iWarren

Online Armor - Best Practices.


Hello,

I've been using Online Armor for a few years and have found it to be quite useful and easy to use.


I was wondering if someone could tell me if there is any forum link (or website) that offers best
practices (or a guide) on using Online Armor. For example, here are some questions
to be addressed.


When setting up the firewall:

* Do you block Windows local ports?
* Which ports are a good idea to allow?
* Do you also block all ports 0-65535 as well after allowing specific ports?
* What is the bare minimum of ports required to connect to the internet safely?
  (This may vary by setup, i.e. do you use a router?)
* Do you set your network to "Trusted" under Interfaces by default?
* Do you allow ICMPs of any kind?
* Endpoint Restrictions (located in the firewall properties of a program):
  should these be used to contact specific DNS servers?

When setting up Domains:

* Shouldn't this be populated with hosts I connect to, or is this specifically for name servers?
* Are there any best practices for which ones to connect to? (Is it a matter of preference as to which ones
  you trust? Perhaps local servers which require fewer server hops?)

    
When setting up programs:

* How many of you set up OA to auto-lock with a password?
  (And would this still be beneficial if the machine was compromised
  internally, or is it primarily to prevent tampering from physical access to the machine?)
* OA installs a driver in internet connections; does this provide a role in filtering security?
  (What would happen if it was disabled?)
* What role does the OA helper service provide?
  OA has two services installed: Online Armor and Online Armor Helper.
  If you "unintentionally" block a crucial Windows program, these services may need to be
  disabled in safe mode, then enabled after a reboot, and then run OAui.exe to configure the program.
* What Windows programs are required as a bare minimum to function properly?
* When the "File Shield" and "Registry Shield" are enabled,
  what rules should you generally apply?
* What Autoruns should you ideally like to see listed?
* Should Emsisoft products (or any products for that matter)
  be listed and allowed in the Anti-Keylogger?
* When Windows first starts, how do you know Online Armor is the very
  first program to boot to ensure its protection?
* In the Programs property window (i.e. double clicking a program) there are
  permissions listed:

    "Start applications"
    "Set global hooks"
    "Physical memory access"
    "Remote code"
    "Remote data modification"
    "Suspend process"
    "Create executable"
    "Use DNS API"
    "Enumerate files"
    "Direct disk access"
    "System shutdown"

  Are there any best practices for allowing some of these permissions?
  Perhaps a listing of the bare minimum for Windows applications may be in order.
  This seems like an area most people neglect due to the tediousness of setting each
  program's permissions.

  Protection:

    "Restart if terminated"
    "Protect from termination"
    "Protect from suspend"
    "Protect from remote control"
    "Protect from remote data modification"

  Another area I believe is overlooked. What programs do you have that utilize this?


What is good practice when enabling program options?

* Do you allow OA to automatically trust programs deemed okay by Emsisoft?
* How many of you enroll in the anti-malware network?
* Should you clear unknown programs by default?
* Should you RunSafer unknown programs by default?
* Should you detect hidden processes?

Options

Firewall:

* Should you block all traffic on reboot? Why shouldn't you?

What I've noticed is that when discovering what to block and allow, a lot of
trial and error comes into play. I was thinking a detailed guide on best practices
might be in order, and then publicly advertised.

I realize that with different OSes/machines/routers/unique programs, all of these scenarios
will vary, and no one wants to be put in the position of telling someone to block
something that was actually vital. However, in the interest of security, I think it would
be a good idea to detail what could potentially keep the machine more secure.

The machine is only as well protected as its firewall configuration; if you tell it to allow
all firewall traffic and allow all programs, it is almost as secure as no firewall at all.

If I'm missing something, or have overlooked something, I'd be happy to correct it.

 

Thank you for your time.


Hello iWarren,

Here is a link to the Online Armor help: http://help.emsisoft.com/oa/index.shtml

It's a starting point.

You can also search the Online Armor section of the forum. It covers many topics. Link here: http://support.emsisoft.com/forum/53-online-armor/

I suggest you post closely related topics together, with a question in the thread topic header.

Then wait for a response, as Emsi staff are first rate.

Best Regards,

hjlbx


I was wondering if someone could tell me if there is any forum link, (or website) that offers best practices (or a guide) on using Online Armor. For example here is some following questions to be addressed.

The Online Armor help would be a good start.

 

* Do you block windows local ports?

Define local ports. If you mean ports that are only opened on the loopback interface, then no. We don't. They are only accessible to applications running on your system and are used for local inter-process communication. If you mean if we block ports opened by Windows services on non-loopback interfaces, then the answer is partially. Systems you specified as trusted can access them. All other systems can't.

 

* Which ports are a good idea to allow?

The minimal number of ports to get your applications to work properly. What that number is or which ports those are largely depends on your requirements and applications.

 

* Do you also block all ports 0-65535 as well after allowing specific ports?

If there is no rule to allow access, it is automatically blocked. So there is no need to add an additional block rule.

 

* What is the bare minimum ports required to connect to the internet safely?

Depends on your type of internet connection. There is no clear cut reply for that.

 

* Do you set your network to "Trusted" under Interfaces by default?

If it is a trusted network you can set it to trusted and avoid configuring every system in it manually.

 

* Do you allow ICMP's of any kind?

Depending on your settings and the trust settings of the network and systems involved we do. The exact decision tree is quite complex though.

 

* Endpoint Restrictions (Located in firewall properties of a program), should these be used to contact specific DNS servers?

If you can guarantee that none of your applications will ever issue a DNS request to a different server, you can use it for that.

 

* Shouldn't this be populated with hosts I connect to, or is this specifically for name servers?

Neither. It is only used when handling BITS connections, blocking domains or allowing domains while banking mode is enabled. Unless you want to manually block domains or want to use banking mode, you will never have to use it.

 

* How many of you set up OA to auto-lock with a password? (and would this still be beneficial if the machine was compromised internally, or is it primarily to prevent tampering from physical access to the machine?)

It is more to prevent other users using your system from changing settings. A skilled malicious attacker with full administrator rights or physical access to the machine will not be stopped by it.

 

* OA installs a driver in internet connections, does this provide a role in filtering security? (What would happen if it was disabled?)

Online Armor would be unable to perform any packet filtering.

 

* What role does OA helper service provide?

It provides utility functions to the Online Armor service required for Online Armor to work properly.

 

* What Windows programs are required as a bare minimum to function properly?

You will have to ask Microsoft for that. They are the only people who know all internal dependencies.

 

* When the "File Shield" and "Registry Shield" are enabled, what rules should you generally apply?

The rules that you see fit. If you don't know which rules would fit your setup chances are you shouldn't use that feature.

 

* What Autoruns should you ideally like to see listed?

Depends on the software you use.

 

* Should Emsisoft products (or any products for that matter) be listed and allowed in the Anti-Keylogger?

Depends on the products you use. Under default use neither of our products should show up there. There are certain utilities that may cause processes that don't exhibit such behavior on their own to show up in the list.

 

* When Windows first starts, how do you know Online Armor is the very first program to boot to ensure its protection?

You don't. Online Armor can't be the first service that starts as it has various dependencies on other services so those ultimately have to be started before Online Armor.

 

Is there any best practices for allowing some of these permissions?

Enable the minimum required to get the application to run without issues.

 

Another area i believe is overlooked. What programs do you have that utilize this?

Online Armor doesn't set those options on its own for any process. If you have a program that you want to run all the time, you can enable it manually. Which programs to enable it for depends on your personal preferences.

 

* Do you allow OA to automatically trust programs deemed okay by emsisoft?

Most people do.

 

* How many of you enroll in the anti-malware network?

We don't track usage of that function. So there are no numbers about it.

 

* Should you clear unknown programs by default?

If you want to keep your rule set small, you can. It's up to you though. It is not strictly required.

 

* Should you runsafer unknown programs by default?

If you have UAC disabled, it may be a good idea. If you are running Vista or later with UAC enabled it is unnecessary.

 

* Should you detect hidden processes?

Doesn't make too big of a difference nowadays as process hiding rootkits are pretty much dead.

 

* Should you block all traffic on reboot? Why shouldn't you?

It may interfere with your ability to log on to your system (network based logins) or your network connectivity. So it is dependent on your setup.

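As an added illustration (not Online Armor's own code and not part of this thread), the following Python models the inbound decision logic the answers above describe: loopback-only ports are left alone, systems in a network marked Trusted can reach Windows service ports, an explicit allow rule opens a port, and everything else is denied by default so no separate block-all rule is needed. The class and field names and the sample addresses are assumptions.

```python
# Added example: a toy model of the inbound decision logic described in the
# answers above (loopback ports, "Trusted" systems, default deny). This is
# not Online Armor's code; class and field names are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source address of the connection attempt
    dst: str      # local address the packet arrived on
    dport: int    # destination port on this machine


@dataclass
class Policy:
    # Networks/systems marked "Trusted" under Interfaces: trust is granted by
    # address, so only list networks that are actually under your control.
    trusted: list = field(default_factory=list)
    # Explicit allow rules for service ports reachable from anywhere.
    allowed_ports: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # 1. Ports bound only to the loopback interface serve local IPC and are
        #    never reachable from another host, so they are not blocked.
        if dst.is_loopback and src.is_loopback:
            return "allow"
        # 2. Windows service ports on non-loopback interfaces: reachable from
        #    systems in a trusted network, without a per-system rule.
        if any(src in ip_network(n) for n in self.trusted):
            return "allow"
        # 3. Otherwise only an explicit allow rule for the port opens it.
        if pkt.dport in self.allowed_ports:
            return "allow"
        # 4. Default deny: no separate "block 0-65535" rule is needed.
        return "deny"


def demo() -> dict:
    """Constructed sample traffic against a home-LAN style policy."""
    policy = Policy(trusted=["192.168.1.0/24"], allowed_ports={80})
    samples = {
        "loopback_ipc": Packet("127.0.0.1", "127.0.0.1", 135),
        "lan_smb": Packet("192.168.1.20", "192.168.1.10", 445),
        "internet_smb": Packet("203.0.113.9", "192.168.1.10", 445),
        "internet_http": Packet("203.0.113.9", "192.168.1.10", 80),
    }
    return {name: policy.decide(p) for name, p in samples.items()}
```

Running `demo()` shows that the SMB port is reachable only from the trusted LAN while HTTP is reachable from anywhere, and that nothing without an allow rule ever gets through.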
