Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    FWIW, others have provided the same view to Mike Nash at OA forum. To date they have adopted a different default design policy. So be it.

    The purpose of these LT's is to help users know these things and optimize their own settings.

    Just so readers know, users in standard mode can (and in my opinion should) with latest version also set their interface to untrusted.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Default rules are not going to change just because you switch to an advanced mode. Why would you think such?

    I would say maybe the default rules should be changed, or an option during setup to select a LAN as trusted or not.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You need to remember that many things can influence the speed a page loads at. You might have a 6mb connection, but that doesn't mean you always get 6mb. Also, if the website server feeds it to you at 56kb, then that's all you're going to get.

    I for one notice no slowdown with OA's webshield enabled.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That is very true. My own connection is "up to" 20mb download, but I see this change dramatically even with the same firewall installed.

    I have been looking at the latest full release (build 95). I don't actually see any slowdown compared to my last setup (Jetico2).

    I know this is just simple browsing, and can agree that I need to set up and start testing on-line games etc., but I do worry I may get more involved with the games than with testing firewalls.
     
  5. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    I was thinking what I described seemed like a good approach to suit different folks :) But I think I see what you mean. It isn't feasible from a use/design standpoint. Sorry :0

    But yeah, having the default rules be changed or an option during setup to trust a LAN or not would do the job for me. I'd prefer to just have the default changed. People can manually decide when a LAN should be trusted or not.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Certainly no need to be sorry for expression. I do actually agree with you, just in a roundabout way.

    LAN will become a main focus; the management of this cannot always be presumed as safe.
    I will always push for better protection by vendors for users. This is why I am around.
     
  7. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    :)

    Thank You. I appreciate your advocacy.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I want to change the subject back to the matter of changing OA's "trusted" or "white list" applications. We did some tests many posts back (#12) on an older release.

    I used CCleaner, which to OA is a trusted and known safe file, as a test case.

    I am NOT saying CC is unsafe; this is a test of modifying a white-listed exe.

    The 4 steps that we followed before were:

    1. Untrust it.
    2. Set to Ask.
    3. On advanced options, set all of "Permissions" to allow. Don't activate Runsafer for security products, and don't worry about the protection.
    4. Do NOT click "Remember decision".

    With this release I have attached my settings and followed a revised set of steps and again used CCleaner version 2.05.555 as a test exe.

    In the programs tab:

    1. Untrust it.
    2. Set to Ask.
    3. Activate Runsafer.
    4. When the exe asks to run, decide, but don't click Remember until you are dead sure you agree it is safe.

    I found CCleaner did now ask to run as I had hoped, I allowed it, and it began to run then asked to run rundle. The rundle question was new.

    Until I allowed rundle, the clean scan just waited. After allowing rundle, clean scan ran fine.

    I then tried a CCleaner update. Since I have IE 7 blocked from access, CC did its update through FF, which is exactly what I wanted, to restrict IE 7's use as a browser.


    Update: I have now retrusted CCleaner, having satisfied myself on the workings of changing a trusted program to ask.
     

    Attached Files:

    Last edited: Mar 10, 2008
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Revised Post 1 in Hints on using Online Armor FW-a Learning Thread 4

    Revised Post 1 in OA Learning Thread (LT)

    Back in post # 1, I said "You need to turn on the advanced features to work these screens."

    This was not correct: I was in advanced mode, but switching to standard mode, the user is still able to use these 2 options.

    One jpg shows MY current acceptable countries. Your list will be different. Your own home country would be allowed, plus any where your software gets updated.

    Please don't get mad at me if your country isn't on my list. Everybody builds their own list.

    If you don't believe in restricting countries that's fine, you just don't use this feature. As my policy is block by default allow by exception, my use of this option fits that plan.

    When a user tries to make a black list of countries (I did that at first), they may find a much larger list to enter (tick). It is easier and shorter to tick "deny all" then list the excepted (white) countries.

    The second jpg is just my current black list. You download the lists to your OA then enter them by reference path via explorer.

    They come from Bluetack at http://www.bluetack.co.uk and are free.

    In my case, I also have PG 2, "independent" of OA's black lists, so there is likely duplication between these 2 sources. I haven't had time to work that issue yet.

    When users block whole countries they have no need to connect with, IMHO it greatly increases the security of their setups. As exceptions arise users can adjust this list. I did that with Brazil.

    OA must have seen advantages, as they built these functions into their design. But it is up to them to comment/describe their reasons for features; I'm just speculating.
     

    Attached Files:
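An added example, not code from the thread, from Online Armor or from Bluetack, of the two chores post 10 describes: loading IP block lists and dealing with the duplication between two sources (OA's lists and PG 2). The line format used here (one "label:first-last" line per range, '#' comments) is the plain-text p2p style such lists are commonly distributed in, which is an assumption since the thread does not state the format; the list contents and addresses are constructed sample data, not real list entries.

```python
# Added example, not from the thread, Online Armor or Bluetack: parse two IP
# block lists, merge them into one non-overlapping range table, and look
# addresses up.  The "label:first-last" line format is an assumption; all
# sample lines and addresses below are constructed for the demonstration.
import bisect
import ipaddress

OA_LIST = """\
# constructed sample, OA side
Ad server range:203.0.113.0-203.0.113.255
Scanner block:198.51.100.0-198.51.100.127
"""
PG2_LIST = """\
# constructed sample, PeerGuardian side; overlaps the first list
Ad server range (dup):203.0.113.64-203.0.113.199
Known bad host:192.0.2.77-192.0.2.77
Scanner block wide:198.51.100.0-198.51.100.255
"""


def parse_p2p(text):
    """Return [(first, last, label)] with addresses as integers, rejecting
    malformed or reversed ranges instead of silently skipping them."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        label, sep, rng = line.rpartition(":")
        if not sep or "-" not in rng:
            raise ValueError(f"line {lineno}: expected label:first-last")
        first, last = (int(ipaddress.IPv4Address(x)) for x in rng.split("-", 1))
        if first > last:
            raise ValueError(f"line {lineno}: range is reversed")
        out.append((first, last, label))
    return out


def merge(*lists):
    """Combine several lists and collapse overlapping or adjacent ranges, so
    duplicated entries from two sources become one table entry."""
    entries = sorted(e for lst in lists for e in lst)
    merged = []
    for first, last, label in entries:
        if merged and first <= merged[-1][1] + 1:
            pf, pl, plab = merged[-1]
            # keep the old label if the new range is fully inside it
            merged[-1] = (pf, max(pl, last), plab if pl >= last else f"{plab}; {label}")
        else:
            merged.append((first, last, label))
    return merged


class BlockList:
    """Sorted, non-overlapping ranges with binary-search lookup."""

    def __init__(self, ranges):
        self.ranges = ranges
        self.starts = [r[0] for r in ranges]

    def lookup(self, ip):
        """Label of the range that blocks ip, or None if it is not listed."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None

    def __len__(self):
        return len(self.ranges)


if __name__ == "__main__":
    bl = BlockList(merge(parse_p2p(OA_LIST), parse_p2p(PG2_LIST)))
    print(len(bl), "ranges after merging 5 entries")
    for ip in ("203.0.113.100", "198.51.100.200", "192.0.2.77", "192.0.2.78"):
        print(ip, "->", bl.lookup(ip))
```

The merge step is what resolves the overlap question raised in the post: five entries from the two constructed lists collapse into three ranges, and an address inside a duplicated range is reported once under one label.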

  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    OA FW Intercept_Loopback_Interface Questions

    In advanced mode, the user can tick Intercept Loopback Interface or not.

    The questions are, How to decide to intercept or not?

    What security does the user gain by intercepting?

    What is the downside?

    For reference I have attached my current setting.
     

    Attached Files:

  12. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    313
    Location:
    Uruguay
    Re: OA FW Intercept_Loopback_Interface Questions

    It's useful if you use a program that creates a local(right name?) proxy.
    Depending on the configuration of the proxy the programs will connect to the proxy and the proxy will connect to internet rather than the programs connecting directly to Internet.

    For example for NOD32 v3:

    Without HTTP scanning:
    Program <-> Internet

    With HTTP scanning:
    Program <-> NOD32 <->Internet

    If Intercept Loopback Interface is disabled OA will see only the connection between NOD32 and Internet but not the connection between the program and NOD32. That can result in programs connecting out without authorization.

    The downside is that enabling the option will cause more prompts as some programs connect to localhost for other reasons.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: OA FW Intercept_Loopback_Interface Questions

    With such a localhost proxy, there is a need to intercept localhost traffic.
    It would be a case of setup:
    Local proxy will use one port, let's say for example port 30000. A global rule can be made to allow localhost comms on all ports apart from 30000. Then any program attempting to connect to the proxy would cause a popup (depending on firewall settings for trusted program access), but normal localhost traffic would be allowed.
     
  14. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    Re: OA FW Intercept_Loopback_Interface Questions

    Stem, how exactly do I create the loopback rule you describe? I can endpoint restrict ports in a rule to 127.0.0.1/32, but how do I globally allow loopback to all ports except one (ie, endpoint restrict a port from loopback in OA)?

    Whenever you have time, would you maybe show us how to do it in OA?

    ***EDIT: Nevermind, Stem. I figured it out. I have to start thinking and not be so quick to post. Sorry. OA sure is cool! I'm always learning new ways to configure things with it. It's definitely become my all-time fav firewall.
     
    Last edited: Mar 11, 2008
  15. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Hi,

    there is another downside with such proxies, like NOD32 v3 has.
    Even with Intercept Loopback Interface you can only set a global Restriction or a global Blacklist.

    It is not possible for example to assign a Blacklist to Firefox only but not for Opera.
    You will have to assign the Blacklist to ekrn.exe to make it work.
    In other words, OA can not see where Firefox is connecting to.

    Cheers
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: OA FW Intercept_Loopback_Interface Questions

    Stem:

    Here I go with the dumb questions again!:oops:

    Could you provide another non Nodv3 example of a user with a localhost proxy?

    What will/could happen if the user failed to intercept? Why does it matter?

    Some readers may benefit from a clearer explanation of loopback, hosts files and local proxies with the OA product. Or a reference they could read?

    What steps should a user follow to maximize OA security for this intercept loopback option?

    Should everybody just tick it and forget it?
     
  17. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    Re: OA FW Intercept_Loopback_Interface Questions

    From what I've read, you don't need to Intercept Loopback unless you're running a proxy (e.g., Avast Web Shield or NOD32 v3 etc). If you anonymous surf or something thru a proxy then this would apply too. Absent this, Intercepting Loopback isn't really necessary. However, Intercepting anyway will lock down your machine even tighter if you don't mind configuring the rules for it. I don't think there's much more to it that isn't already posted somewhere.
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: OA FW Intercept_Loopback_Interface Questions


    Thanks for the post.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: OA FW Intercept_Loopback_Interface Questions

    Proxomitron (Proxo)
    Malware is forever evolving; it would not take much for detection of such a proxy in use, and as the proxy would already have rules/permission to access the internet, it would be a possible bypass.
    http://en.wikipedia.org/wiki/Loopback
    http://en.wikipedia.org/wiki/Hosts_file
    http://en.wikipedia.org/wiki/Proxy_server
    Normally, there is not a problem or need to intercept loopback, certainly if other precautions are taken (HIPS/AV etc). Only if a local proxy is in use would a user be advised to intercept, so that such internet access is under full control of the user.

    Depends on user setup.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: OA FW Intercept_Loopback_Interface Questions

    Good to hear.
    Are you going to share your findings/setup with the forum/ learning thread?
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Blacklists within OA are loaded globally, and by default are set globally.
    The blacklists are loaded in to OA:-

    blaclist.jpg

    Then for each application, on each rule, the (Advanced) option is there if the blacklists should be used for that rule as globally (default) or by choice (option) of the blacklists loaded.(so only specific or no blacklist can be used for that specific rule.)

    options.jpg

    How this then works while having forced local proxy from such as Nod3, I will have to check.
     
  22. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    We have checked this in a German forum, computerguard.de.
    The blacklist doesn't work if it's assigned to Firefox or Opera; a blacklist only works if it's assigned to ekrn.exe.

    Create a blacklist with an IP range.

    blacklist.png

    Assign the blacklist to ekrn.exe, or it's useless.

    blacklistekrn.png

    As said, OA can not see where Firefox or Opera are connecting to, only ekrn.exe can be restricted and this is, as far as I know, not an OA limitation, it's a general limitation because of the proxy.

    Cheers
     
    Last edited: Mar 12, 2008
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Thanks for the info.
     
  24. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    Re: OA FW Intercept_Loopback_Interface Questions

    Sure, here goes:

    NOTE: I installed NODv3 only for testing. I was running NODv2.7 but dumped it because I won't upgrade to v3. But here's how I would set up OA with Stem's plan for a proxy that operated on port 30606.

    Firewall / Rules / Rules
    New Rule
    Allow
    TCP/UDP Outbound
    All Programs
    Ports 0-30605
    Ports 30607-65535
    EndPoint Restrictions: uncheck "Use global restrictions", check "only to following endpoint" -->ADD IP Address 127.0.0.1/32
    OK
    OK

    Now, all loopback will be silently allowed to localhost EXCEPT to port 30606.
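An added example, not code from the thread or from Online Armor, that models what posts 12, 13, 22 and 24 describe: a toy per-program outbound rule evaluator showing why a localhost proxy needs "Intercept Loopback Interface", how the "allow loopback except the proxy port" rule above behaves, and why a blacklist only bites when it is assigned to the proxy process. The program names, the proxy port 30606 and ekrn.exe are taken from the thread; every connection attempt, the remote addresses and the blacklist range are constructed for the demonstration.

```python
# Added example, not from the thread or from Online Armor: a toy model of
# per-program outbound rules.  Port 30606 and ekrn.exe come from the thread;
# all connection attempts, addresses and the blacklist range are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PROXY_PORT = 30606          # local proxy port used in the thread's example
PROXY_EXE = "ekrn.exe"      # the NOD32 v3 service that runs the HTTP proxy


@dataclass(frozen=True)
class Conn:
    program: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    program: Optional[str]          # None = "All Programs"
    ports: Tuple[range, ...]        # allowed destination port ranges
    endpoint: str                   # CIDR the rule is restricted to
    verdict: str                    # "allow" or "block"

    def matches(self, conn: Conn) -> bool:
        if self.program is not None and self.program != conn.program:
            return False
        if not any(conn.dst_port in r for r in self.ports):
            return False
        return ipaddress.ip_address(conn.dst_ip) in ipaddress.ip_network(self.endpoint)


# The rule from post 24: every program may reach 127.0.0.1 on any port except
# the proxy port, so only connections to the proxy fall through to a prompt.
LOOPBACK_EXCEPT_PROXY = Rule(
    None, (range(0, PROXY_PORT), range(PROXY_PORT + 1, 65536)), "127.0.0.1/32", "allow")
# The proxy itself has already been permitted out to the Internet.
PROXY_OUT = Rule(PROXY_EXE, (range(0, 65536),), "0.0.0.0/0", "allow")
RULES = (LOOPBACK_EXCEPT_PROXY, PROXY_OUT)


def evaluate(conn: Conn, rules=RULES, intercept_loopback: bool = True) -> str:
    """Verdict for one outbound attempt: allow, block, ask, or 'unseen' when
    the firewall is not inspecting the loopback interface at all."""
    if not intercept_loopback and ipaddress.ip_address(conn.dst_ip).is_loopback:
        return "unseen"
    for rule in rules:
        if rule.matches(conn):
            return rule.verdict
    return "ask"                     # no rule matched: the user is prompted


def via_proxy(program: str, remote_ip: str, intercept_loopback: bool):
    """The two hops of post 12's diagram (Program <-> NOD32 <-> Internet):
    program -> proxy on loopback, then proxy -> Internet.  Returns both verdicts."""
    hop1 = Conn(program, "127.0.0.1", PROXY_PORT)
    hop2 = Conn(PROXY_EXE, remote_ip, 80)
    return (evaluate(hop1, RULES, intercept_loopback),
            evaluate(hop2, RULES, intercept_loopback))


def blacklist_hits(conn: Conn, assigned_to: str, blocked: str) -> bool:
    """A blacklist (an IP range) assigned to one program only fires when that
    program's *visible* destination falls inside the range (post 22)."""
    return (conn.program == assigned_to
            and ipaddress.ip_address(conn.dst_ip) in ipaddress.ip_network(blocked))


if __name__ == "__main__":
    # Interception off: the firewall only sees the proxy's own, already
    # permitted, connection, so an unknown program gets out with no prompt.
    print("intercept off:", via_proxy("unknown.exe", "203.0.113.10", False))
    # Interception on with the exception rule: the hop to port 30606 prompts.
    print("intercept on: ", via_proxy("unknown.exe", "203.0.113.10", True))
    # Ordinary localhost traffic on another port is allowed silently.
    print("other loopback:", evaluate(Conn("app.exe", "127.0.0.1", 5353)))
    # Blacklist 203.0.113.0/24: no effect assigned to firefox.exe, whose only
    # visible destination is 127.0.0.1; it works assigned to ekrn.exe.
    print(blacklist_hits(Conn("firefox.exe", "127.0.0.1", PROXY_PORT), "firefox.exe", "203.0.113.0/24"),
          blacklist_hits(Conn(PROXY_EXE, "203.0.113.10", 80), PROXY_EXE, "203.0.113.0/24"))
```

Two things the model makes visible: with interception off, the first hop is never evaluated and the second hop is covered by the proxy's existing permission, which is the bypass Stem warns about; and a blacklist attached to the browser can never match because, behind the proxy, the browser's destination is always 127.0.0.1, so the range check has to sit on ekrn.exe's rule instead.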
     
  25. nmaynan

    nmaynan Registered Member

    Joined:
    Mar 2, 2008
    Posts:
    98
    guys, I don't know what blacklists are. Where do you guys get them, do you create them?

    Could you explain a little or maybe link me to info on them and/or where/how you obtain them?

    For example, I don't understand your discussion of how a blacklist would help the NOD32v3 situation.
     