ExplorerZone

Post by Alice Springs » Wed May 31, 2017 7:19 pm

You might want to run some tests to see whether Windows Explorer attempts to contact any CRL or OCSP sites.
It attempts to contact both on my Windows 7 computer, on which sfc /verifyonly gives the result "Windows Resource Protection did not find any integrity violations."
Alice Springs
 
Posts: 43
Joined: Wed May 10, 2017 10:59 am

Re: ExplorerZone

Post by VistaFirewallControl » Thu Jun 01, 2017 9:42 am

Generally, file managers (including Explorer) may contact the related CAs to verify the code signature of applications to launch. It's a typical practice.
The decision whether to allow that access or to deny it is up to you.
Explorer (or another file manager) that is unable to contact the Certificate Revocation List (CRL) just can't verify whether the related certificate is revoked, but can still verify the program integrity using the existing certificate.
The integrity verification itself is a network-less operation.

Though, the Domain's CRL/OCSP rules overwrite the Explorer zone behavior, and in spite of the fact that the ExplorerZone's rules do not allow CRL/OCSP communication, the communication is allowed.

All the rules are manageable, obviously.
The final decision is up to you.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
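
An added example, not part of the forum posts: a PowerShell sketch that lists the CRL/OCSP endpoints named in a signed file's certificate and compares chain validation without and with revocation checking. The script and its `$Path` parameter are assumptions made for illustration; it uses only standard .NET `X509Chain` calls and does not touch the firewall product.

```powershell
# Added example. Pass the path of any Authenticode-signed executable.
param([Parameter(Mandatory=$true)][string]$Path)

$sig  = Get-AuthenticodeSignature -FilePath $Path
$cert = $sig.SignerCertificate
if (-not $cert) {
    # Catalog-signed or unsigned files may carry no embedded signer certificate.
    "No embedded signer certificate (status: $($sig.Status))"
    return
}
"Signature status: $($sig.Status)"
"Signer: $($cert.Subject)"

# Extensions that tell a verifier where revocation data lives:
#   2.5.29.31          CRL Distribution Points
#   1.3.6.1.5.5.7.1.1  Authority Information Access (OCSP responder, CA issuers)
$wanted = @{
    '2.5.29.31'         = 'CRL Distribution Points'
    '1.3.6.1.5.5.7.1.1' = 'Authority Information Access'
}
foreach ($ext in $cert.Extensions) {
    if ($wanted.ContainsKey($ext.Oid.Value)) {
        "--- $($wanted[$ext.Oid.Value]) ---"
        $ext.Format($true)   # decoded, multi-line view including the URLs
    }
}

# Build the chain twice: once with no revocation check, once with an online check.
# If the firewall blocks the CRL/OCSP hosts, the Online run is expected to report
# RevocationStatusUnknown / OfflineRevocation, while the signature itself is unaffected.
# Note: this does not evaluate timestamp countersignatures, so an expired
# signing certificate shows NotTimeValid in both runs.
foreach ($mode in 'NoCheck', 'Online') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = $mode
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 10
    $ok     = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    "RevocationMode={0}  chainValid={1}  status={2}" -f $mode, $ok, $status
}
```

The hosts printed from the two extensions are the ones to look for in the firewall's events pane when deciding whether to allow or deny them.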

Re: ExplorerZone

Post by Alice Springs » Thu Jun 01, 2017 11:19 am

Thank you for your explanation. If I understand you correctly, even though the events pane shows the attempts at crl and ocsp communication with red arrows, crl and ocsp communication is allowed because of the Domain's rules. Is this right?
Alice Springs
 
Posts: 43
Joined: Wed May 10, 2017 10:59 am

Re: ExplorerZone

Post by VistaFirewallControl » Thu Jun 01, 2017 11:24 am

The events pane shows the blocking zone/rule as well.
What is the zone/rule?
It should not be magic.
The blocked reason is specified evidently, so the blocking rule should be determined and reconsidered promptly.
Need assistance?
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: ExplorerZone

Post by Alice Springs » Thu Jun 01, 2017 11:48 am

I have since reset the panel, so I can't determine the blocking reason. If this happens again I will be sure to note down what the blocking reason is and proceed from there.
Alice Springs
 
Posts: 43
Joined: Wed May 10, 2017 10:59 am

Re: ExplorerZone

Post by VistaFirewallControl » Thu Jun 01, 2017 12:07 pm

If you reset all the settings, the domain rules will be reset as well (the domain list will be empty).
So no CRL/OCSP enabling via domains is possible after a reset by default.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am

Re: ExplorerZone

Post by Alice Springs » Thu Jun 01, 2017 12:25 pm

I only reset the results pane, nothing else. CRL and OCSP are still enabled via domains.
Alice Springs
 
Posts: 43
Joined: Wed May 10, 2017 10:59 am

Re: ExplorerZone

Post by VistaFirewallControl » Thu Jun 01, 2017 12:34 pm

Thank you for the clarification.
VistaFirewallControl
Site Admin
 
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
