Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Just a hint/reminder: as the next release comes ever closer (no, I don't know when), PLEASE save your settings daily. You will need them unless you want to regenerate them all from scratch. :cool:

    PS: It's saved my bacon several times, including today! :D
     
  3. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Would saving settings also work for the Free version, because as I understand it you have to uninstall/reinstall every time you decide to update to the newest version.
    Saving settings would not help in that case, right?
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I don't have the free version so can't answer 100%!

    However, it sounds wrong to me! Maybe Mike Nash can help here with this one.
    The thread is focused on the Non free OA!

    Sorry.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't believe the save/restore of settings works in the free version.
     
  6. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Gerard!

    I like the comparison chart, very clear and to the point.

    So in the free version no settings saved. Stijnson you were correct! :thumb:

    But what does manual update mean in the free version? Can the user click to update, or is it, as Stijnson said, a complete reinstall each time?
     
  8. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    OA Free does not allow updates at the moment - but the product will, of course, be updated.

    This may not be 100% clear. The reason for the lack of clarity is simple...

    It used to have a little red "No" cross in updates - for me that indicates that no auto update is available.

    However, the "No Updates" was seized on with glee by some folks in one particular forum and "Online Armor Free will never be updated" became a cheap way of attacking it, so I had to change it. Rewording that particular page on the site (again) has been fairly far down my todo list :(
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    For those who don't yet know, OA has now released Version 2.1.0.0.85. The last official was 31 which gives some sense of the amount of beta testing carried out.

    So let's now resume with the Hints thread here which will deal only with the FW/HIPS version as I don't use the AV+ version which provides KAV as the AV via an arrangement between the two firms. Others using KAV may be able to help if any questions show up. The free version is as I understand it still at version 31 for now.

    For the past many weeks I have been one of the beta testers over at OA which has been an interesting experience. Any learnings that I got there I will be glad to provide here with the usual no promises of accuracy caveat.

    So that my version is the same as users here, I have installed the trial 85, since I couldn't find an easy way to get v 85 to show up on my PC coming off a beta version. (TO: Mike Nash: from the trial, how do users put their existing license codes in?)

    Here is a list of 6 steps I have followed so far:

    1 Uninstalled all old OA versions, including the folders and all old settings

    2 Ran registry clean up, CCleaner and a defrag then rebooted as if OA had never existed on my PC.

    3 >FW>INTERFACE>untick trusted

    4 >OPTIONS>FW>UNTICK AUTOMATIC ALLOW TRUSTED PROGRAM ACCESS
    >TICK ENABLE LOGGING
    > TICK RULES LOGGING
    > LEAVE BLOCK ALL TRAFFIC DURING BOOT UNTICKED

    5 >GENERAL>MODE>SWITCH TO ADVANCED
    > UNTICK SHARE INFO ON PROGRAM SETTING ( PERSONAL CHOICE)
    > TICK HIDE BOOT SPLASH

    6 > PROGRAMS UNTICK HIDE TRUSTED

    7 >OPTIONS>BACKUP RESTORE SETTINGS NOW ON SEPARATE MEDIA


    At this point I will install my country white list and block all others then I will just run it for a day or so and see how she goes. I will record my next steps on settings and report back.
     
    Last edited: Feb 19, 2008
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    >FW>Restrictions

    Countries> deny all

    Except my 10 allowed countries as a white list of countries. Also I allow local host. I do not need to allow Intranet or Satellite Provider.


    >FW>ICMP un-ticked all the default allowed including:

    echo
    timestamp
    info request
    mask request
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I don't know if anybody is finding these posts here useful or not. There are other OA threads running here as well. :cool:

    I am prepared to post how to restrict users' updating exe's using UDP 53 and the matching TCP's to one and only one IP, but why bother if everybody either knows already or doesn't have the interest?

    I'm NOT complaining just don't want to waste time.

    Let me know what is of interest.:thumb:
     
  12. Shelty

    Shelty Registered Member

    Joined:
    Oct 28, 2007
    Posts:
    41
    Hi, Escalader

    If it wasn't for your posting of all this useful info, I might not have bought OA in the first place. It helped me set up OA when I first used it. I, for one, appreciate all the info and time you have given here.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    TY, good to know!
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    To restrain your various updating exe's, it is more secure to set specific IPs and countries for each one. I know, why bother? Well, the way FWs work is that whatever is not specifically allowed is not allowed. So the more specific the better.

    Here is one example:

    For Spybot Search and Destroy (I use it only on demand and to load my host file up)

    Here is what I did to limit this updater:


    (1) For the UDP rule >FW>rules>SDUpdate.exe >edit rule>endpoint restrictions>entered my DNS address for this PC> entered only my home country.

    (2) For the TCP rule >FW>rules>SDUpdate.exe >edit rule>endpoint restrictions>enter 87.106.8.215> entered Germany as 1 source.


    These then ensure that this application gets its updates from 1 and only 1 location.

    All the other updating exe's are done the same way, and you can use the FW status screen while updating each to get the correct ip's for the TCP and you can find the dns address out of your LAN connection icon click and click on status/details. Some have a primary and an alternate. In these parts I only have one from my ISP.
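
The per-program endpoint restriction described in the post above, as an added example that is not part of the original post and is not Online Armor's own code: it replays connection records against a default-deny allow-list and reports anything outside it. The log format, the address 192.0.2.53 (a stand-in for the poster's DNS server) and the non-matching addresses are constructed assumptions; country restrictions are not modelled.

```python
import ipaddress
from collections import namedtuple

# One endpoint restriction: program, protocol, permitted remote network, port (None = any).
Rule = namedtuple("Rule", "program proto remote port")

# Rules modelled on the post. 192.0.2.53 is a constructed stand-in for "my DNS
# address"; 87.106.8.215 is the update server address given in the post.
RULES = [
    Rule("SDUpdate.exe", "UDP", ipaddress.ip_network("192.0.2.53/32"), 53),
    Rule("SDUpdate.exe", "TCP", ipaddress.ip_network("87.106.8.215/32"), None),
]

# Constructed connection records in a hypothetical "date time program proto ip:port" format.
SAMPLE_LOG = """\
2008-02-20 10:01:02 SDUpdate.exe UDP 192.0.2.53:53
2008-02-20 10:01:03 SDUpdate.exe TCP 87.106.8.215:80
2008-02-20 10:01:04 SDUpdate.exe UDP 198.51.100.9:53
2008-02-20 10:01:05 SDUpdate.exe TCP 203.0.113.20:80
2008-02-20 10:01:06 other.exe TCP 203.0.113.20:443
"""

def parse_line(line):
    """Split one record into (program, proto, address, port); raises ValueError if malformed."""
    _date, _time, program, proto, endpoint = line.split()
    host, _, port = endpoint.rpartition(":")
    return program, proto.upper(), ipaddress.ip_address(host), int(port)

def allowed(program, proto, addr, port, rules=RULES):
    """Default deny: a connection passes only if some rule names it explicitly."""
    return any(
        r.program.lower() == program.lower() and r.proto == proto
        and addr in r.remote and r.port in (None, port)
        for r in rules
    )

def audit(log_text, rules=RULES):
    """Return every record that no rule allows, as (program, proto, ip, port) tuples."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            program, proto, addr, port = parse_line(line)
        except ValueError:
            violations.append(("<unparsable>", "", line.strip(), 0))
            continue
        if not allowed(program, proto, addr, port, rules):
            violations.append((program, proto, str(addr), port))
    return violations
```

A program with no rule at all (other.exe in the sample) is reported too, which is the "whatever is not specifically allowed is not allowed" behaviour the post relies on.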
     
  15. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    You seem to be making things too complicated. I have Spybot and all I did was, when I clicked update in Spybot, Online Armor gave me a pop-up and I allowed it. After that Spybot is learned.
     
  16. Shelty

    Shelty Registered Member

    Joined:
    Oct 28, 2007
    Posts:
    41
    There are those that want to be more involved just as there are those who don't want to be bothered.
     
  17. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    True but as long as it works and protects me without bothering me I am happy.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Fellow Learners:

    Here is something I found interesting anyway. In R 31, earlier in the thread we developed the advanced HIPS settings for the FF and IE 7 browsers.

    OA has modified these settings so that the user can (using the "More" entries) enter target programs that could for example be allowed to start via the browser.

    Mike Nash/ Stem, if you have time please let the thread know the security implications of this feature. How / why would a user exploit this?

    When I opened FF up it had spooler in the start application (more). Since I didn't put it there I deleted it. No bad effects yet. :doubt:


    Here in the attached jpg are my current settings for FF. I made IE 7 the same.
     


  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    Due to lack of spare time, I have been unable to take time to look at the latest releases.
    I would presume this is for child process.

    Spooler?,
    Spoolsv (which is the fax/print spooler) is for printing, so I would expect this if you were to print web content directly from the browser. Please confirm the process/application name.

    edit:

    I will find time over the next day or 2 to install the new full release, then I can make better feedback.
     
    Last edited: Feb 20, 2008
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem: Yes, this is what I think as well, it's for child processes. A definite change from OA 31. How will users deal with that? But I'll wait for answers on that one!

    Yes, will do. As soon as I see it again I'll jpg the screen, but I think you are correct since I do print web content routinely.

    On spare time I understand 101%.

    Waiting to install the new full release was a good thing for you anyway. One guy who rushed in (me) got confused by an updater bug and ended up back on the trial version. :( I will reinstall myself and try to restore my saved setting as the first step.

    More later.:thumb:
     
  21. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Escalader,
    Good to see that you're still doing this.
    In your post #268 you show the 'Run Safer' box.
    Look at the jpg and you'll see the word 'More' in parenthesis.
    Yet when I go to the same 'Run Safer', I see only 3 options-Allow, Block and N/A.
    What is More and how does N/A fit into this?
    I'm using OA v. 85 on XP Pro.
    Thanks.
    Hugger
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Hugger:

    Yes that is what mine shows I have a More!

    You need advanced mode, when I switch to standard mode I get N/A as well. N/A means not available in standard mode.

    You get to advanced as follows:

    >Options>mode> select advanced.

    As to what this more means to advanced mode users, I'm about to post 3 of my More settings for viewing and when time permits Stem and Mike Nash to comment on.

    In the mean time my advice is don't mess with it till it is better understood.

    It seems these relate to child applications that are allowed from a trusted application, in this case I'm working FF.

    More later.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here are 3 jpg's from my setup. Windows xp sp2, OA in advanced mode showing HIPS settings for my FF browser.

    When Stem and Mike Nash (or one of the OA FW/HIPS guys) have time I'm hoping they can help us understand how to exploit these more settings.

    I'm going to read some more of the new help site now to see what can be gleaned from that.


    PS: Stem, the spool I was on about was a folder name as you can see from the jpg.

    01.JPG

    02.jpg

    03.jpg
     
    Last edited by a moderator: Feb 22, 2008
  24. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Hey, I have been playing around with OA all day today and I found out that the web shield really slows down some web pages. It even doesn't allow some to load fully. One site I visit every day is Gamershell.com. I shut off web shield and the site was still slow. The site is also allowed in my trusted sites. I rebooted and web surfing speeds came back. I have a 6MB DSL connection and I don't want to wait more than 2-3 sec for any page to load. I do not lose security with this option off since many other firewalls I used in the past lack this. I have NOD32 to keep me safe. So if anyone is noticing slowdowns while browsing, just untick web shield and reboot.
     
  25. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    Referencing the photo in post #242:

    This is one of my complaints about Online Armor firewall. IMO when one sets for ADVANCED mode, things like networks should NOT be auto-trusted by default. Advanced should mean the user has the know-how to click Trusted if it is indeed trusted.

    I'm assuming networks default in OA at trusted for ease of use by people who don't know about these things. But these kinds of folks will be (as they should be) operating in Standard Mode. So I think this is a genuine complaint. The Advanced setting should not default at Trusted; it should be just the opposite, actually, for things like rules creation, networks, and so forth.
     