
Traffic seems to be processed by an AV hook, without reason.

Postby David1990 » Wed Mar 08, 2017 5:58 am

Hi to all.
I read all relevant threads here and the FAQs before posting here. I understand completely, as it is explained, the whole story behind the "Check AV hook" concept. But...

I just built a brand new PC and I installed Windows 7 64bit SP1 Enterprise because I can't tolerate Win10 telemetry and user experience. Mind that my system is still in "virgin" state, with a very limited range of software installed, and I haven't connected it to the Internet yet.
I'm in the process of disabling services and Task Scheduler events before I connect it to the Web (privacy is one of my main concerns), and I was searching for a firewall solution to manage traffic.

I haven't installed any kind of antivirus or malware protection, yet the few programs that I ran and that tried to "update" themselves, the "Host Process for Windows Services", "System" and ALL (less than 10 for now) applications give me this warning after I press the "Check AV hook" button: (I took the screenshot from another post, but it is exactly the same.)

[screenshot]

What process can possibly be hooked into all the applications (the few) and the system?
I just installed a genuine copy of Win7/64 and I get that warning without any software but MS Office, Adobe's Photoshop and Acrobat Pro.

I keep disabling "diagnostic" services of Microsoft that might be an invasion of my privacy.
I tried killing every process in the Task Manager and pressing the button, but I got the same "....worldwide" response. Except that at some point I got a small message that I can't remember exactly. Something like "Can't find IE" or so. (By the way, Win7 came with IE 8.0, if that matters.) I also killed the NVIDIA Experience panel (which by the way comes back after a few seconds).

What else might be causing this "The application's traffic is processed by AV online protection" behavior?
David1990
 
Posts: 1
Joined: Wed Mar 08, 2017 5:25 am

Re: Traffic seems to be processed by an AV hook, without reason.

Postby PietO » Wed Mar 08, 2017 5:52 pm

David, indeed it looks like the AV check does not give fully consistent results in the latest builds (I cross-checked on Win7 and Win10 64 bit). A reply from Sphinx will surely follow.

For disabling scheduled tasks, event logs, services, apps and settings, simple batch files can be made, e.g.
-------------------------------------------------------
@ECHO OFF
REM Dump the names of all event logs, then open the list in NOTEPAD so the
REM lines for logs that must stay enabled can be deleted before the loop runs.
WEVTUTIL EL > .\Eventlogs.txt
echo ******************************************************
echo NOTEPAD is started to select Eventlogs, Disable will fail on
echo.
echo - Applications / Security / Setup / System
echo - HardwareEvents / Internet Explorer / KMS service / Powershell
echo.
echo *******************************************************
NOTEPAD .\Eventlogs.txt
Pause
REM "tokens=*" keeps the whole line, so log names containing spaces stay intact.
for /f "tokens=*" %%a in (.\Eventlogs.txt) do (
echo disabling and cleaning EventLog: "%%a"
REM /enabled:false switches the log off, /ms caps its size at 1 MB, CL clears it.
WEVTUTIL SL "%%a" /enabled:false /ms:1048576
WEVTUTIL CL "%%a"
)
Echo ***
Echo *** EventFiles could be deleted after restart C:\Windows\System32\WinEvt\Logs\*.*
Echo ***
pause
------------------------------------------------------------------------------------------------------------------------
@echo off
setlocal enableextensions disabledelayedexpansion
REM Keep an XML export of every task definition as a backup before changing anything.
schtasks /query /XML one > .\ScheduledTasks.xml
REM List the tasks as header-less CSV so the task path is the first field, keep
REM only the ones under \Microsoft\, and disable each of them. %%~a strips the
REM quotes that the CSV output puts around the task path.
for /f "tokens=1 delims=," %%a in ('schtasks /query /fo csv /nh ^| find "\Microsoft\"') do (
echo disable task: %%~a
schtasks /change /tn "%%~a" /Disable >nul
rem timeout /t 1 >nul
)
Echo ***
Echo *** done
Echo ***
pause
--------------------------------------------------------------
etc. There are many examples on the internet, but the above, and the like, may save a lot of time configuring a virgin Windows.
PietO
 
Posts: 192
Joined: Wed Mar 02, 2011 12:09 pm

Re: Traffic seems to be processed by an AV hook, without reason.

Postby VistaFirewallControl » Wed Mar 08, 2017 6:04 pm

>I just built a brand new PC and I installed Windows 7 64bit SP1 Enterprise because I can't tolerate Win10 telemetry and user experience.

Win10 telemetry can be successfully blocked with the firewall.
V8 gives perfect granularity for that. Just FYI.


>What process can possibly be hooked into all the applications (the few) and the system?

It's AV (if any) dependent. Typically it's a side effect of an AV's online traffic monitoring.
Generally it's linked to web and e-mail related protocols only; it's not a must however.
Anyway the "processing" is determined by the AV implementation solely.
So the range starts from selected (most popular) browsers and ends at all processes under the online traffic monitoring. The hooks can be set by AVs; WxFC just tries to determine the hooks' presence by using an IE related component as the most popular entity for possible online monitoring.

>What else might be causing this "The application's traffic is processed by AV online protection" behavior?


Most probably it's a false alarm.
Actually there was a bug fixed a while ago.
What version have you installed?
Please try the latest version. The additional information will be sent via PM.

The real hooking can be verified easily.
Please set LanOnly to a browser and navigate the browser to a remote (not in LAN) new (not cached by the browser yet) site.
If the browser accesses the remote site under LanOnly, the traffic is hooked. (VPN may affect the process however.)
If the access attempt fails, the traffic is not hooked.

The CheckAV implementation is nearly the same but automated.
It runs a windowless instance of IE, disables it worldwide with a zone similar to LanOnly, navigates it to a remote site and checks the access result. So the checking is actually IE dependent.
VistaFirewallControl
Site Admin
 
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am
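The manual LanOnly test and the "which hook could it be" question above, as an added PowerShell example that is not part of this thread and not WxFC's own code. Test-RemoteReach drives a windowless IE through COM the way the admin describes CheckAV working: it assumes you have already put iexplore.exe into a LanOnly zone in the firewall (the COM call starts a separate iexplore.exe process, so that is the process the zone must cover) and uses http://example.com/ only as a placeholder for any site outside your LAN. Get-SuspectWinsockProviders goes a step beyond the thread and lists one class of traffic hook, Winsock layered service providers, from the Winsock catalog; the res://ieframe.dll error-page convention and the System32 path heuristic are assumptions stated in the comments.

```powershell
# Added example, not from this thread and not WxFC's own code.
# Assumption for Test-RemoteReach: iexplore.exe is already in a LanOnly zone.

function Test-RemoteReach {
    param(
        [string]$Url = 'http://example.com/',  # assumption: any site outside your LAN
        [int]$TimeoutSec = 30
    )
    # Unique query string: a "reached" result must come from a fresh fetch,
    # never from the browser cache (the admin's "not cached yet" condition).
    $target = $Url + '?nocache=' + [guid]::NewGuid().ToString('N')

    $ie = New-Object -ComObject InternetExplorer.Application
    try {
        $ie.Visible = $false
        # BrowserNavConstants: navNoReadFromCache (4) + navNoWriteToCache (8)
        $ie.Navigate2($target, 12)
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        # 4 = READYSTATE_COMPLETE
        while (($ie.Busy -or $ie.ReadyState -ne 4) -and (Get-Date) -lt $deadline) {
            Start-Sleep -Milliseconds 250
        }
        $completed = ($ie.ReadyState -eq 4)
        $final = [string]$ie.LocationURL
    }
    finally {
        $ie.Quit()
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($ie)
    }

    # Assumption: IE renders its own navigation-error pages (dnserror.htm etc.)
    # from the res://ieframe.dll resource URL, so a final URL that still points
    # at the remote host means the request actually left the machine.
    $reached = $completed -and ($final -like 'http*') -and -not ($final -like 'res://*')
    [pscustomobject]@{
        Requested = $target
        FinalUrl  = $final
        Reached   = $reached
        Verdict   = if ($reached) { 'remote site reached under LanOnly: traffic is hooked' }
                    else { 'remote site not reached: no hook seen' }
    }
}

function Get-SuspectWinsockProviders {
    # Parse "netsh winsock show catalog" into one hashtable per catalog entry.
    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($null -ne $current) { $entries.Add($current) }
            $current = @{}
        }
        elseif ($null -ne $current -and $line -match '^\s*([^:]+?):\s+(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($null -ne $current) { $entries.Add($current) }

    # Heuristic (assumption): an LSP entry, or a provider DLL living outside
    # System32, is worth a look; a third-party AV hook would appear that way.
    $sys32 = Join-Path $env:SystemRoot 'system32'
    foreach ($e in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables([string]$e['Provider Path'])
        $isLsp = ($e['Entry Type'] -like '*Layered*')
        $outsideSys32 = ($path -ne '') -and -not ($path -like "$sys32\*")
        if ($isLsp -or $outsideSys32) {
            [pscustomobject]@{
                EntryType   = $e['Entry Type']
                Description = $e['Description']
                Path        = $path
                Reason      = if ($isLsp) { 'layered service provider' } else { 'provider outside System32' }
            }
        }
    }
}

# Usage: run the catalog listing first (it changes nothing), then apply LanOnly
# to iexplore.exe in the firewall and run the reach test.
Get-SuspectWinsockProviders | Format-Table -AutoSize
Test-RemoteReach
```

Get-SuspectWinsockProviders only sees hooks registered in the Winsock catalog; an AV that intercepts traffic with a WFP callout driver instead will show up only in the reach test (netsh wfp show state writes the WFP providers and callouts to wfpstate.xml for manual inspection). As the admin notes, a VPN can skew the reach test, because the tunnel endpoint may look like LAN traffic to the firewall.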

