OutPost learning thread

Discussion in 'other firewalls' started by Rilla927, Aug 27, 2010.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Stem:

    That's good.

    When/if you get to Windows 7 64 bit I'm prepared to work that at the time. No rush.

    My worry was/is that users do use these generated rules from OP (and other vendors), so there is a need to KNOW how to tighten them.
     
  2. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Hi Stem,

    I have a few questions for you.

    Under file and folder lock can I put the whole folder of Emsisoft?

    When looking at the log and right clicking, there is include and exclude. What exactly does this mean?

    Will all these rules we set up for Vista be the same for Windows 7?
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Hi Stem,

    I was looking around and in "used ports" there are a bunch of service host entries with no rules. Should I apply the same rules as the service host in applications we already covered?

    There are some called system too.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    No.
    I have been looking more at the "File and folder locker". The very short explanation of that function is a little misleading.
    For me, the "unauthorized" part of that statement would indicate any application that is not authorized; however, I have not yet found a way to actually authorize an application's ability to access a protected folder, so all applications are blocked.
    I did initially think the file and folder protection was similar to the protection I have seen in other HIPS, in that access to the protected folders can be made on an application by application basis and that OP would give a popup to inform you of any access attempt with an option to allow or block that access, but I have not seen that.
    So if you were to protect the Emsisoft folders, then there is no way (that I have found) to actually allow Emsisoft's applications to access its own folders, so the application will fail.
    Looks like that could do with better implementation to allow selected applications access.

    That is a filter for viewing the log. If for example you right click on an entry for "Explorer" and select "Exclude" then all the entries for "Explorer" will be removed from view. (To see all entries, you right click any entry and select "No filter".)
    For your setup, I would expect so, yes.


    - Stem
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    Hi Rilla,



    I am seeing that report of "No rule" as being inaccurate on my setup. Some are showing that I have a block rule, others that do have block rules are showing as "No rule". Looks like another area that requires better implementation.

    That inaccuracy will also be the reason for the incorrect logging of firewall events where I see various blocked packets due to "No rule" when in fact they are specifically blocked by applied rule.

    So just ignore that until a better/correct implementation is made to show correct Allow/block reason.


    - Stem
     
  6. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Geez, so it's useless:rolleyes:

    I see, more fluff.

    Okay

    That's great!!
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay. Do you know how to save config settings?

    OP is running smooth as silk.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Settings-> Configuration. There are the options to export/import configs.
    Good to hear.



    - Stem
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    He, he....I knew it was in front of my face but I couldn't remember, thanks.

    You go blind after so many hours on here:eek: :eek:

    Stem you are awesome, can't thank you enough:-*

    Now you can have that beer with me;)
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Raw Socket access and SVCHOST

    In OP there is a setting for raw socket access. This one is above my pay grade but I do have questions (Stem?).

    See attached image.

    What exactly is this option?

    For SVCHOST.exe I have it as blocked, is that the correct setting? The default came up as allow, which scared me (this happens a lot :eek:).

    Does the user have to go through every exe to set these?

    If so that seems crazy since one hopes that vendors get it right! How would I decide to block or allow? Any rules/guides on this?

    I can also ask similar questions for content filtering. Why would I NOT set it to Enable every time for every executable?
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Raw Socket access and SVCHOST

    Yes.

    Using raw sockets is a way to bypass encapsulation.
    I use (with some applications I have) raw sockets when I am testing firewalls, as I send crafted packets across my internal LAN to attack/test a firewall's filtering (sending spoofed packets etc).
    Most applications use (what some call) "cooked" sockets, that is where the IP stack provides the necessary packet header info (your IP etc).


    - Stem
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Raw Socket access and SVCHOST


    Thanks Stem:

    From this can I assume that:

    1) NOT one application should ever allow raw socket access?

    2) If the answer to 1 is yes, should users go through all the applications OP has listed for them under >settings>applications>options

    and ensure they are all set to block?
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Raw Socket access and SVCHOST

    Hi Escalader,

    Typically no. Your PC/applications should not be bypassing encapsulation unless you specifically intend to.

    You can block them. I don't see any reason to actually allow such access [apart from what I described as for testing].


    - Stem
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Raw Socket access and SVCHOST


    Thanks!

    I have zero intention of doing these things SO I'm going to go through their whole d..... n list and change prompt to block. IMHO, it should not be necessary for a vendor to push such a technical call onto the backs of typical users.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Raw Socket access and SVCHOST


    Okay that is done.

    While doing it two exe's had Raw Socket access ALLOWED.

    LSASS.exe
    SVCHOST.exe

    Now LSASS is totally missing from the applications list! On a quick read through Black Viper it isn't there?

    As well, I noticed the enabled filtering option was on and off by application?

    When it was off I turned it on. Is there any security reason or performance reason for filtering to ever be off?
     
    Last edited: Sep 13, 2010
  16. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    Re: Raw Socket access and SVCHOST

    Escalader, results may vary, but I always found that using content filtering in Outpost caused it to use quite a high amount of CPU, so I stopped using it, and in fact, with my latest install, I didn't even install the content filtering module. For instance, rather than blocking ads at the firewall level (something made possible by the content filtering module) I use an ad-tracking hosts file, and then I run my browser through Proxomitron. I also don't like to block headers etc, because it causes many sites not to function correctly, so rather I scramble my info through Proxomitron.

    When using content filtering, I believe that every application or process that you have filtering enabled for will be checked by Outpost. No need, for instance, to have content filtering enabled for svchost.exe o_O

    Just some thoughts
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Raw Socket access and SVCHOST



    Thanks for that! I'm unconcerned with CPU drain. i7 64 BIT.

    On your thoughts, let's see what Stem says about filtering in svchost:cool:
     
  18. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    I could understand having content filtering enabled for a browser, or even an IM client, but to have it enabled for svchost.exe, wouldn't that slow bandwidth, since Outpost would be checking all traffic against your content filtering settings, in this case against something that wouldn't even visually render? Unless I'm just thinking of it in the wrong way? Maybe someone else can throw in their 2 cents o_O

    What elements are you filtering with the content filtering module, by the way?
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Svchost (services host) should only be making internet connections for the various Windows services, not connecting to websites to download page content. If it was/is, then that is a probable security problem, as svchost has too much control of the OS with most firewalls'/HIPS' default settings.

    Placing content filtering on svchost could actually have a bad side effect depending on how the filtering is being made, as what would the filters filter out of a Windows update? (If updates are being made through the update service.)

    It is about time (IMHO) that 3rd party firewall vendors started binding svchost to the actual services (as with the Vista/Win7 built-in system hardening/firewall).
    It does make me laugh at times that most 3rd party firewall vendors take away the Windows inbuilt packet filtering and (Vista/Win7) system hardening and replace it with what, mainly leak test prevention.


    - Stem
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Stem:

    Thanks. Several thoughts here.

    1) Can I then conclude that the user should only activate content filtering on applications that access the www and that are NOT windows executables? Bad phrasing I know but my eyes have glazed over (again)

    2) Can you give some advice/guidelines on how to set the stateful inspection option in applications? When to turn it on, when not? I need a rule to follow since OP doesn't set this for me.
     
  21. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    Escalader, are you using the content filtering to block ads in web pages? I think you should disable content filtering for everything except your web browsers, IM clients, and email client (and any other app that may render ads to you). Using content filtering on other system files will just use resources unnecessarily IMHO

    chrome
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,

    1: There should only be your web browser actually downloading web content. I know redirects can be in e-mails to go and download images etc, but you should be very careful of that, and I would add filtering to the e-mail client anyway.
    With windows applications, well, they should not be downloading web content, I know a number of 3rd party firewalls place rules to allow outbound to just about any/all windows applications, but those should be blocked in most cases(IMHO).

    2: The SPI option within the rules does not work as you may think; in fact it has been discussed here on the forum and it took me quite a while to try and convince some of those posting to the thread as to how it works and the security problems involved.
    How it works (unless some major changes have been made in the last releases) is that a control connection is set within the rule (such as outbound to remote IP/port); once that rule is activated with that connection, then any/all outbound/inbound to any port is allowed to the IP connected to (that triggered the rule).
    Probably the easiest explanation and when to use the SPI option would be for an FTP client, where an initial connection is made then further connections to various ports (inbound and/or outbound) are then needed. Unless you know what you are doing, leave the SPI disabled within the rule.


    - Stem
     
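The rule-level SPI behaviour Stem describes above, modelled in Python as an added example (this is not Outpost's code; the `Rule`/`AppRules` names and the RFC 5737 addresses are my own). It shows the FTP case where SPI is useful and, equally, why it widens the rule to every port and protocol on the triggered peer:

```python
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation range), not taken from the thread.
FTP_SERVER = "192.0.2.10"
OTHER_HOST = "192.0.2.99"


@dataclass(frozen=True)
class Rule:
    """One application rule: protocol, direction, remote endpoint, SPI flag."""
    proto: str         # "tcp" or "udp"
    direction: str     # "out" or "in"
    remote_ip: str
    remote_port: int
    spi: bool = False  # the per-rule "stateful inspection" option


@dataclass
class AppRules:
    """Model of one application's rule set with the SPI semantics from the post."""
    rules: list
    spi_peers: set = field(default_factory=set)  # peers opened by a triggered SPI rule

    def check(self, proto, direction, remote_ip, remote_port):
        """Return True if the packet is allowed; records SPI state as a side effect."""
        # Once an SPI rule has fired for a peer, any port/direction/protocol to it passes.
        if remote_ip in self.spi_peers:
            return True
        for r in self.rules:
            if (r.proto, r.direction, r.remote_ip, r.remote_port) == \
                    (proto, direction, remote_ip, remote_port):
                if r.spi:
                    self.spi_peers.add(remote_ip)  # rule triggered: widen to this peer
                return True
        return False  # no matching rule: blocked


def ftp_scenario(spi_enabled):
    """Control connection to port 21, then a high-port data connection from the server."""
    app = AppRules([Rule("tcp", "out", FTP_SERVER, 21, spi=spi_enabled)])
    control = app.check("tcp", "out", FTP_SERVER, 21)        # matches the rule
    data_in = app.check("tcp", "in", FTP_SERVER, 50000)      # passive-mode data port
    any_udp = app.check("udp", "out", FTP_SERVER, 9999)      # unrelated protocol/port
    stray = app.check("tcp", "out", OTHER_HOST, 50000)       # peer never in any rule
    return control, data_in, any_udp, stray
```

With SPI off the data connection is blocked along with everything else; with SPI on it is allowed, but so is arbitrary UDP to the same server, which is the security problem the post warns about.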
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    What about applications like ESET that download updates daily? Would I not add filtering there?



    I now have a wireless printer/scanner working on my LAN to share twixt 2 PCs. One a W7 64 bit notebook, the other the classic XP SP3 desktop.

    It comes with a number of programs to run it: the printer exe and the scanner utility program.

    Would these qualify under the FTP case for SPI activation?


    Speaking of SPI, my router has an SPI on/off option in its H/W FW which I can set on or off, but that is not application based, it is "global". It has many other features as well but that may be a separate thread (some day).
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Nod is not downloading web page content when updating, it will be downloading new defs/configs. If you start to filter that info you could corrupt the download.
    edit.
    I thought OP disabled its content filter when NOD was installed?


    Does the printer have a fixed IP, or is it given one via DHCP from the router?

    - Stem
     
    Last edited: Sep 16, 2010
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Stem:

    NOD was a bad example. You are correct if Nod is on your PC and you install OP later, OP's web control is greyed out.
    I should have used SAS where it is NOT detected. But now I have learned from you again that this filtering is web site focused. Up to now I foolishly thought that filtering meant ALL packets. :oops:

    My wireless printer talks to my router like my notebook. It seems to always be 192.xxx.yyy.nnn in the logs. I use DHCP.
     