Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Chalawah

    Chalawah Registered Member

    Joined:
    Jul 26, 2005
    Posts:
    76
    Location:
    Australia
    Thanks for the reply.

    When I went to look up the IP for *ww.tallemu.com.au yesterday I didn't get the same results as you. I got:

    Escalader, how did you arrive at this IP?

    I agree with your statement, "this is why users of block list need an updater function".

    Do either you or gerardwil (or anyone else for that matter) have any suggestions for any other blocklist to be used?

    rgds

    chalawah
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
  3. Chalawah

    Chalawah Registered Member

    Joined:
    Jul 26, 2005
    Posts:
    76
    Location:
    Australia
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Posts concerning an OA and KAV conflict were moved to a separate thread for further discussion. This thread concerns "Hints on using Online Armor". Support discussions between other products and OA are off topic to this discussion and spirit of this thread.


    New OA\KAV thread---> https://www.wilderssecurity.com/showthread.php?t=212720
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    After the 8 months this thread has been running, it is possible to forget the scope of the original post.

    Suggest reading it (for new viewers) is a good idea.

    https://www.wilderssecurity.com/showpost.php?p=1102909&postcount=1

    As well for reference only here is the link to TallEmu for support questions.

    http://support.tallemu.com

    I'm only interested in OA usage hints that readers have or if I have something to offer that I have stumbled upon that may help users here at WSF.

    Goal is to share the learnings. It is best that you have the product at least on trial for these hints to be useful.

    So readers, are there any new OA hints/subjects within the spirit of the OP you would like me to post more about?

    I know I'm going to regret asking this but there it is.
     
    Last edited: Jun 21, 2008
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    Some reminders:

    1) Updating, if you are on manual, click dictionary updates from time to time to get latest white list items

    2) Back up your settings and rules daily in a common safe place (USB stick or external HD)

    3) When running first time, update ALL your SW so OA can create the rules for each exe.

    4) If you want more precision use the log to record allowed connects during step 3 to obtain the IPs used. These IPs can then be inserted into the updater rules one by one as end points.


    More later
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    To Stem and Mike Nash:

    In OA main menu options the user can set check by hash or hash and path.

    The latter seems best to me since, if this option means what I think it means, it can help control parasites masquerading as, say, csrss.exe but using a path to a different directory than the real csrss.exe.

    Is this evaluation correct?

    See attached jpg for my test set up.
     

    Attached Files:

  8. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Escalader,

    Check by hash is enough to prevent against nasties. Check by hash and path would prevent, for example, a copy of an allowed program being placed in a location other than where you allowed it and running.

    Mike
     
  9. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Hi Escalader - I see you're using V2.1.0.145. I see it has a new GUI. I assume it's a beta as I'm still on v.131 and I've had no prompts to upgrade. I like it.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes it is a beta. A hint of things to come.
     
  11. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    We released a new Beta today for XP and Vista :)

    Anyone with a key and the desire to have a play is welcome. We're still waiting on Kaspersky on a few technical matters, which is the main holdup now for release I'd say (although, of course - it's a beta :D )
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi twl845:

    Yes, knowing where you came from I know why you like it:D

    Anyway, FWIW, stay with 131 until OA comes out with a new release.
     
  13. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Yes, I will look forward to the release. :D
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    How to do a secure and clean install of OA

    Any errors or omissions here are mine but as someone once said I'm responsible but not to blame! :cool:

    1) Save settings from your existing version and backup ALL your user data. Take an image backup of whole set up if you can!
    2) Turn on windows FW from control panel no exceptions
    3) From add/remove programs uninstall OA, system will want to reboot, let it
    4) After system reboots itself, you now have no FW, so ensure windows FW still on.
    5) Run all your system cleaner program(s) eg CCleaner and if no other the registry scan.
    6) Run a defrag
    7) reboot
    8) After reboot, ensure www connection is working
    9) Install new version (or old if you are reinstalling it)
    10) Do not restore your settings, run the SCW deal with all messages it finds, if in doubt about allowing an exe to run or start say NO!
    11) SCW ends, system will want to reboot, let it, OA's learning mode will end fast, don't mess with that process.
    12) If you wish to have minimum work and allow OA to decide and generate rules stay in standard mode, allow OA to set rules for everything eg autotrusted programs
    13) Adjust all your SSW to exclude each other eg OA should exclude SAS or NOD32 etc, I also add jv16, perfectdisk 2008 etc and vice versa!
    14) Keep the dictionary data up to date daily
    15) Make sure the windows FW is now off. OA is supposed to do that but verify it anyway
    16) On the FW interface screen turn off the trust box, NO ONE needs that IMHO. If I had to change 1 default that is it! nag nag nag


    "That's all she wrote "

    Later, I will post the same list but for those ending up in advanced mode who DO NOT want to concede the other defaults to OA ( like me for eg)
     
  15. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
    Something I would change in your list Escalader is 3)

    I always use OA's own uninstaller from start>all programs.
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, that was the 1st way I tried it, but for some unknown reason it didn't work for me this time. My policy is to post only what works for me.

    But you are right, if the OA uninstaller works for users that is choice 1.

    TY
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As promised yesterday, here is a first post of a similar list but for those ending up in advanced mode who DO NOT want to concede the other defaults to OA.

    Any errors or omissions here are mine but as someone once said I'm responsible but not to blame!

    This is a work in progress so chime in if you want.

    1) Save settings from your existing version and backup ALL your user data. Take an image backup of whole set up if you can!
    2) Turn on windows FW from control panel also no exceptions
    3) >All programs>OA's > click uninstall, system will want to reboot, let it
    4) After system reboots itself, you now have no FW, so ensure windows FW still on.
    5) Run all your system cleaner program(s) eg CCleaner and if no other the registry scan, disk clean ups etc.
    6) Run a defrag
    7) Reboot; after reboot, ensure www connection is working
    8) Install new version (or old if you are reinstalling it)
    9) Do not restore your settings, run the SCW deal with all messages it finds, if in doubt about allowing an exe to run or start say NO!
    10) SCW ends, system will want to reboot, let it, OA's learning mode will end fast, don't mess with that process.
    11) If you have advanced rules and settings from step 1, >OA configuration> options>backup restore and restore the settings, wait a bit (60 seconds) before checking all your rules and exclusions are restored.
    12) Ensure you adjust all your SSW to exclude each other eg OA should exclude SAS or NOD32 etc, I also add jv16, perfectdisk 2008 etc and vice versa!
    13) Keep the dictionary data up to date daily
    14) Make sure the windows FW is now off. OA is supposed to do that but verify it anyway
    15) On the FW interface screen turn off the trust box, a poor choice of default IMO.
    16) Now some verification and updates for you:

    > FW>restrictions> click all countries will be denied and add only the countries you know you need, like your home country and Local Host (yes I know that isn't a country) > unclick Intranet

    If you use the HOSTS file for 127's eg sites you never want to go to, update the hosts file your normal way.

    If you use M$ DNS service, insert your DNS server IP in the DNS rule as the endpoint; this minimizes DNS poisoning.

    If you have DNS service turned off as I do so the router gets the addy's, place the DNS server address in every updater exe going outbound to port 53, yes yes I know it is work but so what, once done it's done, I have 24 exe's using DNS so that's it.

    Now I'm going to block certain exe's from accessing the www: IE 7, Windows Explorer (it still runs, just can't access the internet), Windows Media Player, spoolsv, some games and whatever else you don't need calling out.

    >FW>ICMP>untick all allowed
    >FW>Restricted Ports> tick them all

    17) Save your settings daily on an external unless you like doing rules all over again time after time.

    That should go some way to blocking by default and allow only by exception.

    If your policy is allow by exception and only block by default then these settings are not what you want.
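As an added example (my own, not Online Armor's rule engine or any export format it uses): a first-match evaluator over a constructed rule table of the kind step 16 describes, with the updater exe pinned to the DNS server on port 53, the update server that appears later in this thread (66.100.171.91:80) as its only allowed web endpoint, IE 7 cut off entirely, an incoming zero-octet deny of the sort asked about in the next post, and default deny last. The program paths, the resolver address 192.0.2.53 and the connection attempts are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    exe: str             # full program path, or "*" for any program
    direction: str       # "in", "out" or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # remote port, None for any port
    endpoint: str        # CIDR the remote address must fall inside
    action: str          # "allow" or "deny"

# Constructed placeholders (not real infrastructure): the resolver address you
# would type into each exe's port-53 rule, and the paths of two programs.
DNS_SERVER = "192.0.2.53"
UPDATER = r"C:\Program Files\Updater\updater.exe"
IE7 = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed rule table, in the order a first-match evaluation walks it.
RULES = [
    # updater may resolve names only through the pinned DNS server ...
    Rule(UPDATER, "out", "udp", 53, f"{DNS_SERVER}/32", "allow"),
    # ... and may fetch updates only from the server recorded in the log (port 80)
    Rule(UPDATER, "out", "tcp", 80, "66.100.171.91/32", "allow"),
    # IE 7 is cut off from the internet entirely
    Rule(IE7, "out", "any", None, "0.0.0.0/0", "deny"),
    # incoming traffic claiming a source in the zero octet is dropped for every exe
    Rule("*", "in", "any", None, "0.0.0.0/8", "deny"),
    # block by default: anything not allowed above is denied
    Rule("*", "any", "any", None, "0.0.0.0/0", "deny"),
]

def decide(exe, direction, proto, port, remote_ip, rules=RULES):
    """Return 'allow' or 'deny' for one connection attempt; first matching rule wins."""
    addr = ip_address(remote_ip)
    for r in rules:
        if r.exe not in ("*", exe):
            continue
        if r.direction not in ("any", direction):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if addr not in ip_network(r.endpoint):
            continue
        return r.action
    return "deny"  # no rule matched: still deny, never fall open
```

The second attempt below (the updater sending DNS to an unpinned resolver) is the case the port-53 endpoint rule exists to stop.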
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    To Stem and Mike Nash:

    Here are some of my infernal questions.

    In OA the user can create rules for TCP, UDP or both in any direction in or out any port or range.

    1. How does user create a rule to deny the incoming zero octet as in the attached jpg? Can I use an all rule with this addy/range as a denied endpoint?
    2. If, OA does this in the real lower level of rules below the table of rules seen in the FW tab how do we know this rule is present and works?
    3. Stem, have these rules on classic network type denies been tested? Results?
     

    Attached Files:

  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think the "problem" came from the fact that download and forum are located at third-party hoster, while licensing/update servers are own. And you talk about different things :)
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    To get dictionary updates from TallEmu I am connecting to:

    66.100.171.91:80 a server in the USA as indicated, a 3rd party server.

    This is a normal business practice.

    Many SW firms have updating servers all over the world to split / balance the load and to service the domestic customers.

    It is possible to place all update and banking servers you use in your OA web sites tab. There, if you mark them protected, OA is supposed to do a DNS double check using their FW's DNS server. If the site you are trying to access doesn't resolve the same way at their site an alarm goes off with messages.

    Possible case of DNS poisoning. If you ever get this don't continue the access attempt.
     
  21. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Escalader,

    Sorry to jump in - this is not a third party server. This is a Tall Emu server, located in a data center. Nobody, other than Tall Emu staff (and, of course data center staff) has access to this machine. It's not shared hosting or anything like that.


    Mike
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Mike:

    That is great! An exclusive server is better!

    You and Stem are supposed to jump in and correct the posts especially mine!

    Shows the error of jumping to conclusions!

    Did you see my "the incoming zero octet" post?
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Control by hash and path does mean that you can have different rules for the same program in different locations. For example you run two apaches for different interfaces. Then you can set different rules for them. If only controlling by hash you cannot do it, because they have the same hash.
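An added example (mine, not Online Armor's implementation) that models the two checking modes discussed in this post, in MikeNash's reply above and in Escalader's csrss.exe question: a rule remembers the allowed program's SHA-256 and path, and a constructed scenario compares an exact copy in another directory against a tampered file at the original path. The directory layout, file contents and the choice of SHA-256 are assumptions for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_rule(path):
    """What the firewall remembers about an allowed program: its hash and its path."""
    return {"path": os.path.normcase(os.path.abspath(path)), "hash": sha256_of(path)}

def is_allowed(path, rule, mode):
    """mode 'hash': identity is the file contents only.
    mode 'hash+path': contents AND location must both match the rule."""
    same_hash = sha256_of(path) == rule["hash"]
    same_path = os.path.normcase(os.path.abspath(path)) == rule["path"]
    return same_hash if mode == "hash" else (same_hash and same_path)

def demo():
    """Constructed scenario: an allowed 'csrss.exe', an exact copy placed elsewhere,
    and a different file later written over the original path. Returns the decisions."""
    root = tempfile.mkdtemp()
    try:
        sys32 = os.path.join(root, "system32")
        temp = os.path.join(root, "temp")
        os.mkdir(sys32)
        os.mkdir(temp)
        real = os.path.join(sys32, "csrss.exe")
        with open(real, "wb") as f:
            f.write(b"MZ genuine program bytes (constructed)")
        rule = make_rule(real)                       # user allowed the genuine file here
        copy = os.path.join(temp, "csrss.exe")       # same bytes, different directory
        shutil.copyfile(real, copy)
        with open(real, "wb") as f:                  # same path, different contents
            f.write(b"MZ replaced bytes (constructed)")
        return {
            "copy_hash_only": is_allowed(copy, rule, "hash"),
            "copy_hash_and_path": is_allowed(copy, rule, "hash+path"),
            "tampered_hash_only": is_allowed(real, rule, "hash"),
            "tampered_hash_and_path": is_allowed(real, rule, "hash+path"),
        }
    finally:
        shutil.rmtree(root)
```

Under either mode a file with different contents is not matched by the rule, which is the masquerading case; the path check only adds the ability to tell an exact copy apart by where it lives.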
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Alex_s:

    Yes, I see the point even though I don't need that ability.

    My main issue/question/concern call it what you will, is the id'ing of baddies masking as safe exe's. That's what I want OA to do for me and I want to make my settings optimum for that purpose.

    This feature for 2 sets of rules and 2 different but valid hashes seems to me to give the bad guys an opportunity! I really hope Mike or Stem will rush in here to prove my fears unfounded, I worry easily!

    Let's wait for them!
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Today, OA has a new build 151 which has come out of the OA beta testing process.

    So for the moment, I will be installing that build and this thread can continue with everybody on the same version which is easier. I will be following my own post on advanced rules install.

    So far I have uninstalled beta 150, done a major clean up and a defrag.

    While doing that users still have to turn on Windows FW during the period where they have no SW FW. Of course many have a router so the HW FW should be good for incoming.

    Now I'm going to install clean the 151 build and run the SCW to get all the settings and white list updates for the HIPS etc.

    More later


    Okay I did all the steps, and OA build 151 is up and running.

    The one setting I had to change from block to allow was for Windows Explorer, and that was because OA itself seems to want to use it. That's if the log is being read correctly.

    But those rules are giving me trouble still, so what I'm going to try is delete them all and release the settings for Windows Explorer and also let OA configure trusted programs automatically.

    The other thing that didn't dawn on me before is that any settings made in the SCW are overlaid when I restored my Beta 150 settings.

    More later
     
    Last edited: Jun 29, 2008