Activity being reported on real-time blocking after the application has been closed on the target


VeeDub
Posts: 18
Joined: Tue May 01, 2012 11:42 pm

Post by VeeDub » Tue May 01, 2012 11:51 pm

Hello,

I am testing out the blocking feature.

I was running emule on my computer and WFilter correctly detected this activity and blocked it as per the policy settings.

I then closed emule on my computer; however, the online blocking is continuing to report that emule activity is being detected and blocked (but emule is not running, so this cannot be correct).

This looks like a bug, or I have stuffed up the configuration somewhere.

Would appreciate advice on how to troubleshoot.

Thanks

VW

gengw2000
Posts: 281
Joined: Mon Sep 07, 2009 11:11 pm

Post by gengw2000 » Wed May 02, 2012 2:16 am

There are two possibilities:

1. Even if you have exited the emule desktop application, it can still have background processes running for uploading/downloading. Please run "Windows Task Manager" to check your processes.

2. Some P2P programs support both UDP and TCP traffic. TCP connections will be terminated when the application is shut down. However, UDP traffic is connectionless; remote peers will keep pushing UDP traffic even when the application is closed. This will happen for a while (several minutes) until all remote peers get "target not available" responses.
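
Added example, not part of the original posts: one way to tell the two possibilities above apart from a packet capture is to check, per remote peer, whether the host itself still sends UDP after the application was closed or only receives it. The packet records, addresses, UDP port 4672 and the close time are constructed sample values, and `classify_udp_peers` is a hypothetical helper name.

```python
from collections import defaultdict

# Constructed sample: (seconds, proto, src_ip, src_port, dst_ip, dst_port).
# 192.168.1.10 is the monitored host, UDP 4672 its assumed P2P port, and the
# application was closed at t=100. Remote addresses are documentation ranges.
HOST, CLOSED_AT = "192.168.1.10", 100
PACKETS = [
    (10,  "udp", HOST, 4672, "198.51.100.7", 4672),
    (12,  "udp", "198.51.100.7", 4672, HOST, 4672),
    (40,  "udp", HOST, 4672, "203.0.113.9", 5000),
    (130, "udp", "198.51.100.7", 4672, HOST, 4672),  # peer retry, no reply
    (190, "udp", "198.51.100.7", 4672, HOST, 4672),
    (150, "udp", "203.0.113.9", 5000, HOST, 4672),
    (160, "udp", HOST, 4672, "203.0.113.9", 5000),   # host still answering
    (170, "tcp", HOST, 50000, "192.0.2.1", 443),     # ignored: not UDP
]

def classify_udp_peers(packets, host, closed_at):
    """Label each remote UDP peer seen at or after `closed_at`.

    'residual': the peer keeps sending but the host never transmits to it,
                consistent with remote peers retrying a closed application.
    'active':   the host still sends UDP to the peer, so a local process
                is still talking.
    Returns {peer_ip: (status, seconds_from_close_to_last_packet)}.
    """
    inbound, outbound = defaultdict(list), defaultdict(list)
    for ts, proto, src, _sport, dst, _dport in packets:
        if proto != "udp" or ts < closed_at:
            continue
        if dst == host:
            inbound[src].append(ts)
        elif src == host:
            outbound[dst].append(ts)
    report = {}
    for peer in set(inbound) | set(outbound):
        status = "active" if outbound[peer] else "residual"
        last_seen = max(inbound[peer] + outbound[peer])
        report[peer] = (status, last_seen - closed_at)
    return report

if __name__ == "__main__":
    result = classify_udp_peers(PACKETS, HOST, CLOSED_AT)
    for peer, (status, age) in sorted(result.items()):
        print(f"{peer:15} {status:8} last packet {age}s after close")
```

Peers labelled residual should stop appearing within the several minutes described in the post; an active peer points back to the first possibility, a process that is still running.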

Post by VeeDub » Wed May 02, 2012 2:22 am

gengw2000 wrote: There are two possibilities:

1. Even if you have exited the emule desktop application, it can still have background processes running for uploading/downloading. Please run "Windows Task Manager" to check your processes.

I checked that at the time, definitely not the case.

2. Some P2P programs support both UDP and TCP traffic. TCP connections will be terminated when the application is shut down. However, UDP traffic is connectionless; remote peers will keep pushing UDP traffic even when the application is closed. This will happen for a while (several minutes) until all remote peers get "target not available" responses.

This must be the case then.

Thanks for the clarification. I found those entries in the WFilter logs disconcerting.

Post by VeeDub » Wed May 02, 2012 2:34 am

Actually, I think there is a third possibility.

It looks to me as if TeamViewer (TeamViewer 7) is being identified as Edonkey,Emule and that's why I had all those entries in the logs after I had closed Emule.

Every time I switch from the Default blocking policy to High on my computer, TeamViewer stops working and I get Edonkey,Emule entries in the Real-time blocking log.

I don't want to block TeamViewer, but I do want to block unknown.


Post by gengw2000 » Wed May 02, 2012 3:26 am

If you have edonkey/emule running, WFilter will over-block some unknown traffic.

To avoid blocking TeamViewer, please add the TeamViewer protocol to "Customize Protocols" in WFilter. Then it will not be over-blocked.

Check this blog topic: http://blog.imfirewall.us/How+To+Block+TeamViewer+On+My+Network+Using+WFilter.aspx

Post by VeeDub » Wed May 02, 2012 6:33 am

gengw2000 wrote: If you have edonkey/emule running, WFilter will over-block some unknown traffic.

To avoid blocking TeamViewer, please add the TeamViewer protocol to "Customize Protocols" in WFilter. Then it will not be over-blocked.

Check this blog topic: http://blog.imfirewall.us/How+To+Block+TeamViewer+On+My+Network+Using+WFilter.aspx

I made the suggested change and initially it appeared to work.

However, I recently enabled the High filtering to do some more testing of the HTTPS, and TeamViewer stopped working. Once I returned to the Default policy, TeamViewer resumed working. So there is more to this.

Post by gengw2000 » Wed May 02, 2012 7:10 am

You need to check "Real-time blocking" to get the blocking reason. Then modify your blocking policy to make it work.

Post by VeeDub » Wed May 02, 2012 7:35 am

It's reported as unknown (and I'm blocking unknown). So presumably I need Wireshark to run a trace. Are the instructions self-explanatory, or is there a procedure that you would prefer me to follow?

Post by VeeDub » Thu May 03, 2012 3:41 am

I've installed Wireshark. To obtain details on the 'unknown' traffic being reported by WFilter, should I just run a trace and send it to you?

Or are there some filters that I can apply?

Is it possible for me to do some of the analysis?

I ran a trace on the internal NIC for 1 minute and the size of the capture file is 800K.

