Windows Server behaviour: Look for active firewall?
Hi All, is there any documentation that says it's normal Windows behaviour to check for an active firewall? Let's say it couldn't find any external firewall installed and turned on; will it turn the default Windows Firewall on?
July 6th, 2011 11:55am

Network awareness (or network location aware host firewall) capability allows adaptive behaviour, and programs using the NLA API can change the local behaviour of Windows:
http://technet.microsoft.com/en-us/library/cc754893(WS.10).aspx
http://msdn.microsoft.com/en-us/library/ee264321(v=vs.85).aspx
Some related topics:
1. Here is an article on the Windows Firewall check: http://technet.microsoft.com/en-us/library/bb926071.aspx (You have not specified the version, so I take the first information on the behaviour.)
2. Some roles, features and programs may change local firewall settings.
3. There is another indirect check in the newest operating systems, namely the access to the Internet: http://technet.microsoft.com/en-us/library/cc766017(WS.10).aspx
Regards, Milos
July 6th, 2011 12:47pm

Hi Milos, thank you for your reply. To be specific, the OS is Windows 2003 SP2. Recently we did an AV upgrade on the server; somehow after the reboot the firewall got turned 'on' even though it was set to 'off' before the upgrade. The support claimed that it's normal Windows behaviour, which I don't 100% agree with because he provided no KB or documentation.
1) What are the chances of the AV changing the Windows Firewall status? Is there any method or log to confirm this?
2) The Win Server 2003 SP2 Windows Firewall setting is 'off' by default, right?
Thank you
July 6th, 2011 12:58pm

Your reply has changed the situation. I am afraid that the key component in this "dirty play" is the AV program. Have you contacted the support of the AV vendor? (I have had an especially bad experience with Norton, which included a proxy, and all mail traffic went via 127.0.0.1.) If the event log and FW log do not provide the required information, in this case you should dive deeper into the system with Sysinternals tools (Process Monitor and Process Explorer). In my experience, I have the least amount of problems with Security Essentials (updated via WSUS). (We had tried NOD and Avast (campus license) and some free AVs, and MSSE has won with the fewest problems.)
July 6th, 2011 2:33pm

We suspect the AV is the root cause, which they denied. How do I check the firewall behaviour using Process Monitor/Explorer? Thank you!
July 8th, 2011 5:14am

The very first test is the resulting difference in firewall settings (A.) on a plain vanilla Windows server after the route to the Internet is recognized and the server is fully patched, and (B.) after a fresh install of the AV and then during operation. Ask the AV vendor and the AV forum your question and provide more data. Your question is a very general one, and it is hard to guess without specifying the changes and the name and version of the OS and AV.
July 8th, 2011 11:19am

I don't know... I saw your previous reply suggesting to go deeper using Process Monitor/Explorer... what should I check exactly? Should I add the Windows Firewall registry key to the watchlist? I've already raised a case with the support, but with the delay, the time zone difference and all that... you know... I would prefer to do my own checking at the same time. Thanks
July 11th, 2011 5:16am
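
An added example, not part of any post in this thread: one way to answer "which process turned the firewall on" from a Process Monitor capture that was running across the AV upgrade and then saved as CSV. It assumes Process Monitor's default export columns and the `EnableFirewall` value under the `SharedAccess\Parameters\FirewallPolicy` key used by Windows Firewall on Server 2003; the sample rows and the process name `avsetup-example.exe` are constructed.

```python
import csv
import io
import re

# EnableFirewall lives under ...\FirewallPolicy\<StandardProfile|DomainProfile>
FW_VALUE = re.compile(
    r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\"
    r"(StandardProfile|DomainProfile)\\EnableFirewall$", re.IGNORECASE)
DATA = re.compile(r"Data:\s*(\d+)")
KEY = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# Constructed sample in Process Monitor's CSV export layout (not real capture data).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:01:12.10 AM","svchost.exe","812","RegQueryValue","KEY\StandardProfile\EnableFirewall","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"5:03:40.55 AM","avsetup-example.exe","2044","RegSetValue","KEY\StandardProfile\EnableFirewall","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"5:03:40.61 AM","avsetup-example.exe","2044","RegSetValue","HKLM\Software\ExampleAV\Version","SUCCESS","Type: REG_SZ, Length: 8, Data: 9.0"
"5:03:41.02 AM","services.exe","540","RegSetValue","KEY\DomainProfile\EnableFirewall","ACCESS DENIED","Type: REG_DWORD, Length: 4, Data: 1"
'''.replace("KEY", KEY)


def firewall_writes(csv_text):
    """Return every RegSetValue event that targets an EnableFirewall value."""
    hits = []
    # Process Monitor writes a UTF-8 BOM at the start of its CSV export.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Operation"] != "RegSetValue":
            continue  # reads (RegQueryValue etc.) do not change the setting
        match = FW_VALUE.search(row["Path"])
        if not match:
            continue
        data = DATA.search(row["Detail"])
        hits.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "profile": match.group(1),
            "enabled": data is not None and data.group(1) != "0",
            "result": row["Result"],  # a failed write did not take effect
        })
    return hits


if __name__ == "__main__":
    for hit in firewall_writes(SAMPLE_CSV):
        print(hit)
```

Filtering the live capture on paths containing `FirewallPolicy` keeps the export small; a write with a result other than `SUCCESS` shows an attempt that did not change the setting.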

This topic is archived. No further replies will be accepted.
