dallas7, Posted October 30, 2011
Is it normal for OA++ oaui.exe to open a port 80 TCP connection to various sub-domains (including www) at online-armor.com for a couple of seconds every 90 seconds or so? (I'm seeing that on my Win7 system, not my XP system running OA Premium.) Thanks!

catprincess, Posted October 30, 2011
I'm not sure if it would happen that often, but if you have "Lookup external IP address" ticked on the Options -> Firewall section, OA will periodically make these connections to obtain the address.

dallas7 (Author), Posted October 31, 2011
The behavior persists even when "Lookup external..." is disabled. I've attached a screenshot from W7/OA++ (rather than a text copy) to show I'm not making this up. And I was mistaken about the behavior in OAP under XP. I noted a port 80 TCP rule for oaui.exe, probably built during post-install learning. I monitored connectivity similar to W7/OA++. I deleted the rule and was almost immediately prompted to build a new one...

Created: 10/30/2011 9:31:36 PM
Summary: Firewall: User decision
Description: C:\Program Files\Online Armor\oaui.exe, Outgoing TCP access allowed to: (online-armor.com;www.tallemu.com;www.online-armor.com;crs.online-armor.com;crq.online-armor.com;lus.online-armor.com) MY.WAN.IP.ADR:80
Event type: Firewall: User decision(15)
Event action: Allowed(2)

Here is a copy of the connectivity...

30/10/11 21:55:50 TCP -> 192.168.0.7:1060, 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/0) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
30/10/11 21:57:26 TCP -> 192.168.0.7:1061, 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/1840) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
30/10/11 21:57:27 TCP -> 192.168.0.7:1061, 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/0) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
30/10/11 21:58:06 TCP -> 192.168.0.7:1062, 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/880) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"

This activity is continuous and persistent.
I decided to block the port 80 rule and the connectivity to 80.237.x.x went berserk:

31/10/11 10:02:04 [TDI] TCP, Connect, 0.0.0.0:1197 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/4016) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:04 [TDI] TCP, Connect, 0.0.0.0:1198 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/2112) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:04 [TDI] TCP, Connect, 0.0.0.0:1196 -> 80.237.191.14:80, C:\Program Files\Online Armor\oaui.exe(1456/1080) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:05 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:05 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:05 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:05 [TDI] TCP, Connect, 0.0.0.0:1201 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/2712) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:10 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:10 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:10 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:10 [TDI] TCP, Connect, 0.0.0.0:1202 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3032) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:14 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:14 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:14 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:14 [TDI] TCP, Connect, 0.0.0.0:1203 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3432) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:18 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:18 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:18 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:18 [TDI] TCP, Connect, 0.0.0.0:1204 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3072) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:22 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:22 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:23 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:23 [TDI] TCP, Connect, 0.0.0.0:1205 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3196) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:27 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:27 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:27 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:27 [TDI] TCP, Connect, 0.0.0.0:1206 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3212) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:31 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:31 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:31 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:31 [TDI] TCP, Connect, 0.0.0.0:1207 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3008) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:35 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:35 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:35 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:35 [TDI] TCP, Connect, 0.0.0.0:1208 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/2360) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:40 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:40 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:40 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:40 [TDI] TCP, Connect, 0.0.0.0:1209 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/1480) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:44 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:44 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:44 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:44 [TDI] TCP, Connect, 0.0.0.0:1210 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/2528) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:48 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:48 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:48 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:48 [TDI] TCP, Connect, 0.0.0.0:1211 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3284) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:52 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:52 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:52 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:52 [TDI] TCP, Connect, 0.0.0.0:1212 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3412) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:57 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:57 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:57 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:02:57 [TDI] TCP, Connect, 0.0.0.0:1213 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3292) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:03:01 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:03:01 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:03:01 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:03:01 [TDI] TCP, Connect, 0.0.0.0:1214 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3688) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:03:04 [TDI] TCP, Connect, 0.0.0.0:1215 -> 80.237.191.14:80, C:\Program Files\Online Armor\oaui.exe(1456/3024) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:03:04 [TDI] TCP, Connect, 0.0.0.0:1216 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3400) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:03:04 [TDI] TCP, Connect, 0.0.0.0:1217 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3516) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:03:05 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:03:05 ICMP -> Echo request 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:03:05 ICMP <- Echo reply 192.168.0.7 80.237.152.26 Passed by ICMP rule
31/10/11 10:03:05 [TDI] TCP, Connect, 0.0.0.0:1218 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/596) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:03:54 [TDI] TCP, Connect, 0.0.0.0:1219 -> 80.237.191.14:80, C:\Program Files\Online Armor\oaui.exe(1456/3564) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:03:54 [TDI] TCP, Connect, 0.0.0.0:1220 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3676) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:03:54 [TDI] TCP, Connect, 0.0.0.0:1221 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3956) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"

Needless to say, I returned the rule to allow and things returned to "normal":

31/10/11 12:12:04 [TDI] TCP, Connect, 0.0.0.0:3452 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/5788) [TDI] Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:04 TCP -> 192.168.0.7:3452, 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/5788) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:04 [TDI] TCP, Connect, 0.0.0.0:3451 -> 80.237.191.14:80, C:\Program Files\Online Armor\oaui.exe(1456/5176) [TDI] Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:04 TCP -> 192.168.0.7:3451, 80.237.191.14:80, C:\Program Files\Online Armor\oaui.exe(1456/5176) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:05 TCP -> 192.168.0.7:3452, 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/5788) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:05 [TDI] TCP, Connect, 0.0.0.0:3453 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/5188) [TDI] Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:05 TCP -> 192.168.0.7:3453, 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/5188) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:05 TCP -> 192.168.0.7:3451, 80.237.191.14:80, C:\Program Files\Online Armor\oaui.exe(1456/5176) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:06 TCP -> 192.168.0.7:3453, 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/5188) Passed by rule: "TCP, --> oaui.exe, [80], +(*)"

I could accept this if I understood why it is necessary. Otherwise, I'd like to turn it off. What say? Thank you.
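
Added example, not part of the thread: the log in the post above shows oaui.exe retrying the same destination every few seconds once its port 80 rule is set to block. This Python sketch parses [TDI] connect lines in that format (a few are copied from the post) and reports attempt counts and the median retry gap per destination; the function names and the thresholds in retry_storms are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# A few [TDI] connect lines copied from the firewall log quoted in the thread.
SAMPLE_LOG = r'''
31/10/11 10:02:04 [TDI] TCP, Connect, 0.0.0.0:1197 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/4016) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:04 [TDI] TCP, Connect, 0.0.0.0:1196 -> 80.237.191.14:80, C:\Program Files\Online Armor\oaui.exe(1456/1080) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:05 [TDI] ICMP, Connect, 0.0.0.0 -> 80.237.152.26, C:\Program Files\Online Armor\oaui.exe(1456/1524) [TDI] Passed by rule.
31/10/11 10:02:05 [TDI] TCP, Connect, 0.0.0.0:1201 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/2712) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:10 [TDI] TCP, Connect, 0.0.0.0:1202 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3032) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:14 [TDI] TCP, Connect, 0.0.0.0:1203 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3432) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:18 [TDI] TCP, Connect, 0.0.0.0:1204 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3072) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 10:02:23 [TDI] TCP, Connect, 0.0.0.0:1205 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/3196) [TDI] Blocked by rule: "TCP, --> oaui.exe, [80], -(*)"
31/10/11 12:12:04 [TDI] TCP, Connect, 0.0.0.0:3452 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/5788) [TDI] Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
31/10/11 12:12:05 [TDI] TCP, Connect, 0.0.0.0:3453 -> 80.237.152.26:80, C:\Program Files\Online Armor\oaui.exe(1456/5188) [TDI] Passed by rule: "TCP, --> oaui.exe, [80], +(*)"
'''

TDI_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \[TDI\] (?P<proto>\w+), Connect, '
    r'\S+ -> (?P<dst>[\d.]+)(?::(?P<port>\d+))?, (?P<path>.+?)\(\d+/\d+\) '
    r'\[TDI\] (?P<action>Passed|Blocked) by rule')

def profile(log_text, process="oaui.exe", proto="TCP"):
    """Per (dst, port, action): attempt count and median seconds between attempts."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = TDI_RE.match(line.strip())
        if not m or m["proto"] != proto or not m["path"].lower().endswith(process.lower()):
            continue  # other line formats, other protocols (the ICMP probes), other programs
        port = int(m["port"]) if m["port"] else None
        stamp = datetime.strptime(m["ts"], "%d/%m/%y %H:%M:%S")  # log dates are day/month/year
        times[(m["dst"], port, m["action"])].append(stamp)
    stats = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        stats[key] = {"count": len(stamps), "median_gap_s": median(gaps) if gaps else None}
    return stats

def retry_storms(stats, min_count=5, max_gap_s=10):
    """Blocked destinations hit at least min_count times with a short median gap."""
    return sorted(key[:2] for key, s in stats.items()
                  if key[2] == "Blocked" and s["count"] >= min_count
                  and s["median_gap_s"] is not None and s["median_gap_s"] <= max_gap_s)

if __name__ == "__main__":
    print(profile(SAMPLE_LOG), retry_storms(profile(SAMPLE_LOG)))
```

A destination that appears here as a retry storm points at a deny rule the program keeps hammering, which is the cue to look for the setting that drives the traffic rather than leaving the block in place.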

catprincess, Posted October 31, 2011
Does this still happen if you set "Check for updates" to manual? I assume you are running the latest version, 5.1.1.1383?

dallas7 (Author), Posted November 1, 2011
Yes and yes. On both systems, XP/OAP and W7/OA++. I have updates set to one hour on both. I've observed updates are handled by OArau.exe with connections to update.emsisoft.com. oaui.exe is wanting online-armor.com, www.tallemu.com, www.online-armor.com, crs.online-armor.com, crq.online-armor.com or lus.online-armor.com.

dallas7 (Author), Posted November 1, 2011
I went back to Options to return Updates to Every Hour and noticed that other thing and thought, "I wonder...?" I unchecked "Send anonymous information about programs...." and lo and behold the crazy oaui.exe behavior ceased! Rechecking it returns the craziness. Re-unchecking it stops it. I'm going to leave it unchecked. Cheers!