Outpost Firewall Pro 2009 Testing and Optimization Thread

Discussion in 'other firewalls' started by Escalader, May 3, 2009.

Thread Status:
Not open for further replies.
  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,759
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    When the user installs OP FW Pro 2009, the product will scan for other incompatible or partially incompatible "3rd party" security products. For example it will disable it's own Real Time Spyware protection component if it scans and finds Nod32 or Antivir Premium.

    Now from my point of view, I would like to be able to engage/disengage that component my self by ticking a box in case there is a need for that tool in the future say if I change my Antivirus tool to one that doesn't possess the realtime component.

    So what I have tested and it works is as follows. I removed OP FW pro and Nod32 and cleaned up the PC. Then I reinstalled OP FW Pro 2009 on it's own and it's scan had nothing to find and I selected ALL it's components so the install is full function. Then I installed Antivir Premium (on 30 day trial).

    At that point I imported back all my rules and all it did was show the RT Spyware protection component as unengaged. But I can now engage it if I need to.

    For the record I'm relying on Antivir's RT feature called guard as files are opened and closed. No false positives yet and in interative mode I get to decide to delete or quarantine as I prefer. I'm NOT advocating one AV over another here, just testing to see how a user can preserve options by the order in which they install two products.

    My goal was two fold, have one and only one strong RT scanner for Malware yet have the ability to use a different one if needed.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here is some detail for you on OP loopback.


    In the most recent iteration of OP FW Pro 2009, scanning of loopback traffic had been turned OFF by default. The vendor gave the reason was efficiency. However, it is possible to turn it back on. The steps to do this follow and are copied from the OP User support forum. I have tested this procedure and it works. I see no change in efficiency but maybe my traffic flow is so low so it doesn't matter.

     
    Last edited: Oct 10, 2009
  4. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    This can be done. If during the install you tell the wizard that, for example, you don't have NOD32, even though it found it, then it will NOT disable it's own real time anti-spyware protection. Once the module is installed you then have the option within the interface to toggle on or off. Doing this, of course, increases the potential for interference but control is then totally within your hands.
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks for the clarification Manny!:)
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In the most recent iteration of OP FW Pro 2009, scanning of loopback traffic had been turned OFF by default. The vendor gave the reason as efficiency. However, it is possible to turn it back on. The steps to do this follow and are copied from the OP User support forum. I have tested this procedure and it works. I see no change in efficiency but maybe my traffic flow is so low so it doesn't matter.

    Again, I'm not advocating anybody invoke OP's loopback feature on their setups. All this post does, is show how to do it. You need to KNOW if your applications use loopback or not and whether or not you want to filter the traffic.


     
  7. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Hi
    There is a way to use malwaredomains list (domains.txt) in Outpost IPblocklist? Tried BISS blocklist manager to convert but not worked.
     
  8. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,273
    Location:
    USA
  9. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Hi G1111

    I already use CoU blocklist. I'm asking for malware domains list because looks like is updated more frequently. Last update for CoU is Sep 15 2009. The automatic updater is a good idea.

    thx for the help.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I'm not familiar with malwaredomans list BUT there may be some confusion on this matter of the OP Block list.

    I do use BISS and it works fine BUT it doesn't apply to OP Block list. BISS helps users manage their HOST File. That operates separately from the OP Block list which is embedded into OP.

    So what you maybe could do is what I do, do both. Load the OP Block list in following the help and documentation at OP Forum and the product help.

    Then use BISS to load and manage your HOST File. Just to remind folks the HOST File can do 2 things, block sites you don't want to go to via the use of 127.0.0.1 as the ip for the site forcing a loopback AND putting safe ip's and sites in that you use all the time saving the need to do DNS translations. I have about 5 sites in HOST File like that but many many more as blocked.

    If the domains list is in the proper format for HOST and BISS it should be loadable there. But again I don't use it so don't know.
     
  11. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
  12. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    @ Escalader and others that are experienced with Outpost Firewall Rules.
    Need feedback on the architecture and cascading order of the following Outpost Firewall Rule Set.
    The Network is behind an Firewall Router acting as the DNS Server, obtaining an IP Address automatically, and DHCP disabled. Computers in the Network have Static IP's.

    Outpost Firewall Rules for: svchost_exe

    (001)
    Allow Time Server UDP for SVCHOST.EXE
    Where the protocol is: UDP
    and Where the remote address is: ntp2.usno.navy.mil (192.5.41.209)
    and Where the remote port is: 123
    and Where the local port is: 123
    Allow
    and Report this activity

    (002)
    Allow Outbound UDP to Local SNMP for SVCHOST.EXE
    Where the protocol is: UDP
    and Where the direction is: Outbound
    and Where the remote address is: Local_Network
    and Where the remote port is: SNMP
    Allow

    (003)
    Allow ICMP Local for SVCHOST.EXE
    Where the protocol is: ICMP
    and Where the remote address is: LOCAL_NETWORK
    Allow

    (004)
    Allow Outbound TCP Local for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote address is: LOCAL_NETWORK
    Allow

    (005)
    Allow Outbound UDP to Local DNS for SVCHOST.EXE
    Where the Protocol is: UDP
    and Where the direction is: Outbound
    and Where the remote address is: GATEWAYS, DNS_SERVERS
    and the remote port is: DNS
    Allow

    (006)
    Block Other Outbound UDP to Possible Trojan DNS for SVCHOST.EXE
    Where the protocol is: UDP
    and Where the direction is: Outbound
    and Where the remote port is: DNS
    Block
    and Report this activity

    (007)
    Allow Outbound TCP to Local DOMAIN for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote address is: GATEWAYS, DNS_SERVERS
    and Where the remote port is: DOMAIN
    Allow

    (008 )
    Block Other Outbound TCP to Possible Trojan DOMAIN for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote port is: DOMAIN
    Block
    and Report this activity

    (009)
    Allow Outbound TCP to HTTP for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote port is: HTTP
    Allow

    (010)
    Allow Outbound TCP to HTTPS for SVCHOST.EXE
    Where the protocol is: TCP
    and where the direction is: Outbound
    and Where the remote port is: HTTPS
    Allow

    (011)
    Block Inbound UDP to SSDP 1900 for SVCHOST.EXE
    Where the protocol is: UDP
    and Where the direction is: Inbound
    and Where the local port is: 1900
    Block
    and Report this activity

    (012)
    Block Outbound UDP to SSDP 1900 for SVCHOST.EXE
    Where the protocol is: UDP
    and Where the direction is: Outbound
    and Where the remote port is: 1900
    Block
    and Report this activity

    (013)
    Block Inbound TCP to UPnP 5000 for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Inbound
    and Where the local port is: 5000
    Block
    and Report this activity

    (014)
    Block Outbound TCP to UPnP 5000 for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Outbound
    and Where the remote port is: 5000
    Block
    and Report this activity

    (015)
    Block Inbound TCP to DCOM 135 for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Inbound
    and Where the local port is: DCOM
    Block
    and Report this activity

    (016)
    Block UDP from DCOM 135 for SVCHOST.EXE
    Where the protocol is: UDP
    and Where the local port is: 135
    Block
    and Report this activity

    (017)
    Block Other Inbound TCP for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Inbound
    Block
    and Report this activity

    (018 )
    Block Other Outbound TCP for SVCHOST.EXE
    Where the protocol is: TCP
    and Where the direction is: Outbound
    Block
    and Report this activity

    (019)
    Block Other UDP for SVCHOST.EXE
    Where the protocol is: UDP
    Block
    and Report this activity


    HKEY1952


    EDIT: For clarity
     
    Last edited: Oct 19, 2009
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello HEYKEY1952:

    First a word of caution any non tweakers and "i don't do rules people" , if you don't know what you are doing, no disrespect to anybody it is better to either do nothing or let the vendor SW rules wizard create the rules for you. View the vendor SW as an expert system (may not be perfect) that knows more about rules than you do. This stuff can consume your life!:'(

    Here is a current link for the thread on DHCP it is a good read.

    http://www.blackviper.com/WinXP/Services/DHCP_Client.htm

    One rule set I would remove and have is the allow for 135 the time sync thing. The PC knows what time it is doesn't need to go out to a mother ship site to find out the time of day. I hate unneeded outbounds from my PC. So I never have to debate about what site is worst to get the time from as I don't ask!

    Unless the PC battery is dead I like to disable this service in admin tools and then the whole matter is gone service is not in need of rules if it doesn't exist.

    Here is a copy paste of a current rule list. It is adapted from the OP documentation and the stickies here at Wilder's.

    I took a quick look at your rule list and I like all your block rules. Some of the allows I'm still looking at and the fact that you say no DHCP seems odd for me as I'm behind a router and it is the way ALL my DNS lookups are done via OpenDNS. The primary and secondary lookups are right in the router settings. This takes the DNS lookup load right off the PC.

    So why are you using DNS unless your router is unable....o_O?

    What brand/type of router is this?

    For me I disable the DNS service in admin tools of xp sp3 and rely 100% for DNS service on the router via DHCP, for me behind a router that is the way to go.

     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay, I'm back having reinstalled OP FW Pro 2009 current build.

    Today I got this message in the log I don't understand.

    Now the dates of creation and modification for this dll were OLD not this month!

    So the system "learned" it.

    Does anybody using OP FW Pro 2009 have a clue what I'm looking at here?
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I dont currently have OP installed, but will reply.

    That is an alert from the component control. Have you changed the default settings

    I would suspect that what you are seeing is the date stamp of the creation of the dll (not when it was installed or flagged as in use on the system)

    There are various settings in outpost component control, so it would depend on settings. (I have not looked deep at the component control in the latest builds, but in earlier builds there was a repository of shared dlls, which would be allowed/learned to be used by applications)


    - Stem
     
  16. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    Since you reinstalled OP then it hasn't learned anything with components even if you brought over your old configuration. It doesn't matter what the dates are for components its when they are used and when OP first sees it that makes the difference. This must be the first time since you reinstalled OP that you used JV16pt.exe with that component. [I don't know what recognition.dll is.]

    You must have Component Control setup to monitor all components not just executables. You should expect more dialog boxes with this setting since OP is considering every files used by a program.

    This is self inflicted I'm afraid.
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Manny:

    I'm not complaining about the self inflicted message at all. :D

    Just trying to grasp the meaning. Thanks for replying. Yes, under Host Protection I do have all components monitored.

    I will ask jv16 what recognition.dll is it belongs to them after all.
     
  18. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    Figuring out what all these dll files are could become a full time job. I generally look at the properties of these files and scan it. If it looks right then I accept it and go on.

    I wrote an FAQ about component control for v2.5. It's a little old but the concepts really remain the same. This amount of control can be really time consuming and there's little information provided by Component Control largely because it has no idea whether or not such a component is legit or what it's doing. It leaves it up to the user to figure it out. It would be nice if Agnitum had something that could tell you that such a file belongs to this program.

    http://www.outpostfirewall.com/forum/showthread.php?t=12233
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, as in my reply to Manny I turned on ALL the monitors.

    Yes I think that's correct as the old dates don't match the dll cache OP is maintaining. As a test I changed the name of the dll (put word test in the front) then jv16 would NOT start so I suspect this dll checks the licence which is a downloaded xbin file called license(1).xbin.

    When I restored the xbin file name jv16 starts normally. However as , I did all this work OP was totally silent!

    Yes, correct. It is called Known Components. The user can edit this list.

    The jv16 dll recognition.dll is duly listed there. It has hundreds of entries in it. If I wanted to ( I don't) I could clean out every single entry to see what OP would do. Don't try this at home folks!
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks Manny, I'll read your link! More learning:D

    Yes agreed, no way we would try to study all these dll's! I'm only dealing with the one I got a pop up about to see what is what. Hopefully the vendor is doing or will do due diligence on these components by validating by all means possible that they should be on my setup at all!
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Outpost would probably simply add back most of the entries itself automatically based on some internal white_list. You can see a simple example of that by removing "notepad.exe" from that list, execute notepad, and it is automatically added back (regardless of user settings I have made)


    - Stem
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Yes, I did do the total wipe as a test several weeks ago (on my own) just to see what would happen. I had my image backup ready as a safety net.

    What happened was well nothing really, in due course they got added back in.

    What I also think is that IF you un-installed say Spyblaster ( why do we pick on that:D) the dll's for it STAY in the list but I want to verify that!

    I look at the list and see some exe's with ? for manufacturer/vendor yet MS say as the path.... one was OP itself no vendor? Raxco was a another.

    Also I see old duplicates from 2004 the year I got this beast!
     
  23. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    All Windows system components are added to the component control database automatically since they are so widely used. That's a change from what's written in the FAQ where the user had to rebuild the database manually; say after a Windows update to add those new/changed Windows components. If those Windows components/executables are on the list then they get added in automatically as illustrated by the Notepad example.

    The remaining non-Windows files, if removed from the component control database, will then have to be entered back manually. If all components are checked then the list could be several hundred to thousands of items long depending on how much software you use. So it could be a while to reconstitute the list.

    As an aside and because this is also a change - Host Protection performance was improved with SmartScan by creating "invisible" status cache files in each folder. If a component hasn't changed, as indicated by its status, then it moves on to the next one and so on.

    Edit: Oops, I forgot. The file properties on the list depend on what the vendor has done. For example, the files in yellow are from two different programs from O&O but one lists the vendor but not the other. It's how O&O did it since the list just reads from what the vendor has done. Just above that, all my listings [only the exe's] show Agnitum as the vendor. If you have all ddl's showing then there are probably more discrepencies in how files are listed.
     

    Attached Files:

    Last edited: Oct 30, 2009
  24. Dr payne

    Dr payne Guest

    Any ideas on "stateful inspection"? I have it (testing) all the rules for VPN.SMS (Smarthide, hxxp://www.smarthide.com/) and also Opera, no problems yet, and no noticeable slow downs . What is your opinion about "stateful inspection"? I have read the thread about it in the outpost forums, kind of grey. o_O
    Don't mean to change the subject. I am learning so much reading this thread, thanks.:thumb:
     
  25. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    I agree, I have gained lots from this..

    There is a current thread that partially looks at SPI here:
    https://www.wilderssecurity.com/showthread.php?t=256231
    Anywhere from post 12 onwards, and especially later on in the thread (there is a specific test carried out at Post 72, and earlier at post 56), hopefully that might be useful..
     
    Last edited: Oct 31, 2009
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.