iWarren
Member
Content Count: 138
Days Won: 1

Everything posted by iWarren

  1. I'd like to point out, everything works as it should if I don't touch the firewall enable/disable setting. It connects to the internet and stays connected; the firewall also works the way it should. It's when I disable/enable the firewall again that it stays in the stopped state. At this point the firewall doesn't work, and the connection eventually drops out.
  2. 1. I disabled the firewall
     2. Rebooted
     3. Opened Emsisoft (you can see the firewall is disabled)
     4. Opened Device Manager (Emsisoft WFP Filter says it is Started)
     5. Opened DebugView from the Microsoft Sysinternals Suite (monitoring all events / kernel / win32 instructions)

     1. Enabled Firewall in EIS
     2. Closed Device Manager Properties and re-opened it to read the current status (it still says Started)
     3. DebugView, the way I read it, showed no change in services, which is also why "Request queue is empty"

     1. Disabled Firewall in EIS
     2. Closed Device Manager Properties and re-opened it to read the current status (it now says Stopped)
     3. DebugView indicates calls were made to services to disable fwwfp and sets the status code to zero (i.e. disabled)

     1. Activated Firewall in EIS
     2. Closed Device Manager Properties and re-opened it to read the current status (it still says Stopped)
     3. DebugView doesn't appear to have made a call to start the service again.

     At this stage, I can not connect to any websites, and I also believe this is related to why my internet drops out (as svchost times out on connecting). Even after I restart the fwwfp service manually from Device Manager, I have to reboot in order to connect to the internet. I am using Version 10.0.0.5532. I have reinstalled twice, rebooting twice in between installations. I have reset settings to Factory Defaults several times.
  3. I had uninstalled/installed a couple of days ago, and the version I'm using is 10.0.0.5532. Under Protection -> Firewall, at the bottom right is a button that says "Automatic rule settings", which opens up a window called "Advanced Firewall Settings" allowing you to Allow/Block/Ask whether a connection is allowed by default.
  4. That doesn't really address the problem. That falls into the "automatic rule settings", which I changed to "ask" to prompt me to create the rules. Ever since the update on July 8th, I've consistently had to reset Factory Defaults, as well as re-initialize the Firewall. I've had 3 BSODs (something to do with the kernel_ data), and I've had "Application Rules" that should have applied, but didn't... and then when I deleted the program and added the rule they seemed to work. I also had the GUI crash several times yesterday; once, while resetting factory defaults, the app hung. Then I had an error where I'd click on "Settings" and then on "Protection", and the Settings menu overlaid on top of the Protection menu. All of these incidents occurred after a fresh install, and all of my troubles started from that one update on July 8th. I truly appreciate any troubleshooting / tech support you can provide, but please don't respond with an automated message, as this is not an issue of resetting defaults, restarts or reinstalls.
  5. I still don't think the firewall is working correctly... I loaded factory defaults for Global Firewall Rules and it was able to connect, asking me for the appropriate allowances to connect: svchost asking for 67-68 and 80, 443, and then having no rules set... For MSDTC.exe (which connects to a remote computer) using port 3389, it was still allowing the rule, when it should have been blocked by the first 2 default firewall settings. I deleted the program MSDTC.exe from the list and let it connect again... which then prompted me if I wanted to allow/block. I blocked it, and that seemed to work. I think the issue is, somewhere along the line, the behaviour blocker isn't deleting the rule in its internal listing, so it still allows it, even when the rule has been removed from the listing. I can not reproduce the error, but it seems that sometimes what it's allowing/blocking isn't always what's being displayed in the firewall settings.
  6. Managed to get it to work by loading factory defaults, and then just allowing connection attempts as they arise. For some reason it didn't like my custom rules... although they appear to be the same as what was set up. Not sure what's going on there.
  7. Yeah, it's still acting up. It connects because I think it isn't blocking anything, and then when I turn the firewall on/off, it starts blocking again. But then after it's reinitialized, it kicks me off the internet again.
  8. I reinstalled and that definitely cleared up some issues. It told me to install Windows6.1-KB2958399-x86, and then Microsoft sent me on a goose chase to find the file, emailing me a link to their website for download... and then I kept getting "500 server not found" errors. Then an hour later the file becomes available... and the self-extractor doesn't look like your typical Windows extraction tool. All that aside... I can now connect. I tried loading my old settings, and it started to disconnect again, so I cleared all the settings and started new. I think part of the problem was... I may have been blocking Router Advertisements, as I wasn't allowing any ICMPs on a private network. Private network I assume is defined as 192.168.0.1 and local IP ranges? Also... I couldn't get it to work without having it allow TCP/UDP on the Private network; when I try to insert 0-65535 in the blank, it doesn't seem to work, but when I leave the port rule empty, it seems to work. At least it's working, though I kind of had other plans for my day instead of troubleshooting the firewall :|
  9. Last night there was an update that required a restart. I rebooted, and there was a notification that I would have to reset some rules. I'm afraid I didn't get a clear look at the notification, so I can't tell you more. After the update though, my internet couldn't connect unless the firewall was disabled. This morning I've spent hours trying to get it back up again; I tried exporting/importing my settings to perhaps re-initialize it, with no success. Then I cleared all settings to factory default. Still it won't connect; I input the same rules as I always have, and nothing. I started Wireshark to see if I could ascertain what was going on. If I disable the firewall it connects instantly, and here is a successful connection attempt:

     0.0.0.0 (68) -> 255.255.255.255 (67) (DHCP)
     Network Adapter -> BROADCAST
     ROUTER -> Network Adapter (ARP)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     Network Adapter -> BROADCAST (ARP)
     ROUTER -> Network Adapter (ARP)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 224.0.0.252 (5355) (LLMNR)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 192.168.0.1 (53) (DNS)
     Network Adapter -> BROADCAST
     ROUTER -> Network Adapter

     Then it picks up with a series of DNS requests. I see some communications on port 443, which I believe is svchost establishing a network connection; then it's business as usual with some DNS, a couple of ARP packets, and LLMNR (5355), which I believe is name resolution for the computer's workgroup name. With the firewall enabled, 'Network and Sharing Center' indicates "Identifying . . ." and hangs there for a couple of minutes before connecting... and then 10 seconds later it drops the connection. I've had a similar situation in the past when svchost wasn't allowed to connect to 80, 443 in the initial stages of the connection attempt. (Not saying that's what it is, but that's what the situation acts like.)

     With the firewall enabled this is what happens:

     0.0.0.0 (68) -> 255.255.255.255 (67) DHCP
     Network Adapter -> Broadcast (ARP)
     Network Adapter -> Broadcast (ARP)
     Network Adapter -> Broadcast (ARP)
     Network Adapter -> Broadcast (ARP)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 224.0.0.252 5355 (LLMNR)
     192.168.0.2 -> 224.0.0.252 5355 (LLMNR)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     0.0.0.0 (68) -> 255.255.255.255 (67)
     0.0.0.0 (68) -> 255.255.255.255 (67)
     0.0.0.0 (68) -> 255.255.255.255 (67)
     0.0.0.0 (68) -> 255.255.255.255 (67)
     0.0.0.0 (68) -> 255.255.255.255 (67)
     Network Adapter -> BROADCAST
     ROUTER -> Network Adapter (ARP)   <--- here it finally responds to the ARP request.
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     Network Adapter -> BROADCAST
     ROUTER -> Network Adapter (ARP)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)
     192.168.0.2 -> 224.0.0.252 5355 (LLMNR)
     192.168.0.2 -> 224.0.0.252 5355 (LLMNR)
     192.168.0.2 -> 192.168.0.1 (53) (DNS)
     Network Adapter -> BROADCAST
     ROUTER -> Network Adapter (ARP)
     192.168.0.2 -> 224.0.0.22 (IGMPv3)

     Network Sharing Center indicates it has a Network+Internet connection at this point. Then it makes about 20 attempts at DNS, then Network Sharing Center drops the connection and goes back to identifying. So it's somewhere between the point of DNS and svchost.exe not securing a connection on 443 or 80, is my guess. Also, it's not my connection rules, because I've tried allowing 0-65535 UDP/TCP and all ICMP, and also tried it with factory defaults for all settings. My next option will be to uninstall the application and go from there. I did read another post by a user that perhaps there's a conflict with Emsisoft and Realtek adapters? I know it all stems from that update last night. Got any ideas? By the way, the typical rules I use are:

     TCP IN 80, 443 (for svchost)
     UDP IN 68 (for router)
     UDP OUT 53, 67 (for DNS and router)

     I used to allow 5355, but I discovered it wasn't required. Then I set up 80, 443 specifically for svchost and block 0-65535. This setup has worked for a long time (until that update).
  10. In the Firewall settings, does leaving the "Ports" entry blank mean the same as entering ports 0-65535?
  11. Hello, I've been using Online Armor for a few years and have found it to be quite useful and easy to use. I was wondering if someone could tell me if there is any forum link (or website) that offers best practices (or a guide) on using Online Armor. For example, here are some questions to be addressed.

     When setting up the firewall:
     * Do you block Windows local ports?
     * Which ports are a good idea to allow?
     * Do you also block all ports 0-65535 as well after allowing specific ports?
     * What are the bare minimum ports required to connect to the internet safely? (This may vary by setup, i.e. do you use a router?)
     * Do you set your network to "Trusted" under Interfaces by default?
     * Do you allow ICMPs of any kind?
     * Endpoint Restrictions (located in the firewall properties of a program): should these be used to contact specific DNS servers?

     When setting up Domains:
     * Shouldn't this be populated with hosts I connect to, or is this specifically for name servers?
     * Are there any best practices for which ones to connect to? (Is it a matter of preference as to which ones you trust? Perhaps local servers which require fewer server hops?)

     When setting up programs:
     * How many of you set up OA to auto-lock with a password? (And would this still be beneficial if the machine was compromised internally, or is it primarily to prevent tampering from physical access to the machine?)
     * OA installs a driver in internet connections; does this provide a role in filtering security? (What would happen if it was disabled?)
     * What role does the OA helper service provide? OA has two services installed: Online Armor and Online Armor helper. If you "unintentionally" block a crucial Windows program, these services may need to be disabled in safe mode, then enabled after a reboot, and then you run OAui.exe to configure the program.
     * What Windows programs are required as a bare minimum to function properly?
     * When the "File Shield" and "Registry Shield" are enabled, what rules should you generally apply?
     * What Autoruns would you ideally like to see listed?
     * Should Emsisoft products (or any products for that matter) be listed and allowed in the Anti-Keylogger?
     * When Windows first starts, how do you know Online Armor is the very first program to boot to ensure its protection?
     * In the Programs property window (i.e. double-clicking a program) there are permissions listed: "Start applications", "Set global hooks", "Physical memory access", "Remote code", "Remote data modification", "Suspend process", "Create executable", "Use DNS API", "Enumerate files", "Direct disk access", "System shutdown". Are there any best practices for allowing some of these permissions? Perhaps a listing of the bare minimum for Windows applications may be in order. This seems like an area most people neglect due to the tediousness of setting each program's permissions.

     Protection: "Restart if terminated", "Protect from termination", "Protect from suspend", "Protect from remote control", "Protect from remote data modification". Another area I believe is overlooked. What programs do you have that utilize this?

     What are good practices when enabling program options?
     * Do you allow OA to automatically trust programs deemed okay by Emsisoft?
     * How many of you enroll in the anti-malware network?
     * Should you clear unknown programs by default?
     * Should you RunSafer unknown programs by default?
     * Should you detect hidden processes?

     Options, Firewall:
     * Should you block all traffic on reboot? Why shouldn't you?

     What I've noticed is that when discovering what to block and allow, a lot of trial and error comes into play. I was thinking a detailed guide on best practices might be in order, and then publicly advertised. I realize with different OSes/machines/routers/unique programs, all of these scenarios will vary, and no one wants to be put in the position of telling someone to block something that was actually vital. However, in the interest of security, I think it would be a good idea to detail what could potentially keep the machine more secure. The machine is only as well protected as the firewall configuration; if you tell it to allow all firewall traffic, and allow all programs, it is almost as secure as no firewall at all. If I'm missing something, or overlooked something, I'd be happy to correct it. Thank you for your time.
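As an added example that is not part of the thread and not Emsisoft's or Online Armor's code, here is a small Python model that checks the flows from the Wireshark capture in post 9 against a ruleset shaped like the "typical rules" described there, and that also shows the difference between a blank Ports field and an explicit 0-65535 asked about in posts 10 and 11. The rule semantics (first match wins, strict direction, blank ports meaning "any, including port-less protocols", block by default) are this model's assumptions, not the product's documented behaviour.

```python
# Added example, not code from the forum thread or from Emsisoft/Online Armor.
# A stateless "first match wins" rule evaluator that checks the flows seen in the
# poster's capture against a ruleset modelled on their "typical rules". Direction,
# blank-port and default-block semantics are assumptions of this model.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    proto: str                      # "tcp", "udp", "igmp", "icmp" or "any"
    direction: str                  # "in", "out" or "any"
    ports: Optional[range] = None   # None models a blank "Ports" field: any or no port

    def matches(self, proto: str, direction: str, port: Optional[int]) -> bool:
        if self.proto not in ("any", proto) or self.direction not in ("any", direction):
            return False
        if self.ports is None:
            return True               # blank ports also matches port-less protocols
        return port is not None and port in self.ports

def evaluate(rules, proto, direction, port=None, default="block"):
    """Return the action of the first matching rule, or the default if none matches."""
    for rule in rules:
        if rule.matches(proto, direction, port):
            return rule.action
    return default

# Ruleset modelled on the poster's "typical rules":
# TCP IN 80,443 ; UDP IN 68 ; UDP OUT 53,67 ; then block 0-65535.
TYPICAL_RULES = [
    Rule("allow", "tcp", "in", range(80, 81)),
    Rule("allow", "tcp", "in", range(443, 444)),
    Rule("allow", "udp", "in", range(68, 69)),
    Rule("allow", "udp", "out", range(53, 54)),
    Rule("allow", "udp", "out", range(67, 68)),
    Rule("block", "any", "any", range(0, 65536)),
]

# Flows constructed from the capture: (protocol, direction, destination port).
# ARP is link-layer and never reaches an IP-level host firewall, so it is omitted.
CAPTURED_FLOWS = {
    "DHCP discover 0.0.0.0:68 -> 255.255.255.255:67": ("udp", "out", 67),
    "DHCP offer router:67 -> host:68": ("udp", "in", 68),
    "IGMPv3 report 192.168.0.2 -> 224.0.0.22": ("igmp", "out", None),
    "LLMNR 192.168.0.2 -> 224.0.0.252:5355": ("udp", "out", 5355),
    "DNS 192.168.0.2 -> 192.168.0.1:53": ("udp", "out", 53),
}

def audit(rules, flows=CAPTURED_FLOWS):
    """Map each captured flow to the verdict the ruleset would give it."""
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}
```

Running `audit(TYPICAL_RULES)` shows DHCP and DNS permitted while the IGMPv3 and LLMNR flows from the capture fall through to the block rule, which is the kind of gap to look at when a host sits in "Identifying" even though the named ports are open.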