Why firewall messages are sometimes so vague

  • Thread starter Thread starter AndyHancock
  • Start date Start date
A

AndyHancock

After much web searching, it seems that anyone who has used older
firewalls (e.g Kerio, Sygate) will have been annoyed by messages like
"Generic Host Process for Win32 Services from your computer wants to
connect to some.changing.ip.address", or some outgoing ping (icmp).
The remote destination ip address often resolves to Microsoft or some
large content provider. The application that is doing this is always
nondescriptly described as svchost or tcpip kernel driver. Possible
causes are Windows update checker, Symantec, or possibly McAfee. I
know that Kerio will specify the full path of the executable trying to
connect out in some cases, so I'm not sure this information is so
elusive for these messages. Avast and Diskeeper connections to
outside are certainly reported more specifically than the above. From
the aforementioned web searching, such details are not elusive to
Kerio users. This makes it impossible to maintain a decent set of
firewall rules. I've already disabled automatic windows updates, got
rid of symantec, and such messages continue to occur, though less
often.

How do the more experienced maintainers of home firewalls deal with
this lack of detail in tightening up their firewall rules? I have,
and use, Spybot S&D. I'm hoping that there is a general appraoch that
doesn't entail that a user spend much less than 50% of his or her
computer time dealing with the security aspects. Currently, the
figure is well in excess of 50%, which really raises the question of
whether it is reasonable to convert to Luddite-ism.

Thanks!
 
> How do the more experienced maintainers of home firewalls deal with
> this lack of detail in tightening up their firewall rules?

Easy-- don't use personal firewalls that nag you all the time. If you're
following basic safe computing practices (keep your software updated,
anti-malware programs updated, and don't run as admin), then the firewall
built in to Windows is all that you need. A firewall's job is to watch your
network port and block inbound traffic that you didn't ask for. It's not the
job of a firewall to try to watch every single outbound connection. Indeed,
smart malware knows how to avoid these kinds of firewalls anyway. I've
written extensively about this in the past see
http://technet.microsoft.com/en-us/magazine/cc138010.aspx.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"AndyHancock" <AndyMHancock@gmail.com> wrote in message
news:b83e5223-a6e4-4de1-8e9f-51a4547094ca@8g2000hse.googlegroups.com...
> After much web searching, it seems that anyone who has used older
> firewalls (e.g Kerio, Sygate) will have been annoyed by messages like
> "Generic Host Process for Win32 Services from your computer wants to
> connect to some.changing.ip.address", or some outgoing ping (icmp).
> The remote destination ip address often resolves to Microsoft or some
> large content provider. The application that is doing this is always
> nondescriptly described as svchost or tcpip kernel driver. Possible
> causes are Windows update checker, Symantec, or possibly McAfee. I
> know that Kerio will specify the full path of the executable trying to
> connect out in some cases, so I'm not sure this information is so
> elusive for these messages. Avast and Diskeeper connections to
> outside are certainly reported more specifically than the above. From
> the aforementioned web searching, such details are not elusive to
> Kerio users. This makes it impossible to maintain a decent set of
> firewall rules. I've already disabled automatic windows updates, got
> rid of symantec, and such messages continue to occur, though less
> often.
>
> How do the more experienced maintainers of home firewalls deal with
> this lack of detail in tightening up their firewall rules? I have,
> and use, Spybot S&D. I'm hoping that there is a general appraoch that
> doesn't entail that a user spend much less than 50% of his or her
> computer time dealing with the security aspects. Currently, the
> figure is well in excess of 50%, which really raises the question of
> whether it is reasonable to convert to Luddite-ism.
>
> Thanks!
 
Yes, I was thinking that a builtin firewall would be handy because it
would recognize all the things that are legit. And won't bug the
user. However, I'm using Windows 2000. As far as I know, I need a
third party firewall.


On Apr 20, 10:41 pm, "Steve Riley [MSFT]" <steve.ri...@microsoft.com>
wrote:
> > How do the more experienced maintainers of home firewalls deal with
> > this lack of detail in tightening up their firewall rules?
>
> Easy-- don't use personal firewalls that nag you all the time. If you're
> following basic safe computing practices (keep your software updated,
> anti-malware programs updated, and don't run as admin), then the firewall
> built in to Windows is all that you need. A firewall's job is to watch your
> network port and block inbound traffic that you didn't ask for. It's not the
> job of a firewall to try to watch every single outbound connection. Indeed,
> smart malware knows how to avoid these kinds of firewalls anyway. I've
> written extensively about this in the past seehttp://technet.microsoft.com/en-us/magazine/cc138010.aspx.
> steve.ri...@microsoft.comhttp://blogs.technet.com/sterileyhttp://www.protectyourwindowsnetwork.com
>
> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
>
> news:b83e5223-a6e4-4de1-8e9f-51a4547094ca@8g2000hse.googlegroups.com...
>
> > After much web searching, it seems that anyone who has used older
> > firewalls (e.g Kerio, Sygate) will have been annoyed by messages like
> > "Generic Host Process for Win32 Services from your computer wants to
> > connect to some.changing.ip.address", or some outgoing ping (icmp).
> > The remote destination ip address often resolves to Microsoft or some
> > large content provider. The application that is doing this is always
> > nondescriptly described as svchost or tcpip kernel driver. Possible
> > causes are Windows update checker, Symantec, or possibly McAfee. I
> > know that Kerio will specify the full path of the executable trying to
> > connect out in some cases, so I'm not sure this information is so
> > elusive for these messages. Avast and Diskeeper connections to
> > outside are certainly reported more specifically than the above. From
> > the aforementioned web searching, such details are not elusive to
> > Kerio users. This makes it impossible to maintain a decent set of
> > firewall rules. I've already disabled automatic windows updates, got
> > rid of symantec, and such messages continue to occur, though less
> > often.
>
> > How do the more experienced maintainers of home firewalls deal with
> > this lack of detail in tightening up their firewall rules? I have,
> > and use, Spybot S&D. I'm hoping that there is a general appraoch that
> > doesn't entail that a user spend much less than 50% of his or her
> > computer time dealing with the security aspects. Currently, the
> > figure is well in excess of 50%, which really raises the question of
> > whether it is reasonable to convert to Luddite-ism.
>
> > Thanks!
 
Correct, Windows 2000 doesn't have a built-in firewall. But, you know, you
really should switch to at least Windows XP and be sure to install service
pack 3 on it when it becomes available on 29 April. If your hardware
supports it, go to Vista. Windows 2000 is really too old to be safe these
days.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"AndyHancock" <AndyMHancock@gmail.com> wrote in message
news:b82fb398-63d1-412f-b26d-ad03eb9dd3f0@f63g2000hsf.googlegroups.com...
> Yes, I was thinking that a builtin firewall would be handy because it
> would recognize all the things that are legit. And won't bug the
> user. However, I'm using Windows 2000. As far as I know, I need a
> third party firewall.
>
>
> On Apr 20, 10:41 pm, "Steve Riley [MSFT]" <steve.ri...@microsoft.com>
> wrote:
>> > How do the more experienced maintainers of home firewalls deal with
>> > this lack of detail in tightening up their firewall rules?
>>
>> Easy-- don't use personal firewalls that nag you all the time. If you're
>> following basic safe computing practices (keep your software updated,
>> anti-malware programs updated, and don't run as admin), then the firewall
>> built in to Windows is all that you need. A firewall's job is to watch
>> your
>> network port and block inbound traffic that you didn't ask for. It's not
>> the
>> job of a firewall to try to watch every single outbound connection.
>> Indeed,
>> smart malware knows how to avoid these kinds of firewalls anyway. I've
>> written extensively about this in the past
>> seehttp://technet.microsoft.com/en-us/magazine/cc138010.aspx.
>> steve.ri...@microsoft.comhttp://blogs.technet.com/sterileyhttp://www.protectyourwindowsnetwork.com
 
It takes alot of resources. This machine runs at several hundred MHz,
has several hundred MB RAM, and the hard disk runs at some
forty-something hundred RPM. It's also missing some of the standard
peripheral interface taken for granted these days. Of course, if I
ever get another machine, XP it shall be, but with luck, it won't
happen soon.

On Apr 21, 11:39 pm, "Steve Riley [MSFT]" <steve.ri...@microsoft.com>
wrote:
> Correct, Windows 2000 doesn't have a built-in firewall. But, you
> know, you really should switch to at least Windows XP and be sure to
> install service pack 3 on it when it becomes available on 29 April.
> If your hardware supports it, go to Vista. Windows 2000 is really
> too old to be safe these days.
>
> "AndyHancock" <AndyMHanc...@gmail.com> wrote in message
> news:b82fb398-63d1-412f-b26d-ad03eb9dd3f0@f63g2000hsf.googlegroups.com...
>>
>> Yes, I was thinking that a builtin firewall would be handy because
>> it would recognize all the things that are legit. And won't bug
>> the user. However, I'm using Windows 2000. As far as I know, I
>> need a third party firewall.
>>
>> On Apr 20, 10:41 pm, "Steve Riley [MSFT]"
>> <steve.ri...@microsoft.com> wrote:
>>> > How do the more experienced maintainers of home firewalls deal
>>> > with this lack of detail in tightening up their firewall rules?
>>>
>>> Easy-- don't use personal firewalls that nag you all the time. If
>>> you're following basic safe computing practices (keep your
>>> software updated, anti-malware programs updated, and don't run as
>>> admin), then the firewall built in to Windows is all that you
>>> need. A firewall's job is to watch your network port and block
>>> inbound traffic that you didn't ask for. It's not the job of a
>>> firewall to try to watch every single outbound connection.
>>> Indeed, smart malware knows how to avoid these kinds of firewalls
>>> anyway. I've written extensively about this in the past
>>> seehttp://technet.microsoft.com/en-us/magazine/cc138010.aspx.
>>> steve.ri...@microsoft.comhttp://blogs.technet.com/sterileyhttp://www.protectyourwindowsnetwork...
 
Back
Top