dallas7

Banking Mode and Domains List Strangeness

WinXPproSP3-32; OAP 5.1.0.1331; Firefox 7.0.1

I am trying to Feel The Love using Banking Mode but so far it's been pretty cold.

Please see the attached screen shot.

Trimmed for brevity, here are the copy/paste entries from the Firewall Log and ping returns:

[TDI] TCP, Connect, 0.0.0.0:18516 -> 91.212.136.10:80

[TDI] Passed according to banking mode

E:\>ping -a 91.212.136.10

Pinging updates.ikarus.at [91.212.136.10]

WOW: In taking the screen shot for this email, I just noticed the *.ikarus.at entry I created has vanished from the list! Banking Mode still seems to think it's there. What now?

[TDI] TCP, Connect, 0.0.0.0:18733 -> 66.40.145.204:80

[TDI] Blocked according to banking mode

E:\>ping -a 66.40.145.204

Pinging west01.us.nimbus.bitdefender.net [66.40.145.204]

[TDI] TCP, Connect, 0.0.0.0:18766 -> 199.7.55.72:80

[TDI] Blocked according to banking mode

E:\>ping -a 199.7.55.72

Pinging OCSP.AMS1.VERISIGN.COM [199.7.55.72]

How is it *.ikarus.at is passed while *.bitdefender.net is blocked?

Rather than re-re-learning that banking site I've obfuscated in the screen shot, I added that VeriSign FQDN as they seem to exist in a multitude of tree hierarchies. But that doesn't work. I thought of adding *.verisign.com but considering the behavior so far that might not work either. And wildcarding VeriSign would defeat the purpose of the Banking Mode IMHO.

Note that I had to create eight FQDN entries for the Firefox Perspectives add-on since *.networknotary.org caused problems. I had at first thought it was due to latency which might still be the case. Or not. The eight entries work just fine.

Where am I going wrong? Hopefully it's just something so simple I'm just not seeing it.

Thank you.

How is it *.ikarus.at is passed while *.bitdefender.net is blocked?

Since Ikarus is part of the dual AV engine in OA ++, that domain would most likely be hard coded into the program as whitelisted.

Rather than re-re-learning that banking site I've obfuscated in the screen shot, I added that VeriSign FQDN as they seem to exist in a multitude of tree hierarchies. But that doesn't work. I thought of adding *.verisign.com but considering the behavior so far that might not work either. And wildcarding VeriSign would defeat the purpose of the Banking Mode IMHO.

I'm not sure what exact problem you are having with Banking Mode? I'm assuming your banking site isn't working correctly and you think it's something to do with the multiple Verisign domains being needed?

Note that I had to create eight FQDN entries for the Firefox Perspectives add-on since *.networknotary.org caused problems. I had at first thought it was due to latency which might still be the case. Or not. The eight entries work just fine.

You should be able to use a ? (which stands for "any character") in place of all the individual entries with different numbers, e.g. perspectives?.networknotary.org

1) Since Ikarus is part of the dual AV engine in OA ++, that domain would most likely be hard coded into the program as whitelisted.

2) I'm not sure what exact problem you are having with Banking Mode? I'm assuming your banking site isn't working correctly and you think it's something to do with the multiple Verisign domains being needed?

3) You should be able to use a ? (which stands for "any character") in place of all the individual entries with different numbers, e.g. perspectives?.networknotary.org

1) Good point! I had added Ikarus as Ashampoo A-M pulls the T3 sigs from there (and the A2 sigs from its own domain). I wonder if OAP is smart enough to know that and purge such entries from the Domain List?? I'll add it again and see what happens. This is almost fun.

However, I did observe that the Ashampoo updates failed until I added *.ashampoo.com (and *.ikarus.net). Which indicates *.ashampoo.com works but *.bitdefender.net does not. What's wrong here?

2) Yes. The banking site will stall screen refreshes as it hammers the Internet until it finds either svrintl-crl or svrsecure-g2-crl which were used when that banking domain was learned. I'd not mind adding new VeriSign FQDNs manually until performance becomes acceptable, but as you can see from my experience with OCSP.AMS1., it isn't working.

3) Sorry. I forgot to mention I tried the ? and still had the problem. I am satisfied with the eight entries as that is all that is needed. Just adding it to the discussion.

Thank you.


1) Good point! I had added Ikarus as Ashampoo A-M pulls the T3 sigs from there (and the A2 sigs from its own domain). I wonder if OAP is smart enough to know that and purge such entries from the Domain List?? I'll add it again and see what happens. This is almost fun.

Yes, domains on the internal list don't show up in the Domains list and will be removed if entered manually.

However, I did observe that the Ashampoo updates failed until I added *.ashampoo.com (and *.ikarus.net). Which indicates *.ashampoo.com works but *.bitdefender.net does not. What's wrong here?

In the firewall log you posted, it looks like BitDefender was using more than 3 levels of domains in its address. For example, *.bitdefender.net would be effective for something like somedomain.bitdefender.net (which is using 3 levels) but not for anotherdomain.somedomain.bitdefender.net (which is using 4 levels).

2) Yes. The banking site will stall screen refreshes as it hammers the Internet until it finds either svrintl-crl or svrsecure-g2-crl which were used when that banking domain was learned. I'd not mind adding new VeriSign FQDNs manually until performance becomes acceptable, but as you can see from my experience with OCSP.AMS1., it isn't working.

I am not sure what else you can do other than use wildcards for VeriSign to cater for changing domains and different domain levels.

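To make the label-counting rule in the reply above concrete, here is an added example (not Online Armor's code or anything from this thread's authors) that models a Domains list the way the reply describes it: `*` stands for exactly one DNS label and `?` for one character, so `*.bitdefender.net` covers three-level names only. The reverse lookups are copied from the ping output in the thread; the internal whitelist entry and the exact matching semantics are assumptions.

```python
import re

# Assumed semantics, taken from the reply above rather than from Online Armor's code:
# '*' stands for exactly one DNS label, '?' for one character inside a label.
INTERNAL_WHITELIST = ["*.ikarus.at"]  # placeholder for OA's hidden internal list

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a Domains-list entry into an anchored regex, label by label."""
    parts = []
    for label in pattern.lower().split("."):
        if label == "*":
            parts.append(r"[^.]+")
        else:
            parts.append("".join(r"[^.]" if c == "?" else re.escape(c) for c in label))
    return re.compile(r"^" + r"\.".join(parts) + r"$")

def matches(pattern: str, host: str) -> bool:
    return pattern_to_regex(pattern).fullmatch(host.lower()) is not None

def decide(host: str, user_domains: list) -> str:
    """Reproduce the 'Passed/Blocked according to banking mode' log verdicts."""
    if any(matches(p, host) for p in INTERNAL_WHITELIST):
        return "Passed (internal list)"
    if any(matches(p, host) for p in user_domains):
        return "Passed according to banking mode"
    return "Blocked according to banking mode"

def suggest_entry(host: str, suffix_labels: int = 2) -> str:
    """Narrowest single-label-wildcard entry that still covers this host's depth,
    e.g. west01.us.nimbus.bitdefender.net -> '*.*.*.bitdefender.net'."""
    labels = host.lower().split(".")
    stars = len(labels) - suffix_labels
    return ".".join(["*"] * stars + labels[-suffix_labels:])

# Constructed reverse lookups, copied from the 'ping -a' output in the thread.
RESOLVED = {
    "91.212.136.10": "updates.ikarus.at",
    "66.40.145.204": "west01.us.nimbus.bitdefender.net",
    "199.7.55.72": "OCSP.AMS1.VERISIGN.COM",
}
LOG_RE = re.compile(r"\[TDI\] TCP, Connect, \S+ -> (\d+\.\d+\.\d+\.\d+):\d+")

def explain_log(lines, user_domains):
    """Map each Connect line to (resolved host, verdict); verdict lines are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            host = RESOLVED.get(m.group(1), m.group(1))
            out.append((host, decide(host, user_domains)))
    return out
```

Running `explain_log` over the Connect lines from the first post with `["*.bitdefender.net"]` shows the BitDefender host blocked because it has five labels, while `suggest_entry` produces the depth-matched entry that would pass it.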

Yes, the *.ikarus.at I plugged in yesterday is gone. Sneaky! ;)

The Banking Mode was never a bullet point in my research for what I needed to find for a new Win7 64-bit system as my much-loved Malware Defender is 32-bit only. I turned off Malware Defender on this XP system so I could run a trial OAP and ended up purchasing a license.

So, I'll mess with Banking Mode some more for that bank and if it works out it works out. That said, it does well with PayPal and another bank I use.

I'm pretty much squared away with OAP otherwise; it bends nicely to my will and my Complete Control Obsession.

Thanks again for your patience and steadfast support. You're the best. Cheers!
