Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Two things.

    1) When users update Windows, ctfmon.exe comes back in full force no matter what methods are used to manage it.

    2) This thread is about how to use OA to manage PCs, not about how to avoid OA. :cool:
     
  2. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    OK again.. with OA, well maybe (not). :p
    I don't know where this ctfmon.exe startup item points at on other computers, but on my system the autostart path in OA points at this location

    OActfmon.png

    Does it make sense to block this Network Service key with OA and leave the current user key as it is?

    With OA, if I want to prevent the ctfmon.exe from running, the only solution seems to be a Blocked Status in Programs.

    Of course, but maybe tomorrow OA is history on my PC, but my PC is still there.
    So why should I always try to find a solution for a problem with OA if I can easier find one without OA.
    This thread should not become an OA ivory tower building thread. :rolleyes:

    Cheers
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Subset,
    You may not have noticed, but this is a thread for "Online Armor"

    Windows does like to protect the start up of ctfmon for whatever reason. Execution prevention is the way to go I would think, either from an execution prevention program, as in this case OA, or, if you are on XP pro, you can prevent its execution via local security policy.
    I do have software that uses ctfmon, and have found no problem with it running.


    - Stem
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello thread followers and contributors.

    Just to let everybody know, I'm taking a break from this thread till sometime after labour day in the early fall. :'(

    May look in from time to time as a reader only.

    Please feel free to continue on without me! :cool:

    I will be active over in privacy general.
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think you did a great job and undoubtedly you need a good rest :)
     
  6. tomazyk

    tomazyk Guest

    Hi to all.
    Regarding ctfmon startup issue I think one should not use execution prevention to stop it. You can disable it in Control panel (Regional and language options - Languages tab - Details - Advanced tab - Turn off advanced text services). So why should we use execution prevention or startup prevention to stop something that can be easily disabled with one checker?
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi tomazyk,
    Many thanks for the info... I have certainly missed info on that ability.

    One for the notes.


    Regards,
    - Stem
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here is a hint I thought I would share.

    In OA FW blacklists, it is possible to have your own list of ip's or ranges of ip's you want to block. Users can then use OA to edit the list via the OA blacklist tab.

    I have done this by going into my folder where I keep my Bluetack lists, copying the smallest one then renaming it MyBlockList. At that point, I deleted all its duplicate entries and added a few IPs and IP ranges of my own.
     
  9. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    Escalader, I use BlockListManager for that purpose. Easy to merge, add, edit, automatically remove duplicates and export as a single file (use 'SafePeer' export option).

    See post - https://www.wilderssecurity.com/showpost.php?p=1103261&postcount=14

    Hope that helps.
     
  10. Mapson

    Mapson Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    54
    Apologies, I overlooked this post.

    In Blocklist Manager go to Tools -> Options then under
    - 'General', tick 'AutoExport'
    - 'Sources', select the Bluetack block lists you want
    - 'Personal Sources', point to text files containing any IP address you wish to block (I untick these)
    - 'App locations', tick 'SafePeer' and point to a directory that the optimised/merged single block list is to be exported to and give a filename for the exported list, e.g. myblocklist.txt
    - 'Selected Filters', tick the 'SafePeer' option

    In future then all you have to do is load BlockList Manager, select 'Process' and it's all merged/optimised automatically, then import into OA in the normal way (e.g. select myblocklist.txt from the example above)
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,
    You can of course create your own blacklist in a text editor (such as notepad), but must have the format as:-

    Name:start address-end address

    It is important to have that format or you will have an error when trying to load the blacklist. Even if you only wanted to block one IP, then you would need to enter that IP as both the start and end address.

    So, if I wanted to block 192.168.1.100, I would open notepad (or other text editor) and make an entry of:-

    Whatever name I want:192.168.1.100-192.168.1.100

    I would then save the text file and then load into OA blocklists, any further additions or editing can then be done directly within OA.


    - Stem
     
    Last edited: Aug 13, 2008
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Over at OA a lot of work has been done on upgrading the help information.

    http://www.tallemu.com/webhelp/tabAbout.htm

    I was kind of pleased to find some of my own work showing up, specifically on the way the OA Host tab works and its actual meaning. :D
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Thanks for this, turns out my copy/delete method produced exactly what you showed the steps to be. It's important to get the : in place.

    Here for the thread is what mine looks like at the moment.

    [DShield top10] Unknown:125.211.198.20-125.211.198.20
    [DShield top10] Unknown:61.191.58.18-61.191.58.18
    CM2 ZoneLab:208.185.174.0-208.185.174.255
    pointroll:72.32.153.176-72.32.153.183

    It is incomplete but as time goes by I will add to it.

    Regards
     
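    As an added example (not Online Armor's own code, nor anything posted by Stem or Escalader), the following Python script parses and validates a blacklist text file in the "Name:start address-end address" format Stem describes, using Escalader's four lines above as sample data, plus two constructed malformed lines of the kind a hand-edited list tends to contain. How OA itself parses the file is not known here; the script only checks the text before it is loaded and can then tell you which entry a given IP would fall under.

```python
"""Parse and validate Online Armor-style blacklist lines ("Name:start-end").

Added example, not Online Armor's own code. The format is the one Stem
describes: a name, a colon, then a start and end IPv4 address joined by
"-". A single host is written with the same address as start and end.
How OA itself parses the file is an assumption; this only validates the
text before it is loaded.
"""
import ipaddress

# Constructed sample file: the four entries Escalader posted plus two
# malformed lines (no colon; single IP without the "-end" part).
SAMPLE_BLACKLIST = """\
[DShield top10] Unknown:125.211.198.20-125.211.198.20
[DShield top10] Unknown:61.191.58.18-61.191.58.18
CM2 ZoneLab:208.185.174.0-208.185.174.255
pointroll:72.32.153.176-72.32.153.183
missing colon 10.0.0.1-10.0.0.1
single host only:203.0.113.7
"""


def parse_line(line):
    """Return (name, start, end) for one line, or raise ValueError.

    The split is on the LAST colon so that a name may itself contain
    colons; the range after it must be "a.b.c.d-w.x.y.z" with start <= end.
    """
    name, sep, rng = line.rpartition(":")
    if not sep or not name.strip():
        raise ValueError(f"no 'Name:' prefix: {line!r}")
    start_s, dash, end_s = rng.partition("-")
    if not dash:
        raise ValueError(f"single IP must be written as start-end: {line!r}")
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip())
    if start > end:
        raise ValueError(f"start address after end address: {line!r}")
    return name.strip(), start, end


def load_blacklist(text):
    """Parse every non-empty line; return (entries, errors).

    entries: list of (name, start, end); errors: list of (line_no, message).
    """
    entries, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            entries.append(parse_line(line))
        except ValueError as exc:  # AddressValueError is a ValueError too
            errors.append((no, str(exc)))
    return entries, errors


def matching_entry(entries, ip):
    """Return the name of the first range containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for name, start, end in entries:
        if start <= addr <= end:
            return name
    return None


def format_entry(name, start, end):
    """Render an entry back into the OA text format."""
    return f"{name}:{start}-{end}"


if __name__ == "__main__":
    entries, errors = load_blacklist(SAMPLE_BLACKLIST)
    for e in entries:
        print("ok   ", format_entry(*e))
    for no, msg in errors:
        print(f"line {no}: {msg}")
    print(matching_entry(entries, "208.185.174.77"))
```

    Running it reports the two bad lines with their line numbers and leaves the four good entries, which round-trip through `format_entry` unchanged; fixing a list this way before loading avoids the load error Stem mentions.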
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In XP SP3, when a user installs OA under an administrative user account, is the other user who has a limited account running and getting the protection of OA during his surfing etc. etc.?

    I want to ensure that the Limited User can't uninstall OA (or any of the other security SW for that matter)
     
  16. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Hi,

    I'm working with LUA and I confirm that when you don't have administrative rights you are not able to uninstall any software which was installed on your computer.
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, I should have added a question: "does the LUA have OA running for him, even though he can't uninstall it?"
     
  18. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Yes, of course. OA is running on my LUA without any issues.
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Great, thanks.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Creer:

    Confirmed, just set it up under AUA and OA is available to the LUA !

    So my associate should be protected but unable to delete the product.
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Some time ago I showed the thread my expansion of the OA restricted port list.

    To do this users must be in the advanced mode of a paid version.

    Attached is a jpg showing a good portion of my port list.

    I have as a user choice decided to add a port or two to this table in order to continue a policy of block by default, allow by exception. Each user needs their own policy of course and should not just copy mine or anybody else's. In other words you may need the ports I'm restricting.

    I have added 5050 and 5190, both messenger services I don't use/want.

    As well, I've been slowly adding full descriptions to the ports so I don't have to keep looking them up. I'm going down the list and I see 666 doom and I think I'll add it to the list, along with all other gaming ports and all the netmeeting ports etc etc.

    Now a question for Stem on these port options. As I understand it these port ranges come in three ranges:

    1) Well Known 0-1023
    2) registered 1024-49151
    3) Dynamic or private 49152-65535

    Is there a rule or set of rules, the OA user could/should put into effect blocking or allowing using these ranges?

    Why not just block all accesses to all ports in / out for the 3rd range for all protocols?

    What would happen? I could try it I guess but thought I would learn first.

    Straighten me out on this please :cool:
     


  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I see you have been looking at the iana port ranges.
    With MS (XP) the main port ranges are usually referred to as:-
    0-1024: Reserved (which should really include ports 1025-1030, as these have been added to the OA restrictions list). These are seen as reserved for the OS and its services. This is the main area where caution is needed as to whether they should be allowed access to/from the internet. Most services in this area are well known, such as (simple example) NetBIOS; this service should not really be allowed access to the internet, as it can cause problems with possible infection. Other services such as DHCP do in a lot of cases require internet access to obtain the PC IP (but that depends on setup ~ if on a private LAN or connected directly to the internet).
    The range 1025-5000: MS placed these (XP) as a dynamic range; these ports are usually assigned to your applications etc. when they make outbound connections.
    The higher ports, around a start of 60000 and up are used (XP) for NAT when such as ICS (Internet Connections Sharing) is enabled. (These higher ports are now used by Vista for the dynamic range (49152-65535))
    But I think such info is not really of interest to most, they just want to surf/ play on-line games etc, so on to your questions.


    There are various ports/services protected in the lower port range, these ports/services being restricted for use only on the LAN to trusted PCs. The current list does cover most.

    By default Unsolicited inbound is already blocked to those ports. I know not as many use ICS as once did, as many now purchase a router or switch for sharing a single connection. But blocking all in/out on that range would block (XP) ICS. I cannot actually see any benefit from actually blocking that full range, and with OA you can only place one port per rule in the restricted ports list (or you could the last time I checked) so you would need to add over 16000 rules. You would also have problems trying to create global rules for blocking outbound from local ports, as rules for outbound currently do not contain the local port.



    - Stem
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Yes, I've been reading a reference on port list classes which appears to be a bit dated. However, I found the explanations valuable!

    Picking up on the point of blocking the service TCP/IP NetBIOS Helper I have 2 follow-up questions.

    (1) Is it sufficient to assume that OA's restricted ports 137, 138 and 139 are good enough to block NetBIOS?
    (2) If the user doesn't disable this service have you had a chance to test if OA does in fact block the ports beyond the LAN?

    In my personal case, I disable the service but being a super cautious type I even wonder if that action has been tested to work with or without OA.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    My full testing with this has been with the latest full release (V2), I will of course check V3 when it is near to full release.

    Currently, when NetBIOS is enabled either rules will be auto created for those ports or you will have popups (depending on settings within OA); these are only to allow that service the ability to listen on those ports, but those ports are still over-ridden by the restricted ports list for any actual comms. The only IP(s) that can connect to or be connected from those ports must be in the LAN and set as trusted (a list of computers on the LAN is shown in "firewall ~ computers (tab)").
    Any IP outside the LAN cannot connect in as it is not in that computers list so cannot be set as trusted. I have made various tests that do confirm that.

    You could look at the restricted ports list as a firewall rule:-

    Allow in/out {port number(s)} to/from {IP computer(s) trusted} block all else.


    - Stem
     
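    As an added example that is not Online Armor's code or Stem's own (it is only a model of the rule he states in words), the Python below treats the restricted ports list as exactly that rule: traffic in or out on a restricted local port is allowed only to or from a computer that is both on the LAN and marked trusted, and blocked otherwise; ports not on the list are left to the normal rules. The LAN subnet, the computers list, the trusted flags and the connection records are all constructed; only NetBIOS ports 137-139 from the thread are used as the restricted set.

```python
"""Model the Online Armor restricted-ports list as a firewall rule.

Added example, not Online Armor's own code. It implements the rule Stem
states in words: allow in/out on a restricted port only to/from a
trusted LAN computer, block all else on that port. Ports not in the
list are left to the normal rules ("unrestricted"). The LAN subnet,
the computers list and the connection records are constructed.
"""
import ipaddress

# Ports the thread names as restricted (NetBIOS 137-139); the rest of
# the OA list is not reproduced here.
RESTRICTED_PORTS = {137, 138, 139}

# Constructed LAN: the "computers" list can only contain LAN members,
# and only listed members can carry the trusted flag.
LAN = ipaddress.IPv4Network("192.168.1.0/24")
COMPUTERS = {
    "192.168.1.50": True,    # on the LAN and marked trusted
    "192.168.1.60": False,   # on the LAN but not marked trusted
}


def can_trust(ip):
    """An address can only appear in the computers list if it is on the LAN."""
    return ipaddress.IPv4Address(ip) in LAN


def is_trusted(ip):
    """Trusted means: eligible (LAN member) and flagged in the computers list."""
    return can_trust(ip) and COMPUTERS.get(ip, False)


def decide(local_port, remote_ip, direction):
    """Return 'allow', 'block' or 'unrestricted' for one connection.

    direction is 'in' or 'out'; the rule is symmetric, so the only
    thing that matters is the local port and who the peer is.
    """
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction {direction!r}")
    if local_port not in RESTRICTED_PORTS:
        return "unrestricted"        # normal OA rules apply instead
    return "allow" if is_trusted(remote_ip) else "block"


# Constructed connection records: (direction, local port, remote IP).
SAMPLE_CONNECTIONS = [
    ("in", 139, "192.168.1.50"),    # trusted LAN host
    ("in", 139, "192.168.1.60"),    # LAN host, not trusted
    ("in", 137, "203.0.113.9"),     # outside the LAN
    ("out", 138, "203.0.113.9"),    # outbound to outside, same rule
    ("in", 80, "203.0.113.9"),      # not a restricted port
]


def evaluate(records):
    """Apply decide() to each record; returns (direction, port, ip, verdict)."""
    return [(d, p, ip, decide(p, ip, d)) for d, p, ip in records]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_CONNECTIONS):
        print("%-3s local port %-4d remote %-15s -> %s" % row)
```

    The point the table makes is the one in Stem's reply: an address outside the LAN never reaches the "trusted" check, because `can_trust` already fails, so the verdict for a restricted port is block regardless of direction; the unrestricted port 80 record shows that the list says nothing about ordinary traffic.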
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Stem, always learning!

    I like the rule better than a list! But that is just me!

    Meanwhile for myself, I will add selective ports that I will never use to the OA list and publish updates from time to time. If you ever see a flaw/error in this list just say so, as always! :cool:
     