Online Armor new features - opinions

Hi,

there are new features in 2.1.0.127.

- some installers with digital signatures are allowed to run without any prompt from OA,
nor is there any popup during installation.
In Programs a permanent rule for this installer is auto generated,
as said without any prompt for the user, simply hidden.
I experienced such behavior with Opera and HauteSecure installers,
both are signed by VeriSign.
There is actually no option to deactivate this feature.

- deleted rules in Programs from applications of OA's whitelist are always restored to Allowed and Trusted,
if you ever start these applications again.
Again this restoration is without any prompt for the user,
he will have no clue, this happens completely silent.
Only if a deleted rule was from an unknown application (not in OA's whitelist),
at next start of this application the rule will be restored to Ask and Unknown.
Therefore a prompt will show up for this application again.
There is also actually no option to change this behavior in any way.

I'd be interested in knowing what you think about this features.

Cheers

 

My opinion is security software should ask as little as possible. Ideally there only should be questions about really dangerous actions. So I think OA has a lot to improve in this direction. There are people who like just opposite, to control everything. I dunno how to make these two approaches to live in peace. The only idea that cames to my mind is "Paranoid mode"

 

Er... there is alright an solution for your approaches, Standard mode and Advanced mode.

But a problem is that features (like some installers with digital signatures) are implemented without a line in the release notes and without any consideration of Standard mode and Advanced mode.

After installation of 2.1.0.127 I downloaded the latest Opera installer and started it.
Couldn't get my mouth shut, no prompt, what's wrong?!
The answer in OA forum was "Yes, it would relate to the signature"

What's next? Deleted firewall rules are restored to allow if an application signed by whomever wants to send data to the net.

Maybe you as a beta tester know it, common users like me have to deal with it.

Cheers

 

All I know is yes, it relies on signature. Do not ask me how it does it, I don't know

I think OA trusts not the fact a file is signed, but somehow it looks at certificate issuer and signature owner. Once they both are known as trusted and signature is valid (digitally), what should be a sence to ask signed file about starting ?

 

Well, you answered your questions somehow by yourself.
As long as not even beta testers know for sure how a feature works, I would really prefer at least one "tries to run" popup.

Cheers

 

I don't know because I don't care. I have my testing fun in other things. For example I test every real malware and every rootkit I can find and then report the fails to Mike. That is to say it was long ago when OA failed real malware in my tests last time. BTW, if you have interesting examples, you are welcomed !

 

Hm,

this reminds me somehow of solcroft's post about HIPS and prompts.

https://www.wilderssecurity.com/showpost.php?p=1164402&postcount=28

But now it seems like the vendor wants to get a watered-down program...
So be it.

Cheers

 

HIPS is not about asking, HIPS is about protecting. If you have an example where such behaviour brought someone to the danger, I think the concept might be reviewed. But until then this is just "my wish vs your wish" or "speculation vs another speculation" ..

 

If you look at the filesizes from the OA applications, you see it has been programmed really messy.

If you look at the behaviours/misbehaviours/popup layout/missing configurability/..., you see that it has been programmed really dumb.

If you look at the system impact/slow window reactions/you see that it has been bloatly programmed.

If you look at the scores it tries to achieve at cloudy sites like Matousec, yet look at all the misbehaviours/bugs/cpu-hungry parts compared to better HIPS software, you see that is has been programmed to attract money instead of offering security.

 

I wish you a happy looking weekend Shotwick.
I won't do that but instead use OA without issues.

Gerard

 

Same here Gerard.

 

I leave your estimates to you, but please, gimme an example where it really failed in a sense of security. Virus-name, malware-name, rootkit-name or something. Cause I don't care about size, some tempt misbehaviour, but I care that real beast was stopped.

 

Thank you Mr Shotwick for this great post , any proof of that ?
What you recommand as being a HIPS programmed by genius ?

MaB

 

Exactly but still being capable to switch in some sort of paranoid mode.

 

I dunno, but I think that while packet filtering is a real security, packet sniffer is just a service function to debug and diagnose. A bit different tasks for those who understand at least what those network packets are for. The same with HIPS. Not to forget that every false alert is a "time is mony" for a user.

 

Gee!

Opinions on OAs new features was the title of this thread, do you remember?
I know Shotwick came around to put out my little flame with gasoline.
But as OAs fire and rescue service admins rushed in instantly,
everything should be save now.

Cheers

 

OK, OK, OK .. If to talk about new features I'd like to see taskmanager like process explorer and a way to setup and manage running processes like in Programs.

 

I know that nice new feature when I updated firefox, and OA made the 9th dumblicate rule for it.

 

The new feature I would really appreciate the most is some good printable documentation that explains how to use all of OA's features/settings.

 

I'd like to see a new feature in online armor concerning
anti arp & anti spoofing properties
more protection and functions concerning the local network whether "wired or wireless lan"

 

Full anti-arp protection is not possible in case attacker spoofes your router with your fake mak address. I think all this antiarp stuff is very overestimated. Any linux router can detect arp-spoofing in the lan and show the source of attack. And h/w routers can handle it better than any s/w firewall. I think this is irrelevant for now.