Firewall Disabled?

Hi!

The SESC 9.5 firewall is telling me that it's deactivated, but it appears to work. For a few days now I have had this strange thing: the tray bar icon is showing a yellow exclamation mark. The tooltip tells me that the firewall configuration is letting through all data traffic. In the SESC 9.5 GUI the firewall entry says "deactivated", active location: "primary".

I tried to reconfigure the firewall, but in the firewall config menu the checkbox for "allow all data traffic" is disabled for the primary location. I haven't configured any secondary location.

This all started a few days ago after the update for the engine was distributed. I hadn't installed it and had just hibernated my Win XP for several days. But then suddenly there was a message telling me the system wanted to connect to my local network on 192.168.178.255 on UDP port 137, which I initially disallowed. It was followed by another alert for a connection to another LAN computer on UDP port 55400, which I disallowed too. But then the internet connection didn't work any more, so I restarted the system. Nevertheless, this activated the SESC update but didn't solve the connection block, so I removed both firewall rules.

After another restart I got the UDP 137 alert again and allowed it, as well as the UDP 55400 to the LAN computer. Now the internet connection works again. The firewall says it has been disabled, but it still prompts me from time to time with HTTP connection requests from the SVCHOST service, which I generally block by adding new rules each time. So the firewall appears to work from my point of view, and I don't get the impression that all data traffic is going through.

What is this all about? Has anyone experienced the same issue, or does anybody have an idea how to solve it?

Thanks in advance,

Holger


Hi Christian,

sorry, I haven't had time to answer so far. Nevertheless, I had a closer look at what's going on in my system with Sysinternals' (now Microsoft's) Process Explorer and TCPView. After that, I believe it was an Ad0be Reader associated module trying to phone home every 7 seconds. After I killed its process there was a scary silence in the firewall's protocol event view. It must have been kind of homesick, this poor little reader. It seems that Ad0be is updating its applications at a very high rate. Every 7 seconds a new version - that's real innovation. The only other information system with a comparable output rate of new versions that I know of is HIV, which by this means bypasses the defences of the immune system. So it's a strange world, a strange universe, and a strange pancosmic connection. Here we go again...

Regarding the exclamation mark nothing has changed, indeed. Nevertheless, the firewall still seems to work. As I have mentioned already, the firewall was reporting blocking events every 7 seconds until I killed the reader's process. Therefore I believe this week will be a week of innovation not only for Ad0be's customers but also for my computer. It's time for Windows 7, which I will obtain from a trustworthy computer store which refuses to sell products to its customers. Actually, the only other company that I know of which has such a liability is the public transport company from my home town, which refused to sell me a ticket for the bus when I wanted to pay with a 50 Euro note. Great! I know where to begin. I only have to find this bus driver again and ask him where he would buy his computer if he were a paranoid customer of a trustworthy transport company who enjoyed his walk through the rain instead of sitting in a heated and air-conditioned bus, because he knew that this company really only sold tickets to customers if it was necessary under some circumstances.

Back to WebDAV. Well, yes, you're right. Maybe it was NetBIOS. But what still keeps me from regarding WebDAV as the cause of these port 80 connections is the fact that the connection alerts appeared out of nothing - when I was reading a PDF file, for example. This supports my Ad0be Reader theory. But of course they could still have been connection attempts initiated by NetBIOS. The IP address was 92.122.188.x with x being either 83, 96, 112, 114, or 115. Is this related to WebDAV?

I get my Sophos updates from the university. It's only for the primary location. I have no secondary location, but as far as I remember from the instructions there was no secondary location path mentioned. Is there a public path on the Sophos server somewhere? I ask because it sometimes feels as if updates from the university server are very slow.

Ok. Let's talk about the last and probably the most important thing. NetBIOS seems to be a gate for the Knights Templar! It is true. 1 + 3 + 7 = 11 and 11 * 3 = 33! This is really scary! Jesus Christ - maybe the Holy Grail has been dematerialized and is located somewhere on my hard disk between sector 32 and sector 34! Maybe that's why Ad0be Reader wants to call Mummy at home, very excited: "Hey mum, do you know what I stumbled upon when I was looking at my neighbouring sector on the hard disk? Behold, it was the Holy Grail! Nobody knows yet, but believe me! First it looked kind of like FAT, but after a little cleaning it was pure gold and King Arthur himself was sitting there with the Knights of his Grail Allocation Table, no kidding!"

Well, this all leaves some open questions in my mind which maybe will lead to answers important to the whole world. So @EVERYREADER: if Sophos ENDPOINT Security and Control ever indicates a yellow exclamation mark to you, be aware, as the ENDPOINT might be near!

BTW, many thanks to Chris for your helpful and entertaining comments and answers!

Humble regards,

Holger

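The investigation described in the reply above (attributing the port 80 connections to a process with Process Explorer and TCPView, then noticing the 7-second rhythm in the firewall's event view) can also be done from the firewall's event log itself. The script below is an added example, not part of the thread and not Sophos code. It parses firewall event lines in an assumed format, keys each flow on the process, port and destination /24 rather than the exact IP (the rotating 92.122.188.x hosts in the thread would otherwise split into five one-event groups that never look periodic), and flags flows whose inter-arrival times are regular enough to be timer-driven. The process names, addresses and timestamps in the sample are constructed for illustration; the thresholds (four events, 20% jitter) are assumptions to tune against real logs.

```python
"""Spot periodic outbound connections ("beacons") in firewall event-log
lines and attribute them to the owning process.

Added example, not from the thread. The log format is an assumption;
process names, addresses and timestamps are constructed and only
modelled on the pattern described there (a helper process reaching a
rotating set of 92.122.188.x hosts on TCP 80 every ~7 seconds, plus
NetBIOS name-service broadcasts to the LAN).
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev
import re

# Constructed sample log. Assumed format:
# <date> <time> <ALLOW|BLOCK> <TCP|UDP> <dst_ip>:<dst_port> <process path>
SAMPLE_LOG = r"""
2010-02-15 09:00:00 BLOCK TCP 92.122.188.83:80 C:\Program Files\Reader\reader_helper.exe
2010-02-15 09:00:03 ALLOW UDP 192.168.178.255:137 System
2010-02-15 09:00:07 BLOCK TCP 92.122.188.96:80 C:\Program Files\Reader\reader_helper.exe
2010-02-15 09:00:11 BLOCK TCP 93.184.216.34:80 C:\WINDOWS\system32\svchost.exe
2010-02-15 09:00:14 BLOCK TCP 92.122.188.112:80 C:\Program Files\Reader\reader_helper.exe
2010-02-15 09:00:21 BLOCK TCP 92.122.188.114:80 C:\Program Files\Reader\reader_helper.exe
2010-02-15 09:00:28 BLOCK TCP 92.122.188.115:80 C:\Program Files\Reader\reader_helper.exe
2010-02-15 09:00:35 BLOCK TCP 92.122.188.83:80 C:\Program Files\Reader\reader_helper.exe
2010-02-15 09:02:50 BLOCK TCP 93.184.216.34:80 C:\WINDOWS\system32\svchost.exe
2010-02-15 09:04:33 ALLOW UDP 192.168.178.255:137 System
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|BLOCK) "
    r"(?P<proto>TCP|UDP) (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proc>.+)$"
)


def parse_log(text):
    """Yield (timestamp, action, proto, dst_ip, dst_port, process) per line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # skip blank or malformed lines rather than crash
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["action"],
               m["proto"], m["ip"], int(m["port"]), m["proc"])


def flow_key(proto, ip, port, proc):
    """Group on process + protocol + port + /24 prefix, not the exact IP:
    a CDN-fronted phone-home rotates hosts inside one prefix and would
    otherwise split into several small groups that never look periodic."""
    prefix = ".".join(ip.split(".")[:3]) + ".0/24"
    return (proc, proto, prefix, port)


def find_beacons(text, min_events=4, max_jitter=0.2):
    """Return {flow_key: (event_count, median_interval_s)} for flows whose
    inter-arrival times are regular enough to look like a timer."""
    groups = defaultdict(list)
    for ts, _action, proto, ip, port, proc in parse_log(text):
        groups[flow_key(proto, ip, port, proc)].append(ts)

    beacons = {}
    for key, stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # coefficient of variation: low => evenly spaced => timer-driven
        if med > 0 and pstdev(gaps) / med <= max_jitter:
            beacons[key] = (len(stamps), med)
    return beacons


def broadcast_flows(text):
    """List local broadcasts (e.g. NetBIOS name service to x.x.x.255:137)
    separately, so they are reviewed as LAN chatter, not as beacons."""
    seen = set()
    for _ts, _action, proto, ip, port, proc in parse_log(text):
        if ip.endswith(".255"):
            seen.add((proc, proto, ip, port))
    return sorted(seen)


if __name__ == "__main__":
    for key, (n, med) in find_beacons(SAMPLE_LOG).items():
        proc, proto, prefix, port = key
        print(f"BEACON {proc} -> {proto} {prefix}:{port}  {n} events, every ~{med:.0f}s")
    for proc, proto, ip, port in broadcast_flows(SAMPLE_LOG):
        print(f"BCAST  {proc} -> {proto} {ip}:{port}")
```

On the constructed sample the reader_helper flow is reported as a six-event beacon at about 7 seconds, the two svchost events are too few to judge, and the UDP 137 broadcast to 192.168.178.255 is listed on its own. Keying on the process is what makes the method hold up once you have the process name from TCPView: the destination address is the least stable part of the pattern.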