Koosharem

Puzzling "Allowed Access" Alert


On several occasions I have gotten a "balloon" from OA telling me: "program xyz.exe has been allowed access to . . . . " with a Remote Address of "127.0.0.1" . I recognize this address as my computer's IP address (Localhost), and when associated with a domain name in the Hosts file, it will effectively block internet connection with that particular domain name.

So, is this what OA is doing -- "sending" program xyz.exe to my computer's IP address and thus "blocking" it?? This is puzzling because on other occasions, when an (albeit unknown) program attempted to access the internet, OA has blocked it and alerted me for a decision ("block" or "allow").

The most recent example of this type of "balloon" concerned a program (DW20.exe) that I understand is associated with Microsoft's error reporting process. Have I unknowingly enabled a "setting" that tells OA to handle some cases this way?? :huh:


If you have "Automatically allow trusted programs to access the internet" (I'm not sure if you do), then you will only be asked about internet access for unknown ones. Trusted programs will have their firewall rules created automatically and when this happens you'll see the balloon tip notifying you of this (you can disable the notification of automatic rule creation in the Options -> Firewall section by unticking "Notify me when programs are allowed to access the internet").

As for the local host reference, I'm not sure what program your example relates to, but many programs (such as Firefox and IE) use the loopback interface (127.0.0.1) for internal communication, so if you have "Intercept loopback interface" ticked (it is by default) in Options -> Firewall, you will see local host referred to a lot in the balloon tips mentioned above.

The loopback interface is also used by some ad-blocking and security related software (not OA) that add entries to the Hosts file to prevent your computer from connecting to potentially dangerous or advertising related websites by simply connecting back to your own computer (127.0.0.1) when a connection is attempted to one of the listed websites.


Catprincess -- Thank you for taking the time to reply to my post. I'm still climbing the OA "learning curve"!

First, in case my terminology is causing any confusion, let me make a minor correction to the title of this post by changing "Alert" to "Balloon". Balloon being a "notification" vs a "Popup" or "Alert" requiring a user decision.

Reference your para #1. We're good here. All three of those boxes are ticked. So, I understand I'll be notified with a balloon tip whenever the Firewall allows internet access for trusted programs.

I was prompted to make this post only because of my perception (perhaps mistaken) that the balloon tip included a specific reference to "127.0.0.1". (I was doing something else when the balloon arrived, and they don't last very long. I made a hasty note of the information it contained.) Briefly, the "127.0.0.1" translated (for me) to "internet connection blockage" (as you explained in your para #3). So, I was puzzled that internet access had been allowed, but the program (DW20.exe) was directed to my Localhost, and therefore blocked -- a seemingly contradictory notification. (If the balloon did not include a 127.0.0.1 reference, then we're good, and OA is operating as you described in para #1.)

Now, on to para #2. Yes, I have the option for "Intercept Loopback Interface" ticked. But, why would this option relate to the balloon tip mentioned in para #1 ? (The "Intercept Loopback Interface" option seems to concern getting an OA popup (i.e., Alert) when an unknown program attempts to modify the Hosts file (so the user has a chance to block it) vs just a balloon notification of allowed internet access.)

And, a second question (one that you may prefer we address in a separate thread). In para #2 you also mentioned that "many programs use the Loopback Interface for internal communication". Indeed, Online Armor Help (at Using OA -> Files & Registry -> Options -> Firewall Tab/Intercept Loopback Interface) explains: "Most loopback connections are harmless system functions ..... ". But, "..... Online Armor will popup when the loopback interface is used ..." Also, in Help (at Using OA -> Files & Registry -> Hosts file), it says: "Online Armor will monitor the Hosts file for any changes, and popup (Alert) when an Unknown program attempts to modify the Hosts file, giving you a chance to Allow or Block it." What is the relationship (or difference) between "the Loopback Interface", "Loopback Connections", and "Hosts file changes"; and, is there an overlap between the Firewall "Intercept option" and the Hosts file "prompt option" ??


I was prompted to make this post only because of my perception (perhaps mistaken) that the balloon tip included a specific reference to "127.0.0.1". (I was doing something else when the balloon arrived, and they don't last very long. I made a hasty note of the information it contained.) Briefly, the "127.0.0.1" translated (for me) to "internet connection blockage" (as you explained in your para #3). So, I was puzzled that internet access had been allowed, but the program (DW20.exe) was directed to my Localhost, and therefore blocked -- a seemingly contradictory notification. (If the balloon did not include a 127.0.0.1 reference, then we're good, and OA is operating as you described in para #1.)

I think you're confusing the hosts file with the loopback interface. The hosts file is a file that maps domain names to IP addresses. 127.0.0.1 is an IP address (the address of the loopback interface) that appears in the hosts file. A custom hosts file that blocks bad sites by mapping their domain names to 127.0.0.1 is only one possible use of the loopback interface.

Like I mentioned, some programs use the loopback interface for internal communication which would be what was happening in your case with DW20.exe. There are also other programs such as AV's and ad blockers that use a local proxy to filter web content - they do this by using the loopback interface. Let's look at an AV that uses a local proxy as an example, remembering that all web content is passing through this proxy using the loopback interface. If the option to "Intercept loopback interface" was not ticked, malicious software could use the AV's proxy to gain access to the internet without OA alerting you. Having "Intercept loopback interface" ticked allows OA to monitor the loopback interface that the proxy uses, so that it can "see" this traffic that it otherwise can't if you untick the option.

Now, on to para #2. Yes, I have the option for "Intercept Loopback Interface" ticked. But, why would this option relate to the balloon tip mentioned in para #1 ? (The "Intercept Loopback Interface" option seems to concern getting an OA popup (i.e., Alert) when an unknown program attempts to modify the Hosts file (so the user has a chance to block it) vs just a balloon notification of allowed internet access.)

This option doesn't alert you to changes to your hosts file. This option is indeed intended to produce a popup when a program uses the loopback interface. You will also see local host referred to on balloon tips, if you have ticked the options to "Automatically allow trusted programs to access the internet" and/or to "Autoconfigure trusted programs". The balloon tips are just informational.

And, a second question (one that you may prefer we address in a separate thread). In para #2 you also mentioned that "many programs use the Loopback Interface for internal communication". Indeed, Online Armor Help (at Using OA -> Files & Registry -> Options -> Firewall Tab/Intercept Loopback Interface) explains: "Most loopback connections are harmless system functions ..... ". But, "..... Online Armor will popup when the loopback interface is used ..." Also, in Help (at Using OA -> Files & Registry -> Hosts file), it says: "Online Armor will monitor the Hosts file for any changes, and popup (Alert) when an Unknown program attempts to modify the Hosts file, giving you a chance to Allow or Block it." What is the relationship (or difference) between "the Loopback Interface", "Loopback Connections", and "Hosts file changes"; and, is there an overlap between the Firewall "Intercept option" and the Hosts file "prompt option" ??

Host file protection is monitoring the actual hosts file. If an unknown program attempts to add an entry to your hosts file (for example, malware could place a malicious IP address in your hosts file and map that IP with microsoft.com so every time you try to go to microsoft.com your computer connects to the malicious site), OA will alert you and ask if this program should be allowed to make changes to your hosts file. The "Intercept loopback interface" option doesn't monitor the contents of the hosts file - it's only concerned with monitoring traffic that passes through the loopback interface (127.0.0.1).

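A defender-side illustration of the distinction drawn in the reply above, as an added example (not Online Armor's code): it parses hosts-file text, separates loopback "blackhole" entries (name mapped to 127.0.0.1, ::1 or 0.0.0.0, the ad-blocker pattern) from a hijack entry that sends a real domain elsewhere (the microsoft.com case described above), and reports what changed against a baseline snapshot, which is the kind of check a hosts-file monitor performs. The hosts content, the 198.51.100.7 address and the watched-domain list are constructed for the demo.

```python
"""Hosts-file integrity check: classify entries and diff against a baseline.

Added example, not Online Armor's code. All sample data below is constructed.
"""
import ipaddress


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; comments and blank lines skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, ignore it
        for name in parts[1:]:                    # one IP may carry several names
            entries[name.lower()] = str(ip)
    return entries


def is_blackhole(ip):
    """True when the mapping only makes the name unreachable (loopback or 0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def classify(entries, watched_domains):
    """Label each entry 'blackhole', 'hijack' (a watched domain sent to a real host) or 'other'."""
    labels = {}
    for name, ip in entries.items():
        if is_blackhole(ip):
            labels[name] = "blackhole"
        elif any(name == d or name.endswith("." + d) for d in watched_domains):
            labels[name] = "hijack"
        else:
            labels[name] = "other"
    return labels


def diff_hosts(baseline, current):
    """Entries added or changed since the baseline snapshot (what a hosts monitor reports)."""
    return {n: ip for n, ip in current.items() if baseline.get(n) != ip}


# Constructed baseline: a stock hosts file.
BASELINE = """# constructed baseline
127.0.0.1   localhost
::1         localhost
"""

# Constructed current state: an ad blocker added blackholes, something else added a hijack.
CURRENT = """# constructed current hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example.net        # ad-blocker style blackhole
0.0.0.0     tracker.example.org    # same effect, different sink address
198.51.100.7  www.microsoft.com    # real domain sent to another host: suspicious
"""

WATCHED = {"microsoft.com", "windowsupdate.com"}   # hypothetical watch list


def report(baseline_text=BASELINE, current_text=CURRENT, watched=WATCHED):
    """Classify only the entries that changed since the baseline."""
    changed = diff_hosts(parse_hosts(baseline_text), parse_hosts(current_text))
    return classify(changed, watched)


if __name__ == "__main__":
    for name, label in report().items():
        print(f"{label:9s} {name}")
```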


I think we're almost there! :) Your last post gave me three "A-Ha Moments". I will summarize them here so you can "burst my bubble" if I've misunderstood anything. (Stuff in "[ ]s" are inserts; my wording.)

1.) In para #1: "127.0.0.1 is an IP address (the address of the loopback interface) that appears in the hosts file." [127.0.0.1 is the loopback interface.]

2.) In para #2: ". . . some [non-malicious] programs use the loopback interface [127.0.0.1] for internal communication . . ." "There are also other programs such as AV's and ad blockers that use a local proxy to filter web content - they do this by using the loopback interface [127.0.0.1]". And, "Let's look at an AV that uses a local proxy . . . all web content is passing through this proxy using the loopback interface [127.0.0.1]."

3.) In para #4: "The "Intercept loopback interface" option doesn't monitor the contents of the hosts file - it's only concerned with monitoring traffic that passes through the loopback interface (127.0.0.1) [i.e., the use of the interface]."

The operative feature in these A-Ha's is the definition (and use) of the IP address "127.0.0.1" (by itself) in writing about the "loopback interface". Until now, I assumed (guessed?) the term "loopback interface" referred to the singularly unique Hosts file mapping (i.e., "127.0.0.1 < to > localhost"), rather than the numerical IP alone! And this led me to associate the phrase "loopback interface" with "internet access-blocking". (I guess I've been the victim of "a little knowledge/info is dangerous".)

OK, if we're still in-sync at this point, I have just two residual questions:

1.) INTERCEPT LOOPBACK INTERFACE POP-UPs: As you explained, there is some (non-malicious) traffic crossing the loopback interface for internal communication, as well as potentially malicious traffic enabled by proxy-using AV programs and spam filters etc. In the event of an OA pop-up due to loopback interface interception, will there be some guidance to the user regarding how to distinguish between non-malicious and malicious traffic? (I've been running OA since last May and have never seen such a pop-up.)

2.) HOSTS FILE MONITOR - PROGRAM STATUS PAGE: Why is my page still blank even though I'm running Spybot Search & Destroy? This program frequently adds to/changes the area of the Hosts file where loopback-blocking is implemented. (Online Help says: "Once a program has been allowed or blocked from modifying the Hosts file it will be added to the Programs list.")


For more info on the localhost and IP designation, you can read the information here and find more about the standards organization here.

For point #1, OA will not allow a malicious program to have any network traffic at all. OA is a firewall (mainly) and is only concerned with whether or not the network traffic came from (or is going to) a known trusted / good program; it is not concerned that the file being downloaded (as an example) could be a virus (the download could be zipped / compressed and thus inactive) but rather that the network traffic is proper according to established protocols and that the program receiving / requesting the traffic is an "allowed to do so" program. Once the "payload" of the network traffic is received, the data becomes the concern of other functions (such as File Guard / Behavior Blocker in EAM or other antimalware programs).

As to point #2, is the "Hide Trusted" checked in the Hosts File screen (Spybot is most likely a trusted program)?

If you find Spybot as a trusted "Hosts File" program (list in green and with an 'allow' status) then you will not get any notification when Spybot changes the Hosts file on your system.


dbrisendine -- Thanks for the two references. I just glanced at them for now, but will return to them for further study. Wish I had known about them sooner! :)

For point #1, OK, I understand now. The firewall's purpose in intercepting (and monitoring) Loopback Interface traffic is not content, but whether, as you have written: ". . . the network traffic is proper according to established protocols and that the program receiving / requesting the traffic is an "allowed to do so" program." So, OA will "pop-up" (block & alert vs balloon & notify) only if either the traffic is deemed improper, or the program receiving/requesting is deemed not trusted ?

For point #2, the "Hide Trusted" box is UN-checked and the screen is blank. This is why I raised the question. I ran the "step-by-step" option during installation (back in May) and I'm sure Spybot was entered as "Trusted". However, I just now checked in all pertinent OA "Program" sections (Firewall, Programs, Autoruns -- "Hide Trusted" UN-checked ) and could not find Spybot ANYWHERE! And, I ran Spybot the other day! I don't understand this -- now I'm REALLY puzzled!! :huh:


For point #1, you are correct.

Point #2, however, is a little puzzling. Do you have Teatimer enabled in Spybot? Has there been a version update since the last time you ran Spybot?


Point #2. Yes, I do have Tea Timer enabled and, the Resident "SD Helper" (the IE malicious download-blocker) as well. I notice only Tea Timer shows up in Windows Task Manager (perhaps this is "normal".) I've searched OA again today and found NO TRACE of Spybot at all. Just a note in passing, I did find two other programs, that are definitely installed and running, but also don't show up anywhere in OA listings; and, a third program that appears only in Autoruns.

No, there have not been any Spybot version-updates since the last time I ran it (28 Feb 12). I check for (and usually get) detection and "program file" updates every week or so; I think I've been using V1.6 since Mar 09!

Not that it "explains anything" but, I have another program that (among other things) monitors the Hosts file for change-activity. Today, while I was browsing through Spybot, I clicked on "Add Spybot's Hosts File" and, after a brief pause, the other Hosts file monitor alerted me to this activity and asked for an "Allow/Block" decision. OA did not issue a similar alert/pop-up . . . . :(

I notice in OA/Options/General Tab, there is a "Run Safety Check Wizard" option. Is there any point in doing this, since it will not answer the troubling question of why OA isn't reacting to another program changing the Hosts file. And, is there a "down-side" to doing this after OA has been running for some months? :huh:


@Koosharem, as far as I know Tea Timer (Spybot) and OA HIPS are incompatible - it's like running two HIPS at the same time: not a good idea.

However, just to be sure, you had better ask Emsisoft Team for confirmation before running Tea Timer.

Regards


Not that it "explains anything" but, I have another program that (among other things) monitors the Hosts file for change-activity. Today, while I was browsing through Spybot, I clicked on "Add Spybot's Hosts File" and, after a brief pause, the other Hosts file monitor alerted me to this activity and asked for an "Allow/Block" decision. OA did not issue a similar alert/pop-up . . . . :(

You will only see a popup if an unknown program attempts to modify the hosts file. Trusted programs are allowed to do so without asking.

If Spybot is added to OA's exclusions list, you won't see entries related to it in any areas of OA (unless it was detected prior to you excluding it in which case you may see "some" residual entries).


Catprincess -- OK, another "A Ha Moment"!

Yes, I have Spybot (and several other programs I thought might conflict with OA) listed as OA exclusions (OA Options/Exclusions Tab). As it says there, the programs/folders listed should be/are excluded from OA's protection -- meaning completely ignored, neither "Trusted", "Untrusted", "Unknown", nor "Absent", and OA imposes no restrictions of any kind on those programs. I mistakenly thought "exclusion" meant simply "trusted". :unsure:

Accordingly, I should not expect to see Spybot (nor any of the other excluded programs) listed in Programs, Autoruns, nor Anti-Keylogger even with the "Hide Trusted" box un-ticked.

So, we're good! We've come a long way from a "Puzzling Allowed Access Alert" -- and you and the others have cleared up a lot of my misconceptions! My thanks to all! :)

Regarding Nick's post concerning Spybot/Tea Timer and OA HIPS (Web Shield, Program Guard, & Anti-Keylogger) being incompatible, I've been running them together (with Spybot "excluded") for almost a year now without any problem that suggests incompatibility. I think their capabilities are pretty well "inter-laced" and therefore provide good, comprehensive "coverage".
