How2 Monitor "phone home" from Browser

I am using a competitor's FW/AV and am thinking of switching to CIS.

I use WAMP on my XP desktop to test Joomla! add-ons and scripts; as well as other php scripts before I upload to the WWW and go live.

So, I installed a trial addon to J! that required a ‘key’ from the developer and thought that my FW would alert me to the outgoing connection that the add-on was making to verify the key; but it didn’t/can’t.

I’ve considered installing a VM, but am not sure how a VM works so that I would be alerted to outgoing connections from a script.

Just to clarify - I realize many apps have license bots that phone home to verify it's a legal copy. I'm not trying to circumvent that. It's just that with over 4K of extensions available for J!, I'd like to be certain that once installed, the extension is not reading the member list, etc. and sending that info to who knows where. For example, I paid a small fee for a neat WHOIS script that, come to find out, connects to the developer's site every time a query is run. Not saying that he's "tasting" the lookups but, I wished I'd known that before I uploaded it to my site.

So to recap - when I run WAMP and enter 127.0.0.1 or localhost in my browser (FF3 or IE7) and launch J!, or any other script, I'd like to be alerted to any attempts by the browser to send outgoing packets. I also would like to be able to open another tab and browse, say, to commodo.com without any restrictions.

Possible?

Trying to figure this out on my own, but in case anyone’s watching …

Under Firewall > Firewall Tasks > Advanced - it seems possible to create a rule using either Network Security Policy or Predefined Firewall Policies. Question arises if I use NSP will PFP inherit the rule? Seems not or I’m not understanding how to do it.

In NSP I created new rules for FireFox. Ask for IP Out and Ask for TCP or UDP OUT from IP 127.0.0.1 and changed my ND Security Level to Custom.

So if I choose CommunityBuilder and click the link to check for version updates, CIS is still allowing the connection >:(

If you run Defense+ in Paranoid Mode, it will produce an alert based on protocol, direction, port and destination for every outbound attempt. While this will give you a mountain of info (which would contain any possible “phone homes”) you would need to work out which was which.

How does the joomla addon work - as a browser add-in (BHO or similar) or as an externally called app? If it's an externally called app, then you can create specific rules for the app, not the traffic.

Ewen :slight_smile:

Is your clock set correctly? What are you doing up so late?

If you run Defense+ in Paranoid Mode...
but this would require enabling and disabling that mode every time I wanted to just browse and not just test an app, correct?

I'm not clear on what localhost - 127.0.0.1 - really is as far as CIS is concerned. Is it Loopback, an IP or a Network address? Seems to me either Network Security Policy or Predefined Firewall Policies is where a rule could be added.

J! is a PHP/MySQL app and the add-ons are Modules or Plugins that extend it. But take for example the WHOIS script I mentioned. So the directory structure of WAMP includes a WWW dir on my C: drive. Under WWW is the ubiquitous site "mydomain.com" where I have index.html, etc. and below that another dir, whois, where the script and its index.php file is stored. I load WAMP and go to 127.0.0.1/mydomain.com and click the link to the whois script. Not only is it connecting to some registry to fetch the data, but it's contacting the developer's site. I need to be alerted to the fact that these outgoing connections are being called/requested.

And btw - Ewen :slight_smile: =?

Que?

but this would require enabling and disabling that mode every time I wanted to just browse and not just test an app, correct?

Correct. As far as I can see, the outbound traffic is sent by the browser itself. Therefore, it would be difficult to parse "phone home" traffic from normal browser traffic.

J! is a PHP/MySQL app and the add-ons are Modules or Plugins that extend it. But take for example the WHOIS script I mentioned. So the directory structure of WAMP includes a WWW dir on my C: drive. Under WWW is the ubiquitous site "mydomain.com" where I have index.html, etc. and below that another dir, whois, where the script and its index.php file is stored. I load WAMP and go to 127.0.0.1/mydomain.com and click the link to the whois script. Not only is it connecting to some registry to fetch the data, but it's contacting the developer's site. I need to be alerted to the fact that these outgoing connections are being called/requested.

This could only be done by monitoring ALL browser traffic, unless you knew some specifics of the destination address/site. If there is no way to discriminate, our only options are monitor all or monitor none.

And btw - Ewen :-) =?

Ewen = my name :slight_smile:

:slight_smile: = :slight_smile:
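One way to get the "specifics" Ewen mentions is to look at which local process owns each outbound connection. This is an added example, not code from the thread or from Comodo: it parses constructed `netstat -ano` style output plus a constructed PID-to-image map in the shape of `tasklist`, and groups every non-loopback connection by owning process, so connections held by the web server (httpd.exe is an assumed name) are listed separately from browser connections.

```python
"""Group outbound connections by the process that owns them (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample in the text layout of Windows `netstat -ano` (not a real capture).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:80           127.0.0.1:51234        ESTABLISHED     1488
  TCP    127.0.0.1:51234        127.0.0.1:80           ESTABLISHED     2204
  TCP    192.168.1.10:51240     203.0.113.43:43        ESTABLISHED     1488
  TCP    192.168.1.10:51241     198.51.100.7:80        ESTABLISHED     1488
  TCP    192.168.1.10:51242     203.0.113.80:443       ESTABLISHED     2204
  UDP    0.0.0.0:500            *:*                                    820
"""

# Constructed PID -> image name map, as `tasklist` would report it (assumed names).
PROCESSES = {1488: "httpd.exe", 2204: "firefox.exe", 820: "lsass.exe"}


def parse_netstat(text):
    """Yield (proto, local, remote, pid) for TCP rows; UDP rows have no state column."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, _state, pid = parts
            yield proto, local, remote, int(pid)


def is_loopback(addr_port):
    """True for 127.x.x.x / ::1 endpoints; handles the [::1]:80 form too."""
    host, _, _port = addr_port.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")).is_loopback


def external_connections(text, processes):
    """Map image name -> list of non-loopback remote endpoints it currently holds."""
    result = defaultdict(list)
    for _proto, _local, remote, pid in parse_netstat(text):
        if not is_loopback(remote):
            result[processes.get(pid, f"pid {pid}")].append(remote)
    return dict(result)


if __name__ == "__main__":
    for image, remotes in external_connections(NETSTAT_SAMPLE, PROCESSES).items():
        print(f"{image}: {', '.join(remotes)}")
```

The browser-to-WAMP request stays on loopback and is dropped; only the connections that actually leave the machine are reported, per process.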

Really too bad. I'll keep testing other FWs then …