What is Disable Allowed Events in editing application?

Postby sp4096 » Thu Dec 08, 2016 4:12 am

On the Edit application panel are two checkboxes which confuse me:
Disable in Events and Log file and
Disable Allowed events.
I understand the first one. The second one is a puzzle to me.
sp4096
 
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: What is Disable Allowed Events in editing application?

Postby VistaFirewallControl » Thu Dec 08, 2016 9:04 am

Allowed events can be massive if a widely enabled zone is applied to an application (EnableAll or WebBrowserZone, for instance).
Obviously, if a widely enabled zone is applied by you, evidently you hardly need to check those events, and the events processing would just take redundant resources.
The checkbox is intended to (literally) Disable Allowed events for the application.
VistaFirewallControl
Site Admin
 
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am

Re: What is Disable Allowed Events in editing application?

Postby sp4096 » Sat Dec 10, 2016 3:52 am

So Disable Allowed Events sounds to me like a whitelisted program and Sphinx doesn't look at it, correct?
It does not mean that you disable the process' communication (which is how I interpreted it initially), since things run fine with that box checked.

Thanks for your answer. It explains why I had some trouble following pings, which worked, but I had to uncheck Disable allowed to see it on the events panel.
Of course, like you said, it then logged enormous amounts of packets since ping is under SYSTEM.
I may, some day, make a ping zone, just not yet sure if I can disassociate ping and tracert from System. Low priority :)
sp4096
 
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: What is Disable Allowed Events in editing application?

Postby PietO » Sat Dec 10, 2016 10:29 am

sp4096 wrote: So Disable Allowed Events sounds to me like a whitelisted program and Sphinx doesn't look at it, correct?


Whitelisted?? Don't get your question. As far as the allowed / blocking firewall rules functionality is concerned, there is no difference if "disable allowed events" is checked or not; it's just impacting the reporting. Thus for me: if a zone is not under investigation / construction the allowed event reporting is "off" for busy zones like webbrowsing.


sp4096 wrote: Of course, like you said, it then logged enormous amounts of packets since ping is under SYSTEM

No pings at all in my machines and Zone "local System" may have reporting of allowed events active. Thus are these pings generated by some security mechanism on your local network you created yourself?
PietO
 
Posts: 192
Joined: Wed Mar 02, 2011 12:09 pm

Re: What is Disable Allowed Events in editing application?

Postby sp4096 » Sat Dec 10, 2016 4:27 pm

@PietO,
Re: "As far as the allowed / blocking firewall rules functionality is concerned, there is no difference if "disable allowed events" is checked or not; it's just impacting the reporting."
It looks like I'm back to my original question in the first post. What's the difference between those two checkboxes? What's the point of the Disable Allowed checkbox when I can do it in the Enable/disable logging checkbox above?

Re: "Thus are these pings generated by some security mechanism on your local network you created yourself?"
Pings: I was testing stuff and I was doing pings between 2-3 computers and just wanted to see it in the events panel.

Edit:
Uncheck Disable in "Event" and LogFile
-- Check   Disable "Allowed" Events - works, No log
-- Uncheck Disable "Allowed Events" - works, No log

Check Disable in "Event" and LogFile
-- Check   Disable "Allowed" Events - works, No log
-- Uncheck Disable "Allowed Events" - works, enormous log
sp4096
 
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: What is Disable Allowed Events in editing application?

Postby PietO » Sat Dec 10, 2016 10:11 pm

sp4096 wrote: It looks like I'm back to my original question in the first post. What's the difference between those two checkboxes? What's the point of the Disable Allowed checkbox when I can do it in the Enable/disable logging checkbox above.

Quite simple to my current understanding (possibly wrong):

Disable in "Events" and Logfile: concerns the reporting of allowed AND blocked events.
Disable "Allowed" events: concerns only the reporting of allowed events (thus a subset of the above; if the first one is checked, no need for the second).

To elaborate a bit on this: at a lower level, in the Windows Security event log, the generation of the related events:
5156 - permitted connection
5157 - blocked connection
5158 - permitted bind
is unfortunately not impacted by the checkboxes. As far as I can recall, the allowed event generation can only be switched off globally (registry setting) and not individually per program. Thus don't look at the massive security event log (on RAM disk for me).
PietO
 
Posts: 192
Joined: Wed Mar 02, 2011 12:09 pm

Re: What is Disable Allowed Events in editing application?

Postby VistaFirewallControl » Mon Dec 12, 2016 11:45 am

>So Disable Allowed Events sounds to me like a whitelisted program and Sphinx doesn't look at it, correct?

It’s not correct?
The check does not manage application permissions.
It manages the firewall event displaying options.

>if I can disassociate ping and tracert from System.

Via differentiating ICMP “ports” (actually ICMP types) probably.
VistaFirewallControl
Site Admin
 
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am

