OutPost learning thread

Discussion in 'other firewalls' started by Rilla927, Aug 27, 2010.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    Are you behind a router?


    - Stem
     
  2. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Hi Stem,

    I finally finished, it's been a long night.

    Yes, I'm behind a router.
     
    Last edited: Sep 2, 2010
  3. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Hi Stem (and Rilla :D ),

    I'm also behind a router...and looking through the Outpost "Help" section, I noticed that under "Preventing Network Attacks", under "Protecting from Ethernet Attacks" there are several options.

    If you go to Settings > Application Rules Firewall > Attack Detection> Customize....none of the options are checked by default (Block intruder(s) if they spoof their IP address, Block sniffer if the gateway network adapter MAC was changed, Protect my IP addresses from being falsely reported as used, Block host when it enumerates other computers on LAN). Should this be the case? Or should these be checkmarked?
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi JR,

    Those are low level filtering rules intended (IMHO) if you are on an untrusted LAN, or, if you want to try and isolate the PC from the rest of your home LAN. So it depends on your needs against any other nodes(PCs) on your LAN.

    So a question from that is: Are there other nodes on LAN, and if yes, do you share files etc between those nodes.

    [I am just going to apply the OP image, so will log back into forum from another PC. Then I am set to check any settings etc you have questions about]


    - Stem
     
  5. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Currently, no. I intend to add a laptop very soon, but as of right now the router is simply being used as another layer (hardware firewall).

    Would you recommend leaving them unmarked? Or checkmark each of the options?

    Also, I've noticed that Outpost recognized that I had an antivirus/anti-spyware program already installed, so it has disabled the real-time anti-spyware protection that it offers. BUT...it updates its definition base and I can do an "on-demand" spyware scan. I believe I can even set it to automatically run. Currently, under Settings > Anti-spyware > Schedule and Profiles....under Scheduled Tasks, there is a "Quick Scan" set to run Daily at 1 AM. The delete option is grayed out, there, so I'm not sure how to remove or change it. I'd like to add a weekly Full Scan.....
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi JR,

    For some reason our XP setup(OP options) are different.

    In the Attack Detection-> Ethernet:

    Enable smart ARP filtering is enabled.
    then 2 options are enabled: Block intruder(option 1) and Protect my IP(option 3). The other 2 options(2/4) are disabled.

    In the Anti-spyware Schedule tasks, I can select and delete the quick scan profile that is there by default.

    These settings are from default installation, I have not changed any of these settings as yet.


    - Stem
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    If your PC is the only node on LAN and it is connected by wire to the router (wi-fi not active in router), then that ARP protection is not needed.

    I will be looking at this protection and checking it against attacks from LAN as at one time it was a little problematic, in that the protection was, well, not at its best.



    - Stem
     
  8. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Hi Stem,

    Smart ARP filtering is enabled on mine as well....but as for the specific options under Ethernet, all of mine were unmarked. Hmmm...that is interesting....because I haven't made any changes on my end either. Think it has anything to do with the router itself?

    Another odd difference. o_O It's completely grayed out on my end.

    You don't have the "real-time anti-spyware protection" enabled by any chance, do you?

    During the installation of Outpost, it recognized ESET NOD32 AV and disabled the real-time anti-spyware protection of Outpost as to "not interfere with any third party security software". I'm wondering if the real-time anti-spyware protection in Outpost is what allows scans to be scheduled, deleted, etc.(?)
     
    Last edited: Sep 2, 2010
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The router itself should make no difference, maybe the LAN detection could be making a difference? Have a look in "Settings- firewall/ Lan settings". There should be a LAN range added, by default (on my setup) that has allowed netbios, but other options unchecked. Has your LAN been set as trusted?


    Yes, that will be the difference. I have installed OP onto a base XP(no other applications installed) with default settings, so the anti-spyware is active.

    If you are making a scheduled scan for NOD, then you will have to make those settings in NOD and not in OP.

    - Stem
     
  10. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Yes, it recognizes the LAN range setting...and netbios is the only option that is marked (all netbios communications to and from this network are allowed). LAN has NOT been marked as "trusted", though.

    As for the Outpost anti-spyware scan...I'll have to run any Outpost scans manually on-demand. I've discovered there isn't an option to "schedule" a scan, unless I activate the real-time anti-spyware protection (which I won't, since I have NOD for that).
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    FWIW, the local ports for Win 7 are:

    49152-65535.

    Attached is a rule for using them. Comment at will! :D
     


  12. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Hi guys,

    Mine recognizes Lan range setting. Should netbios be checked? I have Lan untrusted.

    Thanks Escalader, jump on in.

    Stem, here are some shots of system wide rules and see what you think.
     


    Last edited: Sep 2, 2010
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The only reason I can think of at the moment for the difference in Ethernet protection settings is due to you having NOD installed.
    Ah right, sorry, I thought you were trying to schedule a scan for NOD :D .
    With having NOD installed, then it could cause problems if you have 2 scans from different applications running at the same time, so would think that is a safety precaution.


    - Stem
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    Hi Rilla,

    Unless you are sharing files etc on the LAN, then uncheck Netbios.

    IMHO, you should also on a home LAN disable the "Detect new networks automatically" (in that LAN settings), as you should not be seeing new LANs on a home network suddenly appearing.


    - Stem
     
  15. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    No sharing files. We were typing at the same time when I put the screen shot up.

    Yes, I did uncheck that.


     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    Hi Rilla,

    In your first pic.

    Do you have any VPN(or similar) software installed that you use? If not, then open the "Allow L2TP" rule and change it to "Block"

    "Allow DHCP" is OK and needed unless you have fixed your IP.

    The 2 block RPC are OK.

    "Allow PPTP control", again, are you using VPN? Needs changing to block if not.

    The last 2 rules appear to be for netbios, you should change them to "Block".

    NOTE:
    If making changes causes connection problems, then check the firewall log for blocked packets, change the settings back to what they were and post info on the problem. But you should not see problems unless your internet connection is somehow being routed through a tunnel.


    The second pic:-

    I need to ask: Is your ISP using IPV6?



    - Stem
     
  17. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    No, not as far as I know. When I setup my DNS servers I used IPV4.

    I made suggested changes.

    Here are some ICMP shots that are defaults from OP.
     


    Last edited: Sep 2, 2010
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    OK, I will just change to Vista image. It will also allow me to see what OP is allowing out from Vista during boot.
    OK.


    - Stem
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Those should not really be a problem in your setup.
    There should be no need for the router solicitation, so you can remove those(as long as you do not see problems after disabling them)




    - Stem
     
  20. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, I removed router solicitation.
     
  21. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Hi Stem,

    Regarding these options we were discussing earlier:

    It won't hurt to have them all checked, will it? If not, and it would help aid security without compromising functionality, I might leave them all checked.

    Also, you mentioned this:

    I believe that Outpost offers an "Exclusions" list. Would it be a good idea to place ESET NOD32 AV in the exclusions list? And vice versa, place Outpost in ESET's exclusion list as well?
     
  22. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Crap, Rilla...I'm sorry. Here you are trying to work with Stem on a Vista setup, and I keep asking about XP settings. :p

    Sorry about that....
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Here are some Attack Detection shots:
     


  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    On my checking through some of the rulesets created by OP for the various system applications, I see that there are quite a lot of un-needed rules. The problem with these types of rulesets is that they are made to try and cover all users' needs and are not therefore specific and allow (IMHO) too much.
    This "cleanup" of rules will need to be done once you have all your internet applications with needed rules (which would have been auto generated). We can then go through disabling some of the options so we can remove/disable or block some of the rules without OP auto replacing them.


    - Stem
     
  25. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I think he has both loaded up.
     