Client Security 14 firewall popup dialogs

Askoik

I thought, I finally managed to create an good ruleset for CS 14. Everything works fine, but users are getting annoying popups "Windows Firewall prevented some features of this program". It also shows path of that .exe but doesn't show any IP addr or TCP ports.

 

During my quick testing I haven't seen any problems with these programs, so maybe traffic flows nicely. For example Microsoft Teams gave that pop-up, when my colleague first time called me via voice call.

 

But how to get rid of these end user pop-up dialogs? Should I finetune my firewall rules or application control, or something else?

JamesC

Hi Ashok

 

It's expected behavior and that's how Windows Firewall works.

It allows all connections which we allow in Firewall settings and blocks ones which are blocked in firewall profile. But for unknown inbound ones it may ask for user to decide - that's why users see these dialogs.

To tell which rules exactly are needed, admin can check event log for Windows Firewall or C:\ProgramData\F-Secure\Log\Firewall\Blocks.log - this file logs all blocked connections by windows firewall.

You need to trigger these apps to be blocked and can read which connection was blocked in blocks.log - then can add rule which would allow it.

Note that Windows Firewall configuration will be altered even when the prompt is dismissed by selecting “Cancel”. Two inbound rules for the related application will be created with Block action for both TCP and UDP protocols.

Askoik

Really? Programs such as Teams will be asking permissions from the end user, when first time launching that program? Maybe it is ok for users sitting in offices with their laptops, but in schools, shops and industrial environments we want to minimize all pop-ups, so that we don't need to answer hundreds of phone calls.

 

If our workstations has a very important program foobar.exe listening incoming connections, I definetely do not want to bother end users with popups asking permissions. Actually if they try to give permission, they cannot do it since they are not local admins. Instead I'd like to allow foobar.exe on PMC, before I update CS from 13 to 14. In 13 I just allowed needed TCP-ports, but in 14 it is not enough? Where should I allow this foobar.exe, in Firewall rules or in Application Control? Is just the .exe name enough, or does it need full path?

 

Microsoft Teams teams.exe is installed into c:\users\%username%\appdata\local\microsoft\teams\current\teams.exe So can I use that username variable also when creating the allowing rule in PMC?

 

In Application Control there are three options for "default rule for untrusted applications": Allow, Block and Report. Do I assume correct, that "Report" actually is "Allow&Report"? Now I selected "Report" and also ticked "Block batch scripts started by Microsoft Office applications". Should it now block or not? I have an Excel file, with Macroscript, which calls Batch script, which prints into label printer. The printing still works, why?

 

Your suggestion to first block apps and then allow them one by one doesn't work for me. I cannot test all apps in lab environment. Instead I'd like to "allow all" first in production environment without any end user pop-up dialogs and then I can carefully block something if needed.

MonikaL

Hi Ashok,

 

Application control's exclusion rules give you a way to define the applications that you want to explicitly allow or block. Any applications that match the conditions that you set within the rules are excluded from the default rule for the profile. For example, if the default rule is Allow, you can create rules to specify the applications or locations that you want to block. Another example could be that you want to receive a report of any applications that match the triggering conditions, even though they are still allowed or blocked based on the default rule for the profile.

 

In Standard view:

1. Select the target domain.
2. Go to the Settings tab
3. Select the Application control
4. Select the profile that you want to edit from the Profile being edited drop-down list.
   Note: You cannot edit the exclusion rules for any profiles that are marked as Predefined.
5. Click Add rule. This opens the exclusion rule wizard.
6. Enter a name and description for the rule.
7. Select the Event and Action for the rule.                                                                                                  For example, if you select Run application as the event and Block as the action, the rule prevents applications from running if they match the conditions for the rule.
8. Click Add condition. You can add multiple conditions to the same rule to get the scope that you want. If multiple conditions are added to the rule, they all need to be true (AND operation) for the exclusion rule to apply.
9. Select the attribute, operator, and value for each condition.                                                                       
   The following table explains the attributes that you can select to match the condition values.

Selected attribute	Description
Target	Values of the actual application. For example, Target file name is the actual file that you want to block.
Parent	Values of the process that launches the application. For example, Parent file name is the file that launches the application that you want to block.

For example, if you want to block Internet Explorer, iexplore.exe is the target and explorer.exe (Windows Explorer) is the parent. 

10. Click OK.
11. Change the order of the rules if necessary.                                                                                                The rules listed for the profile are applied in priority order from the top down.
12. Click the following icon to distribute the policy:

 

 

 

In case you set Application Control setting "Default rule applied to untrusted application" to "Block", Application Control will allow application running from SYSTEM account, and any application that you have allow in the exclusion rule. Any other application will be blocked. Hence, we recommend to change the setting to "Report" to monitor the situation, and slowly creating new Application Control rule(s) to allow the application running in your environment.

 

By default, we do block batch scripts execution from any Microsoft Office application. In order to override the default rule applied to all applications, installers and scripts, exclusion rules are created to explicitly block or allow a specific access.

 

 

Regards,

Monika

MJ-perComp

Hi,
I feel thet the previous answers still do not answer the initial question, so I may add some comments:

1) F-Secure Firewall is no longer a driver. It is an adminstrative interface for the local Windows firewall. As such it is the Windows Firewall nagging the user, because of this setting:

 

2) Application Control (version 1) in CS <=13 was an AddOn to the F-Secure Firewall driver. As that driver no longer exists AC (version 1) no longer exists. (Honetsly it has never been an application control. Just a Communaction Control). The functionallity is now part of the Windows Firewall and can be configured in the scope of a Firewall rule:

This is no longer bound to the Reputation Service

 

3) Todays Application Control (version ) in CS14+ is what the name says. Which is way better than before, as you can block an application from execution, not only from communication. E.g a cryto trojan can be stopped before it starts, while the old only stopped it's communication to the Command&Controll Server. Any "default" rouge action can no longer be performed.

You can block execution of a binary, based on some 20 different conditions:

 

One of the conditions is "Target Reputation".

 

hth.
Matthias

Askoik

Thanks for good explanation about Application Control.

 

I now tested that "Notify user" checkmark with MS Teams. I found two incoming rules (UDP & TCP) which Teams has apparently created when I first time enabled Windows FW after CS 14 update.

 

I deleted those two rules from my laptop. In PMC I have "Notify user" ticked. I rebooted my laptop. When Teams launched, nothing happened. When a friend calls me, I got FW pop-up asking permissions. I didn't answer, but looked Windows FW rules and found that it already created those UDP&TCP rules back, but they are blocking, not allowing. Now I answered pop-up dialog, and FW rules changed into allowing.

 

 

Then a second test, now with "Notify user" unticked. After reboot, when a friend called me, I didn't get pop-up, so this really did the trick. But I assumed, it would create allowing rules into Windows firewall quitely. But no, it didn't create any rules for Teams. I'm not sure, should I be concerned about this or not? Teams is working fine. And those FW rules which I now am missing, were anyway disabled via "Ignore all firewall rules that are not listed in this profile" so maybe they weren't so important?

 

MJ-perComp

This is not an F-Secure problem.
I fear you need to ask Microsoft, why a positive answer would not create a local rule while a negative does.

 

In the end the result is: "working as expected"
- all other rules deactivated, i.e. rules created by F-Secure control the traffic.
- user gets informed about an APP trying to connect outside the system

 

You may conclude that "notify User" is a useless setting when "Ignore other rules" is active and I tend to agree.

@MonikaLMaybe R&D should look into this, because the local user would expect that the application, he denied, would be blocked.

 

MonikaL

Hello Askoik,
 
We would require the diagnostic information from the client machine and policy manager to check the scenario. Please provide this information to support along-with the description of the issue, and we will investigate further.
 
Best regards,
Monika

Askoik

Actually, positive answer is creating a rule as I already told. Pop-up first says "Windows Defend FW has blocked some functionality of this program" and there you have possibility to tick Domain/Private/Public and after that click "Allow use" or "Cancel". When looking FW rules, it acts similar: creates first blocking rule, which then can be turned into allowing rule.

 

Rule stays totally uncreated only when I untick "Notify user when firewall blocks a new application". So, were are not asking anything from the user and we are not creating own rules for every runnable exe. But that doesn't matter, since Teams seems to be working fine just with these default rules:
"Unknown inbound connections: Block"
"Unknown outbound connections: Allow"
Thats how it worked also in CS13, we didn't need to allow any inbound traffic for MS Teams. And FW didn't ask any stupid questions.

 

I think what Matthias said is true, if we ask opinion from local user, he would expect his answer is respected. But, if we have ticked "Ignore all firewall rules that are not listed in this profile" then we are not respecting local users answer, but creating an DISABLED rule, which would allow/block traffic, if it would be ENABLED.

 

I can't give you diagnostics information, since I'm not asking opinions from my end users. I'm now happy with this functionality, so I can't give suggestions how to make it better. Maybe if you could disable windows FW own pop-ups and replace those with F-secure pop-ups, where you give more information, whether it is now the enduser or admin who has the "mighty power".