Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,



    What info on beta testing is allowed on public (non-vendor) sites is down to the vendor.
    Even open beta testing can come with restrictions on reports made.

    It would need to be made clear from the vendor that reports can be made openly from beta testing before such can be allowed intentionally.



    - Stem
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hello Stem:

    Good to see you back. :cool:

    Yes, I'm holding on posts here pending the next formal release of OA.

    In the meantime, I'm doing research/polls on which OA features are used so as to focus the learning hints.

    There is no rush.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello OA thread.

    For reasons shown at:

    https://www.wilderssecurity.com/showpost.php?p=1412886&postcount=59

    I have reinstalled OA v3 190, their last formal release, which came out some time ago.

    The poll shows more WSF OA users are using OA in beta form, so questions on betas should be posted over there. The poll also shows most WSF OA users are tweaking in advanced mode, things like entering precise IP addresses in updaters. I'm avoiding using Run Safer on any application since the last time I did that I lost all my admin privileges. The vendor is aware of these issues.

    That said, I will conduct a few tests with 190 on blocking lists and post those results here for the benefit of WSF.
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In the current formal release of OA 190, there is an option to tick or not the Intercept Loopback interface.

    See my attached jpg of this tab.

    The OA help for this option follows:


    Now I use FF with adblocking, an AV and a spam filter. My guess would be that my setup is not unusual!

    So here are some questions for those with higher pay grades than me; this is a learning thread, right?

    1) Why wouldn't this OA option always be ticked?
    2) When users engage the pop up feature when loopback is on what rules should users apply for responding in order to maximize security?
    3) Should OA users write allow inbound TCP to 127.0.0.1 loopback rules for FF and IE or other browsers and how does that match up with this OA option? Or does OA write rules for them that are "unseen"?
    4) What other applications if any need similar inbound loopback rules?
     

    Attached Files:

  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Country_Restriction_Override?

    As promised in earlier post I have been doing some research or tests if you prefer into the behavior of Restrictions in OA 190.

    Attached is a composite of some jpg images that are very interesting. Here are some comments and observations based on these jpg images.

    1) I use NOD32 and only 1 site/server in CZ to seek the AV updates, 89.202.157.135.
    2) I have asked OA190 NOT to allow CZ to be accessed as a country, as a test of restrictions in the FW.
    3) The log from OA190 shows that not only 89.202.157.135 was blocked but a whole bunch of other eset IPs as well.
    4) Yet Nod32 reports, with 1, 2 and 3 all in place, that it's up to date.
    5) I suspect the fact that I placed 89.202.157.135 in the allowed IP list for the specific Nod32 updater rule overrides any entries in the restricted country list at rule level or at Global level.
    6) Another item is why does Nod32 attempt to go beyond 89.202.157.135? I suspect that these IPs all belong to the range allowed implied by 89.202.157.135. But I'm not sure. See attached IP look up for these IPs.

    So my question to OA is are they aware of any leakage in the country restrictions at global or rule level and does a specific ip in a rule override these restrictions? How should this work?
     

    Attached Files:
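    The precedence question in the post above (does an IP listed in a program's rule override a country restriction?) can be pinned down by coding the two candidate behaviours and checking which one reproduces the outcomes seen in the log. The following is an added illustration written for this thread, not Online Armor's own logic or code; the IP-to-country table, the rule name and the observed outcomes are constructed for the example, with only 89.202.157.135 and the CZ block taken from the post.

```python
"""Added illustration (not Online Armor's code) of firewall restriction
precedence: does an IP explicitly allowed in a program's rule override a
country block? Two candidate models are coded and the observed log
outcomes are checked against each. IP-to-country data, the rule name and
the observations are constructed for the example."""
from dataclasses import dataclass, field

# Constructed lookup; a real firewall resolves this from a GeoIP database.
IP_COUNTRY = {
    "89.202.157.135": "CZ",   # the single update server named in the post
    "89.202.157.136": "CZ",   # constructed neighbours in the same range
    "89.202.157.140": "CZ",
    "192.0.2.10": "US",       # constructed, documentation range
}


@dataclass
class Rule:
    program: str
    allowed_ips: set = field(default_factory=set)


def decide(rule, dst_ip, blocked_countries, rule_allow_overrides):
    """Outcome for one outbound connection under one precedence model.

    rule_allow_overrides=True: an IP listed in the rule is allowed even if
    its country is restricted (the behaviour the post suspects).
    rule_allow_overrides=False: the country restriction wins.
    IPs not in the rule's allow list are blocked under both models."""
    if dst_ip not in rule.allowed_ips:
        return "block"
    country = IP_COUNTRY.get(dst_ip, "??")
    if country in blocked_countries and not rule_allow_overrides:
        return "block"
    return "allow"


MODELS = (("rule-allow-overrides", True), ("country-block-wins", False))


def infer_precedence(rule, blocked_countries, observations):
    """observations: (dst_ip, outcome) pairs read from the firewall log.
    Returns the names of the models that reproduce every observation."""
    return [
        name for name, flag in MODELS
        if all(decide(rule, ip, blocked_countries, flag) == seen
               for ip, seen in observations)
    ]


def leaked_connections(rule, blocked_countries, observations):
    """Connections that were allowed although the destination country is
    restricted and the IP is NOT in the rule's allow list: these would be
    genuine leakage under either model."""
    return [
        ip for ip, seen in observations
        if seen == "allow"
        and ip not in rule.allowed_ips
        and IP_COUNTRY.get(ip, "??") in blocked_countries
    ]


# Constructed observations matching what the post reports: the listed
# update server got through, the other CZ addresses were blocked.
UPDATER_RULE = Rule("AV updater (placeholder name)", {"89.202.157.135"})
BLOCKED = {"CZ"}
OBSERVED = [
    ("89.202.157.135", "allow"),
    ("89.202.157.136", "block"),
    ("89.202.157.140", "block"),
]

if __name__ == "__main__":
    print("models consistent with the log:",
          infer_precedence(UPDATER_RULE, BLOCKED, OBSERVED))
    print("leaked:", leaked_connections(UPDATER_RULE, BLOCKED, OBSERVED))
```

    With the constructed observations only the "rule-allow-overrides" model fits, which is the behaviour the post suspects; an entry in `leaked_connections` would instead point to a restriction that is not being enforced at all, which is the case worth raising with the vendor.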

  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Some advice for OA 190 users.

    Don't use "Block all traffic during system boot". See attached jpg.

    I tested it for the first time to see if the issues warned about actually impact me. They do: I get limited connection after reboot. Removing the tick, the problem goes away.
     

    Attached Files:

  7. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    No worries here, that option is grayed out in the free version.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks, the hints here may not apply to other versions.

    What version of OA free are you on? a beta or a formal release?
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Go back to page 12 of this thread, you asked the question there and were given a reply.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The option is to block all traffic during boot, which it does, but blocking all traffic will block boot-DHCP so the PC will have problems obtaining an IP.
    If you set the PC with a fixed IP then this is not a problem.


    - Stem
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Latest formal release.
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks, Stem. I'm having trouble remembering my settings. :D


    What I wanted to do was a fire drill on my own 190 setup to see what happened. Well it happened.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks Stem:

    Another option would be (and I don't care for this) to re-enable the DNS service?

    My ISP (not to be selfish) doesn't seem to offer a fixed IP. But to my strange view of security a changing IP is a good thing security wise compared to the small gain of blocking connects during boot.

    What do you think yourself?
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    Enabling the DNS client/service would not change the problems you see with blocking all traffic on boot, as during the boot process, your IP and DNS servers are obtained.
    Just leave the "Block all traffic during boot" disabled. OA does run as a service, so network protection is enabled early in the boot process.


    - Stem
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks for the clarification! I'll just leave it un-ticked in 190. :D
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    On Sunday I always take images of my OS partition C and my data partition.

    To do this I happen to use the Paragon Product:

    Drive Backup™, version 9.0, build 5541 (07.06.08) Personal

    Components versions:

    Paragon Base Services Library, version 1.1, build 5541 (07.06.08)
    hdm.dll, version 9.0, release 9, build 6941
    biont.dll, version 9.0, release 9, build 6941
    biont.sys, version 9.0, release 9, build 6941


    Now what I get in OA 190 is the following pop up, see attached jpg.


    Can anybody:

    1) Confirm the same behavior with 190 and with Paragon?
    2) Tell if Paragon is using KL or KLB in this product?

    It seems unlikely that a well known product like this would engage in Key logger activity, the risk to their business would be too great.

    For now I'm assuming it is a FP, but I blocked it anyway by policy. I have no ill effects to report for Paragon. The images are all intact and I've used them.

    I will be contacting Paragon technical support on this and if they allow me will report back.
     

    Attached Files:

  17. Paragon_Support

    Paragon_Support Infrequent Poster

    Joined:
    Mar 2, 2009
    Posts:
    3
    Hello Escalader,

    Could you please tell us if you have enabled the Send Mail Notification feature in Drive Backup?
    If this feature is enabled and you want to see your drives before\after operation then Drive Backup will save\gather the part of Drive Backup screen content - disk map of Drive Backup to RAM and then send it via mail to your e-mail.
     
    Last edited: Mar 2, 2009
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks for such a rapid response! From a vendor it is refreshing!

    No, I don't have this email notification feature set. I attach my jpg for your inspection.

    Please confirm or not if this is the feature you refer to.

    As well I have never received such a before and after email from you.

    The KL pop up occurred after the 100% backup finished so that would be the time to capture an after image.
     

    Attached Files:

  19. Paragon_Support

    Paragon_Support Infrequent Poster

    Joined:
    Mar 2, 2009
    Posts:
    3
    Thank you for the update.
    One important note - our software works with its windows only and no pass or login information from Windows or any other software is ever saved.
    During last step of backup operation the software saves information of disks layout automatically. It does not depend whether the mail notification is enabled or not. Then, if the mail notification request is not launched - the information from Drive Backup window (disks layout map that normally should be sent via email notification) is erased from memory.
    Strange that OA detected it as an attempt to save the screen content as we work within our window only. We are going to research the problem immediately.
    Still, no harm or risk to your personal data from our software.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:
    You are welcome.:D

    Good, post back when your research is complete. :thumb:

    Meanwhile as one OA190 user only I will keep the KL block from OA190 in place just to be on the safe side.;)

    Another odd thing, is Paragon is not in my lists of FW tab programs, it has no rules generated by OA190 or created by me. However, it does occur in my hide trusted programs list as having an "unknown trust level" but a "normal security group". I'm kind of straining to know how OA190 knows it's normal in one column but unknown in the other?:gack:

    The clue may be in OASIS, I'll go there now on this Paragon matter and report my findings. Paragon is at version 9 for me and the OASIS may only cover up to version 8. Version 10 is coming so this matter may get worse even for keeping a white list.:doubt:
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well I accessed the OASIS db regarding the white listed or not white listed Paragon Drive Backup 9.0 executable file on my system known as launcher.exe.

    1st I reviewed the vendor list for Paragon and found 3 vendors (see jpg).

    2 of them were Not Rated by OA, coded NR. 1 however was, named Paragon Software, as a Standard Software Vendor. So I clicked on this one and only found 1 entry related to the creation of a CD. Nothing else! Well yes, you can create CD backup images with Paragon.

    Next I then checked Paragon Technologie GmbH (NR) and there were many programs and dlls etc. listed. There were multiple launcher.exe and other very common Paragon files that I recognized. As I feared they were all for earlier versions of Paragon; the highest level was version 8.5 dated December 2007, as an unknown program. Kind of odd calling it unknown yet it is entered in the DB. But I assumed it meant untested as qualified to be "white". The program has a digital signature that certainly looks valid to me, but I only looked at it. No hash work.

    Anyway, I'm a version ahead at 9.0 and I know version 10 is out or coming.

    This is an example of the difficulties of even maintaining a white list for vendors.

    If I were OA and I'm not I would focus hard on the most popular programs out there and validate them first on their white list. But there I'm assuming they aren't doing that now or that whatever I use must be popular.

    I think I have just accidentally made an argument for the behavioural HIPS function that would not be dependent on long lists, either black or white.

    That's it for now.
     

    Attached Files:

  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Warning!

    If you have MS's security center disabled because you have MS auto updates turned off or your AV isn't recognized by MS

    AND

    for whatever reason, the user un-ticks the FW setting on the General Tab showing Mail, Web, Program and Firewall then you will have no warning in the task bar from the OA icon that the OA FW is OFF.

    Again, this occurs if you have MS's security center disabled

    The security centre (SC) doesn't give a warning because OA automatically turns on the Windows FW so the SC is happy.

    I'm not :D because user gets no reminder that the OA firewall is OFF!

    Now our poll shows most readers of this thread are tweaking the features of OA as offered by OA in advanced mode and are using a beta version.

    So the question arises: does this lack of an icon task bar warning (different than the dreaded pop up) continue in these more advanced betas or public release versions? If so, post the response over there not here because I'm reporting only on OA 190 now.

    Sorry about that.:'(

    If anybody doesn't like users turning off the MS security centre their issue is with Bill Gates not me since he offers the ability to do it. WSF users are quite capable of reading the windows services drivers manual.:thumb:

    I don't personally want or need multiple outgoing packets to MS every day asking if they have breaking news of their monthly fixes. Why burden the www with load it doesn't need either. :D
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    OASIS Status of my Security and Backup Programs

    Here, without comment, is what I found on the OA OASIS DB regarding my own security software. I included browsers as I use their features to enhance www security.

     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Do all OA's exe's need www access?

    Well here is some "exciting" information for WSF threaders

    Some observations on OA 190

    There are 4 exe's showing in my task manager. Check your own to verify they are present.

    These are:

    1. oacat.exe in the OASIS DB 7 times as trusted
    2. oahlp.exe is also in OASIS 18 times as trusted
    3. oasrv.exe is also in OASIS 1 time as trusted
    4. oaui.exe is also in OASIS 6 times as trusted
    5. oaview.exe is also in OASIS 19 times as UNKNOWN?? their own product is unknown to themselves?


    In the 190 programs tab, not one of these shows up, so the user can't control OA's exe's behavior as with other programs running on their PC; they must be exempt, or is it an oversight? There is no obvious way I can add these programs. This is a violation of who controls the PC, the user or the vendor. The 5th program, oaview.exe, is in the programs folder for Tall Emu but doesn't appear anywhere else in the OA tabs.

    These 5 don't appear in Autorun.

    Of these 5, only one, oaui.exe, appears in the Firewall Access tab as needing www access; it activates if the user tries an update.

    As a test, this user added the other 4 to the access list and then blocked them, since they weren't listed so I assumed they don't need access?

    Here are my test results:

    All 5 blocked from any www access except oaui.exe.

    Test 1 I used FF to log in an out of TallEmu forum, no problems.
    Test 2 Nod32 updated okay
    Test 3 Keyscrambler updated okay
    Test 4 SAS updated okay
    Test 5 OA 190 updated okay
    Test 6 MS Outlook worked okay receiving and sending
    Test 7 Yahoo web based email worked okay
    Test 8 On Line banking worked


    So based on this these 4 OA exe's don't need www access.

    1. oacat.exe in the OASIS DB as trusted
    2. oahlp.exe is also in OASIS as trusted
    3. oasrv.exe is also in OASIS as trusted
    5. oaview.exe is also in OASIS as trusted

    Of course the biggest assumption here is that the blocks were allowed/effective, so for a while I will log all allowed accesses to see if any of these blocked OA exe's show up as allowed.


    More later
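    The follow-up check the post ends on, logging all allowed accesses and watching whether any of the four blocked executables show up as allowed, is easy to automate once the log is exported. The script below is an added example written for this thread, not Online Armor's code and not its real log format: the record layout, the sample lines and the IP addresses (documentation ranges) are constructed, and the regex would need to be adapted to whatever the firewall actually writes. Only the executable names come from the post.

```python
"""Added example (not Online Armor's own code or log format): audit a
firewall log for executables that were supposed to be blocked but show
allowed outbound connections. The log line format below is constructed
for the example; adapt LINE_RE to the firewall's real export."""
import re
from collections import defaultdict

# Constructed format: date time ACTION DIRECTION program dst_ip:port proto
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|BLOCK) "
    r"(?P<direction>IN|OUT) (?P<program>\S+) "
    r"(?P<ip>[\d.]+):(?P<port>\d+) (?P<proto>TCP|UDP)$"
)

# Constructed sample lines; IPs are from documentation ranges. One line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2009-03-08 10:15:02 ALLOW OUT oaui.exe 192.0.2.10:80 TCP
2009-03-08 10:15:03 BLOCK OUT oacat.exe 192.0.2.10:80 TCP
2009-03-08 10:15:04 BLOCK OUT oasrv.exe 198.51.100.7:443 TCP
2009-03-08 10:16:10 ALLOW OUT firefox.exe 203.0.113.5:443 TCP
2009-03-08 10:17:44 ALLOW OUT oahlp.exe 192.0.2.10:80 TCP
this line is not a firewall record
2009-03-08 10:18:00 BLOCK OUT oaview.exe 198.51.100.7:443 TCP
"""

# The four OA executables the post blocked as a test.
EXPECT_BLOCKED = {"oacat.exe", "oahlp.exe", "oasrv.exe", "oaview.exe"}


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(log_text):
    """Count allowed and blocked outbound connections per program."""
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["direction"] != "OUT":
            continue
        key = "allowed" if rec["action"] == "ALLOW" else "blocked"
        counts[rec["program"].lower()][key] += 1
    return dict(counts)


def violations(log_text, expect_blocked=EXPECT_BLOCKED):
    """Programs from expect_blocked that nonetheless got an ALLOW: either
    the block rule did not take effect or another rule overrode it."""
    summary = summarise(log_text)
    return sorted(p for p in expect_blocked
                  if summary.get(p, {}).get("allowed", 0) > 0)


if __name__ == "__main__":
    for program, c in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{program:14} allowed={c['allowed']} blocked={c['blocked']}")
    print("blocked-but-allowed:", violations(SAMPLE_LOG))
```

    In the constructed sample, oahlp.exe is the one executable that gets through despite the block, so `violations` reports it; an empty result over a few days of real log would support the post's conclusion that those four processes do not need www access.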
     
  25. terminal velocity

    terminal velocity Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    24
    Re: Do all OA's exe's need www access?

    How would you suggest those wanting to check for signature/rule updates, achieve that without oasrv.exe having www access?
     