open process control

Discussion in 'other firewalls' started by INTOXSICKATED, Mar 29, 2005.

Thread Status:
Not open for further replies.
  1. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    not sure if i should post this in the processguard forum or this one, but anyways:

    i have been reading about some of the features in outpost pro 2.5 that i didn't pay much attention to in my initial set-up. i have been trying to figure out this "open process control feature". is it safe to say that if i use processguard, i can leave the 'Block network access if application memory was modified by another process' box unchecked?

    thnx in advance.
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi INTOXSICKATED,

    I have used OP's Open Process Control feature along with PG for a long time without any conflicts. A while ago I ran most of the available firewall leaktests (including Atelier Web Firewall Tester 3.1) against the combination without any leaks. I would have to retest to confirm and give you detailed results. Remember that for a process to modify another process, it has to execute in the first place. PG takes care of that.

    Nick
     
  3. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Intox . How are you my friend ?

    It is fairly safe to run Outpost without it checked if you are using PG . I use both . On occasion , you will run into a problem . Only problems I have ever had were with Spy Sweeper . And that program has a bug anyway and I will not touch it . So , I am unsure if it is COMPLETE overlap but , there is at least , some , overlap . Hope that helps .
    Now I will click off my switch
     
  4. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    did u run any tests with just pg and open process control turned off? just curious.

    i knew i would hear from you on this hollywood! ;) maybe i will try running it with open process control enabled for a while and disabled for a while, and see what happens. does it use more memory to keep it enabled?

    thank you both for the replies. i have another question to ask also about outpost when i get home!
     
  5. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    As for memory use , try it and see . It will probably reduce it . I have kept Outpost as my # 1 firewall for over a year now and , the only problem I had was with Spy Sweeper . And I run a lot of different programs at different times . You can turn off the logging option in Outpost and DAMN , resource use goes from 21megs down to 2 and a half on my machine . WOW . Hope that helped .
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Hollywoodpc-

    I believe you, but it does seem odd that logging makes such a difference. Is there some middle ground with logging restricted to "exceptions" that produces a reasonable (less than 10mb) memory footprint with access to critical log information?
     
  7. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hollywoodpc should know the intricacies of OPFW as he is using it and he is knowledgeable with its operation.
    With that said, here are a few discussions which may add some additional information here and here and here
    Cheers :)
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Just tested it again with PG enabled (with IE set to Permit Always) and Open Process Control disabled (but with Hidden Process Control enabled). PG blocked tests #2-#6. OP blocks test #1 only if you have HPC enabled.

    Test #1 (allowed by PG but blocked by OP's Hidden Process Control)

    Tue 29 - 14:50:56 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
    [EXECUTION] Started by "c:\program files\atelier web\awft\awft.exe" [312]
    [EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" ]

    Test #2

    Tue 29 - 14:51:11 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\program files\internet explorer\iexplore.exe [1052]

    Test #3

    Tue 29 - 14:51:18 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\windows\explorer.exe [516]

    Test #4

    Tue 29 - 14:51:24 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\windows\explorer.exe [516]

    Test #5

    Tue 29 - 14:51:36 [PHYSICAL MEMORY] c:\program files\atelier web\awft\awft.exe was blocked from accessing physical memory

    Test #6

    Tue 29 - 14:51:42 [PHYSICAL MEMORY] c:\program files\atelier web\awft\awft.exe was blocked from accessing physical memory


    Nick
     
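The ProcessGuard log excerpt above is the kind of thing a defender ends up reading by hand after a leaktest run. The following is an added example, not code from this thread or from ProcessGuard or Outpost: a small parser for the three event shapes nick s posted ([EXECUTION] with its "Started by" continuation line, [MODIFY], and [PHYSICAL MEMORY]), followed by two summary views that make the point of the thread visible in data: which process was blocked from touching other processes, and which launcher was allowed to start the browser. The sample input is the log text from the post; the regular expressions are assumptions inferred from those six lines (in particular the wording ProcessGuard uses for an *allowed* modify or memory-access event is a guess), so adjust them before pointing this at real logs.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the ProcessGuard log lines quoted in the post above (awft.exe
# is Atelier Web Firewall Tester driving the six techniques).
SAMPLE_LOG = r"""
Tue 29 - 14:50:56 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\program files\atelier web\awft\awft.exe" [312]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" ]
Tue 29 - 14:51:11 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\program files\internet explorer\iexplore.exe [1052]
Tue 29 - 14:51:18 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\windows\explorer.exe [516]
Tue 29 - 14:51:24 [MODIFY] c:\program files\atelier web\awft\awft.exe [312] was blocked from modifying c:\windows\explorer.exe [516]
Tue 29 - 14:51:36 [PHYSICAL MEMORY] c:\program files\atelier web\awft\awft.exe was blocked from accessing physical memory
Tue 29 - 14:51:42 [PHYSICAL MEMORY] c:\program files\atelier web\awft\awft.exe was blocked from accessing physical memory
"""

# Assumed log grammar, inferred from the lines above (not PG documentation).
TS = r"(?P<ts>\w{3} \d{1,2} - \d{2}:\d{2}:\d{2})"
EXEC_RE = re.compile(
    TS + r' \[EXECUTION\] "(?P<target>[^"]+)" was (?P<verdict>allowed|blocked)\b')
STARTED_RE = re.compile(
    r'^\[EXECUTION\] Started by "(?P<source>[^"]+)" \[(?P<spid>\d+)\]')
MODIFY_RE = re.compile(
    TS + r' \[MODIFY\] (?P<source>.+?) \[(?P<spid>\d+)\] was (?P<verdict>allowed|blocked) '
    r'(?:from|to) modif\w+ (?P<target>.+?) \[(?P<tpid>\d+)\]')
PHYSMEM_RE = re.compile(
    TS + r' \[PHYSICAL MEMORY\] (?P<source>.+?) was (?P<verdict>allowed|blocked) '
    r'(?:from|to) access\w* physical memory')


@dataclass
class Event:
    kind: str                       # EXECUTION, MODIFY or PHYSICAL MEMORY
    ts: str
    verdict: str                    # allowed or blocked
    target: Optional[str] = None    # process being started or modified
    target_pid: Optional[int] = None
    source: Optional[str] = None    # process doing the starting/modifying
    source_pid: Optional[int] = None


def parse_log(text: str) -> List[Event]:
    """Turn raw log text into Event records. The 'Started by' line carries no
    timestamp and belongs to the EXECUTION event just before it, so it is
    folded into that record instead of producing its own."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXEC_RE.match(line)
        if m:
            events.append(Event("EXECUTION", m["ts"], m["verdict"], target=m["target"]))
            continue
        m = STARTED_RE.match(line)
        if m and events and events[-1].kind == "EXECUTION":
            events[-1].source = m["source"]
            events[-1].source_pid = int(m["spid"])
            continue
        m = MODIFY_RE.match(line)
        if m:
            events.append(Event("MODIFY", m["ts"], m["verdict"], target=m["target"],
                                target_pid=int(m["tpid"]), source=m["source"],
                                source_pid=int(m["spid"])))
            continue
        m = PHYSMEM_RE.match(line)
        if m:
            events.append(Event("PHYSICAL MEMORY", m["ts"], m["verdict"], source=m["source"]))
            continue
        # "Commandline - [...]" continuations and unknown lines are skipped.
    return events


def blocked_counts(events: List[Event]) -> Counter:
    """How many events of each kind were blocked (the leaktest scorecard)."""
    return Counter(e.kind for e in events if e.verdict == "blocked")


def cross_process_sources(events: List[Event]) -> Counter:
    """Processes that tried to modify another process or read physical memory,
    with the number of attempts. This is the triage view: the thread's point
    is that the process doing the patching is what has to be controlled."""
    return Counter(e.source for e in events
                   if e.kind in ("MODIFY", "PHYSICAL MEMORY") and e.source)


def allowed_launches(events: List[Event]) -> List[Tuple[Optional[str], Optional[str]]]:
    """(launcher, launched) pairs for executions that were allowed, so an
    unexpected parent of a trusted network-facing application stands out."""
    return [(e.source, e.target) for e in events
            if e.kind == "EXECUTION" and e.verdict == "allowed"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blocked per kind:", dict(blocked_counts(evs)))
    print("cross-process sources:", dict(cross_process_sources(evs)))
    print("allowed launches:", allowed_launches(evs))
```

Run on the sample, the scorecard shows three blocked MODIFY and two blocked PHYSICAL MEMORY events, all attributed to awft.exe, and exactly one allowed launch: awft.exe starting iexplore.exe, which is the technique #1 event that PG let through and Outpost's Hidden Process Control caught.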
  9. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    interesting. good to know. thnx nick.

    hollywood: i for the first time disabled logging last night. it does make a huge difference. i still need to read up on what else can be done to logging without totally disabling it. for now, i just might leave it disabled. my logs are very boring and uneventful anyways. haven't seen anything out of the ordinary in a few months. i also need to experiment with the plug-ins a little more. right now i'm just using one of them.
     
  10. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    I agree Diver .
    It should not make that much difference . Sadly , there is not a way to partially turn off logging as far as I am aware . One of the downfalls too , is that Open Process Control can only be turned on or off . No way to include or exclude certain programs . I THINK they are currently looking into this . As for the tests that Nick did . Not sure exactly what was done but , with PG off , NORMALLY Outpost will catch things trying to modify . That is with Open Process Control enabled . Hope that helps .
     
  11. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    I used to watch my logs and felt I needed them . Since disabling , I find I do not miss them . And YEP . Amazing the difference with logging turned off . Almost like the whole firewall is nothing more than a big log . lol .
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    OP does block all tests with PG disabled. That is with Open Process Control and Hidden Process Control enabled. Here's a description of the tests from the AWFT help file:

    Technique 1: Attempts to load a copy of the default browser and patch it in memory before it executes.

    Technique 2: Creates a thread on a loaded copy of the default browser.

    Technique 3: Creates a thread on Windows Explorer.

    Technique 4: Attempts to load a copy of the default browser from within Windows Explorer and patch it in memory before execution. Defeats PFs which require authorization for an application to load another one (succeeding on Technique 1) - Windows Explorer is normally authorized. This test usually succeeds, unless the default browser is blocked from accessing the Internet.

    Technique 5: Performs an heuristic search for proxies and other software authorized to access the Internet on port 80, loads a copy and patches it in memory before execution from within a thread on Windows Explorer.

    Technique 6: Performs an heuristic search for proxies and other software authorized to access the Internet on port 80, requests the user to select one of them, then creates a thread on the select process.


    I disabled logging last year and only use the Attack Detection plug-in...running under 3MB here as well.

    Nick
     
  13. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    sry, but i'm finally at home. what do you mean by having hidden process control set to enable? you have it set to 'allow access' or 'block access'? you would think that with pg running, we would be able to set hidden process control to 'allow access' and keep open process control 'unchecked'. but since there doesn't seem to be any conflicts between pg, open process control, and hidden process control running all the time (at least on my computer), i'm assuming that i have kind of a layered protection going on and am probably more secure. o_O

    by the way, i only use the attack detection plug-in as well. the others didn't seem like anything i needed.
     
  14. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I set HPC to prompt for the tests. Normally I have it set to Allow and I leave Open Process Control checked (only as an additional layer of protection in case I screw up and let something slip by PG).

    Nick

    Edit: the only reason I don't block with HPC is that I run Proxo as a service (running hidden) and have not figured out how to exclude it from being blocked.
     

    Last edited: Mar 29, 2005
  15. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    i've gone back to the outpost forums and help files to mess around with some of the features in outpost i didn't pay much attention to in the beginning. thnx for the responses guys, it really helps.
     
  16. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Good luck Intox and thank you Nick !
     
  17. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    oops! i forgot something. is it ok to just leave the firewall policy set in the 'rules wizard' mode?
     
  18. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Sure . Most will tell you to put it in Block most mode after you run it a day or two in rules mode . Mostly , I keep it in rules mode . But , block may prove to be better . Just be sure to run it a few days so it knows the programs you want to allow . Then , set it to block . You probably know this but , just in case Intox , you can always add a program you trust to the trusted app area . Do not forget to right click on Active Content and click properties . There is where you can block referrers , cookies , active x , popups , applets , etc ..... so go nuts ! And have a drink ON ME
    Good luck my friend
     