CIS cannot determine when a program accesses a site through a system application or a proxy (Proxifier); it displays the connection as if it were access to the loopback (127.0.0.1) zone rather than to an external resource.
That is how proxy connections work… You have a proxy server listening on the loopback interface, and then you set applications to connect to the listening port using the localhost address. The proxy server then makes the connection for the application, and thus the connection looks like it originally comes from the proxy server.
Yeah, I know. But there are also programs where the transfer of data between the GUI and the service occurs through the loopback interface (for example, Diskeeper), and I am confused about which rule to choose… I used Outpost Firewall, and there it was clear when the program communicates with the GUI and when it goes online via a proxy.
I would like to ask you to modify CIS so that it is clear when the program goes online via svchost.exe or Proxifier, and when it sends data to the GUI.
Well, in the firewall alerts you also have the destination port, which tells you if the application is connecting through a proxy. If the proxy is listening on, say, port 8080 and you see a firewall alert to localhost with port 8080, then you know it's going through the proxy. What you're thinking of is RPC and COM interface access, which is handled by HIPS. Another way an application can access the network through another running application is by interprocess memory access.
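The port check described in the reply above, as an added example that is not part of the original thread: it matches the destination port of each loopback alert against a table of local listeners to separate proxy traffic from GUI-to-service traffic. All process names, the IPC port and the alert records are constructed for illustration; ports 8080 and 9150 are the ones mentioned in the thread.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data, not taken from the thread. Listener table in the
# form a tool such as `netstat -ano` gives you: (bind address, port) -> process.
# Process names and the IPC port are hypothetical.
LISTENERS = {
    ("127.0.0.1", 8080): "localproxy.exe",    # proxy bound to loopback only
    ("0.0.0.0", 9150): "otherproxy.exe",      # wildcard bind also serves loopback
    ("127.0.0.1", 31038): "svc_backend.exe",  # service that talks to its own GUI
}
PROXY_PROCESSES = {"localproxy.exe", "otherproxy.exe"}

Alert = namedtuple("Alert", "app dst_ip dst_port")


def classify(alert, listeners=LISTENERS, proxies=PROXY_PROCESSES):
    """Return (kind, owner) for one outbound firewall alert."""
    ip = ipaddress.ip_address(alert.dst_ip)
    if not ip.is_loopback:
        return ("external", None)
    # Exact bind first, then the wildcard bind of the same address family.
    wildcard = "0.0.0.0" if ip.version == 4 else "::"
    owner = (listeners.get((str(ip), alert.dst_port))
             or listeners.get((wildcard, alert.dst_port)))
    if owner is None:
        return ("loopback-unknown", None)  # no known listener on that port
    if owner in proxies:
        return ("via-proxy", owner)        # next hop is the proxy
    return ("local-ipc", owner)            # traffic stays on the machine


ALERTS = [  # constructed alerts
    Alert("browser.exe", "127.0.0.1", 8080),
    Alert("svc_gui.exe", "127.0.0.1", 31038),
    Alert("updater.exe", "127.0.0.1", 9150),
    Alert("tool.exe", "127.0.0.1", 5555),
    Alert("mail.exe", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for a in ALERTS:
        print(a.app, a.dst_ip, a.dst_port, *classify(a))
```

A "via-proxy" result only identifies the proxy as the next hop; the final destination still has to come from the proxy's own log.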
So that is how it is, i.e., I can safely block everything) By the way, the ports do not match; the proxy is on port 9150. Proxifier works through Winsock and passes through the proxy even what the proxy does not support. For me it would be more logical to display the IP address of the destination; the fact that it works through a proxy I already know, but to which sites, I cannot see. Through a proxy everything is already in one heap, so it is more difficult to understand. Well, in general, everything is clear. Thank you, you enlightened me.
It is probably worth displaying two messages: when accessing the loopback interface and when accessing an external resource through a proxy. I think the IP can be determined from the packet being sent.