Archive: SP2 Firewall in WinXP
lars1106
20th August 2004 09:00 UTC
SP2 Firewall in WinXP
I noticed yesterday, when I installed "Groove" [http://www.groove.net], that during the installation the installation kit (InstallShield) interacted with the new firewall in XP.
This means that the installer unblocked this program during installation. I think this is a very good feature, since users do not by accident block a program that needs certain ports open.
I have in vain searched MSDN to find information about this issue, so I could implement this in the NSIS installer.
Does anyone here know which information, and how to pass this on to the Firewall ???
Cheers,
Lars
kichik
20th August 2004 10:16 UTC
Is the installer signed? Windows probably did this automatically if it is. I seriously doubt there is some way to disable the firewall for a specific program without some sort of approval from Microsoft. That would make the firewall pretty useless...
lars1106
20th August 2004 12:10 UTC
more info
Hi
After posting the question I found some more information. There exists an API for Windows Firewall, and you can use a command like:
netsh firewall set portopening TCP 445 ENABLE
or
netsh firewall add allowedprogram [program.exe]
I disagree with you in that this renders the firewall useless since this is done from within the secure side of the firewall.
Now I just have to find out how to run this from an NSIS script..
Cheers,
Lars
kichik
20th August 2004 12:16 UTC
I wouldn't call a program I didn't write the secure side of the firewall. What about trojans? Wouldn't you want to be notified when it tries to send your credit card number to the other side of the world?
To execute programs from NSIS use Exec, ExecWait, ExecShell or the nsExec plug-in.
lars1106
20th August 2004 12:31 UTC
Trojan
Well - I guess the idea is that the trojan will not be allowed in by the firewall in the first place. If it is in though for some reason it will be able to fire the "add allowed program" command.
Try to run this command from a prompt, then you will see the possibilities:
netsh firewall add allowedprogram
Thanks for your answer ;)
kichik
20th August 2004 12:35 UTC
A firewall is not an antivirus, it can not recognize you're downloading a trojan.
I don't have SP2 yet, so I can't test this.
afrodan
20th August 2004 12:59 UTC
Originally posted by kichik
A firewall is not an antivirus, it can not recognize you're downloading a trojan.
But the firewall is going to stop the trojan from listening on ports to be activated. It also asks if you would like to allow the program that is accessing the net to get access to the net...
kichik
20th August 2004 13:02 UTC
That's another story. I'm sure lars1106 doesn't want to distribute his installer this way.
kichik
20th August 2004 13:03 UTC
It also asks if you would like to allow the program that is accessing the net to get access to the net...
Which is exactly what lars1106 is trying to avoid.
afrodan
20th August 2004 13:06 UTC
Originally posted by kichik
Which is exactly what lars1106 is trying to avoid.
He can't, it's Microsoft's newest thing... that is what SP2 is about, beefing up security
lars1106
20th August 2004 13:10 UTC
I can't?
Afro...Read the thread and if you have windows firewall then try to fire the command I mention.
Lars
kichik
20th August 2004 13:10 UTC
Exactly. That's why I seriously doubt it's possible. However, lars1106 says that netsh can do the trick.
lars1106
20th August 2004 13:21 UTC
Believe Microsoft :-)
If you guys don't believe me, maybe you believe Microsoft:
Using Command line options
The more I think about this, the more sense it makes. Imagine a netadmin controlling 1000's of computers in, for instance, a bank: he has to have command line tools if the firewall is deployed locally as well.
Cheers,
Lars
kichik
20th August 2004 13:23 UTC
It makes sense for an admin to have an option to allow a certain program, but it doesn't make sense for a program to allow itself.
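The concern raised in the thread, a program adding its own firewall exception, can be checked from process-creation logs. The sketch below is an added example, not code from the thread: the event tuples, paths and function names are constructed for illustration, and it only understands the `netsh firewall` commands quoted above plus their `add`/`set` and `key=value` forms.

```python
import ntpath
import re

# Verb/object pairs of "netsh firewall" that change the exception list.
CHANGES = {(v, o) for v in ("add", "set") for o in ("allowedprogram", "portopening")}

def tokenize(cmdline):
    """Split a Windows command line; quoted spans stay whole, backslashes intact."""
    cmdline = re.sub(r"\s*=\s*", "=", cmdline)  # netsh accepts "key = value"
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]

def parse_netsh(cmdline):
    """Return (object, target) for an exception-changing call, else None."""
    tok = tokenize(cmdline)
    if len(tok) < 5 or ntpath.basename(tok[0]).lower() not in ("netsh", "netsh.exe"):
        return None
    if tok[1].lower() != "firewall" or (tok[2].lower(), tok[3].lower()) not in CHANGES:
        return None
    obj, args = tok[3].lower(), tok[4:]
    named = {a.split("=", 1)[0].lower(): a.split("=", 1)[1] for a in args if "=" in a}
    positional = [a for a in args if "=" not in a]
    def arg(key, pos):  # named form wins, otherwise positional order
        return named.get(key) or (positional[pos] if len(positional) > pos else "")
    if obj == "allowedprogram":
        return obj, arg("program", 0)
    return obj, f'{arg("protocol", 0).upper()}/{arg("port", 1)}'

def classify(parent_image, cmdline):
    """Label one process-creation event; None means no exception change."""
    parsed = parse_netsh(cmdline)
    if parsed is None:
        return None
    obj, target = parsed
    if obj == "portopening":
        return "port-opening " + target
    own = target.lower() == parent_image.lower()  # the program allowed itself
    return ("self-allow " if own else "program-exception ") + target

# Constructed sample events: (parent image, command line it launched).
EVENTS = [
    (r"C:\Temp\setup.exe", r'netsh firewall add allowedprogram "C:\Program Files\App\app.exe" App ENABLE'),
    (r"C:\Users\bob\upd.exe", r"netsh.exe firewall add allowedprogram program = c:\users\bob\upd.exe name = Upd"),
    (r"C:\Windows\System32\cmd.exe", "netsh firewall set portopening TCP 445 ENABLE"),
    (r"C:\Windows\System32\cmd.exe", "netsh firewall show config"),
]

if __name__ == "__main__":
    for parent, cmd in EVENTS:
        print(parent, "->", classify(parent, cmd))
```

A "self-allow" result is the case kichik describes; "program-exception" from an installer is the Groove-style behaviour lars1106 observed, which an admin may still want to review.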