Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: Varying Backup File Sizes

    Hello Mike et al at OA:

    Attached is a jpg of my recent backup files. Note the change in file size.

I'm sorry if this is a dumbo question, but why the large difference?
     


  2. Escalader

    Re: Escalader's Security Tools

    Here for information only is the current list.

    It is posted not to generate any debates about why your tools are better etc but to see what works for me on OA 2.

    If you want to ask me a question on them please use a PM so as NOT to go OT.

    They fall into 2 groups, active or running all the time and on demand or when I decide to use them:

    Active:

    H/W DSL Router
    H/W Alpha Shield FW protects whole LAN from incoming only

    S/W FW/ HIPS combo (OA 2 Beta 135) uses white list concept
    S/W AV Nod32 with heuristics engaged
    S/W PG 2 ip list based blocker (white list and black lists)
    S/W Spam Monitor (PC Tools)
    S/W SpywareBlaster

    On Demand (all S/W)

    Backup and Partition Management (Paragon Imaging)
    Spybot Search and Destroy (I use their Hosts list for 127.0.0.1 and Immunization)
    File Encryption (LavaSoft)

Omitted some tools used for registry maintenance, temporary file clean up and defragging.
     
  3. Escalader

    How to test OA firewall? (adapted from a WSF Sticky)

    To test your firewall's ability to protect against attacks and scans there are a number of test sites. This thread is not interested in which test site is best!:D

    Please be aware that if you are using a router, the test will target the router, not any software firewall your PC is running. This is a waste of time unless you are testing the router!

    So, I suspect (subject to the usual expert corrections) that the way to do it would be to temporarily disconnect from your router and any other H/W F/W like my alpha shield and plug the ISP cable straight into the PC.

Run the test, record the results and then plug back into the router, as it is the primary H/W FW.
     
  4. Escalader

Here is a question to ask ourselves o_O

    With XP sp3 out yesterday (my time not yours :D ) has anybody noticed any impacts on OA 2 settings/behaviour?

    I can't answer now since I won't install sp3 for at least a month (if then). Let the early adopters have all the "fun".

    Selfish attitude I know but I've got other fish to fry as they say around these here parts.

    See ya!

Today's advice? Backup your settings before installing a new OA version and let the SCW run to completion before attempting a restore settings step. This increases the chance of a good clean restore. In a perfect world this would not be needed, but it is not yet a perfect world.
     
  5. Jon_T

    Jon_T Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    38
    So far no problems, several new pop-ups from OA for svchost.exe connecting to internet.

    After first reboot and connecting to internet checked OA's History and had 12 new Program Guard entries, (apparently due to updated [or possibly new] Windows systems files), and 7 new Firewall: Automatic decision entries. Two (1 Incoming, 1 Outgoing) for lsass.exe. Rest were Incoming and Outgoing for svchost.exe on different ports.

    As some users have noted at other forums, some tasks "seem" to run a little smoother and faster.

    Made an image of HDD prior to installing SP3 so I could easily restore system if needed. ;)
     
  6. Escalader

    Re: Spoolsv.exe allowed by OA

Attached is an image showing OA's rule allowing spoolsv.exe to use DNS port 53.

    I should know/remember why this is "okay" or not, but I don't.

    I'm unsure why spoolsv would need this? It is not in my program tab listing, even with trusted programs not ticked as in to be hidden.

    Help would be appreciated.
     


  7. Escalader

    Re: Hints on using Banking Mode

    One of the features of OA is called Banking Mode. This is one of the add on features by OA which makes the product a "suite" of tools for users and not just a SW FW.

Rather than re-state how to use this feature, here, with a few editorial comments, are OA's help sections:

    The important step to carry out before using this feature is:

    This ensures your bank is included in their "white" list.

    1. http://www.tallemu.com/webhelp/WebScreening.htm
    2. http://www.online-armor.com/help/TrustWebSite.html

    Now that you have loaded your sites when you want to do online banking here is the video help on how to engage Banking Mode.

    As I understand it, OA does a double check DNS to ensure your addy for the bank matches their's in the white list.


    http://www.tallemu.com/webhelp/FirewallBankingMode.htm


    Note: My own Banking Mode test failed:

    Loaded in my sites, tried to log on and the connection failed due to FF being blocked.
    o_O

    Let the thread know if you have better luck.

    Mike Nash: What did I do wrong here, FF is in run safer mode, does that matter?:doubt:
     
    Last edited: May 18, 2008
  8. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hi,

    I ran Firefox with "run safer" option and sandboxed with SBIE... and it worked for me.
    Just marked my site as "Protected" in My Web Sites and enabled Banking mode.
    All other open sites were blocked, only Protected website opened up.

    Maybe redirecting to another domain causes the failure with your site.

    Cheers
     
  9. Escalader

    Hi Subset:

    TY! Yes I can confirm that removing run safer from FF didn't change anything for me.

    My FF fails to connect when it tries to "go" to the bank so I think you may also be correct about the redirect. I also use a FF add on called Roboform to store id's and passwords so that complicates things.

    What I can't figure out is what to do about the redirect.

    I'll mess about with this one and post my failures and successes. :cool:

    More later
     
  10. Escalader

    Right, here is a partial success I have.

    When I get the FF redirect following:

    en-gb.start2.mozilla.com

    OA won't connect in banking mode, it is not a protected site.

    So I used Roboform add on to go direct to the protected banking site and that did work.

    On my second bank site this trick failed to work, but I may need to add all the subsites it uses to the protected list.

    So I'm grading my work here at 50%!


    More later.
     
  11. Escalader

    Hi Subset:

Did you enter your banking sites with or without the www's and https's, or just as domains?

    eg

    1) https://www.yourbank.com?
    2) https://yourbank.com
    3) www.yourbank.com
    4) yourbank.com

    Are you in IE or FF or another browser?

BTW, readers: in the OA My Web Sites table, by right-clicking on an entry you can open a site directly for any setting there except Blocked.

    In my case I'm taken to FF from that click.
     
  12. subset

    Hi,

    let's take Bank Fantasia for example... but it's a little tricky.
    I use the registered domain names, like BankFantasia.com and Ba-Fa.com
    BankFantasia.com is the registered domain name of Bank Fantasia's website.
    Their IP is AAA.BBB.C.D (just letters instead of numbers).
    But if I hit "OnlineBanking LOGIN" I am redirected to Ba-Fa.com, their IP is AAA.BBB.E.FF.
    Therefore it only works for me if I mark both, BankFantasia.com and Ba-Fa.com as "Protected" in OA.

Because OA's Webhelp tells us:
    "When in Banking Mode, Online Armor restricts you to connecting to trusted (or protected) websites."
    This "trusted" seems to point at OA's banking whitelist, because I can only connect to Bank Fantasia and the redirected OnlineBanking domain (while in Banking mode) when I choose "Protected" for both domains.

    And as you can see from this example: if you only add the website of your bank to My Web Sites, maybe you can't connect to your online banking domain and vice versa.

    I use Firefox as web browser.

    Cheers
     
    Last edited: May 19, 2008
  13. Jon_T

    Re: Spoolsv.exe allowed by OA

    Do you have multiple PCs connected and possibly sharing a printer?

As you're aware I know little about firewall rules protocol; this is just a guess based on various posts I've read at OA forums about problems users were having with multiple PCs, where the common solution has been adding a rule allowing UDP outbound on port 53 for various services.

    See the links in my post at this OA topic.
     
  14. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Re: Hints on using Banking Mode

    Hi Escalader,

    Sorry I missed this question. Banking mode works off the list of protected domains. The problem is that the banks sometimes use subdomains as well, for example, in Australia Westpac Bank would require the following entries:

    www.westpac.com.au
    westpac.com.au
    online.westpac.com.au

    If anyone's particular bank does not work, please contact support through the support form if you want to be anonymous (not that we're concerned who you bank with, but that info is best kept private) and we will figure it out and add to the config.


    Mike
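The two posts above (subset's Bank Fantasia redirect and Mike's Westpac subdomain list) describe the same thing from two sides: banking mode checks the hostname the browser lands on against the Protected list, so a login that hops to a second domain or to a subdomain fails unless every hostname in the chain is listed. The block below is an added example, not Online Armor's code, that models that check both ways (exact hostnames only, and "a listed domain also covers its subdomains") and walks a constructed redirect chain to find the first hop banking mode would refuse. The Westpac hostnames and the Bank Fantasia / Ba-Fa.com names come from the thread; the URL paths, the `online.ba-fa.com` host and the lookalike domain are constructed, and how OA actually matches hostnames is an assumption.

```python
"""Added example (not Online Armor's code): how a "protected sites" list behaves
under exact-host matching versus suffix (subdomain) matching.

Assumptions (not from the thread): the check is hostname-based and
case-insensitive, and a login may redirect to a second domain, as subset's
Bank Fantasia post and Mike's Westpac example describe.
"""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lowercase hostname from a URL or bare host, dropping scheme, port and path."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def exact_match(host: str, protected: set) -> bool:
    """Only the exact hostnames listed are allowed: www.bank.com does not cover online.bank.com."""
    return host in protected


def suffix_match(host: str, protected: set) -> bool:
    """A listed domain also covers its subdomains, but never a lookalike like bank.com.evil.test."""
    return any(host == d or host.endswith("." + d) for d in protected)


def banking_mode_allows(url: str, protected: set, subdomains: bool) -> bool:
    """Decide whether a navigation is allowed while banking mode is on."""
    protected = {host_of(p) for p in protected}   # normalise list entries the same way
    h = host_of(url)
    return suffix_match(h, protected) if subdomains else exact_match(h, protected)


def walk_login(urls, protected: set, subdomains: bool):
    """Follow a redirect chain; return the first URL banking mode would block, or None."""
    for u in urls:
        if not banking_mode_allows(u, protected, subdomains):
            return u
    return None


# Constructed login flow: the bank's front page hands off to a separate login domain,
# the situation subset describes (BankFantasia.com -> Ba-Fa.com).
LOGIN_CHAIN = [
    "https://www.bankfantasia.com/",
    "https://www.bankfantasia.com/login",
    "https://online.ba-fa.com/secure",
]
```

Under exact matching, Mike's three Westpac entries are all needed; under suffix matching, `westpac.com.au` alone would cover them, which is the behaviour a user would probably expect, but also the one the thread's failures suggest OA did not provide at the time, so list every hostname you see in the address bar during a login.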
     
  15. Escalader

    Re: Hints on using Banking Mode


    TY, Mike I will contact the support forum as the second bank will NOT work.

    At any rate people here are now aware of the feature.
     
  16. Escalader

    FWIW, over at OA forum Mike has taught me (yes I'm learning) that his Protected Site feature works whether user is in banking mode or not.

    I tried 2 sites that I decided to protect unrelated to banking and it works!

    Site 1 was www.tallemu.com
    Site 2 was www.ccleaner.com/update

    What this means is I can now protect ALL my SW update sites reducing the chance of getting an update from the "wrong" places.

    I turn off all automatic updates so I won't be causing tooooo many double dns checks.

So this feature can be used for MORE than just banking.


    Of course, as an added step I also put the update sites ip's as endpoint restrictions right into the updater exe's.
     
    Last edited: May 21, 2008
  17. Escalader

    Today all I have for the thread is a basic reminder:

Just because users need/want to run a program (xxxxx.exe) on their PCs DOESN'T mean these programs MUST be allowed to access the internet.

    FYI, attached is my current blocked program list. I'm NOT recommending you copy mine at home yourselves this is ONLY what I choose to do on my PC. I'm also NOT claiming my list is complete.

    iexplorer for example should not be blocked if you use that as your browser.

I use FF, so I don't need to extend www privileges to IE7. But you might if that is your one and only browser.

On Spam Monitor I let it access the spam list sites it needs, but as my updates licence has expired I cut off its update program from accessing the www.

    These are just my examples, you guys and gals will have your own favorite exe's to block.

    FWIW, the endpoint ip ranges now work in beta versions of OA for restraining the set of ip's an exe can access for updates etc. Works well and saves manual entry effort.
     


  18. Escalader

    Re: Spoolsv.exe allowed by OA


    Hello OA Learners ! Been away on vacation! Try it sometime!

    FYI,

On this windows/SYSTEM32/spoolsv.exe matter I have been running with:

    1) In Program Tab ( HIPS) set to ask to run. In beta version also set to safer which puts this exe at limited user powers rather than whole PC.

    2) In FW rules, I have port 53 (domain) set to deny as I can't see why it needs it.

    So far all works fine.
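Posts 17 and 18 make one point from two angles: a program may be allowed to run and still get no network at all, a program that does need the network can be pinned to its vendor's addresses (the "endpoint restriction" on an updater), and a service like spoolsv.exe can carry an explicit deny on UDP/53. The block below is an added example, not Online Armor's rule engine or rule format, that evaluates a small per-program outbound policy of that shape. spoolsv.exe and the port 53 deny come from the thread; `updater.exe`, `firefox.exe`, the vendor address range 203.0.113.0/24 and the first-match-wins, deny-by-default semantics are assumptions made for the illustration.

```python
"""Added example, not Online Armor's code: a model of per-program outbound rules
with endpoint restrictions. Rule syntax, program names other than spoolsv.exe,
and the address ranges are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    program: str                 # executable name the rule applies to
    proto: str                   # "tcp" or "udp"
    port: Optional[int]          # remote port; None means any port
    action: str                  # "allow" or "deny"
    endpoints: Tuple = ()        # allowed remote networks; empty means any address

    def matches(self, program: str, proto: str, port: int, ip) -> bool:
        """True when this rule applies to the connection attempt."""
        if self.program != program or self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        # Endpoint restriction: with networks listed, the remote address must fall inside one.
        if self.endpoints and not any(ip in net for net in self.endpoints):
            return False
        return True


def net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


# Constructed policy. First matching rule wins; no match falls through to deny,
# which is how an exe that is allowed to run but never granted a rule stays offline.
POLICY = [
    Rule("spoolsv.exe", "udp", 53, "deny"),                                    # post 18
    Rule("updater.exe", "tcp", 443, "allow", (net("203.0.113.0/24"),)),        # vendor range only
    Rule("firefox.exe", "tcp", 443, "allow"),
    Rule("firefox.exe", "tcp", 80, "allow"),
    Rule("firefox.exe", "udp", 53, "allow"),
]


def decide(program: str, proto: str, port: int, dst: str, policy=POLICY) -> str:
    """Return "allow" or "deny" for an outbound attempt by program to dst:port."""
    ip = ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(program, proto, port, ip):
            return rule.action
    return "deny"
```

The interesting case is the updater: the same program and port is allowed to 203.0.113.10 and denied to 198.51.100.10, which is exactly what pinning an update site's addresses into the exe buys you. The caveat the thread hints at with its "double DNS checks" is that an address-based pin breaks silently when the vendor moves hosts, so a denied update is the signal to re-check the range rather than to loosen the rule.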
     
  19. Escalader

    How to block selected ip ranges with OA and Bluetack

Although, as some readers may know, I use PG2 for most default blocking, it is a good idea for users to know how to use OA list files to achieve the same function. (If you don't believe in blocking then don't do any of this. It is a matter of user security policy and approach. To each "his" own.)

    In OA FW tab (including standard mode) > a tab called black lists.

    At the bottom of the window > Add. Up pops the standard My documents window.

    What to do? It is calling for you to click on a file. No doubt you don't have a file for this purpose. So we have to download a file(s) that contain ranges of ips you want to block.

    The main place I'm aware of is Bluetack in the UK who do these list building projects. Here is their link.

    http://www.bluetack.co.uk/forums

    BTW, I'm in that forum under same id if that is of any interest. Posted a few times there while figuring out how to use their services and about the use of China in PG 2 as a source for updating PG 2 lists.

So you register at Bluetack, go to their blocklist tab, download the lists you want to use, and they arrive on your PC as zip files. Unzip to your blocklist folder, whatever.

    Now you have the list files for OA blacklist to point to and you do that a list at a time via OA's Add tab.

    That's it! Oh one little item, IF you find a block range you don't want you can use the OA Edit tab to delete the entry or modify it.

    It is easy to see in these list edit tabs that a user COULD build their own list.

    Thing on that is you would have to be careful NOT to lose your entries when updating the list from Bluetack. So create your own txt file name if you do set your own favourites up to block.

    Attached is my jpg of this OA feature.
     


  20. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Hi,

    Just a question though, can OA block advertisement and popups? I can't seem to find it in this thread. And I do not wish to use Ad Muncher if possible. Can it be done? If yes, how? Currently using Adblock Plus with FF. I'm just toying with the idea of having OA do all. :p
     
  21. Chalawah

    Chalawah Registered Member

    Joined:
    Jul 26, 2005
    Posts:
    76
    Location:
    Australia
    Regarding the Bluetack Level1 blocklist,

    I notice that when this list is imported in OA I cannot access w**.tallemu.com and w**.tallemu.com/
As soon as I disable the Level1 blocklist in OA I can access these websites without problem.

    Has any one else noticed this?

    What entry in the Level 1 blocklist might be responsible for this? I have tried to find one but have not had success.

    Cheers,

    chalawah
     
  22. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Hi,

    I once had that level1 list on this machine and I noticed it blocks a lot, also sites I don't want to block at all.
    So I deleted that list.
    That said I don't know why it is blocking TallEmu.

    Gerard
     
  23. Escalader


    To find the right entry in any list you need the ip. One for Tallemu is

    66.100.171.91 so you scan down the list in Level 1 find the range which includes it and delete the entry. Take a second look at my example and you will see the delete/remove tab.

    Thing is the next update to level 1 may wipe out your change and reintroduce Tallemu. This is why users of block list need an updater function.

    IMO this list1 is toooooo big.
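Post 19 describes loading a downloaded range list into OA's black list and editing it, post 21 reports a list that blocks a site it should not, and the post above gives the manual fix: find the range containing the site's address and remove it, then worry about the next update overwriting your edit. The block below is an added example, not Online Armor's or Bluetack's code, that does that search over a list in the plain-text "p2p" layout (one `description:first-last` range per line) that PeerGuardian-style lists use, and writes the edited list back out so it can be kept as a separate file. That OA reads this layout is an assumption; the list content is constructed, and only the Tallemu address 66.100.171.91 comes from the thread.

```python
"""Added example, not Online Armor's or Bluetack's code: parse a p2p-format IP
range blocklist, find the entries covering a given address, and emit a copy of
the list without them. The sample list is constructed; 66.100.171.91 is the
Tallemu address quoted in the thread.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]

SAMPLE_LIST = """\
# constructed sample in p2p format: description:first-last
Example hosting range:66.100.160.0-66.100.175.255
Another range:198.51.100.0-198.51.100.255
Broken line without a dash
Documentation range:192.0.2.0-192.0.2.255
"""


def parse_p2p(text: str) -> List[Entry]:
    """Parse description:first-last lines; comments and malformed lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition so a description containing ':' still parses; IPv4 ranges have none.
        desc, sep, rng = line.rpartition(":")
        if not sep or "-" not in rng:
            continue
        lo, _, hi = rng.partition("-")
        try:
            a = ipaddress.IPv4Address(lo.strip())
            b = ipaddress.IPv4Address(hi.strip())
        except ValueError:
            continue
        if a > b:                     # tolerate a reversed range
            a, b = b, a
        entries.append((desc.strip(), a, b))
    return entries


def ranges_covering(entries: List[Entry], ip: str) -> List[Entry]:
    """Every entry whose range contains ip: the 'scan down the list' step done for you."""
    addr = ipaddress.IPv4Address(ip)
    return [e for e in entries if e[1] <= addr <= e[2]]


def without(entries: List[Entry], ip: str) -> List[Entry]:
    """Copy of the list with the entries covering ip removed."""
    drop = set(ranges_covering(entries, ip))
    return [e for e in entries if e not in drop]


def to_p2p(entries: List[Entry]) -> str:
    """Serialise back to p2p layout, e.g. for saving as your own list file."""
    return "".join(f"{d}:{a}-{b}\n" for d, a, b in entries)
```

Note that removing the whole range is a blunt fix: in the sample, dropping "Example hosting range" to reach 66.100.171.91 also unblocks the other 4,095 addresses in 66.100.160.0/20, which is the trade-off any coarse blocklist forces. Saving the result with `to_p2p` under your own file name is what keeps the edit from being wiped by the next list update, as the post warns.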
     
  24. Escalader

    Hi cryon:

    I'm biased but I really don't believe in one tool does all even OA. So IMHO keep your adblock plus on FF.

    To answer your questions go to:

    http://www.tallemu.com/webhelp/


    OA does do some ad blocking in sites.

    It sounds like you don't have the product on trial yet?

    If not, get it and try it out on your security concerns to see! Kind of like a test drive on a car before buying.
     
  25. cryon

Thanks Escalader. Appreciate the answer. Yes, I'm still using OA (Trial) while waiting for my paid license to be delivered from my local vendor. It's just a thought of toying with OA, kinda like a kid having a new toy. :D
     