Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    "Fully trusted" does mean only default settings. You can create the rules manually and they will work. The only difference for LAN is "Restricted ports" are not checked for IANA LAN IP ranges. Though I agree, Mike could invent something to make it easy and transparent. For one they could make a checkbox - do not trust LAN. Easy and effective way to go with mums :)
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi alex_s:

    I would like to see some examples of these "manual" rules for my learning thread. In my last post I asked Stem about this, but he is sometimes very busy!

    Failing that, the detailed steps/tabs/windows examples/guidelines in OA 2 to follow to do these manual rules. I would post these rules for others to benefit.

    If you prefer your response can be over at OA forum?:cool:
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    What is the problem ?!! :)

    Switch to advanced mode, Ctrl-Alt-Home, Firewall->Rules

    System, TCP, in, 139,445

    Endpoint Restrictions:

    Deny all except:

    a list of my trusted computers or network mask of my trusted subnet.

    The same with svchost and any other service you wish.

    That's all :)
     
  4. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    You can add 137 and 138

    MaB
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    UDP, yes. It was just an example. I would not dare to call it a complete and secure configuration :)
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Alex!

    o_O Didn't say there was a problem.

    Just trying to learn how to do it.:cool:

    Since the goal is to make rules for untrusting the router/LAN, I gather from your answer that the user makes rules for each service, System, svchost, etc.?

    I have the 192.168 .... addy
    the subnet mask 255.255.255.0
    a DHCP server 192.168....
    and a DNS server in the LAN connection.

    So I will try a rule for system and see what happens
     

    Last edited: Nov 22, 2007
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I did create manual rules etc, but the LAN was still allowed. I will have to set up again (there may be a problem on this VM)
    From the settings you mention, an option to trust/not trust the LAN would still be needed for the free version (you cannot uncheck the restricted ports in the free version, or so it was reported).


    I will change VM software, and check again. (I currently have no spare hardware)
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Can missing rules be inferred from my active connections?

    Attached are 2 images one with addresses resolved the other with the addresses unresolved. I have 3 questions:

    1. Is this list commonly called the TCP stack?:oops:

    2. Using these jpgs, Stem/Mike, can you guys infer and describe / explain any errors in my existing OA 2 settings?

    3. Stem/Mike, can you infer and describe / explain any errors in my existing OA 2 rules?
     

  9. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Escalader,

    They are in a LISTEN state - so there is nothing connected (and therefore, nothing to resolve)


    Cheers

    Mike
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Mike:

    Sorry, I fear my question missed the mark. This is not what I was asking, and I failed to make it clear for you. I realize these services/exes are listening.

    My 2 jpgs are for the identical FW status; one shows unresolved and, for clarity, I showed the same set of listeners as resolved.

    My questions remain unanswered as in the OP. Basically I'm saying, study these "listeners" and tell me if you can infer a missing or incorrect rule.

    See you later.
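    As an added example (not code from this thread, from Online Armor, or from any of its posters): a small Python model of the inbound rule alex_s describes in posts 3 to 5 (System, TCP in, 139/445 plus UDP 137/138, "Deny all except" a list of trusted hosts or the trusted subnet), applied to a constructed netstat -ano listing to answer the question asked above, whether a missing rule can be read off the listeners. The rule set, the netstat text, the PID-to-program map and the two probe addresses are all constructed for the example; the "no-rule" verdict marks a network-facing listener that no rule covers at all, which is the case worth looking for. The endpoint parser accepts both single addresses and CIDR ranges, which goes slightly beyond what the OA build discussed later in the thread could do at the time.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    """One OA-style inbound rule: program, protocol, ports, and the 'Deny all except' list."""
    program: str
    proto: str                 # "TCP" or "UDP"
    ports: frozenset
    allow_from: tuple          # ip_network objects; any other source address is denied


def parse_endpoints(spec):
    """'192.168.1.0/24, 192.168.1.10' -> networks; a bare address becomes a /32 (one host)."""
    return tuple(ipaddress.ip_network(s.strip(), strict=False)
                 for s in spec.split(",") if s.strip())


# Constructed rule set following the thread: SMB and NetBIOS restricted to the trusted
# subnet, and the RPC endpoint mapper (svchost) restricted to two named hosts.
RULES = (
    InboundRule("System", "TCP", frozenset({139, 445}), parse_endpoints("192.168.1.0/24")),
    InboundRule("System", "UDP", frozenset({137, 138}), parse_endpoints("192.168.1.0/24")),
    InboundRule("svchost.exe", "TCP", frozenset({135}), parse_endpoints("192.168.1.10, 192.168.1.11")),
)


def decide(program, proto, port, src_ip, rules=RULES):
    """Verdict of the first matching rule; 'no-rule' when nothing covers this listener."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.program == program and r.proto == proto and port in r.ports:
            return "allow" if any(src in net for net in r.allow_from) else "deny"
    return "no-rule"


# Constructed 'netstat -ano' output in the Windows XP layout (UDP rows have no State column).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1188
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1284
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1044       203.0.113.9:80         ESTABLISHED     2212
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1188
"""
# Constructed PID-to-image map, as 'tasklist' would give it.
PID_NAMES = {4: "System", 1012: "svchost.exe", 1188: "svchost.exe",
             1284: "alg.exe", 2212: "firefox.exe"}


def parse_netstat(text):
    """Return (proto, bind_ip, port, pid) for every listening socket; established rows are skipped."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue                                 # header, blank and title lines
        bind_ip, port = f[1].rsplit(":", 1)
        if f[0] == "TCP":
            if f[3] != "LISTENING":
                continue                             # outbound/established rows are not listeners
            pid = int(f[4])
        else:
            pid = int(f[3])                          # every bound UDP socket can receive
        listeners.append((f[0], bind_ip.strip("[]"), int(port), pid))
    return listeners


def audit(netstat_text, pid_names, lan_probe="192.168.1.20", wan_probe="203.0.113.7"):
    """For each listener, the verdict for a LAN source and for an Internet source."""
    report = []
    for proto, bind_ip, port, pid in parse_netstat(netstat_text):
        program = pid_names.get(pid, f"pid {pid}")
        if ipaddress.ip_address(bind_ip).is_loopback:
            verdicts = ("loopback only", "loopback only")   # not reachable from any network
        else:
            verdicts = (decide(program, proto, port, lan_probe),
                        decide(program, proto, port, wan_probe))
        report.append((program, proto, port) + verdicts)
    return report


if __name__ == "__main__":
    for program, proto, port, lan, wan in audit(NETSTAT, PID_NAMES):
        print(f"{program:12} {proto} {port:<5} LAN={lan:13} Internet={wan}")
```

    In the constructed listing the loopback-bound sockets need no rule at all, the System listeners are reachable from the LAN and closed to the Internet as intended, and svchost.exe on TCP 5000 comes back as "no-rule" from both sides: that is the listener to write a rule for (or to stop the service behind it) before deciding anything else.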
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    One idea I have implemented may interest some users. I use the Host feature of Spybot Search and Destroy V 1.5 and load my host file with 7,000+ bad sites.

    As they are all IP'd as 127.0.0.1, it ensures no one on my system can get to these locations.

    There is no noticeable change in performance.

    However, in OA 2 the host file feature at first glance seems to undo this step.
    All these nasties appear in OA 2 as "allowed". But on further review and feedback from OA guys their feature is a list of rules about the host file not the file itself.

    So it is simply saying the entry is allowed to be there.
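    As an added example (not from the thread, from Spybot or from Online Armor): a Python check of what a hosts file of that kind actually blocks. The excerpt is constructed in the layout the Spybot hosts feature writes, with an inline comment, a 0.0.0.0 entry, a later conflicting line for a name already listed, and the normal localhost line. Two caveats a user of such a list should know: the resolver matches the exact name only, so a subdomain that is not listed still resolves normally, and the first entry for a name wins, so a later duplicate cannot override an earlier one.

```python
import ipaddress

# Constructed hosts-file excerpt (not a real Spybot list).
HOSTS = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.bad-example.test
127.0.0.1 tracker.bad-example.test   # inline comment after an entry
0.0.0.0   ads.example.test
127.0.0.1 localhost
10.0.0.5  www.bad-example.test
# End of entries inserted by Spybot - Search & Destroy
"""

# Both of these addresses send a name nowhere useful; 0.0.0.0 fails faster than 127.0.0.1
# because nothing is listening there.
BLACKHOLE = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}
LEGIT_LOOPBACK = {"localhost"}          # names that point at 127.0.0.1 on purpose


def parse_hosts(text):
    """Map lower-cased hostname -> address. The first entry for a name wins, as the resolver does."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # malformed line: the resolver ignores it
        for name in parts[1:]:
            table.setdefault(name.lower(), addr)      # keep the first mapping seen
    return table


def is_blackholed(name, table):
    """True when the hosts file sends this exact name to 127.0.0.1 or 0.0.0.0."""
    key = name.lower().rstrip(".")
    if key in LEGIT_LOOPBACK:
        return False
    return table.get(key) in BLACKHOLE


def blocked_count(table):
    """Blocked sites the file really holds, after duplicates and localhost are discounted."""
    return sum(1 for name, addr in table.items()
               if addr in BLACKHOLE and name not in LEGIT_LOOPBACK)


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS)
    print(f"{blocked_count(hosts)} blocked names")
    for probe in ("WWW.Bad-Example.test", "cdn.bad-example.test", "localhost"):
        print(f"{probe:24} blackholed={is_blackholed(probe, hosts)}")
```

    Running it against a real %SystemRoot%\system32\drivers\etc\hosts gives the count of names actually blocked rather than the number of lines in the file, which is the figure worth comparing against the "7,000+" a list advertises.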
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Learners:

    The first time ZinioReader executed, it triggered a keylogger alert (don't know why); it was allowed, so then it was able to read my stored digital magazine.

    Here are the settings OA made for ZinioReader.

    What I would like to know is on what basis would I change any of these settings on any program?

    OA offers me the ability, but where are the guidelines on how/why etc.?
     

  14. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Escalader,

    To stay out of trouble, the simple rule here is always:

    1) Do you trust the program?

    2) Did you get it from a legitimate source?

    3) You didn't apply a crack to it, did you?

    In other words - Do you have a known good program, that hasn't been tampered with from a legitimate source ?

    If the answer to that question is yes, then one should not adjust these settings at all, and grant the program whatever rights it wants (or, just mark it as "trusted").

    That's my advice for the user whose sole concern is the smooth operation of the computer, and whose reason for running security products like Online Armor is to keep the bad guys off your computer - not tweak things.

    If your objective is to try and use the program to tweak your system, or to improve privacy then you can adjust these settings and adopt a "try it and see" attitude, because unless you have the source code and understand it you're not really going to know (other than trial, error and observation) what the restrictions actually do.

    For example, YahooIM has a keylogger behaviour - I routinely block this, and it works for me. However, when I use Yahoo it's a text chat window - no video, no add-on features, audio, etc. I think that blocking the "keylogger" behaviour in Yahoo will cause the "user is idle" detection to work incorrectly - it cannot log the last keystroke - so it doesn't know when it was, and therefore - if you are at Yahoo.

    If I decided I can't live with this, then I can always allow it and restart Yahoo as needed.

    However, because I don't use many of the features of Yahoo I am uncertain if there would be other side effects (and,in my case, don't really care)

    When you stop a program from doing something it wants, or needs to do - you run a risk of that program not working. If you know the program is safe - why take the risk?

    Same applies for security programs - if you are running any security program such as antivirus alongside Online Armor - just mark it trusted. You may get a tweaked set of permissions that work - you may also inadvertently neuter the security program, or, potentially, get system instability on a reboot or after an update.

    Hope this helps


    Mike
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    How to use exclusions

    Here is a thread from OA forum for learners here. This feature only applies to the paid version.

    http://support.tallemu.com/forums/posting.php?mode=editpost&p=19842



     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    The endpoint restrictions in the advanced FW rules for ip address ranges is not fully functional. A bug means at the moment we can only put single addresses in.

    Will be fixed soon I read on the OA forum
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Mike:

    Sorry I'm slow in responding to your post. Yes, it is very helpful. It makes us think!

    As you know, here we are more the maximum security guys and thus I'm here to learn how to "tweak" for maximum effect while avoiding obvious trouble.

    You have pointed out some things to avoid. On Nod32 (my AV du jour) it is not in the program list to mess with in OA 2 but is a service allowed to start with bootup. I have not touched Nod32 settings, nor do I want to.

    FWIW, I agree I don't want to cripple a security feature in my AV or for that matter any valid program. However, I have been working with the browser settings for FF and less so IE 7 ( don't use that one much).

    Here as a jpg are my current FF settings. I don't want to protect FF from restart if terminated since when you close it it pops right back and you get in a loop! But with that exception these work for me (others will have different settings) I have to allow some FF settings due to RoboForm being integrated with it.

    Comment at will Mike and any other learners!
     

  18. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Escalader,
    Keep going. And keep including the jpegs.
    Safe bet I'm not the only one learning.
    Hugger
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well, I am always learning, so if I may add,

    From the standpoint of the use of a browser, I personally prefer to give as little permission as possible, I would certainly not allow the browser to directly execute other applications, like if we look at HIPS such as PS or SSM, there is no need to allow such (plugins load with browser).

    As we look at your settings,
    Allow "start applications": I ask why, my own setup prevents such (with no-script/ ref-control) without problems, but gives me this protection.
    Allow "set global hooks", again, why, I see no problem with blocking such(or does OA cause problems when this is blocked?)
    Allow: Remote code/ remote data modification/ suspend process/thread,.. come on, basically you are allowing your browser to kill your system,.. OK I will say that the browser may need some permission for 3rd party addons, but to allow such against the OS, well, why have such protection when you simply bypass this yourself.
     
  20. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Stem, you beat me to the post!

    For testing purposes, I just tried out firefox with the following settings, and it seems to me sensible and works a treat.

    Edit: Italic comments are my rationale, for Escalader to understand why I chose this setting

    Run Safer (Active) - let's limit any damage on exploit, lower privs because I run as admin

    Start applications (blocked) No sneaky startups, I will click on the desktop

    Set Global hooks - (blocked) - appears not needed, but test it yourself

    PhysMem access (blocked) - appears not needed, but test it yourself

    Remote code (blocked) - appears not needed, but test it yourself

    Remote data modification (blocked) - appears not needed, but test it yourself

    Suspend/resume (blocked) - a browser should not need to do this

    Create Executable (ask) - create exe only when you ask me

    Use DNS api (block) - does not seem to need it.. but I am playing with a beta and this could be a bug :)

    System shutdown (block) - the browser is not the start menu :)

    Restart if terminated (not selected) - would be annoying

    Protect from termination (not selected) - sometimes browsers must die

    Protect from suspend (not selected) - I'm not concerned about this

    Protect from remote code (ACTIVE) - Don't mess with my browser!

    Protect from remote data modification (ACTIVE) - Don't mess with my browser!



    Mike
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Some of the settings may be site dependent. For example, if you go to the Microsoft gaming site and want to run their test to see if your machine can handle games, you have to permit access to memory or it won't run. Trial and error situation.
     
  22. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    By blocking start applications, won't it also make online scanners and Firefox add-ons unusable?
     
  23. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    I don't think so, no. Addons don't start as a separate process - they should be loaded as part of the browser and executed within the browser's normal process.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses


    Hi Stem/Mike:

    Good, got some action on the learning thread.

    Here is version 2 of my FF settings.

    Couple of questions on protection from termination Mike has not selected because "some browsers must die". What is the rationale for the rationale:D

    On Protect from suspend why are you not concerned? Mike this was yours.

    Another thing, Mike, is sort of a critique of blank boxes as settings; in development work I was always taught that blanks are the worst possible codes. Use N or Y but make it a specific visible entry. Just a suggestion.

    Stem, like you I have FF no script and ref control, IF a user had allowed start applications as in my flawed v1 setup, which would prevail? Anyway of knowing or do we even care?

    I have tested version 2 FF settings and can browse and print from web pages do my email and update all my SW. So far so good.

    Is there a Version 3? If not I will lock this in and move to IE7. That should be more exciting:cool:
     

  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Moving on to IE7 settings here is my tested version.

    Very similar to FF except for this:

    As soon as I select protect from remote data modification the browser will NOT connect to any site. This is not the case with FF.

    Why is this? Is it an OA bug or an IE7 "need"?

    This one is over my pay grade ( again)
     

    Last edited: Dec 28, 2007