How to identify and prevent programs from phoning home - gHacks Tech News

Network monitoring can be an eye-opener when it comes to the connections that programs running on a computer make.

I recently started to monitor network connections closely and decided to take a closer look at some popular programs installed on a Windows test machine, to check whether they phone home automatically.

The program I'm using for the monitoring is Fiddler. Keep in mind that Fiddler is an HTTP(S) debugging proxy: it only sees traffic from programs that honour the system proxy setting and speak HTTP or HTTPS. A packet capture tool such as Wireshark sees all traffic on the network interface, so it gives the more complete picture; Fiddler is the tool to reach for once you want to inspect the contents of an HTTP(S) request it has captured.

I set up Fiddler and watched its output while launching and using programs such as Bandizip, Steam and Firefox.

Some network connections are obviously required. When I enter an address in the Firefox address bar, for instance, I want that connection to be made.

But there are connections that the user did not initiate. Some may still be necessary or wanted, a check for updates for instance. If you monitor the connections closely, however, you may notice some that you do not consider essential or required at all.
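A proxy such as Fiddler only shows the HTTP(S) traffic routed through it, so it helps to also look at which process owns each connection. The following script is an added example, not part of the original article: it polls the TCP connection table, attributes each remote endpoint to its owning process, and uses the local DNS client cache to recover the hostname the program asked for. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-DnsClientCache exist; on Windows 7 the equivalent is an elevated netstat -bno. Run it, then launch the program you want to observe.

```powershell
# Added example (not from the article): attribute outbound TCP connections to
# their owning process and to the hostname the resolver recently answered for.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP and DnsClient modules).

function Get-PhoneHomeSnapshot {
    [CmdletBinding()]
    param(
        # Process names to watch; empty means every process.
        [string[]]$ProcessName = @()
    )

    # Reverse map IP -> name from the DNS client cache. Type 1 = A, 28 = AAAA.
    $dnsByAddress = @{}
    foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
        if (($entry.Type -in (1, 28)) -and $entry.Data) {
            $dnsByAddress[$entry.Data] = $entry.Entry
        }
    }

    $local = '127.0.0.1', '::1', '0.0.0.0', '::'
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin $local } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { "pid:$($_.OwningProcess)" }
            if ($ProcessName.Count -eq 0 -or $name -in $ProcessName) {
                [pscustomobject]@{
                    Process  = $name
                    Pid      = $_.OwningProcess
                    Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
                    HostName = $dnsByAddress[$_.RemoteAddress]   # $null if not cached
                    State    = $_.State
                }
            }
        }
}

# Usage: poll for 60 seconds and print each process/endpoint pair the first
# time it appears. Launch the program under test while this runs.
$seen = @{}
$deadline = (Get-Date).AddSeconds(60)
while ((Get-Date) -lt $deadline) {
    foreach ($c in (Get-PhoneHomeSnapshot)) {
        $key = "$($c.Process)|$($c.Remote)"
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            '{0:HH:mm:ss} {1,-20} {2,-22} {3}' -f (Get-Date), $c.Process, $c.Remote, $c.HostName
        }
    }
    Start-Sleep -Milliseconds 500
}
```

Because this samples the connection table twice a second, a request that opens and closes between two polls can be missed; a packet capture does not have that gap. The hostname column is empty when the program connected to a hard-coded address without a DNS lookup, which is itself worth noticing, since such a connection cannot be blocked through the hosts file.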

[Screenshot: bandizip connection]

Take the popular archive program Bandizip. It checks for updates by default, and it also connects to analytics.bandisoft.com on first start.

While you can disable the update check in the program options, you cannot disable the connection to the analytics host, nor the cookie it sets on the system.

Dealing with unwanted connections

Once you have identified an unwanted connection, you need a way to deal with it. You have several options, for instance a rule in a software or hardware firewall. Keep in mind that the Windows Firewall matches on program and destination address, not on domain name: a rule there either cuts a program off entirely or has to list the addresses the domain resolves to, which can change. Only a firewall or gateway that filters DNS can block a domain as such.
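For the case where you simply want a program to stay offline, a per-program outbound block rule is the cleanest firewall option. The script below is an added example, not code from the article or from Bandisoft: it creates (idempotently) and removes such a rule with the NetSecurity cmdlets, which assumes Windows 8 / Server 2012 or later and an elevated prompt. The Bandizip path is an assumption; adjust it to your installation.

```powershell
# Added example (not from the article): block all outbound traffic of one
# program with a Windows Firewall rule. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module) and an elevated PowerShell prompt.

function Block-ProgramOutbound {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProgramPath,
        [string]$RuleName = "Block outbound: $(Split-Path -Leaf $ProgramPath)"
    )
    if (-not (Test-Path -LiteralPath $ProgramPath)) {
        throw "No such program: $ProgramPath"
    }
    # Idempotent: re-running does not pile up duplicate rules.
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    # Block rules win over the default outbound Allow action, so no other
    # rule is needed for this program.
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Program $ProgramPath -Profile Any -Enabled True
}

function Unblock-ProgramOutbound {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$RuleName)
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
}

# Usage (assumed install path):
$bandizip = 'C:\Program Files\Bandizip\Bandizip.exe'
Block-ProgramOutbound -ProgramPath $bandizip

# Confirm the rule exists and is bound to the intended binary.
Get-NetFirewallRule -DisplayName 'Block outbound: Bandizip.exe' |
    Get-NetFirewallApplicationFilter |
    Select-Object Program

# To lift the block again:
# Unblock-ProgramOutbound -RuleName 'Block outbound: Bandizip.exe'
```

The trade-off is that this also blocks the update check. Allowing update.bandisoft.com while blocking analytics.bandisoft.com is not something a program rule can express; that distinction has to be made at name-resolution level, which is what the hosts file approach below does.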

One of the easier options is to use the hosts file that every version of Windows ships with. Let me walk you through the steps of blocking the Bandizip analytics domain, so that programs on your system can no longer reach it by name.

  1. Open File Explorer on your system. You may do so with the shortcut Windows-E, or by clicking on its icon in the taskbar.
  2. Navigate to C:\Windows\System32\drivers\etc.
  3. Copy the hosts file to your desktop. The directory is write-protected for standard users, so you cannot save changes there unless your editor runs elevated (right-click Notepad and select Run as administrator, then open the file); copying the file out and back in is the alternative.
  4. Right-click on the hosts file on the desktop and open it in Notepad or another plain-text editor.
  5. Optionally add the line 0.0.0.0 0.0.0.0 at the top. It is not required for the block to work; the resolver handles 0.0.0.0 entries without it.
  6. Add the line 0.0.0.0 analytics.bandisoft.com
  7. Save the document as plain text. Make sure the editor does not append a .txt extension and does not save it in a Unicode (UTF-16) encoding, which the resolver does not read.
  8. Copy it back to C:\Windows\System32\drivers\etc and confirm the replacement when Windows asks for administrator approval.

This blocks connections to analytics.bandisoft.com because every program that resolves the name through the system resolver now gets 0.0.0.0 instead of the host's real IP address. Run ipconfig /flushdns afterwards, or a previously cached answer may still be used. Note that the hosts file only affects name resolution: a program that connects to a hard-coded IP address, or that does its own lookups (through a proxy, or over DNS-over-HTTPS), bypasses it entirely.

Why 0.0.0.0 and not 127.0.0.1? Because 0.0.0.0 is not a routable address, so the connection attempt fails immediately. With 127.0.0.1 the request is sent to your own machine instead, where a local web server or other service listening on that port would receive it, and the resulting wait or error can be slower.
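The same edit can be made from an elevated PowerShell prompt without copying the file around. The script below is an added example, not from the article: it appends a 0.0.0.0 entry for a hostname only if none exists, keeps a backup, writes ASCII so the file stays readable by the resolver, flushes the DNS cache, and then checks through the system resolver (which consults the hosts file) that the name now resolves to 0.0.0.0. The hostname is the one from the article; the .bak name and function names are my own.

```powershell
# Added example (not from the article): add a hosts-file block entry from an
# elevated prompt and verify that the system resolver honours it.
# Assumes the hosts file at its default Windows location.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Add-HostsBlock {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Path = $HostsPath
    )
    if (-not (Test-IsElevated)) {
        throw "Run this from an elevated PowerShell; $Path is not writable otherwise."
    }

    # Skip if an uncommented entry for this name already exists (any address),
    # so repeated runs do not add duplicate lines.
    $pattern = '^\s*\S+\s+' + [regex]::Escape($HostName) + '(\s|$)'
    $lines = @(Get-Content -Path $Path -ErrorAction Stop)
    if ($lines | Where-Object { $_ -match $pattern -and $_ -notmatch '^\s*#' }) {
        Write-Verbose "$HostName is already present in $Path"
        return $false
    }

    Copy-Item -Path $Path -Destination "${Path}.bak" -Force   # keep a copy to roll back

    # Start the new entry on its own line and write ASCII: a hosts file saved
    # as UTF-16 ("Unicode" in Notepad) is ignored by the resolver.
    $raw = [IO.File]::ReadAllText($Path)
    $prefix = if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
    [IO.File]::AppendAllText($Path, "${prefix}0.0.0.0 $HostName`r`n", [Text.Encoding]::ASCII)

    ipconfig /flushdns | Out-Null   # drop a cached real answer for the name
    return $true
}

function Test-HostsBlock {
    param([Parameter(Mandatory)][string]$HostName)
    # Resolve through the system resolver (hosts file first), not raw DNS.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object IPAddressToString
    } catch { return $false }
    $addrs -contains '0.0.0.0'
}

# Usage:
Add-HostsBlock -HostName 'analytics.bandisoft.com' -Verbose
if (Test-HostsBlock -HostName 'analytics.bandisoft.com') {
    'analytics.bandisoft.com now resolves to 0.0.0.0'
} else {
    'name still resolves to a real address; check the hosts file and proxy settings'
}
```

If the final check fails although the line is present, the usual causes are a proxy configured in the program or system (the proxy does the lookup, not your resolver) or a cached answer that was not flushed. Remember also that a hosts entry covers only the exact name: sub.analytics.bandisoft.com is a different entry, since the hosts file does not support wildcards.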

Closing Words

It takes time to monitor and identify unwanted connections on a system. A firewall can help if it is configured to prompt whenever a program establishes a new connection for the first time; the built-in Windows Firewall does not prompt for outbound connections, so that requires a third-party firewall.


Comments

  1. Chris Granger said on August 15, 2015 at 10:30 am

    I use another Bandisoft program, their Honeyview image viewer, and I noticed a while back that it too places a cookie on the system. I found that cookie using CCleaner. When people think of cookies, I’m sure many generally believe that’s something only web browsers do, but it’s sadly not the case.

  2. Nebulus said on August 15, 2015 at 10:39 am

    Fiddler captures HTTP and HTTPS traffic, so it is of limited usefulness in debugging unwanted outgoing communications. Wireshark monitors all traffic, so it is superior in this area. You will want to use Fiddler when you discover an HTTPS communication and you are interested in its contents.

    Another interesting tool that can be used to monitor computer communication is Microsoft Network Monitor 3.4. I was forced to use it because Winpcap (the capture engine used by Wireshark) had some incompatibility with the Comodo firewall driver, and I didn’t want to give up using Comodo as firewall. Anyway, Microsoft Network Monitor does its job pretty well, can export files in a format that can be read by Wireshark and has an interesting feature: it can show traffic per application, so you can see what each application tried to do from a network perspective.

    1. ams said on August 15, 2015 at 5:37 pm

      Thanks for calling attention to the inadequacy of just using fiddler. This article leaves the reader half-informed. Implying “Just use fiddler. Boom, you’re now omniscient” fosters a false sense of security. Oh well, at least the article represents an attempt to “raise awareness”.

  3. Pants said on August 15, 2015 at 10:50 am

    You said you were on a Win7 machine – if you open Notepad as Administrator, and then open hosts, you can edit it directly in the C:\Windows\System32\drivers\etc directory.

    Otherwise, BlueLife Hosts Editor is rather handy (and portable) http://www.sordum.org/8266/bluelifehosts-editor-v1-1/

  4. Tim said on August 15, 2015 at 1:57 pm

    For something like this, wouldn’t outbound firewall whitelisting be better than using the hosts file? Or are you thinking along the lines of you want Bandizip to be able to connect to update.bandisoft.com, but not analytics.bandisoft.com?

    However, ignoring the firewall option, I wonder whether some kind of system wide parental blocking feature would do a better job than the hosts file? The problem with hosts file is that it doesn’t allow wildcards, so although blocking one URL is pretty straight forward, it’s a problem when they use multiple subdomains, as you have to sit there trying to capture them all and you don’t necessarily know when they’re going to phone home.

    Blocking *.bandisoft.com and then whitelisting update.bandisoft.com for example would be a lot easier than trying to manually block a whole list of subdomains.

  5. Tom Hawack said on August 15, 2015 at 2:51 pm

    With new applications I generally test their phoning by using NirSoft’s TcpLogView.
    If the application has phoned for no legitimate reason (i.e. update check I’ve decided, not if the app decides for me) then I decide to manage its connection with a small software called Firewall App Blocker (FAP) available at sordum dot org. FAP simply creates an in/out rule in the Windows firewall to block the connection of the calling application. Extremely simple scheme. Rules can be paused and removed of course from FAP itself.

    1. Jeff said on August 15, 2015 at 5:52 pm

      omg, Firewall App Blocker is great! thanks a bunch for the heads up on that! This makes it SO easy to add a bunch of exe’s from the same folder/app in one go, taking away the tedium of doing it manually in windows firewall. merci!

    2. Badger said on October 21, 2015 at 5:00 pm

      FAP – excellent recommendation. Thank you!!

  6. dan said on August 15, 2015 at 6:34 pm

    Martin,

    If you use the 0.0.0.0 as you suggest, do you remove the 127.0.0.1 localhost lines at the top, or leave them in? In other words, should the top of the file look like this:

    0.0.0.0 0.0.0.0
    127.0.0.1 localhost
    ::1 localhost
    0.0.0.0 click.buzzcity.net
    ……

    Or like this?

    0.0.0.0 0.0.0.0
    0.0.0.0 click.buzzcity.net
    …….
    etc.

    Thanks for this suggestion!

    1. Martin Brinkmann said on August 15, 2015 at 6:58 pm

      Keep it ;)

  7. Dave said on August 15, 2015 at 7:11 pm

    Thanks Martin this was helpful. Nasty Bandizip!

  8. hirobo2 said on August 15, 2015 at 11:19 pm

    What if you want to block a wildcard domain, for instance *.googlesyndication.*, will it work when you add the asterisks to hosts?

    1. Ray said on August 17, 2015 at 12:12 am

      No. Hosts files do not accept wildcards.

      You need to use something like Acrylic DNS Proxy, which has a hosts file that accepts wildcards.

  9. Gabriel said on August 16, 2015 at 12:24 am

    There’s a hosts manager called HostsMan
    http://www.abelhadigital.com/hostsman
    This program is very good.

  10. Hy said on August 17, 2015 at 11:29 am

    For blocking connections within Firefox itself, I prefer BlockSite Plus: https://addons.mozilla.org/en-us/firefox/addon/blocksiteplus/

    For blocking connections system-wide, both Emsisoft Anti-Malware and Emsisoft Internet Security have a “Surf Protection” component which I find provides a very handy way to fine-tune one’s Hosts file. Rather than simply “Allow” or “Block”, you have the choice of Blocking Silently always, Blocking and Notifying, and Alerting, so you can sometimes allow the connection if it is necessary in that particular instance, but otherwise block it when it occurs in other contexts.

    What I miss dearly is the extremely granular information Emsisoft’s now-discontinued Online Armor firewall and HIPS provided. If anyone knows a good replacement for Online Armor, another program which provides such detailed firewall and HIPS information, I’d love to know. I tried Comodo but found it excessively complicated. I’m open to using two programs (one firewall, one HIPS) to replace Online Armor. Thanks!

  11. Judy Kettenhofen said on August 17, 2015 at 11:33 am

    I have not yet used either fiddler (which I only recently found out about) or wireshark (which I’ve known about before) — more on that in a moment.
    I have found this can be a very useful hosts file, and will block, avoiding you having to track down these bad guys in the first place.
    WARNING: there may actually be some sites in there you want, so be sure to check it out. It’s 497kb in length — but if it blocks you from sites you actually want, you’ll find out soon enough. Further, they give you instructions on the care and feeding of your hosts file on various versions of Windows:

    http://winhelp2002.mvps.org/hosts.htm

    What I do use to monitor connections is use the SysInternals tcpview. The SI tools were apparently helpful in tracking down what was going on with stuxnet.

    The SysInternals Suite can be found here:
    https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx (it’s free)

    Just did a search on ghacks.net for SysInternals…I didn’t find as many references as I would have expected for this very savvy site!

    1. Hy said on August 17, 2015 at 3:48 pm

      It has seemed to me recently when doing searches on gHacks that the site’s search engine seems to be acting differently lately. It seemed to be returning only results which had my search term(s) in the article headline, and what I was looking for was either in the body of the article, or in the comments, and thus it was not showing up in the results. I could be wrong about this; that’s just how it seemed to me recently.

      I succeeded in finding what I was looking for instantly by using the “Search this site” feature of the Ixquick toolbar. One can also use the “search this site” feature of their favorite search engine right from that search engine’s web page, as long as the proper search syntax is used.

      1. Judy Kettenhofen said on August 17, 2015 at 7:51 pm

        Thanks for the reply … I can’t really speak to your searches, only my own — which were done from Google.
        When I see a result which surprises me, I also look to see for ways in which the results I pulled up were wrong or skewed.

        Now, back to the topic … and my comments about how or why MVPS hosts file and the SysInternals TCPView would appear to offer additional help to the initial concerns…

        …I’d love to see a pro & con discussions about the various options. At least with TCPView, I don’t have to install a VM … :)

        Thanks again!

  12. ann said on August 17, 2015 at 11:55 am

    Martin, there is a way to directly edit the hosts file.

    1. start => notepad => right click and run as administrator
    2. now open your hosts file
    3. save.

    the problem with that is that you’ll have to start notepad as admin.
    alternative, just edit it, found out that you can’t save there, so save it on your desktop.
    then move it back to %windir%\system32\drivers\etc

    1. Judy Kettenhofen said on August 17, 2015 at 7:53 pm

      Ann,
      If people go to the mvps.org site, they go, in detail, into the best ways to edit the hosts file on the various flavors of Windows. It really is quite an excellent resource… :)

      The MVP in the site name comes from the honored “MVP” designation given by Microsoft to various 3rd party contributors.
