OutPost learning thread

Discussion in 'other firewalls' started by Rilla927, Aug 27, 2010.

Thread Status:
Not open for further replies.
  1. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, I do remember you saying this before about OP.
     
    Last edited: Sep 4, 2010
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do have an image for both Vista and XP with OP installed, so am jumping between them.

    It may be better to set up both OSes on VMs so I can have both running at the same time. I will see if my VM software will run on Win7 64.

    - Stem
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Good idea Stem :D

    Will any updates screw up the application rules that we clean up from being auto generated?
     
    Last edited: Sep 2, 2010
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    :D

    In "settings-> ImproveNet" there are some options. What we will have to do is change to "Disable automatic rule creation", and uncheck the "Automatically create rules for applications signed by trusted vendors". If rules are still changed/added after that, then I would see it as a bug.
    That should not be a problem once all your applications have rules, and even if they don't, you should still get a popup for any new rules needed. (But I will check to confirm before we make changes.)


    - Stem
     
  5. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Should I make the above changes now or wait until we are ready to tackle that area?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do not see them needed in your setup, but yes, you can enable them. Just keep an eye that your router does not get blocked (and therefore your internet). I have seen the router blocked before, but that may now be fixed.

    Security applications will need to be able to take certain control of the OS, so yes, you should stop them from intercepting each other by excluding them from any restrictions (basically make them trust each other).


    - Stem
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Do all your internet applications now have rules?
    Normally it is better to run in auto for a couple of days to make sure you will not get popups or internet access problems before changing these settings.


    - Stem
     
  8. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, in that case I will let it run for a few more days.

    Should "block intruder subnet" be checked per post #48?
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    As for the Ethernet protection, as I mentioned to JR, just keep an eye on if you get blocked with those settings.
    For the "Attack detection"->"Attacks", well, most are now quite old and are actually only a threat on some of the OSes that OP no longer installs/runs on. (But it makes the plugin look good :rolleyes: :D )

    Not needed in your setup.


    - Stem
     
  10. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    So it's there for looks.
     
  11. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    What do you think of the way this is set?
     

    Attached Files:

  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Fully open.

    This is an area that needs config based on the sites you visit. I have not looked at that as yet; it is an area of protection that I normally run within the browser (such as, for browsing, Firefox NoScript). Are there options for creating restrictions on a site-per-site basis? (I am just trying out VMs so don't have OP running.)

    - Stem
     
  14. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Thanks, Stem. :thumb:

    So...would I exclude NOD32 from Outpost via the following?

    Settings > Proactive Protection > System and Application Guard > Application Guard > Exclusions ? (then click on Add, browse to Local Disk [C:], Program Files, ESET?) And if so, should I select the ESET folder....or the ESET NOD32 Antivirus subfolder? Or something else?
     
  15. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Hi Rilla,

    Just curious...but when you go to Settings > Proactive Protection > Anti Leak....what setting do you have Anti leak protection level set on? I currently have mine set at "Optimal". I also notice that if you select "Customize"...the "Component Control" tab has an option to "Enable Component Control"...but mine is NOT checked....is yours? Stem...what would this do here, and is this setting recommended? o_O
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi JR,

    Yes.
    You will need to add the specific executables for NOD to be excluded.

    You may also want to look at the "Proactive Protection"-> "File and Folders locker" and set NOD's folders as protected.


    - Stem
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi JR,

    By default the Component control is enabled on this XP setup.

    I personally would not leave the anti-leak set at optimal, I would have that set to at least "Advanced". That can cause extra popups/warnings for various applications, but it is far more secure (IMHO) due to what is intercepted.


    - Stem
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    Re:- Web control

    I have been having a look at that.
    I would change the setting to "Maximum". That does then mean some work with adding exclusions for the sites you trust, but is a more safe approach IMHO.



    - Stem
     
  19. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Oh boy. Here's where I start to sound like a dummy.

    OK..so I guess the path I described above is the correct procedure then o_O

    And when you say "add the specific executables"...what exactly does that entail?

    Also, I guess I would first have to "Enable File and Folder Lock"...but then should I add the entire ESET folder as protected, under the "File and Folder Lock" section?

    By the way...I followed your advice, Stem, and changed the level of protection to "Advanced". Simply by doing so, the "Component Control" tab is now changed to "Enable Component Control".... :thumb:
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi JR,

    Just give me 10 minutes or so, I will download/install NOD to check what is needed.


    - Stem

    EDIT:-

    For the exclusion:-

    Open the "Application Guard exclusions" then select "Add" then browse to the NOD av directory. Then select "ekrn.exe" (I believe that is the only NOD exe that requires full system access).

    2010-09-03_090838.png


    For the file/folder protection, enable the protection then click "Add" and select the Eset folder.

    2010-09-03_091143.png
     
    Last edited: Sep 3, 2010
  21. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    My Antileak is set to Advanced and then I have this
     

    Attached Files:

  22. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, I changed mine.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    Looking good.

    I have to go out now. When I get back I will be looking into the IP Blocklists (Settings:- Firewall-> IP Blocklist) to see what is available for import into OP.


    - Stem
     
  24. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, Stem have a good one. Thanks again for all your help.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    EDIT:

    I am editing this, as after making a number of changes to make OP inform me of various interceptions/internet access, OP is locking up constantly and is unresponsive for about 20 seconds each time. I have seen this in the past with its HIPS functions. I will need to look more at this, as this behaviour is not what I would expect even from a beta build of a product.


    - Stem
     
    Last edited: Sep 4, 2010