Does anyone have some generic hints regarding how to tell whether a CFP alert mentioning a “received connection from the Internet” is about an external intrusion attempt or instead is simply about regular activity by our legitimate applications?
I mean, consider the attached screenshot; CFP is warning me that System is trying to receive a connection from the Internet. The security considerations CFP shows me are useful, but IMO strong technical expertise would be needed to take full advantage of them.
Most people (I for one) have no idea whether an external intrusion attempt would use System to have it receive a connection, or what. So I can’t tell whether allowing this request will mean allowing the intrusion.
Now, this is only an example, and in this specific case I decided to allow because if I issue an “ipconfig /ALL” at the command prompt, I see, among a lot of other things, that my “IPv4 address” is 37.231.4.202, which seems somehow to include the remote IP shown by CFP in its alert.
But it’s not that I actually know what I’m doing, and I guess the vast majority of users are in the same situation when faced with these alerts.
What eventually happens is that many people will grossly go for “allow and remember”, but this can result, in the long run, in the firewall becoming useless. I have seen this happen to more than one person, and maybe it’s happening to me as well.
I realize that it’s impossible to have general and certain rules about how to interpret the alerts, but any more hints or suggestions would help. The problem is very real and common IMO.
Yes, it’s part of Windows, but does this mean that it won’t be involved in an intrusion attempt? When a hacker breaks into my PC, will he be connected to some Windows component, or not? (Not a rhetorical question, an actual question :)).
Why should I set System as “Outgoing only”? In the attached screenshot isn’t it “ingoing”? If I set it as outgoing, wouldn’t the connection in the screenshot be blocked by CFP?
Looks like you don’t have a router, which gets rid of a lot of this chatter. The bad news: this is probably a port scan from a zombie machine hosted by your ISP. If you Google “port 445”, you will find it is a port commonly scanned by hackers because a vulnerable port 445 allows remote machines to take over some of your machine functions and do some damage. The way most ISPs work is to establish internet gateways (probably 37.231.43.1 in your case) and then assign IP addresses 37.231.43.x to users that connect through this internet gateway. So any inbound 37.231.43.x is usually an unfriendly computer on your “network” doing a port scan for vulnerable machines.
In general, you need to block all incoming connections and allow only by exception for things you understand. The stealth ports wizard generates such a global rule when you select “stealth my ports”. You may need to add some allows later, if you use things like active FTP, P2P, or are a gamer. But always block these, and then do a little investigation if something stops working. Things like HTTP and passive FTP use TCP connections. TCP connections are bidirectional: you establish an outbound connection, and data flows in both directions. Unless you are acting as a server, as in the exceptions above, you don’t need inbound TCP connections. Some other functions are handled by UDP; this includes DNS lookup, DHCP IP allocation, and other normal machine functions. You control and allow the outbound requests. The responses are handled by NAT/SPI rules automatically, where inbound responses to outbound requests you generated are allowed; you shouldn’t see popups. UDP is actually “connectionless”: you send datagrams back and forth individually and don’t establish a persistent connection as with TCP. ICMP/IGMP are control and status datagrams and are generally just used by hackers to see if anyone is there.
So run a good virus scanner and spyware scanner ASAP. If you see outbound connection attempts you don’t understand, block them as possible Trojans until you can verify them.
As far as the “System is safe” goes, all this means is that you should OK System sending stuff out. But the second part is not emphasized strongly enough: it is an inbound request to a known hacker port and should be blocked unless you understand it or something stops working because of the block.
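Added example, not from the thread or from Comodo: a small Python model of the policy described above (allow outbound, let replies to your own outbound requests back in as NAT/SPI would, block and log every other inbound packet), run over a constructed packet sequence that includes an unsolicited inbound probe to port 445 from a 37.231.43.x address. The packet format, the flow-matching logic, and all addresses other than the 37.231.43.1 gateway mentioned above are simplifications chosen for illustration.

```python
# Toy stateful inbound filter (added example, not CFP's real rule engine).
from dataclasses import dataclass, field

@dataclass
class Packet:
    direction: str      # "out" or "in"
    proto: str          # "tcp", "udp" or "icmp"
    remote_ip: str
    remote_port: int
    local_port: int
    syn: bool = False   # tcp only: True for a new-connection request

@dataclass
class StatefulFilter:
    # Flows you opened yourself: (proto, remote_ip, remote_port, local_port).
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.remote_ip, p.remote_port, p.local_port)
        if p.direction == "out":
            # Outbound is allowed; remember the flow so its replies can come back in.
            if p.proto in ("tcp", "udp"):
                self.flows.add(key)
            return "allow"
        # Inbound data on a flow you opened is a response (NAT/SPI behaviour): allow.
        if key in self.flows and not p.syn:
            return "allow"
        # Everything else inbound (new TCP connections, unsolicited UDP, ICMP):
        # "block and log", so you can investigate later if something stops working.
        self.log.append(f"BLOCK in {p.proto} {p.remote_ip}:{p.remote_port} -> :{p.local_port}")
        return "block"

def run_sample() -> tuple:
    """Run a constructed packet sequence; return (decisions, block log)."""
    fw = StatefulFilter()
    sample = [
        Packet("out", "tcp", "203.0.113.10", 80, 49152, syn=True),   # you open an HTTP connection
        Packet("in",  "tcp", "203.0.113.10", 80, 49152),             # server data on that connection
        Packet("out", "udp", "37.231.43.1", 53, 51000),              # DNS query to the ISP gateway
        Packet("in",  "udp", "37.231.43.1", 53, 51000),              # its reply
        Packet("in",  "tcp", "37.231.43.77", 3344, 445, syn=True),   # unsolicited SMB probe (constructed)
        Packet("in",  "icmp", "37.231.43.77", 0, 0),                 # unsolicited ping
    ]
    return [fw.decide(p) for p in sample], fw.log

if __name__ == "__main__":
    decisions, log = run_sample()
    print(decisions)
    print("\n".join(log))
```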
[QUOTE]In general, you need to block all incoming connections, allow only by exception for things you understand.
[/quote]
This is a clear bottom line, I’ll try to go for it. I’ll certainly be blocking legitimate activities in the beginning, because I’ll allow only what I understand, which means I’ll allow very few things :D, then I’ll investigate when something stops working.
My ISP is Fastweb (I’m in Italy); I know it has some technical peculiarities compared to most ISPs but I can’t explain more about that because I don’t understand enough. I also know that what I got isn’t an actual router, they call it “hag”; I can connect up to 3 PCs via Ethernet ports.
[QUOTE]So run a good virus scanner and spyware scanner ASAP.
[/quote]
Right. I am quite paranoid about viruses and spyware, so I do frequent scans for viruses (I have AVG) and for spyware / trojans (Spyware Doctor and Spybot). I don’t think I currently have viruses / spyware / trojans on my PC, unless these anti* tools are missing them. BTW I just removed any allow rule for System in CFP and when I get new alerts I’ll be much more strict before allowing.
Vettetech, I’m sorry, I’m not 100% getting your point. I know that System is a Windows core component and that I’ll see it among the running processes; my doubt was whether, when a hacker breaks into my PC, it will be System that handles that connection, making System the subject of the CFP alert. BTW the new info I just got here suggests that I basically shouldn’t allow it for inbound connections, so your suggestion of setting it as outbound only is clearer to me, thanks.
And so it is here too, as of now ;D Only svchost BTW, because I removed all rules for System a few minutes ago (I want to see whether new alerts for it will pop up, in which case I’ll set it as outgoing only), and explorer isn’t listed at all in my rules, which should mean it never tried to access the Internet.
By router, I really mean one with a NAT (Network Address Translation) capability that blocks up front most inbound traffic that is not a response to something you sent out. Not really as flexible as a firewall, but a pretty good tool. Sounds like you have a 3-port modem of some sort: do you get 3 different WAN IP addresses, or share the one with 3 different LAN addresses like a wired/wireless setup? A few “block and log” rules as VetteTech suggests will help find out why things are being blocked and help you understand whether they should be allowed. Also a “block and log all” as the last of your application rules is sometimes useful to stop new applications from being allowed before you have a good chance to understand what they are really trying to do. I don’t use global rules, but the global “block and log all in” is a safe place to start. I mentioned some exceptions that require allows above, but there are plenty of threads and FAQ files for things like Skype, utorrent, games, etc. here to help you, along with other users who are regulars with them. And if you are the “average” user (whatever that is) you won’t need a lot of “allow inbound” rules. If you actually have a LAN, vs 3 computers accessing the internet independently, the stealth port wizard will help you set them up as a trusted network so they can talk to each other, share peripherals, etc. but not allow any inbound from the internet.
I manually added explorer.exe this time around, but if you simply do a Windows search, after the search is done you will see explorer.exe in your network security policy. Try it.
Take a look under “view active connections” and you will see “System” listening on port 445; it is the OS program that actually deals with the legitimate internal uses of port 445 for your system. An inbound connection is meaningless unless something is listening. Other port scan attempts may show up as blocked in Windows Operating System since nothing is listening.
This has developed into an interesting thread, I have a few queries:
1. Why would “system”, meaning the whole operating system, need to connect to the internet unless it is for sharing information between 2 computers?
2. Windows as a program uses svchost to obtain things like its IP address and others for checking for updates etc. These are to my knowledge all grouped under “Windows Updater Applications” which comes set in the default configuration. Why have a separate rule for svchost unless you take out the “Windows Updater” one?
3. Since I started using V3 at official launch I have never had a rule for system and had no problems. I do know that anything which V3 cannot put an application name to, it calls Windows Operating System. So why would you need a rule for system, is it really only useful if you have no “Global Rules”?
[quote author=sded]Sounds like you have a 3 port modem of some sort-do you get 3 different WAN IP addresses, or share the one with 3 diferent LAN addresses like a wired wireless setup?
[/quote]
I think I get the same WAN IP address for all the PCs I connect to the “hag”: I just tried from two of these PCs to go to www.printmyip.com and the IP shown is the same for both. I hope this is what you mean :).
BTW the modem / hag / router / whatever is a “Thomson 7G”. I tried to locate a description on the Internet to post here but I failed; however it’s the “Thomson/Alcatel Speedtouch 7G router” mentioned here, which is an article discussing built-in vulnerabilities of the firmware or something like that.
[quote author=sded]Take a look under “view active connections” and you will see “System” listening on port 445-it is the OS program the actually deals with the legitimate internal uses of port 445 for your system.
[/quote]
Actually it’s there :).
That is what port 445 is used for, things like file sharing and remote logon, so “System” aka “kernel” is where it happens. If you don’t do those things, even on a LAN, you should block System.
I don’t have separate rules for svchost. I suspect many do because the popups and block messages are a bit more explicit and show svchost.exe instead of WUA and they make additional rules for it. Most svchost.exe activities have nothing to do with WUA, but that was what was broken and fixed a few versions ago. The default network rules for CFP3 could still use some work.
I think System will come in if you do sharing or act as an ICS Gateway; I made a rule for it so long ago I don’t remember why. So I will erase all except the block and log (for port 445) and try again and see if anything else is happening. Even that rule should be unnecessary if you watch your popups.
BTW, GRC actually has some useful information like GRC | Port Authority, for Internet Port 445 as well as all the tests.
If you have a router with a built-in hardware firewall then that’s your first line of defense. I don’t even need a software firewall to pass ShieldsUP because my modem covers all my inbounds and echo pings. I run Comodo mainly for the HIPS.
On my XP machine I have nothing for System, but on Vista I have. I have a fixed IP on the XP machine, not on the Vista one; or it could be I still need to do something else on the Vista machine to unbind NetBIOS.
Dennis
I just did a search under Windows which brought up the pop-up for explorer.exe, which is fine. However I don’t think “remember my answer” was checked (a rule would have been created, wouldn’t it?) and I do not have a specific rule for it in “application rules”, yet if I try and do a subsequent search under Windows I receive no pop-up.
So is it a case of: if you answer the pop-up once, it is then taken for the whole session? Gonna reboot and try again, but if this is the case…!!