Offline PC and Plugins that need to be online.

Discussion in 'PC' started by StormChaser, Nov 10, 2023.

  1. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    294
    Likes Received:
    117
    I have read quite a few posts from various people who say they don't have their studio PC connected to the internet. How do they achieve this when so many plugins want to report home, or so many plugins need to connect home to authorise the plugin?

    My PC is online, but I use NetLimiter 4 to control what does and does not have access to the internet, both incoming and outgoing connections. It works really well.

    I use various DAWs, but mainly Studio One 6.5, and currently I am trying Bitwig, which I am really liking. However, I am finding that certain plugins won't load unless there is an internet connection. For example, the MPC standalone software doesn't run for me without full internet access out; if the connection for mpc.exe is blocked I get "not responding" about 20 seconds after launching the application. This also happens with the mpc64.dll plugin in all my DAWs.

    I have noted that each DAW has its own plugin host component that always wants to connect out to various IPs:

    Studio One: pluginscanner.exe
    Bitwig: bitwigpluginhost-x86-sse41.exe / bitwigpluginhost-x64-sse41.exe

    Sometimes you can launch a plugin and NetLimiter will immediately want to connect out to several IP addresses; I have no idea what these are or where they are trying to connect to.

    It tells you the process, for example bitwigpluginhost-x64-sse41.exe, and what IP address it is trying to connect to (see screenshot below).

    [screenshot: NL.jpg]

    However, it doesn't tell you what is wanting this connection, as in which plugin is generating the outbound/inbound connection, only the plugin host. So it's difficult to know what to block and what not to block.

    Blocking all connections for bitwigpluginhost-x64-sse41.exe doesn't work either, as again certain plugins want to connect out.

    Is there any other application which can tell me what is generating these requests?

    I have a lot of plugins installed, most legit and some from the sister site, and it's just constant things wanting to connect out.

    Changing my gateway IP address to something false doesn't help either, as some plugins don't load or don't work unless there is an active internet connection.

    Take Bitwig: I am currently in trial mode, which needs to be online to authenticate the account before the application will launch.

    So I really don't get how people can successfully run PCs offline permanently and not run into these issues, unless they really don't have a lot of third-party plugins. Most current DAWs need an active connection to validate the license: Studio One, Cubase, Bitwig etc.?

    I would appreciate any information on maybe a different approach.

    SC
     
    Last edited: Nov 10, 2023
  3. krameri

    krameri Rock Star

    Joined:
    Jul 20, 2014
    Messages:
    475
    Likes Received:
    326
    Logic and Live don't need to be connected, nor do any of my plugins. I don't know why, except that Logic is never K'd and doesn't need to be, but Live is and has probably defeated any calling home. I leave my computer connected because it doesn't try to phone home. I have one app that would, which is Photoshop, but the crackers have managed to fool that app.
     
  4. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    294
    Likes Received:
    117
    I have Ableton Live 11 and the below are always trying to make connections out. Granted, I can run Ableton Live with the PC offline, but the 3 Ableton processes below still generate lots of outbound connection requests.

    Ableton Live 11: Ableton Live 11 Suite.exe / ableton plugin scanner.exe / ableton web connector.exe

    Seeing as you are using Logic: even on my Mac, plugins and DAWs try to make many connections out. I use Little Snitch to stop them connecting, but I am mainly using a Windows 10 PC these days.
     
  5. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,564
    Likes Received:
    3,331
    You should get used to the fact that most non-open-source operating systems, i.e. Windows/macOS, are going to have both inbound and outbound traffic you want to monitor and restrict or block.

    People keep machines offline for two general main reasons: concerns caused by software on the local machine (including the operating system and components), and random or targeted attacks. You need a good firewall and a little bit of knowledge to prevent any of these concerns, and to not be opening/running random stuff you find online or in your emails. A third reason would be LE, but that is another matter.

    If just keeping machines off the internet was a practical solution in 2023, there would be no job openings in cyber security fields. We would just unplug every ethernet cable and disconnect every wireless access point.
     
  6. RobertoCavally

    RobertoCavally Rock Star

    Joined:
    Jan 20, 2021
    Messages:
    537
    Likes Received:
    378
    First, it is nearly impossible these days to keep a PC offline unless you use cracked software. I don't care about using cracks, just an observation. But also, there are situations and environments where you can't. Or it's just too much hassle.
    Then there are plugins like Sonible that use multicast to communicate (the last time I checked), so you have to have "internet on" and 224.0.0.0 to 239.255.255.255 open for communication. You could probably cut anything beyond your local network using a loopback interface or virtual network... idk. I'm a networking idiot barely able to partially control my firewall ;)
    More often than not the culprit for these are plugins rather than Ableton (if you have updates/usage off). I have Ableton blocked, but again, if for example I wanted to sync the Shaperbox presets, I'd have to let Ableton access the net.
    How is your generative fill doing these days? ;) Everyone hysterical about that and Adobe cashing in lol (I don't give a fck about that, just saying)
     
  7. krameri

    krameri Rock Star

    Joined:
    Jul 20, 2014
    Messages:
    475
    Likes Received:
    326
    Haha!
     
  8. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    294
    Likes Received:
    117
    Thanks for the reply.

    Sure, I get that the OS always wants connections out, especially with all the telematics that Windows has (I have all mine blocked).

    But the point I was trying to make is I have pretty much everything locked down from an OS point of view, but what I notice a lot of the time is I can be in my DAW and as soon as I load certain plugins, BAM, one of the plugin hosts is trying to connect somewhere, and most of the time it can be 4 or 5 IP addresses. Doing an IP lookup, it's normally some sort of Amazon or Google server, but it gets annoying. The software I use (basically a firewall) asks me what I want to do with each inbound/outbound request, so that's fine, but I was hoping to find something that, instead of saying it's this DAW plugin host generating the request, goes back one step further and shows the request from a *.dll point of view, as in the VST plugin.
     
  9. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    294
    Likes Received:
    117
    That's exactly my thinking; there is always something that needs net access for one reason or another.

    Yep, totally agree. I don't mind my machine being online as long as I can totally control what's trying to come in and go out, but at times I wish I had a deeper level of detail to assist in making further decisions on whether to allow or block something. The DAW plugin hosts are so general; as I said in my reply above, I would rather see it as

    *.DLL > plugin host controller > IP destination

    SC
     
  10. xorome

    xorome Audiosexual

    Joined:
    Sep 28, 2021
    Messages:
    1,176
    Likes Received:
    860
    Maybe that particular problem could be solved if you added all the hosts mpc tries to connect to to your hosts file as 0.0.0.0s. That way you'd get an instant response that there's no server. Maybe!

    I load plugins that need one time authorization in Savihost once, just for that purpose. I don't think I have plugins that need periodic re-authorization - or at least not that I've noticed.
     
  11. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    294
    Likes Received:
    117
    All of the detections that pop up for me wanting to get out are IP addresses, which don't work in the Windows hosts file; it won't block IPs, only actual host names. NetLimiter does block the IPs just fine.

    You have given me an idea though: individually launching the VSTs that I know want to get out and creating a group for that plugin with all the IPs it generates. The only issue that springs to mind is I don't know if I can wildcard the IPs; say it was 185.25.65.10, then it will try .17 or .40. Most of them try 3 or 4 IPs within the range, so maybe the entire subnet needs to be blocked.

    I wonder if blocking the actual VST's *.DLL would stop the plugin host from generating a request?
     
  12. orbitbooster

    orbitbooster Audiosexual

    Joined:
    Jan 8, 2018
    Messages:
    1,125
    Likes Received:
    626
    Create a set of rules, let's call it "lan", where you allow only the local LAN subnet, localhost (optional: broadcast) and deny anything else.
    You won't have any problem with any DAW or embedded plugin.
    If instead you block it all, some will crash or simply won't work properly (see Kontakt).
     
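As an added example (not code from the thread), here is what the "lan" rule set above and the "block the entire subnet" question a few posts up look like when worked out: the script computes the explicit ranges that fall outside the LAN subnet, loopback, multicast and broadcast, so they can be pasted into a per-program deny rule, and collapses a few observed addresses into one covering subnet. The LAN subnet and the program path are assumptions; New-NetFirewallRule is a real Windows cmdlet.

```python
# Added example, not from the thread: build an explicit per-program deny list
# for a "lan" rule set (allow LAN subnet, loopback, multicast, broadcast; deny
# everything else) and collapse observed IPs into one covering subnet.
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed allow-list; the LAN subnet is an assumption, adjust to your own.
LAN_ALLOW = ["192.168.1.0/24",        # local LAN subnet
             "127.0.0.0/8",           # loopback
             "224.0.0.0/4",           # multicast (covers the Sonible range)
             "255.255.255.255/32"]    # limited broadcast


def deny_ranges(allowed, universe="0.0.0.0/0"):
    """Return the CIDR blocks of `universe` that `allowed` does not cover."""
    remaining = [ip_network(universe)]
    for net in map(ip_network, allowed):
        nxt = []
        for block in remaining:
            if block.subnet_of(net):        # block fully allowed: drop it
                continue
            if net.subnet_of(block):        # carve the allowed hole out
                nxt.extend(block.address_exclude(net))
            else:                           # disjoint: keep as is
                nxt.append(block)
        remaining = nxt
    return sorted(collapse_addresses(remaining))


def is_denied(ip, allowed=LAN_ALLOW):
    """True if `ip` would hit the deny rule built from `allowed`."""
    return any(ip_address(ip) in net for net in deny_ranges(allowed))


def covering_subnet(ips):
    """Smallest single CIDR that contains every observed address."""
    net = ip_network(f"{ips[0]}/32")
    while not all(ip_address(ip) in net for ip in ips):
        net = net.supernet()
    return str(net)


def firewall_command(program, allowed=LAN_ALLOW, name="lan deny"):
    """Windows Firewall rule text; the program path is a placeholder."""
    ranges = ",".join(f"{n[0]}-{n[-1]}" for n in deny_ranges(allowed))
    return (f'New-NetFirewallRule -DisplayName "{name}" -Direction Outbound '
            f'-Program "{program}" -RemoteAddress {ranges} -Action Block')


if __name__ == "__main__":
    # Constructed sample: the three addresses from the post above
    print(covering_subnet(["185.25.65.10", "185.25.65.17", "185.25.65.40"]))
    print(firewall_command(r"C:\PLACEHOLDER\bitwigpluginhost-x64-sse41.exe"))
```

Because Windows Firewall lets block rules win over allow rules, listing the deny ranges explicitly on the program's block rule keeps LAN, loopback and multicast traffic working while everything else from that host process is dropped.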
  13. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    294
    Likes Received:
    117
    That's a good idea, just need to figure out if NetLimiter can do that on a local-only level.
     
  14. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,564
    Likes Received:
    3,331
    It's not really as simple as this might sound. First, an old command line trick to verify a machine is online is to simply send a ping out to a common destination website. Something like Google or Amazon, as you have noticed, is a good example website: if everything else is functioning correctly (DHCP, DNS resolution, etc.) you do not even need to check the lower processes. Obviously they are working correctly, or the first hop would lag and time out, Google might resolve to some not-sane IP address; whatever the outcome, you will know immediately that something is wrong. In a program that is going to do this check over and over, that is a very easy and lightweight way to confirm internet connectivity, and not just network/LAN connectivity. A developer who wants this check to not point directly back at them is not going to ping their own domain; nor would they want the generated "extra" traffic hitting their web server. "It's just Google." So it appears innocuous.

    Developers know that people use software firewalls to block communications they want happening, like their plugin ratting out "non-paying customers". They are often using common methods of bypassing a firewall, and that is often most easily accomplished by just exploiting the firewall's own ruleset. The user has already provided "trust" to certain applications, process ID numbers, source ports, destination ports, etc. They can use different techniques like DLL injection, process injection, outbound solicitation to a "middleman server" to await inbound reply commands, and whatever other methods they want to try. It's why desktop application firewalls are great for low-security-concern machines, and why you will never see one running on a machine at a bank, tax preparer, or medical office. Really, anywhere there is an IT department who will understand the value of hardware firewalls that are independent of the client terminals; but always when personal confidential financial data or data covered by HIPAA compliance is in use.

    All of it can make an offline computer for your DAW easier to deal with. You can uninstall security software like firewall and malware scanners that needlessly consume clock cycles and other resources. It's an easier route certainly. But it is not necessarily the most desirable. Suggesting this approach of having separately labelled "Production Machines" is a more "professional" way of doing things is common on here from some users. Air-gapping a personal computer is about as professional as saying the best way to avoid a car accident while driving is to leave your car parked in your garage.

    I wrote this reply to you in about 10 minutes, and it is not meant to be a whitepaper. It's meant to give you some subjects to look into. I'm sure someone will reply from a cell phone that one sentence or two is "wrong", because they have a $4000 computer that isn't connected to the internet and can't reply from that. :)
     
  15. ArticStorm

    ArticStorm Moderator Staff Member

    Joined:
    Jun 7, 2011
    Messages:
    7,847
    Likes Received:
    4,021
    Location:
    AudioSexPro
    Usually Live checks for updates when you open it, and I guess it does so over and over, but you can turn this off in the settings in the Updates tab.

    otherwise Live always for other plugins to access the internet, this should be solved by blocking outgoing connections from Live.exe.

    I don't think Live had additional connections, unless you use the ALP access in the browser.
     
  16. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    294
    Likes Received:
    117
    Thank you for the incredible reply, very much appreciated.

    I have a spare WatchGuard Firebox M5600, seriously overkill I know, but that could be a good route to go to stop anything I don't want at the gateway instead of the client. The learn mode on these things is incredible. Sure, I could use my internet router, but I'd much rather use a WatchGuard over any ISP-supplied router. I have a list of all the IPs I have blocked and why I blocked them, and at the time of making the notes what I thought was making the initial connection, so it should only take about 20 minutes to put these in. I'll keep it in learn mode and see what comes back and then make decisions on what it finds; it also logs the calling binary and dependencies.

    Thanks again.
     
  17. ItsFine

    ItsFine Rock Star

    Joined:
    Apr 22, 2023
    Messages:
    584
    Likes Received:
    349
    Some years ago, I was using a virtual machine for internet only (Windows host and guest OS).
    I simply uninstalled the IP stack on the host, so only the guest VM could connect to the internet with its own IP stack on the virtual ethernet driver.

    Simple as that.
    If it can help someone :wink:

    PS: Of course, you can use a VM with Linux only, even more secure.
    But I needed Windows.
     
  18. Ryan

    Ryan Ultrasonic

    Joined:
    Apr 22, 2012
    Messages:
    66
    Likes Received:
    20
    Does Photoshop not require you to keep adding sites to the hosts file?
     
  19. Ryan

    Ryan Ultrasonic

    Joined:
    Apr 22, 2012
    Messages:
    66
    Likes Received:
    20
    That's a smart solution!
     
  20. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,286
    Likes Received:
    522
    Location:
    CBGB omfug
    The simplest answer to the OP's question: shit-can legit software and use scene releases exclusively. The legit-ware phoning home is only the tip of the iceberg; typically your OS (unless you have self-optimized or use a properly pre-optimized build) is going to be doing a LOT of "connecting out" on its own. The biggest buzz-kills for production machines, even running legit-ware, are going to be A/V and an OS "updater" running rampant (allowed to do what they want when they want) on an un-optimized OS. The best solution: get a beater machine at a used computer store (total cost $200, maybe a little more depending) and use IT for your internet surfing machine exclusively. Keep your production machine off the internet completely and use a small backend LAN to be able to shuffle stuff to and from it (or any other machines you want connectivity to) easily without having to resort to a sneaker-net. So in essence you have one dual-homed machine optimized for internet use (one single point of exposure to the ne'er-do-well internet) on an internet VLAN and the rest of your machines safe on your local network VLAN.
     
    Last edited: Mar 24, 2024
  21. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,286
    Likes Received:
    522
    Location:
    CBGB omfug
    Haha! Yes, yes... Generative fill... and other Adobe "ai"... Give that time... The Premiere "speech to text (AI)" has already been scene released as a working add-on package. Really didn't see how speech to text qualified as "AI", but we have it now and it works OFFLINE. It's only a matter of time before Photoshop "ai" becomes OFFLINE as well. In the interim, there are already sites that will do portions of the "ai" that Adobe is attempting to keep "cloudified" for free. Fuckin Adobe. Leave it to them to continue to stick it to the mainstream... The part that really ticks me off is Adobe's attempt at schmoozing the public into thinking that the main reason their "ai" is being held captive is that these "ai" processes are "too cpu intensive for local use". What a line of horse puckie... THE first and foremost reason behind captive "ai" is the corporate bottom line.
     
    Last edited: Mar 24, 2024