Yes, the win native FW does work (never said it didn't), but it is very obtuse to make rules for AND (most importantly) there is no REAL TIME dashboard (i.e. network monitor) to look at traffic and set rules on the fly. Also a firewall needs to be able to be configured in such a way as to make two or more different networks mutually exclusive to one another. That is to say keeping unwanted/unapproved traffic from traversing an internet vlan onto a backend admin vlan and vice versa. This is possible given the limitations of the win native FW, but VERY difficult to implement properly and to monitor. Personally I just turn it off and install/run a proper FW.

 

Try using Tinywall, it takes the windows firewall and not only doubles up the strength, but it has a front GUI that makes the windows firewall very easy to use.

 

XP only had incoming rules though if memory serves correctly

 

I'm not trying to write a book when most people already know how it works, with the left column of each entry containing the ip of localhost, 0.0.0.0, or in certain cases another Lan IP.

 

Last edited: Jun 23, 2023

There is no way a plug-in can call home, if there is no internet.

Also, people please stop thinking ONLY .exe files can do stuff like connecting to the internet !
Any created file can act as an excutable !

A .vst3 file can act as an executable. A .dll file can act as an executable !

Ive found a cmd script on the internet , that grabs whatever extension i define, like .exe, .dll, .vst3, etc, and it will add a in/out rule in the windows firewall.

Eg, i copy my addrule.cmd file to c:\program files\steinberg\vstplugins\my plugin, open an admin cmd from there, in the cmd window, i type a+d+d, + tab, the command prompt is now addrule.cmd, i type a name, between double quotes, like 'plugin name+manufacturer'...
Press enter... and the script will search for all the extensions, even in the subfolders, and will add all the in/out rules to the firewall.

If you run it in program files\steinberg, and you have a ton of plug-ins, it will block all the exe, dll, ocx, vst3, etc, inside the cubase folder and all subfolders !

Yes, because a developer can write an app, a vst plugin or instrument, and the file might be called 'mamouth.casanova'...."quadcompressor.pieceofshit'... or even "divinity.pavarotti".... and yet, all those files might have code that will connect to the internet, connect to a server, etc etc.

If a .vst3 runs some code 'get current logged username, windows version, scan the vstplugins and get all the file names, and sends all that data to the server 24.25.26.xx port 10000', well, if that file isn't blocked by the firewall, it will do exactly that.

Also, if there's a risk for the new version, r2r or not, to have some issues, and permanently fuk up the windows installation, with hidden files, registry entries, etc,
PLEASE, take 5 minutes to download and install VIRTUALBOX !
With vmware, there is a latency/ echo issue, and we must add a special line, to the config file, to more or less fix the issue.
With VirtualBox, when we 'mount' our audio interface, the audio works flawlessly, with no echo, no latency, no nothing.
We can quickly install a simple daw, like reaper, or simply use a vsthost ... to try out that new plugin, or check if the latest update actually breaks something.

Don't be afraid to add even thousands of rules, to the windows firewall. Block every single extension you can, with the addrule.cmd method. Block the full daw and all subfolders.
I think I've seen a windows firewall app, where one could simply block an entire folder. That would be the ideal solution, better than blocking 50 .exe...30 .dll... all manually, one by one...

If you absolutely need internet, and don't want to disable the network card, you can create a firewall rule that blocks EVERYTHING, and you create a rule that allows, eg, your web browser to go "outside"... and you block all websites in the browser, excepting a few ones that you enjoy visiting.

Because again, there is no reason for a plug-in to call home, if all the doors are 'closed'...

 

if you are this security aware (or paranoid), you eventually get sick of all this stuff on your daw computer. exe, nah not connecting anywhere. dynamic linking library, ocx, dependencies written directly into delphi authored executables, etc....nope. 99% of it is wasted effort, like getting good at landing a plane at the wrong airport. If windows (in)security is of this much interest to you, stick it in a VM as your Victim OS.

 

Not paranoid, but i like using a little windows shortcut, that

- installs the r2r root certificate
- disables the network stuff
- starts the daw

When I'm done, i click on another shortcut, that
-enables the different ethernet + wifi cards
- disables/removes r2r root certificate

It takes 2 seconds. Not a big deal. No need to worry if this plug-in is well Patched, if this plug-in will/has called home.

Some will call me un ungrateful disgusting human, for daring not 300% trust the r2r certificate.
It's not because it's r2r, or vr, or s3s, or t4t... it's because it's a ... root certificate, no matter who makes it (and don't talk about the many other certificates that come activated, on windows 10/11..)

Many have forgotten, but a few years ago, r2r hadn't posted 1 single plug-in, for over 1 year, because of the leak thing, and because they were so so so pissed, because of the people who were always begging 'r2r release this...r2r release that'... they were so mad, that for over 1 year, they 'punished' us.
Had they had a root certificate in some begger's computers, they were so frustrated and mad, i think they would have been able to destroy their computers, so they stopped begging...

Today, they could be 'on our side'. Tomorrow, they could be grabbed by the fbi,/ others, and asked to pay tens of millions, as reparations for copyright infringement... and what could be done, with those root certificates in place ? Does anyone know the future ?

 

Well, obviously you know that a small executable can be merged/melted into a still fully functional application. As small as 2 kbs, for just simple http download/upload/execute functions. Any executable can be tampered with in such a way, and if there is no mechanism for comparison to original; a free linking or hosting service web account is not exactly Fort Knox. Replacing an example file with a 1mb file size difference is not setting off any more alarms than an already tolerated "false positive".

 

Dont need it or want it. Outpost pro does everything I need from a firewall.

 

Did they ever sort out that huge flaw in their software? The HTTPS leak from ID block which never functioned on secure sites, meaning any time you inserted your personal info on a supposedly secure protected website, your details could be leaked or stolen by any half decent hacker.

That was why I stopped using it several years ago. If memory serves , it was version 9

 

You're not serious... You dont block ip addresses directly in hosts. Your entries are domain names which eventually resolve to ip addresses. And

FYI, if you're setting a "0.0.0.0 domain.name" or "127.0.0.1 domain.name" entry in your host file and after saving it, you can still ping/surf to that domain name/ip address, then you got some SERIOUS problems with your os/net config. You should just shutdown now and figure it out because it's fubar.

I use ONE tool which suffices for all. It is time/os tested and it works better.

XP's firewall was ingress only. Not certain when win native FW first went both ingress/egress (maybe vista? maybe win7?)... It still sucks tho... IMO.

 

This isn't exactly correct. Your command line tools will reflect the changes in modern WIndows versions. So your ping will work as you expect. But your browser will not, in many of them; until cache is flushed. https://serverfault.com/questions/9050/how-to-refresh-hosts-file-without-rebooting. The XP firewall was a joke. Better tools like Blackice Defender, Zone Alarm, etc were already available. By then Cisco PIX were available, but still quite expensive. Prior to 2005, Windows Defender was called this (also junk):

Microsoft AntiSpyware

At the 2005 RSA Security conference, Bill Gates, the Chief Software Architect and co-founder of Microsoft, announced that Windows Defender (formerly Microsoft AntiSpyware prior to November 4, 2005) would be made available free-of-charge to users with validly licensed Windows 2000, Windows XP, and Windows Server 2003 ...Nov 22, 2022

 

Last edited: Jun 24, 2023

Of course it's correct. Just because one doesn't know how to run a browser safely does not mean the hosts file mechanism is faulty.

Most decent browsers will have a tweak (some buried more than others) that;
#1 - turns OFF browser history - should be switched ON at all times
#2 - clears browser cache at every exit of the browser program - should ALSO be switched ON at all times

 

Never had problem one with it. I have never had the "web ID" stuff even turned on since my entire site (internet wise) runs thru a vpn. Ver 9.2/9.3 supposedly fixed that issue anyway...

 

Simple?
You clearly dont know what Reaper is.

 

Can you post a copy of that script?

I do something similar. Before I fire up my DAW, I just disable my network connections. Both the wireless and the wired, because my computer is generally on a CAT5 cable but everything else in the house is on wireless, so I don't want shit leaking out that way.

But I'm curious about how you handle the root certificate, and also how you'd automate disabling and enabling the network stuff in a script. I've just been doing it manually.

 

Is that latest r2r keygen also bombing?