locked
Live OneCare and SoftGrid 4.5 beta RRS feed

  • Question

  • Hello

     

    I don't know exactly where to post my question. The problem is related to SoftGrid AND OneCare, but the main problem seems to be the built-in firewall of Live OneCare.

     

    Today I've done some tests with the Application Virtualization (SoftGrid) 4.5 beta. I have sequenced the application FeedDemon which allows to read RSS feeds. This application of course needs internet access. Now I'm starting this sequenced applicatio on a XP client with Live OneCare 2.0 installed. The first time FeedDemon tries to connect to the internet, the OneCare firewall asks to allow this access and I accept.

     

    The problem is, that altough I have granted access to the internet, FeedDemon is unable to retrieve any RSS feeds. If I go to the advanced settings of the OneCare firewall, FeedDemon is not listed as a granted application and I cannot manually add this application, because the access to the Q: drive (from SoftGrid) is denied for the user.

     

    And exactly this permission problem seems to generate my problem with the internet access from sequenced appications. As soon as I disable the OneCare firewall, everything works fine.

     

    This tests were done on a fully patched XP client AND on a fully patech Vista client and of course I have tested other application too.

     

    Does anyone have an idea how to solve this problem?

     

    Thanks for any comment and help.

    Rene

    Tuesday, February 19, 2008 8:42 AM

Answers

  • Hello Rene,

     

    The root of the problem here appears to be the permissions issue with the Q: drive.  Specifically, you mention "...I cannot manually add this application, because the access to the Q: drive (from SoftGrid) is denied for the user."

     

    The OneCare firewall uses hash technology to store information on specific binaries that have been allowed/blocked.  This requires us to access the binary location each time it is launched (which I'm guessing is being blocked due to the permissions issue).  We do this as an extra security measure to ensure binaries have not been tampered with.

     

    I don't know exactly how the Zone Alarm firewall stores binary information, however, I'm guessing (by your results) that it uses a path based solution.  Utilizing information offered by the operating system, applications are able to determine the path of a binary that is being launched (which I'm guessing Zone Alarm compares to their list of known "good" paths).  Thus, their solution would work in this scenario.

     

    Let me know if you have any additional questions, comments, etc.

     

    Thanks,

    Scott

    OneCare Firewall PM

    Monday, February 25, 2008 11:51 PM

All replies

  • I have no experience with SoftGrid, but having a quick look at the information about what it is and how it works, I don't know if it can work with the OneCare firewall.

    As a point of reference, OneCare v2 finally recognizes if the PC is configured with Dynamic partitions and, if found, it won't install. The reason for this is that OneCare recognizes applications based on identifying characteristics about the program, including the footprint of the program. Since SoftGrid actually virtualizes the application environment, the actual code is "rebuilt" for the client application, it would seem (based on my limited scan of the documentation I saw...). If this is the case, the program can never be identified permanently to the firewall. The OneCare firewall blocks outright and then asks for permission. Once the block has occurred, and after you allow the traffic, the allowed program needs to request access again and be recognized. It doesn't seem that an application running in the SoftGrid environment is going to work this way since it is virtualized to the client PC.

    All of the above is speculation on my part. I'm going to ping the Firewall Program Manager to have a look at this thread. My recommendation is to check with support for SoftGrid as there may be documentation on firewall issues and how to overcome them, if possible. I would suspect that OneCare support will not know anything about SoftGrid...

    -steve

    Tuesday, February 19, 2008 1:25 PM
    Moderator
  • Hi Steve

     

    Thank you for your anwer. As you wrote, you believe that the virtualized application does not request access to the internet again.

     

    I know we're not talking about other client security solutions in this forum, but I did just a quick test on the same computer with ZoneAlarm. All the virtualized application work correctly with the ZoneAlarm firewall installed.

     

    ZA doesn't recognize the correct name or the correct executable of the virtualized application, but it shows me a message that a program is requesting access to the internet and I can successfully grant this permission.

     

    If I grant this access for only one time in ZA, close the virtualized application and reopen it, ZA shows me the same message again and already knows, that the application already was granted the access right before.

     

    The OneCare firewall does only show the message for the first time, after closing and reopening the virtualized application it doesn't even seem to notice that FeedDemon is requesting access to the internet.

     

    I would be glad to hear anything about this issue from you or maybe from the Firewall Program Manager. I have already setup a case on the OneCare support, but as you have already written, I'm not sure if they'll be able to help me.

     

    It's a pity that two great technologies from Microsoft cannot be used on the same computer at the moment...

     

    Rene

    Tuesday, February 19, 2008 2:04 PM
  • Yes, I think that the problem is the way that OneCare identifies the applications allowed or blocked. Since the app is virtualized, OneCare sees it as a new app every time it requests access. Even after allowing it, having the app resend the call for network access will fail since it is new app as far as OneCare is concerned. Again, that's my guess.

    I'll await an official answer from the Firewall PM.

    -steve

     

    Tuesday, February 19, 2008 3:04 PM
    Moderator
  • Hello Rene,

     

    The root of the problem here appears to be the permissions issue with the Q: drive.  Specifically, you mention "...I cannot manually add this application, because the access to the Q: drive (from SoftGrid) is denied for the user."

     

    The OneCare firewall uses hash technology to store information on specific binaries that have been allowed/blocked.  This requires us to access the binary location each time it is launched (which I'm guessing is being blocked due to the permissions issue).  We do this as an extra security measure to ensure binaries have not been tampered with.

     

    I don't know exactly how the Zone Alarm firewall stores binary information, however, I'm guessing (by your results) that it uses a path based solution.  Utilizing information offered by the operating system, applications are able to determine the path of a binary that is being launched (which I'm guessing Zone Alarm compares to their list of known "good" paths).  Thus, their solution would work in this scenario.

     

    Let me know if you have any additional questions, comments, etc.

     

    Thanks,

    Scott

    OneCare Firewall PM

    Monday, February 25, 2008 11:51 PM