
Home Base
May 2006 • Vol.4 Issue 5

What’s Your Firewall Asking You?
How To Know Which Programs To Allow Or Deny

“iTunes. The application indicated above is trying to access the network. What would you want to do? Allow, Deny, More Options.”

This is a challenge message from Nvidia Firewall (www.nvidia.com; bundled with nForce4-based motherboards). The message popped up in the lower-right part of our display after we installed iTunes and launched it for the first time. Nvidia Firewall was acting like a guard dog, growling at someone on the front porch until its master indicates whether that person is a friend or foe.

Firewalls are security software that monitors the data trying to leave or enter a computer, such as when you launch your browser to get the latest news from CNN.com. Many have lists of “safe” and “unsafe” applications, files, and processes (files loaded into memory), which they quietly approve or block without bothering you, the user. If a firewall doesn’t recognize an application or process that’s trying to send or receive data, it may ask you to tell it what to do. That is, unless you find and enable the setting that tells the firewall to make all decisions for you, which we really don’t recommend. Hardware firewalls, such as those found in gateway routers for small office and home use, usually don’t ask you these questions.

We didn’t have to think twice about clicking Allow to tell our firewall to let iTunes do its thing, but with other challenge messages, we weren’t so sure. For instance, when our firewall asked us whether it should allow Cli.exe or Alg.exe to access the Internet, we needed more information before we could make a decision. This article can help you figure out what to do when your own firewall needs a response.

Decisions

Many firewalls offer you more options than just Allow and Deny. Generally, you can choose to allow or deny a network access once, meaning the firewall will ask you each time the program relaunches. This setting is sometimes called Ask, short for “ask each time.”

You’ll also have options to always, or permanently, allow or deny the file access to the network or Web. This way, the firewall won’t bug you about that process again. The words “always” and “permanently” are a little misleading because you can dig into most firewalls’ settings to correct their program permissions in case you change your mind later. Often, you’ll find user-friendly green check marks denoting permissions you granted and red Xs showing those you denied, as in Zone Labs’ ZoneAlarm (www.zonealarm.com).

Most firewalls ask you separate questions about letting a process bring data into your computer and letting it send data out, depending on what a program tries to do. In ZoneAlarm’s terminology, to access is to fetch data from another computer on the Web or network, such as a server with the latest antispyware definitions for your Spybot installation. To act as a server means to allow other computers to copy particular data on your PC, such as letting a peer-to-peer network upload podcast audio files from your hard drive. You might allow your browser to always access the Internet, but you might tell the firewall to ask you (set it to allow or deny once) on a case-by-case basis when your browser tries to act as a server.

It’s pretty easy to make such decisions when your firewall tells you which application is making the request, such as iTunes in our example. But what about processes that don’t sound familiar? How do you know whether Alg.exe is innocent or wicked? What does Cli.exe do anyway? And what computer are they trying to communicate with?

The examples we cited are pretty harmless. Cli.exe simply lets you access your ATI graphics’ settings from a System Tray icon, and Alg.exe is necessary for running Windows XP.

If you just launched an application for the first time and your firewall challenges you, the new application is almost certainly the cause. Instant messaging apps, email clients, Web browsers, and security utilities that automatically check for updates all have to go online. Go ahead and allow the access if you trust the application. If you allow a process through, the firewall will continue to watch that communication channel for misbehavior, but you’re really placing trust in the new program not to compromise your PC.





Here’s a challenge message, or security alert, from Nvidia Firewall. A program, iTunes in this case, is trying to connect to Apple’s Music Store over the Web.

On the other hand, some software comes with “piggyback” applications that could be adware or spyware. Free peer-to-peer clients and online games are notorious for bundling extra apps, such as Bonzi Buddy and WhenU, and in fact, some won’t operate if you remove the bundled apps.




Zone Labs’ ZoneAlarm and some other firewall software make it easy for most users to get a bird’s-eye view of the programs they allowed to access the Web and which ones they denied.

You don’t want to block a function your legitimate software needs to run, but you especially don’t want to permanently approve spyware or adware. You can choose to block the process once and then see whether it keeps a “good” program from running properly. If it doesn’t, you might make the decision permanent the next time that challenge pops up. The more permanent decisions you make about application permissions, the fewer challenges you’ll see from your firewall over time.

Research

Of course, you may need to do a little research to make those decisions. Some firewalls’ challenge messages will try to guide you; take Nvidia Firewall’s color-coded Low-, Medium-, and High-Risk ratings, for example. A few firewalls, such as Norton and ZoneAlarm, offer links to more information about a process or program to help you decide. For instance, you can click the More Info button on a ZoneAlarm challenge to pull up a Web page that may have relevant information.

Nvidia Firewall can tell you the manufacturer, file path, and description of every file it challenges. Simply click More Options when a challenge appears. If your firewall doesn’t give you these details, try searching for the process name in Windows. In WinXP click Start and select Search. Choose All Files And Folders and set the Look In field to Local Hard Drives. If no results come up, click Include Hidden And System Folders. (By default, WinXP doesn’t search system files.)

After you locate the file, such as Alg.exe, look at the folder and its subfolders, such as C:\WINDOWS\SYSTEM32\, in which the file is located. In most cases one of those folders will tell you the name of the application the file belongs to. In this case it’s a Windows file, and you should allow the connection. However, any malware or virus could plant files in another application’s folders, so you should also try looking up that file on a trusted security site, such as ProcessLibrary.com or Symantec’s Security Response Web site (www.sarc.com).
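
On a current Windows system, the same details (file path, manufacturer, description) can be read from a running process with PowerShell. This is an added example, not part of the original article; the function name `Get-ChallengedProcessInfo`, its parameters, and the signature and folder checks are assumptions that go beyond the article's steps.

```powershell
# Added example (not from the article): collect the details the article says to
# check for a challenged process. Function and parameter names are hypothetical.
function Get-ChallengedProcessInfo {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name,                 # name as the firewall shows it, e.g. 'alg.exe'
        [string]$ExpectedDirectory     # optional folder you expect the file to live in
    )

    # Get-Process matches on the name without the .exe extension.
    $base  = $Name -replace '\.exe$', ''
    $procs = @(Get-Process -Name $base -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        Write-Warning "No running process named '$Name'."
        return
    }

    # Path is empty for processes this account may not inspect; run elevated if so.
    $paths = @($procs | Where-Object { $_.Path } |
               Select-Object -ExpandProperty Path -Unique)
    if ($paths.Count -eq 0) {
        Write-Warning "'$Name' is running, but its file path is not readable."
        return
    }

    foreach ($path in $paths) {
        $info   = (Get-Item -LiteralPath $path).VersionInfo
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # A familiar file name in an unfamiliar folder is the masquerading case.
        $inExpected = $null
        if ($ExpectedDirectory) {
            $inExpected = (Split-Path -Parent $path).TrimEnd('\') -eq $ExpectedDirectory.TrimEnd('\')
        }

        [pscustomobject]@{
            Path                = $path
            Manufacturer        = $info.CompanyName
            Description         = $info.FileDescription
            SignatureStatus     = $sig.Status
            Signer              = $signer
            InExpectedDirectory = $inExpected
        }
    }
}

# Alg.exe and its folder are the article's own example.
Get-ChallengedProcessInfo -Name 'alg.exe' -ExpectedDirectory 'C:\WINDOWS\SYSTEM32'
```

The manufacturer and description fields are written by whoever built the file, so treat them as a hint; the signature status and the folder check carry more weight.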

You can also look up files, apps, and processes on your favorite search engine, such as Google or Yahoo! Search. Look for descriptions of the file or perhaps forum posts from other users who have encountered a firewall challenge for the same process. If you see any exhortations to “go ahead and allow this harmless process,” consider the source and take it with at least a few grains of salt, especially if it seems like an ad.

Note that recent threats may be too new to appear on the Web. Security companies may not have fully explored and written up a new threat, and Google’s automated bots may not have uncovered references to it on forums or sites. If you’re really in doubt, try denying network access to that program until more information about it appears in a week or two.

Finally, keep your antivirus and antispyware up-to-date and actively protecting your system. Even if you make a mistake and allow malware (perhaps it’s masquerading under a trusted file name) to phone home, your firewall and other security software might block any monkey business by the way the malware behaves.

by Marty Sems





Copyright © 2010 Sandhills Publishing Company U.S.A. All rights reserved.