Posted by louise on December 4, 2007, 11:29 pm
VanguardLH wrote:
>> Thanks so much for recommending the Armor Online Free firewall. It
>> really works - is low on resources and speaks to you in comprehensible
>> language when it poses a question. And it's free!
>>
>> I've put it on my desktop and my portable without a single problem.
>
>
> There is no parent-child control in Online Armor's firewall. Say you
> allow your browser to connect. Well, then you have also allowed any
> caller (parent) program to execute that browser to get a connection to
> some unknown web page. By regulating who can call (parent) another
> program (child) then you know who is really asking for the connection.
> For many users, this is not a critical feature since few firewalls
> provide parent-child control. Comodo has it in their older v2.4 but
> dropped it in their new v3 firewall that now includes HIPS. The firewall
> just got added in version 2 of Online Armor (OA) so it will need some
> fixing or features to get up to speed with other firewalls.
>
> So the assumption is that you have permitted the parent program to run
> but relinquish any control over whether or not it can make connections
> using child programs; i.e., in Comodo Firewall Pro v3, you get to
> regulate the load of a program using HIPS (the parent and child programs),
> like in Online Armor, and you can regulate which programs can make
> connections (the child programs), but you cannot control if the parent
> can call the child to make the connection. As a result, both Online
> Armor and Comodo will fail all leaktests UNLESS you, as the user, see
> the prompt and deny the execution of the parent program - but that is
> not the point of leaktests. Rather than regulating who can call what
> for a connection, your only choice is whether the parent loads or
> not. Online Armor is promising to add parent-control into their
> firewall, a brand new feature added in their latest version 2. But they
> have lots of fixes to make and other more security-related updates to
> make to their product so they aren't promising when to deliver on
> parent-child control.
>
> While other HIPS products are better at controlling ALL auto-start
> programs in the various locations available under Windows, Online
> Armor's AutoRuns protection is limited to just a few areas. They don't
> cover the WinLogon/Notify, Session Manager bootexecute, and other areas
> that users normally never touch. They are promising an update sometime
> later to address the lack of coverage for auto-start processes.
>
> There have been some instances where programs would generate a prompt when
> they loaded, the user answered to allow the load and remember that
> action (and it does get remembered), but the program never shows up in
> the list under their Program Guard. Once remembered and because it
> isn't in the list, you cannot later revoke that run permission. It
> looks to be a UI error in the grid control that they use not showing all
> the recorded rules.
>
> Currently Online Armor does not encrypt the registry keys used by that
> program. This can provide info to malware or malcontents on how the
> product is configured and possibly could alter that behavior to reduce
> protection (their documentation is poor, basically just an overview, and
> they don't define the purpose of these registry keys). They also do not
> protect these registry keys against alteration. Online Armor does not
> load under Safe Mode so even if they protect those registry keys then
> they won't be protected if you reboot into Safe Mode. They need to
> encrypt those keys. When OA attempts to read them, and if altered and
> hence corrupted, OA will be unable to read those altered values and know
> they were changed outside of OA. They promise to later address this
> security hole to protect against alteration (but only when OA is
> running) and use encryption (to detect alteration under Safe Mode and to
> then revert to whatever would be the most restrictive values for those
> corrupted settings and also alert the user to that act).
>
> The free version doesn't let you backup your settings. The paid version
> does. However, you can save the .dat files in the OA install path to
> backup your settings. Since OA protects against any access to these
> .dat files when it is running, even to copy them, you have to reboot
> into Safe Mode, copy the .dat files, and then reboot into normal mode.
>
> Online Armor does not run under Safe Mode. It has been deliberately
> designed that way. One reason for this behavior is that uninstallation
> may fail under normal mode; e.g., you won't be able to read their
> unins000.log file to do the uninstall. In most cases, but not
> guaranteed to be the only case, the user has disabled Program Guard
> (HIPS) and loses access to the UI (i.e., the user can no longer get at
> the configuration or status windows for the product). Rebooting won't
> fix the problem. Loading the UI (oaui.exe) won't fix the problem. The
> product has to be uninstalled and that can only be done under Safe
> Mode. However, because OA does not run under Safe Mode also means that
> you have no HIPS or firewall protection while under Safe Mode. If
> malware still loads, like using the WinLogon/Notify event (instead of
> the normal auto-start locations), then it now has free rein to load.
> The malware is also unfettered under Safe Mode (with networking enabled)
> to connect. Not all malware gets neutered in Safe Mode.
>
> Currently there is no option in OA to block all network access until the
> firewall has fully loaded. This means there is a window of opportunity
> in which malware could load and also connect. About the only advantage
> the Windows Firewall provides is that the network stack is disabled
> during Windows startup until the Windows Firewall (if enabled) has fully
> loaded. Comodo v2.4 has the option to block network access until it is
> fully loaded. OA doesn't have this option but is promising to add it
> later. Of course, if the firewall is flaky then you might not get any
> network access even after the firewall loads. Comodo v2.4 hasn't had
> this problem. I don't know about v3 since it lost some functionality,
> uses a non-intuitive HIPS (try figuring out how to block a program from
> loading without visiting their forum), lost the parent-child firewall
> control, and is way too flaky so I abandoned it long before having
> enough history to know if enabling the option to block network access
> until Comodo is loaded is reliable. Again most users don't even think
> about this window of opportunity for any firewall that doesn't have this
> option (but those same users don't think about the vulnerability of OA
> not running under Safe Mode, either).
>
> Unlike Defense Wall which reduces permissions for unknown or untrusted
> processes which attempt to run silently but is really for newbie or lazy
> users, OA with its HIPS will be asking lots of questions. (Note:
> Defense Wall is not a HIPS product as they claim since it never
> interferes with the load of a program, only with the privileges it gets
> after it loads. It doesn't need to continually prompt the user because
> it doesn't regulate what can load. Softsphere also doesn't provide a
> free version of Defense Wall.) OA also tries to alleviate the deluge of
> prompts by downloading a list of certified good applications; however,
> if you update the program and it isn't in their list or you haven't
> updated the list yet, you'll get prompted because of the new version (of
> an old program that you allowed to run before). Many users want to use
> their host rather than repeatedly answer prompts about what is allowed
> to run. Of course, a list of certified apps is someone else's decision
> that the program is okay so some OA users won't use that list and
> instead want to get prompted on every program so they know what is
> allowed to run or not. That is why many HIPS products have a learning
> mode including, I believe, OA (but I don't remember if learning mode
> works in the free version). Be warned that the free version will NEVER
> retrieve updates to this certified apps list. Updating in the free
> version of OA is manual - but you can't even do a manual update to
> retrieve the new list. Manual updating means you get an e-mail telling
> you that there is an updated list, you have to download it using the
> link in the email, and then you point at that file to insert the new
> definitions. So manual updates are very manual. And you won't get
> notification of those updates unless you insert your email address
> during the installation. You cannot register after the installation to
> get those email notifications of updates. You cannot subscribe to a
> mailing list to get those email update notices. If you chose to not
> disclose your email address during the installation, you will have to
> uninstall and reinstall and give your email address under that new
> install. And then what you get are emails telling you to download a new
> file and then have to point at it to insert its contents. The paid
> version has automatic updating. Forcing manual updates in a free
> version is nasty, especially regarding a security program, but this
> extremely manual update process that relies on email notification just
> sucks. It means a significantly reduced number of users of the free
> version will get the email notifications and only a subset of those will
> perform the manual file update.
>
> Online Armor is pretty good but it needs several security issues
> addressed, some of which were so obvious that it seems they pushed it out
> the door way too soon simply because they wanted to show off their new
> firewall that got included in version 2. Visit their forums to see what
> is missing, promised for later updates to the product, and problems with
> it. I almost got this product and there is enough in the paid version
> to make me buy it but it needs a bit more work. Between Comodo's version
> 3 and Online Armor, both having HIPS and firewalling, I'd go for Online
> Armor - but after a few more updates (so I'm sticking with Comodo v2.4
> for now and might get ProSecurity [paid] for HIPS if Tall Emu takes too
> long with the updates for OA).
>
Thanks for your detailed analysis.
I don't understand however, why I would care if I got their
automatic updates for newly approved programs. I don't
install new programs every day by any means, and when I do,
I don't mind answering the questions about what I want to
allow - especially since there is a "remember" checkbox. Is
there another reason to get the paid version?
I installed the 2.x version of Comodo and it nearly brought
down my machine. I don't know why, but I do know it
couldn't remember what it was supposed to allow and
every time it got confused, things froze and its questions
were endless and seemed kind of lame - I uninstalled it,
retrieved my system, and would be hesitant to try Comodo
again - new version or not.
I'll take a look at ProSecurity - never heard of it.
BTW, since you seem quite knowledgeable, I'll take the
liberty of asking you another question: I'm running NOD32
(new AV version), use Firefox mostly, and I do use Outlook
with a good spam filter. I'm running XP, SP2. Do you think
it is necessary to run an antispyware program?
Thanks again.
Louise
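The quoted review says Online Armor's AutoRuns protection skipped the WinLogon\Notify and Session Manager BootExecute locations. The script below is an added example, not code from the thread or from Tall Emu: it enumerates those two locations so you can audit them yourself and flags entries that differ from the stock Windows defaults. The registry paths are the documented Windows locations; the "outside system32" and "non-default BootExecute" heuristics, the function name, and the 32-bit single-system32 layout are this example's own assumptions.

```powershell
# Added example (not from the original post). Audits two auto-start locations
# that the review says Online Armor did not cover. Run from an elevated
# PowerShell prompt; read-only, it changes nothing in the registry.
function Get-UncoveredAutostarts {
    $findings = @()

    # 1. Winlogon\Notify: each subkey names a DLL that winlogon.exe loads and
    #    calls on logon/logoff/startup events. Stock entries are DLLs in
    #    %SystemRoot%\system32, so a DLL elsewhere (or a missing one) is worth a look.
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notifyKey) {
        foreach ($sub in Get-ChildItem $notifyKey) {
            $dll = (Get-ItemProperty $sub.PSPath).DLLName
            if (-not $dll) { continue }
            # A bare file name is resolved against system32 (assumption for this
            # example); an explicit path is expanded and kept as written.
            $resolved = if ($dll -match '[\\/]') {
                [Environment]::ExpandEnvironmentVariables($dll)
            } else {
                Join-Path "$env:SystemRoot\system32" $dll
            }
            $inSystem32 = $resolved.StartsWith("$env:SystemRoot\system32", 'OrdinalIgnoreCase')
            $note = if (-not (Test-Path $resolved)) { 'DLL missing' }
                    elseif (-not $inSystem32)      { 'DLL outside system32 - inspect' }
                    else                            { 'ok' }
            $findings += [pscustomobject]@{
                Location = "Winlogon\Notify\$($sub.PSChildName)"
                Value    = $dll
                Note     = $note
            }
        }
    }

    # 2. Session Manager\BootExecute: native-mode programs that smss.exe runs
    #    before the Win32 subsystem (and therefore before any user-mode HIPS or
    #    firewall) exists. The stock value is the single line "autocheck autochk *".
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $boot = (Get-ItemProperty $smKey -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
    foreach ($line in @($boot)) {
        if (-not $line) { continue }
        $findings += [pscustomobject]@{
            Location = 'Session Manager\BootExecute'
            Value    = $line
            Note     = if ($line -eq 'autocheck autochk *') { 'default' } else { 'non-default entry - inspect' }
        }
    }

    return $findings
}

Get-UncoveredAutostarts | Format-Table -AutoSize
```

Anything marked "inspect" is not automatically malicious (disk utilities legitimately add BootExecute lines, and some logon tools register Notify DLLs), but because both locations run before a user-mode HIPS is in a position to prompt, they are exactly the entries you would want to recognise by name.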