Hints on using Online Armor FW-a Learning Thread 4

Discussion in 'other firewalls' started by Escalader, Oct 26, 2007.

Thread Status:
Not open for further replies.
  1. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    I think that Flashgot loads as a separate process. At least that's what my behavior blocker tells me. But of course, disabling it will keep you from downloading unwanted programs and media ;)
     
  2. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Uhm.. if I am not mistaken, about half of these options are only available in the version of OA to come, which is currently in beta.. the advanced options in the present stable versions are fewer and easier to understand (personally I can't wait for the beta to go public as stable :) it's awesome). Mike, any info on when that's gonna happen? :) I heard it's gonna be pretty soon.
     
  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Chris,

    It will be in January due to leave taken by team members over the Christmas & New year break.


    Cheers

    Mike
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well, we are now looking at IE. You will see many posts on various forums stating not to use this browser; this is not based on how it looks etc., but based on the way it is integrated within the OS, such as IE having a lot of interaction with the OS/svchost. I personally stay away from IE, so cannot really comment more (well, I could, but would probably get sued by Microsoft).
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I did post to your forum my concern on this. I normally do not use the DNS client service, but enabled it for checking; no interception was made (my post was probably lost in the thread).

    info:
    An interception of the DNS API; this is (possibly) needed if the DNS client service is enabled. It is to intercept applications making DNS lookups without the user's knowledge.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    That's okay Stem. I only use IE when forced to about 1% of the time. Usually to go to a M$ site. On the remaining 99% I use FF.

    However, that said, I did the settings for IE 7 since other users do use IE in spite of the hazards. So for them, I wanted to post the best possible security settings.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Why are you forced to use IE?

    I can understand that, I know there are users who do actually prefer IE.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Happy New Year Stem and all thread posters and readers! Onward and upward!

    Forced was the wrong word. I thought for a minute it was updates to XP SP2, but doing that via Help and Support Centre I get the usual flak!

    "The site cannot continue because one or more of these Windows services is not running:

    Automatic Updates (allows the site to find, download and install high-priority updates for your computer)
    Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted)
    Event Log (keeps a record of updating activities to help with troubleshooting, if needed) "

    Yes, you are right again, I'm never forced to use IE 7. I stand corrected!:thumb: :oops:

    So I'm doing an experiment: I have blocked IE7 to see what, if any, trouble I get into. Tried an update to CCleaner (there isn't one); it normally uses IE 7, and guess what, the PC just used FF instead! This is good.

    On another OA matter,

    While here, I find that now, with my DNS Client service disabled, OA creates a DNS/53 rule for every updater I run: one for OA itself, NOD32, PG2, etc. etc.

    So my simple question is: why is this better/safer/more efficient than just allowing the DNS service to run and popping in the DNS server addy and country once? Probably another of my memory lapses or dumb questions, but then again that's my role here:D
     
    Last edited: Jan 1, 2008
  9. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Hi Escalader,

    This is what I have been looking forward to since you started this thread - blocking of Windows components.

    Blocking IE is the single most important security measure one can take. Did you block it from running or only from access to the net? I used to disable all security rights for iexplore.exe, including read access, but I got tired of the virus scan error messages, so now it is only blocked in my behavior blocker.

    I also recommend blocking Windows Explorer from the net.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Depending on what you are running, blocking IE may or may not be a good idea. I use several programs, one is Quickbooks, a well known accounting package, and all their windows use IE to make them. They don't need internet access, but IE does need to be able to run.

    It's a solution that every user needs to test. There are other ways to tame IE.

    Pete
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Lundholm et al!

    So far my experimental method is as follows:

    1) I used Program Guard to prevent iexplore from running, so the OA HIPS is used for blocking.

    2) In the FW advanced rules I set the IE7 options as shown in post 200 and commented by Stem in post 201 etc

    Results/Observations:

    So far only 2 programs complained: CCleaner then reverted to FF, and another program I have for genealogy research I had to change its settings to FF as the preferred browser.


    New observation: on attempting to update SpywareBlaster, it couldn't get a connection, so I assumed it needed IE 7. I temporarily disabled OA Program Guard, the update attempt worked then, then I re-enabled OA Program Guard.

    Newer observation: today SpywareBlaster can connect and does its update attempt without complaining IE is blocked; yes, I checked it is still blocked. I think the port 53 address update made the difference, since if it goes via FF it is invisible on the GUI. Checking out the OA log below, I noticed that explorer.exe is listed in the "passed by rule" UDP line, and I have that rule deny to port 80 outbound. So it looks as if OA is allowing 53 via that rule. My understanding was that OA would disallow any connect not specifically allowed. Mike/Stem: help me out here, I'm now in a logical black hole. This update should have failed if the rules held?

    [TDI] UDP, Connect, 0.0.0.0:1623, "dns-server address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/564)
    [TDI] Passed by rule: UDP, --> spywareblaster.exe, [53], +("dns-server address";), +(Canada;); explorer.exe(1)
    UDP -> 192.xxx.y.zzz:port, "dns-server address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (0/1)
    UDP <- 192.xxx.y.zzz:port, "dns-server address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (0/1)
    [TDI] TCP, Connect, 0.0.0.0:1624, "my isp address":80, C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/564)
    [TDI] Passed by rule: TCP, --> spywareblaster.exe, [80], +(*), +(Australia;Austria;Canada;Finland;France;Germany;Intranet;Italy;Localhost;Luxembourg;Netherlands;New Zealand;Norway;Sweden;United Kingdom;United States;); explorer.exe(1)
    TCP -> 192.xxx.y.zzz:port, "my isp address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (1/2)
    TCP <- 192.xxx.y.zzz:port, "my isp address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (1/2)
    TCP -> 192.xxx.y.zzz:port, "my isp address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (1/2)
    TCP -> 192.xxx.y.zzz:port, "my isp address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (1/2)
    TCP <- 192.xxx.y.zzz:port, "my isp address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (1/2)
    TCP <-192.xxx.y.zzz:port, "my isp address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (1/2)
    TCP -> 192.xxx.y.zzz:port, "my isp address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (1/2)
    TCP -> 192.xxx.y.zzz:port, "my isp address", C:\Program Files\SpywareBlaster\spywareblaster.exe(3828/0)
    Passed by access list (1/2)


    Pete, you mentioned Quickbooks. I use Quicken from the same company and it works fine with FF. If you are interested, you could check the settings in Quickbooks to see if the user can choose the browser; thus you could possibly block IE as well.

    On blocking DNS client services, I have a post waiting for Stem to comment.

    What is happening is as I currently have DNS services disabled and all programs that need 53 are creating rules to allow them to access my ISP DNS server by specific addy. Before, I had one DNS rule only for the service with the specific addy in that rule and only my home country for endpoint control.

    Left to my own devices I would revert to allowing DNS service and restrict the rule as above. Then all the "extra" dns rules for updaters would either disappear or I would simply delete them. But before doing that I hope Stem can tell this thread which is the better route FW wise!:doubt:

    Happy new year again to you all!
     
    Last edited: Jan 3, 2008
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Interesting, but I don't really have any issues with IE. I use it when I want or need it. Since I run all my browsers sandboxed, and they can't get to data, I don't worry about it too much.
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Ok Pete:

    Have not gone into sandboxes yet, maybe a new thread sometime in 2008!
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hello:

    When talking of windows components I like to be specific. To help with that in the context of using OA in this thread, I have attached my own list of Windows Services that are started. All the rest are either disabled or set to manual. If you meant something else re windows xp sp2 components please be specific.

    What exactly are your questions? Advice? Whatever? I have IE 7 and Explorer blocked. I also restrict windows media players.

    When you say virus scanners gave an "IE blocked" message, I must confess I don't follow that. What was the scanner SW? What was the message you got?

    Anyone should feel free to comment.
     

  15. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Hi Escalader,

    What is interesting here is OA's ability to block "trusted" Windows processes, which seems to be no problem. I was worried about the whitelist.

    Blocking IE and Explorer is quite interesting, and blocking svchost is even more interesting. I have stripped down my system, so that svchost only needs DHCP access and maybe DNS, I'm not so sure about that when DNS client/cache is disabled.

    I have disabled more services than you have, but I'll not make any recommendations. I'm no Windows expert, and disabling services is a little bit risky.

    The scanner remark was a bit OT. When you disable read access to a file, virus scanners like Antivir will report that the file cannot be read.

    Keep up the good work! :)
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:

    Just so all readers are clear, my jpg image shows started Windows services and was done completely independently of OA. My list, which you all can see, is NOT my recommendation on services. It is just a snapshot of what I've got at the moment in the middle of an OA learning thread.

    To produce this set of services I used a blend of 2 sources, Black Viper's list of Windows services recommendations and Stem's list done a fair while back (sorry, at this point I don't have the links). I ended up with a hybrid list that works for me.

    I have edited a few of these updater rules that, with the DNS service disabled, get created by OA one by one. They are not restricted as to IP address as in the DNS service approach, so in that sense they seem more "open" to me.

    So what now I'm asking, do I insert the dns server addy into 12 or so rules or revert to one DNS services rule with the 1 specific address inserted?

    Well, I have for now restricted every port 53 rule to my DNS server address only and to my home country, Canada, and left the DNS service disabled.

    My goal is block by default allow by exception.

    Work continues.
     
    Last edited: Jan 3, 2008
  17. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Personally, I would disable the DNS client in any event. Isn't it possible to define a global DNS rule?

    You must have a secondary DNS server too?
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    At the moment, the DNS client is disabled. Yes, the "global" rule is what you get as a "service program" when the DNS client is enabled.

    Not with my ISP. Secondaries are not used as much on this side of the pond.
     
  19. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Not very advanced for an advanced firewall, is it?

    If you set your DNS server IP manually, you can set both primary and secondary IP. Your ISP probably hasn't got the world's best DNS server. ;) I use OpenDNS as secondary server.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    When the user goes to the rules in OA's advanced mode, they can set as many conditions as with any other FW exe: protocol, deny/accept, in/out, IP address, ports allowed, endpoint restrictions, and a global blacklist.

    So what's missing?

    What are the advanced rules you suggest for DNS services?
     
  21. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Your original problem was the choice between making 12 DNS rules or more and living with the DNS client. :)

    Don't look for advanced rules, look for advanced solutions. You paid for it, I believe.

    If you want advanced rules, maybe Kerio 2 is the solution. You already know that. :D
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I believe Escalader was looking for advice, and only asked you a question. Please do look at this thread for what it is, a learning thread.
    TIA


    @Escalader
    I personally do prefer to force all applications to make their own DNS lookups; placing endpoint restrictions within the DNS rules (IMHO) is not really needed, as you have allowed the application to make these lookups (so you know and (possibly) trust these?).
    Placing a global rule will allow any application to perform DNS, and as it is possible for such as malware to (possibly) bypass an endpoint restriction within such a rule (recursion), I do not advise having such an open rule.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Stem:

    The point I was trying to make you have made much clearer.

    I did the "experiment" to show the thread that users could place server address limits on DNS services, I did that. For the learning thread I was asking the question about which technique was better. I have NOT used DNS "global" for some time now and have disabled that service exe.

    For each of my applications that need to look up addresses, I prefer (just my personal policy) to force a specific address and endpoint since "trust" for me anyway is not granted just on a need to exe the program.

    I have 23 applications "needing" port 53 UDP outbound.

    Example, I want to update and use the genealogy application's exe. But "trust it" well no not ever 100%. Humans program these applications and even if they are "honest" mistakes are made and will always be made.

    My apologies for lapsing into my own philosophy for a moment:D
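    Added example (not Online Armor's code, and not from any poster) modelling the choice discussed in posts 22 and 23: a block-by-default rule engine with one global DNS rule for the service process versus one rule per application. The rule engine, the process names and the ISP_DNS / OTHER_DNS addresses are constructed for illustration.

```python
"""Block-by-default DNS rules: one global service rule vs. one rule per app.
Added illustration for posts 22 and 23, not Online Armor code; the engine,
process names and the ISP_DNS / OTHER_DNS addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional

ISP_DNS = "203.0.113.53"    # constructed placeholder for the ISP's DNS server
OTHER_DNS = "198.51.100.1"  # constructed placeholder for some other resolver


@dataclass(frozen=True)
class Rule:
    process: str            # image name the firewall attributes the packet to
    port: int
    remote: Optional[str]   # None = any remote address
    country: Optional[str]  # None = any endpoint country


def decide(rules: List[Rule], process: str, port: int,
           remote: str, country: str) -> bool:
    """Block by default, allow by exception: any matching rule passes."""
    return any(r.process == process and r.port == port
               and r.remote in (None, remote)
               and r.country in (None, country) for r in rules)


def attributed_process(app: str, dns_client_enabled: bool) -> str:
    """With the Windows DNS Client service running, the UDP/53 query is sent
    by svchost.exe on the app's behalf, so that is the process the firewall
    sees; with the service disabled the app sends the query itself."""
    return "svchost.exe" if dns_client_enabled else app


# Strategy A (posts 18/22): DNS Client on, one "global" service rule pinned
# to the ISP's server and the home country.
GLOBAL_RULES = [Rule("svchost.exe", 53, ISP_DNS, "Canada")]

# Strategy B (post 23): DNS Client off, one rule per application that needs
# lookups, each pinned the same way ("nod32updater.exe" is a constructed name).
PER_APP_RULES = [Rule("spywareblaster.exe", 53, ISP_DNS, "Canada"),
                 Rule("nod32updater.exe", 53, ISP_DNS, "Canada")]


def lookup_allowed(rules: List[Rule], app: str, dns_client_enabled: bool,
                   remote: str = ISP_DNS, country: str = "Canada") -> bool:
    """Would a UDP/53 query originating from `app` pass under these rules?"""
    proc = attributed_process(app, dns_client_enabled)
    return decide(rules, proc, 53, remote, country)


if __name__ == "__main__":
    # Global rule: the firewall cannot tell which app asked, so an unlisted
    # program resolves names as freely as a trusted updater.
    print(lookup_allowed(GLOBAL_RULES, "unlisted.exe", True))      # True
    # Per-app rules keep the default deny for anything not listed and still
    # refuse a listed app that turns to a different resolver.
    print(lookup_allowed(PER_APP_RULES, "unlisted.exe", False))    # False
    print(lookup_allowed(PER_APP_RULES, "spywareblaster.exe", False, OTHER_DNS))  # False
```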
     
  24. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Great advice. Can you describe what an advanced solution should look like? I do not mean _names_, I mean _algorithm_.
     
  25. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Hello Alex,

    Do you miss anything in OA? In that case you should post it on the OA forum.

    I don't miss anything.
     