
Sophos Client Firewall: security implications of allowing processes

The Processes tabbed pages of the Firewall Policy editor in Enterprise Console, and of the Sophos Client Firewall Configuration Editor on the local computer, let you allow applications to launch hidden processes, and allow applications to access the network with raw sockets. Both settings widen what a trusted application can do on behalf of other code, so in most circumstances you will not need to enable either of them.

Note: In interactive mode the default settings warn you whenever a hidden process is launched or a raw socket is used. Keeping these warnings enabled is strongly recommended.

Launching hidden processes

This tabbed page defines which applications may launch other applications. A hidden process is one started by another program rather than by the user, and a program that is allowed to do this can drive any application it starts, including one that already has network access, so only grant it where you know the parent application and understand why it needs to do this.

  • Only applications listed on this tabbed page are allowed to launch other applications.
  • The launched application must also be allowed in its own right, and may have rules of its own.

Examples include:

  • the Windows service host svchost.exe, which starts other programs on behalf of the services it hosts (for example dllloader.exe)
  • if you instruct Microsoft Word to email the document you are working on, winword.exe launches outlook.exe to send the email.

Note: Web browser plug-ins (e.g. Acrobat) are not defined as launched applications.

Raw sockets

Raw sockets are used in three main ways. They can:

  • allow a process to send and receive ICMP and IGMP messages
  • allow a process to build its own IP headers, including the source address and the time-to-live (TTL) field (traceroute works by sending probes with steadily increasing TTL values)
  • allow a process to read and write IP datagrams carrying an IP protocol that the kernel does not support.

If a particular application on your network needs to send traffic through raw sockets, add it to this list. Because a process with a raw socket chooses the contents of its own IP headers, the firewall's normal per-application rules cannot be relied on for that traffic, which is why the default is to warn.

Legitimate applications that use raw sockets include traceroute (tracert) and ping. Note that since Windows XP SP2, Windows itself refuses to send TCP segments over raw sockets and refuses UDP datagrams with a forged source address, but ICMP probes of the kind tracert and ping send are still allowed, so the firewall setting remains the control that matters for those.
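To make concrete what "building its own IP headers" means, the following added example (written for this article, not Sophos code and not how tracert is implemented internally) builds the IPv4 header and ICMP echo request that a raw-socket traceroute sends for each hop, with the TTL and the source address chosen by the caller. The addresses 192.0.2.10 and 198.51.100.1 are constructed documentation addresses. The packet-building functions run anywhere; send_probe() needs administrator or root rights and is exactly the call a raw-socket firewall rule gates.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer for 16-bit summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    """ICMP type 8 (echo request) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def build_ipv4_header(src: str, dst: str, ttl: int, payload_len: int,
                      proto: int = socket.IPPROTO_ICMP) -> bytes:
    """20-byte IPv4 header. The caller picks src and ttl: nothing here verifies
    that src is an address this host actually owns, which is the security
    reason a firewall gates raw-socket access per application."""
    ver_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words, no options
    total_len = 20 + payload_len
    fields = (ver_ihl, 0, total_len, 0, 0, ttl, proto)
    addrs = (socket.inet_aton(src), socket.inet_aton(dst))
    header = struct.pack("!BBHHHBBH4s4s", *fields, 0, *addrs)
    csum = checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields, csum, *addrs)


def build_traceroute_probe(src: str, dst: str, ttl: int,
                           ident: int = 0x1234, seq: int = 1) -> bytes:
    """One traceroute probe: IPv4 header with the given TTL plus an ICMP echo."""
    icmp = build_icmp_echo(ident, seq)
    return build_ipv4_header(src, dst, ttl, len(icmp)) + icmp


def build_probe_series(src: str, dst: str, max_hops: int) -> list:
    """What traceroute actually emits: the same probe with TTL 1, 2, ... max_hops,
    so that each router along the path expires one of them and replies."""
    return [build_traceroute_probe(src, dst, ttl, seq=ttl)
            for ttl in range(1, max_hops + 1)]


def parse_ttl(packet: bytes) -> int:
    """TTL is byte 8 of the IPv4 header."""
    return packet[8]


def send_probe(packet: bytes, dst: str) -> None:
    """Hand a fully built packet to the kernel. IP_HDRINCL tells the stack to use
    our header instead of generating one; this requires elevated privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    try:
        sock.sendto(packet, (dst, 0))
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed addresses; build only, do not send, so this runs unprivileged.
    for probe in build_probe_series("192.0.2.10", "198.51.100.1", 3):
        print("ttl=%d len=%d" % (parse_ttl(probe), len(probe)))
```

The point to take from the code is that the source address and TTL are ordinary fields the application fills in. A normal (non-raw) socket has the kernel fill those in from the host's own configuration; with a raw socket the firewall can only decide whether this process is trusted to do it itself.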

Other Sophos Client Firewall pages

Further knowledgebase articles describe the security implications of changing other options:

If you need more information or guidance, then please contact technical support.
