WinXP and ICF

Guest

I turned on my ICF (Internet Connection Firewall) and allowed for no
exceptions. I then surfed to Symantec's firewall scanner service site and
noted that my ports were pretty much closed. A good thing.

Then I made sure to uncheck and then deleted the exception for smartFTP;
restarted the system for good measure; and attempted to ftp to a Georgia Tech
FTP server using smartFTP. It worked!!!

Shouldn't it have been blocked? Shouldn't a warning have popped up telling me
the program was trying to access the internet (I checked that option)!?!

Am I fundamentally misunderstanding how this firewall should work? How can
I make sure the firewall is actually up and running and stopping EXEs on my
machine from heading out onto the internet?
 
Harry Johnston

spike said:
> I turned on my ICF (Internet Connection Firewall) and allowed for no
> exceptions. I then surfed to Symantec's firewall scanner service site and
> noted that my ports were pretty much closed. A good thing.

You will probably need to ask the product support from the vendor that provided
your firewall software, or in a newsgroup dedicated to that software.

If you are talking about the firewall built into Windows, it will only prevent
other computers from connecting to your computer; it doesn't stop software on
your computer from connecting to other computers. This is by design. There is
some debate on the value of outgoing firewalls; there are reasonable arguments
on both sides.

Harry.
 
Guest

Well I am talking about the built-in Microsoft firewall (ICF).

I remember early on when I installed XP SP2 that when I ran Dreamweaver a
pop up occurred that said something like:

"Dreamweaver is trying to connect to the internet, do you want to let it?"

I did and a rule was made that is still in my exceptions list! If I
uncheck/delete it Dreamweaver, SmartFTP and any number of other outgoing
programs connect without any kind of warning. Once infected with a program
that tried to connect to the internet it would be good to be warned about
that attempted connection since it could be a keylogger. Sure, not foolproof,
but still a level a hacker would have to work around.

Honestly I don't think a pop up occurred that would say, "Windows Messenger
tried to connect your machine" or "Java(TM) 2 Platform Standard Edition tried
to connect to your machine" or any other number of rules I created for my
firewall back then.

My question is then becoming:

"Have I been hacked or is this the new default behavior of a firewall I've
been using?"

It would be nice to get a real answer from a real Microsoft employee for
this product I've purchased for several machines. Or is this the kind of
answer that requires additional payment?
 
Harry Johnston

spike said:
> Well I am talking about the built-in Microsoft firewall (ICF).

ICF was the name of the Windows XP firewall prior to service pack 2. If you
have service pack 2 installed, you have Windows Firewall, not ICF.

> I remember early on when I installed XP SP2 that when I ran Dreamweaver a
> pop up occurred that said something like:
>
> "Dreamweaver is trying to connect to the internet, do you want to let it?"
>
> I did and a rule was made that is still in my exceptions list!

Again, Windows Firewall only controls incoming access. Either Dreamweaver must
have been attempting to establish a listening port or some firewall product
other than Windows Firewall was involved.

Some of the Macromedia products contain a web server that provides on-line help,
so this may have been what triggered the alert.

> It would be nice to get a real answer from a real Microsoft employee for
> this product I've purchased for several machines. Or is this the kind of
> answer that requires additional payment?

You could contact Microsoft Product Support at the phone number listed on their
web site. However, yes, they will charge you for a support call.

Harry.
 
Guest

Thanks for pointing out the naming mistake for me. It led me to some more
reading.

I accept that the outgoing traffic is not monitored, which is a shame, but
what is the point of the "Add program... " button on the exceptions page?

If this firewall is not intended to monitor outgoing traffic that is
initiating a tcp/udp exchange then why have this button to add PROGRAMS to
the exceptions list?

I'm pretty sure early on that I would get dialog boxes asking me to confirm
various access attempts to the internet when using different programs. I'd
say yes and it would no longer be blocked. It looks like this firewall
product I have been relying on to behave a certain way has let me down for
several months w/out my knowing it!?!
 
Guest

Also,

"Windows Firewall Notifications
Applications can use Windows Firewall application programming interface
(API) function calls to automatically add exceptions. When applications
create exceptions using the Windows Firewall APIs, the user is not notified.
If the application using the Windows Firewall APIs creates an exception and
does not specify an exception name, the exception is not displayed in the
exceptions list on the Exceptions tab of the Windows Firewall item in Control
Panel. You can view exceptions with no names from the display of the netsh
firewall show state command at a Windows command prompt.

When an application that does not use the Windows Firewall API runs and
attempts to listen on TCP or UDP ports and the user is logged on with an
account with local administrator privileges, Windows Firewall displays a
Windows Security Alert dialog box. The following figure shows an example."

(source:
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx)

I've used the "netsh firewall show state" (and other command-line
instructions) to look around; not happy.

It seems that the API for the firewall is available to application
developers and that entries can be made programmatically to the firewall.
What is the point of a firewall that programs can automatically circumvent?
This firewall provides a false illusion of protection when compared to other
firewall products!!! I'd prefer to use Microsoft Firewall but not in this
state.
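An added example, not part of the thread and not Microsoft's own tooling: it audits the current Windows Firewall (XP SP2) profile through the same COM API the quoted article says applications use to add exceptions, so that program and port exceptions, including ones added programmatically, are listed alongside the "Don't allow exceptions" and notification settings. It assumes the XP SP2 / Server 2003 HNetCfg.FwMgr object is registered and that an exception created without a name comes back with an empty Name property.

```powershell
# Added example, not from the thread: audit the Windows Firewall (XP SP2) profile
# via the HNetCfg.FwMgr COM object, the same API applications use to add exceptions.
# Assumption: exceptions created without a name are returned with an empty Name.
$fwMgr     = New-Object -ComObject 'HNetCfg.FwMgr'
$fwProfile = $fwMgr.LocalPolicy.CurrentProfile

"Firewall enabled            : $($fwProfile.FirewallEnabled)"
"'Don't allow exceptions' set: $($fwProfile.ExceptionsNotAllowed)"
"Block notifications disabled: $($fwProfile.NotificationsDisabled)"

# Program exceptions: each one allows INBOUND connections to one executable,
# whichever ports it listens on. Outbound connections are never filtered.
"`nProgram exceptions:"
foreach ($app in $fwProfile.AuthorizedApplications) {
    $name  = if ([string]::IsNullOrEmpty($app.Name)) { '<unnamed - hidden in Control Panel>' } else { $app.Name }
    $state = if ($app.Enabled) { 'ENABLED ' } else { 'disabled' }
    "  [$state] $name -> $($app.ProcessImageFileName) (remote: $($app.RemoteAddresses))"
}

# Port exceptions: inbound holes tied to a port number rather than a program.
"`nPort exceptions:"
foreach ($port in $fwProfile.GloballyOpenPorts) {
    $proto = if ($port.Protocol -eq 6) { 'TCP' } else { 'UDP' }   # 6 = NET_FW_IP_PROTOCOL_TCP
    $state = if ($port.Enabled) { 'ENABLED ' } else { 'disabled' }
    "  [$state] $proto/$($port.Port) $($port.Name) (remote: $($port.RemoteAddresses))"
}
```

Run it from an administrator account; an entry marked ENABLED is an inbound hole worth reviewing, whether or not it appears on the Exceptions tab.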
 
Harry Johnston

spike said:
> If this firewall is not intended to monitor outgoing traffic that is
> initiating a tcp/udp exchange then why have this button to add PROGRAMS to
> the exceptions list?

There are a number of programs that need to accept connections from other
computers in order to function correctly. This allows them to be permitted to
do so without having to know the details of which ports they listen on. Also,
some programs assign port numbers randomly each time they run, so this is the
only way to allow such programs to work.

Harry.
 
Harry Johnston

spike said:
> It seems that the API for the firewall is available to application
> developers and that entries can be made programmatically to the firewall.
> What is the point of a firewall that programs can automatically circumvent?

It isn't designed to protect you from malicious programs running on your own
computer. It should be noted that it is quite easy for a malicious program to
bypass outgoing firewall protection anyway, for example by opening a connection
in the context of another program (such as a web browser) that has already been
granted access.

Also note that the malicious code would have to be running as an administrator
in order to use this API. Even without the API, malicious code running with admin
privilege could easily disable any firewall software present.

> This firewall provides a false illusion of protection when compared to other
> firewall products!!! I'd prefer to use Microsoft Firewall but not in this
> state.

It does achieve what it is designed to achieve. For example, if you have
Windows Firewall running and haven't activated an exception for file sharing,
you are protected against attacks against vulnerabilities in the file sharing
components. This would, for example, have protected against the Blaster worm
when it was first released. (If Windows Firewall had been on by default at the
time Blaster would have been far less effective.)

Incidentally, you should remove the exception for Macromedia Dreamweaver. It
isn't needed and may expose you to attack, if there happens to be a
vulnerability in the Dreamweaver web server. (The exception isn't needed
because you only need to connect to the web server from your own computer, and
such connections automatically bypass the firewall.)

Harry.
 
Guest

Thanks for the back and forth. :)

But you don't explain the reason for the "Add program..." button for the
exceptions tab on the Microsoft Firewall properties.

Why is it possible to add an exception manually for programs? Even the link I
provided with the quote shows a dialog box that prompts a user to "Block",
"Keep Blocking", and "Ask Me Later" (Why?).

Exactly what is the point of this functionality? It is in fact nonsensical
to have it if you ask me.

You don't need to say it again I get that outgoing traffic protection is not
what this product does (even though it should ;-).

Also, you make assertions about running as an administrator and using other
software as a context for hackers to access the internet. I'd comment but
these would definitely end up with just statements of opinion and not fact.
 
Harry Johnston

spike said:
> But you don't explain the reason for the "Add program..." button for the
> exceptions tab on the Microsoft Firewall properties.

This controls incoming access to those programs. Basically, it's for people who
are deliberately running servers or peer-to-peer software.

There are a number of programs that need to accept connections from other
computers in order to function correctly. This allows them to be permitted to
do so without having to know the details of which ports they listen on. Also,
some programs assign port numbers randomly each time they run, so this is the
only way to allow such programs to work short of turning the firewall off entirely.

> Also, you make assertions about running as an administrator and using other
> software as a context for hackers to access the internet. I'd comment but
> these would definitely end up with just statements of opinion and not fact.

Wouldn't bother me. :)

Harry.
 
Straight Talk (aka B. Nice)

> Thanks for pointing out the naming mistake for me. It led me to some more
> reading.
>
> I accept that the outgoing traffic is not monitored, which is a shame,

It's not. It's a reasonable design choice to not waste resources on
useless trials.

> but what is the point of the "Add program... " button on the exceptions page?
>
> If this firewall is not intended to monitor outgoing traffic that is
> initiating a tcp/udp exchange then why have this button to add PROGRAMS to
> the exceptions list?

You are confusing ingoing and outgoing traffic.

> I'm pretty sure early on that I would get dialog boxes asking me to confirm
> various access attempts to the internet when using different programs. I'd
> say yes and it would no longer be blocked. It looks like this firewall
> product I have been relying on to behave a certain way has let me down for
> several months w/out my knowing it!?!

It hasn't let you down - since it never claimed to do what you are
asking for - which is silly anyway.
 
Straight Talk (aka B. Nice)

> It seems that the API for the firewall is available to application
> developers and that entries can be made programmatically to the firewall.

Nice feature.

> What is the point of a firewall that programs can automatically circumvent?

A program needs the necessary privileges to do so. Since you are
probably running as admin any program can add exceptions to any
firewall anyway. Have a closer look at your security concept before
blaming the firewall.

> This firewall provides a false illusion of protection when compared to other
> firewall products!!!

If you are running as admin any "protection" is an illusion.

> I'd prefer to use Microsoft Firewall but not in this state.

Your choice - you are free to install some 3rd party illusionware
instead. If it makes you feel better it's fine - just don't expect to
enhance your security.
 
Guest

Harry Johnston said:
> This controls incoming access to those programs. Basically, it's for people who
> are deliberately running servers or peer-to-peer software.

I don't believe this is correct. But I can't roll back Microsoft Firewall
to verify the previous behavior. I believe that contrary to what you think
Dreamweaver was blocked because it attempted to find updates for the product.
SmartFTP was blocked the first time I tried to access an FTP server (as were
Firefox and Fireworks, for which exceptions were similarly made).

I may be wrong but I don't think so :)
 
Harry Johnston

spike said:
> SmartFTP was blocked the first time I tried to access an FTP server

It's worth noting that FTP (unless used in passive mode) requires an incoming
connection - that is, the FTP server "calls back" to your machine.

Harry.
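An added illustration of the active versus passive FTP point above, not code from the thread: it reads a constructed control-channel transcript and reports which side has to accept the data connection, which is what decides whether the FTP client needs an inbound firewall exception. The transcript, addresses and ports are made up for the example.

```powershell
# Added example, not from the thread. Each transcript line is prefixed with
# 'C: ' (client to server) or 'S: ' (server to client); the transcript is constructed.
function Get-FtpDataDirection {
    param([string[]]$Transcript)
    $result = @()
    foreach ($line in $Transcript) {
        # Active mode: the client sends PORT h1,h2,h3,h4,p1,p2 and LISTENS there;
        # the server then connects back in, which an inbound-only firewall blocks
        # unless the client program has an exception.
        if ($line -match '^C: PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)') {
            $ip   = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
            $port = [int]$Matches[5] * 256 + [int]$Matches[6]
            $result += "active : server connects INBOUND to client ${ip}:${port} (exception needed)"
        }
        # Passive mode: the server answers PASV with a 227 reply and listens; the
        # client connects OUTBOUND, which Windows Firewall on XP does not filter.
        elseif ($line -match '^S: 227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)') {
            $ip   = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
            $port = [int]$Matches[5] * 256 + [int]$Matches[6]
            $result += "passive: client connects OUTBOUND to server ${ip}:${port} (no exception needed)"
        }
    }
    return $result
}

# Constructed sample session: one active-mode and one passive-mode transfer.
$sampleTranscript = @(
    'C: USER anonymous',
    'S: 331 Please specify the password.',
    'C: PASS guest@example.org',
    'S: 230 Login successful.',
    'C: PORT 192,0,2,10,4,210',                            # client listens on 192.0.2.10:1234
    'S: 200 PORT command successful.',
    'C: LIST',
    'C: PASV',
    'S: 227 Entering Passive Mode (198,51,100,7,195,89)',  # server listens on 198.51.100.7:50009
    'C: RETR file.txt'
)
Get-FtpDataDirection -Transcript $sampleTranscript
```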
 
Guest

Harry Johnston said:
> It's worth noting that FTP (unless used in passive mode) requires an incoming
> connection - that is, the FTP server "calls back" to your machine.
>
> Harry.

Interesting note on passive mode to remember. :)

But it does not undermine my opinion that with all the freeware out there
and open source software (pre-compiled especially) it is nicer to have a
firewall that could not programmatically be easily overridden.

And that it, in fact, did tell you that the JohnnyWare you just installed
that is supposed to keep your passwords safely encrypted is in fact
transmitting them to a site in Germany (or was that Russia), don't you think?
 
Guest

Straight Talk (aka B. Nice) said:
> Nice feature.
>
> A program needs the necessary privileges to do so. Since you are
> probably running as admin any program can add exceptions to any
> firewall anyway. Have a closer look at your security concept before
> blaming the firewall.
>
> If you are running as admin any "protection" is an illusion.
>
> Your choice - you are free to install some 3rd party illusionware
> instead. If it makes you feel better it's fine - just don't expect to
> enhance your security.

The monikers of "Straight Talk aka B_nice" are kind of funny and evidently a
persona that is meant to anonymously, in a fashion, intimidate discourse on a
forum.

It is a transparent ploy that is found on countless forums and becomes
tiresome seeing over and over again. It quite literally stultifies a forum
much quicker than any heated discussion ever could.
 
Harry Johnston

spike said:
> But it does not undermine my opinion that with all the freeware out there
> and open source software (pre-compiled especially) it is nicer to have a
> firewall that could not programmatically be easily overridden.

The problem is that it isn't hard to programmatically override or bypass *any*
software firewall, though admittedly if you use an uncommon firewall the bad
guys are unlikely to have bothered to crack it. Of course, as previously
mentioned, it is easy enough to bypass an arbitrary firewall by sending the data
using Internet Explorer (which will almost certainly already have been given
permission).

(Check the MSDN documentation for CreateRemoteThread, which allows you to insert
your own code into any other application running in the same user context; there
are also other ways of achieving the same goal.)

<http://msdn2.microsoft.com/en-us/library/ms682437.aspx>

Harry.
 
Guest

By your argument there is no real point to the firewall because it ultimately
is hackable.

True.

But everything is about speed bumps not absolutes and this version of
Microsoft Firewall is not as much of a speed bump as it could be (my personal
opinion only). If I was working on a computer as a user who is able to
install software but not as an administrator, in that security context, I'm
sure that call to CreateRemoteThread would not be such a simple thing to
accomplish against a hardened firewall.

There we've devolved down to opinion.
 
Straight Talk (aka B. Nice)

> The monikers of "Straight Talk aka B_nice" are kind of funny and evidently a
> persona that is meant to anonymously, in a fashion, intimidate discourse on a
> forum.
>
> It is a transparent ploy that is found on countless forums and becomes
> tiresome seeing over and over again. It quite literally stultifies a forum
> much quicker than any heated discussion ever could.

It seems hard for you to stay on topic. Most likely because the topic
here is security - something which you obviously don't have a clue
about.
 
