BullGuard Help


Firewall Application rules

Specifying which applications are allowed to access your network connection


The Application Rules tab is the main part of the extrusion detection system and allows you to specify which applications are allowed to access your network connection. This tab can be accessed directly by clicking the Application Rules button in the Firewall overview window or by using the Application Rules button in the Firewall Rules tab from the Firewall settings section.

The Application Rules tab is a table that lists the predefined rules together with every user-installed program that has tried to send or receive information through the active network connection.

Description: This will show the name of the Firewall rule (it may not be the exact name of the executable file for which the rule has been created). You can always rename the rules.
Policy: Will show what action the Firewall will take regarding that application: Allow, Block or Ask me.

- Allow: The application will be able to send and receive information from the network.

- Block: The Firewall will block any information packet this specific application will attempt to send or receive. If the application depends on the network connection to run, it will not work. As a side effect, this option is an effective means to deal with worms, Trojans or ‘dropper’ viruses as these require an internet connection in order to spread. If they are unable to use the connection they will be rendered useless and unable to spread any infection.

- Ask me: The Firewall will prompt you each time the application starts and ask you to decide whether to allow or deny that application the use of the network connection. By default the Firewall pop-up gives you 20 seconds to select an answer. If the 20-second period is exceeded, the Firewall blocks the application by default until you set it to Allow or Block. If you did not have time to answer, restarting that application makes the Firewall prompt appear again so you can choose the appropriate answer.


Protocol: The protocol type the Firewall will allow that application to use (any other data the application might send/receive through other protocol types will be blocked by the Firewall).
Direction: The direction of the traffic for a specific application (incoming or outgoing).
Ports: The ports the Firewall will allow the application to use (any other data the application sends or receives through other ports will be blocked by the Firewall). If no port is specified, the application will be able to use all ports that are available and not specifically closed by the Firewall or by network restrictions (some ISPs prefer to keep high-risk ports closed on their network).
Remote hosts: The IP addresses the application is allowed to connect to in order to send or receive data (any data sent to IPs other than those specified will be blocked by the Firewall). If no IP address is entered in the Remote Hosts field, the application will be able to send or receive data from all IPs.
Equal ports only: This option establishes a peer relationship between the local and remote hosts' port usage: the Firewall will allow the application to send or receive data only when the port number used on the local computer is the same as the port number used on the remote computer.
Application path: Will show where the executable file associated with the Firewall rule can be found.
Automatically create rules for known programs: Allows the Firewall to create a rule for each program found in the known application database. The Firewall will only display a pop-up message in the lower right corner of the screen notifying the user that an application has been automatically allowed to connect to the internet.

Interacting with rules

Users can interact with any of the rules in this tab by using the right click contextual menu that offers several options on managing the applications list.

New rule (Insert key): Will add a new rule to this tab.

Remove selected rules (Delete key): Will delete the selected rule.

Remove orphan rules: A cleanup listing option that will remove all rules that no longer have an executable file associated.

Move the rule up/down (ALT+Up/Down key combination): Will move the selected rule or rules up or down.

Copy cell text (CTRL+C key combination): Will copy the current selection.

Explore application: Will open a file browser window displaying the folder that contains the executable associated with the rule.

Properties (ALT+Enter key combination): Will open the Windows properties window for the executable file associated with the selected rule.

Adding applications to the Application rules tab

Immediately after installing BullGuard, the Firewall will start asking you about applications. However, the module has a “Known Application” database; applications found in it (those vital for the operating system and the most common programs) are allowed automatically, with only a notification balloon to inform the user. This way the user is protected from being flooded with multiple pop-up windows from the Firewall.

If the application is not in the Firewall database, the user will receive a pop-up window through which the Firewall will ask the user whether to allow or block the application from the network connection.

Possible answers to the Firewall pop-up window:

Yes: The Firewall will allow the application to connect to the network/internet until the application is closed and restarted. The application will be added to the Firewall application list with the Ask status and the Firewall will ask you about this application every time you open it.

No: The Firewall will block the application from connecting to the network/internet until the application is closed and restarted. The application will be added to the Firewall application list with the Ask status and the Firewall will ask you about this application every time you open it.

Yes with the Remember my answer and don’t ask again option checked: The Firewall will permanently allow the application to connect to the network/internet until you wish to change its status. The program will be listed in the Firewall application list with the Allow status and the Firewall will not ask you about that specific application again.

No with the Remember my answer and don’t ask again option checked: The Firewall will permanently block the application from connecting to the network/internet until you wish to change its status. The program will be listed in the Firewall application list with the Block status and the Firewall will not ask you about that specific application again.

Yes or No with the Send application to BullGuard for analysis option checked: The Firewall will either allow or block the application according to the selected answer and will upload the executable file to the BullGuard servers, where it will be analyzed and entered into the known application list so that the Firewall will recognize the application.

More information: Presents you with additional information about the executable file BullGuard intercepted:


Full path: Displays the location of the executable file on the user’s hard drive.

Version: Displays the executable file’s version number (if available).

Process ID: Displays the executable file’s process ID number as assigned by the operating system. This is the same ID number shown in the Windows Task Manager.

Command line: Will show if the executable file was started with any specific parameters or commands (such as “starting” minimized or displaying a splash screen).

Parent Process: Displays the Process ID number for the executable file’s parent process.

File size: Shows the executable file’s size in bytes.

Last modified: Displays the last time that executable file was modified.

Direction: States the traffic direction which can be outbound or inbound; i.e. whether the application was trying to send or receive information from the network.

Protocol: Shows what protocol was used by the application when sending or receiving data.

Remote address: Shows the IP address of the computer/server the application was trying to connect to.

Remote hosts: The Firewall will try to resolve the IP address and will display the remote host’s name if possible.

Manually adding/removing an application to the Firewall rules

In the Application Rules tab, right click any of the applications in the list and choose the Add application option, or just press the Insert key on your keyboard. A browse window opens; navigate to the executable file of the application you want to add to the Firewall list, select it, and then click Open.

By default, the newly created rule will have the policy set to Ask me. Thus the user will need to switch the policy to Allow if they want to allow the application to connect to their network each time it starts.


Customizing application rules

By default, when first answering a Firewall question regarding an application, a general rule will be created that will apply to that program for all protocols, IPs and ports.

You can modify these details as needed. Note that once you do, traffic will only be allowed for the details you entered; any other traffic to other IPs or ports, or through different protocols, will be blocked. For some applications you may want to restrict access to a specific IP address, protocol type or port number. If the application later needs other ports or hosts, you may be asked to allow the application once again.

Ports

Restricting traffic by using specific application ports. Note: if the application was not designed to run on the user-defined ports, the program may not run properly.

Edit local Ports: Will make the application send/receive data only through the specified ports on the local computer. Any information packets coming through other ports will be blocked.

Edit remote Ports: Will make the application send information packets to a remote computer only through the specified remote ports. The program will receive information from a remote computer only if the data was sent from one of the specified ports on that computer. Any other packets will be blocked.
These settings can be combined with the When local and remote ports are equal option, which establishes a peering relationship between the local and remote hosts' port usage. For example, if you enter only local port 675 and check this option, the Firewall allows traffic for that application only when the packets are sent or received using port 675 on both the local and the remote computer (all communication occurs through port 675 on both computers).

Remote Hosts

Restricting access to/from an IP or IP range only: double click the Hosts… button in the Hosts column to enter a specific IP; the application will then send and receive data only to and from those specific IPs, and any other incoming or outgoing packets will be blocked.

It is possible to add a range of IPs from a predefined group – the application will then send and receive data only to and from addresses in that range, and any other incoming or outgoing packets will be blocked. The trusted/untrusted subnets or networks can be defined in the System tab.

Any host from my subnets: This will allow traffic only to the local networks (trusted and untrusted) that are included in the network where that computer is located, while blocking the rest of the IPs. You can see the trusted/untrusted subnets in the Subnets tab from the Firewall settings section.

Any host from my TRUSTED subnets: Will allow traffic only for the IPs belonging to the trusted networks, while blocking any other IPs.

Any host from my UNTRUSTED subnets: Will allow traffic only for the IPs belonging to the untrusted networks, while blocking any other IPs.

Any of my DNS servers: The application will be able to receive and send data only from and to the DNS servers assigned for that network, while any other IPs will be blocked.

Any of my Gateways: The application will be able to receive and send data only to and from the Gateways assigned for that network, while any other IPs will be blocked.

Protocols

You can choose what protocol type an application can use. Note that if the application needs multiple protocol types, it might not work if only one protocol type is selected. In the Application rules tab, users can select TCP, UDP, or both.
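The following is an added example, not BullGuard code: a small Python model of how a per-application rule with the columns described on this page (Policy, Protocol, Direction, Ports, Remote hosts, Equal ports only, Application path) is evaluated against a connection attempt, plus the pop-up semantics from the "Adding applications" section (Yes/No, Remember my answer, and the 20-second default block). The class and function names, the sample rules, the case-insensitive path comparison and the known-application set are all assumptions made for illustration.

```python
"""Toy model of per-application firewall rule matching (added example, not BullGuard code).

Every column from the Application Rules tab is a field of AppRule; decide() applies
the rule that matches the application path and, as the page states, blocks any traffic
that falls outside the protocol/port/host details entered in the rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence, Tuple

ALLOW, BLOCK, ASK = "Allow", "Block", "Ask me"


@dataclass(frozen=True)
class AppRule:
    description: str
    application_path: str
    policy: str = ASK
    # Protocol column: TCP, UDP or both; anything else the application sends is blocked.
    protocols: FrozenSet[str] = frozenset({"TCP", "UDP"})
    directions: FrozenSet[str] = frozenset({"incoming", "outgoing"})
    # Ports columns: an empty set means "any port not otherwise closed".
    local_ports: FrozenSet[int] = frozenset()
    remote_ports: FrozenSet[int] = frozenset()
    # Remote hosts column: empty means any host; entries are ip_network objects.
    remote_hosts: tuple = ()
    equal_ports_only: bool = False


@dataclass(frozen=True)
class Connection:
    application_path: str
    protocol: str
    direction: str
    local_port: int
    remote_port: int
    remote_address: str


def traffic_fits_rule(rule: AppRule, conn: Connection) -> bool:
    """True when the attempt stays within the rule's protocol/direction/port/host details."""
    if conn.protocol not in rule.protocols or conn.direction not in rule.directions:
        return False
    if rule.local_ports and conn.local_port not in rule.local_ports:
        return False
    if rule.remote_ports and conn.remote_port not in rule.remote_ports:
        return False
    # "Equal ports only": the same port number must be in use on both ends.
    if rule.equal_ports_only and conn.local_port != conn.remote_port:
        return False
    if rule.remote_hosts:
        addr = ip_address(conn.remote_address)
        if not any(addr in net for net in rule.remote_hosts):
            return False
    return True


def decide(rules: Sequence[AppRule], conn: Connection,
           known_apps: FrozenSet[str] = frozenset()) -> str:
    """Return the Firewall's decision (Allow, Block or Ask me) for one connection attempt.

    known_apps (assumption) holds lower-cased paths from the "known application" database.
    """
    for rule in rules:
        # Windows paths are case-insensitive (assumption for this model).
        if rule.application_path.lower() != conn.application_path.lower():
            continue
        # Traffic outside the details entered in the rule is blocked, whatever the policy.
        return rule.policy if traffic_fits_rule(rule, conn) else BLOCK
    if conn.application_path.lower() in known_apps:
        return ALLOW  # known application: allowed automatically, notification only
    return ASK  # no rule yet: the Firewall prompts the user


def resolve_prompt(answer: Optional[bool], remember: bool, elapsed_seconds: float,
                   timeout_seconds: int = 20) -> Tuple[str, str]:
    """Model the pop-up: returns (decision for this run, policy stored in the new rule).

    answer is True for Yes, False for No, None if the user never clicked.
    """
    if answer is None or elapsed_seconds > timeout_seconds:
        return BLOCK, ASK  # no answer within the delay: blocked by default, asked again next start
    decision = ALLOW if answer else BLOCK
    return decision, (decision if remember else ASK)


def sample_rules() -> Tuple[AppRule, ...]:
    """Constructed sample rules for illustration (not real BullGuard defaults)."""
    return (
        AppRule("Mail client", r"C:\Program Files\Mail\mail.exe", ALLOW,
                protocols=frozenset({"TCP"}), directions=frozenset({"outgoing"}),
                remote_ports=frozenset({587, 993}),
                remote_hosts=(ip_network("203.0.113.0/24"),)),
        AppRule("Peer tool", r"C:\Tools\peer.exe", ALLOW,
                local_ports=frozenset({675}), equal_ports_only=True),
    )


if __name__ == "__main__":
    rules = sample_rules()
    mail = r"C:\Program Files\Mail\mail.exe"
    print(decide(rules, Connection(mail, "TCP", "outgoing", 51000, 993, "203.0.113.10")))
    print(decide(rules, Connection(mail, "TCP", "outgoing", 51000, 80, "203.0.113.10")))
    print(resolve_prompt(None, False, 25))
```

The "Peer tool" rule reproduces the port 675 example from the Ports section: with only a local port entered and the equal-ports option checked, an attempt using 675 on both ends is allowed while 675 to 676 is blocked. The mail rule shows the effect of narrowing a rule: the same application is blocked on a port, protocol or remote address not listed, which is exactly the situation in which the page says you may be asked to allow the application again after widening the rule.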