OneCare 2.0 Firewall vs Application Updates

  • Question

  • The OneCare firewall rules appear to be more restrictive than the configured Windows Firewall rules. 

    In particular, the Windows Firewall does not prevent services running as SYSTEM from establishing outbound ports regardless of whether or not the process is in the acceptable process list.   The OneCare firewall blocks the outbound communications until such time as the user adds the service process to the approved list. 

    How is an end user supposed to know that a SYSTEM service should or should not be permitted?  The user (or their administrator) gave permission for the service to be installed.  That should be enough.

    What makes this especially frustrating is that the rule is kept per file version.  Therefore, each time the service executable is updated, the user is queried again.  This is not a useful process.

    What will the service need to do in order to add itself to the OneCare firewall rules?


    Wednesday, November 14, 2007 7:34 PM

Answers

  • If the program requesting access is not known to be safe by OneCare it is blocked and the user is prompted if they want to allow it. If it is known to be safe, it is allowed. To be known to be safe, the process/program needs to be signed or needs to be on the firewall allow list, either put there by the user or included in the base firewall rules maintained by OneCare with the virus signatures. When a program changes, it needs to be allowed or denied once again as it could well be infected. So, yes, the OneCare firewall affords higher protection by design.

    -steve

     

    Thursday, November 15, 2007 3:01 AM
    Moderator

All replies

  • Steve:

    Then the question becomes "what are the criteria for being included on the OneCare approved list?"

    All of my products are signed and for each release the binaries are registered with Microsoft via the Windows Error Reporting Service. 

    Jeffrey Altman

    Thursday, November 15, 2007 4:24 AM
  • Steve,

     

    Has this changed? In earlier versions a valid digital signature had been enough, as long as the software wasn't included in the malware detections.

     

    I wasn't aware that it was now also required that an application be in the policy files, I thought this was just a supplement list for widely recognized applications that weren't signed. If this has really changed I think it's a foolish move, as it would allow no reasonable method for small application developers to gain the ability for their software to pass the firewall.

     

    Personally, I don't believe this makes sense at all, so I'd like to know where there is any confirmation.

     

    OneCareBear

    Thursday, November 15, 2007 5:14 AM
    Moderator
  •  OneCareBear wrote:

    Steve,

     

    Has this changed? In earlier versions a valid digital signature had been enough, as long as the software wasn't included in the malware detections.

     

    I wasn't aware that it was now also required that an application be in the policy files, I thought this was just a supplement list for widely recognized applications that weren't signed. If this has really changed I think it's a foolish move, as it would allow no reasonable method for small application developers to gain the ability for their software to pass the firewall.

     

    Personally, I don't believe this makes sense at all, so I'd like to know where there is any confirmation.

     

    OneCareBear

    No, there hasn't been any change that I'm aware of. The recognized applications are either in the list maintained by the firewall team for OneCare *or* have been digitally signed, as far as I know. Sorry for being unclear in my reply. I will seek confirmation officially on this, too.

    -steve

    Thursday, November 15, 2007 9:59 AM
    Moderator
  • OK, it probably hasn't changed then, since I'd think we'd have heard quite a few complaints during beta testing if it had.

     

    Jeffrey, give your application a try to see how the OneCare firewall reacts. The last I knew it would simply display a pop-up to inform a user that it had added [a digitally signed] application and automatically allowed it. I'm less certain of the interaction with services, however, so if you're seeing something different please let us know.

     

    OneCareBear

    Thursday, November 15, 2007 1:09 PM
    Moderator
  • This has not changed.  Please send us the support log after turning detailed packet logging on:

    1. Ensure that Change Settings>Logging>Included detailed firewall information checkbox is checked. Hit OK

    2. Run c:\Program files\Microsoft Windows OneCare Live\OneCareSupport.exe to create the zip file

    3. Send it to us via customer support

     

    Thanks

    Thursday, November 15, 2007 5:27 PM
  • Steve:

    I must apologize for this report.  After reading your post I went and double checked.  The build in question was a test build and not a release build.  Somehow I built an installer that included signed binaries for all but the actual service executable. 

    I rebuilt the application with an increased file version number, made sure it was signed, and installed it.  As you described, with the signed executable in place there was no prompt displayed to the user after the service was restarted.

    Thank you and once again I'm sorry for raising a nonexistent issue.

    Jeffrey Altman
    Thursday, November 15, 2007 6:57 PM
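
The root cause reported above (an installer in which every binary except the service executable was signed) can be caught before release. The following is an added example, not part of the original posts and not OneCare tooling: a PowerShell gate that fails a build when any binary in the installer staging directory lacks a valid Authenticode signature. The staging path and the function name `Get-UnsignedBinary` are assumptions.

```powershell
# Added example: pre-release signature gate for an installer staging directory.
# The default path below is a hypothetical placeholder, not from the thread.
param(
    [string]$StagingDir = '.\staging',
    [string[]]$Extensions = @('.exe', '.dll', '.sys')
)

function Get-UnsignedBinary {
    # Returns one record per binary whose Authenticode status is not 'Valid'.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Extensions = @('.exe', '.dll', '.sys')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    File        = $_.FullName
                    # NotSigned, HashMismatch, NotTrusted, ...
                    Status      = $sig.Status
                    # The thread notes that rules are kept per file version,
                    # so report it alongside the signature state.
                    FileVersion = $_.VersionInfo.FileVersion
                    # Empty when the file carries no signature at all.
                    Signer      = $sig.SignerCertificate.Subject
                }
            }
        }
}

$bad = @(Get-UnsignedBinary -Path $StagingDir -Extensions $Extensions)

if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize | Out-String | Write-Host
    Write-Host "$($bad.Count) binary file(s) without a valid signature; failing the build."
    exit 1
}

Write-Host "All binaries under '$StagingDir' carry a valid Authenticode signature."
```

Binaries signed with a test certificate that the build machine does not trust are reported as well, since their status is not `Valid`.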
  • No problem, Jeffrey, and thanks for confirming. Actually, it is good to bring this topic up now and again to help people understand what the OneCare firewall does. :-)

    -steve

     

    Thursday, November 15, 2007 7:18 PM
    Moderator