Windows Vista Forums

#1 (permalink)
Firewall with adv security

Could someone please tell me how to configure the outbound rule to apply for a "Service Only", not for "App Only", "App and Service" etc.? The help says that it is possible but I can't find a way to do so; it looks like a rule wizard GUI bug. How do I set up an outbound rule for, say, the "Windows Update" service?

Thanks
#2 (permalink)
RE: Firewall with adv security

Sorry, I'm not sure I am seeing what you say is the problem. Here is what I did:

1. Right-click Outbound Rules
2. Select "New Rule"
3. Select "Custom" and click Next
4. Click the "Customize..." button under Services
5. Click the "Apply to this service:" radio button and select "Windows Update"
6. Click "OK"
7. You must now select "All programs." Yes, that's a bit counter-intuitive, but as long as the Program screen remains on a specific program path you can't proceed.
8. Finish building the rule.

Is that what you are trying? Are you not seeing what I am seeing? I could see how step 7 could be confusing. There really ought to be a radio button next to "Services" on that screen.

BTW, most of the services that can be meaningfully restricted from outbound communications have already been restricted by default. What are you trying to achieve with this?
#3 (permalink)
Re: Firewall with adv security

The confusing moment is that I have to select "All Programs" in order to proceed with a single service. Haven't tried it yet, but I would expect that the rule will apply to "All Programs" as well, not only the selected service. Otherwise what is the meaning of the "All programs" option then?

I'm simply trying to use the outbound control and can see that it is nothing but a useless feature in the Vista firewall, mainly because of the missing "learning" mode or at least normal logging for the outbound traffic. How do you determine what ports are used by some program/service (and, more important, how do you determine the program binary and path) to add the corresponding outbound rule manually?

> BTW, most of the services that can be meaningfully restricted from outbound communications have already been restricted by default. What are you trying to achieve with this?

Windows Update service has no default rule, so if you turn on the outbound control it will stop working.
#4 (permalink)
Re: Firewall with adv security

To be more specific, what I mean is that in order to add some rule you need to know at least something about the program/service and its networking. Things like local endpoint address/port, remote endpoint address/port, program/service name and path etc. So how do you determine all of these using the Vista firewall? Normally I would expect there to be a way to enable the "learning" mode, when the firewall will pop up some alarm window and say that something that doesn't match the defined rules is trying to access the network, so do you want to block it, allow it or define a new rule for it?

While it is somehow implemented for the inbound traffic, it is not implemented at all for the outbound. Not clear what the use of the outbound control is then. Seems I'm again forced to buy some third party firewall. It was on XP, it is still the same on Vista.
#5 (permalink)
Re: Firewall with adv security

As I said before: "Most of the services that can be meaningfully restricted from outbound communications have already been restricted by default." What exactly are you trying to prevent Windows Update from doing? What threat do you see that you are trying to mitigate?

No, there is no learning mode, and yes, you have to know either the program path of the service you are trying to restrict, or the service name. You can get the service name using the Services management tool. You can get the program path using Task Manager.

Learning mode is not particularly meaningful really. It will cause huge numbers of popups, most of which have little if any meaning to the end user as they provide no information on the action the user asked for or what the program is trying to do for the user. It also does virtually nil to provide any additional security as only those programs that want to be restricted will cause the popups. The malicious ones will use any of a number of techniques to bypass the popup if they know it is there.
#6 (permalink)
Re: Firewall with adv security

> As I said before: "Most of the services that can be meaningfully restricted from outbound communications have already been restricted by default." What exactly are you trying to prevent Windows Update from doing? What threat do you see that you are trying to mitigate?

No, I do not try to prevent Windows Update from doing anything. I'm trying to *allow* it to do its job when the outbound protection is turned on. Go to the firewall settings, then select your profile and turn on the outbound control. Next go to Windows Update and try to check for updates; it will fail since there is no outbound rule for it.

> No, there is no learning mode, and yes, you have to know either the program path of the service you are trying to restrict, or the service name. You can get the service name using the Services management tool. You can get the program path using Task Manager.

You will not find too much information for most native Windows or third party software about what ports exactly they are using internally, nor what addresses they are trying to connect to and why they are trying to connect. Run some normal firewall with outbound control and you will be surprised how much native and third party Windows software is trying to connect somewhere and send some data in the background. Good if it is checking for updates... That is why I'd actually like to have the outbound traffic controlled as well, not only the inbound.

Anyway, in half of situations you simply can't determine what binary you have to specify in your rule. Some programs are not a single binary exe located in the program folder. Some are a gazillion of binaries calling each other and mixed in the program folder, Windows folders or elsewhere. You will simply spend some days determining what is related to the app that you want to run and defining a rule for each binary.

Another good example is when you install something that needs networking in order to install properly. Have you tried to install, say, VS2005 with the outbound control turned on? How do you know what ports VS2005 will be using during installation, how do you implement a rule to allow all the intermediate helper apps started in the background by the installer to run normally? In learning mode you can just allow it to run, while without it you have no chance. Switching the outbound protection on/off every minute is not an option.

> Learning mode is not particularly meaningful really. It will cause huge numbers of popups, most of which have little if any meaning to the end user as they provide no information on the action the user asked for or what the program is trying to do for the user. It also does virtually nil to provide any additional security as only those programs that want to be restricted will cause the popups. The malicious ones will use any of a number of techniques to bypass the popup if they know it is there.

The learning mode is not to pop up on every inbound/outbound packet. It is to help you to quickly define rules for the programs that you trust (just because you can't know any networking details for each native or third party program to be able to do it manually). So once the rules are defined, you won't see any popup for years until you install something new.
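The wizard steps from post #2 and the "turn on the outbound control" step from post #6, done with `netsh advfirewall` (present on Vista and later) instead of the GUI. This is an added example, not code from the thread or from Microsoft; it assumes the Windows Update service short name is `wuauserv` and that it runs inside `svchost.exe`, and it narrows the rule to TCP 80/443, which the thread does not do.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell
# prompt on Vista or later. Order matters: create the allow rule first,
# verify it, and only then change the profile default to block outbound,
# so Windows Update keeps working (the failure described in post #6).
# Assumptions: service short name wuauserv, hosted by svchost.exe.

$svc     = "wuauserv"
$svchost = "$env:SystemRoot\System32\svchost.exe"
$rule    = "Allow Windows Update service (outbound)"

# 1. Know what you are about to break: which profile is active, what its
#    outbound default currently is, and which outbound rules already exist.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all dir=out | Select-String "Rule Name"

# 2. The rule itself, scoped to one service. The wizard's forced "All
#    programs" choice corresponds to omitting program=; pinning it to
#    svchost.exe as well is narrower and is what the GUI stores anyway.
#    Whole key=value tokens are quoted so PowerShell does not split on the
#    comma in the port list before handing the arguments to netsh.
netsh advfirewall firewall add rule `
    "name=$rule" `
    dir=out action=allow `
    "program=$svchost" "service=$svc" `
    protocol=tcp "remoteport=80,443" `
    profile=any

# 3. Confirm the stored rule carries the service name, not just the program.
netsh advfirewall firewall show rule "name=$rule" verbose

# 4. Now flip the default outbound action for the active profile only.
#    (Inbound default stays block; this is the "outbound control" switch.)
netsh advfirewall set currentprofile firewallpolicy "blockinbound,blockoutbound"

# 5. Log dropped connections. Outbound drops appear in pfirewall.log with
#    action DROP; this is the closest the built-in firewall gets to the
#    outbound "learning" data asked for in the thread, without popups.
netsh advfirewall set currentprofile logging droppedconnections enable

# 6. Trigger a detection pass and look at recent drops. With the rule in
#    place, no DROP lines for svchost's update traffic should appear;
#    anything that does show up is a candidate for its own narrow rule.
wuauclt /detectnow
Start-Sleep -Seconds 30
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-Content $log | Select-String " DROP " | Select-Object -Last 20
```

To undo, `netsh advfirewall set currentprofile firewallpolicy "blockinbound,allowoutbound"` restores the default outbound behaviour and `netsh advfirewall firewall delete rule "name=$rule"` removes the rule.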
#7 (permalink)
Re: Firewall with adv security

> No, I do not try to prevent Windows Update from doing anything. I'm trying to *allow* it to do its job when the outbound protection is turned on. Go to the firewall settings, then select your profile and turn on the outbound control. Next go to Windows Update and try to check for updates; it will fail since there is no outbound rule for it.

Did you change the default action of outbound filtering to block? That's highly unadvised. It already blocks that which can be meaningfully blocked by default. You will end up with hundreds of custom rules to punch holes in it, many of which will serve as perfect portals for malware on your system to get out through, assuming that you can actually enumerate all the things that need to communicate out on your system.

> You will not find too much information for most native Windows or third party software about what ports exactly they are using internally, nor what addresses they are trying to connect to and why they are trying to connect.

No, that is correct, you won't. Such information is virtually impossible for the vendor to collect, as the destinations will be different in every environment. The firewall can only tell you which host it is going to now, and which port it is trying to connect to, but not why. That is why prompting for outbound blocks is not implemented in Vista. The most you will find is the Port Requirements for the Windows Server System article: http://support.microsoft.com/kb/832017/en-us.

> Run some normal firewall with outbound control and you will be surprised how much native and third party Windows software is trying to connect somewhere and send some data in the background.

Yep. It turns out that the more you use your computer, the more the computer tries to communicate on the network to do what you are asking it to do. All the "learning mode" firewalls have popups that allow you to open the ports, and every one I have seen has a default action to "allow all traffic by this program." As long as the first action the user sees is innocuous there is a near-100% chance that subsequent malicious actions will be allowed as well. Using "learning mode" to do anything even close to meaningful to build firewall rules makes your computer just about useless; and annoying.

> Anyway, in half of situations you simply can't determine what binary you have to specify in your rule. Some programs are not a single binary exe located in the program folder. Some are a gazillion of binaries calling each other and mixed in the program folder, Windows folders or elsewhere.

Yep. That's how programs are designed, which is why it is virtually impossible to build a coherent outbound firewall policy.

> Have you tried to install, say, VS2005 with the outbound control turned on?

No, because restricting outbound communications for user applications is totally meaningless for security. Therefore I have never bothered wasting time on it.

> The learning mode is not to pop up on every inbound/outbound packet. It is to help you to quickly define rules for the programs that you trust

So, why are you running programs you don't trust? It seems to me that you would be able to solve this problem easily enough by not running programs you don't trust.
#8 (permalink)
Re: Firewall with adv security

Sorry Jesper, I do not agree. If the outbound control is useless, why is it there at all in the first place? Personally I've been using it since the days of Win95 and NT3 and am not going to stop, no matter what OS I'm running on. I do not like that any piece of software is able to send something in the background without letting me know what it is doing.

I do not understand why this is an open door for the malware; actually it is preventing and notifying you about any malware running on your PC, while with uncontrolled outbound *any* running process can connect to *any* address on any port and send some data and you will never detect it.
#9 (permalink)
Re: Firewall with adv security

:-) Good question. I asked myself the same thing, because on Windows XP, it is useless. You cannot restrict malicious software that is either omnipotent or has access to permitted applications from communicating out. To think that you can would be like asking a burglar inside a jewelry store to be a nice little boy, not touch anything, and wait for the police instead of jumping through any of about a thousand windows to get away. I wrote before that the myth of outbound host-based filtering in Windows XP being a necessary security measure is probably the greatest hoax perpetrated onto unsuspecting consumers by the security industry.

In Vista, outbound filtering is not actually useless. It can be very valuable in restricting services from communicating out. This only works as long as those services are barred from compromising other services running in the same user context though. That was impossible to do before Vista. The infrastructure was not there. In Vista that infrastructure exists, and the default rules make use of it.
| | #10 (permalink) |
Re: Firewall with adv security

Sorry, I also forgot to answer your last question. The reason outbound filtering does not work is that any process running in the context of a particular user can (except in certain limited cases, and only in Vista) hijack any other process running as the same user and make that other process do its evil bidding. To do so takes something like 20 bytes of machine code. In Vista it is possible to restrict the process token in such a way as to make this impossible. It is only done for services though, which is why filtering services is useful in Vista.

"voidcoder" wrote:
>
> Sorry Jasper, I do not agree. If the outbound control
> is useless, why is it there at all in the first place?
> Personally I'm using it since the days of win95 and
> NT3 and not going to stop, doesn't matter what OS
> I'm running on. I do not like that any piece of
> software is able to send something in the background
> without letting me know what it is doing.
>
> I do not understand why this is an open door for
> the malware, actually it is preventing and notifying
> you about any malware running on your PC, while
> with the uncontrolled outbound *any* running
> process can connect to *any* address on any port
> and send some data and you will never detect it.
>
>
> Jesper wrote:
> >> No, I do not try to prevent Windows Update from doing
> >> anything. I'm trying to *allow* it doing its job when
> >> the outbound protection is turned on. Go to the firewall
> >> settings, then select your profile and turn on the outbound
> >> control. Next go to Windows Update and try to check for updates,
> >> it will fail since there is no outbound rule for it.
> >
> > Did you change the default action of outbound filtering to block? That's
> > highly unadvised. It already blocks that which can be meaningfully blocked by
> > default. You will end up with hundreds of custom rules to punch holes in it,
> > many of which will serve as perfect portals for malware on your system to get
> > out through, assuming that you can actually enumerate all the things that
> > need to communicate out on your system.
> >
> >> You will not find too much information for most
> >> of native windows or third party software, what
> >> exact ports they are using internally nor what
> >> addresses they are trying to connect to and why they are
> >> trying to connect.
> >
> > No, that is correct, you won't. Such information is virtually impossible
> > for the vendor to collect, as the destinations will be different in every
> > environment. The firewall can only tell you which host it is going to now,
> > and which port it is trying to connect to, but not why. That is why prompting
> > for outbound blocks is not implemented in Vista. The most you will find is
> > the Port Requirements for the Windows Server System article:
> > http://support.microsoft.com/kb/832017/en-us.
> >
> >> Run some normal firewall with outbound
> >> control and you will be surprised how much native and
> >> third party windows software is trying to connect somewhere
> >> and send some data in the background.
> >
> > Yep. It turns out that the more you use your computer, the more the computer
> > tries to communicate on the network to do what you are asking it to do. All
> > the "learning mode" firewalls have popups that allow you to open the ports,
> > and every one I have seen has a default action to "allow all traffic by this
> > program." As long as the first action the user sees is innocuous there is a
> > near-100% chance that subsequent malicious actions will be allowed as well.
> > Using "learning mode" to do anything even close to meaningful to build
> > firewall rules makes your computer just about useless, and annoying.
> >
> >> Anyway in half of the situations you simply can't determine
> >> what binary you have to specify in your rule. Some programs
> >> are not a single binary exe located in the program folder.
> >> Some are a gazillion of binaries calling each other and mixed
> >> in the program folder, windows folders or elsewhere.
> >
> > Yep. That's how programs are designed, which is why it is virtually
> > impossible to build a coherent outbound firewall policy.
> >
> >
> >> Have you tried
> >> to install say VS2005 with the outbound control turned on?
> >
> > No, because restricting outbound communications for user applications is
> > totally meaningless for security. Therefore I have never bothered wasting
> > time on it.
> >
> >> The learning mode is not to popup on every inbound/outbound
> >> packet. It is to help you to quickly define rules for the
> >> programs that you trust
> >
> > So, why are you running programs you don't trust? It seems to me that you
> > would be able to solve this problem easily enough by not running programs you
> > don't trust.
>
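As an added example (not part of this thread), the service-scoped outbound rule the discussion is about, created with the netsh advfirewall tool that Vista ships rather than through the rule wizard; the rule name is a constructed placeholder, and the SID-type check at the end is an assumption about how the firewall identifies a service, marked as such in the comment.

```powershell
# Added example, not from the thread. Creates an outbound allow rule that applies
# to the Windows Update service (wuauserv) only, which is the "service only"
# scoping discussed above. Run from an elevated PowerShell prompt.
$ruleName = 'Example - Windows Update service outbound'   # constructed name

# No program= is given. That matches the wizard's insistence on "All programs":
# the rule is matched on the service, not on a particular executable path.
netsh advfirewall firewall add rule name="$ruleName" dir=out action=allow `
    service=wuauserv enable=yes

# Read the rule back; the verbose listing shows the Service it is tied to,
# so you can confirm it is wuauserv and not Any.
netsh advfirewall firewall show rule name="$ruleName" verbose

# The post's point is that only services get a restricted token in Vista.
# Assumption (mine, not the thread's): the firewall matches a service rule on
# the per-service SID in that token, so a service whose SID type is None has
# nothing for the rule to match. qsidtype reports the type for this service.
sc.exe qsidtype wuauserv

# To undo the example rule later:
# netsh advfirewall firewall delete rule name="$ruleName"
```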