iWarren

Custom Behaviors being bypassed by firewall rule creation.


Emsisoft Internet Security

Version: 2017.6.0.7838 (Beta)

Windows 7 (32-bit)  Service Pack 1

(No other known conflicting software installed)

 

I think I have discovered a problem that could be a serious security risk.

If you have, in your "Automatic rule settings", all of your entries set to "Ask" (for Advanced Firewall Settings),

then when you Allow/Disallow a firewall rule, an application rule entry is created.

The firewall settings are being set, but the application rule is by default set to (All Allowed).

 

I think at the very least, there should be an option in Application Rules to (Ask), just like in Firewall rules.
Or, if an application's Firewall settings are being set to custom, then so should the Behavior Blocker.

 

Here is why this is an issue... when I open utorrent.exe I first get a connection attempt, and when the
rule is created, the Custom Behavior is set to "All Allowed".

If I create a rule for utorrent.exe and set the Custom Behaviors to "Custom", I get about 5 different Custom Behaviors
that should have given a warning, but are being bypassed because it has by default been set to "All Allowed".
The behaviors were: modify auto-run entries, backdoor activity, etc.

Basically, the rule creation for firewall settings is affecting the security of application behaviors being detected.


If I set utorrent.exe to (Custom) before I run it, I get the following Alerts:

Program is attempting to modify your documents in a suspicious manner.
Program is behaving in a similar manner to a Backdoor.
Program is attempting to download data invisibly from the internet.
Program is attempting to modify an autorun entry.

Whereas, if it is being set to "All Allowed" by default, it runs smoothly, without alerting.

I think this could be fixed by setting the application behavior to (Custom) whenever a new
a2rules entry is added and the firewall rule is being modified.
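To make the failure mode being argued about concrete, here is a small added model of the rule-creation default. It is written for this page and is not Emsisoft's code; the rule engine, the program name, the event names and the two policy constants are all constructed for the example. It replays the sequence described above (a connection attempt first, then the four monitored behaviors) twice: once where a rule created from a firewall prompt receives "All Allowed" for the Behavior Blocker, and once where it receives "Custom" as the post proposes, and counts how many alerts the user would see in each case.

```python
"""Model of two defaults for the Behavior Blocker setting that a new
application rule receives when it is created from a firewall prompt.

Added illustration, not Emsisoft's code. Names below are constructed.
"""
from dataclasses import dataclass, field

ALL_ALLOWED = "all_allowed"   # the default the thread describes
CUSTOM = "custom"             # the default the post proposes

# Behaviors that the thread reports alerting under "Custom" monitoring.
MONITORED_BEHAVIORS = {
    "modify_documents",
    "backdoor_like",
    "invisible_download",
    "modify_autorun",
}


@dataclass
class AppRule:
    program: str
    firewall_outbound_allowed: bool
    behavior_mode: str          # ALL_ALLOWED or CUSTOM


@dataclass
class RuleEngine:
    # Behavior mode given to a rule that is created by answering a firewall prompt.
    new_rule_behavior_default: str
    rules: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def firewall_prompt(self, program: str, allow: bool) -> AppRule:
        """User answers a firewall prompt; if no rule exists yet, one is created."""
        rule = self.rules.get(program)
        if rule is None:
            rule = AppRule(program, allow, self.new_rule_behavior_default)
            self.rules[program] = rule
        else:
            rule.firewall_outbound_allowed = allow
        return rule

    def behavior_event(self, program: str, behavior: str) -> bool:
        """Program performs a behavior; returns True if the user is alerted."""
        rule = self.rules.get(program)
        # Per the thread, a program with no rule yet is treated as "All Allowed".
        mode = rule.behavior_mode if rule else ALL_ALLOWED
        if mode == CUSTOM and behavior in MONITORED_BEHAVIORS:
            self.alerts.append((program, behavior))
            return True
        return False


# Constructed event sequence: the connection attempt happens before any
# monitored behavior, so the firewall prompt is what creates the rule.
SCENARIO = [
    ("connect", "utorrent.exe", None),
    ("behavior", "utorrent.exe", "modify_documents"),
    ("behavior", "utorrent.exe", "backdoor_like"),
    ("behavior", "utorrent.exe", "invisible_download"),
    ("behavior", "utorrent.exe", "modify_autorun"),
]


def run_scenario(new_rule_behavior_default: str, events=SCENARIO) -> RuleEngine:
    """Replay the events with a given default and return the engine state."""
    engine = RuleEngine(new_rule_behavior_default)
    for kind, program, behavior in events:
        if kind == "connect":
            # Automatic firewall rule setting is "Ask": the user is prompted
            # and allows the connection, which creates the application rule.
            engine.firewall_prompt(program, allow=True)
        else:
            engine.behavior_event(program, behavior)
    return engine


if __name__ == "__main__":
    for default in (ALL_ALLOWED, CUSTOM):
        result = run_scenario(default)
        print(f"default={default}: {len(result.alerts)} alert(s)")
        for program, behavior in result.alerts:
            print(f"  {program}: {behavior}")
```

With the "All Allowed" default the four behaviors pass silently because the rule created by the firewall prompt already covers them; with the "Custom" default the same sequence produces four alerts. The ordering is what matters: the rule is created by whichever event comes first, and here that is the connection.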


Keep in mind, this is also with "Look up reputation of programs" turned off.

If the utorrent.exe rule is not yet created... and in Firewall Settings, I have all of the automatic rule settings
set to "Allow"

When I open utorrent.exe I am not prompted with any of these alerts, and it is being allowed to run
without any of the mentioned alerts, because there is not yet a rule for it, and it is being treated as "All Allowed".

It is only when I specifically set it to (Custom) that it warns me about these potential problems.

I think no matter whether you have a rule for it, you might need to have an option to treat all programs as if
they are being Custom monitored, otherwise, everything will be allowed.  The firewall doesn't seem to have
this issue... because of the advanced firewall setting to (Ask)
 

 

1 hour ago, iWarren said:

If you have in your "Automatic rule settings", all of your entries set to "Ask" (for Advanced Firewall Settings)
Then you Allow/Disallow a firewall rule, an application rule entry is created. 
The firewall settings are being set, but the application rule is by default set to (All Allowed)

I would believe that behavior is intentional, however I will ask and verify that.


Judging by the logic of the firewall settings, that you are being asked to confirm the allowance of a port,
it doesn't quite make sense to ignore the program's activity, or at least keep quiet about activity that is
surely questionable.

It would be like telling your kids, okay.. you can only make certain phone calls to certain people,
but feel free to do whatever you like, so long as it doesn't affect the rest of the house.

That is why I strongly feel we need an Automatic Application Setting, which does the same as the firewall,
so that it is by default going into custom detection mode. People with this setting enabled would at least
know they are going to be addressing more alerts. Plus... these types of alerts, you generally only have
to deal with once... and then it's smooth sailing.


I've confirmed that this behavior is intentional (it's actually how it's always worked).


I realize v10 has always worked like this, but I do believe that it shouldn't be like this.

Setting a firewall port should not affect the monitoring condition of the application rules,
as they're separate entities (under the same roof).

If no port activity was detected, everything is simply allowed, until it either does something critical
or an application rule is created.

I really think setting everything to all allowed is a mistake. That is one of the features I loved in v9,
that you could have it question every custom behavior. You would get a handful of alerts at first,
but after a bit of computer usage, alerts became minimal.

I've seen other firewalls do similar things, with an "All Allowed" arrangement by default, and in my eyes, that isn't
really protecting you, if it's not making you aware of all that is going on.

 

By setting utorrent to monitor custom events, the following were observed:

Quote

Program is attempting to modify your documents in a suspicious manner.
Program is behaving in a similar manner to a Backdoor.
Program is attempting to download data invisibly from the internet.
Program is attempting to modify an autorun entry.

These behaviors, in my eyes, seem pretty serious...
with the "All Allowed" setting, I would not know these events are taking place.

sure I might get a few more alerts, and EIS might not be as "seamless" in the background as you might like,
but I think everyone here would rather take 10 more alerts, than not knowing that something questionable
was taking place in the background.

It's the Alerts that are letting us know we are protected... Not the text in the right corner of the screen that says
"Your computer is protected!"

2 hours ago, iWarren said:

setting a firewall port, should not affect the monitoring condition of the application rules.
as they're separate entities. (under the same roof)

The rule may have separate settings for firewall inbound/outbound and behaviors, however one rule covers everything, and if a rule is created manually to set specific inbound/outbound rules for the firewall then it's best to allow the program in the Behavior Blocker and let the firewall manage the inbound/outbound rules. If there's need to set specific rules for behavior as well, then that can be done too, however in most cases when people are creating custom inbound/outbound rules they are setting allow rules and thus would be rather confused if they continued to see alerts for an application that they had already created a rule to allow through the firewall.


When I am alerted to a firewall conflict, I have almost never or rarely set the application rules for a program,
because the Alert is to address a specific firewall issue, of whether this port should be allowed or blocked.

Granted, that might come down to my specific habits, but I don't think I'm alone, in that when you are questioned
about a firewall issue, I'd guess most other people probably address the issue they are confronted with, and don't go
poking around the application's behavior blocker.

It's like, if your boat springs a leak, you plug the leak... you generally don't stop there and decide there are
other maintenance issues that need fixing (even though it's probably a good idea).

If the user is allowed to address one little issue at a time through these custom alerts... they typically won't have
to do them all at once.... and then, providing they made the right choices, their system will be more secure overall.

As far as the confusion over the application alerts vs the firewall alerts... I personally have never found any
confusion there... the firewall alerts and the application alerts are distinctly different...

Surely even novice users would know there is a difference between internet activity, and application activity.

If the Firewall has the "Advanced Settings" to (Ask) a user for permission,
why wouldn't the Application Rules have it as well?

 

On 8/4/2017 at 5:07 PM, iWarren said:

if the user is allowed to address one little issue at a time through these custom alerts... they typically won't have
to do them all at once.... and then, providing they made the right choices, their system will be more secure overall.

That would be great for advanced users, however we market our software to the average person, and they need things to be as simple as possible.

 

On 8/4/2017 at 5:07 PM, iWarren said:

as far as the confusion over the application alerts vs the firewall alerts... i personally have never found any
confusion there... the firewall alerts, and the application alerts are distinctly different...

There are plenty of people who don't see the difference, and/or don't understand it.

 

On 8/4/2017 at 5:07 PM, iWarren said:

If the Firewall has the "Advanced Settings" to (Ask) a user for permission,
why wouldn't the Application Rules have it as well?

We eliminated features like that due to user confusion, and the fact that with the Behavior Blocker not automatically allowing certain things can actually cause major issues.

On 8/7/2017 at 1:35 PM, GT500 said:

We eliminated features like that due to user confusion, and the fact that with the Behavior Blocker not automatically allowing certain things can actually cause major issues.

I realize this probably best of all. As when I first used this feature, I ended up blocking every vital Windows program. I ended up having to restart in safe mode, disable Emsisoft,
restart, fix the settings, restart again. So I, more than anyone, probably understand what kind of issues this creates. The goal was to find what was the absolute minimum required
to run Windows.

The feature in question, I remember now, in EIS v9 it was called "Paranoid Mode", and when it was activated, it would put everything in this custom detection
and give you all of the alerts.... which in my eyes, is still useful.

Much of the "major issues" you speak of, could easily just be worked around by warning a user, not to block specific things.

On 8/7/2017 at 1:35 PM, GT500 said:
On 8/4/2017 at 2:07 PM, iWarren said:

as far as the confusion over the application alerts vs the firewall alerts... i personally have never found any
confusion there... the firewall alerts, and the application alerts are distinctly different...

There are plenty of people who don't see the difference, and/or don't understand it.

I think in this case, you are really over-simplifying the user here. There are distinctly different tabs
marked "Application Rules" and "Firewall", and then in the application rule itself there are 2 distinct tabs
for Applications and Firewall...

However, if you insist on going the route of what might confuse a person, I think the "Behavior Blocker" and "Application Rules"
tabs seem more confusing. The Behavior Blocker tab serves as a sort of task manager. Every program that is running should
already have an application rule... and you really only need to have the 1 tab listing all of the running tasks, and then split up
and grayed out showing tasks that are not running, but still have rules. Then just click on one to modify an application rule.

And having a Firewall tab, with "general firewall rules", is more confusing, because the applications have their own set of firewall
rules, which are found in the application rules.

So initially, there are a few things that could be confusing, and it's just a matter of becoming familiar with the application.

I think what is more of a crime is thinking you are protected in a certain way, and discovering you might not be, all because someone
thought that "you wouldn't understand".

On 8/7/2017 at 1:35 PM, GT500 said:

That would be great for advanced users, however we market our software to the average person, and they need things to be as simple as possible.

If they want things to be as simple as possible, they still have that option.... no one is forcing them to change their "advanced" settings.
The same theory applies to the firewall rules, for "Automatic rule settings",  no one "has" to change those settings, but when they do....
the behavior will change, and if they don't like it... they can change it back.

The same applied every time in EIS v9 that I clicked "Paranoid mode", and I had to reboot and change my settings every time
I "screwed up". It was my choice... and I must have found something of value, to try to get it to return.

I've seen that remark about catering to the average person, and it doesn't cut it.
You want a product that is easy to use, so do I. lol But bottom line is..... EIS is here for one thing, and one thing only. Security.

It is a "perfect" example of the security pyramid,  compromising Security, for ease of use.

"Security" - "Functionality" - "Ease of use"
any time you compromise one of the 3 sides of this triangle,  the other 2 suffer.
In this case, you are willing to compromise the most important.... to satisfy Ease of Use,
and that is not good.  Functionality also suffers here too.

 


The original issue here is applications being set to "All Allowed" when addressing the firewall alerts.

It means that if a program connects first, BEFORE it initiates any program behavior, a rule will be created,
setting the custom behavior as 'All Allowed' ... Also, if you 'expect' someone to change the custom
behavior to "Custom Monitoring", could you not then... put it in "Custom Monitoring" and then 'expect' them to change it
to "All Allowed"? I mean, by your logic, we should be configuring our application rules as well, so it's just
as easy setting it to "Custom Monitoring" by default, as it would be to put it into "All Allowed", as it is currently.
 

You said yourself, that there is confusion between Firewall and Application rules.

And.... by your own statement, you are trying to simplify EIS for 'average' users.

So by recognizing that, you would also want to 'separate' the distinction between
Firewall Rules vs Application Rules.

Have Firewall Alerts, address "only" firewall settings.  (No adjustments to application rules can be made from here)
Have Application Alerts, address "only" application settings (No adjustments to firewall rules can be made from here)

Because when I am prompted with firewall alerts... 'average' users, would not go about changing application rules....
That would be something, someone who has the time and know-how, would fiddle with.... which you would have to
classify as an 'advanced' user behavior.

All I really want, GT500, is for the developers to really consider adding this as a feature. lol
And maybe have them weigh in too, on the ramifications.

Advanced Firewall Rules, has this "Ask" feature.... and it doesn't have any issue.
What would it harm to setup an "Ask" feature for the application rules as well?

Thank you for your time.

 

21 hours ago, iWarren said:

The  feature in question, I remember now, in EIS v9, it was called "Paranoid Mode", and when it was activated, it would put everything in this custom detection,
and give you all of the alerts.... which in my eyes, is still useful.

You are correct about the name of the feature. Essentially all it did was disable recognition of digital signatures, so that no files would be automatically all

 

20 hours ago, iWarren said:

It means that if a program connects first. BEFORE it initiates any program behavior, a rule will be created,
setting the custom behavior as 'All Allowed' ...

Considering the fact that it's allowed based on the same data that would allow it for the Behavior Blocker, this shouldn't cause any security issues.
