Add (or block) several applications at once with Eset Firewall



Hello, 

Is there a way to add several applications at once to Eset Firewall rules?

Some programs use a lot of different processes, I'd like to block all of them at once. Creating a rule for each process is time-consuming. Is there at least a way to block all applications within a folder?

Thank you!

(NB: this captcha is not so intuitive...)

  • Administrators

This is not possible unless more executables are signed by the same signer. You could then create a firewall rule based on the signer instead of a full path to the application.

  • 2 weeks later...

Thank you for your answer.

I've just tried blocking applications using the application signature.

In my case, the digital signature of those many applications is a long name: "Beijing Sogou Technology Development Co., Ltd.". I have copy-pasted this signature name in the firewall rules, blocking both directions, TCP & UDP, and asked Eset to warn me when applications with this signature are blocked. But Eset fails to block anything. Could you check on your side whether the method for blocking apps according to digital signature is effective? Is it because the name is too long? Would it be possible to use only one word (i.e. "Beijing" or "Sogou") instead of the whole signature name?

Thank you.


Verify the "Apply to child processes" setting is enabled in the firewall rule. It is possible the main app is spawning a child process to perform network communication.

  • Administrators
1 hour ago, Guest Zozo said:

I have copy-pasted this signature name in the firewall rules, blocking both direction,

That doesn't make sense. If you want to create a rule for an application signer, you must select the application and the option "Signed by a specific signer":

[screenshot: firewall rule dialog with "Signed by a specific signer" selected]

25 minutes ago, Marcos said:

If you want to create a rule for an application signer, you must select the application and the option "Signed by a specific signer":

You might want to clarify this statement further;

On 8/11/2023 at 3:08 PM, Marcos said:

This is not possible unless more executables are signed by the same signer. You could then create a firewall rule based on the signer instead of a full path to the application.

I interpreted this to mean no app with path specification is required when using publisher criteria.

Edited by itman
2 hours ago, itman said:

Verify the "Apply to child processes" setting is enabled in the firewall rule. It is possible the main app is spawning a child process to perform network communication.

Yes, it's checked! Thank you.

2 hours ago, Marcos said:

That doesn't make sense. If you want to create a rule for an application signer, you must select the application and the option "Signed by a specific signer":

[screenshot]

I've done that using one application, but I can see that other modules (mini applications bulked with the same software, having the same signature) can always access the internet.

And thank you both for your help and advice!

13 minutes ago, Guest Zozo said:

I can see that other modules (mini applications bulked with the same software, having the same signature) can always access the internet.

What do you mean by "mini-apps"? If they are not .exe's, there is no way to create a firewall rule for them per @Marcos' statement.

7 minutes ago, itman said:

What do you mean by "mini-apps"? If they are not .exe's, there is no way to create a firewall rule for them per @Marcos' statement.

There are a lot of .exe process within the install folder.

It's a Chinese IME (input method), very convenient, but it comes with many intrusive tools (.exe) that incessantly connect to the internet when you type English words, use emoticons, update, save user preferences etc., and these processes are checking everything you type... So I want to use it "offline", blocking all network activity, since it's very convenient for typing in Chinese.

20 hours ago, Guest Zozo said:

In my case, the digital signature of those many applications is a long name: "Beijing Sogou Technology Development Co., Ltd.". I have copy-pasted this signature name in the firewall rules

I have discovered part of the issue.

Publisher name is not always the same as the company name shown in the cert. of a signed .exe. Publisher name is shown by mouse hovering over the .exe which will show a Company name. That is the Publisher name that must be used. Also, not all .exe's are signed.

For example, I use an old Seagate hard drive utility. Its .exe is signed and its cert. shows a company name of Seagate Technology LLC. However when I mouse hover over the .exe, the company name shown is Seagate Technology.

[screenshot: Eset_Seagate.png]

Therefore, the name to be entered in the Publisher name of an Eset firewall rule is Seagate Technology. To further show the issue with Publisher names, there's an unsigned uninstaller in the same associated directory. Its publisher company name shows as Seagate Technology LLC.

Therefore the question is how specific is Eset's matching of the Publisher name in a firewall rule to the .exe's actual publisher name? All software I have used in the past that has Trusted Publisher detection capability always provided a list of Publishers to select from, with the capability to add new ones as needed.

Edited by itman
  • Administrators

The name of signer populates automatically when you browse for the application in the application path field. I don't recommend entering the signer manually as it must 100% match the signer of the file.

12 minutes ago, Marcos said:

The name of signer populates automatically when you browse for the application in the application path field

A further test shows that this is correct and Eset firewall Publisher setting only applies to signed .exe's. Therefore it's referring to cert. Company name.

In other words, the firewall rule field is for code signed publishers only.


Thank you for all these details and explanation.

However, in my case, when I look at the app properties, I see this (and I am not sure which one is to be blocked):

[screenshot: Clipboard-1.jpg]


When letting Eset selecting the signature/publisher, it finds this:


[screenshot: 2023-08-28-04-27-45.png]


But ESET fails to block any exe process using this signature ( "Beijing Sogou Technology Development Co., Ltd.").

3 hours ago, Guest Zozo said:

However, in my case, when I look the app properties, I see this (and I am not sure which one is too be blocked):

Err ........ none of your screen shots are shown.

Edited by itman
3 hours ago, Marcos said:

I've tried it with the Mozilla signer and it worked

I just duplicated your rule and it didn't prevent Firefox from establishing Internet connectivity;

[screenshot: Eset_Mozilla.png]

-EDIT- It works! I forgot to enable child processes in the rule. I'll be damned...

Edited by itman
18 hours ago, Guest Zozo said:

However, in my case, when I look the app properties, I see this (and I am not sure which one is too be blocked

When you create the firewall rule, do so for an existing signed app. The Publisher info should be auto-copied into the rule. Now delete the data shown in the Application path field and save the rule. Finally, edit the rule again and verify nothing is shown in the Application path field. Also verify this rule precedes, in the Eset firewall rule set, any other existing rules you created for Beijing Sogou Technology Development apps; better yet, temporarily disable those rules. Now test.

Note and important - if there are .exe's for apps you're using from Beijing Sogou Technology Development that are not signed, this Publisher-based rule will not stop them from connecting to the Internet. You will have to create individual path-based rules for those apps.

-EDIT- If after creating the Publisher firewall rule as noted above the apps can still establish Internet connectivity, the following may be the cause;

1. Not all the apps are being signed using the same cert. as the app you used to create the Publisher-based firewall rule. That is, the Publisher name used on those apps is different from the one specified in the firewall rule you created. In this case, a unique firewall rule would have to be created for each different Publisher name.

2. Internet connectivity for these Beijing Sogou Technology Development apps is being established by means other than by the app .exe itself; i.e. hidden proxy connection, etc.. In this case, you would have to use something like Wireshark to determine what is actually performing Internet connectivity.

Edited by itman
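An added example, not from the thread and not ESET's own tooling, that turns two points above into a check you can run before building rules: itman's observation that the Company name shown in the .exe Properties is not necessarily the certificate subject name, and the two failure causes listed in this post (several different signers, and unsigned .exe files that a signer rule can never match). It is a PowerShell script; the two install folders are assumptions and must be replaced with the real Sogou locations on your machine.

```powershell
# Added example (not from the thread, not ESET code): inventory every .exe under
# the install folders, compare the "Company" shown in file Properties with the
# certificate subject of the Authenticode signature, and group files by signer.
# The folder paths are assumptions; point them at the real install locations.
$Folders = @(
    "${env:ProgramFiles(x86)}\SogouInput",
    "$env:LOCALAPPDATA\SogouInput"
)

$Inventory = foreach ($Folder in $Folders) {
    if (-not (Test-Path -LiteralPath $Folder)) { continue }
    Get-ChildItem -LiteralPath $Folder -Recurse -Filter *.exe -File | ForEach-Object {
        $Sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        # Subject CN of the signing certificate; this is the name a "Signed by a
        # specific signer" rule has to match exactly.
        $SignerCN = $null
        if ($Sig.SignerCertificate) {
            $SignerCN = $Sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        }
        [pscustomobject]@{
            Path        = $_.FullName
            CompanyName = $_.VersionInfo.CompanyName   # what the Properties hover shows
            SigStatus   = $Sig.Status                  # Valid, NotSigned, HashMismatch, ...
            SignerCN    = $SignerCN
        }
    }
}

# Distinct signers with a valid signature: each one needs its own signer rule.
"Signers found (one signer-based rule per line):"
$Inventory | Where-Object { $_.SigStatus -eq 'Valid' } |
    Group-Object SignerCN | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Files where the Properties "Company" differs from the certificate subject,
# the mismatch itman describes with "Seagate Technology" vs "Seagate Technology LLC".
"Company name in Properties differs from certificate subject:"
$Inventory | Where-Object { $_.SigStatus -eq 'Valid' -and $_.CompanyName -ne $_.SignerCN } |
    Format-Table Path, CompanyName, SignerCN -AutoSize

# Unsigned or invalidly signed files: a signer rule will never match these,
# so they need individual path-based rules.
"Unsigned or invalidly signed (need per-path rules):"
$Inventory | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Path, CompanyName, SigStatus -AutoSize
```

Run it in a normal (non-elevated) PowerShell window; it only reads files. A HashMismatch status means the file was modified after it was signed, which is worth treating the same way as an unsigned file when deciding what to block.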
  • 2 weeks later...

Hi There!

Sorry for the late reply, I was travelling and could not see your last posts earlier.

I apologize for the screenshots, I don't know why they did not load, that's a well known website for uploading pictures...

Just wanted to show in the interface: blocking the signature of an .exe signed by "Beijing Sogou Technology Development" does not block all the other .exe's with the same signature (and in the same folder...) from accessing the internet. Settings in the screenshot below (sorry, my Eset is in French):

[screenshot: 2023-09-07-20-45-33.png]


What I've done, finally: I blocked all the .exe, one by one, in Eset Firewall settings. I did not find a better way.

But thank you very much for all the explanation above, I appreciate your help.

Previously I also tried enabling child processes in the rule, but I did not see any change, and I am not sure that the other processes are really "child processes", since this Chinese input method comes with a bunch of .exe's in 2 or 3 different folders... Below is a preview of (part of) the processes I've blocked...

[screenshot: 2023-09-07-20-53-42.png]

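An added example, not from the thread and not ESET's own tooling, for the question left open in this post: whether the processes that keep connecting are really children of the .exe you blocked, or independent processes that need their own rule. It is the lightweight alternative to the packet capture itman suggested earlier: a PowerShell snapshot of established TCP connections, each mapped to the owning process and its parent. The `$Filter` string is an assumption; set it to the vendor or folder you are watching.

```powershell
# Added example (not from the thread, not ESET code): list established TCP
# connections and show, for each, the owning process and its parent process,
# so you can tell child processes from independent ones.
# The filter pattern is an assumption; adjust it to the vendor or folder name.
$Filter = 'Sogou'

# PID -> (name, path, parent PID) table; Win32_Process exposes ParentProcessId.
$ProcTable = @{}
Get-CimInstance Win32_Process | ForEach-Object {
    $ProcTable[[int]$_.ProcessId] = [pscustomobject]@{
        Name      = $_.Name
        Path      = $_.ExecutablePath   # $null for some system processes
        ParentPid = [int]$_.ParentProcessId
    }
}

Get-NetTCPConnection -State Established, SynSent | ForEach-Object {
    $Proc   = $ProcTable[[int]$_.OwningProcess]
    $Parent = if ($Proc) { $ProcTable[$Proc.ParentPid] } else { $null }
    [pscustomobject]@{
        Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        State     = $_.State
        Pid       = $_.OwningProcess
        Process   = $Proc.Path
        ParentPid = $Proc.ParentPid
        Parent    = $Parent.Path        # $null if the parent has already exited
    }
} |
    # Keep rows where either the process or its parent matches the filter.
    Where-Object { "$($_.Process) $($_.Parent)" -match $Filter } |
    Sort-Object Process |
    Format-Table Remote, State, Pid, Process, ParentPid, Parent -AutoSize
```

Two caveats: this is a point-in-time snapshot, so short-lived connections (an update check that finishes in a second) may never show up; run it in a loop or fall back to a packet capture for those. Also, a `Parent` of `$null` usually means the parent exited, for instance an installer or launcher that started the process and quit, in which case the "Apply to child processes" option on the launcher's rule will not help and the process needs a rule of its own. UDP endpoints can be listed with `Get-NetUDPEndpoint`, but without a remote address.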
1 hour ago, Guest Zozo said:

Just wanted to show in the interface : blocking the signature of an .exe signed by "Beijing Sogou Technology Development " does not block all the other .exe with the same signature (and in the same folder...) to access internet. Settings in the screenshot below (sorry my Eset is in French):

Looks like you didn't follow the instructions I posted in my August 27 dated reply. I specifically stated that after creating a firewall rule for a specific Beijing Sogou Technology Development app, you manually remove the .exe data from the firewall rule; i.e. the field is now blank, prior to saving the rule;

[screenshot: Eset_Sig.png]

Once this rule is created, it should block all outbound network traffic for any app that is signed by Beijing Sogou Technology Development.

Edited by itman
Quote

Looks like you didn't follow the instructions I posted in my August 27 dated reply. I specifically stated that after creating a firewall rule for a specific Beijing Sogou Technology Development app, you manually remove the .exe data from the firewall rule; i.e. the field is now blank, prior to saving the rule;

Oops, my bad!

But I did it now, as you can see on the following screenshots (also enabled "Child processes"):

[screenshot: 2023-09-08-23-11-25.png]

[screenshot: 2023-09-08-23-11-01.png]

But then, I can see that most .exe with the same signature can connect to internet... So it does not seem to work. 


  • Administrators

Please keep in mind that the Quick questions forum is not intended for longer discussions on a subject. It should be basically question - answer and that's it. Otherwise I encourage you to sign up and ask in the appropriate product forum.

When posting screenshots, the best would be to temporarily install English version of your ESET product and also use English in rule names, etc. The above screenshot does not tell me anything since I don't speak Chinese.

6 hours ago, Guest Zozo said:

But then, I can see that most .exe with the same signature can connect to internet... So it does not seem to work. 

My suspicion here is there is something not right with the certificate this app is using to sign its .exe's. Chinese developers are great at using hacked certs. and the like.

Below is an example of how svchost.exe is signed;

[screenshot: Eset_Cert.png]

Using one of these app .exe's you know the Eset firewall rule is not blocking; for example, SGMyInput.exe, access its Properties details. Post a screen shot showing Digital Signature and Certificate details of this .exe as I did for svchost.exe.

Finally, compare the Signer name shown in the Digital Signature Details > Signer Information for the .exe to the Name of signer shown in the respective Eset firewall rule you created. The names should exactly match each other.

Edited by itman

Well, I have one explanation as to why Eset firewall is not blocking the app associated with SGMyInput.exe. It's loaded with malware: https://any.run/report/0f41320c168d1755a34f788304b981f5af8f15be66e8774f0050356db2c2b455/d40f5fb9-5dcd-4d1e-92ed-a1f79fb4a019.

Full analysis here: https://app.any.run/tasks/d40f5fb9-5dcd-4d1e-92ed-a1f79fb4a019/

SGMyInput.exe and many other .exe's are also performing certificate manipulation activities.

Did Eset real-time protection detect any of these malicious processes?

Edited by itman

As a follow up to my last posting, it appears there are a number of hacked versions of this software.

The official vendor's web site is here: http://pinyin.sogou.com/ . Of note is there is no like https web site.

In any case, there is a serious vulnerability in this software for all versions except the most current: https://citizenlab.ca/2023/08/vulnerabilities-in-sogou-keyboard-encryption/ .


Hi Itman!

I really appreciate your help and all your detailed messages. Many many thanks!

Thank you for the warning about Sogou vulnerability and for recommending the Any.Run website, I did not know this tool, and its analyses seem more convincing than many antivirus since it detects suspicious activities, not only "virus".

Most antivirus won't detect any virus in Sogou IME (I did carefully install it from the official website), and if I am trying to block it with Eset Firewall it's not because I am afraid of a virus, I am more afraid of the Sogou vulnerability and poor privacy policy. The software is very intrusive, it intercepts anything you type on your computer, then it wants to upload the data to the cloud. However, Sogou IME is one of the most convenient input methods (and other IMEs also have vulnerabilities and privacy concerns...), so the best solution I found for now is to use it, but to block all its network activity, including updates!

Chinese software companies do not care much about privacy and most Chinese IT companies are more or less (usually more than less) affiliated with the government, so many popular programs may contain "back doors". And, apart from official software concerns, the Chinese web is full of non-official versions of many software packages that come with modified .exe's, installers, bloated programs etc... you're right.

Coming back to Eset Firewall & Sogou, since I am not fully sure that signature blocking works, I've finally blocked all the .exe's of the program (the Any.Run website is impressive since it lists them all!). I would have preferred an easier way to block the main program and all its children, services etc... (but I am not even sure which one is the main program!). I'll try to export the firewall rules to save some time if I must reinstall Eset one day.

Again, thank you very much for your kind support.

This topic is now closed to further replies.