Interpreted scripts require separate policy

Hi,

I’ve been using CIS as anti-virus and firewall for a while now, but I updated to the latest version a couple of nights ago (I’m a bit behind in the updates) and have found that interpreted scripts now require a separate firewall policy for each script.

I can understand that this allows better control over what can communicate rather than just blanket allowing the interpreter, and is tied into the AV as well.

However, I run an Apache installation on my computer and use Bugzilla to track bugs in software I develop. It’s all written in Perl and therefore all the pages are interpreted. I used to be able to allow perl.exe and I would be fine, but now it seems I need to set permissions for every script/page in Bugzilla. Is there any way to set the firewall policy using one configuration, for example so that any scripts from directory “x” are treated as one application or using one of the parent processes (apache or perl)?

Cheers.

Edit: I should probably mention that this is on Win XP Pro SP3 x86, running CIS version 5.4.189822.1355 with Virus db 8931.

Got an example?

Is this issue concerning the scripts requesting internet access, or is this an issue pertaining to the scripts requiring system resources. The former generate Firewall alerts and the latter D+ alerts.

Try giving perl.exe the Installer/Updater policy.

CIS will make the rule and will place it somewhere underneath the “All Applications” rule. Please move the rule for perl.exe to a place above the “All Applications” rule. This is because all rules under the All Applications rule will follow the rule set by the All Applications rule and not the rule set by the policy.

Is what you’re saying - I did request you clarify that on another thread - the difference between making a rule and the auto rule and where they get placed?

FWIW: auto rules get auto-placed at the top of any rule-set. New rules get put at the bottom of the rule-set for any app. You must drag user-rules to where they should be to become effective.

It is about the place of the rule. If you need another policy than the one trusted applications get by default you need to drag it to a place above the “All Applications” rule.

Hi,

The issue is that of the scripts requesting internet access (actually a TCP connection to the localhost) not that they are requesting system resources. (Aside to moderators: could this topic get moved back to the Firewall help where it belongs please? Thanks.)

I have (in this order) the following firewall entries:

  • Apache (httpd.exe)
    • Allow TCP In Source Any:Any Dest Any:HTTP Ports
    • Allow IP Out Source Any Dest Zone Loopback Protocol Any
    • Block and log everything else
  • perl.exe
    • Allow IP Out Source Any Dest Zone Loopback Protocol Any
    • Block and log everything else
  • x:\path_to\bugzilla\index.cgi
    • Allow IP Out Source Any Dest Zone Loopback Protocol Any
    • Block and log everything else
  • All applications
    • Ask and log everything

In previous versions of CIS I did not need the index.cgi script in the firewall configuration. However, if I do not include that entry with the current version and I visit http://localhost/bugzilla/ then the script runs but gives me an error saying that it cannot connect to MySQL on localhost. I also have a firewall log entry saying that “x:\path_to\bugzilla\index.cgi” has been blocked. (This is how I know it is a firewall issue and not a D+ issue.)

However, any other pages also fail until I add them to the firewall configuration. There are 52 files in all, and I’m sure I could probably have added the same rule for all pages individually in the same time it took me to ask about it here :), but it just seems so inefficient to not be able to specify files in groups.

Perhaps I’ve missed something?

Moved back as per request.

Is your Bugzilla application on a local drive or on an external drive?

Maybe it is possible to make a more generic rule. It is possible to use wildcards in CIS. So, if there are a limited set of common denominators it may be possible to make more generic rules.

Hi EricJH

Thanks for moving the topic back to the firewall forum.

The Bugzilla application is on a local drive.

I did not realise it was possible to use wildcards in CIS. I never noticed it in the manual, and when you select the application to create the firewall rules for, the file selection dialog is only single-select (so I never thought to try wildcards). I’ve just tried allowing access to *.cgi instead of index.cgi and it works for all the top level pages.

Thank you for your assistance.
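An added illustration (not from the thread or from Comodo) of the two points raised above: the application list is evaluated top-down with the first matching entry winning, which is why a perl.exe rule below “All Applications” is shadowed, and a wildcard entry such as x:\path_to\bugzilla\*.cgi covers every script in one line. The evaluation model, the zone names and the `decide` helper are assumptions for this example, not CIS's own engine.

```python
from fnmatch import fnmatchcase

# Constructed model of an ordered application rule list (illustrative only,
# not CIS's real engine): walk the list top-down; the first application
# pattern that matches the process path decides, using that application's
# own first matching rule. "any" is a wildcard field; ports are ignored.
ANY, LOOPBACK, INTERNET = "any", "loopback", "internet"
OUT, IN = "out", "in"

def matches(pattern, path):
    """Wildcard match on the process path, lower-cased because Windows
    paths are case-insensitive. '*' also crosses backslashes here."""
    return fnmatchcase(path.lower(), pattern.lower())

def decide(policy, app_path, direction, dest_zone):
    """Return (action, owning_pattern) for one connection attempt."""
    for app_pattern, rules in policy:
        if not matches(app_pattern, app_path):
            continue
        for action, rule_dir, rule_zone in rules:
            if rule_dir in (ANY, direction) and rule_zone in (ANY, dest_zone):
                return action, app_pattern
        return "ask", app_pattern      # app matched but none of its rules did
    return "ask", None                 # nothing matched at all

# The thread's rule set, with one wildcard entry replacing the per-file
# *.cgi entries, and every specific entry placed ABOVE the catch-all.
LOCAL_ONLY = [("allow", OUT, LOOPBACK), ("block", ANY, ANY)]
POLICY_OK = [
    ("httpd.exe", [("allow", IN, ANY)] + LOCAL_ONLY),
    ("perl.exe", LOCAL_ONLY),
    (r"x:\path_to\bugzilla\*.cgi", LOCAL_ONLY),
    ("*", [("ask", ANY, ANY)]),        # "All applications"
]
# Same rules, but perl.exe left BELOW "All applications": the catch-all
# shadows it, which is the placement mistake EricJH warns about.
POLICY_MISPLACED = [r for r in POLICY_OK if r[0] != "perl.exe"] + [("perl.exe", LOCAL_ONLY)]

if __name__ == "__main__":
    for script in (r"x:\path_to\bugzilla\index.cgi", r"X:\Path_To\Bugzilla\query.cgi"):
        print(script, decide(POLICY_OK, script, OUT, LOOPBACK))
    print("perl.exe, placed above :", decide(POLICY_OK, "perl.exe", OUT, LOOPBACK))
    print("perl.exe, placed below :", decide(POLICY_MISPLACED, "perl.exe", OUT, LOOPBACK))
    print("cgi to internet        :", decide(POLICY_OK, r"x:\path_to\bugzilla\index.cgi", OUT, INTERNET))
```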