How to use PC Tools FW + version 5.0.0.38 LT # 5

Discussion in 'other firewalls' started by Escalader, Feb 22, 2009.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    I will install this new build later.

    With NOD, which version are you using? There could be some conflicts but would need to check.

    I think PC Tools firewall is basically still in beta, so we will have some issues as we work through (that's if you don't tear your hair out first).


    - Steve
     
  2. Makav3l1

    Makav3l1 Registered Member

    Joined:
    Nov 26, 2007
    Posts:
    241
    This fw blue screened twice on me in the first 2-3 minutes after install. I decided it wasn't worth the effort.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What OS? Did you get a crash error message?
    If we can get info together and get this forwarded to vendor, then it may help to resolve the issues.


    - Stem
     
  4. Makav3l1

    Makav3l1 Registered Member

    Joined:
    Nov 26, 2007
    Posts:
    241
    Vista Ultimate 32, I did get a dump from the bluescreen.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Re: How to use PC Tools FW + version 5.0.0.37 LT # 5

    Escalader,

    Just go to applications. Click on one (e.g. Iexplorer), select advanced options and you will see some HIPS features (blocking process modification, setting hooks, only it is named differently like allowed to change the system).

    Enhanced Security Verification of drivers intercepted by PCTFW+

    Even on the previous version (V5.0.36), you have to allow P2P programs access yourself, otherwise I will get a bluescreen. I was the only one having this problem on the PC forum.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Well I've stopped all the extra connect attempts by nod32/? by blocking every single rule on Nod32 application that isn't going to my preferred ip.
    That to me is like killing a fly with a steamroller!:cool:

    Yes, the life of beta testing, I'm not inexperienced with that role! Sounds like a movie with no Oscar! I'm unconcerned with hair loss since the Learning Thread is everything.:D With my image backups I can recover from anything except a direct lightning hit.

    On Nod32 here is the clipboard paste of my version 2.7. I never bit on the V3 after reading all the posts here and elsewhere on V3. There is other data on my exact hardware set up as well.

    NOD32 antivirus system information
    Virus signature database version: 3885 (20090224)
    Dated: February 24, 2009
    Virus signature database build: 15185

    Information on other scanner support parts
    Advanced heuristics module version: 1089 (20090219)
    Advanced heuristics module build: 1198
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1082 (20090213)
    Archive support module build version: 1224

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
    Version: 2.70.32
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
    Version: 2.70.32
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
    Version: 2.70.32

    Operating system information
    Platform: Microsoft Windows XP
    Version: 5.1.2600 Service Pack 3
    Version of common control components: 5.82.2900
    RAM: 1527 MB
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz (2992 MHz)
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: How to use PC Tools FW + version 5.0.0.37 LT # 5


    Yes thanks, more learning for us in this thread. This is the reason these threads exist and the only reason I work on them!

    This FW has a number of settings tables to be tested/explored:

    General:

    "Automatically allow known applications": what does it mean? Does it imply a PC Tools white list or a "white list rule set"? There are some applications I may not want to grant www access to, for example MS Media Player.

    As well, they have "automatically allow applications with a valid digital signature"; again, this is not sufficient in and of itself. IMHO

    Down in Filtering they have the FW options: application filtering, stealth, stateful etc. I suspect Stem is looking at those so I'll wait.

    But your point on HIPS like features is good they seem present. How do I change them? Are they strong enough to rely on? I just don't know enough yet.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    You can put the steamroller away.

    We do still need to go through the basics and I will put a post together for this, which will cover setting specific rules and only allowing applications access to specific sites/remote ports. I will do that in a couple of hours when I have more time.

    With NOD2.7, yes, there could be a possible problem as that version added to the winsock by default installation (if I remember correctly) and has caused some problems with some firewalls (an old combination that would not sit correct on my system was Jetico V1 + PG + NOD2.7; I changed the installation of NOD2.7 to resolve the issue). I will check to see if I still have NOD2.7 to check on this possible problem with PC tools firewall.


    - Stem
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Stem:

    Well I've parked the steam roller, but my blocks are still in place ( for now) I kind of like the roller, it sure shut Nod32 up!

    I think I know exactly how to change Nod32 application advanced rules in PC_FW to point to the right ip so let me try to do that and I'll post the jpg of the rule.

    But even if it doesn't fix the multiple www seeks issue you can use that jpg to check if I'm doing it right. The same approach would work for all updaters that we want to rifle shoot to a specific site.

    While you work I will work that rule thing.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Stem et al:

    Well I already had the specific ip in place! I keep having to remember that this FW in advanced mode automatically creates these rules for me! Good!
    IMHO all FW should offer this type of function. Advanced and then as PC Tools calls them normal people ( how did they find out I'm not? :eek:)

    Anyway, I have attached 2 jpg's to critique for my Nod32 rules. In the one you can see some of the blocks I made as it tried to access a bunch of sites I didn't want/know. ts03.eset.com, .... ts08.eset.com. These site names don't match with the eset update server list I see u39.eset.com is an example I see there!
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    A quick post of those settings.


    First I disable the "auto allow application", I like to know what is making connections and where to (not everyone wants this, so it is an option down to the user). I also disable the "check for update" as I can do that myself.

    2009-02-24_181502.jpg

    As a simple example ruleset, this is basic for FF, to allow it only access to connect out to the internet to remote port 80 (HTTP); all else is blocked.

    The first rule is to allow localhost(or loopback) connections

    01.jpg

    A rule to allow DNS to the gateway/router or DNS servers (I have the windows DNS client disabled on this setup)

    02.jpg

    A rule to allow the remote port 80(HTTP) to any IP

    03.jpg

    I then make 2 rules, one to block all outbound for TCP/UDP

    04.jpg

    Then repeat the above rule, but block the inbound.


    You could look at each applications ruleset similar to how we set up Kerio2, with blocking rules at the end of the ruleset.


    - stem
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Great! I'm on it!

    I'm going to do these FF rules NOW! I did have auto allow off, that's how I caught the Nod32 repeating www access, but had update turned on (not sure it is active yet anyway given this is a "beta").

    I now see more clearly what you are saying here! For each application there is a VISIBLE rule set executed from top to bottom like Kerio! This and a supported product. I had better contain my interest since we haven't any where near finished the thread.

    For example, I'm not sure that the user can recover these application rules with export/import. It doesn't seem to offer that application by application, which is good, but where is it? Needs to be a global save. Last time I lost my settings in a beta I lost my cool! H..l even an unsupported Kerio could do it.

    I will also clone your FF rules for IE 7.
     
    Last edited by a moderator: Feb 24, 2009
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    I removed the quote you had as it removes un-needed repeat of a full post of the post directly above.


    I have just looked at saving rules, but the option in the Advanced rules that has the option to import/export appears to only be for those rules and not for the applications. I did export and then re-imported the rules, but that caused some problems and internet loss (outbound packets were being blocked for no reason). So it is not advisable to use imported rules at the moment (well, certainly not on my setup).

    The application rules appear to be stored in xml files in the main PC tools firewall folder. These may be able to be copied and saved, then re-used on another installation, but I have not checked that yet.

    - Stem
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Okay.

    Got it avoid unneeded repeated quotes and import/export for the moment.
    On the move from version 37 to 38 it failed me, lost connect, so that confirms what you reported:cool:. In the PC Tools forum months ago there was a procedure talked about on these xml files but I don't have a link for that.



     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    On the FF rules, I had added the attached rule for https, otherwise my online banking connect failed. I also added my own DNS IP addy to gain the connects; I also disable the DNS service.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,


    In the main PCT firewall folder there is an xml file:- AppRuleSet.xml which does appear to be the application rules.
    On the next update of the firewall I will see if I can use this current file.

    - Stem
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, there may be other rules that you require, as example some websites do use alternative HTTP such as port 81, but as you now know how the rules work it is a simple matter for you to add what you need.

    - Stem
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Good.

    Do you think it may be possible to save the 38 current version's file then reinstall 38 and import the rules to accelerate the test? Maybe it isn't worth the aggravation yet
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Yes, I may know but I will show what I'm doing rule wise for the thread.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Threaders:

    Here are my minor adjustments to the IE 7 browser rules as set out earlier by Stem:cool:

    One shows the DNS addy I needed as masked off. You need to know your own. Another thought I had was is this where users would put in the alternate source dns services used by some?

    The other rule was just the last one Stem asked us to add to block incoming I used the IE 7 browser as a model for those who use it. These rules strengthen IE's security a good thing in my view.
     
  21. nhamilton

    nhamilton Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    61
    Please note that these files are signed to make sure they have not been modified outside of the application. If you want to reuse the file, make sure you keep the AppRuleSet.xml.sig file as well.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    I did assume it was related, as it updates with the ruleset. Thanks for confirmation.


    - Stem
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It does appear to work without problems.

    After disconnecting from the net:-

    I closed the firewall, then copied 2 files from the PCT firewall directory,
    AppRuleSet.xml
    AppRuleSet.xml.sig


    Then un-installed the firewall,.. rebooted.

    Installed PCT firewall,.. re-booted.

    After startup, I closed PCT firewall and copied back the 2 files, overwriting the new files that were created during the new installation, then re-started PCT firewall, and no problems.


    - Stem
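    The copy steps of the procedure above, as an added example that is not part of the thread or of the PC Tools product: it keeps AppRuleSet.xml and AppRuleSet.xml.sig together (nhamilton's point that the pair is signed), refuses a half pair, and records a SHA-256 manifest so a later restore can tell whether either file changed in the backup folder. Stopping the firewall, uninstalling and rebooting remain manual steps; the vendor's own .sig format is not validated here; the folder names and the xml content in run_demo() are constructed for illustration.

```python
"""Save and restore the PC Tools Firewall Plus application rules as a pair.

Added example, not vendor code: it automates only the copy steps of Stem's
procedure (stopping the firewall, uninstalling and rebooting stay manual).
AppRuleSet.xml must travel with AppRuleSet.xml.sig, so the backup refuses a
half pair, and a SHA-256 manifest lets the restore detect a file that changed
in the backup folder. The vendor's own .sig format is not validated here.
Directory paths are assumptions; run_demo() uses a throw-away folder.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

RULE_FILES = ("AppRuleSet.xml", "AppRuleSet.xml.sig")
MANIFEST = "rules-backup.json"


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_rules(fw_dir, backup_dir) -> dict:
    """Copy the xml/sig pair and write a manifest of their hashes."""
    fw_dir, backup_dir = Path(fw_dir), Path(backup_dir)
    missing = [n for n in RULE_FILES if not (fw_dir / n).is_file()]
    if missing:
        raise FileNotFoundError(f"ruleset pair incomplete in {fw_dir}: {missing}")
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in RULE_FILES:
        shutil.copy2(fw_dir / name, backup_dir / name)
        manifest[name] = sha256_of(backup_dir / name)
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir) -> bool:
    """True only if both files exist and still match the manifest."""
    backup_dir = Path(backup_dir)
    try:
        manifest = json.loads((backup_dir / MANIFEST).read_text())
    except (OSError, ValueError):
        return False
    return all((backup_dir / n).is_file() and sha256_of(backup_dir / n) == manifest.get(n)
               for n in RULE_FILES)


def restore_rules(backup_dir, fw_dir) -> list:
    """Overwrite the firewall's pair with the backed-up pair; refuse a bad backup."""
    if not verify_backup(backup_dir):
        raise ValueError(f"backup in {backup_dir} is incomplete or modified")
    fw_dir = Path(fw_dir)
    for name in RULE_FILES:
        shutil.copy2(Path(backup_dir) / name, fw_dir / name)
    return list(RULE_FILES)


def run_demo() -> dict:
    """Exercise the round trip on constructed files in a temporary folder."""
    with tempfile.TemporaryDirectory() as root:
        fw = Path(root) / "PC Tools Firewall Plus"          # stand-in for the install folder
        fw.mkdir()
        (fw / "AppRuleSet.xml").write_text("<rules><app name='firefox.exe'/></rules>")  # constructed
        (fw / "AppRuleSet.xml.sig").write_bytes(b"\x00" * 16)                          # constructed
        good = Path(root) / "backup-good"
        manifest = backup_rules(fw, good)

        # A fresh install wrote its own (different) pair; restoring puts ours back.
        (fw / "AppRuleSet.xml").write_text("<rules/>")
        restored = restore_rules(good, fw)
        round_trip_ok = sha256_of(fw / "AppRuleSet.xml") == manifest["AppRuleSet.xml"]

        # Editing the xml in the backup folder (outside the firewall) is detected.
        (good / "AppRuleSet.xml").write_text("<rules><app name='evil.exe'/></rules>")
        tampered_detected = not verify_backup(good)

        # A backup attempt without the .sig is refused up front.
        (fw / "AppRuleSet.xml.sig").unlink()
        try:
            backup_rules(fw, Path(root) / "backup-half")
            half_pair_rejected = False
        except FileNotFoundError:
            half_pair_rejected = True

    return {"restored": restored, "round_trip_ok": round_trip_ok,
            "tampered_detected": tampered_detected, "half_pair_rejected": half_pair_rejected}


if __name__ == "__main__":
    print(run_demo())
```

    On a real machine you would call backup_rules() with the firewall's install folder (with the firewall closed, as Stem did) and restore_rules() after the reinstall; the manifest only protects your own copy, it says nothing about whether the firewall will accept the pair, which is still decided by the vendor's .sig check.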
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Stem I'm amazed that it worked. (well not really)

    I'll save your procedure and see if I can do it later on in the thread.

    I hope PC Tools produces an "easier" way so the masses can do it with 1 or 2 clicks. But now I can feel better about investing effort in doing my rules knowing I can get them back!
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay I'm going to donate my email client rules to the thread. I don't want other applications trying to send email using it!

    Email client example: MS Outlook handler, rules.

    The 1st rule is for DNS outbound connect to port 53
    The 2nd and 3rd rules allow outbound TCP connections to one specific IP address using port 110, and to another IP addy for your SMTP port only.

    It's followed by 2 TCP/UDP blocking rules for all addresses and ports, 1 for outbound 1 for incoming. This way, users won't be prompted for
    unwanted connection attempts to the mail handler. For I must avoid the dreaded pop up problem. It might wake me up:D
     
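    The two rulesets in this thread, Stem's Firefox rules (loopback, DNS to the router, remote port 80, then block outbound and block inbound) and the mail-client rules in this post, worked through as an added example that is not part of the original thread or of the PC Tools product. It models a per-application rule list evaluated top to bottom, first match wins, with unmatched traffic prompting the user; that evaluation order is my assumption of how PC Tools Firewall Plus treats the list, not vendor code. The router, mail-server and web-server addresses and the SMTP port are constructed placeholders. It also shows why the HTTPS rule Escalader had to add must go above the block rules, and why the trailing block rules stop the pop-ups.

```python
"""First-match, top-to-bottom evaluation of per-application firewall rules.

Added example modelling the Firefox ruleset Stem posted and the mail-client
ruleset Escalader posted. The evaluation semantics (first matching rule wins,
traffic that matches nothing prompts the user) are my assumption of how
PC Tools Firewall Plus treats an application's rule list, not vendor code.
All IP addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "block"
    direction: str                           # "out", "in" or ANY
    protocol: str                            # "tcp", "udp" or ANY (both)
    remote: str = ANY                        # CIDR such as "192.168.1.1/32", or ANY
    ports: Optional[FrozenSet[int]] = None   # remote ports; None means any port

    def matches(self, direction: str, protocol: str, remote_ip: str, remote_port: int) -> bool:
        if self.direction != ANY and self.direction != direction:
            return False
        if self.protocol != ANY and self.protocol != protocol:
            return False
        if self.remote != ANY and ip_address(remote_ip) not in ip_network(self.remote):
            return False
        if self.ports is not None and remote_port not in self.ports:
            return False
        return True


def evaluate(rules: List[Rule], direction: str, protocol: str,
             remote_ip: str, remote_port: int) -> Tuple[str, Optional[str]]:
    """Walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(direction, protocol, remote_ip, remote_port):
            return rule.action, rule.name
    return "prompt", None   # nothing matched: the firewall would ask the user


def with_rule_before_blocks(rules: List[Rule], new_rule: Rule) -> List[Rule]:
    """Insert an extra allow rule ahead of the trailing block rules.

    Appended after the blocks it would never be reached, so order matters."""
    first_block = next(i for i, r in enumerate(rules) if r.action == "block")
    return rules[:first_block] + [new_rule] + rules[first_block:]


ROUTER_DNS = "192.168.1.1/32"        # assumed gateway/DNS address; use your own

# Stem's Firefox ruleset: loopback, DNS to the router, HTTP out, then block the rest.
FIREFOX_RULES = [
    Rule("loopback", "allow", ANY, ANY, "127.0.0.0/8"),
    Rule("dns to router", "allow", "out", "udp", ROUTER_DNS, frozenset({53})),
    Rule("http out", "allow", "out", "tcp", ANY, frozenset({80})),
    Rule("block all out", "block", "out", ANY),
    Rule("block all in", "block", "in", ANY),
]

# The rule Escalader had to add for online banking (HTTPS on remote port 443).
HTTPS_RULE = Rule("https out", "allow", "out", "tcp", ANY, frozenset({443}))

# Escalader's mail-client ruleset; server addresses and the SMTP port are placeholders.
MAIL_RULES = [
    Rule("dns out", "allow", "out", "udp", ROUTER_DNS, frozenset({53})),
    Rule("pop3 to mail server", "allow", "out", "tcp", "203.0.113.10/32", frozenset({110})),
    Rule("smtp to mail server", "allow", "out", "tcp", "203.0.113.20/32", frozenset({25})),
    Rule("block all out", "block", "out", ANY),
    Rule("block all in", "block", "in", ANY),
]


if __name__ == "__main__":
    print(evaluate(FIREFOX_RULES, "out", "tcp", "93.184.216.34", 443))       # ('block', 'block all out')
    print(evaluate(with_rule_before_blocks(FIREFOX_RULES, HTTPS_RULE),
                   "out", "tcp", "93.184.216.34", 443))                      # ('allow', 'https out')
    print(evaluate(FIREFOX_RULES[:3], "out", "tcp", "93.184.216.34", 443))   # ('prompt', None)
```

    The third print is the ruleset without its two block rules: the same HTTPS attempt then matches nothing and becomes a prompt, which is exactly the pop-up the trailing block rules are there to suppress. Port 81 and any other alternative HTTP port Stem mentions would need their own allow rule placed the same way, above the blocks.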