Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    They have the same hash. Let us assume that a hash uniquely identifies a program. In this case a "bad" program can do nothing in either case, because the second option doesn't drop hash control but allows different rules for differently located programs.
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Ahhh, but what if the "bad" has a hash = good program. It is hard for the manufacturers of parasites to do BUT (I'm informed) not impossible. A verification method that depends on an algorithm (math formula) can be fooled, and now we allow the path to vary! That was another way to confirm validity!

    I don't like this "flexibility" when it is key to id'ing a virus.

    Anyway, this LT is not so much for debate, we wait for the experts now to straighten the matter out.

    Mike? Stem? where are you guys? I know doing real work... comment when you can.
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Theoretically an md5 hash may be fooled (actually, any hash can be), but not so simply that any given program could be modified in a free way. For example, there is an algorithm that allows one to find an 8 byte sequence where two bytes can be swapped and the md5 hash will be the same, but the probability that such a sequence can be found in a good program is extremely low, and the probability of turning this program into a dangerous program by just swapping two predefined bytes is close to zero. And in case you use not only one hash but a pair of them, the whole task becomes actually unreal.
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks alex_s:

    As before, I'm waiting for Stem on this one.

    But this is more to do with OA design as opposed to helping OA users learn how to use OA 151. So it is OT, IMHO. :D
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Oh, yes :)

    For the users I'd say that controlling by hash and controlling by hash and path doesn't matter from the security point of view. A hash is the only identifying thing. No security can be built on a path! :)
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello OA 151 Learners (advanced options)

    Today, I upgraded my NOd32 update and dns rules to be "tight".

    Now there was a long set of posts before about letting NOd use any server it wanted via its auto update setup. They have various servers in different countries to get updates from. I have some of those countries blocked using OA FW restrictions for reasons of my own.

    So in the nod32krn.exe TCP rule I used the endpoint restriction on addresses and inserted 89.202.149.49 which is in the UK. On the allowed country side of endpoint restrictions I added UK, deleted internet and added local host.

    See attached jpg

    If you wanted to add a few more nod32 sites all you need is the ip address and the country.

    You can do the same thing for ALL your SW products and use the OA log for blocking, id'ing or allowing to gain the ip addresses. They rarely change although some users say differently.

    As I have DNS services disabled, my setup picks up port 53 via the router.

    So for each updating exe I add my ISP's DNS service ip address (look in your connection tab for it) and then just add your home country for that.

    I'm sure all this is as clear as mud, but once done it's done.
     


  7. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    A hash identifies things technically; a path shown in Programs or the Firewall offers useful additional information for the users.

    Valve's Half-Life 2 and its mods (Counter-Strike Source, H, Day of Defeat Source, Team Fortress 2) all have the same hl2.exe (by hash) but they are all in different paths, like Steam\SteamApps\user\*\hl2.exe.

    Right now OA shows one hl2.exe in Programs and different ones in the Firewall (if path and hash is checked).
    But even the Firewall information is incorrect with the recent official version.

    hl2exe.png

    I always requested to show the full path in Programs and Firewall for easier orientation.
    But even if this is not wanted, at least the given information should be correct.

    Cheers
     
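The hash-versus-path discussion in the posts above (alex_s on hash control, subset on several mods sharing one hl2.exe) can be made concrete. The following is an added example, not code from the thread or from Online Armor: it builds two byte-identical stand-in executables under different "mod" folders, keys a rule table either on the (md5, sha256) pair alone or on the pair plus the resolved path, and then tampers with the ruled copy. The file contents, folder names and the two rule-table modes are constructed for the demo; how Online Armor actually stores its keys is not known from the thread.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for an executable's bytes; two copies of it play the
# role of the identical hl2.exe installed under two different mod folders.
FAKE_EXE = b"MZ constructed stand-in for hl2.exe\n"


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, hashing it in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


class RuleTable:
    """Per-program decisions keyed on the hash pair alone ('hash only' mode)
    or on the hash pair plus the resolved path ('hash and path' mode).
    Both modes are assumptions for this demo; unknown programs get 'ask'."""

    def __init__(self, check_path):
        self.check_path = check_path
        self.rules = {}

    def _key(self, path):
        md5, sha = file_hashes(path)
        if self.check_path:
            return (md5, sha, str(Path(path).resolve()))
        return (md5, sha)

    def add(self, path, decision):
        self.rules[self._key(path)] = decision

    def lookup(self, path):
        return self.rules.get(self._key(path), "ask")


def demo():
    """Build two identical copies, rule them in both modes, then tamper."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        apps = Path(root) / "Steam" / "SteamApps" / "user"
        hl2 = apps / "half-life 2" / "hl2.exe"
        dods = apps / "day of defeat source" / "hl2.exe"
        for exe in (hl2, dods):
            exe.parent.mkdir(parents=True)
            exe.write_bytes(FAKE_EXE)

        hash_only = RuleTable(check_path=False)
        hash_path = RuleTable(check_path=True)
        for table in (hash_only, hash_path):
            table.add(hl2, "allow")  # the user only ever ruled the HL2 copy

        # Same bytes in a different folder: identical hash pair.
        results["same_hash"] = file_hashes(hl2) == file_hashes(dods)
        results["hash_only_second_copy"] = hash_only.lookup(dods)
        results["hash_path_second_copy"] = hash_path.lookup(dods)

        # Tamper with the ruled copy in place: the path is unchanged, but the
        # hash pair no longer matches, so neither mode applies the old rule.
        hl2.write_bytes(FAKE_EXE + b"\x90")
        results["hash_only_after_tamper"] = hash_only.lookup(hl2)
        results["hash_path_after_tamper"] = hash_path.lookup(hl2)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point alex_s makes falls out of the last two lookups: adding the path to the key changes which copies a rule applies to, but it never weakens hash control, because a modified file misses in both modes. The path component only matters for telling identical copies apart, which is subset's usability point.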
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I never meant path not to be shown ! :)
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Why does/should FF ask for UDP to any ports?

    OA 151 creates such a rule to be generated?

    See attached image
     


  10. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    I'm going to say it is because Firefox uses a local proxy and you have Loopback alerts enabled in OA.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well, I do have loopback enabled in OA 151!
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In OA 151 users can set programs to run safer status in the program tabs window. When you click on Security Group column heading you will get the entries sorted so that will tell you if any are already classed that way.

    The reason this feature exists is OA's belief (not without reason) that most users in xp run in administrative mode for ease/convenience/laziness, call it what you will. I'm no different! So this feature gives me the best of both worlds as I can slap a run safer classification on individual programs and achieve Limited User status program by program. The obvious ones to choose are those "facing the internet or www": your browsers, mail client etc. I also limit a few others at this point and expect to add to the list as time goes along. If you readers have some extras you think should be limited, by all means post them. A rationale for them would be useful.

    I have attached my list for reference only; your situation may be/is different.
    If you copy mine and foul up your setup, that is not my fault. :D

    Note that MOST of these I have Run Safer are trusted by OA, so users need not accept the vendors "view" of these.

    For more help on how to set a program to run safer see:

    http://www.tallemu.com/webhelp/RunSafer.htm

    Is this sort of post of any use to you guys or do you already know all about this stuff?
     


  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    To those interested:

    In OA 151 their word restricted does not equal the word denied.

    Here are my additions to the OA 151 "restricted" ports list.

    1900
    5000
    and 5190

    I'm going to assume you guys know why or can find out.


    Note that OA says some windows services "should be blocked", but I don't have a list FROM them as to which those are. I have my own Hybrid list derived from Stem's posts and sticky, BlackVipers lists and my own research.

    I'm not sure if it is wise for me to offer this Hybrid list as it is very specific to my LAN set up. :doubt:
     
  14. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Escalader,
    Remember, what's obvious to some isn't obvious to others.
    Even though I don't use OA anymore, the previous 2 posts are right on the money.
    Thanks.
    Hugger
     
  15. Liberman

    Liberman Registered Member

    Joined:
    Jul 6, 2008
    Posts:
    4
    I like OA in general but I'm confused by a difference between "Allowed" and "Trusted". What is the difference ?
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Best to read the concepts section at their online help site. But as you are "new" here is a quote from it to answer your allowed vs trusted question:

     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    IMHO, it is wise to reduce www risk by sizing down the list of FW restrictions all countries are denied / except. These are known as Global Restrictions and are the "lazy" way to do things. :D

    So today I id'd 2 of my programs: one updates from Finland (jv126 PowerTools 2008) and the other from Sweden. I have no other reason to have my PC connect there.

    I had these 2 countries allowed for ALL programs that are allowed to connect to the www.

    So I removed them both (no reflection on those countries) from the Global denied/except list.

    But I had to add them to the updater exe's in the FW rules for each. Now only 1 program can access Finland and one other can access Sweden.

    To restrict them even further, I inserted the ip addresses of each vendor's site into the FW rule in advanced mode.

    So for my policy it is a bit more deny by default and allow by exception.

    Hope this is of interest.:doubt:
     
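Escalader's two posts on endpoint restrictions (the nod32krn.exe rule pinned to one UK server plus the ISP resolver, and the later move of Finland and Sweden from the global exception list into individual updater rules) describe a deny-by-default policy that can be modelled in a few dozen lines. This is an added example, not code from the thread or from Online Armor. The IP-to-country table is constructed (only 89.202.149.49 comes from the thread; the rest are RFC 5737 documentation ranges labelled with countries for the demo), the resolver address 203.0.113.53 and the program name updater_fi.exe are hypothetical, and the way a per-program country list overrides the global exception list is an assumption about how such rules combine.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed IP-to-country table standing in for the firewall's geo data.
# 89.202.149.49 is the UK NOD32 server quoted in the thread; the remaining
# ranges are RFC 5737 documentation blocks given countries for this demo only.
COUNTRY_OF = {
    "89.202.149.0/24": "UK",
    "192.0.2.0/24": "Finland",
    "198.51.100.0/24": "Sweden",
    "203.0.113.0/24": "US",
    "127.0.0.0/8": "localhost",
}


def country(ip):
    """Map an address to a country name via the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, name in COUNTRY_OF.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"


@dataclass
class Rule:
    """One per-program allow rule. 'addresses' is the endpoint restriction
    (explicit IPs or CIDRs, empty = any); 'countries' replaces the global
    exception list when set. How these combine is an assumption of the demo."""
    program: str
    proto: str
    ports: set
    addresses: list = field(default_factory=list)
    countries: set = field(default_factory=set)

    def permits(self, program, proto, ip, port, global_countries):
        if (program, proto) != (self.program, self.proto) or port not in self.ports:
            return False
        if self.addresses:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(a, strict=False)
                       for a in self.addresses):
                return False
        allowed = self.countries or global_countries
        return country(ip) in allowed


class Firewall:
    """Global 'all countries denied except ...' list plus per-program rules."""

    def __init__(self, global_countries, rules):
        self.global_countries = set(global_countries)
        self.rules = list(rules)

    def decide(self, program, proto, ip, port):
        for rule in self.rules:
            if rule.permits(program, proto, ip, port, self.global_countries):
                return "allow"
        return "deny"  # nothing matched: deny by default


def build_demo_firewall():
    """Policy modelled on the thread: home country (US here), UK and localhost
    are the only global exceptions; Finland is reachable by one updater only."""
    return Firewall(
        global_countries={"US", "UK", "localhost"},
        rules=[
            # NOD32 updater pinned to one UK server; DNS pinned to the ISP
            # resolver (203.0.113.53 is a constructed resolver address).
            Rule("nod32krn.exe", "TCP", {80, 443},
                 addresses=["89.202.149.49"], countries={"UK"}),
            Rule("nod32krn.exe", "UDP", {53},
                 addresses=["203.0.113.53"], countries={"US"}),
            # Hypothetical Finnish updater: the only program allowed to reach Finland.
            Rule("updater_fi.exe", "TCP", {80}, countries={"Finland"}),
            # Browser: any address, but only in the globally excepted countries.
            Rule("firefox.exe", "TCP", {80, 443}),
        ],
    )


if __name__ == "__main__":
    fw = build_demo_firewall()
    for attempt in [("nod32krn.exe", "TCP", "89.202.149.49", 443),
                    ("nod32krn.exe", "TCP", "89.202.149.50", 443),
                    ("firefox.exe", "TCP", "192.0.2.10", 443),
                    ("updater_fi.exe", "TCP", "192.0.2.10", 80)]:
        print(attempt, "->", fw.decide(*attempt))
```

Evaluating a handful of attempts shows the effect Escalader describes: the browser can no longer reach Finland once that country leaves the global list, the one updater still can, and the NOD32 rule rejects even a UK address that is not the pinned server.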
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Today, when I try to update OA 151 Rules and signatures only I get a little
    OA 151 pop up error

    Autoupdate
    10061 sprocket error
    Connection refused

    And the solution was:

    The OA FW I turned off and the update proceeded normally

    Then, knowing the issue lay within my FW rules for oaui.exe, the allowed ranges and mask combos needed updating.

    I had to expand the endpoint ranges to the following:

    66.100.171.82-83

    and on a separate endpoint entry:

    66.100.171.84-87

    I can't get it to be one rule as the CIDR mask varies. After you update the FW rule, refresh or it won't "take". OA warns that the addy's must lie within the mask set, so that is that for now.
     
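Why the two endpoint entries above cannot be collapsed into one is a property of CIDR alignment, not of Online Armor. The added example below (not code from the thread) uses the standard library's ipaddress module to compute the exact CIDR cover of the ranges Escalader lists, and to show what the smallest single block that covers 82 through 87 would admit beyond the intended addresses.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Exact CIDR cover of an inclusive address range; may need several blocks."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def smallest_single_block(first, last):
    """Smallest single CIDR block containing the whole range (may overshoot)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(str(lo))  # start from the /32 of the first address
    while hi not in net:
        net = net.supernet()             # widen by one prefix bit at a time
    return net


def overshoot(first, last):
    """Addresses admitted by the single-block approximation but outside the range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = smallest_single_block(first, last)
    return [str(addr) for addr in net if addr < lo or addr > hi]


def explain(first, last):
    """Summarise the trade-off for one range as a small report dict."""
    return {
        "exact_cover": range_to_cidrs(first, last),
        "single_block": str(smallest_single_block(first, last)),
        "extra_addresses": overshoot(first, last),
    }


if __name__ == "__main__":
    # The two endpoint entries from the post, and the merged range.
    for first, last in [("66.100.171.82", "66.100.171.83"),
                        ("66.100.171.84", "66.100.171.87"),
                        ("66.100.171.82", "66.100.171.87")]:
        print(first, "-", last, explain(first, last))
```

82-83 is exactly a /31 and 84-87 exactly a /30, but 82-87 starts on a boundary that only a /31 fits, so the exact cover is two blocks. The one-block alternative, 66.100.171.80/29, would also let the rule match .80 and .81, which is the kind of widening a tight endpoint rule is meant to avoid.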
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Over on the OA forum I got this excellent post I wanted to share with you all! The name has been held back for the usual reason:

     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Are these ports on my FF (version 2.0.0.16) correct from the security point of view?

    I don't ever remember seeing port 16 ftp ? What is this? I didn't put it there but may have allowed it in the dead of night? Stem? anybody?

    here is a reference:

    http://en.wikipedia.org/wiki/Special:Search?search=port 21 ftp&fulltext=Search

    BTW, remind me what the ip's allowed should be for FF endpoint restraints?

    Having a memory blank out!:oops:
     


  21. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Perhaps old, but how exactly do you do this? Importing and updating the Firewall's 'blacklist' via BlockListManager?
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  23. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Thank you very much Escalader.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Readers:

    Have a look at this link:


    http://www.tallemu.com/oasis2/report_file_hash/5F1D5F88303D4A4DBC8E5F97BA967CC3

    This is ctfmon.exe.

    I have posted elsewhere before on this exe so I won't repeat its history.

    It is now id'd in the advanced beta versions of OA as:

    1) a keylogger
    2) an unknown exe wanting www access and to run at start and every time we use office outlook, word etc.

    M$ says it is needed for "alternate" input types.

    Advice?

    1 let it run on ask, run safer in program tab
    2 block it from auto starting
    3 deny it www access in the FW

    Note: your results may vary on your system
     
  25. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    This is no advice, it's just how I handle this ctfmon.exe.
    All these years with XP I have never seen any reason to let it run all the time because of using Office programs.

    But some may need this process:
    "Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies."
    And:
    "Removing the Ctfmon.exe might cause problematic behavior in your Office XP programs, so removing it is not recommended."
    http://support.microsoft.com/kb/282599/en-us

    All I do is just prevent the autostart of ctfmon.exe (without OA), but only deleting the value from the registry is not enough, because it comes back.

    Therefore I use this 'negative' value Run-:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"

    That's all, never set anything within OA about this Program.

    Cheers
     