Sneaky Programs

Hi All,
After the recent uproar about Microsoft’s sneaky WU update, I got to thinking about how it happened. Well, I bet that the update mechanism was given permission to get through the firewall by me. Of course it would. Why would I block that? Microsoft chose to use that permission in a very underhanded way. There was no harm done, but if the door is open, it’s open. Really tough to keep out the bad guys if they are invited in by a welcomed guest.
I am wondering if there might be a way to use some rules in the firewall to prevent, or at least report on, this. While I leave my computer on most of the time, it is usually so if an IM comes in, I get it, or I’m checking email, or surfing.
How about a rule that says “these programs can use the net always, these must ask for net time, these can be scheduled net time, and these have no business on the net at all”
My mind hurts just thinking about what it would take to get that working smoothly. Oh boy!
Unfortunately, we have several bullies on the net that think they own our computers, and will do with them as they want. It is a sad day to realize that we need to protect our computers from the likes of Microsoft, Sun, and AOL! They have all abused their access to our systems, and if they can do it, so can someone under the radar!
So, is this doable? Is there interest in having this feature?

Btw, I do love CFP and CAV! Awesome apps!


If I understand you right, then your problem can be solved only by operating system authors :). Last time the news came up about the fact they are changing windows update data without notice. The bad part: it is without permission, you didn’t count a single byte for this unknown activity, you can get mad cause you just don’t know what is sending/receiving data. The good part (in logical terms): we all remember when the windows update site was attacked and we couldn’t update our systems. When this happened, the malware only attacked the basic dns address of the site, so IF the target of these replacements is to avoid these cases (ex. you will get a random dns access), then it’s not a bad thing.
The opinion: the author of the operating system must have created at least a message box with OK/Cancel or alike.

Is there, or could there be, a way to identify what programs access the net, and to where, when the pc is idle? Maybe a way to tell the firewall to increase the logging level on some schedule? Unless I am downloading a cd iso or doing a large update, my pc has no need to be on the net at night. I just leave it on because it will suspend itself and I don’t need to think about it. I’d like to know what net activity is going on while I sleep.
I remember back in 1999, I used a firewall called atguard. It logged everything that came through the firewall: time, data size, destination. I used it several times to track attackers. They never got through, but they tried, and I was able to track them down, at least to their ISP.
Anything like that on CFP?
That way I could at least see after the fact who was surfing while I slept.


If you have disabled the automatic updates 100% and then run as a limited user, I have found the sneaky updates may download but they cannot install, and you have a chance when the icon says “Something is downloaded and ready to install” to tell it not to install.

I should include this in my “Reasons to run as limited user”.

I must admit, I gave up on running as a limited user with Windows 2000. Tried it in NT4 and 2000 both, but it was such a pain, I just switched my account to admin rights and have not looked back. I have looked at many lists in the past about how to run in a LUA, but none erased enough of the problems for it to be a daily event. You mentioned your “Reasons to run as limited user”. I would like to read these reasons, and see if maybe you have something to offer for solutions for the problems a LUA brings. I agree that running in a LUA is best from a security perspective, but I learned the hard way many years ago on the first network I administered - security that is intrusive and cumbersome, or unduly limits the users’ ability to do their work, is not security at all because you will have to either reduce the security level, or turn off the computer, cuz the users will not tolerate it. So, hopefully you have some new insights for me.
I searched the web and this forum for the phrase “Reasons to run as limited user”, and found nothing. Where do I find this list?


You can schedule a batch file which contains this line:
netstat -nba >>report.txt
(or simply “netstat -b >>report.txt” or -ba)
A report.txt will be created and will be updated every time you run the batch file (ex. example.bat, you can write it with notepad, simple text). At first, I would recommend testing out how big the txt is cause it will be much bigger later and you might need a better text editor than notepad.
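An added example, not from this thread: a small Python script that parses the report.txt produced by the batch file above and summarises which program talked to which remote address, dropping listeners, loopback and unbound UDP so only real outbound traffic is left. The sample netstat output is constructed inline, and the parser assumes the Windows netstat -b layout in which the owning executable appears in brackets on the line after each connection.

```python
import re
from collections import defaultdict

# Constructed sample of what "netstat -nba >>report.txt" appends on Windows.
SAMPLE_REPORT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.5:49210      203.0.113.10:443       ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.5:49240      198.51.100.7:80        ESTABLISHED
 [wuauclt.exe]
  TCP    127.0.0.1:5354         127.0.0.1:49152        ESTABLISHED
 [mDNSResponder.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
  TCP    192.168.1.5:49301      198.51.100.53:443      ESTABLISHED
  Can not obtain ownership information
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")  # " [program.exe]" line after a connection

def parse_netstat_b(text):
    """Yield (proto, local, remote, state, owner) for every connection line."""
    pending = []  # connection lines still waiting for their owner line
    for line in text.splitlines():
        conn, owner = CONN_RE.match(line), OWNER_RE.match(line)
        if conn:
            pending.append((conn.group(1), conn.group(2), conn.group(3), conn.group(4) or ""))
        elif owner or line.strip().startswith("Can not obtain ownership"):
            name = owner.group(1) if owner else "<unknown>"
            for c in pending:
                yield c + (name,)
            pending = []
        # header, blank and service-name lines (e.g. "RpcSs") are skipped
    for c in pending:  # trailing connections with no owner information
        yield c + ("<unknown>",)

def outbound_summary(text):
    """Count remote endpoints per program, dropping listeners, loopback and unbound UDP."""
    summary = defaultdict(lambda: defaultdict(int))
    for proto, _local, remote, state, owner in parse_netstat_b(text):
        host = remote.rsplit(":", 1)[0]
        if state == "LISTENING" or remote == "*:*" or host.startswith("127.") or host == "[::1]":
            continue
        summary[owner][f"{proto} {remote}"] += 1
    return {owner: dict(endpoints) for owner, endpoints in summary.items()}
```

Run it against an overnight report.txt and the entries under "<unknown>" or unfamiliar executables are the ones worth a closer look.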

Reasons to run as limited user: I haven’t found this on the forum - we got some words in Hungary :) -, maybe a new forum entry for you? :) It’s quite a good idea to run executables with the runas command. Use Shift+right-click on a link, then choose Run as… The simple reason is - example - that a program won’t be able to write startup entries to the registry if the user has insufficient rights (ex. to HKLM’s Run).
You can also use GPO to set up various settings per user access, example: user can’t modify the browser’s home page or install ActiveX, etc.

I should search with “technet” word.