Insert Real Name

Everything posted by Insert Real Name

  1. Yes, I can really recommend the Secunia PSI 2.0 program as a good complement to the protection of OA. It installs a bunch of small footprint services that monitor new software installs/updates on your machine, as well as existing well-known software already installed. When anything it monitors is out-of-date with respect to security-relevant updates, it will either install a silent update package for you, or provide you with a direct link to the software vendor's downloadable updates. Simplifies software maintenance greatly. I've been using it for 2 or 3 years.
  2. I know you are trying to be funny re. the number of OA popups, but consider that OA's purpose is to protect you from real threats, not to "entertain" you with popups. Therefore:
     1) When you download an installer, you have to make up your mind: i) is the downloaded file from a trusted source, which can vary in the amount of trust you may give it, e.g. correctly signed by the software company, or file hashes--if available--are correct, or is the download site protected by an HTTPS certificate that you think you can trust (and you've checked the certificate chain, if you are really paranoid)? It's still wise to upload the installer to a service like VirusTotal.com and anubis.iseclab.org if you have doubts about the installer's potential effects on your system. If you can't really trust the installer, but still want to try the program, then use some kind of sandboxed virtual PC to eliminate any effects on your regular PC--this is just cautious common sense. The OA whitelist of installers and programs can never be complete; running software like OA always means accepting that you will have to make more manual choices than if OA is not running.
     2) If the download meets your standard of trust, then there is NO reason NOT to let OA treat the installer as "Trusted" and as an "Installer", in order to reduce the number of popups. Often there is an additional option in the initial OA popup: "Create system restore point". Use it!
     3) Even with all these options checked, there still will be some popups; I've seen them when global keyboard hooks are installed, certain types of DLLs and OCXs are registered, direct physical disk access is requested, etc. In these cases OA is just alerting you that the installer is doing things that are a little more intrusive than the simplest installers, e.g. using external programs to install the DLL or system service components of the program you are installing.
     These are components which, in any case, need your decision on allowed/trusted status, now or at some later point. Maybe OA should cut out all such popups for a "trusted" installer and just "allow" them once and log the action--I'm not sure, but I prefer to know what is going on and decide on allow/trust status.
  3. CLOSE_WAIT indicates that the communication between your application and the remote point has finished, but your application has not yet closed its end of the connection. It's a perfectly normal state for an internet connection that has just finished.
  4. Make sure that advertisement updates are the only purpose for the DNS queries that avastui.exe makes! You wouldn't want to block program and signature updates, or any other important function... it's always safer to use the "Endpoint Restrictions" in the avastui.exe firewall rule to block specific IP numbers or ranges (the firewall logs will have those numbers, if you set up logging for successful use of the rule). DNS records corresponding to particular IP numbers can always be checked at sites like www.robtex.com so that you don't block something important.
  5. You might try this approach: edit the avastui.exe rule in the firewall to i) delete all the existing permitted ports, ii) log everything (success and failure). In the OA Programs tab, remove avastui.exe from Trusted program status and set it to "Ask". When it does run and displays OA pop-up permission notices, make sure you don't let OA remember your decision. What you'll get is a blow-by-blow account of all the things avastui.exe is doing: internet sites, other programs it may start, etc. Somewhere in all that information may be a clue, perhaps as simple as blocking one internet server that has the advertisement source, or a program that it starts to display the advertisements. Once you find that out, then set the program back to "Trusted", but also configure the firewall to block sites, if that's required, or the advanced program options to block avastui.exe from starting certain other programs. I don't run Avast; OA++ is enough for me.
  6. Glad my idea put you on a successful path to resolving the problem. Some programs don't pay attention to environment variables but provide command line options to change such things.
  7. Thank you very much for clearing up the difference between x86 and x64 systems (I suppose the screen capture I linked from the OA 5.0 online help is the x86 version of OA).
  8. No, they were certainly present on my installation of OA++ 4.5 on Windows 7 x64 SP1 before I upgraded to OA++ 5.0 on Monday. I tested them earlier in 2010 on Windows 7 x64 No-SP (at least I recall testing the option to prevent processes from being killed by other processes--that worked). Can anyone running OA 5.0 Prem. or ++ on Windows 7 x64 SP1 verify that those options continue to work?
  9. I should have been clearer: the "Protection" and the "Performance" groups in "Advanced Options" have gone, see: versus my OA 5.0 version: What's strange is that the new OA 5.0 help still shows those missing advanced options: So is this a bug in my OA 5.0 installation? Everything seems to be working so far--I made a fresh installation, not an upgrade, on Windows 7 x64, and I work in a regular limited user account, these extra advanced options always showed with OA 3.x-4.x
  10. Also, in many cases, remember malware delivered via the browser actually has to run to do damage. If it does it while still in the low privileged ("protected") IE browsing session, it really can't do much more than trick you into running a program with normal privileges, and this can be caught by OA by making sure that the iexplore.exe process (and maybe others: ielowutil.exe, ieframe.dll, ieshims.dll as well? I don't know) always ask before running external programs. See attached screenshot, where that option hasn't been chosen yet. Some experimentation is always necessary, since these OA options really can get in the way of ordinary work. Oh, I just noticed another loss of functionality in OA 5.0: the Advanced Options for each program on the Programs list used to have options to not let other programs terminate the program, not fiddle around with the program's memory space, etc. Those are gone now, but quite honestly I doubt more than 1% of users ever tried them. The new File and Registry protection in Advanced Mode allows denying access to user-chosen file and registry locations to all but trusted programs. This is a great addition, and I hope OA's internal architecture allows them to add creating such rules for individual programs, e.g. your trusted browser should only be able to create/write files in its cache, application data, and downloads directories, any other location should cause a permission dialog to pop up...
  11. Try this small experiment: run the program from the command line, if possible, but, before you run it, on that same command line, set the environment variable TEMP to another empty folder you've created for the purpose, and make sure you have added it to the list of locations OA should ignore (Configuration-->Options-->Ignore). E.g.:
      SET TEMP=C:\Users\arto\AppData\Local\MyProgramTemp
      "C:\Program Files\MyProgram\MyProgram.exe"
      (The path is quoted because it contains a space.) If this works, then turn those commands into a batch file MyProgram.bat and use that as the target of the shortcut you use to start the program. Hope this helps.
  12. I do as the original poster does: make sure the program I'm installing passes various anti-virus tests, etc., so that I have confidence that it does only what it's advertised to do; then I always engage Learn mode for any complex software installation and, if a reboot is required, I keep learn mode engaged until I have tested everything I can in an initial run of the program. And I review the history page to see what OA has picked up. A lot of programs auto-update, which inevitably means that files already registered in OA are going to change, so producing more pop-ups to renew your decision about trust: I really want OA to do this--if I am confident about the updates the first time, I'll then designate the program(s) that started and carried out the update(s) as installers; this will cut down a lot of pop-ups. I may still get pop-ups to renew decisions about trust when the updated components run the first time, but that's OA's expected function: asking you if this updated program component is something you recognize and allow. So re-installing programs won't help here; the best thing is to use the OA history records to change the status of certain program components to both trusted + installer.
  13. No, I'm sure RBC isn't the only financial web site doing this, but I do want to emphasize that I'm far from expert in these matters and that, in any case, I have no knowledge of how OA actually does its Banking Mode--I'm making a lot of assumptions. I'm not sure how it could ever deal with round-robin DNS. Normal DNS address queries deliver just one result, I think, special queries have to be crafted to get all of the address records for one host name--and even then, with geographically distributed DNS, you might get different sets of addresses for queries originating in different areas. The few times I've directly contacted OA support (both in the TallEmu and Emsisoft eras), they've been clear in explaining the product's limitations and what improvements may be expected.
  14. Well, I certainly went off-topic from your original post! Sorry about that. I just had a quick look at your latest posted screen capture and your description of how you got there. The pop-up does state that OA can't access the OA trusted DNS server. Since you have set OA in Banking Mode, it shouldn't let you visit any website, trusted or untrusted, under those circumstances, since the trusted DNS server is unavailable. Can you verify that no site is accessible, i.e., when you reach the error pop-up on your attempt to access your banking in Banking Mode, try opening another web browser window, and attempt to go to another website not on your trusted list? OA should block the attempt; the browser window should display a message to the effect that the site in question is unavailable. Now, switch OA back into its regular mode: if you hit the reload button for the web site that it just blocked, it should now load normally, since the trusted DNS is no longer required. The loss of learned banking mode sites also needs some attention, even though I think the loss of access to the OA Trusted DNS is the real problem here: go through the OA learning procedure with your bank site access (make sure OA is in its regular mode when doing this). Without rebooting yet, open a command prompt window (Start-->All programs-->Accessories-->Command Prompt) and note down the results of executing nslookup www1.royalbank.com. It will be something like
      Non-authoritative answer:
      Name:    www1.royalbank.com
      Address: 198.96.131.233
      and it's the numbers that you want to note down. Now, reboot your machine, go through the rigmarole of Banking Mode and attempt to access your banking. When you reach the error pop-up, use nslookup to note the www1.royalbank.com address numbers again.
      They will probably be different: I just tried nslookup www1.royalbank.com a second time, and the result is
      Non-authoritative answer:
      Name:    www1.royalbank.com
      Address: 142.245.40.233
      Different, which only shows that RBC is just using some kind of round-robin DNS to balance the load among several of its customer service web servers. (My bank probably does load balancing too, but the IP addresses don't change, and OA banking mode does work well--PayPal also works.) I don't know if that kind of round-robin technique is compatible with OA banking mode, since OA's trusted DNS server will make its own DNS lookup of www1.royalbank.com and may receive yet another, different result! So that's as much as I can help you, I'm afraid...
  15. Some ISPs tweak their DNS infrastructure so that the standard "domain not found" answer to a lookup (NXDOMAIN, if I remember correctly) is replaced by a redirect to a search portal (Bing, Yahoo, etc.) that allows the ISP to earn click-through money (or some other traffic recompense). Also, any ISP can just throw together a bunch of Linux servers, configure the DNS servers to accept queries, and call it a day--I'm exaggerating, of course. But public DNS servers, like the ones Google makes available at 8.8.8.8 and 8.8.4.4, can also play a role in keeping customers out of known malware or hijacked domains, ensure that their cache is not poisoned by careful monitoring, etc. Your ISP DNS will probably be a tiny bit faster (although that is debatable in the case of Google; they've massively deployed it across their network). One of the things Online Armor might look into is embedding a Secure DNS (DNSSEC) client in the program as the trusted DNS; most of the top-level domains have this infrastructure already in place, I believe; this would do the trusted name resolution entirely through cryptographically secured lookups. No need any longer for an Online Armor trusted DNS service.
  16. I'm sure CatPrincess was just abbreviating the fact that most people just take the DNS service provided by their ISP (normally through the usual DHCP mechanism when they set up their Internet connection) without further ado.
  17. I've always wondered why can't Emsisoft provide a proper offline help file in the OA installation, so that people can actually learn about the software, even without internet access?
  18. I've always wondered how the DNS spoofing protection in Banking mode is actually implemented: does OA store the DNS hostnames & actual IP addresses of "Protected" sites provided by the Trusted DNS? If so, then there may be a problem when the user's default DNS servers yield a different DNS lookup result than OA's Trusted DNS does, because the authoritative DNS server for a host may give a result that depends on the origin of the query: e.g., a query from Europe may direct the browser to the bank's European host servers, while a query from Canada may direct to the bank's North American servers, all with the intent to provide faster response times for online banking customers depending on where they are located. I've seen this kind of discrepancy between OA's Trusted DNS result and your usual DNS server result when attempting to use OA in Banking mode on www.ebay.com (after all, www.ebay.com does want your money...): several popups stating that normal DNS and Trusted DNS don't agree on IP lookups, hence suspicion of DNS spoofing. Well, I'm assuming this was because www.ebay.com has geographically localized server infrastructure around the world. I dropped the attempt, especially as the learn process for www.ebay.com was adding dozens of "Trusted" sites to my web site list, not all of them under eBay's direct corporate control. (But banking mode does seem to work with PayPal...)
  19. This is really good advice: I tried updating Vista --> Windows 7 with OA still installed, just to see if everything would "just work". Of course, it did not. Reinstalling OA in exactly the manner CatPrincess has explained (2 reboots after uninstalling, before installing anything) solved the problem. It shouldn't even be necessary to manually delete the remaining traces of Online Armor in the "Programs" folder. Also, adjusting file/directory permissions, or running OA in compatibility mode, is certainly going to cause problems: just let it run normally in Windows 7.