open process control

not sure if i should post this in the processguard forum or this one, but anyways:

i have been reading about some of the features in outpost pro 2.5 that i didn't pay much attention to in my initial set-up. i have been trying to figure out this "open process control feature". is it safe to say that if i use processguard, i can leave the 'Block network access if application memory was modified by another process' box unchecked?

thnx in advance.

 

Hi INTOXSICKATED,

I have used OP's Open Process Control feature along with PG for a long time without any conflicts. I while ago I ran most of the available firewall leaktests (including Atelier Web Firewall Tester 3.1) against the combination without any leaks. I would have to retest to confirm and give you detailed results. Remember that for a process to modify another process, it has to execute in the first place. PG takes care of that.

Nick

 

Intox . How are you my friend ?

It is fairly safe to run Outpost without it checked if you are using PG . I use both . On occasion , you will run into a problem . Only problems I have ever had were with Spy Sweeper . And that program has a bug anyway and I wil not touch it . So , I am unsure if it is COMPLETE overlap but , there is at least , some , overlap . Hope that helps .
Now I will click off my switch

 

did u run any tests with just pg and open process control turned off? just curious.

i knew i would here from you on this hollywood! maybe i will try running it with open process control enabled for a while and disabled for a while, and see what happens. does it use more memory to keep it enabled?

thank you both for the replies. i have another question to ask also about outpost when i get home!

 

As for memory use , try it and see . It will probably reduce it . I have kept Outpost as my # 1 firewall for over a year now and , the only problem I had was with Spy Sweeper . And I run alot of different programs at different times . You can turn off the logging option in Outpost and DAMN , resource use goes from 21megs down to 2 and a half on my machine . WOW . Hope that helped .

 

Hollywoodpc-

I believe you, but it does seem odd that logging makes such a difference. Is there some middle ground with logging restricted to "exceptions" that produces a reasonable (less than 10mb) memory footprint with access to critical log information?

 

Hollywoodpc should know the intricaces of OPFW as he is using it and he is knowledgeable with its operation.
With that said, here are a few discussions which may add some additional information here and here and here
Cheers

 

Just tested it again with PG enabled (with IE set to Permit Always) and Open Process Control disabled (but with Hidden Process Control enabled). PG blocked tests #2-#6. OP blocks test #1 only if you have HPC enabled.

Test #1 (allowed by PG but blocked by OP's Hidden Process Control)

Tue 29 - 14:50:56 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\program files\atelier web\awft\awft.exe" [312]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" ]

Test #2

Tue 29 - 14:51:11 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\program files\internet explorer\iexplore.exe [1052]

Test #3

Tue 29 - 14:51:18 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\windows\explorer.exe [516]

Test #4

Tue 29 - 14:51:24 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\windows\explorer.exe [516]

Test #5

Tue 29 - 14:51:36 [PHYSICAL MEMORY] c:\program files\atelier web\awft\awft.exe was blocked from accessing physical memory

Test #6

Tue 29 - 14:51:42 [PHYSICAL MEMORY] c:\program files\atelier web\awft\awft.exe was blocked from accessing physical memory


Nick

 

interesting. good to know. thnx nick.

hollywood: i for the first time disabled logging last night. it does make a huge difference. i still need to read up on what else can be done to logging without totally disabling it. for now, i just might leave it disabled. my logs are very boring and uneventful anyways. haven't seen anything out of the ordinary in a few months. i also need to experiment with the plug-ins a little more. right now i'm just using one of them.

 

I agree Diver .
It should not make that much difference . Sadly , there is not a way to partially turn off logging as far as I am aware . One of the downfalls too , is that Open Process Control can only be turned on or off . No way to include or exclude certain programs . I THINK they are currently looking into this . As for the tests that Nick did . Not sure exactly wehat was done but , with PG off , NORMALLY Outpost will catch things trying to modify . That is with Open Process Control enabled . Hope that helps .

 

I used to watch my logs and felt I needed them . Since disabling , I find I do not mis them . And YEP . Amazing the difference with logging turned off . Almost like the whole firewall is nothing more than a big log . lol .

 

OP does block all tests with PG disabled. That is with Open Process Control and Hidden Process Control enabled. Here's a description of the tests from the AWFT help file:

Technique 1: Attempts to load a copy of the default browser and patch it in memory before it executes.

Technique 2: Creates a thread on a loaded copy of the default browser.

Technique 3: Creates a thread on Windows Explorer.

Technique 4: Attempts to load a copy of the default browser from within Windows Explorer and patch it in memory before execution. Defeats PFs which require authorization for an application to load another one (succeeding on Technique 1) - Windows Explorer is normally authorized. This test usually succeeds, unless the default browser is blocked from accessing the Internet.

Technique 5: Performs an heuristic search for proxies and other software authorized to access the Internet on port 80, loads a copy and patches it in memory before execution from within a thread on Windows Explorer.

Technique 6: Performs an heuristic search for proxies and other software authorized to access the Internet on port 80, requests the user to select one of them, then creates a thread on the select process.

I disabled logging last year and only use the Attack Detection plug-in...running under 3MB here as well.

Nick

 

sry, but i'm finally at home. what do you mean by having hidden process control set to enable? you have it set to 'allow access' or 'block access'? you would think that with pg running, we would be able to set hidden process control to 'allow access' and keep open process control 'unchecked'. but since there doesn't seem to be any conflicts between pg, open process control, and hidden process control running all the time (at least on my computer), i'm assuming that i have kind of a layed protection going on and am probably more secure.

by the way, i only use the attack detection plug-in as well. the others didn't seem like anything i needed.

 

I set HPC to prompt for the tests. Normally I have it set to Allow and I leave Open Process Control checked (only as an additional layer of protection in case I screw up and let something slip by PG).

Nick

Edit: the only reason I don't block with HPC is that I run Proxo as a service (running hidden) and have not figured out how to exclude it from being blocked.

 

i've gone back to the outpost forums and help files to mess around with some of the features in outpost i didn't pay much attention to in the beginning. thnx for the responses guys, it really helps.

 

Good luck Intox and thank you Nick !

 

oops! i forgot something. is it ok to just leave the firewall policy set in the 'rules wizard' mode?

 

Sure . Most will tell you to put it in Block most mode after you run it a day or two in rules mode . Mostly , I keep it in rules mode . But , block may prove to be better . Just be sure to run it a few days so it knows the programs you want to allow . Then , set it to block . You probably know this but , just in case Intox , you can always add a program you trust to the trusted app area . Do not forget to right click on Active Content and click properties . There is where you can block referrers , cookies , active x , popups , applets , etc ..... so go nuts ! And have a drink ON ME
Good luck my friend