Posts posted by iWarren

  1. After updating to

    I have had lots of firewall issues.


    To start out, all of my previously applied application firewall rules did not work.

    I had to delete my application entries manually and re-apply firewall settings.


    Eventually I just reset everything to factory defaults.


    Then I set the firewall settings to prompt me to allow firewall settings.

    When it would prompt me to allow a port, sometimes I'd go to create a "custom rule" (bottom button)

    and when I tried to apply it, the prompt window would not close and caused an application hang.

    I've had to restart dozens of times because of these application hangs.


    After that, a2start.exe failed to accept any more custom rule changes, and would require a restart to work again.

    Another problem... I would allow a port, and then block 0-65535 underneath it.

    For some reason, this somehow blocked the port I was allowing, and would only work if I removed the 0-65535

    (which leads me to believe it might not be completely blocking everything now)


    Keep in mind, I had absolutely no issues with any of these settings prior to these updates.


    Am I the only one having these sorts of problems?


    I find it frustrating because I'm spending a great deal of time troubleshooting and reapplying my rules

    due to these past 2 months of updates.

  2. Here is my current setup:


    EIS v.


    Windows Services (TCP) - Block - IN/OUT - TCP -
    Public Networks

    Windows Services (UDP) - Block - IN/OUT - UDP -
    Public Networks

    Traffic handled by application rules (TCP/UDP) - According to app rule -
    0-65535 (i.e. blank entry)
    All Networks


    Then I have an added rule:

    "Rule 3389" - Block - IN/OUT - TCP - 3389

    All Networks


    When I need to use port 3389, I move the port below "Traffic handled by app".

    When I don't need to use port 3389, I move the port above "Traffic handled by app".


    The issue is, if I set it as "All Networks", it keeps blocking the "Traffic handled by app"

    regardless of whether it's above or below.


    However if I change it to "Public Networks", it blocks the way it should.


    I say it's an intermittent issue, because yesterday I had this issue, and while trying

    to troubleshoot it, it seemed to start working properly, and I couldn't duplicate

    the results.


    I tried it again today, and the issue was present again.


    Could you verify these results?

  3. I'd like to point out, everything works as it should if I don't touch the firewall enable/disable setting...

    It connects to the internet, and stays connected.

    The firewall also does work the way it should.


    It's when I disable/enable the firewall again that it stays in the stopped state;

    at this point, the firewall doesn't work, and the connection eventually drops out.

  4. 1. I disabled the firewall

    2. Rebooted

    3. Opened Emsisoft (you can see the firewall is disabled)

    4. Opened Device Manager (Emsisoft WFP Filter says it is Started)

    5. Opened DebugView from the Microsoft Sysinternals Suite (monitoring all events / kernel / Win32 instructions)




    1. Enabled Firewall in EIS

    2. Closed Device Manager Properties and Re-opened to read current status (It still says Started)

    3. DebugView, the way I read it, there was no change in services, also why "Request queue is empty"




    1. Disabled Firewall in EIS

    2. Closed Device Manager Properties and Re-opened to read current status (it now says Stopped)

    3. DebugView indicates calls were made to services to disable fwwfp and sets the status code to zero (i.e. disabled)




    1. Activated Firewall in EIS

    2. Closed Device Manager Properties and Re-opened to read current status (it still says Stopped)

    3. DebugView doesn't appear to have made a call to start the service again.




    At this stage, I cannot connect to any websites, and I also believe this is related to why my internet drops out (as svchost times out on connecting).

    Even after I restart the fwwfp service manually from Device Manager, I have to reboot in order to connect to the internet.


    I am using Version


    I have reinstalled twice, rebooting twice in between installations.


    I have reset settings to Factory Defaults several times.

  5. That doesn't really address the problem.


    That falls into the "automatic rule settings", which I changed to "ask" to prompt me to create the rules.


    Ever since the update on July 8th,

    I've consistently had to reset to Factory Defaults, as well as re-initialize the Firewall.

    I've had 3 BSODs (something to do with the kernel_ data) and I've had "Application Rules"

    that should have applied, but didn't... and then when I deleted the program and added the rule

    they seem to work.


    I also had the GUI crash several times yesterday; once, while resetting factory defaults, the app hung,

    and then had an error where I'd click on "Settings" and then on "Protection" and the Settings menu

    overlaid on top of the Protection menu.


    All of these incidents occurred after a fresh install, and all of my troubles started from that one update on July 8th.


    I truly appreciate any troubleshooting / tech support you can provide, but please don't respond with an automated

    message, as this is not an issue of resetting defaults, restarts or reinstalls.

  6. I still don't think the firewall is working correctly... I loaded factory defaults for Global Firewall Rules

    and it was able to connect, asking me for the appropriate allowances to connect:

    svchost asking for 67-68 and 80, 443


    and then, having no rules set... for MSDTC.exe (which connects to a remote computer) using port 3389,

    it was still allowing the rule, when it should have been blocked by the first 2 default firewall settings.


    I deleted the program MSDTC.exe from the list, and let it connect again... which then prompted me if I

    wanted to allow/block. I blocked it, and that seemed to work.


    I think the issue is, somewhere along the line, the behaviour blocker isn't deleting the rule in its internal listing,

    so it still allows it, even when the rule has been removed from the listing.


    I cannot reproduce the error, but it seems that sometimes what it's allowing/blocking isn't always what's being

    displayed in the firewall settings.

  7. I reinstalled, and that definitely cleared up some issues;

    it told me to install Windows6.1-KB2958399-x86

    and then Microsoft sent me on a goose chase to find the file,

    emailing me a link to their website for download... and then I

    kept getting "500 server not found" errors. Then an hour later

    the file becomes available... and the self-extractor doesn't look

    like your typical Windows extraction tool.

    All that aside... I can now connect... I tried loading my old settings,

    and it started to disconnect again, so i cleared all the settings and

    started new. I think part of the problem was... I may have been

    blocking Router Advertisements as I wasn't allowing any ICMPs on

    a private network.

    Private network I assume is defined as and local IP ranges?

    Also... I couldn't get it to work without having it allow

    TCP/UDP on the Private network; when I try to insert 0-65535 in the blank,

    it doesn't seem to work, but when I leave the port rule empty, it seems to work.

    At least it's working, though I kind of had other plans for my day instead of troubleshooting the firewall :|

  8. Last night there was an update that required a restart.

    I rebooted and there was a notification that I would have to reset some rules.

    I'm afraid I didn't get a clear look at the notification so I can't tell you more.


    After the update though, my internet couldn't connect unless the firewall was disabled.


    This morning I've spent hours trying to get it back up again; tried exporting/importing

    my settings to perhaps re-initialize it, with no success.


    Then I cleared all settings to factory default. Still it won't connect; I input the same rules

    as I always have, and nothing.


    I started Wireshark to see if I could ascertain what was going on. If I disable the firewall

    it connects instantly, and here is a successful connection attempt:

    (68) -> (DHCP)

    Network Adapter -> BROADCAST

    ROUTER -> Network Adapter (ARP) ->  (IGMPv3)

    Network Adapter -> BROADCAST (ARP)

    ROUTER -> Network Adapter (ARP) ->  (IGMPv3) ->  (IGMPv3) ->  (IGMPv3) ->  (IGMPv3) -> (5355) (LLMNR) ->  (IGMPv3) -> (53) (DNS)

    Network Adapter -> BROADCAST

    ROUTER -> Network Adapter


    Then it picks up with a series of DNS requests.

    I see some communications on port 443; I believe that's svchost

    establishing a network connection.


    Then it's business as usual with some DNS, a couple of ARP packets, and LLMNR (5355),

    which I believe is name resolution for the computer's workgroup name.


    With the firewall enabled, 'Network and Sharing Center' indicates "Identifying . . ."

    and hangs there for a couple minutes, before connecting... and then 10 seconds later

    it drops the connection.


    I've had a similar situation in the past when svchost wasn't allowed to connect to 80, 443

    in the initial stages of the connection attempt. (Not saying that's what it is, but that's what

    the situation acts like.)


    With the firewall enabled this is what happens:

    (68) -> (67) DHCP

    Network Adapter -> Broadcast  (ARP)

    Network Adapter -> Broadcast  (ARP)

    Network Adapter -> Broadcast  (ARP)

    Network Adapter -> Broadcast  (ARP)> (IGMPv3) -> 5355 (LLMNR) -> 5355 (LLMNR)> (IGMPv3) (68) -> (67) (68) -> (67) (68) -> (67) (68) -> (67) (68) -> (67)

    Network Adapter -> BROADCAST

    ROUTER -> Network Adapter (ARP)  <--- here it finally responds to the arp request.> (IGMPv3)

    Network Adapter -> BROADCAST

    ROUTER -> Network Adapter (ARP)> (IGMPv3)> (IGMPv3)> (IGMPv3) -> 5355 (LLMNR) -> 5355 (LLMNR) -> (53) (DNS)

    Network Adapter -> BROADCAST

    ROUTER -> Network Adapter (ARP)> (IGMPv3)

    Network Sharing Center indicates it has a Network+Internet connection at this point.


    Then it makes about 20 attempts at DNS,

    then Network Sharing Center drops the connection and goes back to identifying.


    So it's somewhere between the point of DNS and svchost.exe not securing a connection on 443 or 80,

    is my guess.


    Also, it's not my connection rules, because I've tried allowing 0-65535 UDP/TCP and all ICMP;

    also tried it with factory defaults for all settings.


    My next option will be to uninstall the application and go from there.


    I did read another post by a user that perhaps there's a conflict between Emsisoft and Realtek adapters?


    I know it all stems from that update last night. Got any ideas?


    By the way... my typical rules I use are:


    TCP IN 80, 443  (for svchost)

    UDP IN 68 (for router)

    UDP OUT 53, 67  (for DNS and router)


    I used to allow 5355 but I discovered it wasn't required.


    Then I set up 80, 443 specifically for svchost and block 0-65535.

    This setup has worked for a long time (until that update).
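The rule layouts in posts 1, 2 and 8 above, checked with a small first-match rule evaluator. This is an added example, not the poster's or Emsisoft's code: it models plain top-down, first-match semantics rather than the product's actual engine, and the rule names, the per-app rule for MSDTC.exe (the program named in post 6) and the block-unknown-app default are constructed for illustration.

```python
# Added example (not the poster's or Emsisoft's code): a first-match firewall rule evaluator.
from dataclasses import dataclass
ALL_PORTS = (0, 65535)  # the "blank entry" / 0-65535 range in the posts

@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "allow", "block", or "app" (defer to the per-app rule)
    direction: str  # "in", "out", or "in/out"
    proto: str      # "tcp", "udp", or "tcp/udp"
    ports: tuple    # inclusive (low, high) port range
    networks: str   # "public", "private", or "all"

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    port: int
    network: str    # "public" or "private"
    app: str

def matches(rule, pkt):
    return (rule.direction in ("in/out", pkt.direction) and rule.proto in ("tcp/udp", pkt.proto)
            and rule.ports[0] <= pkt.port <= rule.ports[1] and rule.networks in ("all", pkt.network))

def evaluate(rules, pkt, app_rules):
    """Top-down, first match decides; "app" defers to the per-app rule (unknown app: block)."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.action == "app":
                return app_rules.get(pkt.app, "block"), rule.name
            return rule.action, rule.name
    return "block", "implicit default"

# The poster's "typical rules" (post 8) followed by the 0-65535 catch-all block.
TYPICAL = [
    Rule("svchost HTTP/HTTPS", "allow", "in", "tcp", (80, 80), "all"),
    Rule("svchost HTTP/HTTPS", "allow", "in", "tcp", (443, 443), "all"),
    Rule("DHCP client", "allow", "in", "udp", (68, 68), "all"),
    Rule("DNS / DHCP", "allow", "out", "udp", (53, 53), "all"),
    Rule("DNS / DHCP", "allow", "out", "udp", (67, 67), "all"),
    Rule("Block everything else", "block", "in/out", "tcp/udp", ALL_PORTS, "all"),
]
APP_RULE = Rule("Traffic handled by application rules", "app", "in/out", "tcp/udp", ALL_PORTS, "all")
RDP_BLOCK = Rule("Rule 3389", "block", "in/out", "tcp", (3389, 3389), "all")
APP_RULES = {"MSDTC.exe": "allow"}  # constructed per-app rule for the program named in post 6

def rdp_decision(block_above_app):
    # Post 2's layout: "Rule 3389" placed above or below the app-rule entry.
    rules = [RDP_BLOCK, APP_RULE] if block_above_app else [APP_RULE, RDP_BLOCK]
    return evaluate(rules, Packet("out", "tcp", 3389, "private", "MSDTC.exe"), APP_RULES)
```

Under these semantics an allow rule placed above a 0-65535 block still wins, and "Rule 3389" only takes effect when it sits above the app-rule entry; a product that behaves otherwise, as the posts describe, is not applying its rule list top-down.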

  9. Hello,

    I've been using Online Armor for a few years and have found it to be quite useful and easy to use.

    I was wondering if someone could tell me if there is any forum link (or website) that offers best
    practices (or a guide) on using Online Armor. For example, here are some questions
    to be addressed.

    When setting up the firewall:

    * Do you block Windows local ports?
    * Which ports are a good idea to allow?
    * Do you also block all ports 0-65535 as well after allowing specific ports?
    * What is the bare minimum of ports required to connect to the internet safely?
      (this may vary by setup, i.e. do you use a router?)
    * Do you set your network to "Trusted" under Interfaces by default?
    * Do you allow ICMPs of any kind?
    * Endpoint Restrictions (located in the firewall properties of a program):
      should these be used to contact specific DNS servers?

    When setting up Domains:

    * Shouldn't this be populated with hosts I connect to, or is this specifically for name servers?
    * Are there any best practices for ones to connect to? (Is it a matter of preference as to which ones
      you trust? Perhaps local servers which require fewer server hops?)

    When setting up programs:

    * How many of you set up OA to auto-lock with a password?
      (and would this still be beneficial if the machine was compromised
      internally, or is it primarily to prevent tampering from physical access to the machine?)
    * OA installs a driver in internet connections; does this provide a role in filtering security?
      (What would happen if it was disabled?)
    * What role does the OA helper service provide?
      OA has two services installed: Online Armor, and Online Armor helper.
      If you "unintentionally" block a crucial Windows program, these services may need to be
      disabled in safe mode, and then enabled after a reboot, and then run OAui.exe to configure the program.

    * What Windows programs are required as a bare minimum to function properly?
    * When the "File Shield" and "Registry Shield" are enabled,
      what rules should you generally apply?
    * What Autoruns should you ideally like to see listed?
    * Should Emsisoft products (or any products for that matter)
      be listed and allowed in the Anti-Keylogger?
    * When Windows first starts, how do you know Online Armor is the very
      first program to boot to ensure its protection?
    * In the Programs property window (i.e. double-clicking a program) there are
      permissions listed:
        "Start applications"
        "Set global hooks"
        "Physical memory access"
        "Remote code"
        "Remote data modification"
        "Suspend process"
        "Create executable"
        "Use DNS API"
        "Enumerate files"
        "Direct disk access"
        "System shutdown"
      Are there any best practices for allowing some of these permissions?
      Perhaps a listing of the bare minimum for Windows applications may be in order.
      This seems like an area most people neglect due to the tediousness of setting each
      program's permissions.
        "Restart if terminated"
        "Protect from termination"
        "Protect from suspend"
        "Protect from remote control"
        "Protect from remote data modification"
      Another area I believe is overlooked. What programs do you have that utilize this?

    What are good practices when enabling program options?

    * Do you allow OA to automatically trust programs deemed okay by Emsisoft?
    * How many of you enroll in the anti-malware network?
    * Should you clear unknown programs by default?
    * Should you RunSafer unknown programs by default?
    * Should you detect hidden processes?
    * Should you block all traffic on reboot? Why shouldn't you?

    What I've noticed is that when discovering what to block and allow, a lot of
     trial and error comes into play.  I was thinking a detailed guide on best practices
     might be in order, and then publicly advertised.

    I realize with different OS's/machines/routers/unique programs, all of these scenarios
    will vary, and no one wants to be put in the position of telling someone to block
    something that was actually vital. However, in the interest of security,  I think it would
    be a good idea to detail what could potentially keep the machine more secure.

    The machine is only as well protected as the firewall configuration,  if you tell it to allow
    all firewall traffic, and allow all programs, it is almost as secure as no firewall at all.

    If I'm missing something, or overlooked something, I'd be happy to correct it.


    Thank you for your time.
