In SIW I can I see all network info (screen), even when it should be blocked.
I booted to safe mode (to be without network) and I get only 127.0.0.1 info.
I just tried Jetico 2 and it asked me to block SIW, I did and it did not leak info.
A friend has Jetico 1, with SIW blocked, he gets only 127.0.0.1 info too (screen).
Just for the record, when I was using Outpost Pro 3.5, SIW was leaking there too.
When I allow asking, SIW asks only for DNS, which I deny, but it still gets the info.
I did not pay atention to it, but today I have noticed others PCs there too (screen).
Maybe they can see me as well, even with NetBIOS, DCOM and other stuff disabled?
Any idea, how to fix it, to block SIW completelly, so it would not be able to get info?
It’s difficult to say what port(s) protocol(s) and ip(s) have to be blocked, because I am not familiar with SIW. However, i see al your “Block” rules are at the bottom of your Network rules hierarchy. It may be necessary to move the one or more higher up in order to block SIW. Just my theory.
I do believe that with CPF, the network rules work from top to bottom - it starts at the top, and will stop once it reaches a block rule; thus, your blocks are at the bottom. But this is not application-specific.
Have you set an application rule to block the specific SIW behavior? I’ve attached a screenshot for example. You can create a rule for each “parent” and each protocol that SIW uses, per the CPF logs.
I use SIW from time to time, and have a block in place. I don’t see the kind of results you’re seeing. All it is collecting from mine is information stored on my computer; it’s not searching my network.
Please be informed that application does not connect to the network. It queries locally
stored data such a DNS servers, DHCP etc. It does not need any network connection to obtain these details. It sometimes performs DNS queries in this case CPF asks.
Hmm, I looked on this problem via RegMon, it looks that SIW asks lsass.exe for permissions to view TCP/IP keys, so I guess, that Jetico 2 denies SIW to access regedit file based on the security policies, because as far as I know, Jetico 2 does include registry monitoring. Well, I will see, how CPF 3.0 will handle SIW with the sandbox in the future and for now I will look for some registry monitoring software to see if I will be able to block SIW from reading registry.
That might be addressed once they add a full HIPS to CPF; I don’t know if it will do that or not, to that extent.
Not sure what might monitor/protect the registry in the way you want, but there’s bound to be something… Here’s a couple I found you might look into: DiamondCS RegProt 2.0 (free), and RegDefend 2.001 (free trial). Looks like they primarily monitor for changes to the registry, rather than viewing access, tho.
Thanks, but it seems, that it is more difficult than I thought.
Both software protects registry from being modified or deleted.
And since SIW “only” reads info from there, it does not really help.
I run as a system admin, so I should try to run SIW with limited rights.
Oh no, I can not do it, DropMyRights needs a junk called NET.Framework.
Nevermind, as long as it is not network issue, I can learn to live with that.
Maybe a HIPS-type app - Prevx, Process Guard, System Safety Monitor, Neoava Guard, or even CyberHawk. I’m thinking what would probably happen, tho, is that they would just ask you if you want to allow SIW to run, rather than go to the level of detail to ask if you wanted it looking at the registry…
Just the last thought, I was so busy with this, that I forgot about main reason, why I posted this.
The problem was, how can I see other PCs from my LAN? It can not be read from registry or can it?
Anyway, I just let it go, I am quite tired of all those setting, so I will just ignore it for the time being.
You know, I really don’t know. I don’t see how that’s registry-related. I can see that SIW looks at the registry to retrieve some of its information, but that’s only software-related. The IP configuration is available from your computer/network card, which will show your network name (if applicable), DNS, Gateway, etc.
Here’s something I thought of, tho… Go to Security/Advanced/Miscellaneous, and see if the “Skip loopback” boxes are checked. If so, uncheck them, reboot, and run SIW again. If it’s getting what you’re seeing from the 127.x.x.x info, this will alert you to stop that (it may also alert you on a whole lot of svchost.exe/system/services traffic as well).
I still don’t get the same thing you’re getting, so there must be a setting different, somehow, or a network control rule. FYI, I do skip the loopbacks, I have an application rule blocking SIW.exe TCP/UDP Out, and Ido not have a network or trusted zone defined (I’m on a LAN, but not thru a server, don’t need to share any files/drives, and do not want anyone else to have access to my computer. Since it’s, in essence, a direct connection, I skipped all that to remain anonymous…).
Perhaps you have a defined network?
What do you see if you go to Start/Run, type “cmd” to open the DOS window, and type “ipconfig /all”? Is more than just your computer/gateway/dns shown? Are other network computers visible there?
I do not skip loopback and I can not use ipconfig, I removed it with nLite.
I had this problem before I knew nLite, but maybe it is due my reg settings?
I have so many registry settings, that I even do not know, what they are for.