EIS firewall's interactive mode and Windows 10 apps


Until recently I used EIS and ESS in Windows 7 with the firewall's interactive mode activated. That way I can control which applications on my computer can access the internet and which can't. Once this approach made me detect a virus even before ESS recognized it.

Recently I switched to Windows 10 and I continued using EIS firewall's interactive mode as I did before. Unfortunately the Windows apps that are located in C:\Program Files\WindowsApps keep moving to different subfolders when they are updated. This means that I have to continue adding new firewall rules for the same apps over and over again. This makes using EIS firewall's interactive mode quite annoying.

Is there a solution for this that I'm not aware of?

  • 2 weeks later...
  • Most Valued Members
2 hours ago, AGH1965 said:

No replies at all? Am I the only person on this world that uses the firewall's interactive mode?

I use interactive mode also, but don't find it that much of a chore to add one or two new rules following an update. If it was daily then it would be a problem, but every 6 months or so is not an issue.


I have the same issue. The app that is particularly annoying to me is the HxTsr.exe which is apparently associated with my Office 2013 installation. This file seems to get updated about once a week, and every time it updates the sub-folder changes based upon the app's version number. I think it is the same for everything in the WindowsApps folder, but don't quote me on that. I've posted in the past about this particular file (HxTsr.exe), and was met with pretty much the same worthless response. No REAL solution to the problem (I was told to change to "Automatic" mode to resolve the issue), and not even a "we'll look into it and see if we can come up with a fix." The problem has been ongoing for over a year now, and nobody seems to care. Apparently those of us that use interactive mode are in the minority, and spending time on a fix would require more resources to try to come up with a solution than they would benefit in return from.

Highly annoying to say the least! The worst part is, the firewall rules list keeps getting longer and longer as the old rules don't get automatically removed, and requires me to go in and clear out all the old, no longer relevant rules. It would be nice if the software could do something similar for the apps in the WindowsApps folder, like it does with the desktop apps when they get updated. The software notices that the executable has changed and asks me if I want to keep the same rules as before the change.


Thanks for your reply, FeMaster. Now I feel understood. You described exactly what I experienced. Indeed HxTsr.exe is one of the annoying apps. Switching to "Automatic" mode isn't a solution. I don't understand why the majority of users use that mode, since if I would want to allow all outgoing network communication automatically, then I would probably use Windows firewall.


Here's the situation in regards to Win 10.

Microsoft designed Win 10 to dynamically create Win firewall rules for its apps. When a new Windows OS or Microsoft app is created or revised, Win 10 deletes the old app inbound/outbound rule and creates a new inbound/outbound rule for it.

Third party firewalls obviously don't have this capability since Microsoft built it into Win 10. There appears to be a vendor interface to the Win 10 firewall to create app exceptions. I know for a fact that Adobe Reader creates/updates Win 10 firewall exceptions for itself.

In regards to third party firewalls like Eset's when running in interactive mode, one should view any update to an existing Store app by Microsoft as a new program with new rule creation being required.

One enhancement Eset could provide would be an exception when in Interactive mode to allow/block all Microsoft code-signed Store apps. There obviously is some risk involved in deploying such an exception.

Edited by itman
22 hours ago, AGH1965 said:

Thanks for your reply, FeMaster. Now I feel understood. You described exactly what I experienced. Indeed HxTsr.exe is one of the annoying apps. Switching to "Automatic" mode isn't a solution. I don't understand why the majority of users use that mode, since if I would want to allow all outgoing network communication automatically, then I would probably use Windows firewall.

I absolutely agree. Call me anal, but I want to know what is both coming in and going out. Being prompted for something wanting to go outbound, that I have never seen before, is a HUGE first step in determining if you might just have a problem somewhere on your system. While I'm plenty savvy enough to know the dos and don'ts to avoid infections, what I can't stop are baddies that just might sneak in because of exploits and holes in poorly coded software; something that seems to be getting more and more rampant these days.

  • Administrators
On 4/20/2018 at 5:02 AM, FeMaster said:

The problem has been ongoing for over a year now, and nobody seems to care.

ESET Smart Security has been on the market since 2002 if I remember correctly and never supported wildcards in firewall rules. Moreover, there has never been a big demand for such a feature. We appreciate your feedback and welcome any reasonable and feasible ideas that could make our products fit your needs.

Some improvements have big benefits for all or most users but take many resources and time to accomplish (e.g. detection-related ones). Some have smaller benefits appreciated by a small number of users but can be accomplished quickly. Then there are improvements with smaller benefits for a small number of users that are quite expensive to accomplish in terms of resources and time. Unfortunately, support for wildcards in rules falls into the last group, which is also why it hasn't been added yet. However, we didn't forget about it; it's on a to-do list and we plan to implement support for wildcards in the future.

4 hours ago, Marcos said:

ESET Smart Security has been on the market since 2002 if I remember correctly and never supported wildcards in firewall rules. Moreover, there has never been a big demand for such a feature. We appreciate your feedback and welcome any reasonable and feasible ideas that could make our products fit your needs.

Wildcards are not my goal here; my goal is to not have to create a new firewall rule (and remember to delete the old one) every time an app in the WindowsApps folder is updated. Some of these apps (like the irritating HxTsr.exe) are updated on an almost weekly basis and attempt to access the internet to various different IP addresses multiple times an hour. This makes the need to create a firewall rule for it a necessity.

Frankly, I could care less how this is implemented, wildcards or not, as long as it works without having to turn off Interactive mode on the firewall. Personally I'd like to see the firewall recognize the updated app as just that, an update, and not a completely new piece of software just because the folder it was in changed. Since this seems to only be an issue with apps within the WindowsApps folder, whatever is implemented should probably be specific to just the things within that folder so as to not potentially weaken the firewall in normal folders.

Hell, at this point I'd be happy to be able to set an exception to never block outgoing connections from things inside just the WindowsApps folder. While this is definitely NOT an ideal situation, I am THAT FRUSTRATED with this that I am actually considering it as an option!

BTW, sorry AGH1965, I didn't mean to hijack your thread, I'm just glad to see that I'm not the only one frustrated by this, and am hoping that the more of us in a single place might help to push things on a little faster. Wishful thinking maybe...

Edited by FeMaster

Actually I don't think allowing wildcards is the best way to go. I just tried it as a temporary work-around. Personally I would like the firewall to recognize updated versions of apps that already have their own firewall rule. So basically the same behavior as with apps that are updated in the same folder. If the firewall recognizes an updated version in a new folder, then I want to be asked to keep and update the existing firewall rule or not.

Edited by AGH1965
3 hours ago, AGH1965 said:

Personally I would like the firewall to recognize updated versions of apps that already have their own firewall rule.

Actually, it does. That is what the "Application Modification Detection" setting is used for and is only applicable when in Interactive mode.

The problem is as I stated previously, Microsoft changes the name of these Store apps with each update. As far as Eset's or any other third party firewall is concerned, these are not updated apps but new apps since the executable name is not the same and obviously, the file hash has changed.

If anyone hasn't figured out what is going on here, Microsoft did this intentionally to make Store app outbound communication almost impossible to block.

  • Most Valued Members
On 21/04/2018 at 8:07 PM, Marcos said:

ESET Smart Security has been on the market since 2002 if I remember correctly and never supported wildcards in firewall rules. Moreover, there has never been a big demand for such a feature. We appreciate your feedback and welcome any reasonable and feasible ideas that could make our products fit your needs.

Some improvements have big benefits for all or most users but take many resources and time to accomplish (e.g. detection-related ones). Some have smaller benefits appreciated by a small number of users but can be accomplished quickly. Then there are improvements with smaller benefits for a small number of users that are quite expensive to accomplish in terms of resources and time. Unfortunately, support for wildcards in rules falls into the last group, which is also why it hasn't been added yet. However, we didn't forget about it; it's on a to-do list and we plan to implement support for wildcards in the future.

While I understand why wildcards aren't used, as someone could for example allow too much, I would love to see ESET handle dead rules better. I say better, but as far as I know ESET doesn't do anything with rules that point to programs that no longer exist. I'd love to see a button that could automatically remove these rules. Obviously some people may keep rules for future use so may not use the purge button, but you could even possibly have a way to save rules you want to keep that are dead.


itman, apparently you don't use Windows 10. What you wrote is not correct. Microsoft does not change the name of these apps with every update! No, Microsoft stores every update in a new folder. That is why "Application Modification Detection" does not recognize these updates as modifications.

1 hour ago, AGH1965 said:

Microsoft does not change the name of these apps with every update! No, Microsoft stores every update in a new folder.

The net effect is the same; the firewall believes it's a new app that has not been detected before.

Note this. Firewalls require specific program identification, of which the path where it is located is part of that identification. Some AV HIPS and like third-party equivalents, e.g. NVT's OSArmor, have wildcard capability. This is such because they scan the PE header as the executable loads. I know of no non-Microsoft firewall with this capability, including Comodo's, which is one of the most feature-rich in this category.

I have been waiting years for Eset to provide HIPS file wildcard capability; e.g. *.exe. It still doesn't exist in the retail versions. I would say the likelihood of Eset providing firewall wildcard capability is equal to that of hell freezing over...

Edited by itman
This topic is now closed to further replies.
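
The two requests made in the thread (recognizing an updated Store app in its new version-numbered folder as the same app, and finding rules whose target no longer exists) can be sketched as below. This is an added example, not ESET's code and not part of any post; the rule list, package names and publisher id are constructed placeholders, and matching is by folder name only, with no check of the file's signature.

```python
import ntpath
from collections import namedtuple

# Store-app root named in the thread; each package lives in a versioned subfolder.
ROOT = ntpath.normcase("C:\\Program Files\\WindowsApps") + "\\"
AppId = namedtuple("AppId", "family exe version")

def parse_store_path(path):
    """Reduce a WindowsApps path to a version-independent identity.

    The folder is the package full name:
    Name_Version_Architecture_ResourceId_PublisherId (ResourceId may be empty).
    Returns None outside WindowsApps or for an unexpected layout.
    """
    norm = ntpath.normcase(ntpath.normpath(path))  # also collapses ".." segments
    if not norm.startswith(ROOT):
        return None
    folder, _, exe = norm[len(ROOT):].partition("\\")
    parts = folder.split("_")
    if len(parts) != 5 or not exe:
        return None
    name, version, _arch, _resource, publisher = parts
    try:
        ver = tuple(int(n) for n in version.split("."))
    except ValueError:
        return None
    return AppId(f"{name}_{publisher}", exe, ver)

def classify_rules(rule_paths, installed_paths):
    """Label each rule 'current', 'moved' (same app, other folder), 'dead' or 'not-store-app'."""
    present = {ntpath.normcase(p) for p in installed_paths}
    newest = {}
    for p in installed_paths:
        app = parse_store_path(p)
        key = app and (app.family, app.exe)
        if app and (key not in newest or app.version > newest[key][0]):
            newest[key] = (app.version, p)
    report = {}
    for rule in rule_paths:
        app = parse_store_path(rule)
        key = app and (app.family, app.exe)
        if app is None:
            report[rule] = ("not-store-app", None)
        elif ntpath.normcase(rule) in present:
            report[rule] = ("current", None)
        elif key in newest:
            report[rule] = ("moved", newest[key][1])  # candidate for "keep the same rule?"
        else:
            report[rule] = ("dead", None)  # candidate for the requested purge button
    return report
```

A "moved" result is where a firewall could offer to carry the old rule over to the new path, and a "dead" result is what a purge button would list.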