
I wonder how much improvement can be had by installing an application firewall and restricting everything that doesn't need networking for its primary functionality.


Not much. A lot of this sort of functionality is offloaded onto opaquely named services. So now you have to decide if some access should or should not be allowed; but with very little information as to what process will in the end use that access. I used Glasswire for a long time, and when you install it on a new machine you get a lot of allow/block notifications; but then if you go back and look at the 'rule set' that was built up that way some months later, it's really hard to see what was blocked for what reason and if you actually should be blocking it.

One example is embedded IE/Edge views. It seems that those are a process of their own (sometimes), likely out-of-process COM instances. But if you want to allow one program to access the network that way but not another one, well there is (to my knowledge, and I haven't really looked into this) no way to do that. Same for the 'background download' service, the search service mentioned in the OP (although that's only used internally by Windows afaik, but by several sub-components), etc.

Not to mention, there isn't a whole lot of software left that doesn't need at least some networking for its 'primary' functionality. Whether that's by design I don't know. I blame engineers and marketing/product people equally for not showing enough restraint (i.e. the trope of 'just because they could... asked if they should...' etc). But nobody cares about my opinion on this, and the majority of users don't realize or care - and even if they do, they're as powerless as I am, individually.


It's been a while since I used Windows with any kind of seriousness (and the last version I did was 7), so I wasn't aware that this kind of thing is offloaded to separate, shared processes like that.

> Not to mention, there isn't a whole lot of software left that doesn't need at least some networking for its 'primary' functionality.

Case in point, Microsoft Office has no good reason to be aware of the existence of the internet. Its job is to open, view, edit, and save local files. No one I know uses any of the cloud crap they added in the latest versions. The only use case when networking might be needed in Word/Excel/PowerPoint — and even then, it's most probably handled by a system service — is printing to a networked printer.

(when working with a file stored on a remote server, shared over SMB or something similar, that's definitely handled by the system and appears as a local file to applications, albeit on a very slow disk)


"Case in point, Microsoft Office has no good reason to be aware of the existence of the internet."

shrug I think the same, but it's a fact that new versions of Word heavily integrate with SharePoint and Teams. I don't use that functionality (at least not a lot), but for some businesses it's the primary use case, and it's how Word can manage to stay relevant even when competing with Google Docs. The concept of 'files' is going away slowly anyway, like it or not. (I don't, but again, nobody ever asked me). There's more - like, when you install a new spell checking language pack, something accesses the internet. It's most likely the installer/automatic updater 'service' that does this, but then you're again in the 'what's this process for anyway' territory.

My point - I think your view on how software 'should' behave is the same as mine, but the reality is that our view is outdated. It's just not how software works in 2023.

It's actually timely for me, as I just started using Glasswire with a clean ruleset. As I'm typing this, freakin' explorer.exe asked for network access to an outside IP address. It's hard to disallow explorer.exe network access as I won't be able to access SMB shares without it, but I have no idea why it would go outside my network.

I did just block Word from accessing the network at all. I guess I'll find out over the next few days in what ways it will break.

(that's another thing - most software nowadays doesn't even handle not having network access gracefully any more, if at all. Sometimes you just get blank parts of a window (presumably when embedded HTML views silently fail) and there is no way to 'reload' those parts of the UI. Or windows that don't open at all, so it just looks like a button doesn't do anything. And so on. It's disgraceful and like I said upthread, many of today's engineers just think it's normal, or are told to implement it that way against their own convictions. I mean I understand why things are the way they are, I just don't agree with the lack of effort in fighting back against the drivers of that outcome.)


> It's actually timely for me, as I just started using Glasswire with a clean ruleset. As I'm typing this, freakin' explorer.exe asked for network access to an outside IP address. It's hard to disallow explorer.exe network access as I won't be able to access SMB shares without it, but I have no idea why it would go outside my network.

I don't know Glasswire, but on Comodo firewall you can set a rule to allow access to your local network by default (or any range of IPs) and ask about external access, which would be a way to solve your problem with explorer.


Yeah I should probably look into it more. Can Comodo's firewall be used standalone, i.e. without its antivirus? What I needed from Glasswire was click-to-allow on each network access; I couldn't find that in any product I tried a few years ago before I decided on Glasswire.


> Can Comodo's firewall be used standalone, i.e. without its antivirus?

Yep, just pick the firewall from the installers and make sure you uncheck everything except the firewall during the install (they are tricky, these guys):

* https://forums.comodo.com/news-announcements-feedback-cis/co...

after installing go through and (again) disable everything but the firewall. I also use their firewall to block their firewall (hah) from updating. Once you do this it works fine as a standalone firewall and the only reason to ever update it is if you reinstall or upgrade Windows.

EDIT: It does per-app blocking great; that's why I use it. I tried glasswire and didn't like it (or maybe they wanted to charge me money, I forget).


You might enjoy Safing's Portmaster Firewall then: https://safing.io/

It's open source and is quickly surpassing GlassWire's capabilities.

Disclaimer: I'm Founder/CTO of Safing.


I am a bit confused about Portmaster and Safing. The documentation on Safing constantly refers to Portmaster. Does portmaster do anything besides act as a local firewall?


There are 3 big parts:

- The firewall itself with rules, filter lists, and so on - https://safing.io/features/

- Secure DNS (DoT/DoH resolver) - https://safing.io/features/

- "SPN": Optional paid VPN alternative similar to Tor, our source of revenue - https://safing.io/spn/


I'm pretty sure you can actually configure the Windows firewall the same way, but you would have to set it up front, instead of having it prompt you.


explorer.exe is also responsible for the Windows "shell" (Start menu, taskbar, system tray, desktop background), at least historically. I think more of this started to be done by Metro and UWP subprocesses since Windows 8. (But explorer.exe is ultimately still important—if you kill its process, you lose everything but alt-tab and control-shift-escape). So I'm not too surprised that it would request network access given how much it's doing.


> Its job is to open, view, edit, and save local files

That might have been the case 20 years ago (and even then Office had functionality to self-update).

Now, with OneDrive, cloud storage, Exchange, SharePoint, etc, people expect that Word, Excel, PowerPoint, etc should work seamlessly with multiple users simultaneously editing documents.

Even IDEs and code editors have ‘network access’ now—VS Code can download and update itself and any extensions, connect to remote SSH hosts and GitHub Codespaces, use extensions that themselves connect to the Internet (like Copilot), etc.

People have come to expect some form of self-updating mechanism now even for the smallest programs (consider Rufus, an ISO burning program which can update itself, download ISOs to burn to USB drives, etc), and it’s counterproductive to just blanket-ban everything from accessing the Internet, as things are likely to stop working as expected.


> Now, with OneDrive, cloud storage, Exchange, SharePoint, etc, people expect that Word, Excel, PowerPoint, etc should work seamlessly with multiple users simultaneously editing documents.

How many people do actually use these features in these programs? I myself have always seen them as nothing but bloat, a symptom of the IT industry utterly lacking a notion of a project being finished and not needing any further work. Maybe these features should come as plugins that you can optionally install. At least that's how I'd do it.

Usually, when someone wants to collaboratively edit a document or a spreadsheet, they use Google Docs. It being web-first also helps.

> Even IDEs and code editors have ‘network access’ now

And as an Android developer, I despise how Android Studio, or the Gradle Android plugin, or both of them, can just shamelessly download 100-something megabytes of some crap without asking, expecting that you have a network connection capable of that, sometimes not even showing the fact that they're accessing the network in the UI, and refusing to operate if that download fails. Eclipse didn't do that. Though it was terrible in many other ways.

> People have come to expect some form of self-updating mechanism now even for the smallest programs

Honestly, I expect the smallest programs to be complete and not need any updating.


Wouldn't that make things worse? Those applications usually expect to be able to make these calls. So now, instead of lagging once in a while when the home base is having troubles, it will lag all the time.


It shouldn't, because any network requests would fail early and instantly, somewhere around opening the socket.


> Wouldn't that make things worse? Those applications usually expect to be able to make these calls. So now, instead of lagging once in a while when the home base is having troubles, it will lag all the time.

Not necessarily. The lag may be waiting for the remote server to respond to a request, and the app may move on quickly if it can't open a connection at all. It's not totally uncommon to work totally offline (e.g. on an airplane), so there's a decent chance they test that scenario.


In my experience, each time a firewall is blocking a connection, you experience it as a timeout, so the app tries to connect and finally times out.

Which would take longer. I haven't tried, though.


It depends entirely on how the firewall is set up.

If you are getting timeouts then the folks who set up the firewall hate you.


No, it usually results in an immediate connection refused.


It won't wait for a timeout if the connection is explicitly dropped by a blocking rule.


It can be the case that an immediate, explicit failure is faster than waiting for success (or worse, timing out).


