Time for a new firewall...

JW

Freeware Kerio (Firewall engine version 2.1.5, Driver version 3.0.0) is now
giving me an error message - for any new apps that I need to create a rule for -
"UsrRsltMd5AddApp: You have too many application already registered !"

Could I have hit a limit? I couldn't find any answers in google, google
groups, or the kerio or tiny sites (both of which have very little support
info.) Nothing in the kerio yahoo group, and there are less and less postings as
the months go by.

I am using ZoneAlarm in the meantime, but don't like the lack of control
compared to Kerio/Tiny (the free version of ZA is particularly lacking in basic
firewall features, and even the paid version doesn't have Kerio's MD5
validation, the ability to enable specific ports, inbound/outbound, etc. Plus I
love Kerio's ability to monitor open connections and transfers.). A search of
this group turned up Sygate and Outpost, but both seem to be buggy. Anything
else out there in freeware land? Time to find a new firewall? (And I hesitate to
ask about a commercial product in this group!)
 
donutbandit

Freeware Kerio (Firewall engine version 2.1.5, Driver version 3.0.0)
is now giving me an error message - for any new apps that I need to
create a rule for - "UsrRsltMd5AddApp: You have too many application
already registered !"

I've never run up against a limit. But there are common sense ways to deal
with this.

Long ago, I gave up letting Kerio make its own rules. Why? Because it
would create 2 rules when only one was needed.

Example: xxx allowed out; xxx allowed in.

Solution: xxx allowed both ways (1 rule rather than 2)

If you are using Sponge's ruleset, there are many things in there that are
not needed. He errs on the side of paranoia: this is good.

But after awhile, the only real deny rule you need is:

Deny All: deny everything unless specifically allowed. This rule goes at
the very bottom, and easily negates 2/3s of Sponge's deny rules. Anything
that isn't specifically allowed is denied by this rule.

Sponge's rules seem to be tailored for ex-Zone Alarm users who don't feel
safe unless there is a popup box every few minutes or so.

Put the "Deny All" rule at the very bottom, and then feel safe in deleting
all of Sponge's specific deny rules: you have them covered.

No, you won't get a popup box unless you specify it in "Deny All" and I do.
If THAT rule is challenged, I want to know about it.
 
Bob Adkins

Freeware Kerio (Firewall engine version 2.1.5, Driver version 3.0.0) is now
giving me an error message - for any new apps that I need to create a rule for -
"UsrRsltMd5AddApp: You have too many application already registered !"

You can increase the number of rules allowed. IIRC, it's pretty simple, and
instructions are found on the Kerio site.

Bob

Remove "kins" from address to reply.
 
John Corliss

donutbandit said:
I've never run up against a limit. But there are common sense ways to deal
with this.

Long ago, I gave up letting Kerio make its own rules. Why? Because it
would create 2 rules when only one was needed.

Example: xxx allowed out; xxx allowed in.

Solution: xxx allowed both ways (1 rule rather than 2)

If you are using Sponge's ruleset, there are many things in there that are
not needed. He errs on the side of paranoia: this is good.

But after awhile, the only real deny rule you need is:

Deny All: deny everything unless specifically allowed. This rule goes at
the very bottom, and easily negates 2/3s of Sponge's deny rules. Anything
that isn't specifically allowed is denied by this rule.

Sponge's rules seem to be tailored for ex-Zone Alarm users who don't feel
safe unless there is a popup box every few minutes or so.

Put the "Deny All" rule at the very bottom, and then feel safe in deleting
all of Sponge's specific deny rules: you have them covered.

No, you won't get a popup box unless you specify it in "Deny All" and I do.
If THAT rule is challenged, I want to know about it.

Donutbandit,
I just tried this and immediately started getting multiple popups
saying that the program had blocked attempts by the Tcpip Kernel
Driver to use the ICMP(3) protocol to contact an IP address that's
probably a DNS or somesuch. Luckily, I was able to restore the Kerio
folder files from my backup hard drive (not sure which file stores the
filter settings, but it doesn't matter since everything's back to
normal now.)
 
JW

Bob Adkins said:
You can increase the number of rules allowed. IIRC, it's pretty simple, and
instructions are found on the Kerio site.

Bob

Well I didn't see anything on the Kerio site and I checked the Knowledgebase and
the forums. But I DID see someone post the same question and his eventual reply:

"I gave up on waiting for an answer to this and switched to Outpost firewall :p"

jon
 
JW

donutbandit said:
I've never run up against a limit. But there are common sense ways to deal
with this.

Long ago, I gave up letting Kerio make its own rules. Why? Because it
would create 2 rules when only one was needed.

Example: xxx allowed out; xxx allowed in.

Solution: xxx allowed both ways (1 rule rather than 2)
(snip)

Yeah, it will also create separate TCP and UDP entries if a program uses both
protocols. I hate having to keep cleaning it up, but guess I will if
there's no other choice.

jon
 
JW

Bob Adkins said:
Well I didn't see anything on the Kerio site and I checked the Knowledgebase and
the forums. But I DID see someone post the same question and his eventual reply:

"I gave up on waiting for an answer to this and switched to Outpost firewall :p"

Followup: I fixed this for now by going into the MD5 list and deleting old
entries (check paths option). As an aside, anyone know where this list is kept?
(Tried doing a filemon and a regmon, but I couldn't seem to locate it...)

jon
 
bassbag

Freeware Kerio (Firewall engine version 2.1.5, Driver version 3.0.0) is now
giving me an error message - for any new apps that I need to create a rule for -
"UsrRsltMd5AddApp: You have too many application already registered !"

Could I have hit a limit? I couldn't find any answers in google, google
groups, or the kerio or tiny sites (both of which have very little support
info.) Nothing in the kerio yahoo group, and there are less and less postings as
the months go by.

I am using ZoneAlarm in the meantime, but don't like the lack of control
compared to Kerio/Tiny (the free version of ZA is particularly lacking in basic
firewall features, and even the paid version doesn't have Kerio's MD5
validation, the ability to enable specific ports, inbound/outbound, etc. Plus I
love Kerio's ability to monitor open connections and transfers.). A search of
this group turned up Sygate and Outpost, but both seem to be buggy. Anything
else out there in freeware land? Time to find a new firewall? (And I hesitate to
ask about a commercial product in this group!)
I think you've already mentioned all the main free firewalls. As an Outpost
user (using 2.1 now), I never found Outpost 1 (free) to be that buggy at
all. It does not support Internet Connection Sharing, or I believe
hyperthreading, which is common in today's Pentium 4s, but other than that it
is as "buggy" as most of the other firewalls. I've used Sygate in the past and
never had a problem either, but stopped using it because I use a proxy
filter, and as you are probably aware Sygate has a loopback issue whereby
it allows everything that connects to the proxy filter access, using the
proxy allowed rules.
me
 
Bob Adkins

Well I didn't see anything on the Kerio site and I checked the Knowledgebase and
the forums. But I DID see someone post the same question and his eventual reply:

"I gave up on waiting for an answer to this and switched to Outpost firewall :p"


I had a problem somewhat similar to yours and used this registry edit. It
worked for me.

Go to:

HKLM\SYSTEM\CurrentControlSet\Services\fwdrv

Modify 'MaxBufferSize' to some higher amount (e.g. 12000).


Bob

Remove "kins" from address to reply.
 
donutbandit

Donutbandit,
I just tried this and immediately started getting multiple popups
saying that the program had blocked attempts by the Tcpip Kernel
Driver to use the ICMP(3) protocol to contact an IP address that's
probably a DNS or somesuch. Luckily, I was able to restore the Kerio
folder files from my backup hard drive (not sure which file stores the
filter settings, but it doesn't matter since everything's back to
normal now.)

Then the TCPIP Kernel driver is connecting out using your current ruleset,
and the Deny All rule blocked it.

If this is something you need, just write a rule to allow it: or tell the
popup box to allow it.

At any rate, all you would have to do is untick the Deny All rule.
 
Antoine

bassbag said:
I think you've already mentioned all the main free firewalls. As an
Outpost user (using 2.1 now), I never found Outpost 1 (free) to
be that buggy at all.

Seconded here. The sole problem I came across was with easyphp and I
hadn't found out which of the two (AOF or Easyphp) did something
'wrong'.
 
John Corliss

donutbandit said:
Then the TCPIP Kernel driver is connecting out using your current ruleset,
and the Deny All rule blocked it.

Yeah, I figured that part out. I guess this doesn't happen on your
machine.
If this is something you need, just write a rule to allow it:

Not that easy. Don't know what program to allow and frankly, don't
think that it's possible to do that way.
I did try adding a new rule for ICMP:

1. Entered "Allow ICMP #3" in the description field
2. Selected "ICMP" from the "Protocol" dropdown
3. Selected "Both directions" from the "Directions" dropdown
4. Pressed the "Set Icmp..." button
5. Ticked #3 (Destination Unreachable)
6. Set the action as "Permit"
7. Ticked "Log when this rule matches"
8. Ticked "Display alert box when this rule matches"
9. Pressed the "OK" button and verified that the rule was above the
"Deny all" rule (by default, when you make new rules by pressing
the "Add..." button, Kerio places the new rule right above the
bottom most one.)

This however didn't stop the alerts for some reason.
or tell the popup box to allow it.

That option wasn't present on the Alert popup box.
At any rate, all you would have to do is untick the Deny All rule.

No, that wouldn't work because I had (as you suggested) removed all
the other "Deny" rules. There would be no point of including the "Deny
all" rule if I can't get rid of all the other "specific" deny rules.

At any rate, as I mentioned I simply restored the program by copying
the Kerio folder from my backup hard drive. Note that a smarter way of
doing this would have been to have (before changing any rules) first
done this:

1. Right click on the Kerio tray icon
2. Select "Administration"
3. Select the "Miscellaneous" tab
4. Use the "Save..." button to back up the current rule configuration

That way, I could have more easily restored the rules to their
previous state.
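An added illustration, not code from any poster in this thread: a small first-match filter in Python that models the ordering donutbandit and John describe (specific allows above, "Deny All" at the very bottom, the ICMP type 3 allow placed above it). The Rule and Packet fields, the application names and the sample traffic are assumptions constructed for the example, not Kerio's own rule format.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    protocol: str = "any"          # "tcp", "udp", "icmp" or "any"
    direction: str = "both"        # "in", "out" or "both"
    app: str = "any"               # executable the rule belongs to, or "any"
    icmp_types: frozenset = frozenset()  # empty = any ICMP type (like "Set Icmp...")
    alert: bool = False            # "Display alert box when this rule matches"

@dataclass
class Packet:
    protocol: str
    direction: str
    app: str = "any"
    icmp_type: Optional[int] = None

def matches(rule, pkt):
    """True when every field the rule constrains agrees with the packet."""
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.direction != "both" and rule.direction != pkt.direction:
        return False
    if rule.app != "any" and rule.app != pkt.app:
        return False
    if rule.protocol == "icmp" and rule.icmp_types and pkt.icmp_type not in rule.icmp_types:
        return False
    return True

def evaluate(rules, pkt):
    """First match wins, top to bottom. Returns (action, rule name, alert).
    Without a Deny All rule, unmatched traffic is denied silently."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.name, r.alert
    return "deny", "<no rule matched>", False

# Constructed ruleset modelled on the thread: one consolidated "both ways"
# rule per application, the ICMP type 3 allow, and Deny All at the bottom.
ALLOW_BROWSER = Rule("browser.exe both ways", "permit", protocol="tcp", app="browser.exe")
ALLOW_ICMP3 = Rule("Allow ICMP #3", "permit", protocol="icmp", icmp_types=frozenset({3}))
DENY_ALL = Rule("Deny All", "deny", alert=True)
RULESET = [ALLOW_BROWSER, ALLOW_ICMP3, DENY_ALL]

# Constructed sample traffic: an inbound Destination Unreachable and an
# unsolicited inbound TCP connection to a program with no rule of its own.
DEST_UNREACH = Packet("icmp", "in", icmp_type=3)
UNSOLICITED = Packet("tcp", "in", app="unknown.exe")
```

Swapping the last two rules shows why John's step 9 matters: with Deny All above the ICMP rule, the ICMP allow never fires and every Destination Unreachable raises the Deny All alert.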
 
donutbandit

Yeah, I figured that part out. I guess this doesn't happen on your
machine.

No. I do not allow "kernel" or "system" to connect out in any way. In most
cases, it's RPCSS or DCOM behavior, and can also be a Trojan.
At any rate, all you would have to do is untick the Deny All rule.
No, that wouldn't work because I had (as you suggested) removed all
the other "Deny" rules. There would be no point of including the "Deny
all" rule if I can't get rid of all the other "specific" deny rules.

I wouldn't have simply removed all the Deny rules - I would have unticked
them one by one to see what the result would be.

I consider "kernel" trying to connect out highly suspicious behavior. The
only thing that threw me was that you said it was TCP/IP.

The "Deny All" rule should be the last rule in any Kerio ruleset - in fact,
Sponge's rulesets have it.
 
Richard Steinfeld

|
| > I think you've already mentioned all the main free firewalls. As an
| > Outpost user (using 2.1 now), I never found Outpost 1 (free) to
| > be that buggy at all.
|
| Seconded here. The sole problem I came across was with easyphp and I
| hadn't found out which of the two (AOF or Easyphp) did something
| 'wrong'.
| --
| Antoine

I'm interested:
Please explain "AOF" and "Easyphp."

Richard
 
omega

Richard Steinfeld said:
| Seconded here. The sole problem I came across was with easyphp and I
| hadn't found out which of the two (AOF or Easyphp) did something 'wrong'.

I'm interested:
Please explain "AOF" and "Easyphp."

Software names...

AOF: Agnitum Outpost Firewall, www.agnitum.com
Easyphp (my guess): Easyphp, www.easyphp.org
 
John Corliss

donutbandit said:
No. I do not allow "kernel" or "system" to connect out in any way. In most
cases, it's RPCSS or DCOM behavior, and can also be a Trojan.

I agree and am the same about any "system" calling out. However, this
was operating in the background and I believe may be a default hidden
Kerio rule to allow for normal or even required system activity. When
I run this program:

http://www.karenware.com/powertools/ptwinwatch.asp

I see the following listed:

WIN 95 RPC Wmsg Window

which is described in Karen's program as:

Window Handle: 0x000000A0 (160)
Window Title: WIN95 RPC Wmsg Window
Module File Name: C:\WINDOWS\SYSTEM\RPCRT4.DLL
Process Priority: Normal
Window Location: 0, 0
Window Size: 0h x 0w
Window is Hidden? Yes
Window is Enabled? No
Window is Menu? No
Window State: Normal
Window Class Name: OleMainThreadWndClass 0x########

I don't like having *any* RPC crap running in the background and may
try simply moving or renaming the RPCRT4.DLL file. In XP or 2000 (I
use ME), I understand that it's a real bad idea to disable RPC:

http://www.blackviper.com/AskBV/tech10.htm

Regarding the DCOM stuff, well I ran DCOMbobulator from this site:

http://grc.com/freepopular.htm

and verified that it had worked, so that should not be an issue.

As for the possibility of a Trojan, I've done an online scan, ran AVG
with its current signature and run the anti-Trojan program "a squared"
likewise. I've never used OE (I use Mozilla 1.6 final) on this current
install, so it's very unlikely that I have a Trojan.
I just added the "Deny all" rule back to the bottom of the list and
this time didn't remove any of the other "Deny" rules. I immediately
got an error message that the rule had some TCP and UDP incomings, and
then the activity stopped. There was no mention of the rule blocking
any outgoing ICMP "Destination Unreachable" at this time. Don't know
if that's because I left in the old deny rules or not.
I wouldn't have simply removed all the Deny rules - I would have unticked
them one by one to see what the result would be.

I can now see why addition of the "Deny all" rule at the bottom by
itself (without removing any other deny rules) is a good idea. Think
I'll turn off the "Display alert box when this rule matches" option
though.
I consider "kernel" trying to connect out highly suspicious behavior. The
only thing that threw me was that you said it was TCP/IP.

That's what the alert box said.
The "Deny All" rule should be the last rule in any Kerio ruleset - in fact,
Sponge's rulesets have it.

Donutbandit, sorry to have put you through this, but your idea
immediately struck me as such a good one that I felt that I had to
look into it more. Many thanks for replying and for your suggestion. I
doubt that I have any Trojans, but I do think that there might be
people out there who may have figured out how to hack in past Kerio
(or any other software firewall for that matter.) The "Deny all" rule
will stop those idiots dead in their tracks (well, at least for now.)
The alerts that I've gotten seem to indicate that this is the case.

Thanks again.
 
donutbandit

I don't like having *any* RPC crap running in the background and may
try simply moving or renaming the RPCRT4.DLL file. In XP or 2000 (I
use ME), I understand that it's a real bad idea to disable RPC:

I use ME also. I haven't had any problems with RPCSS - in fact, just to be
safe, I wrote a rule specifically denying it.

RPCSS.EXE - TCP & UDP - both directions - location
C:/Windows/System/RPCSS.EXE - all ports, etc - DENY

One thing you might check - look at Control Panel>Network, and see if
Windows Family Logon is installed. That's what causes "SYSTEM" to be
listening constantly. It's perfectly safe to delete that, as long as you
have Dial Up and TCP/IP installed there.
 
John Corliss

donutbandit said:
I use ME also. I haven't had any problems with RPCSS - in fact, just to be
safe, I wrote a rule specifically denying it.

RPCSS.EXE - TCP & UDP - both directions - location
C:/Windows/System/RPCSS.EXE - all ports, etc - DENY

No such file on my system. I may have simply deleted it somewhere
along the way.
One thing you might check - look at Control Panel>Network, and see if
Windows Family Logon is installed.

No, it's not installed. I'm the only one using this computer.
That's what causes "SYSTEM" to be
listening constantly. It's perfectly safe to delete that, as long as you
have Dial Up and TCP/IP installed there.

For some reason today I'm not getting the ICMP alerts that I was
yesterday. And even if I was, I unticked the "Log when this rule
matches" item on the "Filter rule" edit window.
I really think this "Deny all" rule you suggested is a great way to
go. Thanks again.
 