Outpost Firewall 9.3

Discussion in 'other firewalls' started by kronckew, Dec 1, 2015.

  1. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    209
    Location:
    CSA Consulate, Glos., UK
    version 9.3 released today, see announcement HERE

    Outpost Security Suite Pro 9.3.4934.708.2079
    Release date: December 1, 2015

    The following improvements have been made:
    • Digital signatures verification logic is improved
    • Significant optimization of product start process is performed. Product start time is reduced several times over; system responsiveness during boot up and product updates download is improved
    The following issues have been fixed:
    • Issue with network operations driver start during installation on Windows 10 is fixed
    • Issue with descriptor leak during product operation is fixed
    • Issue with installation on systems with CPU lacking SSE2 support is fixed
    • Inability to update version 9.1 with specified configuration password is fixed
    • Issue with database update infinite loop during installation over version 9.1 with import of configuration with specific time for updates check is fixed
    • Setup wizard operation logic on systems with installed ESET Antivirus is improved
    • Issue with display of some processes in File and Registry Monitor on 64-bit platforms is fixed
     
  2. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,124
    Location:
    R.I.P. Roger(roddy32)
    right on and thank you Wayne :)
     
  3. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    18
    Location:
    Wigan
    Thank you Wayne.

    It is my belief that Outpost 9.3 is faster than 9.1. Playback of streaming video on my venerable AMD Athlon XP 3000+ hardware no longer runs hesitantly and the system as a whole feels livelier. I am delighted with it. I also observe that a small drain in processor time which occurred after running Opera 12.17 for a few minutes is no longer an issue. With Outpost 9.1 (32bit), acs.exe would show a continual 2% processor usage. This issue seems not to happen now.

    All in all, it's like having a modest processor upgrade. :)
     
  4. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,124
    Location:
    R.I.P. Roger(roddy32)
    I see a speed improvement also
     
  5. Zev0

    Zev0 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    14
    I have a lifetime license. Currently have 9.2. Why when I hit the update button, it says I'm up to date?
     
  6. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    You probably have to install over it or uninstall and install the new one
     
  7. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,124
    Location:
    R.I.P. Roger(roddy32)
    Zev0, you need to go to the website and download your latest version and
    pound it over the top! internal updater takes a few days to catch up!

    also save/backup your .config file first and let her rip!! this is a great version for the best firewall
    on the market today..tomorrow and yesteryear ;)
     
  8. Zev0

    Zev0 Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    14
    Got it, thank you..
     
  9. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    I've always had a soft spot for Outpost and indeed use the security suite very often, but I must say that it can be an open door to PUPs / malware if you're not very careful with its settings and prompts. Its application ratings popup that is supposed to "guide" the user in rules wizard mode can very often "mislead" the user. I don't know how many times PUPs or pieces of malware that I've intentionally run in rules wizard mode bring up the nice green "application rated as GOOD is requesting outbound connection". I ran the Outbrowse PUP for the heck of it
    https://blog.malwarebytes.org/security-threat/2015/08/outbrowse-and-other-bundlers/
    a known PUP that 99% of antimalware products detect. Run it with OSS in rules wizard mode, and I'm led to believe that everything's ok. This finally results in my browser opening and connecting to countless sites, with Adguard popping up and denying access to half of them as they are known phishing sites, some trying to auto download stuff in the background and not a peep out of OSS. I honestly now believe that Outpost's application ratings are in themselves dangerous, as they can't be relied on, but by their very nature try to reassure the user that they are reliable. :(
     


  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    In most security suites, PUA/PUP detection is part of real-time AV protection. So, the PUA/PUP should have been detected upon first program execution. Does Outpost have a PUA/PUP setting in its real-time protection setting and is it enabled? For many AVs, PUA/PUP detection is not enabled by default. For example, during an installation of Eset, the user is prompted if they want PUA/PUP detection.
     
  11. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Yes it does. It's called "adware and other grey areas", which is ticked. What concerns me is why, in rules wizard mode (auto learn is not enabled), when the PUP is executed, does Outpost show the application as GOOD? It continues to show the application as good, even when at one point it says executable unknown.
    EDIT
    I can see that the original process is classified as GOOD, which has spawned the unknown application. That's my mistake.
     


    Last edited: Dec 3, 2015
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Your first alert was a HIPS alert that the source process was attempting to modify explorer.exe memory. I have to assume that Outpost's reputation scanner deemed the source process known and safe. BTW - most AV reputation scanners do so. Why? Because they don't want to be penalized for a false positive on the AV lab tests. The labs don't consider PUP/PUA as malware.

    However, any knowledgeable user would know that memory modification of explorer.exe by a non-system app is a no-no. Outpost alerted you to suspicious activity by an OK process. I would suspect that if you were running in auto block mode, Outpost would have blocked the app execution i.e. memory modification activity at this point?

    As far as the actual PUP execution alert, again Outpost shows "green" i.e. good because the PUP is not considered actual malware.

    -EDIT- Software that displays malware like behavior is not considered malware unless it does something malicious.
     
    Last edited: Dec 3, 2015
  13. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Yes I think you are right. Agnitum does not detect anything wrong with that file at VirusTotal. Nothing wrong with that in itself, but the resulting green for safe/go pop ups is a recipe for disaster if you were not a knowledgeable user.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    HerdProtect shows a number of AVs that detect beejaicjcd.exe as an app containing a PUA/PUP. I guess a complaint could be made why Outpost's AV scanner did not pick it up immediately upon execution as such rather than wait for the execution of the actual PUP .exe itself.

    Appears its AV can't special case apps containing PUA/PUP from real malware apps? And that is a problem since the average user does not know how to properly respond to a HIPS alert. On the other hand, Outpost is not a product for the average user.
     
  15. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    I don't really have a problem with the AV scanner not picking it up, as they all fail at one time or another. It's the nature of the HIPS alert that's been gnawing at me. One thing is that beejaicjcd.exe is signed, albeit dodgy looking. Maybe that's why the HIPS alert stated it was good. Nevertheless I think I'd prefer a HIPS alert that just gave the information rather than suggesting it's good or bad. Outpost isn't for the average user, but tries to be, and I think that's the problem.
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    I agree that a green "good" rating is misleading. Got tripped on it in the past.

    I don't think it's the AV part that's at issue. Anti-leak might be. Or component watch.
    Outpost has a sandbox which should catch stuff like that, I would think.
    ellison, if you still have the logs from that run, or you're willing to redo the run, take a look at the sandbox logs which are plain text.
    It'll be nearly incomprehensible, but might tell you what it decided and why.
    Files to look at are sandbox.log which is most current, also sandbox.0 and even several .zip files. Just search for those program names and examine the log around them.
    I presume anti-leak just allowed the first application, and didn't mind running the second one.
    I don't have Outpost at the moment, so can't try.

    EDIT: Before you rerun, remove both from the known components list to make sure you're starting fresh as if Outpost has never seen them.
     
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    At which point it's too late :(
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    In this scenario and if the .exe was not a PUP but malware, allowing the process modification to explorer.exe would be it ..............

    Might want to look into if Outpost has settings on how it handles signed non-system processes. Like to trust, or not trust.
     
  19. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    Need to remember that Outpost is primarily a firewall and not an anti-malware. Its malware blocking ability should not be a reflection of the firewall product as a whole.
     
  20. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    I think the answer is Allow (e.g. CALC is always allowed). Likely depends on what wants to run it and how. Perhaps these extracts answer your question and you could then explain to us :)

    From Outpost v92 manual (less info here than in the older guide - see below):
    From a 2007 Outpost manual:
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Regarding this:

    If a component of an application has been changed and the application is about to establish a connection, Outpost Security Suite Pro will inform you of the changed component and ask whether this connection should be allowed.

    Eset has the same thing. Only applies to apps where a physical change has occurred. Best example is when an app is updated by the vendor. In Eset, it is only applicable for apps when a outbound firewall rule has been created.

    Outpost Security Suite Pro will not warn you when a component from this list is requested by an application to which it is not registered.

    Best example was the modification of explorer.exe already quoted; most likely done by the source .exe trying to inject a disk based .dll into explorer.exe. A few problems with this. Malware with the right permissions can register .dlls and services. Questionable if this would prevent fileless memory injection of a process commonly used by exploits.
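    The component-change check quoted in this post, as an added example that is not Outpost's code or anything posted in this thread: a small Python model that registers each app's components by hash and, on a connection attempt, reports components that changed on disk (the alert the manual describes) and components the app never registered (which the manual says Outpost stays silent on). App and file names are constructed for the demo.

```python
"""Model of Outpost-style Component Control (added example, not Outpost code).
Each app registers the components it loads; a later connection attempt is
checked for changed and unregistered components."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_registry(app_components):
    """{app: [component paths]} -> {app: {path: sha256}} as first seen."""
    return {app: {p: sha256_of(p) for p in paths}
            for app, paths in app_components.items()}


def check_connection(registry, app, loaded):
    """Return (changed, unregistered) for an outbound attempt by `app`.
    changed: registered components whose on-disk hash differs (the manual's
    'changed component' prompt). unregistered: components this app never
    registered; the manual says Outpost does not warn here, a stricter
    policy would prompt on these too."""
    known = registry.get(app, {})
    changed, unregistered = [], []
    for path in loaded:
        if path not in known:
            unregistered.append(path)
        elif sha256_of(path) != known[path]:
            changed.append(path)
    return changed, unregistered


def demo():
    """Constructed scenario: browser.exe registers helper.dll, then helper.dll
    is modified on disk and browser.exe also loads mail.exe's shared.dll."""
    d = tempfile.mkdtemp()
    helper, shared = os.path.join(d, "helper.dll"), os.path.join(d, "shared.dll")
    with open(helper, "wb") as f:
        f.write(b"original helper bytes")
    with open(shared, "wb") as f:
        f.write(b"shared component bytes")
    registry = build_registry({"browser.exe": [helper], "mail.exe": [shared]})
    clean = check_connection(registry, "browser.exe", [helper])
    with open(helper, "ab") as f:          # simulate a tampered component
        f.write(b" + injected code")
    dirty = check_connection(registry, "browser.exe", [helper, shared])
    shutil.rmtree(d)
    names = lambda r: tuple(sorted(os.path.basename(p) for p in g) for g in r)
    return names(clean), names(dirty)


if __name__ == "__main__":
    print(demo())
```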
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Ellison64 posted he is using OSS. That includes the AV/behavior blocker does it not?
     
  23. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    Yes he most certainly did.
    Let's not allow ourselves to judge Outpost purely on its malware blocking but more on its firewall capabilities.
     
  24. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    We're not judging the firewall, which is the best one in this universe. We have questions about Outpost's general protections. ellison's query is not related to AV in Outpost. It's more related to something in Outpost's HIPS section: Anti-Leak, Component Control and SystemGuard, which is not well understood.
     
  25. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    Both the suite and firewall include HIPS. The only difference between the two, IIRC, is that suite includes an AV.

    Re: your last sentence in post#21 "Questionable if this would prevent fileless memory injection of a process commonly used by exploits"
    I think MBAE test launching a calculator is relevant, but I'm not sure. This one Outpost fails. But CALC is not commonly used by exploits :)
     