
Hijacking. Manage the application.

Postby metal450 » Sun Dec 25, 2016 9:53 pm

I just got a pop-up notification which, in the box under “Create / Edit Application’s Zone Rule(s),” said “Hijacking. Manage the application.” The .exe shown in the popup actually wasn’t running at that time, & I’m certain it’s not malicious as it’s actually software of which I myself am the sole developer ;) I had been working on it several hours earlier in Visual Studio, but both the app itself & Visual Studio had been exited, & I was doing stuff completely unrelated. The event log didn’t show anything about that particular event after I dismissed the notification.

I wasn’t going to report this, thinking that maybe it was just a one-time fluke - but again today I got the same dialog for the same exe, this time almost immediately after a system reboot.

Any idea?
metal450
 
Posts: 50
Joined: Tue Dec 20, 2016 6:19 pm

Re: Hijacking. Manage the application.

Postby VistaFirewallControl » Mon Dec 26, 2016 11:31 am

> “Hijacking. Manage the application.”

WxFC traces the rules changes.
If a change (adding/removing) is detected beyond WxFC, WxFC shows the popup.

>The .exe shown in the popup actually wasn’t running at that time,

The application in the prompt is irrelevant.
The prompt means the application-related network permissions were changed by a third party; it may not be the same application.

>I wasn’t going to report this, thinking that maybe it was just a one-time fluke - but again today I got the same dialog for the same exe, this time almost immediately after a system reboot.
>Any idea?

If the problem repeats and you did not manage the application's network permissions intentionally, it’s most probably a third party influence.

Theoretically it may be a problem of WFP (very) slow response. If the problem is easily reproducible we could send you the logging version to verify the WFP related hypothesis.

Unfortunately the logging version is not a 100% remedy. If a rule is actually altered by a third party, there is no way to find the application that caused the alteration. Only the fact of the alteration is available.

Looking forward to hearing from you.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: Hijacking. Manage the application.

Postby metal450 » Mon Dec 26, 2016 11:35 am

I've seen it happen twice now, but seemingly at random...it's definitely not easily reproducible. Anything I should try to pay attention to if/when it happens again?
metal450
 
Posts: 50
Joined: Tue Dec 20, 2016 6:19 pm

Re: Hijacking. Manage the application.

Postby VistaFirewallControl » Mon Dec 26, 2016 12:44 pm

If it happens once a day (for instance) the logging version could be useful to exclude a possible related problem.
If once a week, the log may be too long to find anything useful.
Did you manage the firewall evidently during 1-2 mins before the prompt is shown?
It's the only reason of possible internal problem (just possible, there are no known related problems at the moment)

>Anything I should try to pay attention to if/when it happens again?

-A recently installed software that may try to manage the underlying network security core (WindowsFilteringPlatform WFP, BFE service)
-thinking about what kind of permissions are applied to the application in the prompt. What other app may not "like" it.

Actually all the WFP rules are available for management. It's not a good practice to manage "foreign" rules, but it's technically feasible. WxFC can just detect/prompt and sometimes repair the rules automatically.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: Hijacking. Manage the application.

Postby metal450 » Mon Dec 26, 2016 6:53 pm

>>Did you manage the firewall evidently during 1-2 mins before the prompt is shown?

I'm really not sure. That's what I'll keep an eye out for next time it happens :)

>>A recently installed software that may try to manage the underlying network security core (WindowsFilteringPlatform WFP, BFE service)

I've no other such software that I'm aware of

>>thinking about what kind of permissions are applied to the application in the prompt. What other app may not "like" it.

The app has its own zone that isn't applied to any other apps, so it doesn't seem like this could be related
metal450
 
Posts: 50
Joined: Tue Dec 20, 2016 6:19 pm

Re: Hijacking. Manage the application.

Postby VistaFirewallControl » Mon Dec 26, 2016 7:24 pm

>I've no other such software that I'm aware of

Any recently installed (just before you were started prompting with Hijacking)

There are 2 possibilities actually

- an internal WxFC problem. The probability is low, but…
The scenario is the following. You have managed WxFC zones/rules/permissions/import (i.e. any action you performed via the GUI evidently). The rules are updated following what you were doing and the rules were changed legally. But WxFC for some reason fails while checking the rules ownership and mistakenly treats changes made by itself as "foreign".
There are generally no background operations that can cause the rules changes.
There is just a small set of circumstances that may cause the rules background (automatic) changes. Network environment changes generally. For instance a network interface was down, but listed internally by WxFC. Then the adapter was switched on and got its IP address (WiFi for instance). WxFC may patch some rules accordingly in background to reflect the network environment changes.
All the rest rules changing possibilities may be caused by the evident (manual) manipulations with the GUI.

- the second possibility with a much higher probability is a third party that scans the underlying rules and tries to manage the rules on its own. WxFC detects that and reports accordingly.
“Manage the application” means _adding_ the rule(s) into the WxFC area from without for the application.

How the reported application is called?
Is there something well known in the name.
Who could “encroach” on the app permissions. Who would need the app enabled and thought it was disabled?

>The app has its own zone that isn't applied to any other apps,

What is the zone? Could it be disclosed?

If there is something to catch at.....
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
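
As an added illustration of the ownership check described in the post above (not WxFC's code and not part of the original thread): diffing two filter snapshots and classifying each change by provider. The snapshot format, GUIDs and filter keys are constructed, and using the WFP `providerKey` field as the ownership marker is an assumption about how such a check could work.

```python
import xml.etree.ElementTree as ET

# Constructed GUIDs: OWN stands in for the firewall product's own WFP provider,
# THIRD for some other provider. Neither is a real WxFC identifier.
OWN = "{11111111-1111-1111-1111-111111111111}"
THIRD = "{22222222-2222-2222-2222-222222222222}"

def item(key, name, provider, action):
    """Build one constructed <item>; tag names mirror WFP filter fields."""
    return (f"<item><filterKey>{key}</filterKey><name>{name}</name>"
            f"<providerKey>{provider}</providerKey><action>{action}</action></item>")

# Constructed snapshots taken before and after the unexplained change.
BEFORE = ("<filters>"
          + item("{a1}", "RadarController.exe permit", OWN, "FWP_ACTION_PERMIT")
          + item("{a2}", "RadarController.exe block", OWN, "FWP_ACTION_BLOCK")
          + "</filters>")
AFTER = ("<filters>"
         + item("{a1}", "RadarController.exe permit", OWN, "FWP_ACTION_PERMIT")
         + item("{a2}", "RadarController.exe block", OWN, "FWP_ACTION_PERMIT")
         + item("{b1}", "RadarController.exe permit", THIRD, "FWP_ACTION_PERMIT")
         + "</filters>")

def load(xml_text):
    """Map filterKey -> dict of the fields compared between snapshots."""
    out = {}
    for it in ET.fromstring(xml_text).iter("item"):
        rec = {child.tag: (child.text or "") for child in it}
        out[rec.pop("filterKey")] = rec
    return out

def diff(before_xml, after_xml, own_provider=OWN):
    """Return (kind, filterKey, owner) for every change between snapshots."""
    old, new = load(before_xml), load(after_xml)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            kind, rec = "added", new[key]
        elif key not in new:
            kind, rec = "removed", old[key]
        elif old[key] != new[key]:
            kind, rec = "altered", new[key]
        else:
            continue
        owner = "own" if rec["providerKey"] == own_provider else "foreign"
        changes.append((kind, key, owner))
    return changes

if __name__ == "__main__":
    for change in diff(BEFORE, AFTER):
        print(change)
```

The diff shows that a filter changed and which provider it is attributed to, not which process made the change, which matches the limitation described earlier in the thread.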

Re: Hijacking. Manage the application.

Postby metal450 » Mon Dec 26, 2016 7:44 pm

>>How the reported application is called?

RadarController.exe

>>What is the zone? Could it be disclosed?

AppUSRadar; it looks like this: http://screencast.com/t/Ju1lUd0fU. Just enables some maps services.

Anyway, I have been messing with the firewall rules constantly, as I'm still tinkering & getting things setup, so maybe it's the 'delay' issue you mentioned. It's only happened twice total, & I've been tinkering with rules constantly. So I'm not *overly* concerned about it quite yet, but can report it if it happens again... :)
metal450
 
Posts: 50
Joined: Tue Dec 20, 2016 6:19 pm

Re: Hijacking. Manage the application.

Postby VistaFirewallControl » Mon Dec 26, 2016 8:00 pm

The other rules are by-name as well?
Which ones?

So RadarController.exe is not running when you see Hijacking. Right?
Are there any other _running_ applications that may be "interested" in the same configured sites?
If there is a reasonable scenario we would like to reproduce.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: Hijacking. Manage the application.

Postby metal450 » Mon Dec 26, 2016 8:05 pm

>>The other rules are by-name as well?

All the rules are exclusively by-name. virtualearth.net, arcgisonline.com, google.com, googleapis.com.

>>So RadarController.exe is not running when you see Hijacking. Right?

Correct.

>>Are there any other _running_ applications that may be "interested" in the same configured sites?

I honestly can't recall exactly what I was doing. But Google is used by everything, so it's entirely possible some other program was using Google. i.e. a Chrome instance, Outlook (which talks to GMail), etc.
metal450
 
Posts: 50
Joined: Tue Dec 20, 2016 6:19 pm

Re: Hijacking. Manage the application.

Postby VistaFirewallControl » Mon Dec 26, 2016 8:08 pm

> so it's entirely possible some other program was using Google

and configured with a similar by-name rule?
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
