Why, with OA up, is Windows Firewall active too? (in XP)

[JeremyNicoll 58]

XP Pro SP3 etc  

 

My Security Event log shows typically between 2 and 6 event log records per second, all created - it seems - by the Windows Firewall.  Examples are

 

----------

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Detailed Tracking
Event ID:    861
Date:        10/07/2013
Time:        11:01:26
User:        NT AUTHORITY\NETWORK SERVICE
Computer:    DELL-650
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1124
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 52814
Allowed: No
User notified: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------

 

Looking at a few seconds' worth, these are all for the same pid.  Just at the moment, pid 1124  is executing

 

  C:\WINDOWS\System32\svchost.exe -k NetworkService

 

SysInternals' ProcExp tell me that this is running: dnsrslvr.dll - I assume that's the DNS resolver.

 

This event is described as a "Failure Audit" and I also see "Allowed: No"  - which strongly suggests Windows Firewall blocked something.  Why is Windows Firewall doing anything at all?    On this system OA started at boot, which was approx 10:15.

 

 

 

Much less often - once per minute I see

 

----------

Event Type:    Success Audit
Event Source:    Security
Event Category:    Detailed Tracking
Event ID:    861
Date:        10/07/2013
Time:        11:03:01
User:        DELL-650\Administrator
Computer:    DELL-650
Description:
The Windows Firewall has detected an application listening for incoming traffic.
 
Name: AboutTime cient/server
Path: C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
Process identifier: 2260
User account: Administrator
User domain: DELL-650
Service: No
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1658
Allowed: Yes
User notified: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------

 

- which is caused by a once-per-minute NNTP time check being executed by: C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe

 ... but I still don't understand why Windows Firewall is reporting this.   AboutTime was started at 1042 - well after the system was booted, and certainly well after OA started at 10:15.

 

 

 

 

 

[Fabian Wosar 390]

Usually the Windows Firewall is being disabled by Online Armor automatically and turned back on only if you close Online Armor. It could be that one of your other applications turned it on again or that disabling it somehow failed during the Online Armor start up. In both cases I would suggest to just disable it yourself manually.

[JeremyNicoll 58]

Hmm.  OA is on, at least according to its log.  According to the Windows Security Centre, the firewall that's on is OA.

 

Via Control Panel - Admin Tools - Services, I see that "Windows Firewall/Internet Connection Sharing" is Started, both on the machine that's generating the Event records, and also on an XP Home machine I have, which is not generating equivalent records.   I think I'd want to know more abouut this - is it normal for the service to be Started, so that it's there to take over if OA is shut down?

 

Do other XP users of OA also have their Windows Firewall Service started?

 

If it's meant to be disabled, and isn't - or isn't fully disabled - how can I help you find out why?

[Fabian Wosar 390]

We disable the firewall component using the official Windows APIs. That does not mean that we stop or mess with the firewall service, as doing that could interfere in cases where people use the Windows internet connection sharing features. So it is completely normal that the service is still running. If you want to check whether the Windows firewall is enabled or not you can use the following netsh command:

netsh firewall show state

If Online Armor is running, Operational Mode should be disabled. If you close Online Armor, it should switch to enabled. If it is enabled even with Online Armor running, someone is turning it on again after Online Armor turns it off. If it is disabled and there are still event log entries, chances are it's a bug in the Windows firewall. In those cases you may want to contact Microsoft.

[JeremyNicoll 58]

Thank-you.  It does seem to be disabled; the reposnse from that command (in case anyone else is interested, or wants to compare what they see) is

 

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = None
Remote admin mode                 = Disable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
13     TCP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
37     TCP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
37     UDP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
17500  UDP       IPv4     C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\
Dropbox.exe
17500  TCP       IPv4     C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\
Dropbox.exe
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
445    TCP       IPv4     (null)
4588   UDP       IPv4     C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
2869   TCP       IPv4     (null)
1900   UDP       IPv4     C:\WINDOWS\system32\svchost.exe
 

I hope the second part of the display - the "ports currently open" part, doesn't mean those ports are under Windows Firewall's control, and is just a list of network activity on this machine now...

 

I'll see if I can find out what "Exception mode:" and "Notification mode:" mean.

:

[JeremyNicoll 58]

Googling I've found other people asking the same question about Event Log records being generated even when WF is disabled, but no answers.

 

There's lots of info about how WF works at:  http://technet.microsoft.com/en-us/library/bb457029.aspx        including a list of which Event log records are generated in which cases, but not explaining how one might turn these off, nor why a disabled WF is still monitoring anything at all.

 

 

Control Panel - Windows Firewall ... opens a dialog allowing one to configure the thing; I have found that I must have seen some of this before because I find I have defined 'Exceptions' ie rules to allow some kinds of traffic.  I also find that in the Advanced pane of this dialog where one can configure a WF log - at C:\Windows\pfirewall.log - that it was last recording traffic in March 2013, which is when I uninstalled ZoneAlarmPro and started playing with OA.   (Incidentally I found I could not open pfirewall.log to read it until I'd copied it elsewhere AND renamed the copied file to something else.)

 

The first pane on the WF config dialog says that 'Exceptions' (ie user-created firewall rules) are a bad idea if one's on a public network.  Although this dialog shows that my WF is disabled, that does not prevent one from using the Exceptions or Advanced tabs to see what would be allowed/blocked if the WF was enabled.

 

Exception mode - enable/disable - seems to correspond to the Control Panel - Windows Firewall - main pane option (if the WF is on) whether Exceptions are to be allowed.

 

Notification mode - seems to match whether or not one has ticked the "Display a notification when WF blocks a program" option on the WF Exceptions tab.   Presumably such a notifcation is a pop-up, and has nothing to do with the Event logs I'm seeing.

[Fabian Wosar 390]

I have found that I must have seen some of this before because I find I have defined 'Exceptions' ie rules to allow some kinds of traffic.

Not necessarily. The Windows firewall rules are pretty much unprotected. So plenty of applications will just add themselves to ensure they are working correctly.

[JeremyNicoll 58]

I've read that I might be able to suppress the 861 eventlog records, by turning off the "audit process tracking" option in my Local Security Policy (something one can only do in XP /Pro/ of course).  However as that flag also controls whether the event logs show process (pid) creation, exit etc and I find those records really useful for chasing other problems, I won't be turning that off. 

 

I'm guessing that the reason I'm not seeing the 861s in an XP Home system I have is that although that machine does have a Security log, I have no control over the sorts of records being written to it; it also doesn't contain any records for process creation/exit etc.