OutPost learning thread

Discussion in 'other firewalls' started by Rilla927, Aug 27, 2010.

Thread Status:
Not open for further replies.
  1. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Hi Stem,

    Sorry to hear that you're having some problems with your settings regarding various interceptions/internet access. So far, I'm liking this firewall.

    The only changes I have made are the ones we discussed earlier in this thread, though. But so far, all is well....no problems to report (knock on wood).

    Just thought I would share a few findings with you:

    1) Previously, I had Online Armor (Full). For the past two+ years...whenever I would try to update Ace Utilities (or System Tune Up, by Ace Utilities)...it would download the update, but would not INSTALL! I thought OA might be preventing it...but checking OA, Ace Utilities was "Allowed" AND "Trusted". So I never could figure it out. And since the versions I had of both AU and STU worked fine, it wasn't any big deal. Well, since uninstalling OA and installing Outpost...I have now been able to update to the latest versions of both AU and STU.

    2) The "File and Folder Lock" protection/feature seems to work pretty well. Kind of. I ran the "Fix Invalid Shortcuts" features of both Ace Utilities and System Tune Up....with both finding several "invalid ESET NOD32" entries. When I went to Start > All Programs > ESET > ESET NOD32 Antivirus...the entries were listed...but unavailable. If I selected any of the entries (Documentation, AV, SysInspector, SysRescue, License Agreement, Uninstall) NOTHING would happen! As if they were completely missing! So while the ability to "lock" the folder is nice, I have since removed the folder from the "File and Folder Lock" component of Outpost. I have left the EKRN.exe protected in the "Exclusions" list, however.

    Also, I read elsewhere...that Avast! has a "Web Shield" option, much the same as NOD32. Someone reported that they are able to run both the Avast! Web Shield AND the Outpost Web Control component simultaneously without any problems. I'm debating if I want to try the same with ESET and Outpost.....thoughts? o_O
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi JR,

    When my patience returns I will look again; that was on Vista, by the way.
    After re-installing OP onto Vista (default setup, basic), connecting out with IE and checking Windows updates, there were 15 Windows applications with full internet access, and a number with inbound allowed. Not my kind of default setup.

    As the drivers will already be installed, I cannot see a direct conflict with those, although some care will be needed for any possible conflict which may not be easily apparent.


    - Stem
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I'm sorry you are having troubles with OP. I hope it starts behaving itself:rolleyes:
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Stem:

    For comparison purposes only I checked the Learning mode windows generated rules on W7 64 bit OP FW Pro V7.0.3 (3395.517.1242) and found a similar number of windows applications with www access.

    Attached for reference is my list.

    Users need to go into each set of exe rules and tighten them up!

    I included several applications in the list that are not Windows OS per se, BUT these are not numbered. (FF, Word, Outlook... )
     


  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    On my own setups I don't allow any auto-generated rules from any network firewall; it is not something I do. Even the rules that are in the inbuilt Win7 firewall (IMHO) are overkill and most are there for Microsoft's testing. All those "core" rules that are put forward as being needed for internet, well, certainly not on any of my setups.

    OP's default setup and default rule creation is, in my mind, how should I put it... not as safe/secure as it should be.

    I will be looking again a little later at the vista setup, as I want to get Rilla secure.


    - Stem
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    Don't worry about it :D

    I will change the setup. It is mainly the internet rules we need to get into something more correct/secure for normal internet use.


    - Stem
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    Time to make some changes to the default setup for rules.

    First of all we will stop OP from auto creating/changing any rules, and then we will go through the rulesets that have been made and change them. This will take some time, as we will need to see what impact changes in the various rulesets have on your setup (they should not actually cause any problem, but it is better to take some time/care and check for any possible problems).

    First, so you can easily see what is happening at the firewall, open the OP main UI and select "Switch to expert view".

    01.png

    In the "event viewer" you will then be able to select the firewall log. The log will be filled with various allow/block events. I would expect you to see quite a number of blocked NetBIOS events due to you unchecking the NetBIOS option in the LAN settings (made earlier).

    02.png

    In the main OP UI, top right, select "Settings". Then "General -> ImproveNet" and change to "Disable automatic rule creation", and uncheck "Automatically create rules for applications signed by trusted vendors".

    03.png

    Going back to the main OP UI, you will then see the firewall set as "Enabled: Rules wizard". With that setting, any application that is not blocked and does not currently have a rule to allow internet will cause a popup to ask. We will go through that process a little later.

    04.png


    - Stem
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    Rules for services host (svchost).

    Always a sticky area as a lot of users like auto security updates, but as Microsoft use many/varying IP ranges for the update servers, it is very problematic to make restrictions as to the connections made.

    So, this is (NOTE: edited image to get a full view of the rules created) a pic of the rules created, although I have already changed the rules to be more restrictive.

    01.png

    Going through the rules from top down:-

    2 rules for time sync: Optional as to whether you want these to be allowed or not. Some may not even want this service, or prefer to use another time sync service, or simply like to have their clock synced. I have left these as allowed.
    6 rules for SSDP: These are rules that are restricted to the local LAN; however, unless you specifically need to control your router (for such as opening inbound ports), or you have other hardware on the home LAN that you connect to, then you should change those rules to BLOCK.
    2 rules for link-local multicast: From my own point of view, these rules are debatable as to whether they are actually needed/useful. They do allow various multicast broadcasts, but I have not actually found at any time that blocking these causes problems. So I have these set to BLOCK. I always think: why broadcast your presence when not needed?
    3 rules for LDAP: Questionable as to whether needed; I have these set to BLOCK.
    4 rules (HTTP/HTTPS/DNS UDP/DNS TCP): This is where we come up against the problem of restrictions due to Windows updates. I myself make manual updates and make rules on the fly when needed, or even download updates manually, so these rules I would say depend on the user's needs/wants. In this example, I have allowed HTTP/HTTPS and allowed DNS UDP. DNS TCP is set to BLOCK because I do not use TCP for DNS lookups. So, make your own mind up on these rules.
    1 rule for DCOM: I am not sure at all as to why that rule is added by default; IMHO it should not be added, and I have that set to BLOCK.


    If you have any other rules set for svchost, please post details



    - Stem
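
The svchost ruleset walked through above, with the recommended actions applied, as an added example that is not part of the thread and not Outpost's code: a small first-match rule evaluator in Python. The port numbers are the standard ones for each named service (NTP 123, SSDP 1900, LLMNR 5355, LDAP 389, HTTP 80, HTTPS 443, DNS 53, DCOM/RPC endpoint mapper 135) and are assumptions about what the named Outpost rules contain, since the thread names the rules but not their ports. The "lan" and "localhost" remote scopes and the "ASK" result for an unmatched connection (the Rules Wizard popup once automatic rule creation is off) are also my modelling.

```python
"""First-match evaluation of an ordered per-application ruleset (added example).

Models the svchost.exe rules discussed in the thread. Not Outpost's code: the
port numbers are the standard ones for each named service (NTP 123, SSDP 1900,
LLMNR 5355, LDAP 389, HTTP 80, HTTPS 443, DNS 53, DCOM/RPC endpoint mapper 135)
and are assumptions about what the named rules hold.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str             # "TCP" or "UDP"
    direction: str         # "out" or "in"
    remote: str            # "any", "lan" or "localhost"
    ports: FrozenSet[int]  # remote ports; empty means any port
    action: str            # "ALLOW" or "BLOCK"


@dataclass(frozen=True)
class Conn:
    proto: str
    direction: str
    remote_ip: str
    remote_port: int


# Address scope assumed for "lan": RFC 1918 ranges, link-local and multicast.
_LAN_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4")]

# Representative subset of the svchost rules, top down, without actions.
# Learning mode creates them all as ALLOW; the hardened set keeps only time
# sync, HTTP/HTTPS, DNS over UDP and loopback traffic allowed.
_SVCHOST = [
    ("Time sync (NTP)",              "UDP", "out", "any",       {123}),
    ("SSDP out",                     "UDP", "out", "lan",       {1900}),
    ("SSDP in",                      "UDP", "in",  "lan",       {1900}),
    ("Link-local multicast (LLMNR)", "UDP", "out", "lan",       {5355}),
    ("LDAP TCP",                     "TCP", "out", "any",       {389}),
    ("LDAP UDP",                     "UDP", "out", "any",       {389}),
    ("HTTP",                         "TCP", "out", "any",       {80}),
    ("HTTPS",                        "TCP", "out", "any",       {443}),
    ("DNS UDP",                      "UDP", "out", "any",       {53}),
    ("DNS TCP",                      "TCP", "out", "any",       {53}),
    ("DCOM",                         "TCP", "out", "any",       {135}),
    ("Local UDP (loopback)",         "UDP", "out", "localhost", set()),
]
_KEEP_ALLOWED = {"Time sync (NTP)", "HTTP", "HTTPS", "DNS UDP", "Local UDP (loopback)"}


def default_rules() -> List[Rule]:
    """The ruleset as Learning mode leaves it: every rule ALLOW."""
    return [Rule(n, p, d, r, frozenset(ports), "ALLOW") for n, p, d, r, ports in _SVCHOST]


def hardened_rules() -> List[Rule]:
    """The same rules with the recommended actions applied."""
    return [Rule(n, p, d, r, frozenset(ports), "ALLOW" if n in _KEEP_ALLOWED else "BLOCK")
            for n, p, d, r, ports in _SVCHOST]


def _remote_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "localhost":
        return addr.is_loopback
    if spec == "lan":
        return any(addr in net for net in _LAN_NETS)
    raise ValueError(f"unknown remote scope {spec!r}")


def decide(rules: List[Rule], conn: Conn) -> Tuple[str, str]:
    """First matching rule wins and returns (action, rule name). No match returns
    ("ASK", ""): with automatic rule creation disabled, the Rules Wizard prompts."""
    for r in rules:
        if (r.proto == conn.proto and r.direction == conn.direction
                and _remote_matches(r.remote, conn.remote_ip)
                and (not r.ports or conn.remote_port in r.ports)):
            return r.action, r.name
    return "ASK", ""


def compare(conn: Conn) -> Tuple[str, str]:
    """(verdict under Learning-mode defaults, verdict under the hardened rules)."""
    return decide(default_rules(), conn)[0], decide(hardened_rules(), conn)[0]


if __name__ == "__main__":
    samples = [  # constructed connections, not captured traffic
        Conn("UDP", "out", "8.8.8.8", 53),            # DNS lookup over UDP
        Conn("TCP", "out", "8.8.8.8", 53),            # DNS over TCP
        Conn("UDP", "out", "239.255.255.250", 1900),  # SSDP discovery on the LAN
        Conn("UDP", "out", "8.8.8.8", 1900),          # SSDP port, but not a LAN address
        Conn("TCP", "out", "8.8.8.8", 443),           # HTTPS to the internet
        Conn("TCP", "out", "192.168.1.10", 135),      # DCOM to a LAN host
        Conn("UDP", "out", "127.0.0.1", 49152),       # loopback
        Conn("TCP", "out", "8.8.8.8", 8080),          # nothing matches
    ]
    for c in samples:
        d, h = compare(c)
        print(f"{c.proto} {c.direction:3} {c.remote_ip:>15}:{c.remote_port:<5} default={d:5} hardened={h}")
```

Run it and compare the two columns: the same UDP DNS lookup passes under both sets, the TCP/53, SSDP and DCOM connections that Learning mode allowed are blocked, and a packet to the SSDP port on a non-LAN address matches neither the LAN-scoped SSDP rule nor anything else, so it falls through to the popup rather than being silently allowed.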
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    If this restricts the updates I guess I could manually install them.

    Yes, I have two extra rules that I don't see in yours. Here is a shot:
     


  10. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I'm having trouble trying to run a Panda online scan. Under blocked content in event viewer it is blocked even though I put it on the exclusion list.

    I have changed all rules (post #83) as you have, except I have Web Services Discovery and Generic Host Process Local UDP connection.
     
    Last edited: Sep 5, 2010
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    The rules for svchost should allow for Windows Update.
    The first is yet another broadcast; it could be classed as similar to UPnP. I would place a block on that. You may have hardware attempting discovery.

    The second rule: open the rule and check its destination. It should only be to localhost (loopback comms), which will probably need to be allowed and is not a direct problem anyway.


    - Stem
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I will need to check that. Where are you trying to perform the scan? I have made a quick search and found this site http://www.pandasecurity.com/activescan/index/ . Is that correct?

    I will need to check through the vista setup once I know what scan you are attempting.

    - Stem
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have just looked at that scan. I cannot actually class it as an online scan as it basically invades the system with the creation of an 80MB directory with driver loading and various registry changes.

    Even with all permission set as allow, the scan did not show any sort of result, it just showed a blank screen.




    - Stem
     
  14. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    The URL you have above is not what I have, so maybe that's why. I have www.pandasecurity.com, but yet you said you got nothing anyway. Strange.

    Here is that last rule I have
     


  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I will check that a little later.
    You may be better off finding non-installation malware scanners. There is the Emsisoft emergency scanner; I do not know how good it is (it is free), but it can be run without installation and offline, even from a USB stick. Probably OK as a backup scanner? http://www.emsisoft.com/en/software/eek/

    That is local connections, so you can leave that as it is.



    - Stem
     
  16. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Yes, I have been looking at a few different ones to put on my USB stick. That's the same av I'm using right now.

    Okay, I will leave the last rule as is. I will wait and see what you want to do next.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    How about a beer? :D


    There are some rules we can change to block, they should not be needed.

    Look in the "Settings-> Application Rules" for the following applications:-

    Feedback.exe: For some reason that OP application is allowed both inbound and outbound TCP and UDP on all ports. Change those rules to BLOCK.
    Explorer.exe: Although it can be useful to allow it outbound for some events, the fact it connects out during a local search, even a defrag, makes me block it. The only real need for this is if you are using a PPTP VPN, where explorer will make DNS lookups for a host you are connecting to, so I will say to block all rules apart from DNS lookups for that.

    These 2 can apparently have their settings changed as to whether they connect out (not yet checked/confirmed), so...
    Searchindexer.exe: set the rules to BLOCK
    Searchfilterhost.exe: set the rules to BLOCK

    Mobsync.exe: This in earlier versions of Windows was for updating your homepage for offline viewing, so I presume this is the same. I see no need for this, as I do sandbox any online activity so do not want this application downloading and storing internet content.
    I set all rules to BLOCK.


    Make the above changes and check for any problems, or if you have questions before making the changes, then just ask :)

    I am currently going through the other rulesets to check what can be blocked.


    - Stem
     
  18. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I'm with ya on that one. I have some left over from Friday night:thumb:


    I made the following changes to match yours.


    I found a few times where I had an all-incoming TCP rule and I took it out. I'm going to try to reproduce this because I want to know where it's coming from. I think Poco Mail, not sure.

    Okay, will do. I can't believe that you end up blocking 99% of these rules, amazing.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have some cans in the fridge, could be tempting later today :D


    OK, we are now going to look at changing some of the rules that could possibly cause issues. But don't panic :D


    LSASS.exe
    Winlogon.exe
    services.exe

    On my setups, I can put complete blocks on all the rules made for those applications. Problems can arise if there is a need, for example, for a logon to the ISP or some remote server where secure logon is needed. I think you would know if such is actually needed, but if not, then first check through your firewall log to see if you can find any outbound from any of those applications; if you do, then let me know. Otherwise, set all the rules for those applications to BLOCK. If you do then get any problems later, delete the internet rules for those applications and you will get a popup to allow. You can then let me know and we can make some less open rules for your needs.


    There are other rulesets to look at/change, but as those are of some concern, then change them and run your system for a while and make a re-boot to make sure all is well for internet connections.


    - Stem
     
  20. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    No, I don't see any entries for those three services at all. I'm going to make the suggested changes and reboot.

    I did find some strange stuff coming through Firefox, like 66.129.99.88, Protocol Proto41, Process N/A, outbound, and map.e.pipeline.net TCP Out.

    I forgot to ask: do any of these have to do with port 995 SSL and 465 SSL for my mail?
     
    Last edited: Sep 5, 2010
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Proto41 is related to 6to4, which is IPv6 packets made into IPv4 packets to run through IPv4 routers/networks.
    We will look at the rules for Firefox next.

    No, your e-mail should still work correctly.


    - Stem
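
The log checks asked for over the last few posts (NetBIOS should be showing as blocked after the LAN change, any outbound from lsass.exe, winlogon.exe or services.exe should be reported, the Proto41 entry with no owning process, and whether mail on 995/465 is affected), as an added example that is not part of the thread and not Outpost's code: a Python triage script over a constructed log. The comma-separated layout and every line in SAMPLE_LOG are made up for the example, not Outpost's log format or Rilla's actual log, and mail.exe is a hypothetical process name. The port numbers are the standard ones (NetBIOS 137/138/139, POP3 over SSL 995, SMTP over SSL 465), and protocol 41 is IPv6-in-IPv4 encapsulation, which is what 6to4 uses.

```python
"""Firewall-log triage for the checks asked for in the thread (added example).

Constructed log format (not Outpost's): time,process,action,direction,protocol,remote,port.
Standard port numbers are used for NetBIOS (137/138/139), POP3 over SSL (995)
and SMTP over SSL (465); "Proto41" is raw IP protocol 41, IPv6-in-IPv4 (6to4).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Processes that should normally show no outbound at all on a home setup.
SENSITIVE = {"lsass.exe", "winlogon.exe", "services.exe"}
NETBIOS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}
SECURE_MAIL = {995: "POP3S", 465: "SMTPS"}

# Constructed sample, not a captured Outpost log. mail.exe is a hypothetical client.
SAMPLE_LOG = """\
# time,process,action,direction,protocol,remote,port
2010-09-05 10:01:12,System,Blocked,in,UDP,192.168.1.50,137
2010-09-05 10:01:13,System,Blocked,in,UDP,192.168.1.50,138
2010-09-05 10:01:14,System,Blocked,in,TCP,192.168.1.50,139
2010-09-05 10:02:00,firefox.exe,Allowed,out,TCP,203.0.113.7,80
2010-09-05 10:02:05,N/A,Allowed,out,Proto41,198.51.100.8,0
2010-09-05 10:03:10,mail.exe,Allowed,out,TCP,198.51.100.20,995
2010-09-05 10:03:11,mail.exe,Allowed,out,TCP,198.51.100.20,465
2010-09-05 10:04:00,lsass.exe,Allowed,out,TCP,203.0.113.9,88
2010-09-05 10:05:00,svchost.exe,Blocked,out,TCP,8.8.8.8,53
2010-09-05 10:06:00,svchost.exe,Allowed,out,UDP,8.8.8.8,53
"""


@dataclass(frozen=True)
class Event:
    time: str
    process: str
    action: str      # "Allowed" or "Blocked"
    direction: str   # "in" or "out"
    proto: str       # "TCP", "UDP", or "ProtoNN" for a raw IP protocol
    remote: str
    port: int        # 0 when the protocol has no ports


def parse(line: str) -> Event:
    time, proc, action, direction, proto, remote, port = [f.strip() for f in line.split(",")]
    return Event(time, proc, action, direction, proto, remote, int(port))


def classify(ev: Event) -> List[str]:
    """Tags for one event; an event may earn several or none."""
    tags = []
    if (ev.proto.upper(), ev.port) in NETBIOS:
        tags.append("netbios")
    if ev.proto.upper() == "PROTO41":
        # 6to4 tunnel traffic: no owning process, so per-application rules never see it.
        tags.append("6to4-tunnel")
    if ev.direction == "out" and ev.port in SECURE_MAIL:
        tags.append("mail:" + SECURE_MAIL[ev.port])
    if ev.direction == "out" and ev.process.lower() in SENSITIVE:
        tags.append("sensitive-outbound")
    return tags


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise a log the way the thread reviews it: NetBIOS should be blocked,
    sensitive processes and unattributed tunnels are findings, mail should be allowed."""
    events = [parse(ln) for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]
    netbios: Counter = Counter()
    findings: List[Tuple[str, str, str, str, str, int]] = []
    mail: List[Tuple[str, str, str]] = []
    for ev in events:
        tags = classify(ev)
        if "netbios" in tags:
            netbios[ev.action] += 1
        if "6to4-tunnel" in tags or "sensitive-outbound" in tags:
            findings.append((ev.time, ev.process, ev.action, ev.proto, ev.remote, ev.port))
        for tag in tags:
            if tag.startswith("mail:"):
                mail.append((ev.process, tag[5:], ev.action))
    return {
        "netbios": dict(netbios),
        "netbios_leak": netbios.get("Allowed", 0) > 0,
        "findings": findings,
        "mail": mail,
        "mail_ok": bool(mail) and all(a == "Allowed" for _, _, a in mail),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print("NetBIOS by action:", report["netbios"], "(leak)" if report["netbios_leak"] else "")
    print("Mail on 995/465 still allowed:", report["mail_ok"])
    for f in report["findings"]:
        print("FINDING:", *f)
```

On the constructed sample the NetBIOS lines are all blocked (the expected state after unchecking NetBIOS in the LAN settings), the mail connections on 995 and 465 are untouched by the svchost and system-process changes, and two findings come out: the Proto41 entry, which no application rule can govern because the firewall cannot attribute it to a process, and an outbound connection from lsass.exe, which is exactly what Stem asked to be told about before setting those rules to BLOCK.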
     
  22. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, rebooted and checked FW log and the blocks are netbios traffic, so that's a good thing.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    So you're saying your PC did not blow up with blocking all those applications :rolleyes: :D

    Looking at the FF rules, there are quite a few, but they are all outbound and are trying to cover various connections (streaming/proxy etc), so they will be OK.

    A look to see what applications are left on my setup:-

    Taskeng.exe: If you open that ruleset you will see rules for NOD32 and AVP/KIS, and others. Those are related to scheduled tasks. Your own applications may go through that process, so what I advise for that is to actually delete all the current rules. That will cause a popup if any application attempts to use it. If you need details on how to handle popups for internet, I can post those.

    Wmiprvse.exe: set to BLOCK

    Wmplayer.exe: Personal choice, as you may use the media player for streaming from the Internet, or retrieving info concerning played media.
    If you don't use it online and only offline, or don't use it at all, then set the rules to BLOCK.

    The only other current rules I have are for IE, which I used for some quick tests, ACS.exe, which is one of OP's processes for retrieving updates (and news), and OP_MON.exe (Outpost again), whose only internet outbound I have seen is for DNS lookups (for logging, I believe).

    So now we will take a rest, then we can go through any other application rulesets you have and if you need any other info.


    - Stem
     
  24. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    You're hilarious. It amazes me how many of those rules were not needed and, to boot, sitting wide open at the same time.

    I will make suggested changes for those three services. It's time for you to get some rest, thanks. I'll check back in tomorrow.
     
    Last edited: Sep 5, 2010
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Rilla,

    I will check back in later to see if you have any questions etc.

    I am now off out for Sunday lunch :D


    Take care,

    - Stem
     