Configuring Outpost Firewall

Discussion in 'other firewalls' started by cipsor, Dec 2, 2013.

Thread Status:
Not open for further replies.
  1. cipsor

    cipsor Registered Member

    Joined:
    Nov 30, 2013
    Posts:
    5
    Location:
    Romania
    Hi Guys,
I am not a techie, but I would like some control (and power - I feel like I'm in a political campaign now) over my laptop. I have Outpost, and my computer has been hyperventilating since it was installed. My AV is Avast Pro; I have WinPatrol and Chameleon Task Manager as well as OO Clever Cache installed. Any suggestions on how to manage my Anti-Leak Control and System Guard options so everything goes smoothly? Are there any other settings I should take into consideration?
    Thank you.
     
  2. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    210
    Location:
    CSA Consulate, Glos., UK
    hi cipsor,

    to get started, more info will help.

    what version of outpost? is it the firewall only or the suite?

    what version of windows?

    how much memory do you have?
     
  3. cipsor

    cipsor Registered Member

    Joined:
    Nov 30, 2013
    Posts:
    5
    Location:
    Romania
    Hi kronckew,
I have Windows 7 x64 and 4 GB of RAM. I am using Outpost Pro and my version is 8.1.2.
    Thank you for your help
     
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Have you been running it on auto learn for a couple of days?

    That will cut requests down a bit as outpost learns your system.
     
  5. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
Let it autolearn for 2 hours or so, give the machine 3-4 restarts until the anti-leak stuff sets itself to allow all control panels to work and defragmenting to be able to work, then disable the auto rule mechanism in all aspects, and set the Entertainment policy to Block Most from the Allow Most.
Set the svchost ruleset so nothing that you are not using is allowed, disable the raw socket access allowed by default and generally block anything from connecting outside from the main OS exes except svchost and the stuff that checks the license.
Explorer does not need internet, neither does lsass and so on. The more you let out the better the risks.
Take a look at the other networking rules not related to applications as well.
You should have the firewall in Block Most most of the time and use the logging for troubleshooting.
     
  6. cipsor

    cipsor Registered Member

    Joined:
    Nov 30, 2013
    Posts:
    5
    Location:
    Romania
    Ok,
I reviewed all rules and removed those that I was advised to. I removed the svchost rule as well. What should I allow when the svchost process asks for permissions?
And... how do I disable the raw socket?
    Thank you.
     
  7. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    210
    Location:
    CSA Consulate, Glos., UK
    see attached.

removing svchost from the apps list will cause anything using it to fail if you are running in block most mode and have disabled the improvenet rule generator. you could, in rules wizard mode, have it prompt you to approve rules every time a program uses svchost for a new comm. event. the improvenet autogenerated rule is secure enough for most users. you may or may not want known vendors of signed software to autogen rules, up to you. be prepared for a lot of prompts or failures to communicate.

    i generally use the improvenet's autogen (without the 'update' part) to arrive at a generic rule set for an app, then go in and tweak it a bit to make it a bit more secure.
     

    Attached Files:

  8. cipsor

    cipsor Registered Member

    Joined:
    Nov 30, 2013
    Posts:
    5
    Location:
    Romania
  9. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    210
    Location:
    CSA Consulate, Glos., UK
    p2k's guide to a secure config is still a good starting point. some of the concerns he had are covered by other areas of the firewall now, exploits etc.

    i just use the improvenet generated (the blue ones).
you could add block rules (as noted in p2k's svchost section) at the bottom; they're processed top down. the methodology is more simple now. note direction and ports are not required for the block rules.

i.e.
     

    Attached Files:

    Last edited: Dec 8, 2013
  10. cipsor

    cipsor Registered Member

    Joined:
    Nov 30, 2013
    Posts:
    5
    Location:
    Romania
    Works flawlessly now. The only problem I am encountering with high CPU is using Chrome and especially when the flash files are running. If you have any suggestions they are welcome. I am very happy with the way my Other Than Chrome applications are working now thanks to your contribution.
    Thank You,
    cipsor
     
  11. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    210
    Location:
    CSA Consulate, Glos., UK
not sure how chrome works as i use firefox & don't have the problem, but firefox uses a plugin-container.exe process to play flash, amongst other things. filtering this might take a lot of cpu time; it can be configured in settings-apps to disable content filtering. this may reduce cpu use, at the cost of some security.
     
  12. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
Why would you do that on your own machine?! :)
The default rules are way too wide and are allowing a lot of unnecessary connectivity.

If I connect directly to the ISP, no gateway in front, I would not let those UPnP rules in there or others that are added automatically.
Svchost only needs DNS UDP Out with DNS IPs specified, TCP 80 and 443 for updates, and even this can be tightened to allow only connections to Microsoft IPs or update servers, to block other software using the connectivity of svchost (like an infection does).
What's with the TCP DNS in there?!
Why would you let lsass go out, or explorer or taskhost or any other, if there is no need to?

Agnitum really needs to tighten these default rules.
Anyway, just saying.

LE: Why is the new version calling Comodo DNS? ACS.exe seems to be using Comodo DNS?! Is this related to Matousec ownership? If I am not mistaken, Comodo took over in there.
     
    Last edited: Dec 10, 2013
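The tightened svchost rule set described above, evaluated top-down with a catch-all block at the bottom as suggested in post 9, as an added example that is not part of this thread and not Outpost's own code. The rule format, the `decide` function and all addresses are assumptions constructed for the illustration.

```python
# Added example, not code from the thread or from Outpost: a first-match,
# top-down evaluator for the tightened svchost ruleset Sm3K3R describes
# (DNS UDP out only to the configured resolvers, TCP 80/443 only to update
# servers, a catch-all block at the bottom as kronckew suggests).
# All addresses are constructed placeholders, not real Microsoft or
# resolver ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "block"
    name: str
    proto: Optional[str] = None        # "TCP"/"UDP"; None matches any
    direction: Optional[str] = None    # "out"/"in"; None matches any
    ports: Optional[frozenset] = None  # remote ports; None matches any
    remote: Optional[tuple] = None     # ip_network objects; None matches any

    def matches(self, proto, direction, port, addr):
        return ((self.proto is None or self.proto == proto)
                and (self.direction is None or self.direction == direction)
                and (self.ports is None or port in self.ports)
                and (self.remote is None or any(addr in n for n in self.remote)))

# Constructed placeholder addresses for the example.
DNS_SERVERS = (ip_network("192.0.2.53/32"), ip_network("192.0.2.54/32"))
UPDATE_SERVERS = (ip_network("198.51.100.0/24"),)

SVCHOST_RULES = [
    Rule("allow", "DNS UDP out", "UDP", "out", frozenset({53}), DNS_SERVERS),
    Rule("allow", "Updates", "TCP", "out", frozenset({80, 443}), UPDATE_SERVERS),
    # Block rule at the bottom: no direction or ports needed, it catches the rest.
    Rule("block", "Block everything else"),
]

def decide(rules, proto, direction, port, addr, policy="block"):
    """Walk the rules top-down; the first match wins. Traffic matching no
    rule falls back to the global policy ("block" models Block Most mode)."""
    addr = ip_address(addr)
    for rule in rules:
        if rule.matches(proto, direction, port, addr):
            return rule.action, rule.name
    return policy, "policy"

if __name__ == "__main__":
    for conn in [("UDP", "out", 53, "192.0.2.53"),     # configured resolver
                 ("UDP", "out", 53, "203.0.113.9"),    # some other resolver
                 ("TCP", "out", 53, "192.0.2.53"),     # the TCP DNS questioned above
                 ("TCP", "out", 443, "198.51.100.7"),  # update server
                 ("TCP", "out", 443, "203.0.113.9")]:  # anything else via svchost
        print(conn, "->", decide(SVCHOST_RULES, *conn))
```

Reversing the list puts the block rule on top and silently blocks the DNS traffic too, which is why order matters when adding block rules.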
  13. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    210
    Location:
    CSA Consulate, Glos., UK
i have no evidence that acs uses comodo dns. i do have log evidence it uses my designated acrylic dns proxy's dns server(s). matousec/comodo do not own agnitum. if that were true, i'da been fired (or quit) shortly after. i am not a fan-boy of either. both have their uses tho, when taken with a little dose of reality. most of the comodo tests are slanted and matousec's exploit tests test theoretical exploits, most of which are not found in the real world. comodo's secure dns is not a bad thing, it protects a lot of foolish children whose parents have set their dns securely enough to avoid tampering. i however usually use dyndns as my servers in acrylic. they also have a nanny system. you might want to check your adapter ip dns settings, as well as your router dns settings, and maybe even your ISP's dhcp provider server settings. i also recently noted a piece of software that will easily switch your dns settings between a list of secure (unfiltered) dns servers. maybe you have something similar.

as stated elsewhere, i am reasonably happy with using agnitum's improvenet settings, with a few tweaks here & there, mostly adding to the dns rules to recognise i run acrylic dns proxy, and to allow localhost activity for firefox for historical reasons. i have also tightened up where i thought needed in accord with paranoid2000's guide to a secure config on our site, bearing in mind it's a bit long in the tooth now and some of it is now handled by other bits of the security suite. i am loath to fool with rules for OS system files like svchost, feeling reasonably secure with the improvenet rules which are provided by agnitum's network engineers who i feel are competent. i have not had any software i installed that has passed agnitum's suite come back to bite me thru svchost processes. i stopped being as paranoid as i was before & now run fairly close to default to make it easier to support users who are using stock systems. so far no infections. i generally practice safe hex tho, and keep a current clean image backup just in case.

    i'm an old fashioned marine engineer, if it ain't broke, i don't fix it. if it is broke i fix the part that broke and don't try to replace the whole thing unless it's absolutely necessary. tinkering is a good way to wind up in the middle of a hurricane with 40 foot waves and no engines. knowing my own limitations i would rather use a spare part made by the mfg. than one i made myself, tho i do that in non-critical areas or where i know my part is as good as or better. so far i haven't lost a ship.
     
    Last edited: Dec 11, 2013
  14. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    Any chance you can post what you do tweak in outpost?
    or have you already done it, with what is in this thread.

    Martin
     
  15. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
To be exact, the DNS requests from acs.exe resolved to Comodo DNS were seen in the log of the firewall.
I have the DNS cache off, as such connectivity for acs.exe must be completed with a rule for DNS.
I am using the OpenDNS servers for DNS, set in the network config and in the firewall.
Using the firewall most of the time in Block Most and with only manual rule making, the acs.exe might have been left with no rule to connect, thus calling the DNSs resolved by itself as being Comodo's ones and getting blocked. Seen it right before uninstalling it as the trial was ending anyway.

I have used the paranoid2000 guide for all firewalls since I've read it years ago on the Agnitum forums :). Excellent guide for anyone interested.

I have kinda avoided Comodo for some time already :)
     