Why firewall messages are sometimes so vague

Giganews Newsgroups
Subject: Why firewall messages are sometimes so vague
Posted by:  AndyHancock (AndyMHanco…@gmail.com)
Date: Sat, 19 Apr 2008

After much web searching, it seems that anyone who has used older
firewalls (e.g. Kerio, Sygate) will have been annoyed by messages like
"Generic Host Process for Win32 Services from your computer wants to
connect to some.changing.ip.address", or some outgoing ping (icmp).
The remote destination ip address often resolves to Microsoft or some
large content provider.  The application that is doing this is always
nondescriptly described as svchost or tcpip kernel driver.  Possible
causes are Windows update checker, Symantec, or possibly McAfee.  I
know that Kerio will specify the full path of the executable trying to
connect out in some cases, so I'm not sure this information is so
elusive for these messages.  Avast and Diskeeper connections to
outside are certainly reported more specifically than the above.  From
the aforementioned web searching, such details are not elusive to
Kerio users.  This makes it impossible to maintain a decent set of
firewall rules.  I've already disabled automatic windows updates, got
rid of symantec, and such messages continue to occur, though less
often.

How do the more experienced maintainers of home firewalls deal with
this lack of detail in tightening up their firewall rules?  I have,
and use, Spybot S&D.  I'm hoping that there is a general approach that
doesn't entail that a user spend much less than 50% of his or her
computer time dealing with the security aspects.  Currently, the
figure is well in excess of 50%, which really raises the question of
whether it is reasonable to convert to Luddite-ism.

Thanks!
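The vagueness described above comes from svchost.exe hosting many services in one process, so a firewall that only sees the image name cannot say which service opened the connection. The following script is an added example, not part of the original post: it joins each live outbound TCP connection to the services hosted in the owning process. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-CimInstance) and an elevated PowerShell session.

```powershell
# Added example (not from the original post): attribute each outbound TCP
# connection owned by svchost.exe to the Windows services hosted in that
# process, so a bare "Generic Host Process for Win32 Services" entry in a
# firewall log can be tied to a concrete service.
# Assumes Windows 8 / Server 2012 or later and an elevated session.

function Get-SvchostConnectionOwners {
    [CmdletBinding()]
    param(
        # Connection states to inspect; Established is where outbound traffic lives
        [string[]]$State = @('Established', 'SynSent')
    )

    # Build a PID -> hosted service list once from CIM, rather than per connection
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object {
            if (-not $servicesByPid.ContainsKey($_.ProcessId)) {
                $servicesByPid[$_.ProcessId] = New-Object System.Collections.Generic.List[string]
            }
            $servicesByPid[$_.ProcessId].Add("$($_.Name) ($($_.DisplayName))")
        }

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            if (-not $proc) { return }   # process exited between the two queries
            $hosted = if ($servicesByPid.ContainsKey($conn.OwningProcess)) {
                $servicesByPid[$conn.OwningProcess] -join '; '
            } else {
                '(no services hosted; ordinary process)'
            }
            [pscustomobject]@{
                LocalPort      = $conn.LocalPort
                RemoteAddress  = $conn.RemoteAddress
                RemotePort     = $conn.RemotePort
                State          = $conn.State
                PID            = $conn.OwningProcess
                Image          = $proc.Path
                HostedServices = $hosted
            }
        }
}

# Show only the connections a host firewall would have labelled "svchost"
Get-SvchostConnectionOwners |
    Where-Object { $_.Image -like '*\svchost.exe' } |
    Sort-Object RemoteAddress |
    Format-Table -AutoSize
```

Run it while the firewall prompt is still on screen; the HostedServices column for the matching remote address names the service (for example Windows Update or a vendor updater) that a per-service rule can then target.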
