Firewall rules and Application Modification Detection

Hello all, I have two questions:

1) How do I get a firewall rule to the top of the list when I have multiple pages?

2) Does the exception list for Application Modification Detection require an explicit path to an application, or can a folder or application name without a path be used? It accepts them as an entry, but I'm not sure if they are functioning or not.

Any help would be appreciated

Thanks


  • Administrators

1, Selecting a rule and clicking the first double-arrow button should do it.

2, Since firewall rules require an explicit path to particular applications, the same should apply to exceptions for application modification detection.


12 hours ago, j_mo said:

2) Does the exception list for Application Modification Detection require an explicit path to an application, or can a folder or application name without a path be used? It accepts them as an entry, but I'm not sure if they are functioning or not.

Application Modification Detection only works if the firewall is set to Interactive mode. As such, no need to add exceptions to it unless the firewall is set to this mode.


  • Administrators
44 minutes ago, itman said:

Application Modification Detection only works if the firewall is set to Interactive mode. As such, no need to add exceptions to it unless the firewall is set to this mode.

Not really. For the feature to work it's necessary to have a permissive rule for an application which can be created in automatic mode as well.


48 minutes ago, Marcos said:

For the feature to work it's necessary to have a permissive rule for an application which can be created in automatic mode as well.

I also believe this doesn't work right in Automatic mode.

The only time I have seen it trigger is in regards to explorer.exe. I have firewall rules that monitor, in Ask mode, any outbound communication from it. Every once in a while, I get an Application Modification detection alert after my firewall Ask rule has triggered. Believe this occurs when I manually allow the outbound traffic. I really could never figure out why that Application Modification alert appears. This certainly isn't because the explorer.exe rule is a "permissive" rule.


1 hour ago, itman said:

Application Modification Detection only works if the firewall is set to Interactive mode. As such, no need to add exceptions to it unless the firewall is set to this mode.

I do use Interactive mode, that's why I'm trying to prevent having to make new rules every time I update a UWP application and the folder name changes to a new version


9 hours ago, Marcos said:

1, Selecting a rule and clicking the first double-arrow button should do it.

2, Since firewall rules require an explicit path to particular applications, the same should apply to exceptions for application modification detection.

The double arrow only moves it to the top of the page and not to the top of the list.


14 minutes ago, Marcos said:

It can be reproduced easily by creating a permissive rule for firefox.exe and then editing the executable:

The only time it appears for explorer.exe is when I am verifying a cert. for an .exe and explorer.exe has to connect w/Microsoft servers to download cert. data. This certainly would not cause explorer.exe to be modified in any way.


Well I just confirmed that listing an executable by itself does not work...why doesn't the UI throw an error for invalid entries??


7 minutes ago, j_mo said:

I do use Interactive mode, that's why I'm trying to prevent having to make new rules every time I update a UWP application and the folder name changes to a new version

Do you have the Application Modification setting of "Allow modification of signed (trusted) applications" enabled? On the other hand, the UWP app might not be signed.


6 minutes ago, j_mo said:

Well I just confirmed that listing an executable by itself does not work...why doesn't the UI throw an error for invalid entries??

Show the full path name for the .exe Application Modification is throwing an alert on.


The following confirms my suspicion of what is occurring in firewall Automatic mode in regards to Application Modification detection:

Here's a firewall rule alert for explorer.exe for cert. data download on Aug. 3:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
8/3/2020 8:53:01 AM;Decision on allowing communication delegated to user;Delegated to user;192.168.1.XX:58387;72.21.91.29:80;TCP;Block outgoing explorer.exe x(64) communication;C:\Windows\explorer.exe;9BF023766E369E6F6DE45F0C349749E6FC8ABDAC;

Here's a firewall rule alert for explorer.exe for cert. data download on Aug. 21:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
8/21/2020 4:52:25 PM;Decision on allowing communication delegated to user;Delegated to user;192.168.1.XX:52248;23.60.139.27:80;TCP;Block outgoing explorer.exe x(64) communication;C:\Windows\explorer.exe;2537CD23F1FDA7FAA881D16C2636A119EAE0E80C;

An Application Modification detection alert was also generated for the Aug. 21 firewall activity. Notice that the hash value for explorer.exe has changed, most likely due to the Win 10 Aug. cumulative update. What is going on here is that Application Modification is detecting any file size change, apparently since the last time the firewall rule referencing it was triggered, not that explorer.exe has been modified "on the fly" by some external process. This type of Application Modification detection behavior makes absolutely no sense to me.

Edited by itman
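To check itman's reading of the log above (same application path, different SHA1 between two firewall events), here is an added Python example that is not from the thread or from ESET: it parses the semicolon-delimited export format quoted in the post and reports, per application, every hash change between consecutive firewall events. The column names come from the quoted header; the sample rows are the two lines quoted above, and the time format is assumed to match them.

```python
import csv
from io import StringIO
from datetime import datetime

# Constructed sample built from the two log lines quoted in the post
# (semicolon-delimited ESET firewall log export, header taken from the post).
SAMPLE_LOG = r"""Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
8/3/2020 8:53:01 AM;Decision on allowing communication delegated to user;Delegated to user;192.168.1.XX:58387;72.21.91.29:80;TCP;Block outgoing explorer.exe x(64) communication;C:\Windows\explorer.exe;9BF023766E369E6F6DE45F0C349749E6FC8ABDAC;
8/21/2020 4:52:25 PM;Decision on allowing communication delegated to user;Delegated to user;192.168.1.XX:52248;23.60.139.27:80;TCP;Block outgoing explorer.exe x(64) communication;C:\Windows\explorer.exe;2537CD23F1FDA7FAA881D16C2636A119EAE0E80C;
"""

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumed; matches "8/3/2020 8:53:01 AM"


def parse_log(text):
    """Parse the export into a list of dicts, oldest event first."""
    rows = list(csv.DictReader(StringIO(text), delimiter=";"))
    rows.sort(key=lambda r: datetime.strptime(r["Time"], TIME_FORMAT))
    return rows


def find_hash_changes(rows):
    """Return one record per application whose SHA1 differs between two
    consecutive firewall events for the same path. That is the condition
    under which the post observes an Application Modification alert, so each
    record is something to reconcile against known patching (for example a
    cumulative update) before treating it as tampering."""
    last_seen = {}  # application path -> (time, sha1)
    changes = []
    for r in rows:
        app, sha1 = r["Application"], r["SHA1"].upper()
        if app in last_seen and last_seen[app][1] != sha1:
            changes.append({
                "application": app,
                "previous_time": last_seen[app][0],
                "previous_sha1": last_seen[app][1],
                "current_time": r["Time"],
                "current_sha1": sha1,
            })
        last_seen[app] = (r["Time"], sha1)
    return changes


if __name__ == "__main__":
    for c in find_hash_changes(parse_log(SAMPLE_LOG)):
        print(f"{c['application']}: {c['previous_sha1']} ({c['previous_time']}) "
              f"-> {c['current_sha1']} ({c['current_time']})")
```

Run against a full export, the same function also flags a path whose hash changes without any update having been installed, which is the case worth investigating.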

3 hours ago, itman said:

The following confirms my suspicion of what is occurring in firewall Automatic mode in regards to Application Modification detection:

Here's a firewall rule alert for explorer.exe for cert. data download on Aug. 3:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
8/3/2020 8:53:01 AM;Decision on allowing communication delegated to user;Delegated to user;192.168.1.XX:58387;72.21.91.29:80;TCP;Block outgoing explorer.exe x(64) communication;C:\Windows\explorer.exe;9BF023766E369E6F6DE45F0C349749E6FC8ABDAC;

Here's a firewall rule alert for explorer.exe for cert. data download on Aug. 21:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
8/21/2020 4:52:25 PM;Decision on allowing communication delegated to user;Delegated to user;192.168.1.XX:52248;23.60.139.27:80;TCP;Block outgoing explorer.exe x(64) communication;C:\Windows\explorer.exe;2537CD23F1FDA7FAA881D16C2636A119EAE0E80C;

An Application Modification detection alert was also generated for the Aug. 21 firewall activity. Notice that the hash value for explorer.exe has changed, most likely due to the Win 10 Aug. cumulative update. What is going on here is that Application Modification is detecting any file size change, apparently since the last time the firewall rule referencing it was triggered, not that explorer.exe has been modified "on the fly" by some external process. This type of Application Modification detection behavior makes absolutely no sense to me.

So then it is completely useless for UWP apps....


So there really is no way to move a firewall rule up to a previous page...incredible.

Edited by j_mo

11 hours ago, j_mo said:

So there really is no way to move a firewall rule up to a previous page...incredible.

The "arrow" options allow for moving a rule to top or bottom of existing rule set. Or to move a rule up or down in the rule set, one rule at a time.

Yes, it is a royal pain in the butt when you want to position a rule for example in the middle of a large existing rule set.


On 8/27/2020 at 8:32 AM, itman said:

The "arrow" options allow for moving a rule to top or bottom of existing rule set. Or to move a rule up or down in the rule set, one rule at a time.

Yes, it is a royal pain in the butt when you want to position a rule for example in the middle of a large existing rule set.

Do you understand that I mean a ruleset large enough to extend over multiple pages? If a rule is on the last page, you can move it to the top, but it's stuck there. There's no way to move it further up the list to a previous page. This makes it impossible to put newly created rules at the highest priority. Why the list is broken up into pages anyway, and not just one scrollable list like most other firewalls, is beyond me.


5 minutes ago, j_mo said:

Do you understand that I mean a ruleset large enough to extend over multiple pages? If a rule is on the last page, you can move it to the top, but it's stuck there.

I have firewall rules that extend over multiple pages. I have no problem with a rule moved to the top of the rule set and then using the arrow key to move the rule downward in the rule set; or upwards from the bottom of the rule set for that matter.


13 minutes ago, j_mo said:

Why the list is broken up into pages anyway, and not just one scrollable list like most other firewalls, is beyond me.

Really don't know what you mean here. The firewall rule set is scrollable via use of the scroll bar located on the right hand side of the display:

[screenshot: Eset_Scroll.png]


  • Administrators

If there are too many rules, paging gets enabled according to what the OP wrote. Honestly I've never seen a user's config with hundreds of fw rules. However, I personally have hundreds of rules created in HIPS and I agree that moving rules there doesn't work ideally (let alone the fact that unlike in the fw the order of rules in HIPS doesn't matter).


8 hours ago, Marcos said:

If there are too many rules, paging gets enabled according to what the OP wrote. Honestly I've never seen a user's config with hundreds of fw rules. However, I personally have hundreds of rules created in HIPS and I agree that moving rules there doesn't work ideally (let alone the fact that unlike in the fw the order of rules in HIPS doesn't matter).

The solution to this would be a technique used in some program code editors.

Both the Eset firewall and HIPS rules section could allow for existing rule highlighting to be used as a "place marker." When an existing rule is highlighted and a new rule is manually added, the new rule will be placed after where the highlighted rule exists; at least as far as the firewall is concerned.

Ideally, a place marker column should be added to the front of the firewall rule set. Mouse clicking on a place marker for a given rule would place a checkmark, whatever, in that column space. Pressing the existing up double arrow symbol would place the added rule at the bottom of the rule set above the check marked rule. Likewise, pressing the down double arrow symbol would place the added rule after the check marked rule.

As far as HIPS rules go, rule placement overall is immaterial since allow rules are always executed prior to ask or block rules. For the HIPS, again a place marker column should be added. However, it would have additional capability. It would use alpha characters to indicate rule repositioning. For example, use the "M" character to indicate the rule to be moved and the "A" and "B" characters to indicate whether the rule to be moved should be placed after or before. Successive and contiguous entry of "M" flagged rules would allow for a block of existing rules to be moved. Also, this technique would be preferable for firewall rule movement over what I previously suggested.


This topic is now closed to further replies.