Problem with the rules of Outpost 2.1
Published by: admin 2009-01-07
  • I'm new here. I have some questions. Please write in easy English. I'm not an Englishman.

    1. I have the Outpost Firewall 2.1 on my PC.

    A few days ago I got a message from the firewall. It said that my system communicates with a protocol (I think UDP or something else). I was so silly to forbid that. So my question is how I can allow this communication?

    In the not allowed applications (in the Outpost user menu) there is no entry for the protocol.

    2. What should I put in the rules for the following 3 entries? At the bottom there are the possibilities.

    The entries are....

    DCOM Isass.exe
    LDAP userini.exe would make an outgoing connection....
    DCOM 135 svchost.exe Generic Host Process for Win32 Services would make an outgoing connection

    1. When should the rule work....
    1.1 When the chosen protocol is called....
    1.2 When the chosen target is called
    1.3 when the chosen remote host is called
    1.4 when the chosen remote port is called
    1.5 when the chosen local port is called
    1.6 when the chosen time interval is called

    2. Action: What should the rule do....?
    2.1 allow
    2.2 not allow (sending error)
    2.3 warn
    2.4 start application
    2.5 Stateful Inspection

    3. description
    3.1 When the protocol is called
    3.1.1 TCP
    3.1.2 UDP
    3.2 and the direction
    3.2.1 outgoing
    3.2.2 ingoing (eingehend, I don't know it in English)
    3.3 And when the Remote Port is called (what?)


    I thank you for the answers.


  • Good catch kronckew! I mistook that for the legitimate Lsass.exe (The MS LAS shell) which apparently was the exploit not yet patched.

    And for you Gunner, please patch your system after you remove this thing to stop from getting it again. After that, we should discuss how it got through your firewall in the first place.

    What You Should Know About the Sasser Worm and Its Variants (http://www.microsoft.com/security/incident/sasser.asp)


  • if you are not on a local area network, no, if you are, you may - try it blocked, if it doesn't work delete it from blocked or drag it into partially allowed & use the preset: (if you are on a LAN, see the configuration guide yet again for the network settings)

    if you need it then the presets are:

    Local Security Authority Service, lsass.exe
    RuleName: Local Security Authority Service UDP
    Protocol: UDP
    RemotePort: 88
    AllowIt

    RuleName: Local Security Authority Service TCP
    Protocol: TCP
    RemotePort: 1026-1029
    Direction: Outbound
    AllowIt

    can't see any for userinit.exe, you can always go into rules mode, delete it from the applications settings, run it & accept the guided settings. or look at the logs while it's blocked & see which protocols/ports are affected & add rules accordingly after dragging it to the partial area.
    never leave anything in the trusted apps area, though you can stick them in there temporarily while testing.
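The post above gives two presets for lsass.exe and advises watching the log while an application is blocked, then adding rules for the protocols and ports that turn up. The following added example (not Outpost's code or its rule format; the `Rule`, `Event`, `decide` and `suggest_rules` names and the sample events are constructed) models exactly that workflow: rules carry the same fields the presets list, the first matching rule wins, anything unmatched is blocked, and the blocked events are turned into candidate rule outlines for review.

```python
"""Added example: per-application firewall rules with a default-deny decision.
Not Outpost's own code or rule-file format; rule fields follow the presets
quoted in the thread (process, protocol, remote port range, direction, action).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    process: str
    protocol: str                      # "TCP" or "UDP"
    remote_ports: Tuple[int, int]      # inclusive range, e.g. (1026, 1029)
    direction: Optional[str] = None    # "Outbound", "Inbound", or None = either
    action: str = "Allow"


@dataclass(frozen=True)
class Event:
    """One connection attempt, as a firewall log line would describe it."""
    process: str
    protocol: str
    remote_port: int
    direction: str


# The two lsass.exe presets quoted in the post, expressed as Rule objects.
PRESETS = [
    Rule("Local Security Authority Service UDP", "lsass.exe", "UDP", (88, 88)),
    Rule("Local Security Authority Service TCP", "lsass.exe", "TCP",
         (1026, 1029), "Outbound"),
]


def matches(rule: Rule, ev: Event) -> bool:
    """True when every field of the rule covers the event (names compared
    case-insensitively, port checked against the inclusive range)."""
    lo, hi = rule.remote_ports
    return (rule.process.lower() == ev.process.lower()
            and rule.protocol.upper() == ev.protocol.upper()
            and lo <= ev.remote_port <= hi
            and (rule.direction is None
                 or rule.direction.lower() == ev.direction.lower()))


def decide(rules: List[Rule], ev: Event) -> Tuple[str, Optional[str]]:
    """First matching rule wins; with no match the event is blocked
    ("when in doubt, block it out")."""
    for rule in rules:
        if matches(rule, ev):
            return rule.action, rule.name
    return "Block", None


def suggest_rules(rules: List[Rule], events: List[Event]) -> List[Rule]:
    """Candidate rules for every blocked event, one per distinct
    (process, protocol, port, direction).  These are outlines for a human
    to review, not rules to apply blindly."""
    seen = set()
    out: List[Rule] = []
    for ev in events:
        action, _ = decide(rules, ev)
        key = (ev.process.lower(), ev.protocol.upper(), ev.remote_port,
               ev.direction.lower())
        if action == "Block" and key not in seen:
            seen.add(key)
            out.append(Rule(f"{ev.process} {ev.protocol} {ev.remote_port} {ev.direction}",
                            ev.process, ev.protocol,
                            (ev.remote_port, ev.remote_port), ev.direction))
    return out


# Constructed events standing in for log lines seen while testing.
SAMPLE_EVENTS = [
    Event("lsass.exe", "UDP", 88, "Outbound"),       # covered by the UDP preset
    Event("lsass.exe", "TCP", 1027, "Outbound"),     # inside the 1026-1029 range
    Event("lsass.exe", "TCP", 1027, "Inbound"),      # wrong direction -> blocked
    Event("userinit.exe", "TCP", 445, "Outbound"),   # no rule at all -> blocked
    Event("userinit.exe", "TCP", 445, "Outbound"),   # duplicate, reported once
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", decide(PRESETS, ev))
    for cand in suggest_rules(PRESETS, SAMPLE_EVENTS):
        print("candidate rule:", cand)
```

The candidate list is deliberately only a starting point: the thread's advice is to allow a specific connection only once you know why the program needs it, so each suggestion should be checked against what the process is documented to do before it becomes a rule.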


  • How can I close DCOM with Outpost?

    I'm not infected.

    So now I can make a rule for svchost.exe.

    But what should I set in the rules for userini.exe and Isass.exe?

    read the guide to setting up a secure configuration as in link above, it has a section on dcom, run dcombobulator as in earlier post.

    if you have a file called isass.exe you are infected with the sasser worm & must get rid of it. if you do really mean LSASS.exe, it does not need any rule. same for userini.exe.
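The reply above turns on a one-character difference: "isass.exe" (capital I or lowercase i) versus the legitimate "lsass.exe" (lowercase L), and one of the earlier posters made exactly that misreading. As an added example (not from the thread or from any product; the `KNOWN` inventory, the `lookalikes` function and the sample names are constructed), here is a small check that flags process names which only look like well-known Windows binaries, either through a swapped look-alike character or through a single extra or missing character:

```python
"""Added example: flag process names that impersonate well-known system
binaries through look-alike characters (I/l/1, O/0) or a one-character
edit.  The inventory and the sample names below are constructed.
"""
from typing import List, Tuple

# Constructed inventory of legitimate names; a real check would use a fuller
# list (and ideally also verify the file's path and signature).
KNOWN = ["lsass.exe", "svchost.exe", "userinit.exe", "explorer.exe", "winlogon.exe"]

# After lower-casing, map the characters that are commonly confused for one
# another onto a single representative.
_HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def normalize(name: str) -> str:
    """Canonical form used to compare names that differ only in look-alikes."""
    return name.lower().translate(_HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalikes(names: List[str]) -> List[Tuple[str, str]]:
    """Return (suspicious_name, impersonated_name) for every name that is not
    an exact known name but collapses to one under normalization or sits one
    edit away from it."""
    findings = []
    for name in names:
        low = name.lower()
        if low in KNOWN:
            continue                      # the genuine article, nothing to flag
        norm = normalize(name)
        for legit in KNOWN:
            if norm == normalize(legit) or edit_distance(low, legit) == 1:
                findings.append((name, legit))
                break
    return findings


# Constructed process list mixing genuine names with impostors.
SAMPLE_PROCESSES = [
    "Isass.exe",      # capital I for lowercase L, the confusion in this thread
    "lsass.exe",      # genuine
    "svch0st.exe",    # zero for the letter o
    "lsasss.exe",     # one extra character
    "explorer.exe",   # genuine
    "notepad.exe",    # unrelated, not flagged
]

if __name__ == "__main__":
    for suspicious, legit in lookalikes(SAMPLE_PROCESSES):
        print(f"{suspicious!r} looks like {legit!r}")
```

Exact matches are skipped before any fuzzy comparison, so genuine names containing an "i" or an "o" are never reported against themselves; only a name that is not in the inventory yet collapses onto one of its entries is flagged.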


  • Hello The Gunner, Welcome to the Forum. :)

    Please see A Guide to Producing a Secure Configuration for Outpost that is in our version 2 FAQ. This will help you in setting svchost.exe and blocking DCOM. Since you are new to Outpost please have a look at The Web Hikers guide to Outpost Firewall; this was written for Version 1 but a lot of it still applies to V2 and V2.1.


  • David's thread on svchost is at:

    Svchost rule setting (http://outpostfirewall.com/forum/showthread.php?t=3735&highlight=svchost+preset)

    i think you'll find this has been incorporated into the guide for a secure configuration above and which is also in the FAQ section of the forum.
    lsass.exe may be placed into the blocked section of the applications settings, and i'd put userinit.exe in there as well as neither needs to talk to the internet. on my setup i don't even have a userinit.exe on my system so it's not in my applications settings.

    lsass - lsass.exe - Process Information

    Process File: lsass or lsass.exe
    Process Name: Local Security Authority Service
    Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.
    Company: Microsoft Corp.
    System Process: Yes
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No

    Process File: userinit or userinit.exe
    Process Name: UserInit Process
    Description: Application used to run a program before a shell starts. The service runs logon scripts, reestablishes network connections and starts the shell.
    Company: Microsoft Corp.
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
    Common Errors: N/A


  • But don't lsass.exe and userinit.exe have to connect with the server?


  • Yes I know that. A few days ago Outpost said that I could allow or not allow a communication per UDP protocol. I said no. But I can't find anything in the Option / Applications Menu like a UDP protocol which I didn't allow.

    Why?

    Most likely this was a temporary connection that you denied. Once you deny it, it is done. Only if that connection is attempted again will you see it. This could have happened from an email trying to get to another site or perhaps a website you were using attempting to make a connection. Once such a connection is denied, that's it. It's not made.


    Yes, there's something about svchost.exe. But what should I put in the rules for userini.exe and Isass.exe?
    Block them until you find a reason to make a rule allowing a specific connection. This is a good general rule to follow if something is trying to make a connection and you are not sure why - block it. If it causes you problems then you need to make a specific rule for that connection.


  • Thank you man. You solved my problem.

    Now I'm so happy that I can jump onto a woman.


  • Oh I mean Lsass.exe not isass.exe Sorry.

    The question with DCOM is clear.

    You mean I should take the userini.exe and the Lsass.exe to allowed applications and I shouldn't make a rule for it?

    I read something about David's SVCHOST rules. Where can I find it?


  • please see the link above re setting the svchost rules, and creating a secure connection.

    this may be too late for the moment as you seem to be infected with the sasser worm (isass.exe, etc) and will have to get that cured before anything will help. meanwhile the best thing to do is block isass.exe from doing anything.

    here's a link to a removal tool (free)

    Avast Virus removal tool (http://www.avast.com/i_idt_1060.html)

    this will remove sasser versions a thru f

    as you note above that you connect to a server, you'd best check ALL the pc's and servers in your network as they are probably zapped as well.

    you should also get rid of DCOM as it's not needed and just leaves a hole for things like this to get in. see (link) GRC's DCOMbobulator (http://grc.com/dcom/) for more info & program to do it with. again on all pc's/servers


  • How can I close DCOM with Outpost?

    I'm not infected.

    So now I can make a rule for svchost.exe.

    But what should I set in the rules for userini.exe and Isass.exe?


  • Thank you. The first question was solved. So there's only the second question.

    Block them until you find a reason to make a rule allowing a specific connection. This is a good general rule to follow if something is trying to make a connection and you are not sure why - block it. If it causes you problems then you need to make a specific rule for that connection.

    Yes I know that I should block all applications which I don't know. But when I block these 3 applications then I can't connect to the server. So I have to set a rule.

    Please tell me what I should set for the rules of Isass.exe, userini.exe, svchost.exe.

    Thank you


  • Thank you for your answers.

    If you made a rule that denied permission then change the rule. Go to Option / Applications and find the application you made the rule for and change it.

    Yes I know that. A few days ago Outpost said that I could allow or not allow a communication per UDP protocol. I said no. But I can't find anything in the Option / Applications Menu like a UDP protocol which I didn't allow.

    Why?

    Please see A Guide to Producing a Secure Configuration for Outpost that is in our version 2 FAQ. This will help you in setting svchost.exe and blocking DCOM. Since you are new to Outpost please have a look at The Web Hikers guide to Outpost Firewall; this was written for Version 1 but a lot of it still applies to V2 and V2.1.

    Yes, there's something about svchost.exe. But what should I put in the rules for userini.exe and Isass.exe?


  • Block them until you find a reason to make a rule allowing a specific connection. This is a good general rule to follow if something is trying to make a connection and you are not sure why - block it. If it causes you problems then you need to make a specific rule for that connection.

    We should use a rhyme for that that is easy to remember :) Something like:

    When in doubt, block it out.
    In a bind, change your mind

    How's that for rules made easy?
    Regards,
    Chris


  • Hello Gunner, since you are operating in the Rules Wizard mode you will get a request from Outpost whenever a new connection is about to be initiated. If you denied permission once, then whenever that connection is attempted it will ask again.

    If you made a rule that denied permission then change the rule. Go to Option / Applications and find the application you made the rule for and change it.

    In general you should block applications with which you are not familiar. If it causes problems then you can modify the rules. Svchost is a special case. The references that Randy pointed you to will explain all this in great detail.

    If you need more information please come back.




