The Application rules tab is the main part of the extrusion detection system and allows you to decide which applications are allowed to access your network connection. You can access this section from the main BullGuard window by clicking on the (...) button from the Firewall box and choosing Manage rules.
The Application rules tab is actually a table that contains some predefined rules and all the installed programs that try to either send or receive information through the active network connection.
Description: shows the name of the Firewall rule (it may not be the exact name of the executable file for which the rule has been created). You can rename the rules anytime.
Policy: shows what action the Firewall will take regarding a specific application: Allow, Block or Ask me.
- Allow: the application will be able to send and receive information through the network.
- Block: the Firewall will block any information packet this specific application will attempt to send or receive. As a side effect, if the application depends on the network connection to run, it will not work.
This option is an effective means to deal with worms, Trojans or ‘dropper’ viruses as these require an internet connection in order to spread.
- Ask me: the Firewall will prompt you each time the application starts and ask you to decide whether to allow or deny the use of the network connection. The pop-up question from the Firewall will remain on screen until you provide an answer and the application will be blocked in the meantime.
Protocol: this tells you what protocol type the Firewall will allow that application to use (any other data the application might send/receive through other protocol types will be blocked by the Firewall).
Direction: the direction of the traffic for a specific application (incoming or outgoing).
Ports: the ports the Firewall will allow the application to use (any other data the application will send/receive through other ports will be blocked). If no port is specified, the application will be able to use all ports available and that are not specifically closed by the Firewall or due to any network restrictions (some Internet Service Providers will prefer to keep high risk ports closed for their network).
Remote hosts: the IP address to which the application will connect to send or receive data (any other data sent to other IPs will be blocked by the Firewall). If there is no IP address entered in the Remote Hosts field, the application will be able to send or receive data to and from all IPs.
Equal ports only: this option will establish a peer relationship between the local and remote hosts' port usage. The Firewall will allow information to be sent or received by the application as long as the data leaves the computer through a port number that is the same on the destination computer.
Application path: will show where the executable file associated with the Firewall rule can be found.
Automatically create rules for known programs: allows the Firewall to create a rule for each program found in the ‘Known Application’ database. The Firewall will only display a pop-up message in the lower right corner of the screen notifying you that an application has been automatically allowed to connect to the internet.
Interacting with rules
You can interact with any of the rules in this tab by using the right click contextual menu that offers several options on managing the applications list.
New rule (Insert key): will add a new rule to this tab.
Remove selected rules (Delete key): will delete the selected rule.
Remove orphan rules: a clean-up listing option that will remove all rules that no longer have an executable file associated.
Move the rule up/down (ALT+Up/Down key combination): will move the selected rule or rules up or down on the list.
Copy cell text (CTRL+C key combination): will copy the current selection.
Explore application: will open a browser window displaying the location of the executable associated with the rule.
Properties (ALT+Enter key combination): will open the Windows properties information for the executable file associated with the rule.
Adding applications to the Application rules tab
Immediately after installing BullGuard, the Firewall will start asking you about certain applications. However, the module has a “Known Application” database that lists the applications to be automatically allowed (applications vital for the operating system or the most common ones). In these cases, you will only see a notification balloon. This way, you won’t be flooded with a lot of pop-up windows.
If a certain application is not in the Firewall database, you will notice a pop-up window that asks you whether to allow or block the application from the network connection.
Possible answers to the Firewall pop-up window:
Allow: the Firewall will allow the application to connect to the network/internet until the rule is changed or you edit it, and will add the application to the Firewall application list with the Allow status.
Don’t allow: the Firewall will block the application from connecting to the network/internet until the rule is changed or you edit it, and will add the application to the Firewall application list with the Block status.
Allow Once: the Firewall will allow the application to connect to the network/internet until it is closed and restarted. The application will be added to the Firewall application list with the Ask status and the Firewall will ask you about it every time it starts.
More information: presents you with additional information about the executable file BullGuard intercepted.
Full path: displays the location of the executable file on your hard drive.
Version: displays the executable file’s version number (if available).
Process ID: displays the executable file’s ID number as assigned by the operating system. This is the same ID number as shown in the Windows Task Manager.
Command line: will show if the executable file was started with any specific parameters or commands (such as “starting” minimized or displaying a splash screen).
Parent Process: displays the Process ID number for the executable file’s parent process.
File size: shows the executable file’s size in bytes.
Last modified: displays the last time the executable file was modified.
Direction: states the traffic direction (outgoing or incoming), that is, whether the application was trying to send information to or receive information from the network.
Protocol: shows what protocol the application used when sending or receiving data.
Remote address: shows the IP address of the computer/server the application was trying to connect to.
Remote hosts: the Firewall will try to resolve the IP address and will display the remote host’s name if possible.
Manually adding/removing an application to the Firewall rules
To add or remove an application, go to the Application Rules tab and right click any of the applications from the list.
Then choose the New rule option or just press the Insert key on your keyboard.
A new window (browse window) will open up and allow you to find the executable file from the application you need to add in the Firewall list. Select the executable file you wish to associate with the rule and then click Open.
By default, the newly created rule will have the Ask me policy. Thus you will need to switch the policy to Allow if you want the application to connect to the network each time it starts.
Customizing application rules
By default, when first answering a question regarding an application, the Firewall will create a general rule that will apply to that program for all protocols, IPs and ports.
You can modify this rule as needed. Note that once you make such modifications, traffic will only be allowed for the details you entered, and any traffic to other IPs/ports or through different protocols will be blocked. For some applications you may want to restrict access to a specific IP address, protocol type or port number. If the application later needs other ports or hosts, you may be asked to allow it access once again.
This is where you can restrict traffic by using specific application ports. Note: if the application was not designed to run on the user-defined ports, the program may not run properly.
Edit local Ports: will make the application send/receive data only through the specified ports on the local computer. Any information packets coming through other ports will be blocked.
Edit remote Ports: will make the application send information packets to a remote computer only for the specified ports. The program will also receive information sent from a remote computer if the data has been sent from the remote computer only through the specified ports. Any other packets will be blocked.
These details can be used together with the When local and remote ports are equal option. This option will establish a peering relationship between the local and remote hosts' port usage. For example: if you only enter local port 675 and check the above option, the Firewall will allow traffic for that specific application only if the packets being sent/received use port 675 on both the local and the remote computer. That means the only communication between the two computers will occur through port 675.
To restrict access to/from an IP or IP range, double click on the Hosts button from the Hosts column in order to enter a specific IP. The application will receive/send data only to those specific IPs; any other incoming or outgoing packets will be blocked.
You can also add a range of IPs from a predefined group so that the application will receive/send data only to the IPs in that group. Any other incoming or outgoing packets will be blocked. You can define the trusted/untrusted subnets or networks from the Settings > Advanced > Firewall > Networks tab.
Any host from my subnets: will allow traffic only to the local networks (trusted and untrusted) that are included in the network where that computer is located, while blocking the rest of the IPs. You can see the trusted/untrusted subnets in the Networks tab from the Firewall settings section.
Any host from my TRUSTED subnets: will allow traffic only for the IPs belonging to the trusted networks, while blocking any other IPs.
Any host from my UNTRUSTED subnets: will allow traffic only for the IPs belonging to the untrusted networks, while blocking any other IPs.
Any of my DNS servers: the application will be able to receive and send data only from and to the DNS servers assigned for that network, while any other IPs will be blocked.
Any of my Gateways: the application will be able to receive and send data only to and from the Gateways assigned for that network, while any other IPs will be blocked.
Any of my WINS servers: the application will be able to receive and send data only to and from the WINS servers assigned for that network, while any other IPs will be blocked.
You can choose what protocol type an application can use. Note that if the application needs multiple protocol types, it might not work if only one protocol type is selected. In the Application rules tab, you can select TCP protocols, UDP protocols or both.
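The following is an added example, not BullGuard's own code, modelling how a customized application rule (policy, protocol, direction, local/remote ports, the Equal ports only option and a host restriction) decides whether a packet is allowed; the rule names, the 192.168.1.0/24 subnet standing in for a trusted subnet, and the packet values are all constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """One row of the Application rules table (an assumed model, not BullGuard's code)."""
    description: str
    policy: str                                       # "Allow", "Block" or "Ask me"
    protocols: set = field(default_factory=lambda: {"TCP", "UDP"})
    directions: set = field(default_factory=lambda: {"incoming", "outgoing"})
    local_ports: set = field(default_factory=set)     # empty = any local port
    remote_ports: set = field(default_factory=set)    # empty = any remote port
    remote_hosts: list = field(default_factory=list)  # empty = any host (ip_network objects)
    equal_ports_only: bool = False

@dataclass
class Packet:                 # constructed view of one packet the application sends/receives
    protocol: str
    direction: str
    local_port: int
    remote_port: int
    remote_ip: str

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet stays inside every detail entered in the rule."""
    if pkt.protocol not in rule.protocols or pkt.direction not in rule.directions:
        return False
    if rule.local_ports and pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_ports and pkt.remote_port not in rule.remote_ports:
        return False
    if rule.equal_ports_only and pkt.local_port != pkt.remote_port:
        return False                                  # "Equal ports only" peering check
    if rule.remote_hosts and not any(ip_address(pkt.remote_ip) in n for n in rule.remote_hosts):
        return False
    return True

def decide(rule: Rule, pkt: Packet) -> str:
    """Apply the application's rule: traffic outside the entered details is blocked."""
    if rule.policy == "Block":
        return "Block"
    return rule.policy if rule_matches(rule, pkt) else "Block"

# Constructed rules: the page's "local port 675 with equal ports" case, and a rule
# limited to an assumed trusted subnet (192.168.1.0/24 stands in for "my TRUSTED subnets").
PEER_675 = Rule("peer-app.exe", "Allow", local_ports={675}, equal_ports_only=True)
TRUSTED_ONLY = Rule("lan-tool.exe", "Allow", protocols={"TCP"},
                    remote_hosts=[ip_network("192.168.1.0/24")])
```

With PEER_675, a packet using port 675 on both ends is allowed while 675 to remote port 80 is blocked; with TRUSTED_ONLY, UDP traffic is blocked even to a trusted host because only TCP was selected.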