Training Firewall

Once installation is complete, Firewall starts learning by intercepting all connection attempts from your operating system or user applications. Firewall works in learning mode in the following operation modes (see Configuring Dr.Web Firewall for detailed information about Firewall operation modes):

Allow connections for trusted applications (set by default)

Interactive mode

In the Allow connections for trusted applications mode, when the operating system or applications attempt to connect to a network, Firewall checks whether these applications are trusted and whether filtering rules have been created for them. If no filtering rules have been set, Firewall prompts you to set a rule. At the same time, no rules are created for trusted applications. Such applications are allowed to connect to a network. Trusted applications include system applications, applications with a Microsoft certificate, and applications with a valid digital signature.

In the Interactive mode, when the operating system or applications attempt to connect to a network, Firewall checks whether filtering rules have been created for these programs. If no filtering rules have been set, Firewall prompts you to set a rule. This rule is then applied each time this type of connection is detected.

Figure 49. Example of a notification on a network connection attempt

Note

When running under a limited user account (Guest), Dr.Web Firewall does not display notifications on network access attempts. Notifications are shown in the session with administrator privileges if such a session is active at the same time.

Application rules

1. To make a decision, consider the following information displayed in the notification:

| Field | Description |
|---|---|
| Application | The name of the application. Ensure that the path to the application executable, specified in the Path entry field, corresponds to the file location. |
| Path | The full path to the application executable file and its name. |
| Digital signature | Digital signature of the application. |
| Address | The protocol used and the network address to which the application is trying to connect. |
| Port | The network port used for the connection attempt. |
| Direction | The direction of the connection. |

2. Once you make a decision, select an appropriate action:

To block the application's access through this port once, select Block once.

To allow the application's access through this port once, select Allow once.

To open a window where you can create a new application filter rule, select Create rule. In the window that opens, you can either choose one of the predefined rules or create your own rule for the application.

3. Click OK. Firewall executes the selected action and closes the notification window.

Note

In some cases, the Windows operating system does not allow a service that acts as a system process to be uniquely identified. If a connection attempt by the system process is detected, take note of the port specified in the information about the connection. If you use an application that can access the network using the specified port, allow this connection.

When a connection is initiated by a trusted application (an application with existing rules), but this application is run by an unknown parent process, Firewall displays the corresponding notification.

To set parent process rules

1. Consider the information about the parent process in the notification displayed on a connection attempt.

2. Once you make a decision about what action to perform, select one of the following:

To block this connection once, select Block.

To allow this connection, click Allow.

To create a rule for the parent process, click Create rule and, in the window that opens, specify the required settings.

3. Click OK. Firewall executes the selected action and closes the notification window.

When an unknown process is run by another unknown process, a notification displays the corresponding details. If you click Create rule, a new window appears allowing you to create new rules for this application and its parent process.
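
A way to check the Path, Digital signature, Port and parent process details from a notification before you allow a connection or create a rule, as an added example that is not part of the Dr.Web documentation or product. The sample path and the parameter names $Path and $Port are assumptions; the port lookup covers only TCP connections currently known to Windows.

```powershell
# Added example, not Dr.Web code. Run in an elevated PowerShell session.
param(
    [string]$Path = 'C:\Program Files\ExampleApp\example.exe',  # constructed sample: use the notification's Path value
    [int]$Port = 0                                              # port from the notification; 0 skips the port lookup
)

# 1. Path and Digital signature fields: is there a file at that path, and is it validly signed?
if (Test-Path -LiteralPath $Path -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status   # only 'Valid' confirms the signature
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } | Format-List
} else {
    Write-Warning "No file at '$Path'; the path in the notification does not match a file on disk."
}

# 2. Parent process: list running instances of the executable with the process that started them.
Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -eq $Path } | ForEach-Object {
    $child  = $_
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($child.ParentProcessId)"
    # Windows reuses process IDs: a "parent" created after the child is an unrelated process.
    if ($parent -and $parent.CreationDate -gt $child.CreationDate) { $parent = $null }
    [pscustomobject]@{
        ProcessId  = $child.ProcessId
        ParentId   = $child.ParentProcessId
        ParentPath = if ($parent) { $parent.ExecutablePath } else { '(parent exited)' }
    }
} | Format-Table -AutoSize

# 3. System-process note: map the port to its owning process and the services hosted in it.
if ($Port -gt 0) {
    Get-NetTCPConnection | Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port } |
        ForEach-Object {
            $owner = $_.OwningProcess
            # Stopped services report ProcessId 0, so never query services for PID 0.
            $services = if ($owner -gt 0) {
                (Get-CimInstance Win32_Service -Filter "ProcessId = $owner").Name -join ', '
            }
            [pscustomobject]@{
                Local = "$($_.LocalAddress):$($_.LocalPort)"; Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                State = $_.State; OwnerPid = $owner; Services = $services
            }
        } | Format-Table -AutoSize
}
```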