/users/nobody5/folders/Snagit/media/53be52b4-5475-496e-a8d5-44b1e73bd1cd/cfw1.png

Anyway, a good tutorial on how to securely block access to domains or IPs at the application level would be useful.
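The captures above are hard to read by eye, and the two questions the thread keeps circling back to are (a) did the blocked destination actually exchange payload, or is the application just retrying a connection that never completes, and (b) does the rule as written cover the IP the destination currently resolves to (the DNS point made a few posts up). The script below is an added example, not code from the thread or from Comodo: it parses ProcMon TCP lines in the tab-separated shape posted here (the sample lines are copied from the second capture with the detail field shortened), classifies each remote destination, and checks IP literals against a list of block rules given as IPs or CIDRs. It assumes that a run of `TCP Connect`/`TCP Reconnect` events with `Length: 0` and no `Send`/`Receive` afterwards means the handshake is being retried rather than completed, which is what a silently dropping rule looks like; a destination that shows `Send`/`Receive` with non-zero lengths has clearly reached its peer. The `/24` rule in `main` is only there to illustrate range coverage against the whois data quoted in the thread, not a recommendation.

```python
"""Triage ProcMon TCP events to see whether a per-host firewall block is effective."""
import ipaddress
import re
from collections import defaultdict

# Sample input, copied from the thread's second capture with the detail column
# shortened to what the parser needs (ProcMon columns are tab-separated).
SAMPLE_LOG = (
    "19:25:46.0084312\tKMPlayer.exe\t1292\tTCP Connect\t192.150.14.69:4040 -> 192.150.14.69:33333\tSUCCESS\tLength: 0, mss: 1460\n"
    "19:25:46.0087733\tKMPlayer.exe\t1292\tTCP Send\t192.150.14.69:4040 -> 192.150.14.69:33333\tSUCCESS\tLength: 36, seqnum: 0\n"
    "19:25:46.3531935\tKMPlayer.exe\t1292\tTCP Connect\tVAIO:4039 -> 61-111-8-189.kidc.net:http\tSUCCESS\tLength: 0, mss: 1460\n"
    "19:25:46.8058583\tKMPlayer.exe\t1292\tTCP Send\tVAIO:4039 -> 61-111-8-189.kidc.net:http\tSUCCESS\tLength: 160, seqnum: 0\n"
    "19:25:46.8058946\tKMPlayer.exe\t1292\tTCP Receive\tVAIO:4039 -> 61-111-8-189.kidc.net:http\tSUCCESS\tLength: 117, seqnum: 0\n"
    "19:25:47.5566373\tKMPlayer.exe\t1292\tTCP Reconnect\tVAIO:4041 -> 209.137.130.253:http\tSUCCESS\tLength: 0, seqnum: 0\n"
    "19:25:48.0517011\tKMPlayer.exe\t1292\tTCP Reconnect\tVAIO:4041 -> 209.137.130.253:http\tSUCCESS\tLength: 0, seqnum: 0\n"
)

LENGTH_RE = re.compile(r"Length:\s*(\d+)")


def parse_events(log_text):
    """Yield (operation, src_host, dst_host, dst_port, length) for each TCP line."""
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7 or not fields[3].startswith("TCP "):
            continue
        op = fields[3][4:]                      # "Connect", "Send", "Reconnect", ...
        src, _, dst = fields[4].partition(" -> ")
        src_host = src.rsplit(":", 1)[0]
        dst_host, _, dst_port = dst.rpartition(":")
        match = LENGTH_RE.search(fields[6])
        length = int(match.group(1)) if match else 0
        yield op, src_host, dst_host, dst_port, length


def classify_destinations(log_text):
    """Map 'host:port' to 'local', 'data-exchanged' or 'attempts-only'.

    local          : source and destination host are the same (in-process IPC)
    data-exchanged : at least one Send/Receive with a non-zero length was seen,
                     so the block rule did not stop this destination
    attempts-only  : only Connect/Reconnect with Length 0, i.e. the handshake is
                     being retried and never completes (assumed to be the drop)
    """
    payload = defaultdict(int)
    is_local = {}
    for op, src_host, dst_host, dst_port, length in parse_events(log_text):
        key = f"{dst_host}:{dst_port}"
        is_local.setdefault(key, src_host == dst_host)
        if op in ("Send", "Receive") and length > 0:
            payload[key] += length
    verdict = {}
    for key, local in is_local.items():
        if local:
            verdict[key] = "local"
        elif payload[key] > 0:
            verdict[key] = "data-exchanged"
        else:
            verdict[key] = "attempts-only"
    return verdict


def covered_by_rules(dest_host, rules):
    """True/False when dest_host is an IP literal inside/outside the IP or CIDR rules.

    Returns None when ProcMon shows a (reverse-resolved) name instead of an IP:
    a rule pinned to one resolved address may not cover what the name resolves
    to now, so the current IPs must be checked separately.
    """
    try:
        ip = ipaddress.ip_address(dest_host)
    except ValueError:
        return None
    return any(ip in ipaddress.ip_network(rule, strict=False) for rule in rules)


if __name__ == "__main__":
    rules = ["209.137.130.0/24"]   # illustrative: the CIDR quoted in the thread's whois output
    for dest, verdict in classify_destinations(SAMPLE_LOG).items():
        host = dest.rsplit(":", 1)[0]
        print(f"{dest:32} {verdict:15} rule-covered={covered_by_rules(host, rules)}")
```

Two things to keep in mind when reading the output: ProcMon shows names such as `61-111-8-189.kidc.net` only because its Options > Resolve Network Addresses setting is on; turn it off to see the raw IPs, which is what the firewall actually matches on. And the `192.150.14.69:33333` traffic is the machine talking to itself, which is why a rule for the remote hosts has no effect on it.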