
Some questions and paranoia



I have a few questions and worries about my Online Armor installation.  Please excuse me if they are naive questions, as I am not a computer expert.  I want to make sure these things are normal, that nobody is sharing my internet connection, and that there are no security holes.  

 

Thank you in advance for any help you can give. 

 

1.  On the Online Armor Firewall Status page, the graphs often show activity, inbound and outbound data and connections, even when there is nothing showing in the "Active Connections" list.      

 

2.  "System"  and multiple instances of "svchost.exe" are almost continually present in the "programs" list below the graphs, even when there are no active connections shown below in the "Active Connections" list.  

 

3. The System program (which uses a lot of CPU according to Process Explorer even though it never shows up in the Active Connections list), shows ports 139 (netbios-ssn), 445 (microsoft-ds), and 2869 (ms-icslap).  Are these safe?

 

4.  At the top of the Online Armor Firewall Status page (in the dark blue header bar) where the IP address of my computer is supposed to be listed, there are two IP addresses.  One I think is the IP address of my computer. The other is an address that I looked up, and it belongs to my ISP.  Is this normal to have TWO addresses there? I am concerned, because I looked up a screenshot of Firewall Status Page on one of the Online Armor help pages, and the example given there showed only one IP address. 

 

5.  On the "Firewall Settings" page, under the "Computers" tab, there are multiple computers listed in addition to the router gateway. The first entry says Wireless Network Connection (my computer, right?).  It is followed by (I think) the router address, and then other computers. 

 

Are these computers the computers in my house using the router?  We do have several computers in the house.  Is it normal for them to have ending address numbers ranging from 103 to 105 but then skip to 109?    I don't think we have had nine computers connected to this network, even over time.   Perhaps it is possible if you count people who visited briefly and brought guest computers - I'm not sure.  This concerns me, that the most recent computer added to the network (just a week ago) has such a high ending number. 

 

6.  When I am using my Firefox browser, the "Active Connections" list shows two separate TCP connections to my localhost.  The same thing happens if I am using my Thunderbird email client.  Is this normal? 

 

7.  I get a lot of kernel messages in the Firewall that look something like this:  OADriver:  OB_OPERATION_HANDLE_CREATE...   with numbers and letters and "code" following it.  Is this normal to get these messages? 

 

8.  I generally set my wireless internet connection to "Public" because I don't want any sharing between computers even in my house, and I am paranoid about intrusions.   Does this have any bearing on what I described above, re: the list of computers on my network?  

 

9.  I am unable to turn off Network Discovery and File and Printer Sharing in Windows 7, no matter whether the connection is set as Public or Private.  I am able to change the settings, but they revert to "On" as soon as I have set them.   Looking up the problem online led me to several pages where people were attributing that problem to whatever firewall was being used.   What can I do to turn off Network Discovery and File and Printer Sharing? 

 

 

I am sorry if these questions are unclear or paranoid.  I am hoping you can help me rule out intrusions and understand why there is so much activity on these graphs, when nothing is in the "Active Connections" list.  Thank you so much for helping me. 


1.  On the Online Armor Firewall Status page, the graphs often show activity, inbound and outbound data and connections, even when there is nothing showing in the "Active Connections" list.      

 

2.  "System"  and multiple instances of "svchost.exe" are almost continually present in the "programs" list below the graphs, even when there are no active connections shown below in the "Active Connections" list.

The information on the Firewall Status page, such as "Active Connections", often doesn't appear to show accurate data. I recommend using a program such as TCPView from Microsoft to verify whether or not there are any active network connections.

3. The System program (which uses a lot of CPU according to Process Explorer even though it never shows up in the Active Connections list), shows ports 139 (netbios-ssn), 445 (microsoft-ds), and 2869 (ms-icslap).  Are these safe?

Ports 139 and 445 are related to Windows networking. Port 2869 is related to things like the Windows Firewall and Internet Connection Sharing. The first two are safe for internal networks only, and are very dangerous to expose to the Internet. The last one shouldn't be a serious threat, however it should be blocked by default rather than being allowed to be open.

4.  At the top of the Online Armor Firewall Status page (in the dark blue header bar) where the IP address of my computer is supposed to be listed, there are two IP addresses.  One I think is the IP address of my computer. The other is an address that I looked up, and it belongs to my ISP.  Is this normal to have TWO addresses there? I am concerned, because I looked up a screenshot of Firewall Status Page on one of the Online Armor help pages, and the example given there showed only one IP address.

Are you sure that the second address isn't your IPv6 address? Are the numbers separated with periods like the first address, or are they separated with colons?

5.  On the "Firewall Settings" page, under the "Computers" tab, there are multiple computers listed in addition to the router gateway. The first entry says Wireless Network Connection (my computer, right?).  It is followed by (I think) the router address, and then other computers. 

 

Are these computers the computers in my house using the router?  We do have several computers in the house.  Is it normal for them to have ending address numbers ranging from 103 to 105 but then skip to 109?    I don't think we have had nine computers connected to this network, even over time.   Perhaps it is possible if you count people who visited briefly and brought guest computers - I'm not sure.  This concerns me, that the most recent computer added to the network (just a week ago) has such a high ending number.

Yes, those are other computers/devices that are connected to your local network.

The addresses are normal. Gaps can happen because of the way a router assigns addresses (not every router handles what address to assign each computer the same way).

6.  When I am using my Firefox browser, the "Active Connections" list shows two separate TCP connections to my localhost.  The same thing happens if I am using my Thunderbird email client.  Is this normal?

It can be depending on what ports are open. TCPView will give you a much more detailed view of what is going on.

7.  I get a lot of kernel messages in the Firewall that look something like this:  OADriver:  OB_OPERATION_HANDLE_CREATE...   with numbers and letters and "code" following it.  Is this normal to get these messages?

Where are you seeing these messages?

8.  I generally set my wireless internet connection to "Public" because I don't want any sharing between computers even in my house, and I am paranoid about intrusions.   Does this have any bearing on what I described above, re: the list of computers on my network?

You can select to not trust other computers on your network in Online Armor, however they will still be able to see each other and ping each other.

9.  I am unable to turn off Network Discovery and File and Printer Sharing in Windows 7, no matter whether the connection is set as Public or Private.  I am able to change the settings, but they revert to "On" as soon as I have set them.   Looking up the problem online led me to several pages where people were attributing that problem to whatever firewall was being used.   What can I do to turn off Network Discovery and File and Printer Sharing?

I am not aware of the firewall causing this issue, however you can try uninstalling Online Armor and restarting the computer a couple of times (to ensure that everything has been removed) in order to test to see if it is indeed the cause.

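The reply above recommends verifying listeners and connections with TCPView rather than trusting the firewall's status page. The script below is an added example (not from the thread, Online Armor, or Emsisoft) that does the same check from the operating system itself with tools that exist on Windows 7: it parses `netstat -ano`, resolves each owning PID with Get-Process, classifies who can reach each socket from its bind address, and flags the ports the thread asks about (139, 445, 2869) together with the rest of the NetBIOS/RPC set that normally accompanies them. The netstat text at the bottom is a constructed sample so the parser can be tried without admin rights; the port descriptions and the process names it would resolve are the only assumptions.

```powershell
# Added example, not code from the forum thread or from Online Armor/Emsisoft.
# Audits listening sockets on a Windows 7 machine from netstat -ano output and
# flags Windows-networking ports. Same data TCPView shows, taken from the OS.

# Ports discussed in the thread plus the NetBIOS/RPC ports that go with them.
$PortsOfConcern = @{
    135  = 'RPC endpoint mapper'
    137  = 'NetBIOS name service'
    138  = 'NetBIOS datagram service'
    139  = 'NetBIOS session service (netbios-ssn)'
    445  = 'SMB over TCP (microsoft-ds)'
    2869 = 'UPnP device host / ICS (ms-icslap)'
}

function Get-ListeningSockets {
    # Pass -NetstatText to analyse captured output; omit it to run netstat here.
    param([string[]]$NetstatText)

    if (-not $NetstatText) { $NetstatText = netstat -ano }

    foreach ($line in $NetstatText) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }                 # blank and title lines
        $proto = $f[0]
        if ($proto -ne 'TCP' -and $proto -ne 'UDP') { continue }   # header line
        # A TCP socket is reachable only when LISTENING; a bound UDP socket has
        # no state column and is always reachable.
        if ($proto -eq 'TCP' -and $f[3] -ne 'LISTENING') { continue }

        $endpoint = $f[1]
        $colon    = $endpoint.LastIndexOf(':')           # last colon: IPv6 safe
        $address  = $endpoint.Substring(0, $colon)
        $port     = [int]$endpoint.Substring($colon + 1)
        $ownerPid = [int]$f[$f.Count - 1]                # PID is the last column

        # Wildcard binds are what matters on a shared wireless network.
        $reach = switch ($address) {
            '0.0.0.0'   { 'ALL interfaces' }
            '[::]'      { 'ALL interfaces (IPv6)' }
            '127.0.0.1' { 'loopback only' }
            '[::1]'     { 'loopback only (IPv6)' }
            default     { "interface $address" }
        }

        # PID 4 resolves to "System", which is what the thread sees on 139/445/2869.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = '(unknown PID)'
        if ($proc) { $name = $proc.ProcessName }

        $concern = ''
        if ($PortsOfConcern.ContainsKey($port)) { $concern = $PortsOfConcern[$port] }

        New-Object PSObject -Property @{
            Proto   = $proto
            Port    = $port
            Address = $address
            Reach   = $reach
            PID     = $ownerPid
            Process = $name
            Concern = $concern
        }
    }
}

# Constructed sample in netstat -ano format (not a real capture). Remove the
# -NetstatText argument below to audit the machine you are sitting at.
$Sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49153        127.0.0.1:49154        ESTABLISHED     3120
  TCP    192.168.1.103:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.103:2869     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:3702           *:*                                    1204
  UDP    192.168.1.103:137      *:*                                    4
'@ -split "`r?`n"

Get-ListeningSockets -NetstatText $Sample |
    Sort-Object Proto, Port |
    Format-Table Proto, Port, Address, Reach, PID, Process, Concern -AutoSize
```

The ESTABLISHED loopback row in the sample is dropped on purpose: it is the kind of "two TCP connections to localhost" a browser or mail client makes to itself and is not reachable from the network. Anything in the Concern column whose Reach is "ALL interfaces" or the wireless adapter's address is what the next reply means by Windows networking ports that should not be reachable from an untrusted LAN.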

Thank you very much for your replies.  Here are my responses: 

 

 

The information on the Firewall Status page, such as "Active Connections", often doesn't appear to show accurate data. I recommend using a program such as TCPView from Microsoft to verify whether or not there are any active network connections.

 

Thank you for clearing that up and for the suggestion.  Do you know if this is something Emsisoft is working on or will be able to fix in the future, so the information is more accurate? 



Ports 139 and 445 are related to Windows networking. Port 2869 is related to things like the Windows Firewall and Internet Connection Sharing. The first two are safe for internal networks only, and are very dangerous to expose to the Internet. The last one shouldn't be a serious threat, however it should be blocked by default rather than being allowed to be open.

 

Thank you. 


Are you sure that the second address isn't your IPv6 address? Are the numbers separated with periods like the first address, or are they separated with colons?

 

They are periods in both.  The first number is the same number at the top of the list of computers I mentioned before, listed as "Wireless Internet Connection."  Is that just my computer (192.168.1.XXX)?  The second number, I figured out by searching, is my own IPv4 address.  I do not use an IPv6 connection (I unchecked that box in the adapter properties). Does that make sense, or is it normal, to have the computer number and then the IPv4 address listed up there? 


Yes, those are other computers/devices that are connected to your local network.

The addresses are normal. Gaps can happen because of the way a router assigns addresses (not every router handles what address to assign each computer the same way).

 

Thanks for the reassurance. 



It can be depending on what ports are open. TCPView will give you a much more detailed view of what is going on.

 

Okay, I will try that. 



Where are you seeing these messages?

 

They appear under "History."   There are new messages this morning: 

 

Firewall:  Automatic decision.   svchost.exe (?)  Outgoing RAW access allowed   (not sure what the question mark signifies?)

 

and

 

Program Guard:  kernel event OADriver:  Load:  \REGISTRY\USER

 

 

You can select to not trust other computers on your network in Online Armor, however they will still be able to see each other and ping each other.

I have untrusted them and they now appear in red.  

I am not aware of the firewall causing this issue, however you can try uninstalling Online Armor and restarting the computer a couple of times (to ensure that everything has been removed) in order to test to see if it is indeed the cause.

 

If I uninstall and reinstall, is there a way to save my current settings for ports and programs, etc., so that they can be automatically applied after I reinstall, instead of having to go through and set them all over again?   Or maybe that would defeat the purpose if I have something set wrongly that is causing this problem?   How worried should I be about this if I want nothing shared?   

 

Also, is there anything else you can recommend I do to make sure my computer functions as a stand-alone computer as much as possible,  unreachable by anyone remote, even on a Wireless network that other computers use, too?  I have disallowed remote connections under Computer properties...

 

 

Thank you very much for your patience and help.  I appreciate it very, very much. 


Do you know if this is something Emsisoft is working on or will be able to fix in the future, so the information is more accurate?

We developed a new firewall SDK for our new Emsisoft Internet Security, and we intend to integrate that into Online Armor some time after Emsisoft Internet Security is finally released to replace Online Armor's current firewall engine. I'm not certain how much of the information displayed on the firewall status screen will change when that happens, however anything that has to do with the firewall should have some changes made to at the very least make it compatible with the new firewall SDK.

They are periods in both. The first number is the same number at the top of the list of computers I mentioned before, listed as "Wireless Internet Connection." Is that just my computer (192.168.1.XXX)? The second number, I figured out by searching, is my own IPv4 address. I do not use an IPv6 connection (I unchecked that box in the adapter properties). Does that make sense, or is it normal, to have the computer number and then the IPv4 address listed up there?

Yes, the "Wireless Internet Connection" is the network device in your computer that is assigned the 192.168.1.xxx address.

The other address should be your modem/router's address on the Internet. These devices often hide your internal network from the Internet using Network Address Translation (NAT), and that is why your computers all have different addresses than what your modem/router is being assigned by your Internet Service Provider.

They appear under "History." There are new messages this morning:

Firewall: Automatic decision. svchost.exe (?) Outgoing RAW access allowed (not sure what the question mark signifies?)

and

Program Guard: kernel event OADriver: Load: \REGISTRY\USER

The question mark is a link to the Online Armor website to see information about the program. The "OADriver: OB_OPERATION_HANDLE_CREATE" messages are normal, as creating handles is a fairly normal thing for programs to do.

If I uninstall and reinstall, is there a way to save my current settings for ports and programs, etc., so that they can be automatically applied after I reinstall, instead of having to go through and set them all over again? Or maybe that would defeat the purpose if I have something set wrongly that is causing this problem? How worried should I be about this if I want nothing shared?

In Online Armor's "Options" there is a Backup/Restore tab where you can save your settings and rules, and import them again after the reinstall.

Also, is there anything else you can recommend I do to make sure my computer functions as a stand-alone computer as much as possible, unreachable by anyone remote, even on a Wireless network that other computers use, too? I have disallowed remote connections under Computer properties...

Blocking Windows networking ports is the biggest thing, as well as disallowing remote connections. As long as your local network and the computers on it aren't trusted, Online Armor shouldn't allow anything from them to access your computer automatically.

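The last reply says blocking the Windows networking ports and untrusting the local network is the biggest step. The script below is an added example (not from the thread, Online Armor, or Emsisoft) of doing that at the operating-system level on Windows 7, so the machine offers nothing to other computers on the wireless network regardless of what any third-party firewall rule says. It goes beyond the reply in one way: besides Windows Firewall rules it also stops the services that own ports 139, 445 and 2869 and disables NetBIOS over TCP/IP, so nothing is listening in the first place. It assumes an elevated PowerShell prompt, English Windows (the firewall rule-group names are localized on other languages), and that the machine does not need to share files or act as a media/UPnP device.

```powershell
# Added example, not code from the forum thread or from Online Armor/Emsisoft.
# Run from an elevated Windows PowerShell prompt on Windows 7. Assumptions:
# English rule-group names; no file sharing or UPnP needed on this machine.

# 1. Windows Firewall: drop every inbound connection no rule explicitly allows,
#    on all three profiles (Public, Private, Domain). This only has effect while
#    Windows Firewall is ON; a third-party firewall that registered itself may
#    have switched it off, which the State line of "show allprofiles" reveals.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall show allprofiles | Select-String 'Profile Settings', 'State', 'Firewall Policy'

# 2. The two toggles in "Advanced sharing settings" correspond to these rule
#    groups; disabling the groups is what the UI does when it works.
netsh advfirewall firewall set rule group="Network Discovery" new enable=No
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No

# 3. Explicit inbound block rules as a backstop. In Windows Firewall a block
#    rule takes precedence over any allow rule for the same traffic.
netsh advfirewall firewall add rule name="Block inbound NetBIOS/SMB/UPnP (TCP)" `
    dir=in action=block protocol=TCP localport=135,137,138,139,445,2869
netsh advfirewall firewall add rule name="Block inbound NetBIOS (UDP)" `
    dir=in action=block protocol=UDP localport=137,138

# 4. Close the listeners themselves; this does not depend on any firewall.
#    LanmanServer = the Server service, the SMB file-sharing side on 445/139.
#    upnphost + SSDPSRV = UPnP Device Host and SSDP Discovery; upnphost listens
#    on 2869 through http.sys, which is why netstat attributes it to "System".
foreach ($svc in 'LanmanServer', 'upnphost', 'SSDPSRV') {
    Set-Service -Name $svc -StartupType Disabled
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
}

#    NetBIOS over TCP/IP provides 137-139. TcpipNetbiosOptions: 0 = from DHCP,
#    1 = enable, 2 = disable. Applied to every IP-enabled adapter; this also
#    ends \\COMPUTERNAME browsing, which is the intent here.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { [void]$_.SetTcpipNetbios(2) }

# 5. Verify. Port 445 may only disappear after a reboot once the Server
#    service is disabled; anything still printed here needs a second look.
netstat -ano | Select-String ':(135|137|138|139|445|2869)\s'
```

Step 4 is the part that does not care whether the Network and Sharing Center toggles revert, since a service that is not running cannot accept connections no matter what a rule says; re-enable LanmanServer later if the machine ever does need to share a folder or printer.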

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...