EIS firewall's interactive mode and Windows 10 apps

[AGH1965 12]

Until recently I used EIS and ESS in Windows 7 with the firewall's interactive mode activated. That way I can control which applications on my computer can access the internet and which can't. Once this approach made me detect a virus even before ESS recongized it.

Recently I switched to Windows 10 and I continued using EIS firewall's interactive mode as I did before. Unfortunately the Windows apps that are located in C:\Program Files\WindowsApps keep moving to different subfolders when they are updated. This means that I have to continue adding new firewall rules for the same apps over and over again. This makes using EIS firewall's interactive mode quite annoying.

Is there a solution for this that I'm not aware of?

[AGH1965 12]

No replies at all? Am I the only person on this world that uses the firewall's interactive mode?

[Marcos 5,070]

The ESET firewall currently doesn't support wildcards in paths to applications.

[cyberhash 188]

2 hours ago, AGH1965 said:

No replies at all? Am I the only person on this world that uses the firewall's interactive mode?

I use interactive mode also , but don't find it that much of a chore to add one or two new rules following an update. If it was daily then it would be a problem, but every 6 months or so is not an issue.

[AGH1965 12]

Trying to use wildcards was one of the first things I did, but indeed the firewall doesn't accept these. 

[FeMaster 0]

I have the same issue. The app that is particularly annoying to me is the HxTsr.exe which is apparently associated with my Office 2013 installation. This file seems to get updated about once a week, and every time it updates the sub-folder changes based upon the apps version number. I think it is the same for everything in the WindowsApps folder, but don't quote me on that. I've posted in the past about this particular file (HxTsr.exe), and was met with pretty much the same worthless response. No REAL solution to the problem (I was told to change to "Automatic" mode to resolve the issue), and not even a "we'll look into it and see if we can come up with a fix." The problem has been ongoing for over a year now, and nobody seems to care. Apparently those of us that use interactive mode are in the minority, and spending time on a fix would require more resources to try to come up with a solution than they would benefit in return from.

Highly annoying to say the least! The worst part is, the firewall rules list keeps getting longer and longer as the old rules don't get automatically removed, and requires me to go in and clear out all the old, no longer relevant rules. It would be nice if the software could do something similar for the apps in the WindowsApps folder, like it does with the desktop apps when they get updated. The software notices that the executable has changed and asks me if I want to keep the same rules as before the change.

[AGH1965 12]

Thanks for your reply, FeMaster. Now I feel understood. You described exactly what I experienced. Indeed HxTsr.exe is one of the annoying apps. Switching to "Automatic" mode isn't a solution. I don't understand why the majority of users uses that mode, since if I would want to allow all outgoing network communication automatically, then I would probably use Windows firewall.

[itman 1,659]

Here's the situation in regards to Win 10.

Microsoft designed  Win 10 to dynamically create Win firewall rules for its apps. When a new Windows OS or Microsoft app is created or revised, Win 10 deletes the old app inbound/outbound rule and creates a new inbound/outbound rule for it.

Third party firewalls obviously don't have this capability since Microsoft built it into Win 10. There appears to a vendor interface to the Win 10 firewall to create app exceptions. I know for a fact that Adobe Reader creates/updates Win 10 firewall exceptions for itself.

In regards to third party firewalls like Eset's when running in interactive mode, one should view any update to an existing Store app by Microsoft as a new program with new rule creation being required.

One enhancement Eset could provide would be an exception when in Interactive mode to allow/block all Microsoft code signed Store Apps. There obviously is some risk involved to deploying such an exception.

 

Edited April 21, 2018 by itman

[FeMaster 0]

22 hours ago, AGH1965 said:

Thanks for your reply, FeMaster. Now I feel understood. You described exactly what I experienced. Indeed HxTsr.exe is one of the annoying apps. Switching to "Automatic" mode isn't a solution. I don't understand why the majority of users uses that mode, since if I would want to allow all outgoing network communication automatically, then I would probably use Windows firewall.

I absolutely agree. Call me anal, but I want to know what is both coming in and going out. Being prompted for something wanting to go outbound, that I have never seen before, is a HUGE first step in determining if you might just have a problem somewhere on your system. While I'm plenty savvy enough to know the dos and don'ts to avoid infections, what I can't stop are baddies that just might sneak in because of exploits and holes in poorly coded software; something that seems to be getting more and more rampant these days.

[Marcos 5,070]

On 4/20/2018 at 5:02 AM, FeMaster said:

The problem has been ongoing for over a year now, and nobody seems to care.

ESET Smart Security has been on the market since 2002 if I remember correctly and never supported wildcards in firewall rules. Moreover, there has never been a big demand for such feature. We appreciate your feedback and welcome any reasonable and feasible ideas that could make our products fit your needs.

Some improvements have big benefits for all or most of users but take many resources and time to accomplish them (e.g. detection-related ones). Some have smaller benefits appreciated by a small number of users but can be accomplished quickly. Then there are improvements with smaller benefits for a small number of users but are quite expensive to accomplish in terms of resources and time. Unfortunately, support for wildcards in rules falls into the last group which is also why it hasn't been added yet. However, we didn't forget about it, it's on a to-do list and we plan to implement support for wildcards in the future.

[FeMaster 0]

4 hours ago, Marcos said:

ESET Smart Security has been on the market since 2002 if I remember correctly and never supported wildcards in firewall rules. Moreover, there has never been a big demand for such feature. We appreciate your feedback and welcome any reasonable and feasible ideas that could make our products fit your needs.

Wildcards are not my goal here, my goal is to not have to create a new firewall rule (and remember to delete the old one) every time an app in the WindowsApps folder is updated. Some of these apps (like the irritating HxTsr.exe ) are updated on an almost weekly basis and attempt to access the internet to varies different IP addresses multiple times an hour. This makes the need to create a firewall rule for it a necessity.

Frankly, I could care less how this is implemented, wildcards or not, as long as it works without having to turn off Interactive mode on the firewall. Personally I'd like to see the firewall recognize the updated app as just that, an update, and not a completely new piece of software just because the folder it was in changed. Since this seems to only be an issue with apps within the WindowsApps folder, whatever is implemented should probably be specific to just the things within that folder so as to not potentially weaken the firewall in normal folders.

Hell, at this point I'd be happy to be able to set an exception to never block outgoing connections from things inside just the WindowsApps folder. While this is definitely NOT an ideal situation, I am THAT FRUSTRATED with this that I am actually considering it as an option!

BTW, sorry AGH1965, I didn't mean to hijack your thread, I'm just glad to see that I'm not the only one frustrated by this, and am hoping that the more of us in a single place might help to push things on a little faster. Wishful thinking maybe...

Edited April 21, 2018 by FeMaster

[Azure Phoenix 11]

@FeMaster

You can do the following:

Setup > advanced setup > firewall > advanced > IDS and advanced options > allowed services > Allow Metro applications

[AGH1965 12]

Actually I don't think allowing wildcards is the best way to go. I just tried it as a temporary work-around. Personally I would like the firewall to recognize updated versions of apps that already have their own firewall rule. So basically the same behavior as with apps that are updated in the same folder. If the firewall recognizes an updated version in a new folder, then I want to be asked to keep and update the existing firewall rule or not.

Edited April 22, 2018 by AGH1965

[itman 1,659]

3 hours ago, AGH1965 said:

Personally I would like the firewall to recognize updated versions of apps that already have their own firewall rule.

Actually, it does. That is what the "Application Modification Detection" setting is used for and is only applicable when in Interactive mode.

The problem is as I stated previously, Microsoft changes the name of these Store apps with each update. As far as Eset's or any other third party firewall is concerned, these are not updated apps but new apps since the executable name is not the same and obviously, the file hash has changed.

If anyone hasn't figured out what is going on here, Microsoft did this intentionally to make Store app outbound communication almost impossible to block.

[peteyt 393]

On 21/04/2018 at 8:07 PM, Marcos said:

ESET Smart Security has been on the market since 2002 if I remember correctly and never supported wildcards in firewall rules. Moreover, there has never been a big demand for such feature. We appreciate your feedback and welcome any reasonable and feasible ideas that could make our products fit your needs.

Some improvements have big benefits for all or most of users but take many resources and time to accomplish them (e.g. detection-related ones). Some have smaller benefits appreciated by a small number of users but can be accomplished quickly. Then there are improvements with smaller benefits for a small number of users but are quite expensive to accomplish in terms of resources and time. Unfortunately, support for wildcards in rules falls into the last group which is also why it hasn't been added yet. However, we didn't forget about it, it's on a to-do list and we plan to implement support for wildcards in the future.

While i understand why wildcards aren't used as someone could for example allow too much, i would love to see eset handle dead rules better. I say better but as far as i know eset doesnt do anything with rules that point to programs that no longer exist. Id love to see a button that could automatically remove these rules. Obviously some people may keep rules for future use so may not use the purge button but you could even possibly have a way to save rules you want to keep that are dead

[AGH1965 12]

itman, apparently you don't use Windows 10. What you wrote, is not correct. Microsoft does not change the name of these apps with every update! No, Microsoft stores every update in a new folder. That is why "Application Modification Detection" does not recognize these updates as modifications.

[itman 1,659]

1 hour ago, AGH1965 said:

Microsoft does not change the name of these apps with every update! No, Microsoft stores every update in a new folder.

The net effect is the same; the firewall believes its a new app that has not been detected before.

Note this. Firewall's require specific program identification of which the path where it is located is part of that identification. Some AV HIPS and like third part equivalents; e.g. NVT's OSArmor, have wildcard capability. This is such because they scan the PE header as the executable loads. I know of no non-Microsoft firewall with this capability including Comodo's which is one of the most feature-rich in this category.

I have been waiting years for Eset to provide HIPS file wildcard capability; e.g. *.exe. It still doesn't exist in the retail versions. I would say the likelihood of Eset providing firewall wildcard capability is equal that of hell freezing over ..............

Edited April 24, 2018 by itman