Vista firewall not blocking outbound traffic despite explicit rules to do so

Discussion in 'Windows Vista Security' started by Roof Fiddler, Feb 4, 2007.

  1. Roof Fiddler

    Roof Fiddler Guest

    I installed Adobe Reader 8 on Vista RTM. In Windows Firewall with Advanced
    Security, I added six outbound firewall rules, one for each of the .exe
    files in the Adobe directory, to block all outbound traffic. My Vista
    firewall settings are otherwise set to the installation defaults. When I run
    Adobe Reader and choose Help/Check for Updates, it successfully connects to
    Adobe's servers and tells me whether any updates are available.
    Why isn't the firewall blocking it from doing this?
     
    Roof Fiddler, Feb 4, 2007
    #1

  2. Maybe the rules are in the wrong profile? Vista distinguishes three network
    profiles, public, private and domain. Each can have different firewall
    rules. Look in the "Network and Sharing Center" to see which profile is
    active.
     
    Martin Hueser, Feb 4, 2007
    #2

  3. Roof Fiddler

    Roof Fiddler Guest

    The rules are set for all three profiles.
     
    Roof Fiddler, Feb 4, 2007
    #3

  4. Check the following settings:
    01. Open the Firewall GUI and select "Windows Firewall Properties"
    (hyperlink styled text) from the (center)main page.
    02. Check if the setting "Outbound connections" (drop-down button) in
    section "State" is set to "Block". Otherwise do so...

    IMPORTANT NOTE: please keep in mind that by performing this action, all
    outbound traffic without explicit rules to allow outbound traffic will
    be blocked, including Windows Update etc. For all the applications you
    should make separate rules allowing them to connect...

    Good luck!


    --
    ABoyCalledSilly

    - windows vista ultimate 64-bit en
    ---------------------------------------
    - cooler master stacker 830
    - asus p5b deluxe
    - conroe e6600
    - 2x corsair memory (twin2x2048-8500c5)
    - 3x seagate barracuda 7200.10, 320gb (sata ii, 16mb)
    - ati sapphire x1950 pro
    - creative x-fi xtreme gamer
     
    ABoyCalledSilly, Feb 5, 2007
    #4
  5. Roof Fiddler

    Roof Fiddler Guest

    But I don't want to block all traffic by default. (Well actually I do, but I
    gave up in frustration while trying to do that months ago while running RC1
    and RC2 because Vista wouldn't honor my rules to allow certain outbound
    connections.)
    I need to block particular programs from initiating outbound connections,
    not block all programs.
     
    Roof Fiddler, Feb 7, 2007
    #5
  6. Ok, now I understand completely... frustrating situation ;)

    Can you specify the "rules it wouldn't honor"? Maybe there's a solution
    around the corner :)

    Another option is using your Hostfile
    (C:\Windows\System32\drivers\etc\hosts). Have you tried using it?

    Example: suppose a certain application tries to connect to a specific
    url/ip. Entering the following lines (use notepad or something) in your
    hostfile will redirect all traffic to ip 127.0.0.1 (localhost):
    127.0.0.1 www.domainname.com
    127.0.0.1 update.domainname.com
    127.0.0.1 123.456.789.

    Good luck

    --
    ABoyCalledSilly
     
    ABoyCalledSilly, Feb 7, 2007
    #6
  7. Roof Fiddler

    Roof Fiddler Guest

    Outbound rule:
    name: "block network for adobe reader"
    profile: any
    enabled: yes
    action: block
    program: %ProgramFiles%\Adobe\Reader 8.0\Reader\AcroRd32.exe
    local address: any
    remote address: any
    protocol: any
    local port: any
    remote port: any
    allowed computers: any
    properties\programs and services\services\settings\apply this rule as
    follows: apply to all programs and services
    properties\advanced\profiles: all profiles
    profiles\interface types\customize\This rule applies to connections on the
    following interface types: All interface types

    I have one such rule for every EXE in the %ProgramFiles%\Adobe directory
    (six EXEs total), including AcroRd32.exe.

    Yet when I run the program and tell it to check for updates over the
    internet, it does so with no problem.

    Not that it should matter, since those outbound rules I have in place should
    cover all cases, but my active profile is Public, and I have inbound
    connections blocked by default and outbound allowed by default. I'm running
    RTM, UAC is enabled, and I'm using an administrative account. I don't have
    any firewall software installed other than the default one included with
    Vista, and I don't have any configuration complications which I could
    imagine might be causing my problem. I know that specifying the programs
    using the pathname %ProgramFiles%\Adobe\Reader 8.0\Reader isn't the problem
    because Vista itself chose to specify it that way; I just used the New
    Outbound Rule wizard to create the rules, and selected the programs using
    the file dialog box.

    That won't work because I'm not trying to block all programs from accessing
    particular sites, but block particular programs from accessing any sites.
     
    Roof Fiddler, Feb 8, 2007
    #7
  8. sd321

    sd321 Guest

    In the following directory is an AdobeDownloadManager :

    \Program Files\Common Files\Adobe\ESD\

    Maybe it is doing the update downloading?
     
    sd321, Feb 10, 2007
    #8
  9. Rock

    Rock Guest

    On this installation it's in \Program Files\Common Files\Adobe\Udater5
    AdobeUpdater.exe is the file.
     
    Rock, Feb 10, 2007
    #9
  10. Roof Fiddler

    Roof Fiddler Guest

    That was it! Thanks a bunch.
    Now I have another question. If this is how Vista works, then doesn't it
    mean that outbound rules are useless as a security measure on a system where
    outbound connections are allowed by default? If a program finds that it
    can't get a connection, all it has to do is create a new .exe file and then
    run it, and the new .exe can get to the network. That means on Vista, in
    order to have outbound security, you have to disallow outbound connections
    by default and add rules to allow connections for particular trusted
    programs.
    Wouldn't it make more sense for an outbound rule for a program to apply not
    to the program, but to all _processes_ started from that program? (And of
    course to children of that process too.) That would solve the problem, and
    allow outbound connections to be allowed by default without allowing blocked
    programs to get around the rules this way.
     
    Roof Fiddler, Feb 12, 2007
    #10
  11. --------------

    "Wouldn't it make more sense for an outbound rule for a program to
    apply not
    to the program, but to all _processes_ started from that program?"

    Wouldn't it be sweet being able to block a whole directory, e.g.
    "\Program Files\Common Files\Adobe\*.*"

    And there is an option to block services. Create a new Outbound rule,
    make it a 'custom' one and select services. You either select predefined
    ones, or enter your own (use short names). In addition, you could also
    specify an IP (range) + Port (range) to shut it down completely...

    --
    ABoyCalledSilly
     
    ABoyCalledSilly, Feb 12, 2007
    #11
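    The directory-wide block wished for in #11, plus the audit that would have surfaced AdobeUpdater.exe under Common Files, as an added example that is not from this thread or from Microsoft: a PowerShell script driving netsh advfirewall (the command-line face of the Vista firewall). It assumes an elevated PowerShell console and the two Adobe paths named in the thread; it does not close the spawn-a-new-.exe gap raised in #10, which only a default-block outbound policy does.

```powershell
# Added example, not from the thread: audit every .exe under the given roots
# against the outbound BLOCK rules Windows Firewall already has, report the
# uncovered ones, and (with -Apply) add a block rule for each via netsh.
# Assumes Vista or later (netsh advfirewall), PowerShell, and an elevated
# console. The default roots are the Adobe directories named in the thread.
param(
    [string[]]$Roots = @("$env:ProgramFiles\Adobe",
                         "$env:CommonProgramFiles\Adobe"),
    [switch]$Apply   # without -Apply the script only reports the gaps
)

# 1. Build the set of program paths already covered by an outbound block rule.
#    'show rule ... verbose' prints one block of "Field:  value" lines per
#    rule; keep the Program: and Action: fields and flush at each new header.
$blocked = @{}
$rule = @{}
$lines = @(netsh advfirewall firewall show rule name=all dir=out verbose) + @("Rule Name: <end>")
foreach ($line in $lines) {
    if ($line -match '^Rule Name:') {
        if ($rule.Action -eq 'Block' -and $rule.Program) {
            # netsh stores %ProgramFiles%-style paths; expand so they compare equal
            $p = [Environment]::ExpandEnvironmentVariables($rule.Program)
            $blocked[$p.ToLowerInvariant()] = $true
        }
        $rule = @{}
    } elseif ($line -match '^(Program|Action):\s+(.+?)\s*$') {
        $rule[$Matches[1]] = $Matches[2]
    }
}

# 2. Walk the directories recursively; this is what catches a separate
#    updater living outside the main Reader folder.
$uncovered = foreach ($root in $Roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Filter *.exe |
            Where-Object { -not $blocked.ContainsKey($_.FullName.ToLowerInvariant()) }
    }
}

# 3. Report, and optionally add one outbound block rule per uncovered program.
foreach ($exe in $uncovered) {
    Write-Host "no outbound block rule: $($exe.FullName)"
    if ($Apply) {
        netsh advfirewall firewall add rule "name=block outbound $($exe.Name)" `
            dir=out action=block enable=yes profile=any "program=$($exe.FullName)"
    }
}
```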
  12. Rock

    Rock Guest

    You're welcome.

     
    Rock, Feb 12, 2007
    #12