
Firewall Disabled?

Hi!

SESC 9.5 firewall is telling me that it's deactivated, but it appears to work? For a few days I have had this strange thing: the tray bar icon is showing a yellow exclamation mark. The tooltip tells me that the firewall configuration is letting through all data traffic. In the SESC 9.5 GUI the firewall entry says "deactivated", active location: "primary".

I tried to reconfigure the firewall but in the fw config menu the checkbox for "allow all data traffic" is disabled for the primary location. I haven't configured any secondary location.

This all started a few days ago after the update for the engine was distributed. I hadn't installed it and had just hibernated my Win XP for several days. But then suddenly there was a message telling me the system wanted to connect to my local network on 192.168.178.255 on UDP port 137, which I initially disallowed. Another alert followed for a connection to another LAN computer on UDP port 55400, which I disallowed too. But then the internet connection didn't work any more, so I restarted the system. This activated the SESC update but didn't solve the connection block, so I removed both firewall rules.

After another restart I got the UDP 137 alert again and allowed it, as well as the UDP 55400 connection to the LAN computer. Now the internet connection works again. The firewall says it has been disabled, but it still prompts me from time to time with HTTP connection requests from the SVCHOST service, which I generally block by adding new rules each time. So the firewall appears to work from my point of view, and I don't get the impression that all data traffic is going through.

What is this all about? Has anyone experienced the same issue, or does anybody have an idea how to solve it?

Thanks in advance,

Holger

  • Hello Holger,

    the exclamation mark should correctly indicate the setting of Allow all traffic (after clicking Apply). If it doesn't "follow" your setting then something's not working as it should.

    I assume your configuration is (or should be) Interactive. Is your PC managed by SEC and if so, what are the policy settings? And how is your PC connected to the outside world? UDP 137 is NetBIOS, which shouldn't affect "the internet connection" (what exactly does "didn't work anymore" mean?).

    Christian

    Edit: Thought about it on my way home yesterday. 192.168.178.255 is a broadcast address so it's probably your computer searching for "something" (shares) on the LAN. The svchost to port 80 is related - it's Windows "falling" back to WebDAV when NetBIOS doesn't work.

    Excuse me for saying so but it looks like you are trying to configure SCF by trial and error. This won't work as it seems your computer needs some resources from the LAN (which exactly, I can't tell). Maybe you should start all over (there's a Restore Defaults button).

    Another one - if the icon still incorrectly reports the state you should consider un-/reinstalling SCF.

    Christian

  • Hi Christian,

    thank you for your help. I have to admit that my report of events and settings was just from memory of what happened a few days before, and maybe I have mixed up things a little bit. So I'll try to put it a little bit more clearly. I'm sitting behind a LAN router with a built-in DSL modem: it's a FritzBox, which is a famous German manufacturer of home user equipment.

    The correct order of events and settings was as follows:

    1. SEC was reporting my system trying to connect to 192.168.178.255 on UDP port 137, which I identified as a class C broadcast that had never occurred before.

    2. Having kind of paranoid roots in my personality, I disallowed this in the alert box (because I am running the firewall in interactive mode, as you correctly assumed).

    3. Immediately afterwards there was another alert on a connection attempt to a PC of my LAN with IP 192.168.178.123 on UDP port 55400.

    4. I blocked this, too (it's always a good idea to be consistent in your paranoia).

    5. I wanted to look up the meaning of port 137, which I remembered as being a system-related service but had forgotten its specific meaning.

    6. Firefox refused to open www.google.de. In the status bar I could see that name resolution didn't work properly, as it got stuck there and put out a message after several seconds like "ff was unable to connect to www.google.de"... I tried a few other URLs with the same result, so I assumed that the internet connection was not working.

    7. I used another computer in my LAN and had no trouble in opening the above mentioned URL (maybe someone can imagine the word "SUSPICIOUS" blinking up in my mind at that moment).

    8. I was terrified, and maybe that's why I didn't try to connect to google by using one of its IP addresses in order to assess whether DNS lookups didn't work or extra-LAN connections from this specific computer were blocked by the firewall.

    9. I did what everybody does if he gets this feeling of being persecuted: I shut down the machine. Maybe it was just a bad dream and everything is fine after a reboot.

    10. After the restart nothing had changed. Back to life, back to reality. So what did I do? Yes, another restart. Probably it's this chewing gum machine trick from childhood: one coin in, no gum out. You always had to hit the machine twice in order to get it to work properly. I believe there is some pancosmic conjunction between things.

    11. After the next restart I started working with the firewall configuration. There I removed both rules for UDP 137 and UDP 55400 and when the connection alerts came again I allowed both connections.

    12. After that internet worked fine - at least firefox was able to look up a google IP address and connect to the server.

    13. The yellow exclamation mark is informing me that something with the firewall is not working. Maybe from my previous comments you can guess what this information does with my psyche. The rest is described in my first post.

    Well, let me say something about these port 80 connections. These appeared several weeks before and shortly after the change in the firewall configuration. All of these were going to different internet addresses which I looked up with a WHOIS service and which don't seem to belong to Microsoft or other software companies whose programs I was running on my system. That's why I blocked them. I can't imagine any convincing reason why Windows should try to connect to internet servers using WebDAV - except maybe that there is some global conspiracy going on and me being in the middle of it. That's not the idea you want to have in mind before you go to sleep.

    Tonight, I changed the UDP 137 and UDP 55400 rules from "allow" to "disallow" and the internet connection is still working. So probably there never was any connection between blocking these and having no internet connection. That's what you were saying. Then I wonder why the internet didn't work and at the same time there was this new connection alert for port 137. The exclamation mark hasn't disappeared yet. It's still indicating to be alerted! Does anybody know if 137 has a special meaning in freemasonry? Maybe it's a sign, a message from somewhere... I should take my pills.

    Nevertheless, many thanks for your help. Maybe I'll do a restore or better a complete reinstall. Or much better I'll buy a new computer. Does anybody know a trustworthy computer store?

    Kind regards,

    Holger

  • Hello Holger,

    starting near the bottom: The yellow exclamation mark is informing me that something with the firewall is not working.

    Indeed this should be resolved first. Haven't seen it being inconsistent with the Allow all traffic setting (with the exception of an outstanding reboot after install/upgrade). Since you did already reboot several times this shouldn't be the cause of the exclamation mark.

    BTW: As this is a home installation - where do you get your updates from (primary and if applicable secondary location)? Being paranoid is just a special case of imagination running wild - the latter I'm suffering from every so often. I can't imagine of any convincing reason why windows should try to connect to internet servers using WebDAV. Oh, just enter (for example) \\Junkhost\SomeShare in the Explorer's address bar (assuming you don't have Junkhost on your LAN). When NetBIOS can't find the host WebDAV (on WinXP systems with IE6 and IE7) kicks in with an OPTIONS /search?q=junkhost request to Host: www.google.com and later also with a PROPFIND /SomeShare to Host: Junkhost ... using IP-addresses belonging to a dubious domain named 1e100.net. Well, it's owned by a known company. Just checked, slightly different but still there with Win7. Can you remember some of these different internet connections?

    Does anybody know if 137 has a special meaning in free masonry

    Apart from the fact that the sum of its digits times the number of digits is 33 I don't see anything special - maybe I'm not paranoid enough. The only trustworthy computer store would be one which refuses to sell them.

    Christian

  • Hi Christian,

    sorry, I didn't have the time for answering so far. Nevertheless, I had a closer look at what's going on on my system with Sysinternals' (now MS') Process Explorer and TCPView. After that, I believe it was an Ad0be Reader associated module trying to phone home every 7 seconds. After I killed its process there was a scary silence in the firewall's protocol event view. It must have been kind of homesick, this poor little reader. Seems that Ad0be is updating its applications at a very high rate. Every 7 seconds a new version - that's real innovation. The only other information system with a comparable output rate of new versions that I know is the HI virus, which by this means is bypassing the defense of the immune system. So it's a strange world, a strange universe, and a strange pancosmic connection. Here we go again...

    Regarding the exclamation mark nothing has changed, indeed. Nevertheless, the firewall still seems to work. As I have mentioned already, the fw was reporting blocking events every 7 seconds until I killed the reader's process. Therefore I believe this week will be a week of innovation not only for Ad0be's customers but also for my computer. It's time for Windows 7, which I will obtain from a trustworthy computer store which will refuse to sell products to its customers. Actually, the only other company that I know which has such a liability is the public transport company from my home town that refused to sell me a ticket for the bus when I wanted to pay with a 50,- Euro note. Great! I know where to begin. I only have to find this bus driver again and ask him where he would buy his computer if he was a paranoid customer of a trustworthy transport company who enjoyed his walk through the rain instead of sitting in a heated and air-conditioned bus, for he knew that this company really only was selling tickets to customers if this was necessary for some circumstances.

    Back to WebDAV. Well, yes. You're right. Maybe it was NetBIOS. But what is still holding me back from regarding WebDAV as the cause for these port 80 connections is the fact that the connection alerts appeared out of nothing - when I was reading a PDF file, for example. This supports my Ad0be Reader theory. But of course it still could have been connection attempts initiated by NetBIOS. The IP address was 92.122.188.x with x being either 83, 96, 112, 114, or 115. Is this related to WebDAV?

    I get my Sophos updates from the university. It's only for the primary location. I have no secondary location, but as far as I remember from the instructions there was no secondary location path mentioned. Is there a public path on the Sophos server somewhere? I ask because it sometimes feels as if updates from the university server are very slow.

    Ok. Let's talk about the last and probably the most important thing. NetBIOS seems to be a gate for the temple knights! It is true. 1 + 3 + 7 = 11 and 11 * 3 = 33! This is really scary! Jesus Christ - maybe the Holy Grail has been dematerialized and is located somewhere on my hard disk between sector 32 and sector 34! Maybe that's why Ad0be Reader wants to call Mummy at home, very excited: "Hey mum, do you know what I stumbled upon when I was looking at my neighbour sector on the hard disk? Behold, it was the Holy Grail! Nobody knows yet, but believe me! First, it looked kind of FAT, but after a little cleaning it was pure gold and King Arthur himself was sitting there with the Knights of his Grail Allocation Table, no kidding!"

    Well, this all leaves some open questions to my mind which maybe will lead to answers important to the whole world. So @EVERYREADER if ever Sophos ENDPOINT Security and Control will indicate a yellow exclamation mark to you: Be aware as the ENDPOINT might be near!

    BTW many thanks to Chris for your helpful and entertaining comments and answers!

    Humble regards,

    Holger

  • Hello Holger,

    92.122.188.x is Akamai Technologies, a "Web Acceleration" provider. Many vendors provide downloads/updates using this service. So it's very likely a normal HTTP request and not WebDAV (as you described it, it's probably the Acrobat Reader).

    If your primary update location for Sophos is UNC (and not http) and the server is not reachable over internet (but perhaps over VPN) WebDAV might kick in. Normally you'd see that update failed but it might as well be that it switches to the VPN connection "in time" so you might not notice. And - connections over VPN can be slow.

    trustworthy traffic company

    It's probably written in the Beförderungsbedingungen (terms of transportation, for those not fluent in German) ... he was just doing it by the book. You don't want him to get mugged because he carries enough change with him to sell you a ticket when all you have is a €50 note, do you?

    Christian

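As an added example (not code from this thread, from Sophos or from any poster), here is a small Python triage script over constructed alert lines modelled on the ones discussed above: it labels the NetBIOS broadcast to 192.168.178.255:137 and the LAN peer as local traffic, marks destinations in the 92.122.188.0/24 range that Christian identified as Akamai, and flags a process that connects at a fixed interval (the every-7-seconds pattern Holger found with TCPView). The process names, timestamps, log format and the 203.0.113.10 address are assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LAN = ipaddress.ip_network("192.168.178.0/24")      # the poster's FritzBox LAN
KNOWN_CDN = [ipaddress.ip_network("92.122.188.0/24")]  # identified in the thread as Akamai

# Constructed alert lines (not a real Sophos log): "date time process proto dst_ip:dst_port"
SAMPLE_LOG = """\
2010-02-01 20:00:00 svchost.exe UDP 192.168.178.255:137
2010-02-01 20:00:01 svchost.exe UDP 192.168.178.123:55400
2010-02-01 20:00:07 reader_helper.exe TCP 92.122.188.83:80
2010-02-01 20:00:14 reader_helper.exe TCP 92.122.188.96:80
2010-02-01 20:00:21 reader_helper.exe TCP 92.122.188.112:80
2010-02-01 20:00:28 reader_helper.exe TCP 92.122.188.114:80
2010-02-01 20:00:35 reader_helper.exe TCP 92.122.188.115:80
2010-02-01 20:03:00 firefox.exe TCP 203.0.113.10:80
"""

def parse_events(text):
    """One dict per alert line; timestamps become datetimes so gaps can be measured."""
    events = []
    for line in text.splitlines():
        date, time, proc, proto, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(f"{date} {time}"), "proc": proc,
                       "proto": proto, "ip": ipaddress.ip_address(ip), "port": int(port)})
    return events

def classify(ev):
    """Label an alert the way the thread resolved them, instead of allow/deny by guess."""
    if ev["ip"] == LAN.broadcast_address and ev["port"] == 137:
        return "netbios-name-broadcast"  # host browsing for LAN shares, not Internet access
    if ev["ip"] in LAN:
        return "lan-peer"
    if any(ev["ip"] in net for net in KNOWN_CDN):
        return "cdn-http" if ev["port"] == 80 else "cdn-other"
    return "internet"

def find_beacons(events, min_count=4, max_jitter_s=1.0):
    """(process, port, mean gap) for connections repeating at a fixed interval."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["proc"], ev["port"])].append(ev["ts"])
    beacons = []
    for (proc, port), stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:   # near-constant gap = scheduled/beaconing traffic
            beacons.append((proc, port, round(mean(gaps), 1)))
    return beacons
```

Run `find_beacons(parse_events(SAMPLE_LOG))` to get the 7-second talker; a flagged process is then the one to look up in Process Explorer before deciding on a rule.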
  • Hi Christian,

    trustworthy traffic company

    It's probably written in the Beförderungsbedingungen (terms of transportation, for those not fluent in German) ... he was just doing it by the book. You don't want him to get mugged because he carries enough change with him to sell you a ticket when all you have is a €50 note, do you?

    Even if this is becoming a kind of off-topic:

    Of course it was written in the terms of transportation that change would be given only up to 10,- Euros. However, this doesn't contribute to your happiness if you stand in the pouring rain at 6 °C outside temperature and watch the tail lights of the bus driving away without you because the only money you had in your pocket was a 50 Euro note. Being the polite person that I am, I called the transportation company afterwards to let them participate in the tremendous joy that was created by this event and to discuss the striking analogy of their terms of transportation with those of a provincial one-man rickshaw family business located somewhere in the suburbs of East Asia with a criminality rate of 5% murders per citizen per year. And what I have to bring up against this bus driver - whom I have in mind as being a very unfriendly person (but maybe my memory has a little bias here) - is that I was told that for these incidents there is the option to fill in a certificate of debt in the bus and to pay it at one of the company's offices within one week. So the driver either didn't know or - which is a more suiting explanation for my paranoid mind - didn't want to tell me in order to avoid some formality. It's really a hard life if the whole world is against you and the only one who's being wronged is yourself - I can tell. Well, the more I think about this event the clearer it becomes to me that there might be another explanation, too. It's just because the number of the bus line was 137...

    Kind regards,

    Holger

  • We're getting a Sophos shield with an exclamation mark on the right side. I wasn't clear from your post what the solution was, or what the exclamation mark means. Do you know?

    Thanks,

    Marc

  • Hello Marc,

    for the possible meanings of the exclamation mark please see Changes to the shield icon .... If you have any additional questions please start a new thread.

    Christian

  • Hi Marc!

    In addition to Christian's reply regarding the meaning of the exclamation mark I can provide you with my solution. This only will suit your needs if you are facing the same "firewall disabled issue" as me.

    I downloaded the latest Sophos AV version from our university's web server, cut the physical network connection and removed the old installation via the Windows control panel. Then I reinstalled the new version, performed a full virus scan and reconnected physically afterwards. This helped to keep the exclamation mark away for a week or two, but then it reappeared with the same information "firewall disabled".

    A few weeks later there was an automatic update of the executable files of the AV engine, and after these had been replaced, the exclamation mark disappeared. After the restart, however, it was there again.

    However, I still believe that the firewall is working, as is indicated by the list of blocked connection attempts. I am running in interactive mode and at every system restart I get a request from the Windows Media sharing service, for example. I assume that something in my system configuration makes the fw believe that all connections are open. I ran TCPView and everything seemed to work fine.

    Holger

  • I seem to be having the same problem as of 5:10pm today. The systray icon is a blue shield with a red circle and a white 'x'. I normally see this when the update is not working, but I fussed with that for a while and got it to update. I still have the circle with the 'x' and the mouseover text says, "Firewall: service failure". The UI says the Firewall is disabled, but I do not have "Allow all traffic" checked in the Firewall configuration dialog. The firewall log lists the last report at 5:10 and it is 7:05. So it clearly is not firewalling!

    Why would the firewall just quit like this? This is the same time I installed an updated version of Bittorrent. How would Bittorrent kill the firewall?
