rugk 397 Posted December 21, 2014 (edited)

> So in summary, if ALL users actually need the SAME rule then I agree it should be added to the predefined set. If not, then I would prefer to build my own rule. I hope this clarifies the contention.

Yes, I can fully support this too.

Edited December 22, 2014 by rugk
rugk 397 Posted December 22, 2014 (edited)

@Utini

> @edit: maybe create a fresh Windows, custom rule all the requests of those files (that fresh Windows will be without malware) and then we know how those files communicate?

If you really want these rules, why don't you make them yourself? Make it like you said: create a fresh VM, install a fresh copy of Windows (and do not install any "integration components" or something like this), install ESS, do not install any other software at all, and then you can create all the rules while using the VM. Before creating the rules I would suggest you export the configuration, so you can compare it to the configuration later. Then you have two possibilities for how to create these rules: use interactive mode (and make them, more or less, manually), but this would be very time-consuming... or configure a strict learning mode and use it to automatically create the needed rules, e.g. like this:

[screenshot: ESS_FirewallStrictLearningMode.png]

After this you can export the configuration and compare the configuration files, so that you can "extract" only the created rules. Here is how you can do this: https://forum.eset.com/topic/3512-eset-passive-quiet-install-to-include-pua-detection/?p=20461

Okay, if you don't want to do the last step you can also send me the XML files and I'll do this for you. Then you will finally have a configuration file which everyone can import who wants to have the pre-defined system rules you talk about here. Okay, there would be one exception: the users would have to use exactly the same OS (e.g. Windows 8.1 Pro, 64-bit), otherwise there could be rules which are not needed or some rules are missing. I would even try, if you use the learning mode, to let it create rules over several days and try to use nearly all common Windows features that use a connection.

Okay, there is still something you should pay attention to: create a rule for Internet Explorer manually (which allows the connection to any IP), otherwise it would be very crazy, because you will get a rule for every website you visit and for every connection IE is accessing:

[screenshot: ESS_FirewallManyInternetExplorerRules.png]

Or don't open Internet Explorer at all. Maybe don't do it as shown in my screenshot, so uncheck the box to include the local port for outgoing connections. Usually this is quite irrelevant and would only cause the creation of unnecessary rules. Additionally I would suggest you set the network mode to "public" so you won't create any rules with local IP addresses (because these local IP addresses may of course change in every new network and so they aren't the same for every ESET user). And when all rules are created you maybe even want to unify rules. E.g. a rule which allows "spoolsv.exe, outgoing connection to port 1234, IP: 12.34.567.89" and "spoolsv.exe, outgoing connection to port 4321, IP: 98.76.543.21" could be unified to "spoolsv.exe, outgoing connection to port 4321 and 1234, IP: 98.76.543.21 and 12.34.567.89".

Edited December 22, 2014 by rugk
Utini 1 Posted December 22, 2014

> (quotes rugk's previous post in full)

I have thought about that and might do that, but it is time intensive in any case. Plus I am not sure about all the ports & connections. Even though it will be a "fresh Windows" I would still want to make sure about the connections & ports, but Google doesn't really give me much information for most of the firewall requests :/
rugk 397 Posted December 22, 2014

If it's a fresh Windows and nothing except Windows and ESS is on it, you don't have to give any thought to the ports/IPs. You want pre-defined system rules and you won't block any Windows connection, so if that's what you want then you can do it this way. And BTW please don't quote the whole post. It's clear that you're referring to my post before.
Utini 1 Posted December 22, 2014

You are right, there shouldn't be anything to worry about in a fresh installation. Well, what if the network is already infected by other users of the network? I hope it is not the case but it could be ;P Basically I would not like to blindly allow something but first want to know what its purpose is. I might give it a try within the next few days to see what the learning mode creates on a fresh VM.
rugk 397 Posted December 22, 2014

You have to make sure that the VM you set up is safe, and your local network too. Also the host computer should be clean, of course, so I would, before doing this, at least run a full system scan on your computer (and maybe all other computers in the local network) with a few tools. I recommend: ESET SysRescue Live, herdProtect and maybe Malwarebytes Anti-Malware/another "rescue disk" from another AV vendor. Of course nowhere is there 100% security, so of course you have to trust the system and even the Windows installation disk/ISO image/... you download for installing Windows.

> Basically I would not like to blindly allow something but first want to know what its purpose is.

You have to decide if you want to block "Microsoft adware/privacy" or if you want to create "pre-defined system rules" so Windows is allowed to do everything which it normally does. Anything else is impossible, because you can't find out for every connection what it delivers to Microsoft or not. Especially if there were things Microsoft really wanted to get, then they would of course use connections which have to be allowed (e.g. for Windows Update) and then it doesn't matter what other connections you block. And I think you want to create "pre-defined system rules" and not firewall rules which block Microsoft collecting user data or something else. That may be a reason why there aren't so many pre-defined rules, but if you really want "real pre-defined" rules which allow everything Windows is connecting to, then you mustn't care about it.
Patch 16 Posted December 23, 2014

> @edit: maybe create a fresh Windows, custom rule all the requests of those files (that fresh Windows will be without malware) and then we know how those files communicate?
>
> If you really want these rules, why don't you make them yourself? Make it like you said: create a fresh VM, install a fresh copy of Windows (and do not install any "integration components" or something like this), install ESS, do not install any other software at all, and then you can create all the rules while using the VM. Before creating the rules I would suggest you export the configuration, so you can compare it to the configuration later. ... After this you can export the configuration and compare the configuration files, so that you can "extract" only the created rules. Here is how you can do this: https://forum.eset.com/topic/3512-eset-passive-quiet-install-to-include-pua-detection/?p=20461
>
> Okay, if you don't want to do the last step you can also send me the XML files and I'll do this for you. Then you will finally have a configuration file which everyone can import who wants to have the pre-defined system rules you talk about here. Okay, there would be one exception: the users would have to use exactly the same OS (e.g. Windows 8.1 Pro, 64-bit), otherwise there could be rules which are not needed or some rules are missing.

ESS has the capability to import/add to a user's current configuration. Multiple configuration XML files can be sequentially added to build up a desired configuration. Creating and sharing firewall configurations for standard applications is an interesting concept. By grouping sets of rules for particular functions we may achieve an efficient way to customise the firewall configuration. Using/editing the rule names so their source is readily identifiable would further facilitate subsequent customisation/selective deletion. As well as OS firewall configuration, the same concept could be applied to application suites.

Sharing configurations would also facilitate discussion on configuration options and their merits. The difficulty in sharing firewall rules is that the application path varies (drive letter, 32 vs 64 bit etc.). We may need multiple versions of configurations. Alternatively, searching and replacing the application path in a word processor prior to using the configuration snippet may be optimal if a different installation directory is used.
rugk 397 Posted December 23, 2014 (edited)

Yes, this is our idea. To group the configurations we could add, like you said, a small prefix, in our case maybe "System_Win6.3_x64_v001", where
- "System" indicates that this is from a rule pack
- "Win6.3" indicates that this rule pack is for Windows 8.1 (6.3 is the NT version number of Windows 8.1)
- "x64" indicates that this is for a 64-bit system
- "v001" indicates that this is the first version of the rule pack (so if there should be future changes, this can be found out)

The rest of the rule name is, IMO, already quite understandable when the rules are automatically created by the learning mode. This grouping is a good idea so that, if a rule is causing some issues, you directly know that this rule was imported by using the package. Yes, rules for application suites or "types" (e.g. browsers, which would be quite easy to make) would also be useful, but I think basic system rules are the first step.

> The difficulty in sharing firewall rules is that the application path varies (drive letter, 32 vs 64 bit etc.). We may need multiple versions of configurations. Alternatively, searching and replacing the application path in a word processor prior to using the configuration snippet may be optimal if a different installation directory is used.

Yes, that's why we had to make different packages for every OS and different packages for x64/x86 systems. For system rules this may be enough. If you create rules for applications then you surely don't want to create a new rule pack for every OS where the application can run, but maybe we can use environment variables in the rules, so that they will fit any system. (We could at least change this when we export the configuration, so that we replace the static paths with environment variables there.) Of course if you install an application under a customized path (so you don't use the default path) you will have to adjust the rules too.

Edited December 23, 2014 by rugk
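As an added example (not ESET's code or any poster's), here is how the three clean-up steps discussed in this thread could be scripted in Python: unifying rules that differ only in remote port/IP for the same program, swapping static paths for environment variables so a pack fits any drive letter, and applying the "System_Win6.3_x64_v001" prefix. The rule dict shape, the PATH_TO_ENV table and the sample rules are constructed stand-ins, not ESET's XML export schema; a real export would be parsed into this shape first.

```python
from collections import defaultdict

# Assumed rule shape (constructed): one dict per learning-mode rule.
# ESET's real XML export differs; parse it into this shape first.
RULE_PACK_PREFIX = "System_Win6.3_x64_v001"

# Static prefixes swapped for environment variables so the pack fits any
# drive letter; longer prefixes are listed first so they win.
PATH_TO_ENV = [
    ("C:\\Windows\\System32\\", "%SystemRoot%\\System32\\"),
    ("C:\\Windows\\", "%SystemRoot%\\"),
    ("C:\\Program Files (x86)\\", "%ProgramFiles(x86)%\\"),
    ("C:\\Program Files\\", "%ProgramFiles%\\"),
]

def normalize_path(path):
    """Replace a known static prefix (case-insensitively) with its variable."""
    for static, env in PATH_TO_ENV:
        if path.lower().startswith(static.lower()):
            return env + path[len(static):]
    return path

def unify_rules(rules):
    """Merge rules that differ only in remote port/IP into one rule per
    (app, direction, protocol, action) and name it with the pack prefix."""
    groups = defaultdict(lambda: {"ports": set(), "ips": set()})
    for r in rules:
        key = (normalize_path(r["app"]), r["direction"], r["protocol"], r["action"])
        groups[key]["ports"].add(r["remote_port"])
        groups[key]["ips"].add(r["remote_ip"])
    merged = []
    for (app, direction, proto, action), g in sorted(groups.items()):
        exe = app.rsplit("\\", 1)[-1]
        merged.append({
            "name": f"{RULE_PACK_PREFIX}_{direction}_{exe}",
            "app": app, "direction": direction, "protocol": proto, "action": action,
            "remote_ports": sorted(g["ports"]), "remote_ips": sorted(g["ips"]),
        })
    return merged

# Constructed sample modelled on the spoolsv.exe example in the thread
# (documentation-range IPs, since the thread's addresses were illustrative).
SAMPLE_RULES = [
    {"app": "C:\\Windows\\System32\\spoolsv.exe", "direction": "out", "protocol": "TCP",
     "action": "allow", "remote_port": 1234, "remote_ip": "192.0.2.10"},
    {"app": "C:\\Windows\\System32\\spoolsv.exe", "direction": "out", "protocol": "TCP",
     "action": "allow", "remote_port": 4321, "remote_ip": "198.51.100.7"},
    {"app": "C:\\Windows\\System32\\svchost.exe", "direction": "out", "protocol": "TCP",
     "action": "allow", "remote_port": 443, "remote_ip": "192.0.2.20"},
]
```

Running `unify_rules(SAMPLE_RULES)` collapses the two spoolsv.exe rules into one with both ports and both addresses, while the svchost.exe rule stays separate.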
Mike from Texas 0 Posted August 5, 2015

Hey guys,

There's a lot bigger and more dangerous breach in your PRIVACY security than this ..... Windows 10 (and Windows 8.1). All of the Win 10 apps spy on you and send your actual personal data, emails, music played, web PAGES viewed, programs that are and will be installed, MS Office actual document files in Word, Excel, Outlook, anything you do in Cortana, OneDrive, OneNote, Calendar, Microsoft Apps, Groove Music, Xbox, Edge, FTP App, Microsoft Account, etc, etc, etc !!!

I installed it on my Dell XPS 8700, and wondered why I had soooooo many Microsoft connections in my firewall access list. I did a search on Start Page and found these (among many others):

hxxp://www.rockpapershotgun.com/2015/07/30/windows-10-privacy-settings/
hxxp://www.techtimes.com/articles/73725/20150802/windows-10-spies-on-you-by-default-heres-how-to-opt-out.htm

Just search for "Windows 10 spy" in your favorite search engine (hopefully not Bing). It'll FLOOR you. Evidently Microsoft is using WINDOWS 10 as a huge personal data collector that they keep and sell to advertisers and other companies. Not just Edge, but all of Windows 10 (and Windows 8.1) !!! No wonder they were so happy to give it away free - it will generate more cash and profits for Microsoft than if you had to pay for it. It is (according to CNN) Microsoft's new revenue train.

It's safest to turn off all of these apps, turn off your Microsoft Account, and permanently block all of your Microsoft connections in your firewall EXCEPT Windows Update. Boy, forget about the other stuff for now and get Microsoft out of your personal stuff right now. You need to fix this F-ing mess fast.

Here's to fast machines and easy living.
Mike From Texas