Outpost Firewall Pro 2009 Testing and Optimization Thread

Discussion in 'other firewalls' started by Escalader, May 3, 2009.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, the standard rule sets are fine IF they meet the users needs.

    These rules allow in / out TCP / UDP to your gateway but block other connections. I don't have any connections via explorer.

  2. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Are you sure?
    Windows Explorer has Hooks into just about everywhere.
    One example is Right Clicking an Executable to check/verify the Digital Signature; clicking on the Details Button, Windows Explorer will connect out for further verification.
    Another example is opening Windows Help System; Windows Explorer will connect out.
    There are many such Silent Connections performed by Windows Explorer, TCP and UDP.

    HKEY1952
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks

    I will ask your question on the op support forum and see what they say.

    There is also the antileak options for hooks, etc. If you look at those all can be blocked and reported to logs.

    I have mine set to block the lot.

    More later
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well you are right HKEY 1952!

    On the antileak options, after I blocked the lot, I found a number of pop ups showing attempted connects! On coming back to this forum via FF it won't allow me unless I allow Explorer to initiate network application processes! Great! I learned something!

    The rest are blocked hooking, process injection and termination etc.

    On your digital signature validation that for me is greyed out. I don't know which blocked leak is preventing it.

    Do you know by chance?
     
  5. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    So what exact rules & settings do we give explorer?
     
  6. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    First highlight the Certificate in the Signature List by Left Clicking it, the Details Button will then be Activated.
    Clicking the Details Button will trigger an Outbound Connection through Windows Explorer.
    This connection and All Connections In/Out except Local Network In/Out will be blocked if My Rule List is intact.

    HKEY1952
     
  7. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Where the Protocol is: TCP
    and the Direction is: Outbound
    and Remote Address is: 192.168.1.0/255.255.255.0
    Allow

    Where the Protocol is: TCP
    and the Direction is: Inbound
    and Remote Address is: 192.168.1.0/255.255.255.0
    Allow

    Where the Protocol is: UDP
    and the Direction is: Outbound
    and Remote Address is: 192.168.1.0/255.255.255.0
    Allow

    Where the Protocol is: UDP
    and the Direction is: Inbound
    and Remote Address is: 192.168.1.0/255.255.255.0
    Allow

    Where the Protocol is: TCP
    and the Direction is: Outbound
    Block

    Where the Protocol is: TCP
    and the Direction is: Inbound
    Block

    Where the Protocol is: UDP
    and the Direction is: Outbound
    Block

    Where the Protocol is: UDP
    and the Direction is: Inbound
    Block


    HKEY1952
     
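    The rule list in the post above only behaves as described if the firewall evaluates it top-down and stops at the first match: the four LAN "Allow" rules must sit above the four unconditional "Block" rules, otherwise they never fire. The following Python is an added example written for this thread, not Outpost code and not the poster's; it models the eight rules with first-match semantics (an assumption about the evaluation order, stated in the comments), decides a few constructed connections, and flags rules that an earlier rule shadows. The default action for traffic no rule covers (for example ICMP) is also an assumption chosen here, not an Outpost fact.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the eight-rule Windows Explorer rule set from the post above.
# Assumption: rules are evaluated top-down and the first match decides, which is
# why the four LAN "Allow" rules must sit above the four unconditional "Block" rules.

LAN = ipaddress.ip_network("192.168.1.0/24")   # 192.168.1.0 / 255.255.255.0


@dataclass(frozen=True)
class Rule:
    protocol: str                                   # "TCP" or "UDP"
    direction: str                                  # "Outbound" or "Inbound"
    action: str                                     # "Allow" or "Block"
    remote: Optional[ipaddress.IPv4Network] = None  # None = any remote address


@dataclass(frozen=True)
class Connection:
    protocol: str
    direction: str
    remote_ip: str


EXPLORER_RULES: List[Rule] = [
    Rule("TCP", "Outbound", "Allow", LAN),
    Rule("TCP", "Inbound",  "Allow", LAN),
    Rule("UDP", "Outbound", "Allow", LAN),
    Rule("UDP", "Inbound",  "Allow", LAN),
    Rule("TCP", "Outbound", "Block"),
    Rule("TCP", "Inbound",  "Block"),
    Rule("UDP", "Outbound", "Block"),
    Rule("UDP", "Inbound",  "Block"),
]


def matches(rule: Rule, conn: Connection) -> bool:
    """A rule matches when protocol and direction agree and, if the rule names a
    remote network, the connection's remote address lies inside it."""
    if rule.protocol != conn.protocol or rule.direction != conn.direction:
        return False
    if rule.remote is None:
        return True
    return ipaddress.ip_address(conn.remote_ip) in rule.remote


def decide(rules: List[Rule], conn: Connection, default: str = "Block") -> str:
    """First matching rule wins; anything no rule covers (e.g. ICMP) gets the
    default, which is chosen here as Block (an assumption, not an Outpost fact)."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule with the same
    protocol/direction already covers every address they could match."""
    out: List[int] = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            same_key = (earlier.protocol == rule.protocol
                        and earlier.direction == rule.direction)
            covers = (earlier.remote is None
                      or (rule.remote is not None
                          and rule.remote.subnet_of(earlier.remote)))
            if same_key and covers:
                out.append(i)
                break
    return out


if __name__ == "__main__":
    # Constructed connections: gateway, Internet host, LAN peer, loopback.
    for c in [Connection("TCP", "Outbound", "192.168.1.1"),
              Connection("TCP", "Outbound", "203.0.113.10"),
              Connection("UDP", "Inbound",  "192.168.1.50"),
              Connection("TCP", "Outbound", "127.0.0.1")]:
        print(c, "->", decide(EXPLORER_RULES, c))
    # Putting the Block rules first silently disables every Allow rule.
    print("shadowed when reversed:", shadowed_rules(list(reversed(EXPLORER_RULES))))
```

    Two things worth noticing when running it: loopback (127.0.0.1) is outside 192.168.1.0/24, so this rule set blocks it, which matters for the loopback question raised later in the thread; and reversing the order makes every Allow rule unreachable without any rule looking wrong on its own.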
  8. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    Rules must allow Windows Explorer to open/close other processes/applications.
    An Example: when opening Internet Explorer, Internet Explorer is actually opened by Windows Explorer's Process.
    Windows Explorer Must Be A Fully Trusted Application Within Windows and the Local Network.....however.....
    Windows Explorer Must Not Connect to the Internet for Security Reasons.

    HKEY1952
     
    Last edited: Jul 23, 2009
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here is the setup tab for ARP attack protection and some others.

    This is posted here since in another thread a claim was made that mainline FW's did not fare well against heavy ARP attacks. How OP fares against heavy ARP attacks I cannot say one way or the other as it would require independent testing from someone like Stem to actually know.

    In the meantime at least we know how to enable the protection offered.

    Note in this image, the ARP protection box is NOT ticked, if you want it tick it!
     
    Last edited: Aug 25, 2009
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here for the thread are the OP Pro 2009 advanced settings I currently have for my setup. This is NOT a recommendation for your own PCs, just here to show the options I have used.

    One thing that confused me at first with OP was their use of the words "Host" protection. I wrongly thought they were trying to protect my HOST File. This I have protected via BISS so it confused me. Not that hard to do in this field.

    Anyway they mean protecting the way executables and programs run and setting rules for them. So the HIPS feature if you like.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In my OP Pro 2009 set up Real Time Protection is disabled automatically by OP because I have Nod32 V4 installed. So the implication of this is that OP experts believe or know that duplication of real time functionality is "bad" or to be avoided. Okay so far?

    Now I also have SUPERAntiSpyware v4 (SAS) installed with its real time protection enabled, so is that also to be avoided, thus relying exclusively on NOD32 for ALL my real time protection?

    OP does NOT automatically disable SAS so I could conclude that OP:

    1) Doesn't know that SAS exists?
    2) Doesn't care that SAS exists?
    3) Does care and does know that SAS is compatible with OP real time protection?

    Does anybody here KNOW the technical detail on this?
     
  12. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I think it would know SAS, but most AS apps are meant to be able to be used alongside other AV software, unlike AVs, so I guess maybe that's why it doesn't have an issue with it. :doubt:
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi firzen771!:thumb:

    Yes, SAS is an ASW application and well known for sure. But like so many of these products the lines are blurring between AV and ASW as in my view all these "parasites" malware etc should be treated as belonging to the same family BAD!

    But like you I'm unsure on this SAS conflict, yes or no, as far as OP goes.

    Let's wait for further information.
     
  14. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    OP only disables functionality upon install when it notices other possible interfering security products. After OP is installed then the onus shifts to the user to know whether or not interference is a possibility.

    Antispyware products rarely interfere with each other and I'm not aware of any issues with SAS and OP. The Compatibility Wizard, triggered during OP installation, would know for sure as would Agnitum.
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks for replying Manny. I feel better now about leaving SAS real time on vis-à-vis OP.

    Is there any way to run the Compatibility Wizard after install? I'm thinking if a user added a new ASW tool after the initial install?
     
  16. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    Nope, it only runs during the install.
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here under the latest version of OP FW Pro 2009 are MY settings for Host Protection Component Control. They are all maximized (I hope); the only popup I had since these "all" settings were applied was a FF component. Since I recognized FF I allowed it. ;)

    If you "copy" mine there are no promises that they will meet your needs or even work on your setup. Please remember this is not an OP support forum/thread. :cool:
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Using the ID Block Feature

    OP FW Pro provides a feature to block selective user data which you may view as private. In fact the whole packet can be blocked or the packet can be sent but the private data is converted to *****. This sending blocking is effective when attempts are made to send "in the clear". It would not apply to https as those sends are encrypted.

    As well, you can tick if you want to be notified by a pop up when the id block is made. If there are certain sites which you wish to allow to get the private data then they can be listed. An example may be your bank site.

    I have tested this feature in OP and it works. One test I did was to send myself an email to my web email account which included a protected data element. The whole packet was blocked and the email never arrived. When I used the *** fill feature the email went through but the data was masked.

    A feature I hope will get added is to let me use * or block packet selectively since right now user has to choose one way or the other.

    Another test I did (not a new one for me anyway) was a software license code. It happened to be SAS. When you update SAS definitions, each time SAS tries to send your license number back to the mother ship. Interestingly, when the block takes place it has zero impact as the update goes ahead anyway. I have no idea why SAS does this as it is the only product I have that does this. I know this since I've entered every single license code into the list. I really wouldn't care if they wanted it on a https connection but I personally don't care for license codes flying about the www in the clear. Sorry for the mini rant but I thought you guys should know this.

    Attached is a compressed list as an example.
     
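    To make the two ID Block modes described in the post above concrete, here is an added Python example written for this thread; it is not Outpost's code and not the poster's list. It models an outbound content filter with a "mask" mode (protected values rewritten to asterisks, packet still sent) and a "block" mode (whole packet dropped), an allow-list of hosts that may receive the data in the clear, and the HTTPS caveat from the post: traffic on a TLS port is passed untouched because the filter cannot read it. The secrets, host names, port numbers and packets are all constructed for the example.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example of an "ID Block"-style outbound filter. Every secret, host
# and packet below is made up for this illustration.
PROTECTED = {
    "sas-license": "ABCD-1234-EFGH-5678",
    "card-number": "4111111111111111",
}
ALLOWED_HOSTS = {"bank.example"}   # sites permitted to receive the data in the clear
TLS_PORTS = {443}                  # payload is encrypted here; the filter cannot read it


@dataclass
class Packet:
    dst_host: str
    dst_port: int
    payload: bytes


def id_block(pkt: Packet, mode: str = "mask") -> Tuple[str, Optional[Packet], List[str]]:
    """Apply the filter to one outbound packet.

    mode="mask"  : rewrite each protected value to '*' * len(value), let the packet go
    mode="block" : drop the whole packet if any protected value is present
    Returns (action, packet or None, labels of the protected values found);
    action is "pass", "masked" or "dropped".
    """
    # Encrypted traffic and allow-listed destinations are passed without inspection.
    if pkt.dst_port in TLS_PORTS or pkt.dst_host in ALLOWED_HOSTS:
        return "pass", pkt, []

    matched: List[str] = []
    data = pkt.payload
    for label, value in PROTECTED.items():
        raw = value.encode()
        if raw in data:                       # literal byte match only
            matched.append(label)
            data = data.replace(raw, b"*" * len(raw))

    if not matched:
        return "pass", pkt, []
    if mode == "block":
        return "dropped", None, matched
    return "masked", Packet(pkt.dst_host, pkt.dst_port, data), matched


# Constructed sample traffic.
SAMPLE_PACKETS = {
    # plain-text HTTP POST carrying the license key
    "update_http": Packet("updates.example", 80,
                          b"POST /update HTTP/1.1\r\nHost: updates.example\r\n\r\n"
                          b"license=ABCD-1234-EFGH-5678&ver=4"),
    # same body on a TLS port: invisible to the filter, passed through
    "update_https": Packet("updates.example", 443,
                           b"license=ABCD-1234-EFGH-5678&ver=4"),
    # card number going to the allow-listed bank: passed through
    "bank": Packet("bank.example", 80, b"card=4111111111111111"),
    # license key base64-encoded by the sending program: a literal match misses it
    "update_b64": Packet("updates.example", 80,
                         b"blob=" + base64.b64encode(b"ABCD-1234-EFGH-5678")),
}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        for mode in ("mask", "block"):
            action, out, labels = id_block(pkt, mode)
            print(f"{name:13s} {mode:5s} -> {action:7s} {labels} "
                  f"{out.payload if out else None}")
```

    The last sample packet is the practitioner's caveat: the filter matches literal bytes, so any encoding the sending program applies (base64, compression, TLS) defeats it. That is the same limitation the post notes for https, just reached by a different route.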
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In Outpost Firewall Pro there is a Firewall feature called IP Blocklist.

    After you enable it, it allows you to restrict to and from hosts or networks you consider malicious. All packets to and from these sites will be DROPPED.

    These days with referred sites causing security issues for many, any way I can minimize the chances of being sent to one is a good thing.

    You can create your own lists or import sites from reputable ip blocking services. I choose to import mine from the following link which I learned about in the OP users forum. I also choose to log any blocked packets and show an alert. Currently, there are 14114 ip/sites in the list. I'm told that these sites are blocked "quicker" than those sites in the HOST File where loopback is used to void a connect to those. I have no easy way of confirming this quicker claim but it may be quite accurate.

    There are 2 ways to download the latest OP compatible list. Direct from the site or use the new CofU Beta updater. I've done it both ways and both work. But in my view the beta updater is more convenient.

    http://www.calendarofupdates.com/updates/index.php?autocom=downloads&showcat=1

    BTW, and FWIW I had to reinstall MS Net Framework to get the beta updater to run which was the first actual use I had for Net Framework in the last 3 years or so since I un-installed it.

    One note on the block list is you have to manually import the list into OP once you have downloaded it either via the beta updater or the direct method. This beta updater also can handle 2 other FW's as well but I won't name them in an OP thread. You will see soon enough if you visit the link.

    I hope these kind of posts are of value to you guys and gals as it does take energy and time to do this "free" work for you.
     
  21. Rabiddog

    Rabiddog Guest

    I am trying out OP, this thread is very informative.
    Question, should I enable the "loop-back" setting when using Ad-Muncher?
    Did not mean to change or interrupt the thought, I asked this in the OP forum and did not get a definitive answer.
     
    Last edited by a moderator: Oct 1, 2009
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    FWIW OP does its own "ad munching" so you could dispense with Ad Muncher if you wanted to. If you are using FF it also can reduce ads via Adblock Plus. It's possible to overkill on tools that duplicate function.

    But I'm not going further as this thread is not a support thread. If you can't get an answer in the user forum, submit your loopback question direct to the vendor site.

    They both need time to answer.

    Later on in this thread I will revisit Loopback but I have to research this as it seems that OP has changed its loopback default in the latest version.
     
  23. Rabiddog

    Rabiddog Guest


    I am not asking for support, just an answer if some one can? Sorry I disrupted your elite club, that I can't be afforded an answer.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Some applications need loopback others don't. For example, in browsers I allow loopback.

    As I don't use Ad Muncher you have 2 choices, maybe 3.
    1. Let OP generate the rules for Ad Muncher for you; this is easiest. Remove all present rules for it and activate Settings > Improve Net > Rules Autocreation, tick one of the auto-create options > OK. Then immediately run Ad Muncher and the rules will be built for you.
    2. Remove ad-muncher in favour of OP's and FF's own ad blocking features.
    3. Ask ad-muncher support if they need loopback.
    That is the best I can do for you. :thumb:
     