Vista firewall not blocking outbound traffic despite explicit rules to do so

  • Thread starter Thread starter Roof Fiddler
  • Start date Start date
R

Roof Fiddler

I installed Adobe Reader 8 on Vista RTM. In Windows Firewall with Advanced
Security, I added six outbound firewall rules, one for each of the .exe
files in the Adobe directory, to block all outbound traffic. My Vista
firewall settings are otherwise set to the installation defaults. When I run
Adobe Reader and choose Help/Check for Updates, it successfully connects to
Adobe's servers and tells me whether any updates are available.
Why isn't the firewall blocking it from doing this?
 
Roof Fiddler said:
I installed Adobe Reader 8 on Vista RTM. In Windows Firewall with Advanced
Security, I added six outbound firewall rules, one for each of the .exe
files in the Adobe directory, to block all outbound traffic. My Vista
firewall settings are otherwise set to the installation defaults. When I
run Adobe Reader and choose Help/Check for Updates, it successfully
connects to Adobe's servers and tells me whether any updates are available.
Why isn't the firewall blocking it from doing this?
Click to expand...

Maybe the rules are in the wrong profile? Vista distinguishes three network
profiles, public, private and domain. Each can have different firewall
rules. Look in the "Network and Sharing Center" to see which profile is
active.
 
Martin Hueser said:
Maybe the rules are in the wrong profile? Vista distinguishes three
network profiles, public, private and domain. Each can have different
firewall rules. Look in the "Network and Sharing Center" to see which
profile is active.
Click to expand...
The rules are set for all three profiles.
 
ABoyCalledSilly said:
Check the following settings:
01. Open the Firewall GUI and select "Windows Firewall Properties"
(hyperlink styled text) from the (center)main page.
02. Check if the setting "Outbound connections" (drop-down button) in
section "State" is set to "Block". Otherwise do so...

IMPORTANT NOTE: please keep in mind that by performing this action, all
outbound traffic without explicit rules to allow outbound traffic will
be blocked. Including Windows Update etc. For all the application you
should make seperate rules allowing them to connect...
Click to expand...

But I don't want to block all traffic by default. (Well actually I do, but I
gave up in frustration while trying to do that months ago while running RC1
and RC2 because Vista wouldn't honor my rules to allow certain outbound
connections.)
I need to block particular programs from initiating outbound connections,
not block all programs.
 
ABoyCalledSilly said:
Ok, now i understand completely... frustrating situation ;)

Can you specify the "rules it wouldn't honor"? Maybe there's a solution
around the corner :)
Click to expand...
Outbound rule:
name: "block network for adobe reader"
profile: any
enabled: yes
action: block
program: %ProgramFiles%\Adobe\Reader 8.0\Reader\AcroRd32.exe
local address: any
remote address: any
protocol: any
local port: any
remote port: any
allowed computers: any
properties\programs and services\services\settings\apply this rule as
follows: apply to all programs and services
properties\advanced\profiles: all profiles
profiles\interface types\customize\This rule applies to connections on the
following interface types: All interface types

I have one such rule for every EXE in the %ProgramFiles%\Adobe directory
(six EXEs total), including AcroRd32.exe.

Yet when I run the program and tell it to check for updates over the
internet, it does so with no problem.

Not that it should matter, since those outbound rules I have in place should
cover all cases, but my active profile is Public, and I have inbound
connections blocked by default and outbound allowed by default. I'm running
RTM, UAC is enabled, and I'm using an administrative account. I don't have
any firewall software installed other than the default one included with
Vista, and I don't have any configuration complications which I could
imagine might be causing my problem. I know that specifying the programs
using the pathname %ProgramFiles%\Adobe\Reader 8.0\Reader isn't the problem
because Vista itself chose to specify it that way; I just used the New
Outbound Rule wizard to create the rules, and selected the programs using
the file dialog box.

Another option is using your Hostfile
(C:\Windows\System32\drivers\etc\hosts). Have you tried using it?
Click to expand...
That won't work because I'm not trying to block all programs from accessing
particular sites, but block particular programs from accessing any sites.
 
In the followin directory is a AdobeDownloadManager :

\Program Files\Common Files\Adobe\ESD\

Maybe it is doing the update downloading?
 
sd321 said:
In the followin directory is a AdobeDownloadManager :

\Program Files\Common Files\Adobe\ESD\

Maybe it is doing the update downloading?
Click to expand...

On this installation it's in \Program Files\Common Files\Adobe\Udater5
AdobeUpdater.exe is the file.
 
Rock said:
On this installation it's in \Program Files\Common Files\Adobe\Udater5
AdobeUpdater.exe is the file.
Click to expand...

That was it! Thanks an bunch.
Now I have another question. If this is how Vista works, then doesn't it
mean that outbound rules are useless as a security measure on a system where
outbound connections are allowed by default? If a program finds that it
can't get a connection, all it has to do is create a new .exe file and then
run it, and the new .exe can get to the network. That means on Vista, in
order to have outbound security, you have to disallow outbound connections
by default and add rules to allow connections for particular trusted
programs.
Wouldn't it make more sense for an outbound rule for a program to apply not
to the program, but to all _processes_ started from that program? (And of
course to children of that process too.) That would solve the problem, and
allow outbound connections to be allowed by default without allowing blocked
programs to get around the rules this way.
 
You're welcome.

Roof Fiddler said:
That was it! Thanks an bunch.
Now I have another question. If this is how Vista works, then doesn't it
mean that outbound rules are useless as a security measure on a system
where outbound connections are allowed by default? If a program finds that
it can't get a connection, all it has to do is create a new .exe file and
then run it, and the new .exe can get to the network. That means on Vista,
in order to have outbound security, you have to disallow outbound
connections by default and add rules to allow connections for particular
trusted programs.
Wouldn't it make more sense for an outbound rule for a program to apply
not to the program, but to all _processes_ started from that program? (And
of course to children of that process too.) That would solve the problem,
and allow outbound connections to be allowed by default without allowing
blocked programs to get around the rules this way.
Click to expand...
 
Back
Top