
What are MSOffline zones?

Re: What are MSOffline zones?

Postby sp4096 » Sun Jul 16, 2017 8:05 pm

Re: "2017:07:03|22:50:11|Allowed|1
where taskhostw was listed by path (C:\windows\system32\taskhostw.exe), not by name (Host Process for Windows Tasks);
That means the firewall was not able to find listed taskhostw.
Otherwise the listed name would be used instead of full path."
Good catch. I didn't notice it, and wouldn't know the meaning anyway :)

Re:"Taking into account you insist you did not delete the item"
Really. No, no delete, no apply, nothing ... unless you or I find something, I'll continue to so insist.

Re:"What could be useful in that case is the event of 2017:07:03|22:50:11|Allowed|1|IPv4 TCP .... taskhostw..... in the Security Events log.
It may show the inconsistency in the WFP audit."
and
Re: "May be just there is a sense to investigate the event.
Please export the events from Security Events log, try to find the event and please send it to us in the hope we will be able to find something to catch at."
Not sure it's worth pursuing in your busy time.
But, since event logs rolled over, I went into my images.
Wow, I've never been here. Amazing lists of 306 .evtx files in system32/winevt/logs.
- Full image starts July 1, end July 6 before the MSOffline thingie so it includes the July 3 event you noticed and perhaps will reveal the reason.
- Differential starts July 6 just before MSOffline, ends July 11 so it includes July 6 event which happened soon after boot.
I'll send you both pulled Security files. Snapin reads them ok. They're big, but I'm not extracting anything. You can filter by date and/or event 5157. Often something around might show up.

QUESTION: what zone should taskhostw be? I'm toying with an idea of scrapping all my rules carried over since 7.5 and letting Sphinx setup the many newer defaults which you described earlier.
sp4096
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am
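As an added example of the export-and-filter step discussed above (this is not code from the thread or from the firewall project), the following PowerShell pulls the WFP connection-audit events for one executable out of an exported Security .evtx and prints every timestamp in UTC, so the access.log time and the event-log time can be compared without the time-zone confusion that came up here. Assumptions: the file name Security-full.evtx and the time window in the usage line are placeholders; Get-WinEvent and the event layout are standard Windows, where 5156 is a connection WFP permitted and 5157 one it blocked.

```powershell
function Get-WfpEventsForProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $EvtxPath,       # exported log, e.g. .\Security-full.evtx (placeholder)
        [Parameter(Mandatory)] [string] $ImageName,      # leaf name of the executable, e.g. taskhostw.exe
        [Parameter(Mandatory)] [DateTimeOffset] $Start,  # explicit offset, so the zone is never ambiguous
        [Parameter(Mandatory)] [DateTimeOffset] $End,
        [int[]] $EventId = @(5156, 5157)                 # 5156 = WFP permitted, 5157 = WFP blocked
    )

    # Get-WinEvent compares StartTime/EndTime against local time, so convert the offsets explicitly.
    $filter = @{
        Path      = $EvtxPath
        Id        = $EventId
        StartTime = $Start.LocalDateTime
        EndTime   = $End.LocalDateTime
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML rather than trusting property order.
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Application is logged as a device path (\device\harddiskvolumeN\...\taskhostw.exe), so match the leaf.
        if ($data['Application'] -like "*\$ImageName") {
            [pscustomobject]@{
                TimeUtc     = $_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
                EventId     = $_.Id
                Application = $data['Application']
                Direction   = $data['Direction']   # raw resource ids: %%14592 inbound, %%14593 outbound
                Remote      = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
                Protocol    = $data['Protocol']    # IANA protocol number: 6 = TCP, 17 = UDP
            }
        }
    }
}

# Usage (placeholder file name and window; use the offset that access.log was written in):
Get-WfpEventsForProcess -EvtxPath '.\Security-full.evtx' -ImageName 'taskhostw.exe' `
    -Start '2017-07-03T22:45:00+00:00' -End '2017-07-03T22:55:00+00:00' |
    Format-Table -AutoSize
```

Giving the window as DateTimeOffset values forces whoever runs the query to state the zone the access.log times are in, and printing TimeCreated in UTC removes the second conversion from the comparison. Narrowing on Id and the time window inside the FilterHashtable keeps the query usable on a multi-gigabyte export, since only the matching records are parsed.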

Re: What are MSOffline zones?

Postby VistaFirewallControl » Mon Jul 17, 2017 12:10 pm

The event was finally found, in spite of different time zones being used in the access.log and Security-full.evtx, but nothing suspicious was found in the event.
Should repeat, the Events infrastructure is not documented, so the events may be processed differently for the viewer and for the binary subscription form WxFC uses (some related problems in the native infrastructure are known).
All in all, unfortunately, there is nothing to catch at.... beyond a way to reproduce under WxFC logging.

>Wow, I've never been here. Amazing lists of 306 .evtx files in system32/winevt/logs.

Yes, WFP auditing produces huge output. You may want to switch the auditing off by unchecking Settings/DisableAllowed. All allowed events will be ignored though.


>QUESTION: what zone should taskhostw be?

MSOffline is offered. We were unable to find any vital activity in the communication.
I.e. following our experiments there were no visible negative consequences of blocking taskhostw. Obviously this is just a suggestion; we did not investigate all the possible scenarios.
There are a lot of similar CRL requests made by taskhostw and other applications.
Certificate revocations are generally rare....
Moreover, taking into account how the code sign verification is practically implemented, CRL checking is practically senseless for background operations such as taskhostw.
You may find the code signing practice curious.
Although code signing is supposed to be good practice, the realization is "funny".
The signature itself is definitely verified, just to show you a message box "program is developed by".
So a program's origin is typically verified well.
But another important purpose of code signing is code integrity.
The integrity checking is generally ignored, however. The reason is obvious: too many resources are required for that.
We made an experiment: we got a signed program and, using a hex editor, altered a significant part of the program to make it inconsistent. We did not care about the program's operability at that moment; we just tried to verify how the integrity checking works.
We expected an alert while trying to launch the program, but no alert was shown. The program just started normally.
As it appeared, in order to use the integrity checks, there is a need to tweak the registry (the default state is off), and ONLY after that will the related events be written into the Event log.
So you can find an integrity problem only if you search for it individually.....
Taking into account the above, you can decide yourself whether CRL could be worth allowing.

>I'm toying with an idea of scrapping all my rules carried over since 7.5 and letting Sphinx setup the many newer defaults which you described earlier.

Revising the permissions is reasonable.
VistaFirewallControl
Site Admin
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am
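The post above says integrity problems only turn up if you search for them individually. As an added example (not the firewall's code and not the experiment described in the post), the following PowerShell is that individual search done on demand: Get-AuthenticodeSignature recomputes the file hash and compares it with the embedded signature, so a signed binary that was altered after signing reports HashMismatch even though Windows starts it without complaint. The function and its parameter names are this example's own; the cmdlet and its Status values are standard PowerShell.

```powershell
function Test-SignedImageIntegrity {
    [CmdletBinding()]
    param(
        # accepts plain paths or the objects Get-ChildItem emits (FullName is mapped to Path)
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]] $Path,
        [switch] $ProblemsOnly   # report only files whose signature is missing, untrusted or mismatched
    )
    process {
        foreach ($p in $Path) {
            $sig = Get-AuthenticodeSignature -FilePath $p
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            $report = [pscustomobject]@{
                Path     = $p
                Status   = $sig.Status                       # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer   = $signer
                Tampered = ($sig.Status -eq 'HashMismatch')  # signature present, but the file no longer hashes to it
            }
            if (-not $ProblemsOnly -or $sig.Status -ne 'Valid') { $report }
        }
    }
}

# Usage: audit every executable in System32 and list only the problems.
Get-ChildItem 'C:\Windows\System32\*.exe' | Test-SignedImageIntegrity -ProblemsOnly | Format-Table -AutoSize
```

Two caveats for reading the output. NotSigned is not necessarily a clean result: many Windows binaries are signed through a catalog rather than an embedded signature, and a catalog-signed file that no longer matches any installed catalog typically shows as NotSigned rather than HashMismatch, so on OS files an unexpected NotSigned deserves the same attention as a mismatch. And, as the post notes, none of this runs at launch; the check is only as good as how often it is scheduled and whether its results are compared against a known-good baseline.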

Re: What are MSOffline zones?

Postby sp4096 » Tue Jul 18, 2017 1:15 am

Even though it goes to the mystery bucket, which in this instance contributed nothing to this nice firewall, your theories and explanations are very useful to me.
I'm sorry about making you wade through so many wrong timezone logs over the weekend. I hope you get a reward for it :) Apologies for not telling you the time zone.

For integrity, a good antiexecutable, antiexploit or a solid old fashioned HIPS is likely the only watch worth using. Was simple to do in XP. Nothing is simple with the constantly chatting with the web Win10.

If I do start from scratch, I'm thinking what might be useful on the Zones tab would be an indication that it is a new Sphinx provided rule + date. Just for the new ones, not for any that the user changed. Ditto on Domains.
sp4096
Posts: 111
Joined: Tue Apr 26, 2016 2:57 am

Re: What are MSOffline zones?

Postby VistaFirewallControl » Tue Jul 18, 2017 1:10 pm

>If I do start from scratch, I'm thinking what might be useful on the Zones tab would be an indication that it is a new Sphinx provided rule + date. Just for the new ones, not for any that the user changed. Ditto on Domains.

The update for the defaults is smart and can be easily detected.
If a new (updated) zone/domain does not exist (checked by name), the entity is just added to the repository.
If it already exists (and is different), the firewall renames the existing entity, adding a (prev) suffix, and then adds the new entry.
So newly appeared zones are the new zones (they will be offered on detection hereafter).
A (prev) zone's presence means the same (by name) entity was updated and the previous (potentially customized) one is saved.
VistaFirewallControl
Site Admin
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am

Re: What are MSOffline zones?

Postby VistaFirewallControl » Tue Jul 18, 2017 1:36 pm

BTW you may want to just add a timestamp to the zones/domains titles.
VistaFirewallControl
Site Admin
Posts: 1493
Joined: Fri Mar 27, 2009 11:25 am
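As an added illustration of the update rule the admin describes two posts up, and of the detection it makes possible, the PowerShell below models a zones/domains repository as a hashtable of title to definition and applies the rule: an unknown name is added, a known name with a changed definition has its old copy kept under a "(prev)" suffix before the new one is taken, and an identical entry is left alone. A second function answers the original question ("which entries are new or updated?") after the fact by looking for the (prev) markers, and the change log carries the update date, which is the timestamp the later post suggests recording. This is example code, not the firewall's implementation; the sample zone definitions are constructed strings, not real rules, and how the product stores its repository is not known here.

```powershell
function Update-ZoneRepository {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Repository,  # installed zones/domains: title -> definition
        [Parameter(Mandatory)] [hashtable] $Defaults,    # defaults shipped by the update: name -> definition
        [string] $Date = (Get-Date -Format 'yyyy-MM-dd') # recorded in the change log for each entry touched
    )
    foreach ($name in @($Defaults.Keys)) {
        $new = $Defaults[$name]
        if (-not $Repository.ContainsKey($name)) {
            # unknown name: the entity is simply added and will be offered on detection from now on
            $Repository[$name] = $new
            [pscustomobject]@{ Name = $name; Action = 'added'; Saved = $null; Date = $Date }
        }
        elseif ($Repository[$name] -ne $new) {
            # same name, different definition: keep the (possibly customized) old copy as "<name> (prev)"
            # (in this model a second update of the same name overwrites an earlier (prev) copy)
            $prev = "$name (prev)"
            $Repository[$prev] = $Repository[$name]
            $Repository[$name] = $new
            [pscustomobject]@{ Name = $name; Action = 'updated'; Saved = $prev; Date = $Date }
        }
        else {
            [pscustomobject]@{ Name = $name; Action = 'unchanged'; Saved = $null; Date = $null }
        }
    }
}

function Get-UpdatedZones {
    # Detect updates after the fact: every "<name> (prev)" title marks a name whose definition was replaced.
    param([Parameter(Mandatory)] [hashtable] $Repository)
    foreach ($title in @($Repository.Keys)) {
        if ($title -match '^(?<name>.+) \(prev\)$' -and $Repository.ContainsKey($Matches.name)) {
            [pscustomobject]@{
                Name     = $Matches.name
                Previous = $Repository[$title]
                Current  = $Repository[$Matches.name]
            }
        }
    }
}

# Constructed sample data (illustrative definitions only).
$repo = @{
    'MSOffline' = 'block'
    'DNS'       = 'allow udp 53 (customized by the user)'
}
$defaults = @{
    'MSOffline' = 'block'                  # identical -> unchanged
    'DNS'       = 'allow udp 53, tcp 53'   # changed  -> old copy saved as 'DNS (prev)'
    'CRL'       = 'allow tcp 80'           # unknown  -> added
}

Update-ZoneRepository -Repository $repo -Defaults $defaults | Format-Table -AutoSize
Get-UpdatedZones -Repository $repo | Format-Table -AutoSize
```

With the sample data the change log shows MSOffline unchanged, DNS updated with its old definition saved as "DNS (prev)", and CRL added; Get-UpdatedZones then reports DNS with both the previous and the current definition. The (prev) entries are never in the shipped defaults, so later updates leave them untouched, which is what makes them usable as a marker.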
