Problems with Application Blocking in Firewall

I've just installed Norton Internet Security 4.0 for Mac, on my Mac OS X 10.5 (24" iMac).  It ran fine until I tried to turn on Application Blocking --

 

1)  First, it automatically blocked /System/Library/Filesystems/AppleShare/check_afp, without prompting me to allow it to go out, unlike several other Internet applications.  I couldn't unblock it or allow it (when I tried to manually browse to the file to add it, Norton told me "Permission Denied").  Nothing seemed to be wrong, so I continued using the Mac, but after a while the Mac crashed on me. After restarting, I could not log in to any of the accounts; after logging in, the Finder refused to load and the screen stayed as the default wallpaper.  Only a forced shutdown followed by a Safe Mode boot, and uninstallation of Norton, worked.  After another reboot, the Mac OS alerted that there had been a crash in the check_afp application and asked for permission to send the logs to Apple.  It seems like check_afp crashed after not being able to access the network.

 

2)  I'm stubborn, so I tried reinstalling Norton.  Again, everything worked fine initially.  So I tried enabling Application Blocking again.  This time, no complaints about check_afp.  Went through the applications one-by-one to get them added to the whitelist.  Then, I tried switching to my wife's login, and it froze; I couldn't complete the login (the Finder didn't load, again) and had to force shutdown, Safe Boot, uninstall (just the Firewall this time), and reboot.

 

I opened the SQLite database saved under the "Saved Symantec Data" (SymAppBlockingLog); these are the applications listed as "Action=2", which I assume are the "Blocked" applications:

 

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker

/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/ATSServer

/System/Library/CoreServices/pbs

 

(The "direction" for all of these was "2", which appears to be for Outgoing traffic)

 

Am I a total idiot doing this wrongly, or is Application Blocking broken?

 

- J
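As an added example (not code from the thread or from Symantec), this is the kind of script one would use to pull the blocked outgoing entries out of a SQLite log such as the SymAppBlockingLog described above. The table and column names (`SymAppBlockingLog`, `path`, `Action`, `direction`) and the meaning of `Action=2` / `direction=2` are assumptions taken from the post; `list_tables` exists precisely because the real schema should be inspected before querying it. The rows are constructed sample data built from the paths quoted above plus one made-up "allowed" entry.

```python
import sqlite3

# Constructed sample rows modelled on what the thread describes (Action=2
# and direction=2 taken to mean "blocked" and "outgoing"). The table and
# column names are assumptions; inspect sqlite_master on the real file first.
SAMPLE_ROWS = [
    ("/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/"
     "Metadata.framework/Versions/A/Support/mdworker", 2, 2),
    ("/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer", 2, 2),
    ("/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/"
     "ATS.framework/Versions/A/Support/ATSServer", 2, 2),
    ("/System/Library/CoreServices/pbs", 2, 2),
    # constructed "allowed" entry so the filter has something to exclude
    ("/Applications/Safari.app/Contents/MacOS/Safari", 1, 2),
]

ACTION_BLOCKED = 2      # assumed meaning, as guessed in the thread
DIRECTION_OUTGOING = 2  # assumed meaning, as guessed in the thread


def open_log_readonly(path):
    """Open a real log file read-only so inspection can never alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory stand-in for the log, using the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE SymAppBlockingLog (path TEXT, Action INTEGER, direction INTEGER)"
    )
    conn.executemany("INSERT INTO SymAppBlockingLog VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def list_tables(conn):
    """First step on an unknown SQLite file: see which tables exist."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [r[0] for r in rows]


def blocked_outgoing(conn):
    """Paths logged as blocked outgoing connections, sorted by path."""
    rows = conn.execute(
        "SELECT path FROM SymAppBlockingLog WHERE Action = ? AND direction = ? "
        "ORDER BY path",
        (ACTION_BLOCKED, DIRECTION_OUTGOING),
    )
    return [r[0] for r in rows]


def classify(paths):
    """Separate OS-owned binaries (/System, /Library) from everything else,
    since the thread suggests those are the ones the UI never prompts for."""
    system = [p for p in paths if p.startswith(("/System/", "/Library/"))]
    other = [p for p in paths if p not in system]
    return system, other


if __name__ == "__main__":
    db = build_sample_db()
    print("tables:", list_tables(db))
    sys_paths, other_paths = classify(blocked_outgoing(db))
    for p in sys_paths:
        print("blocked (OS component):", p)
    for p in other_paths:
        print("blocked (third party):", p)
```

To use it against a real copy of the log, replace `build_sample_db()` with `open_log_readonly("/path/to/SymAppBlockingLog")`, check `list_tables` first, and adjust the column names in `blocked_outgoing` to whatever the file actually contains.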

Thanks for the quick response.

 

1.  I'm not logging in via any domain controller, Kerberos, etc.  Just plain-ol' vanilla local login.

 

2.  Yes, I am connecting to a network drive; primarily AFP with occasional SMB.  My AFP mounts are mounted at start-up using a script that calls "mount -a" and mounts the AFP drives using the configuration in "/etc/fstab".  This isn't a default configuration so it's possible that mount could be interacting with the Application Blocking somehow.

 

3.  Yes, I am using Fast User Switching (or whatever Apple calls it).  I didn't seem to have a problem with these 4 processes trying to make network connections when I logged in as the first user, only when I tried to switch to the second.  After that, however, I didn't seem able to log into either account.


Quick question–do all user accounts have the automatic AFP mount setup during login, or just the initial account?


I tried logging into an AFP server, and then fast user switching to a 2nd user account, but didn’t encounter any problems. However I am not sure if in your setup the 2nd user account has any AFP mounts setup during login, or just the 1st account.
 
Thanks,
Ryan 

All accounts.  It is added into the start-up using

 

sudo defaults write com.apple.loginwindow LoginHook /usr/local/bin/mountall

 

The contents of the mountall script:

#!/bin/sh
mount -a

 

 

By the way, I had previously also run this command in an attempt to get Mac OS X to mount the fstab mounts automatically, but it didn't work; there could be some interaction from this as well:

 

sudo defaults write /Library/Preferences/SystemConfiguration/autodiskmount AutomountDisksWithoutUserLogin -bool true

 For reference, the contents of my fstab file are:

 

afp://10.0.0.1/doc /Volumes/doc afp auto,rw,nodev,nosuid 0 0
afp://10.0.0.1/med /Volumes/med afp auto,rw,nodev,nosuid 0 0
afp://10.0.0.1/app /Volumes/app afp auto,rw,nodev,nosuid 0 0
afp://10.0.0.1/web /Volumes/web afp auto,rw,nodev,nosuid 0 0
afp://10.0.0.1/bac /Volumes/bac afp auto,rw,nodev,nosuid 0 0

 

 

 

 

Although I didn't replicate your exact problem, I did see some odd behavior when switching between two accounts. I'll try working on replicating your exact behavior tomorrow.

 

However, please try adding

/System/Library/CoreServices/pbs

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/ATSServer 

to your Application Blocking list, and making sure its setting is set to Allowed. These applications are pretty essential to Mac OS X, so I will add them to our internal whitelist next time, but adding them to your list might alleviate the problem.

 

You can add them via the application UI or via the command line interface (which might be easier since you seem to be comfortable with the command line, and these executables are in /System which isn't easily displayed in the UI). The command line tool is called 'npfx'.

 

Let me know if this works.

 

Thanks,

Ryan 

Added those two.  Re-enabled Application Blocking.  System crashed again; had to reboot into safe mode in order to login.

 

Apple's Error Reporting shows the following:

 

Thu Apr 23 21:00:15 2009
panic(cpu 1 caller 0x001A9C68): Kernel trap at 0x00198d3c, type 14=page fault, registers:
CR0: 0x8001003b, CR2: 0x00000014, CR3: 0x010df000, CR4: 0x00000660
EAX: 0x081e4974, EBX: 0x00000004, ECX: 0x00000001, EDX: 0x00000004
CR2: 0x00000014, EBP: 0x571fb598, ESI: 0x081e4974, EDI: 0x00000014
EFL: 0x00010212, EIP: 0x00198d3c, CS: 0x00000008, DS: 0x07a10010
Error code: 0x00000002

Backtrace (CPU 1), Frame : Return Address (4 potential args on stack)
0x571fb398 : 0x12b4f3 (0x45b14c 0x571fb3cc 0x1335e4 0x0)
0x571fb3e8 : 0x1a9c68 (0x464710 0x198d3c 0xe 0x463ec0)
0x571fb4c8 : 0x1a037d (0x571fb4e0 0x0 0x571fb598 0x198d3c)
0x571fb4d8 : 0x198d3c (0xe 0x7f10048 0x571f0010 0x130010)
0x571fb598 : 0x381637 (0x81e4974 0x14 0x4 0x380b87)
0x571fb608 : 0x38196e (0x81e4974 0x0 0x4 0x12154100)
0x571fb628 : 0x57be1fed (0x81e4974 0x4 0x12154100 0x14)
0x571fb678 : 0x57be2957 (0x81e4974 0x4 0x14 0x14)
0x571fb7d8 : 0x57be436a (0x571fbda4 0x0 0x2 0x2)
0x571fbc58 : 0x3923cb (0x6b79990 0xc0047a43 0x13d85684 0x0)
0x571fbcb8 : 0x3baa2e (0x6b79990 0xc0047a43 0x13d85684 0x0)
0x571fbcd8 : 0x57bfb58d (0x6b79990 0xc0047a43 0x13d85684 0x571fbcc0)
0x571fbd18 : 0x57bfc40c (0x6a1c004 0x571fbda4 0x0 0x0)
0x571fbdc8 : 0x57bfceec (0x6a1c004 0x0 0x8d6c804 0x12)
0x571fbe18 : 0x57bfda3c (0x6a1c004 0x0 0x8d6c804 0x12)
0x571fbeb8 : 0x57bf92c2 (0x6a1c004 0x6a1c2c5 0x6a1c5c8 0x6a1c150)
Backtrace continues…
Kernel loadable modules in backtrace (with dependencies):
com.apple.filesystems.afpfs(9.0)@0x57bed000->0x57c37fff
com.apple.nke.asp_tcp(4.7)@0x57be0000->0x57becfff

BSD process name corresponding to current thread: kernel_task

Mac OS version:
9G2030

Kernel version:
Darwin Kernel Version 9.6.1: Wed Dec 10 10:38:33 PST 2008; root:xnu-1228.9.75~3/RELEASE_I386
System model name: iMac9,1 (Mac-F2218FC8)

 

Same as the last time’s system crash; seems to be the AFP filesystem acting up again.  I’m going to try adding in “/System/Library/Filesystems/AppleShare/check_afp”, which was previously blocked (although this time I didn’t get any notifications of that, and the logs don’t show that either), to see if that helps.

 

The logs this time also show that the following application was blocked (again, like check_afp, I was not given a chance in the UI to allow it): “/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon”.  I will also try adding this to the allowed list to see if that helps.

 

Short update: Adding "check_afp.app" and "Microsoft AU Daemon" to the whitelist didn't help.  I was still not able to login after that.

 

I'll try adding the other two applications which were initially blocked upon login

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker

/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer

later to see if that helps, and post my results here.

 

It looks as if there are two classes of issues here:

 

1)  A few applications that are started at login that require network connections, that are started up before the UI is fully functional, and that hang while waiting for the network connection, which cannot be explicitly allowed by the user as the UI is not up yet; these include my original set of 4 applications that were blocked during login, from the logs:

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker

/System/Library/CoreServices/SystemUIServer.app/Contents/MacOS/SystemUIServer

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/ATSServer

/System/Library/CoreServices/pbs

2) The Application Blocking seems to have trouble with applications hosted in /System/ or /Library/, and seems to block these automatically without the user being given a chance to allow them.  This then results in blocked app notifications, and leads to the AFP processes being blocked, and AFP then crashes the system when it isn't able to handle being blocked.  So far, applications which have been summarily blocked include:

/System/Library/Filesystems/AppleShare/check_afp

/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon

Not sure if these two issues are related.

 

 

 

Message Edited by perlionex on 04-24-2009 11:26 AM
Message Edited by perlionex on 04-24-2009 11:27 AM

Thanks for the info. It's all very odd, because it looks like basically every application on your Mac is attempting to connect out. I'll have to try and replicate this behavior, but if adding the applications to the user-defined whitelist didn't help, it's even more odd. 

 

I will rebuild our internal whitelist and try and get you a copy of it before the weekend. The internal whitelist works a little differently, so it might make more of a difference (at least I hope it does).

 

Thanks, 

Ryan 

It works now, after adding all those applications to the whitelist.  I still get random /System/ applications being blocked (latest case: SpeechSynthesisServer.app) which I have to manually add to the whitelist using npfx.

 

One thing I've noticed is that any application needing to access files on my AFP drives is prompted for access to the "Internet".  This is probably because AFP drives are mounted as remote / non-local drives.  For example, opening a .txt file on the drive using TextEdit brings up a prompt by Application Blocking to allow TextEdit to access the Internet.  This could be why almost every application is prompting, and could be the reason for the start-up UI applications prompting for access too.

Opening any file on a remote volume will definitely cause Application Blocking to catch the file open. Same thing when you open the Open/Save window in an application. However, most applications don't need to access the remote filesystem (unless they need to access a file on those servers).  

 

I am wondering if some other application you have running during login is causing lots of files to be accessed on the remote volume, such as the Spotlight database or some file icons. The AFP filesystem is a kernel extension, so its activity is part of every process. If it tries to do something, Application Blocking will think it's part of the application, no matter what process is actually doing the activity. This is a limitation of Apple's socket APIs in the kernel. Are these volumes a Time Capsule or a remote Time Machine backup drive? Just a thought.

 

If you have time (and the interest), could you please run sudo fs_usage on the command line before you switch user accounts, and paste it here. The applications that are causing these alerts must be accessing some file on the remote volume, but I am wondering if it's all the same file. 

 

Thanks,

Ryan 
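As an added example (not code from the thread or from Symantec), this shows how the `fs_usage` capture Ryan asks for could be reduced to the answer he is after: which processes touch the AFP volumes during the user switch, and whether they all hit the same file. The sample lines are constructed in the general shape of `fs_usage` output (timestamp, syscall, call-specific fields, path, elapsed time, process.thread); the real column layout varies by call, so the parser deliberately relies only on the tokens that are stable. The mount points come from the fstab quoted earlier in the thread.

```python
from collections import Counter

# Mount points from the fstab quoted in the thread.
REMOTE_MOUNTS = ("/Volumes/doc", "/Volumes/med", "/Volumes/app",
                 "/Volumes/web", "/Volumes/bac")

# Constructed sample in the general shape of fs_usage output:
# timestamp, syscall, call-specific fields, path, elapsed time, process.thread.
# The exact columns of real fs_usage vary by call, so the parser below relies
# only on the first token, the second token, the last token and the token
# that looks like an absolute path.
SAMPLE_FS_USAGE = """\
21:00:15.000100  open       F=5  (R___)  /Volumes/doc/Report.txt      0.000120  TextEdit.2311
21:00:15.000300  stat64                  /Volumes/doc/.DS_Store       0.000040  Finder.2201
21:00:15.000500  stat64                  /Volumes/doc/.DS_Store       0.000038  Finder.2201
21:00:15.000700  getattrlist             /Volumes/med/Icon            0.000050  SystemUIServer.2254
21:00:15.000900  open       F=7  (R___)  /Users/j/Library/Prefs.plist 0.000015  pbs.2260
21:00:15.001100  open       F=8  (R___)  /Volumes/doc/.DS_Store       0.000090  mdworker.2287
21:00:15.001300  lstat64                 /Volumes/app/.DS_Store       0.000033  mdworker.2287
"""


def parse_fs_usage(text):
    """Return (process, syscall, path) for each line that names a path.

    Limitation: a path containing spaces is split by this tokeniser; a real
    capture with such paths needs fs_usage's fixed-width columns instead.
    """
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue
        path = next((t for t in tokens[2:] if t.startswith("/")), None)
        if path is None:
            continue
        # last token is "name.threadid"; keep only the process name
        process = tokens[-1].rsplit(".", 1)[0]
        records.append((process, tokens[1], path))
    return records


def on_remote_volume(path, mounts=REMOTE_MOUNTS):
    """True if path is a mount point itself or anything beneath it."""
    return any(path == m or path.startswith(m + "/") for m in mounts)


def remote_accesses(records, mounts=REMOTE_MOUNTS):
    """Keep only accesses that touch one of the AFP mount points."""
    return [r for r in records if on_remote_volume(r[2], mounts)]


def summarize(records):
    """Per-process access counts plus the most frequently touched path."""
    per_process = Counter(proc for proc, _, _ in records)
    per_path = Counter(path for _, _, path in records)
    top_path, top_count = per_path.most_common(1)[0] if per_path else (None, 0)
    return per_process, top_path, top_count


if __name__ == "__main__":
    remote = remote_accesses(parse_fs_usage(SAMPLE_FS_USAGE))
    per_process, top_path, top_count = summarize(remote)
    for proc, n in per_process.most_common():
        print(f"{proc}: {n} remote access(es)")
    print(f"most touched remote path: {top_path} ({top_count} times)")
```

Against a real capture, pipe the saved `fs_usage` output into `parse_fs_usage` and run `summarize` on the `remote_accesses` result; a single path dominating the count (as `.DS_Store` does in the constructed sample) is exactly the pattern Ryan is asking about.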

I'm using Time Machine using a HFS+ sparsebundle mounted from the AFP file share from my NAS.

 

Anyway, the system hung again, and I couldn't relogin again.  Had to do an uninstall / reinstall.  This time, the "Saved Symantec Data / SymAppBlockingLog" file saved on the Desktop was corrupted, so I can't find out what application caused the firewall to choke.  Is there any way I can set the Application Blocking to a learning mode or log-only mode while we get this debugged?  Alternatively, is there any way I can query the log and/or change the application settings from Safe Mode?  The UI applications won't work as the daemons aren't started in Safe Mode.  That way, I can at least debug this without having to uninstall / reinstall / reconfigure everything each time.

 

P.S. For the same reason, npfx doesn't work in Safe Mode either, because it also seems to be querying the SharedSettingsDaemon. I think I've located the SymAppBlockingLog in the filesystem (easy as I know the file name and can just do a search), plus it's easy to view as it's a standard SQLite database, but I don't know where the configuration database is stored, or if it's in a format I can easily view and edit using 3rd-party tools.

Message Edited by perlionex on 04-25-2009 05:51 PM

Any update on this? I’m leaving Application Blocking turned off until this can be resolved; after what I have listed above, are there any particular steps you want me to take now to help diagnose this?