Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Firewall leak problem (https://forum.exetools.com/showthread.php?t=16203)

Kerlingen 09-23-2014 22:33

Firewall leak problem
 
I'm having a problem with a program that is able to bypass my firewall without asking for permission first. Well, the program itself is not the problem, but the fact that probably any malware could do it the same way.

First some basics:
The program comes as x86 and x64 version.
The program can be installed, but also runs as "portable" software.
The program does not need admin privileges to run or to bypass the firewall.
Every version is able to connect by HTTP port 80 to a webserver located on the internet.

Now the story:
I was running the program and used "check for updates" from the help menu. It told me "you're running the latest version". I was confused, since my firewall didn't pop up and ask me if I wish to allow internet access to the program.

Then I started my network monitor and did the update check again. I could clearly see a connection to port 80, HTTP protocol, requesting "/update.php" and a response from the server with the current version number.

Then I fired up my connection monitor, tried again and found out that the connection is made by the file "svchost.exe". I thought of some trojan using the same name, but it turned out that the real Windows service was the one which initiated the connection.

Since "svchost.exe" acts as a proxy for many different services, I checked the process ID which had initiated the connection and ended up at "ProfSvc", the User Profile Service.

Since this is an essential Windows service which you cannot turn off and which you cannot deny network access to without crippling your system I'm now stuck.

Does anybody know how you can access the internet with the help from this service and how to prevent it?

Like I said before, a legitimate software is using this way to check for updates, it's not a trojan horse or something like that.
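The attribution chain the post describes (connection to port 80, owning PID, services hosted in that svchost.exe) can be reproduced from PowerShell without a third-party monitor. The script below is an added example, not code from the thread; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and a non-elevated shell (reading service PIDs via WMI does not need admin). The port number and the function name are choices made for the example.

```powershell
# Added example: map established outbound TCP connections to the owning process
# and, when that process is svchost.exe, to every service hosted in that PID.
# Assumes Get-NetTCPConnection (Windows 8 / Server 2012 and newer).

function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Only report connections to this remote port; 80 matches the HTTP
        # update check described in the thread.
        [int]$RemotePort = 80
    )

    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
             Where-Object { $_.RemotePort -eq $RemotePort }

    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $svcNames = @()
        if ($proc -and $proc.ProcessName -ieq 'svchost') {
            # Several services can share one svchost.exe, so list all of them;
            # the PID alone cannot tell BITS apart from ProfSvc if both live there.
            $svcNames = Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
                        Select-Object -ExpandProperty Name
        }
        [pscustomobject]@{
            LocalPort  = $c.LocalPort
            RemoteAddr = $c.RemoteAddress
            RemotePort = $c.RemotePort
            PID        = $c.OwningProcess
            Process    = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Services   = ($svcNames -join ',')
        }
    }
}

# Run the update check in the program, then list who owns the port-80 connection.
Get-ConnectionOwner -RemotePort 80 | Format-Table -AutoSize
```

On the Windows versions current when this thread was written, one svchost.exe typically hosted a whole service group, which is why the Services column can list several names for a single PID and why the original poster had to fall back to the thread ID. Since Windows 10 version 1703, on machines with more than 3.5 GB of RAM most services run in their own svchost.exe instance, so the PID usually identifies exactly one service. The classic alternative, `netstat -bno`, gives the same process mapping but requires an elevated prompt.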

The Old Pirate 09-24-2014 00:44

First thought that came to my mind was that the program might be using BITS (Background Intelligent Transfer Service).

Are you sure about ProfSvc?
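If the suspicion above is right, the program only queues a job and the BITS service, which itself lives inside an svchost.exe, performs the actual HTTP transfer. The script below is an added example and not code from the thread or from the program being discussed; it assumes the built-in BitsTransfer PowerShell module, a placeholder URL (the thread never names the real update server), and an elevated shell only if -AllUsers is used.

```powershell
# Added example: hand a download to BITS and then enumerate BITS jobs so that an
# svchost.exe connection can be matched to the job (and owner) behind it.
# Assumes the BitsTransfer module shipped with Windows 7 and newer.
# The URL is a placeholder, not the update server from the thread.

Import-Module BitsTransfer

function Start-UpdateCheckViaBits {
    param(
        [string]$Url  = 'http://updates.example.invalid/update.php',  # placeholder
        [string]$Dest = (Join-Path $env:TEMP 'update-check.txt')
    )
    # -Asynchronous returns at once; the transfer runs inside the BITS service,
    # so a per-process firewall sees svchost.exe opening the connection, not the
    # script or program that queued the job.
    Start-BitsTransfer -Source $Url -Destination $Dest -Asynchronous -DisplayName 'update-check'
}

function Get-BitsJobUrls {
    param([switch]$AllUsers)   # -AllUsers needs an elevated shell
    $jobs = if ($AllUsers) { Get-BitsTransfer -AllUsers } else { Get-BitsTransfer }
    foreach ($j in $jobs) {
        [pscustomobject]@{
            Job   = $j.DisplayName
            State = $j.JobState
            Owner = $j.OwnerAccount
            Urls  = ($j.FileList | ForEach-Object { $_.RemoteName }) -join ', '
        }
    }
}

$job = Start-UpdateCheckViaBits
Get-BitsJobUrls | Format-Table -AutoSize

# Remove the example job so BITS does not keep retrying the placeholder URL.
Remove-BitsTransfer -BitsJob $job
```

The useful check here is the Urls column: if a job's RemoteName matches the "/update.php" request seen in the network monitor, the download was delegated to BITS and the firewall attribution to svchost.exe is explained. If no BITS job exists while the connection is open, BITS is not the channel and another service in that svchost.exe has to be examined.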

SubzEro 09-24-2014 01:27

look here


Conquest 09-24-2014 01:43

Edit the HOSTS file in Windows and add the IP to localhost. You are done.

Kerlingen 09-24-2014 02:14

I'm not trying to block this software. That's one of the reasons I didn't name the software here. This software is legitimate and I would have allowed it internet access if my firewall asked for it. Or why should I willingly click on "check for updates" if I didn't want it to access the internet?

I'm trying to block any other (possible malicious) software from using the same approach to access the internet, since obviously my firewall would allow any other traffic using this method without asking me.

@The Old Pirate:
I checked the Thread-ID, unless something was showing up wrong only ProfSvc had an active connection to the IP address.

Conquest 09-24-2014 03:26

My bad. This may not be an exact answer, but I hope these docs will help you:

http://www.nirsoft.net/dll_information/windows8/profsvc_dll.html

http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/

Since you said ProfSvc.dll is initiating the connection, all that comes to my mind is a compromised DLL or a hooked one. I don't see any reason for Windows DLLs to connect to 3rd-party software and aid them in updating.

More details or the exact behavior will help in determining the problem. I suggest you use an API logger to check the program's behavior.

ArC 10-19-2014 23:48

Does the binary of the application in question happen to be signed maybe? I don't know what firewall you use, but Comodo Firewall for example automatically adds executables signed by 'trusted vendors' to its internal database of safe files and allows them to access the internet without confirmation. Thankfully this behaviour can be disabled.

Kerlingen 10-20-2014 18:19

Like I already said, not the software itself but svchost.exe is the one initiating the connection. I can't find any suspicious services, so I assume the connection is made by using some documented or some undocumented (but open) service calls.

wd369 01-07-2015 17:03

Maybe this software is using another HTTP program/component to access the Internet.

LaDidi 01-08-2015 23:08

@Kerlingen:
Hi,

What is your operating system?
Sure you don't use Windows Firewall?
If it's SvcHost, maybe it used a COM component.
Give the name of the proggy and we can try.

Regards.

