
ruirib


Posts posted by ruirib

  1. Thank you for that reply, Fabian. I appreciate the candor, which I have seen in past replies, as well.

     

    My reason to use EAM and OA is to get a double layer, security wise. I am honest, and if I had to go with a single one, I would go with OA instead of EAM, for the simple reason that OA, in what regards HIPS features, is based on whitelisting and I really don't know of a more effective way to fight unknown malware. As good as behavior detection may be, even recent results show that it's not without failures. By going with the new EIS, even with a better firewall, the best OA feature, malware fighting wise, is effectively lost.

     

    I will be contacting support to reverse my decision to convert my EAM + OA licenses into EIS. I do hope you continue to improve OA, as I find the firewall a bit lacking. I guess for the time being I may resort to EAM + OA with no firewall and the native Windows firewall.

     

    Thank you again.

  2. I liked the two separate programs. Malware, and Armor. And knew my way around HIPS.

     

    My question is, does the new EIS give me the same level of protection as the two separate progs?

     

    Thanks

     

    Andrew

    In a way, I am trying to get definitive answers to that. It seems that EIS doesn't do that. There is no whitelist of allowed programs, so the HIPS part seems to be gone. The firewall may be better and clearly the interface seems simpler, but it is a lot less informative. If first impressions are confirmed, I think EIS is clearly different from EAM + OA and it provides one less layer in terms of protection. To be honest, I find the offer to upgrade EAM + OA to EIS to be a bit deceptive, as it implies the packages are identical in function. I found the program whitelist was the OA feature I valued the most and that seems to be lost in EIS.

  3. As stated by the title, is it fair to say that?

     

    If so, what advantages does EIS (whatever the version number is) bring when compared to an EAM + OA combo? And while you are at it, would you state the disadvantages, from the perspective of the manufacturer?

     

    I am running the new EIS version, but seeing the almost complete lack of control over the firewall and the apparent loss of the HIPS features, I am wondering whether I jumped the gun when I upgraded my licenses. That's obviously my fault, of course, but I would still like to know your opinion on the questions above.

     

    Thank you.

  4. I didn't, and I don't think it's a good idea to swap between modes whenever I need to install apps.

     

    Just now I realized that the program guard actually prevented me from pairing with my Bluetooth keyboard.........this is something really annoying, at least a notification should have come out to let me know if that blocked the action, instead of showing nothing.

     

    For certain, it won't be much of an issue for me as I seldom further modify my system after it has settled;

    but for many other Windows 8.1 users, I believe it will take a while until they have figured out that is the Online Armor Program Guard blocking them from pairing their mice and keyboards, or installing any Windows Apps. This could really be something that drives them away.

     

    You are really seeing the effect of the ill-conceived dual nature of the Windows 8 UI. I can bet that when you are trying to add an app, if you move the mouse to the top left corner, you will see OA asking for your input. Should the notification show on the Windows 8 tiled interface? I am not an expert on what Windows 8.x allows in terms of what non-Windows 8 metro apps can use for notification, but I haven't seen such an app showing notifications when you are in the metro UI.

     

    That said, the advice given is a good one. You know when you are going to install apps, so if you are really keen on them, setting OA in learning mode is not hard to do. You can also use the mouse as I described whenever you install an app, because you know OA will ask for permission to go on.

     

    I am a long time OA user, using it currently in a laptop that started with Windows 8.0 and is now running the latest Windows 8.1.

  5. Fabian,

     

    Thank you for your replies. I think there is no point in debating every single point you made, since we would disagree. I think I have stated my concerns and you have provided your views in a clear manner.

     

    I think I will agree with you on that initial statement about OA not being known for being an excellent firewall. That seems clear, now. I hope EIS is a better solution, in that respect.

     

    Regards

  6. Which is already an enterprise scenario.

     

    Well, it may be a matter of semantics, but I would call it more of a power user scenario. Any user with a bit more knowledge and a willingness to experiment may install software that communicates over any given port and it should be possible to use OA to protect such ports with minimum effort (or none at all, preferably).

     

     

    In that case Online Armor isn't the product for you. The only aspect trusted and untrusted computers interact with are protected ports. Meaning if you have any server running and allowed it to open a port, this port will be accessible from both trusted and untrusted computers unless the port was specifically set to be restricted. You can't even create rules manually to do what you want to do in Online Armor at the moment, which brings me back to my previous statement that rule creation in Online Armor's firewall is very limited. So you can't create rules manually to get the result you want in Online Armor by specifically dropping all incoming packets from a given network except if they were sent from specific IPs in your network. 

     

    Damn, wish you would have told me that about 5 years ago, been wasting license money all this time :).

     

    Emsisoft Internet Security will allow you to do exactly that by the way:

    [Image: qrQhNZ4.png]

    Using that dialog, you can just create rules to drop all packets from a specific network, before application rules are taken under consideration, except for packets that have been sent from specific computers you trust. That's the first time anyone has seen that dialog by the way, so consider yourself special ;).

     

    Thanks, I appreciate you showing that. 

     

     

    Except that you won't even get to the PC from the outside in the first place due to the aforementioned prevalence of routers. Even if the system is connected directly to the internet, you need a vulnerable service first that you can access from the outside, which is exceptionally rare for most home users since all Windows default services are already protected. So this leaves you with stuff coming in from a connection initiated by your computer first (like your browser for example), which no firewall will protect you from because a firewall only cares about who and what is sending or receiving packets and not the content of these packets.

    Or just tell them to add RDP to their protected port list. Which will fix the issue you are referring to. If they even use RDP, which they most likely won't because TeamViewer and Co. are just so much more hassle free since they just work and don't require ugly port forwarding rules :).

     

    So if we add RDP to the list, you will find a different port that is not on it. And you can apply the same arguments to that new port as well. And another one, and another one. The default ruleset covers exactly that: The defaults. RDP is not a default. If you try to take into account all possible services the user may enable or install, you quickly end up with a convoluted port list containing thousands of entries.

     

    As I said before, many people use laptops out in the wild, with no firewall in between. These users surely want to know their laptops are protected, as well. 

    The user who started this on the Windows Secrets Lounge was already advised to add the RDP port to the protected ports list.

     

    Indeed, full protection would likely mean "protecting" all ports. If that turns out to be expensive, do it the other way around, unprotect used ports. It would be a more economical way of doing things. It would be easy to produce this from the allowed ports list that already exists for each allowed program. Anyway, this discussion may be a bit theoretical now, since you are doing it anew.

     

     

    But even if you somehow come up with a set of guidelines on how to choose which of all the possible ports is worth being added to the restricted port list or not, you still end up with a huge issue: Online Armor Free does not allow access to Advanced Mode which contains the restricted port list. So if there was an Online Armor Free user out there, that does want to use RDP over the Internet (which isn't so far fetched, given that this is the original purpose of RDP), he can't, because only computers and local networks can be marked as trusted. He can't delete the port restriction either, simply because he does not have access to the required menus.

     

    That's a commercial decision, not a technical one. I understand introducing limitations in low cost (or free) versions, but somehow diminishing the feature set of paid versions because of free versions doesn't look that easy to understand. Of course, different configurations could be used for free and paid versions, even with the added maintainability issues - but that is your concern, and it should not affect your customers.

     

     

    Since you are a developer you are also quite aware about how difficult it is to change defaults. Should the defaults be applied to the existing installations as well? This will break any setups that rely on RDP not being restricted. You will understand how big of an issue losing remote access to a system you don't have physical access to can be just because we decided to publish an update that suddenly added RDP to the list of restricted ports. Should we not apply the new default? Then potentially thousands of existing installations will remain "unprotected".

    Bottom line is: Changing the default config is not nearly as easy as you make it out to be.

     

    Users expect continued operation with no (or minimal) disruption, so that should determine what to do. That doesn't mean that giving users the option to choose, let's say, in Advanced Mode, to load a new set of defaults, with adequate warnings, would not be possible.

    Even when you introduce a new product to replace OA (Emsisoft Internet Security may it be) and the product works differently in this respect, some existing users that migrate to the new solution (even if not all), will experience similar situations, so warnings and full clarification of the change in behavior will still be required.

     

    Look, as I said in my opening post, I understand that this goes back to the origin of OA, but this doesn't limit the damage that such a glaring failure from OA can cause.

     

    Again, I thank you for your candor. I think you have provided me with enough info to understand the full scope of the situation. Is there any idea on when the new security product will be on the market?

  7. Actually, both will create default firewall rules to enable remote access to the ports involved. So in fact you don't have to create those firewall rules to allow connections. You need to create them to limit connections, which is the same approach Online Armor takes. That being said, Online Armor is not built for an enterprise environment. We don't even support server versions of Windows officially. So any enterprise scenarios can be dismissed simply based on the fact that the product isn't tailored towards that clientele.

     

    It does provide full stealth by default. Enabling RDP is not the default. That's the point.

    Why do you think only enterprise scenarios would need this? I am a developer, I have MySQL and SQL Server installed both on my desktop and laptop, as I need them for development work. I run my own network at home and I use my laptop in multiple networks. I have my network cards as untrusted in OA and I individually trust machines I want to allow access to my computers. It works fine at home but, in the case of the laptop, I want to use it in whatever networks I intend without need for reconfiguration and I would like it to be stealth and for sure wouldn't want RDP attempts to occur from machines I have not authorized. The purpose of the firewall in OA should include not allowing machines not marked as trusted in networks not marked as trusted to connect to a machine running OA in any way.

     

     

     

     

    Microsoft's stance is the opposite. They actually encourage people to use something other than MSE and see MSE as the bare minimum base line of protection. Just look at Microsoft's reactions to some of the tests.

     

    I have seen different replies in different contexts. One such reply is based on the telemetry data collected by Microsoft, that purportedly shows MSE would be effective in a huge percentage of such "real world scenarios" - the telemetry data is collected from "real" computers spread out through the world. If I was to be reassured by such a reply, I would be using MSE, not EAM.

     

     

    Online Armor's credibility is not that it is an excellent firewall. Quite frankly the firewall part is by far the weakest part of it due to lacking IPv6 support and the fact that it doesn't allow for more complex rules. If you ever tried to create more advanced rules that are possible in almost every firewall product out there, you know what I am talking about. It is also the reason, why we decided to rebuild the firewall core of the upcoming Emsisoft Internet Security suite from scratch instead of just using the Online Armor firewall parts. Online Armor's strength is outbound control as well as the HIPS. Both aspects are far more relevant to home users, which is the target audience for Online Armor, and were completely ignored by the test you are referring to.

     

    Well, I don't see how things can be put that simply. I don't want threats coming in, even if OA is great at stopping them getting out, once they get in. That doesn't make sense to me, I am sorry to say it. I have always seen (and recommended) OA as a great part of a decent security strategy, and I am quite surprised that you are so clearly stating OA's firewall is not that good. I guess I will have to think more carefully whether I can recommend OA, at least for people who will be running it in scenarios where there is no hardware firewall.

     

    I also think your previous statement is a bit contradictory. I don't think home users have very complex needs regarding the creation of firewall rules and OA's firewall should be a good option for such users. It does lack in terms of default config, it seems, but even that could be easily overcome, if you so desired.

     

    As to the credibility, you should be careful about what you say, really. I came here today alerted by a user on the Windows Secrets Lounge that was simply asking if he should switch from OA to something else. Also, the replies on the Wilders Security forum do not seem to follow your reasoning, at least not a relevant part. To me, personally, it does affect OA's credibility to the point that I may have to stop recommending it, which is something I have been doing for many years, at least until a decent reply to the questions raised by the test in question is given.

     

    I thank you for your openness, even if I am not that happy about the apparent weaknesses of OA's firewall.

  8. Technically RDP isn't a threat unless you turn it on (it is off by default in Windows). Also, incoming RDP traffic wouldn't make it past the Network Address Translation on most routers and modems, so this would only be an issue on connections that don't have NAT (such as 3G/4G "mobile broadband" connections).

    On top of that, Windows user accounts are required by RDP by default. If you have a single user account and no password, then it shouldn't work at all (at least on Windows 7). If you have a password, then someone connecting via RDP would need to know it. Obviously the security settings can be changed for the Remote Desktop Service, and there are older and potentially more vulnerable versions of Remote Desktop, however for these things to be changed without your knowledge then an infection would need to bypass the protection of Online Armor's HIPS and your anti-virus software.

    There's also the fact that RDP is one of the most widely used remote access protocols, and blocking it would be unacceptable to a great many people and businesses.

    RDP works fine when part of the restricted ports list and the connecting computer is trusted or the network is trusted. 

     

    The issue is precisely of relevance when you are not behind a hardware firewall, which happens often enough, as it doesn't seem that you want OA to be bought only by those that use it behind a hardware firewall. In such a situation, it would be expected that OA provides complete stealth. Hey, the Windows firewall does it, how is it understandable that OA does not?

     

     

    RDP is off by default. You must turn it on first, which is equivalent to your expressed consent to use RDP. How would bothering you to enable it twice be of any benefit to you?

    It would provide a better degree of control. Your reply applies to multiple situations where you are going to use a firewall. If I want to enable MySQL or SQL Server I need to install such apps and open my firewall to allow connections. I don't see how this is different.

     

    I understand there is a trade off between ease of use and security and the balance is rather delicate. However, having a firewall that does not provide full stealth by default, is not, IMHO, a very good option. You can even argue that OA is configured to deal with most frequent or most likely threats, but that still is not enough. Microsoft's own arguing about MSE, for example, is that it fares well enough in real life situations, as it protects against most likely threats. Should we use MSE over EAM because of that? I doubt that your answer will be yes, and rightly so.

     

    To be honest, this situation is not Emsisoft's fault alone, as much of this situation persists from the time of Tall Emu. I find it rather surprising that you don't see this as a liability, one that can affect OA's credibility. 

  9. It would be interesting to have a reply to the concerns about OA's default configuration here and not on Wilders. This is the place where people that use OA should expect a decent reply to the very disturbing results in AV-Comparatives' test.

     

    I also find Fabian Wosar's reply to the RDP issue (basically confirming RDP access will always be allowed by default, since the RDP port is not part of the restricted ports list) to be quite surprising. How is it acceptable that in its default configuration, OA behaves worse than the native W7 firewall?

    • Upvote 1
  10. OA version 7.0.0.1866 running on both computers. In the destination computer, interfaces are not set as trusted, but both computers are listed as trusted in the other computer's trusted list. I have been running this same setup for a long time (years, actually).

     

    The problem is with accessing SQL Server on the desktop. SQL Server is listed in the allowed list of programs. There is a rule allowing inbound and outbound traffic on the ports used by SQL Server, including port 1433. In spite of all of this, now randomly I am unable to access the server in the desktop, from my laptop. If I disable OA's firewall, I can connect without issues; if I enable it, sometimes I can access SQL Server, sometimes I can't. Right now, I am totally unable to do it, so I am keeping OA's firewall down.

     

    History shows the firewall allowing access, but it's not happening even with OA in learning mode!

     

    I need this solved. Any ideas on how to do it?

     

    Thank you.
