Microsoft Outlook Communications (HxTsr.exe) Firewall Rules


Eset Smart Security Version 10.1.219.0, Firewall set to Interactive Mode.

I have been having an ongoing problem (for months now, even back on version 9.xx) with firewall rule creation involving only one specific file, HxTsr.exe (Microsoft Outlook Communications). I've created probably close to 50 rules to allow this file outbound access to the various email websites run by Microsoft (office365.com, hotmail.com, outlook.com, etc.) but a few days later it's popping up again asking for permission to allow outbound traffic.

I've determined that the problem lies with the file's path. It seems that the file gets updated very frequently, and each time it gets updated, its path changes relative to its current version number. For example, the current path to the file as I write this is: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe

The problem is, I can create rules till my fingers bleed, but every time the file is updated, the relative path changes and negates all previous rules I've created.

I need a solution to this dilemma so that I am not constantly nagged every couple of days to re-create firewall rules for this file, and then having to remember to go back into the rules and delete all the old ones that are no longer valid. Is there a way to create a rule for a specific file name, no matter what its relative path may be, or perhaps a way to just ignore the file name altogether?

Thanks for any insight into this!


  • Administrators

Wildcards are not supported in firewall rules. Otherwise one could create a rule for svchost.exe for instance but since this is also a typical file name used by malware the rule would also be applied to both malicious and innocuous svchost.exe.


Before I get into this, I will state that outbound monitoring of Win 10 Apps in a third party firewall is an "effort in futility."

Below is a screen shot from Process Explorer. Note that I do not use any of the Apps the OP listed. However, I do use IE11, which does use an Outlook add-in. What is shown is that an "internal" Win firewall rule was created for an instance of HxTsr.exe, which BTW is a rule to allow communication from the user's IE11 cache directory:

[Screenshot: HxTsr.thumb.png]

 

Next is a screen shot of the outbound Windows Firewall rules that were created by IE11 to allow communication for Outlook. Again note that the rules specify outbound communication from the user's IE11 cache directory.

[Screenshot: HxTsr_Win_FW.thumb.png]

 

Bottom line - it appears Win 10 creates firewall rules for Outlook for each application which can employ it. Duplication of the same rules is virtually next to impossible in conventional third party firewall rules, if for no other reason than that they are SID dependent. Therefore it is recommended not to monitor Win 10 outbound connections in the Eset firewall.

One thing Eset could do is to also allow Win 10 outbound firewall rules as is currently provided for inbound rules. Then the user could block Win 10 App outbound firewall rules if so desired.

Edited by itman

11 hours ago, Marcos said:

Wildcards are not supported in firewall rules. Otherwise one could create a rule for svchost.exe for instance but since this is also a typical file name used by malware the rule would also be applied to both malicious and innocuous svchost.exe.

While I completely understand the reasoning behind the inability to do this, there has got to be something that can be done about problem files like this. Can outbound traffic filtering be turned off and only filter inbound? Ideally I'd prefer to keep both inbound and outbound, but the nagging has really started to rub me the wrong way. I'd really prefer not to change the mode from interactive either.


20 minutes ago, FeMaster said:

Can outbound traffic filtering be turned off and only filter inbound?

Yes.

The Eset default firewall setting is "Automatic" which allows all outbound traffic unless you specifically created an outbound ask/block rule.

Go into the Eset GUI -> Advanced setup -> Personal Firewall -> Advanced -> filtering mode and change to "Automatic mode." Then delete all the outbound rules you created. You can also reset the Personal Firewall settings to default which will recreate the default inbound and outbound Eset firewall rules and settings.

Edited by itman

On 9/2/2017 at 4:20 PM, itman said:

The Eset default firewall setting is "Automatic" which allows all outbound traffic unless you specifically created an outbound ask/block rule.

Call me strange, but I like the interaction of knowing when new things want to reach out, so Automatic is not a desirable setting for me. I'm going to try one last-ditch effort to create broad rules, when prompted by the pop ups, to just allow access out to the specific email server IPs on the requested ports for ANY application. This is really not what I wanted to do, as it leaves the door open for anything to reach out to those email servers, but if it stops the annoyance, I guess I will have to live with it.

Thanks everyone.


34 minutes ago, FeMaster said:

when prompted by the pop ups, to just allow access out to the specific email server IPs on the requested ports for ANY application.

You can do this in "Automatic" mode, by first creating an outbound allow rule for the e-mail client app to the e-mail server IPs. Then create a second outbound firewall rule to block any outbound traffic from the e-mail client app. Just make sure the block rule is below the allow rule. Eset firewall rules are parsed from top to bottom.


17 minutes ago, itman said:

You can do this in "Automatic" mode, by first creating an outbound allow rule for the e-mail client app to the e-mail server IPs. Then create a second outbound firewall rule to block any outbound traffic from the e-mail client app. Just make sure the block rule is below the allow rule. Eset firewall rules are parsed from top to bottom.

Like I said before though, it's not the actual email client (which happens to be Outlook 2013) that is the problem, it's the other file from Microsoft (HxTsr.exe) that is causing all the havoc. Creating rules for this specific file is fruitless as the file path constantly changes, based on the file version, which seems to be updated every few days. Any rule created for the file is made worthless every time the path to it changes, hence my original request.

The file also doesn't look for access to the email servers on typical email ports, it only goes out on remote ports 80 and 443. It most commonly connects to outlook.office365.com, but occasionally to autodiscover.hotmail.com, and one other that slips my mind right now. Not sure what it's looking for or doing on those servers, but it's not retrieving email, that's for sure.


This topic is now closed to further replies.
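
The version-dependent path described in the thread, as an added example that is not part of any poster's reply and not ESET or Microsoft code: a Python sketch that parses the package folder name (Windows package full names follow Name_Version_Architecture_ResourceId_PublisherId) and sorts firewall rule paths into current, stale and unrelated. Only the first path comes from the thread; the other three are constructed sample data, `parse_rule_path` and `classify` are hypothetical names, and "current" here means the highest version among the listed rules.

```python
import re
from typing import NamedTuple, Optional

# Folder name layout: Name_Version_Architecture_ResourceId_PublisherId.
# ResourceId is empty in the thread's path, hence the double underscore.
FULL_NAME = re.compile(
    r"^(?P<name>[^_\\]+)_(?P<version>\d+(?:\.\d+){3})_(?P<arch>[^_\\]+)"
    r"_(?P<resource>[^_\\]*)_(?P<publisher>[^_\\]+)$")
APPS_ROOT = "c:\\program files\\windowsapps\\"

# First path is the one quoted in the thread; the rest are constructed samples.
RULE_PATHS = [
    r"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41195.0_x64__8wekyb3d8bbwe\HxTsr.exe",
    r"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8400.41100.0_x64__8wekyb3d8bbwe\HxTsr.exe",
    r"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8241.41275.0_x64__8wekyb3d8bbwe\HxTsr.exe",
    r"C:\Users\Public\HxTsr.exe",
]

class AppxExe(NamedTuple):
    family: str      # Name_PublisherId, stays the same across updates
    version: tuple   # changes with every update, and so does the path
    exe: str

def parse_rule_path(path: str) -> Optional[AppxExe]:
    """Return the package identity behind a rule path, or None when the path
    is not <WindowsApps>\\<package full name>\\<executable>."""
    if not path.lower().startswith(APPS_ROOT):
        return None
    parts = path[len(APPS_ROOT):].split("\\")
    m = FULL_NAME.match(parts[0]) if len(parts) == 2 else None
    if not m:
        return None
    version = tuple(int(x) for x in m["version"].split("."))
    return AppxExe(f"{m['name']}_{m['publisher']}".lower(), version, parts[1].lower())

def classify(rule_paths):
    """Sort rule paths into current, stale (older version of the same packaged
    executable) and unrelated (same file name is not enough to match)."""
    parsed = {p: parse_rule_path(p) for p in rule_paths}
    newest = {}
    for info in filter(None, parsed.values()):
        key = (info.family, info.exe)
        newest[key] = max(newest.get(key, info.version), info.version)
    result = {"current": [], "stale": [], "unrelated": []}
    for p, info in parsed.items():
        bucket = ("unrelated" if info is None else
                  "current" if info.version == newest[(info.family, info.exe)] else "stale")
        result[bucket].append(p)
    return result
```

A file named HxTsr.exe outside WindowsApps lands in `unrelated`, which is the case the administrator's reply says a file-name wildcard would also have matched.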