Understanding Tiny Firewall

Type: assignment (Контрольная). Subject: Informatics, cybernetics and programming. Language: English. Posted 2016-10-06. Size: 132 KB.

1. Understanding Tiny Firewall

1.1. TF2005 Overview

Tiny Firewall 2005 Standard Edition is a host security solution offering real time protection against hackers and malicious spyware and trojans with detailed reporting. Tiny Firewall 2005 Standard Edition includes three basic components:

Host Security Engine

Admin Tool

Activity Monitor

Host Security Engine (HSE). HSE includes the security technologies that protect the host computer:

  • network protection
  • application start control
  • file system protection
  • registry and computer settings protection
  • services, COM interfaces and other system security protection

HSE is driven by rules. Rules are created using the Admin Tool and stored in several xml databases (each for different protection functionality).

Admin Tool. The Admin Tool allows you to:

  • create rules and define applications
  • analyze the events generated by the protection drivers

Rules are applied according to a built-in sorting mechanism, which is explained in the relevant parts of this manual. Rules can be seen in a simple view (descriptions only) or in a detailed view (all components of the rules). Applications may be defined by path, MD5 checksum or both. Applications may be grouped, and one application may be a member of multiple groups simultaneously. The Admin Tool displays the events stored in an event database; this database is XML, so other tools may be used to analyze the events. Access to the Admin Tool may be limited with a password.

Activity Monitor. The Activity Monitor displays the events generated by the protection drivers in real time. To prevent the screen from being flooded by identical events, a consolidation time interval can be set, so that 10 identical events occurring within that span are displayed as one event with a count. A right-click displays a context menu from which actions such as 'close connection' or 'create new rule' can be taken. The windows of the Admin Tool may be rearranged to appear tiled, as a list or in tabs.

1.2. Host Security Engine Summary

1.2.1. Applications

Applications play a vital role in the design of the host security engine. Known applications are organized in the Application Repository.

The general idea behind the Application Repository is that only applications which exist in it may have rules assigned to them. All other applications are treated as 'unknown' applications, and only the general rules effective for 'All' applications apply to them.

Once an application is enrolled in the Application Repository it can be used in rules.

Note! It is recommended to group applications into application groups and assign policies to the groups; this simplifies the configuration. If the user assigns a newly enrolled application to a group right away, many of the additional dialogs asking whether to permit specific access for that application are avoided.

When an unknown application starts it is recognized as unknown and the user is presented with a dialog (this must be enabled in the configuration under Files and Folders -> Options). At this point the user can decide whether to enroll the application in the Application Repository and whether to put it into some of the Application Groups.

Note! Only applications that will be run repeatedly should be entered into the Application Repository. Use the 'Run Once' option for applications you are not sure you will want to run again, or which you do not trust completely.

Default Policy

The default policy comes with one predefined group called TRUSTED. This group name is used in rules to grant liberal access to the network and computer resources. Most users will do fine with the default group. For users who need to group applications more granularly, the following guidelines apply.

Effective Group Policies

In general a user can get by with a fairly simple group policy: put all trusted applications into the Trusted group and give the Trusted group unlimited access to computer resources, either by general rules or by applying Exceptions to the group.

More advanced users can create more sophisticated group policies and thus protect themselves against more sophisticated attacks.

Grouping by Type

One way to look at grouping applications is to create one application group for network communication, one for file access, one for application spawning and so on. Since one application can be a member of multiple groups, it is then possible to select one set of applications as trusted for network access, another set trusted to access system files, another trusted to access important documents, another allowed to start other processes, etc.

Example:

Kazaa may be a member of:

  • an unrestricted communication group (it is P2P, so it has to communicate on random local ports and with all IP addresses)
  • a very restricted file access group (you don't want Kazaa to send you stuff, right? So you allow Kazaa to touch music files only, plus whatever system files it needs).

Now, when you decide that you trust Kazaa and move it to a different group with less restricted file access, you don't want to have to redo its network configuration.

You can think of an 'application group' as really being a 'resource group'. You then assign applications to groups such as 'access to Docs and Settings', 'run as a server on ports less than 1000' or 'access to Run keys'. The complexity of your environment determines how many such groups you create.

1.2.2. Network Security

The network firewall included in Tiny's host security engine is the most sophisticated network security engine out there. It is a combination of stateful filtering on NDIS and TDI layers which, in simple terms, ties specific network activity to specific applications.

Bi-directional stealthing firewall

The network security engine performs stateful inspection of both outgoing and incoming packets. This level of understanding of the network protocols allows selective filtering rules for outgoing and incoming traffic, distinguishing an attacker's attempt to compromise an endpoint application from that application's legitimate communication with the internet.

Application Specific Filtering

All network activity is compared with the application's permission to communicate over the internet, so only applications that are allowed to communicate will be able to do so. Furthermore, it is possible to distinguish between an application run as a system service and the same application run as a user process (only selected versions support this). Applications are recognized by name, path and checksum to ensure that only authorized applications may communicate over the internet.

Interface Specific Filtering

The sophisticated network security engine can recognize traffic coming through various interfaces and apply different rules based on the interface. This is extremely useful when managing the computer with multiple interfaces or when VPN traffic is involved.

Security Zones

Furthermore, different rules can be applied based on the security zone assigned to an interface. A traveling user may switch between zones at the airport or in the office and have the appropriate policies applied immediately, without tweaking the rules further. (A management server may do this automatically, if available.)

Spoofing protection

The network security engine includes protection against spoofing, i.e. an attacker injecting forged packets in order to hijack an ongoing network connection.

Server Compatibility

The network security engine was developed to comply with the strict functional requirements of Windows 2000 Server and Windows Server 2003. Tiny's network security engine is the fastest network protection engine available, surpassing its competitors in speed and in low system requirements.

Ready for 64 bit

Even though 64-bit versions of the Windows operating system had not yet been released, Tiny's security engine has a version fully supporting the 64-bit platform. You may check the 64-bit versions on the separate product pages.

1.2.3. System Security Guards

The Windows Security engine protects computer resources against unwanted and suspicious accesses and changes. It allows you to set your own list of trusted applications and their access rights to the system, and it isolates applications, minimizing their impact on system resources.

The most attractive features include:

  • code injection prevention, which stops malicious processes from misusing trusted applications
  • process spawning control, which stops malicious processes from starting other applications
  • complete file protection, preventing unwanted changes to your file system
  • complete registry protection, preventing unwanted changes to your registry
  • system service installation control, preventing trojans from installing themselves as a system service
  • device protection, preventing misuse of USB devices, COM ports, modems and other devices
  • complete DLL loading control, which lets you specify which DLLs may be loaded by which applications - no more undetectable trojans

... and many more

The system security of Tiny Firewall 6.0 is provided by a set of guards. Each guard may be selectively enabled or disabled for a particular application to achieve compatibility where you see problems (remember, not every application you install is coded correctly):

File Access Guard. By accessing the file system, a hostile process could gain access to all your data and files. Windows system files, contacts and all personal and work files should be protected against unknown applications: why should some new executable downloaded from the internet have the opportunity to modify pictures from your digital camera or your documents? To make things easier for those managing computers for others, Tiny Firewall 6.0 supports special variables such as %RemovableDrives%, %CdRoms% or %SystemRoot% in addition to absolute paths such as "C:\MyWorkDocs", and also wildcards such as "C:\*.doc".

Registry Guard. The Windows operating system saves system and application configuration in the registry database. If a hostile process changes settings in the registry, it may leave applications or your entire system unusable, or at least create a security hole; by changing the registry a hostile application can also gain unwanted access to resources on your computer. The default TF6 configuration prevents applications other than trusted ones from modifying the most dangerous areas of your registry, such as the Run keys (misused by trojans to start themselves automatically at system start).

Process Spawning Guard. With the Process Spawning Guard you can define whether a particular process may be started by some other process or by the user only. You can also define whether the new application runs in the security context of the parent application or in its own. This prevents misuse of trusted applications by hostile code. A typical way to misuse a known application is to start "cmd.exe del *.*" without any control by the user; without TF6 you can say goodbye to your files!

Dll Loading Guard. Some applications are able to dynamically execute external code by loading a supplied DLL and calling a predefined exported function in it. This is the case for the rundll32.exe process as well as for all applications that support plugins or ActiveX (such as Internet Explorer). Knowing that behavior, a malicious application can force its own DLL to be executed by such a trusted application, hiding the malicious activity behind it. Another use of the Dll Loading Guard is to prevent a particular application from loading its own DLLs once they have been changed.

OLE/COM Guard. Similar to the Dll Loading Guard, the OLE/COM Guard can prevent unknown code (usually a COM DLL) from being loaded into an otherwise trusted application. In this case, however, the unknown code is identified by its CLSID rather than by a DLL checksum or name. The current version of the TF Administration Center makes CLSID selection much easier by displaying all COM objects present on the computer in human readable form (by name). Another use of the OLE/COM Guard is to prevent one application from controlling another through the target application's known COM interface.

Services Control Guard. One of the most dangerous things that can happen on your computer is a malicious application installing itself as a service. The application then runs as a part of the operating system itself, with the privileges of the system account, and the operating system's own security no longer constrains it. TF6's Services Control Guard prevents just that from happening.

Device Access Guard. In the very near future we shall see trojans or applications sending information to the internet using raw IP access, completely bypassing traditional firewalls; we already see trojans attempting to format hard drives. Device access control prevents these and other events from happening. Also, if an administrator wants to prevent other users from connecting flash or portable hard disks to a computer, or from using modems, infrared or serial/parallel ports, this is the place to do so.

System Privileges. A malicious application can hide its communication with the internet and other malicious activities by injecting code into a trusted process; the activity then seems to be performed by the trusted application, and one would only wonder why that application suddenly communicates. A hostile process might also attempt to acquire the debug privilege, gaining unlimited control over a target application. By terminating applications such as firewalls or anti-virus, a hostile application can get rid of the obstacles preventing its malicious actions. Not with Tiny Firewall 6.0, though...

Check for unknown processes. All processes starting on the computer are inspected by TF's Windows Security engine and compared with the records of known applications in the Application Repository. If a process has no record in the Application Repository, the user may be shown a dialog with the choices to run the application once, enroll it permanently into the Application Repository, or terminate it. The user thus has complete control over the processes running on the computer.

Integrity Guard. The Integrity Guard settings are available in the Administration Center in the Application Repository. You can prevent a known executable or DLL, identified first by name and path, from being loaded when its checksum has changed.

1.3. Admin Tool

1.3.1. Overview

The Admin Tool allows you to manage TF and to query and view the event logs. You can edit the default rules, edit rules created as a result of 'Ask User' dialogs, or create your own rules, and so set up a more or less restrictive security policy for your computer.

Admin Tool is a separate application, fully independent of the firewall engine. You may choose not to install it when using TF with central management.

Skins. The Admin Tool includes several variants (skins) of how you view and operate the rules. To choose a different skin go to the menu Settings -> Options.

Enabled/Disabled Rules. Rules may be conveniently enabled or disabled using the Enable/Disable option. A disabled rule remains in the rules database among the other rules, but the security engine does not apply it.

Network Security Zones. Using the 'My connection' selector displayed on every Admin Tool screen you can quickly and easily change Security Zones. In the Admin Tool you can set certain rules to apply only when the traffic comes through an interface connected to a particular zone; the Security Zones selector lets you change the zone of your currently active interface quickly and conveniently.

1.4. Activity Monitor

1.4.1. Overview

Activity Monitor displays important information based on the activity of the host security engine. Activity Monitor includes three panels:

Event Log

Connections

Processes

A right-click displays a context menu from which actions such as 'close connection' or 'create new rule' can be taken. The windows of the Admin Tool may be rearranged to appear tiled, as a list or in tabs.

1.4.2. Event Log

Activity Monitor displays the events generated by the protection drivers in real time. Each event has a time stamp and the information which process caused it.

The Activity panel only displays events that were generated per the instructions in rules! For an event to be generated the activity MUST match a rule and the rule MUST be set to Monitor!

During the active session the activity panel displays the following information:

The actions undertaken by the host security engine

The application which is requesting the access

Module

The type of access

The object accessed (if applicable)

The time of the access

A right-click in the Activity panel displays a pop-up menu with the "Copy Rule" and "Clear Window" options. "Copy Rule" copies the selected rule in text format; "Clear Window" removes all monitored events from the Activity window.

There are three types of actions:

  • Monitored
  • Prevented
  • System Information

History (lines)

It is possible to set the number of lines available for scrolling. The History parameter in the Options dialog specifies this number.

Truncating Events

To prevent the screen from being flooded by identical events, a consolidation time interval can be set, so that 10 identical events occurring within that span are displayed as one event with a count. To set the parameters for truncating events click on the Options button and set the Merge Threshold time interval. The Merge Threshold interval specifies the maximum amount of time over which the engine merges identical events, provided that no event of a different type is generated in the meantime.

Example: An application tries to access a certain registry key repeatedly. This activity matches a reporting rule, so the host security engine generates a series of events; because the merge threshold was set to 1000 ms (1 second), the Activity Monitor displays one event with an increasing count. After 600 ms some other process generates activity matching another rule set to Monitor. The host security engine interrupts the count, displays another line with the new type of event, and then begins a new count for the original activity, provided that it persists.
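The merge-threshold behaviour described in the Truncating Events example above, written out as a small Python simulation. This is an added example, not Tiny Firewall code: the Event and DisplayLine records, the consolidate() function, the sample event stream, and the choice to measure the threshold from the first event of a run are all assumptions of this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One event from the protection drivers (layout assumed for this example)."""
    ts_ms: int        # time of the access, in milliseconds
    process: str      # application requesting the access
    access: str       # type of access
    obj: str          # object accessed


@dataclass
class DisplayLine:
    """One line in the Activity panel: an event type plus its merged count."""
    first_ts_ms: int
    process: str
    access: str
    obj: str
    count: int = 1

    def same_type(self, ev: Event) -> bool:
        return (self.process, self.access, self.obj) == (ev.process, ev.access, ev.obj)


def consolidate(events, merge_threshold_ms=1000):
    """Turn a stream of events into the lines the Activity panel would show.

    An event is merged into the most recent line when it is of the same type and
    arrives within merge_threshold_ms of that line's first event. Any event of a
    different type ends the current run, so a later repeat of the original
    activity starts a new line with a fresh count. Measuring the window from the
    line's first event is this example's reading of 'maximum amount of time'."""
    lines = []
    for ev in events:
        if lines:
            last = lines[-1]
            if last.same_type(ev) and ev.ts_ms - last.first_ts_ms <= merge_threshold_ms:
                last.count += 1
                continue
        lines.append(DisplayLine(ev.ts_ms, ev.process, ev.access, ev.obj))
    return lines


RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample stream: Kazaa writes a Run key every 100 ms, explorer.exe
# reads a file at 600 ms, then Kazaa continues with the same activity.
SAMPLE = [Event(t, "Kazaa", "registry write", RUN_KEY) for t in range(0, 600, 100)]
SAMPLE += [Event(600, "explorer.exe", "file read", r"C:\Windows\explorer.exe")]
SAMPLE += [Event(t, "Kazaa", "registry write", RUN_KEY) for t in (700, 800)]


def render(lines):
    """Format display lines the way the panel columns are listed above."""
    return ["%6d ms  %-14s %-15s %-55s x%d" % (l.first_ts_ms, l.process, l.access, l.obj, l.count)
            for l in lines]


if __name__ == "__main__":
    for line in render(consolidate(SAMPLE, merge_threshold_ms=1000)):
        print(line)
```

Run stand-alone it prints three lines: the Kazaa registry writes merged with a count of 6, the explorer.exe event on its own line, and the two later Kazaa writes as a new line with a count of 2.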

1.4.3. Connections Monitor

The Connections monitor shows live connections, including which process started the connection and its direction (inbound/outbound). It also shows processes listening on specific ports, i.e. ready for communication.

Columns description:

  • Process - which process started the communication
  • Protocol - usually TCP or UDP
  • Local port - port on your computer
  • Status - Listening (the port is open and waits for communication), Closed (communication on the port has finished), Inbound (the connection was started from a remote computer; the row is red) or Outbound (the connection was started from your computer; the row is blue)
  • Remote IP address
  • Remote port
  • Interface - which interface (e.g. Ethernet card, Wi-Fi card) is used for the communication
  • Time

1.4.4. Running Programs

The Running Programs panel shows the processes running on the computer, their membership in the security groups, and which security guards are enabled. Several actions are available by right-clicking on an application:

  • enable/disable guards
  • enroll application to group(s)
  • kill the application

2. Configuring Security

2.1. Applications

2.1.1. Application Repository

The general idea behind the Application Repository is that only applications which exist in it may have rules assigned to them. All other applications are treated as 'unknown' applications, and only the general rules effective for 'All' applications apply to them.

Once an application is enrolled in the Application Repository it can be used in rules. It is recommended to group applications into application groups and assign policies to the groups, thus simplifying the configuration.

When an unknown application starts it is recognized as unknown and the user is presented with a dialog (this must be enabled in the configuration under Files and Folders -> Options). At this point the user can decide whether to enroll the application and whether to put it into some of the Application Groups.

Grouping applications is generally recommended: the user avoids many additional dialogs asking whether to permit specific access for a particular application.

Default Policy

The default policy comes with one predefined group called TRUSTED. This group name is used in rules to grant quite liberal access to the network and computer resources. Most users will do fine with the default group. If you need to group applications more granularly, the following guidelines may help.

Effective Group Policies

In general a user can get by with a fairly simple group policy: put all trusted applications into the Trusted group and give the Trusted group unlimited access to computer resources, either by general rules or by applying Exceptions to the group.

More advanced users can create more sophisticated group policies and thus protect themselves against more sophisticated attacks.

One way to look at grouping applications is to create one application group for network communication, one for file access, one for application spawning and so on. Since one application can be a member of multiple groups, it is then possible to select one set of applications as trusted for network access, another set trusted to access system files, another trusted to access important documents, another allowed to start other processes, etc.

Example:

Kazaa may be a member of:

  • an unrestricted communication group (it is P2P, so it has to communicate on random local ports and with all IP addresses)
  • a very restricted file access group (you don't want Kazaa to send you stuff, right? So you allow Kazaa to touch music files only, plus whatever system files it needs).

Now, when you decide that you trust Kazaa and move it to a different group with less restricted file access, you don't want to have to redo its network configuration.

You can think of an 'application group' as really being a 'resource group'. You then assign applications to groups such as 'access to Docs and Settings', 'run as a server on ports less than 1000' or 'access to Run keys'. The complexity of your environment determines how many such groups you create.
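The resource-group model described here and in the 'Grouping by Type' passage of section 1.2.1 (one group per class of access, an application in several groups at once, unknown applications receiving only the 'All' rules), combined with the File Access Guard's path variables and wildcards, as an added Python example. This is not the product's rule format or code: the Group record, the variable values in VARIABLES, the group names, the sample REPOSITORY contents and the may_* functions are all assumptions of this illustration; %MyMusic% is an invented variable name, while %SystemRoot% and %RemovableDrives% are the ones the manual lists.

```python
import fnmatch
import ntpath
from dataclasses import dataclass

# Values for the special path variables are assumptions of this example; the
# real engine resolves them from the system.
VARIABLES = {
    "%SystemRoot%": r"C:\Windows",
    "%RemovableDrives%": r"E:",
    "%MyMusic%": r"C:\Documents and Settings\user\My Documents\My Music",
}


def expand(pattern: str) -> str:
    """Replace %Variable% tokens in a path pattern with their values."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    return pattern


def path_matches(pattern: str, path: str) -> bool:
    """Wildcard match ('*', '?') of a Windows path; Windows paths are
    case-insensitive, and ntpath.normcase lowercases and unifies separators."""
    return fnmatch.fnmatchcase(ntpath.normcase(path), ntpath.normcase(expand(pattern)))


@dataclass(frozen=True)
class Group:
    """One 'resource group': the access it grants to every member."""
    name: str
    network: bool = False   # may communicate on any port and with any address
    spawn: bool = False     # may start other processes
    files: tuple = ()       # path patterns the members may touch


# Constructed sample policy: one group per resource class, as the text suggests.
GROUPS = {
    "Trusted": Group("Trusted", network=True, spawn=True, files=("*",)),
    "NetUnrestricted": Group("NetUnrestricted", network=True),
    "MusicOnly": Group("MusicOnly", files=(r"%MyMusic%\*.mp3", r"%SystemRoot%\System32\*.dll")),
}
# General rules effective for 'All' applications, known or unknown.
ALL_APPS = Group("All", files=(r"%SystemRoot%\Fonts\*",))

# Application Repository: name -> group memberships (one app may be in several).
REPOSITORY = {
    "Kazaa": ("NetUnrestricted", "MusicOnly"),
    "winword.exe": ("Trusted",),
}


def effective_groups(app: str) -> list:
    """The 'All' rules always apply. A known application also gets the policies
    of every group it belongs to; an unknown one (not in the repository) gets
    nothing else."""
    return [ALL_APPS] + [GROUPS[g] for g in REPOSITORY.get(app, ())]


def may_use_network(app: str) -> bool:
    return any(g.network for g in effective_groups(app))


def may_spawn(app: str) -> bool:
    return any(g.spawn for g in effective_groups(app))


def may_touch_file(app: str, path: str) -> bool:
    return any(path_matches(p, path) for g in effective_groups(app) for p in g.files)


if __name__ == "__main__":
    song = r"C:\Documents and Settings\user\My Documents\My Music\song.mp3"
    report = r"C:\Documents and Settings\user\My Documents\report.doc"
    for app in ("Kazaa", "winword.exe", "unknown.exe"):
        print(app, "network:", may_use_network(app), "spawn:", may_spawn(app),
              "song:", may_touch_file(app, song), "report:", may_touch_file(app, report))
```

Moving Kazaa to a group with wider file access means changing only its MusicOnly membership; its network policy, which lives in NetUnrestricted, is untouched, which is the point the Kazaa example makes.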

2.1.2. Known Applications

You can view the known applications under the Application panel. The panel displays both Applications and their groups.

There are two basic categories of the application groups:

  • System groups (group applications running under the system account).
  • User Groups (group applications running under the user account).

Several rules apply:

One application may be a member of several groups at the same time. The same application may be enrolled in both System and User groups.

All unknown applications running under the SYSTEM account are automatically put into the $KnownSystemApps group.

The $KnownSystemApps group has unlimited access to all system resources by default. You can guard these applications only if you enable the Guard system processes checkbox in the Windows Security options tab and tick the appropriate guards in the Exception panel. You cannot delete the $KnownSystemApps group.

The Trusted group has inbound and outbound TCP/UDP access to and from all IP addresses and ports allowed, and can spawn everything. You can delete the Trusted group.

Once the application(s) have been enrolled, go back to the main panel by pressing the Back to the list of Applications button.

Editing application entries

1. Click on the entry you want to change

2. Click the Edit button; a new panel will appear.

3. Make changes

4. Press the Save & exit button

Removing application entries

1. Click on the entry you want to delete

2. Press the Remove button; a confirmation dialog will appear

Filter

You can select what should be displayed in the Known applications tab so that it matches certain criteria, by means of the Filter dialog window.

1. Click on the Filter button; a dialog will appear:

2. Select the parameters (name, group etc.) and press OK

3. Only matching entries are displayed in the Known Applications panel now.

4. To disable the filter, click on the Filter button again and check the "Any" checkboxes, or fill in * for all the parameters, and press OK.

Example: Let us say we are looking for all applications from the $KnownSystemApps group, identified by path, located in the %systemroot%\system32 folder (%systemroot% is usually c:\windows). Set your filter as displayed below and press OK:

Generating applications

Generating applications is useful for mass enrollment of the applications in one folder, optionally adding the enrolled applications to a group. Applications are in this case always identified by checksum.

1. Click on the Generate button; a dialog will appear:

2. Press the "..." button and browse for the folder containing the binaries. If you want to add only one file, tick the "Specify a single file" radio button

3. Select the Common or User repository for the newly created entries.

4. Select a group for enrolling or create a new one.

5. Press Finish

Right mouse context menus

Groups:

Delete will delete the chosen group. Multi-select is allowed.

Add will add a new group.

Entries:

Remove application(s) - a confirmation dialog appears and the entries are removed

Copy to group(s) - a dialog window lets you select to which group(s) you want to copy the selected entries

Remove from group(s) - a dialog window lets you select from which group(s) you want to remove the selected entries

2.1.3. Enrolling the Application - Interactive Enrollment

Applications may be enrolled into the Application Repository interactively during an 'Ask User' dialog session. The application may be enrolled as a standalone process, and it can be assigned to group(s) (recommended!). When enrolled into a group the application enjoys the group policies immediately, which can eliminate unnecessary 'Ask User' dialogs when accessing computer resources.

Note: In order to receive dialogs about unknown applications you must have the Guard system processes option in the Windows Security options tab enabled.

2.1.4. Enrolling the Application - Manual Enrollment

Remember! The recommended and most convenient way of enrolling applications is to let TF enroll unknown processes interactively using the Unknown Application dialog. This dialog pops up automatically whenever an unknown process executes.

If you need to prepare the TF configuration for other users you may want to enroll applications into the Application Repository manually. There are several ways of doing so. First click on the Enroll button, which displays a new panel:

Select the type of identification in the Application is identified by its dialog

Identification by Checksum

A checksum is a fingerprint of the file computed from its contents; the product uses MD5, e.g. C1380D4D08FA8D1B03D2EF812E2331F9, and a file of different size or content yields a different checksum. Note that a checksum is not a digital signature: it shows only that the bytes are unchanged since enrollment, not who produced them, and MD5 collisions have been known since 2004, so it should not be relied on alone against an attacker who can influence which file gets enrolled.

To add a checksum:

Click the appropriate Add.. button. You can choose whether to add single file(s) or the content of entire folder(s). In the standard Browse dialog which pops up, select the target you want to enroll.

You may associate one application name with multiple entries. For example, create a record 'Office' and associate it with the checksums of all executables in the Program Files\Office folder. You can then create rules applying to all those executables using this one Application Repository entry. Sometimes this approach is more convenient than using one name per specific application and grouping them into groups. Its disadvantage is that the application's signature cannot be updated automatically when the application is updated.

Identification by Path

Applications may be identified by their location in the file system (path).

Click on the button on the right side of the Path text box and use the Choose file dialog.

Identification by File Name

Applications may be identified by their file name.

Write the file name of the application into the File name text box. When done with the identification, continue with the following steps:

Use the Assign to application group dialog at the bottom of the panel to assign the new application to group(s). If you selected None you may choose the database (common or user) you want to enroll the application into; otherwise the application is enrolled into the database where the selected group resides.

Add the Application name (near the top of the panel). You must name the enrolled entries, since their names are used in the rules. Applications enrolled automatically using the Unknown Application dialog get a name generated from the name of their .exe file; if such a name already exists, a number is appended ('application(1).exe').

Application Description: optionally you may describe your application. Applications enrolled automatically get their description from their name.

Click on the Save&Exit or Save&New button

2.1.5. Enrolling the Application - for Integrity Check

Using Checksum and Path simultaneously allows you to check the integrity of a specific executable against changes instantly. When the executable gets changed you are immediately notified and asked whether to allow or deny such a change.

Remember: Integrity checking may be resource intensive. Enroll only those applications for which the integrity check is mission critical.

You may inspect the integrity of an executable based on:

  • Checksum and Path
  • Checksum and File Name

Setting up the integrity check for an application:

Enroll the application as described in the 'Manual Enrollment' topic, choosing one of the identifications mentioned above.

Select the type of the Integrity Check:

  • No integrity check: the application will be run without any attempt to check its integrity. For example, a virus with the same name could be run instead of the original binary if only path or
  • Monitor integrity corruption: a corrupted application will be executed and its execution monitored as an event.
  • Integrity check ask user: the user will be asked whether to run the corrupted executable.
  • Integrity corruption protection: the execution of corrupted binaries is automatically prevented.
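The three identification methods of section 2.1.4 (checksum, path, file name) and the four integrity-check modes above, as an added Python example; it is not Tiny Firewall code. The AppEntry record, the mode names none/monitor/ask/protect, the evaluate() return values and the demo() walkthrough are assumptions of this illustration. The demo enrolls a constructed 'binary' by checksum and path, overwrites it, and shows what each mode does with the changed file, including the path-only case in which a replaced binary runs unnoticed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


def md5_of_file(path: str) -> str:
    """MD5 of the file contents, in the upper-case hex form the manual shows."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest().upper()


@dataclass(frozen=True)
class AppEntry:
    """An Application Repository record (field layout assumed for this example).
    Checksum together with path or file name enables the integrity check."""
    name: str
    path: Optional[str] = None       # identification by path
    file_name: Optional[str] = None  # identification by file name
    checksum: Optional[str] = None   # identification by MD5 checksum
    integrity: str = "none"          # none | monitor | ask | protect


def _name_matches(entry: AppEntry, exe_path: str) -> bool:
    """Path and/or file name identification, compared case-insensitively."""
    if entry.path is not None and os.path.normcase(os.path.abspath(entry.path)) != os.path.normcase(os.path.abspath(exe_path)):
        return False
    if entry.file_name is not None and os.path.basename(exe_path).lower() != entry.file_name.lower():
        return False
    return True


def evaluate(entry: AppEntry, exe_path: str):
    """Decide what happens when exe_path starts, given one repository entry.

    Returns (action, reason); action is 'unknown', 'run', 'ask' or 'prevent'."""
    if not _name_matches(entry, exe_path):
        return "unknown", "path/file name does not match this entry"
    if entry.checksum is None:
        # Path/name-only identification: a replaced binary with the same name is
        # accepted, which is exactly the weakness the integrity check addresses.
        return "run", "identified by path/file name only"
    if md5_of_file(exe_path) == entry.checksum.upper():
        return "run", "checksum matches"
    if entry.path is None and entry.file_name is None:
        # Checksum-only identification: a different file is simply a different,
        # unknown application rather than a corrupted known one.
        return "unknown", "checksum does not match this entry"
    return {
        "none": ("run", "corrupted, integrity not checked"),
        "monitor": ("run", "corrupted, event generated"),
        "ask": ("ask", "corrupted, user decides"),
        "protect": ("prevent", "corrupted, execution blocked"),
    }[entry.integrity]


def demo() -> dict:
    """Enroll a constructed sample binary, replace its contents, and return the
    action each identification/integrity setting produces."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "sample.exe")
        with open(exe, "wb") as f:
            f.write(b"abc")                      # constructed 'original build'
        original = md5_of_file(exe)
        results = {"original_md5": original}
        results["intact"] = evaluate(AppEntry("sample", path=exe, checksum=original, integrity="protect"), exe)[0]
        with open(exe, "wb") as f:
            f.write(b"abd")                      # constructed 'tampered build'
        for mode in ("none", "monitor", "ask", "protect"):
            results[mode] = evaluate(AppEntry("sample", path=exe, checksum=original, integrity=mode), exe)[0]
        results["path_only"] = evaluate(AppEntry("sample", path=exe), exe)[0]
        results["name_only"] = evaluate(AppEntry("sample", file_name="SAMPLE.EXE"), exe)[0]
        results["checksum_only"] = evaluate(AppEntry("sample", checksum=original), exe)[0]
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

The 'none' mode still computes the hash here for symmetry; the real engine skips the check in that mode, which is why the manual calls checking resource intensive and advises enabling it only where it is mission critical.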

2.2. Network security

2.2.1. Sorting Network Security Rules

The security engine incorporates an automatic rule sorting mechanism which sorts rules according to a specific logic. The user interface displays the rules sorted according to this logic.

The benefit is that no matter where and how you enter a rule, you always know that it will be applied correctly.

Sort Order

The rules are sorted similar to how the Excel would sort the table - by Column A, then B, then C etc. In the network security module these columns and their order are:

  • Priority (High, Low)
  • Preferred (Preferred High > High > Preferred Low > Low)
  • Application - ascending alphabetically, in this order: Application, Group, Any (*)
  • Protocol - in this order: TCP, UDP, TCP/UDP, ICMP, Other
  • Direction - in this order: in, out, in_out
  • Local port - ascending in this order: single port, range
  • Remote port - ascending in this order: single port, range
  • Remote IP address - in this order - Single, Subnet, Any
  • Time - Any has the lowest priority
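As an added example (not Tiny Firewall code), the column order above expressed as a Python sort key, together with a matcher, so you can predict which of several overlapping rules the engine reaches first. The rule fields, the sample rules and the connections are constructed; two readings are assumptions: 'Preferred' is treated as sorting ahead of non-preferred within the same priority (giving Preferred High > High > Preferred Low > Low), and for the port columns a single port sorts ahead of a range, then ascending by port number.

```python
import ipaddress
from dataclasses import dataclass

# Column ranks in the order the manual lists them (lower rank = consulted first).
PRIORITY = {"High": 0, "Low": 1}
APP_KIND = {"application": 0, "group": 1, "any": 2}
PROTOCOL = {"TCP": 0, "UDP": 1, "TCP/UDP": 2, "ICMP": 3, "Other": 4}
DIRECTION = {"in": 0, "out": 1, "in_out": 2}
ADDR_KIND = {"single": 0, "subnet": 1, "any": 2}


@dataclass
class Rule:
    label: str
    priority: str        # "High" or "Low"
    preferred: bool      # Preferred High / Preferred Low sort ahead of plain High / Low
    app_kind: str        # "application", "group" or "any"
    app_name: str        # application or group name; "" for any (*)
    protocol: str
    direction: str
    local_port: tuple    # (lo, hi); lo == hi for a single port
    remote_port: tuple
    remote_kind: str     # "single", "subnet" or "any"
    remote_net: str      # address or CIDR; "" for any
    time_any: bool       # True when the rule is not time-restricted
    access: str          # "allow", "prevent" or "ask"


def port_key(p):
    lo, hi = p
    return (0 if lo == hi else 1, lo, hi)   # single ports before ranges, then ascending


def sort_key(r):
    return (PRIORITY[r.priority], 0 if r.preferred else 1,
            APP_KIND[r.app_kind], r.app_name.lower(),
            PROTOCOL[r.protocol], DIRECTION[r.direction],
            port_key(r.local_port), port_key(r.remote_port),
            ADDR_KIND[r.remote_kind], 0 if not r.time_any else 1)


def engine_order(rules):
    """Labels in the order the engine (and the Admin Tool) shows them."""
    return [r.label for r in sorted(rules, key=sort_key)]


def matches(r, app, groups, proto, direction, lport, rport, remote_ip):
    if r.app_kind == "application" and r.app_name != app:
        return False
    if r.app_kind == "group" and r.app_name not in groups:
        return False
    if r.protocol == "TCP/UDP":
        if proto not in ("TCP", "UDP"):
            return False
    elif r.protocol != proto:
        return False
    if r.direction != "in_out" and r.direction != direction:
        return False
    if not (r.local_port[0] <= lport <= r.local_port[1] and r.remote_port[0] <= rport <= r.remote_port[1]):
        return False
    if r.remote_kind != "any" and ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(r.remote_net, strict=False):
        return False
    return True


def first_match(rules, **conn):
    """Walk the sorted list; the first matching rule decides."""
    for r in sorted(rules, key=sort_key):
        if matches(r, **conn):
            return r.label, r.access
    return None, "no rule"


ANY_PORT = (0, 65535)
# Constructed sample rule set: stealth SMB from the Internet, allow it from the LAN subnet.
SAMPLE_RULES = [
    Rule("allow-all-out", "Low", False, "any", "", "TCP/UDP", "out", ANY_PORT, ANY_PORT, "any", "", True, "allow"),
    Rule("block-smb-in", "High", False, "group", "All System", "TCP", "in", (445, 445), ANY_PORT, "any", "", True, "prevent"),
    Rule("allow-smb-lan", "High", True, "group", "All System", "TCP", "in", (445, 445), ANY_PORT, "subnet", "192.168.1.0/24", True, "allow"),
    Rule("browser-http", "High", False, "application", "firefox.exe", "TCP", "out", (1024, 65535), (80, 80), "any", "", True, "allow"),
]
```

Entered in the order shown, the rules are still consulted as allow-smb-lan, browser-http, block-smb-in, allow-all-out: the Preferred flag lifts the LAN exception above the general block regardless of where you typed it, and a named application outranks a group on the same priority level.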

2.2.2. Security Zones

TF6 incorporates two security zones, Safe Zone and Dangerous Zone. Network interfaces may be assigned to these zones, and zones may be assigned to particular rules. Such rules apply only when the network communication goes through a network interface assigned to that zone.

As an example, you could protect your file sharing ports (UDP 137-138, TCP 139) and apply this protection only to the Dangerous Zone. At home or on the corporate LAN you move your network interface into the Safe Zone, which lets you share your files. On the airport wireless LAN you simply move the interface to the Dangerous Zone and all restrictions are applied to that traffic.

Note! Identifying networks by their IP addresses, as other firewall vendors often do, is dangerous and may compromise your security. For example, your interface may be assigned the same 192.168.1.5 address whether you are on your home LAN, the corporate LAN or at the airport!

2.2.3. Stealthing System Ports and the Computer

Ports 135, 139, 445 etc. are vital for Microsoft Networking, e.g. File Sharing, Computer Browsing etc. The activity on these ports is performed by Windows System processes. Therefore all rules that close these ports must be assigned to applications running under the System account. You can either choose a particular application or, preferably, the 'All System' assignment (recommended).

To stealth these ports you need to check:

  • What is the zone of the Interface you want to block?
  • Is there a rule with particular zone and ports assigned?
  • Are the applications assigned to this rule System processes?

Hint: You may want to stealth these ports when you are outside and leave them open on your own LAN. Use Security Zones to achieve this. On the LAN, move your active network interface to the Safe Zone (where sharing is allowed). Outside the LAN, move your active network interface to the Dangerous Zone.

Internet Sharing and Stealth Mode

To stealth the computer in general and shield the applications running under user accounts, go to the Options dialog, 'Prevent Closed Port Access', which has three choices:

  • Don't Hide Closed Ports - leave all unused live ports visible from the Internet.
  • Filter Incoming Requests - all ports not occupied by a live application will be stealthed and packets dropped before they reach them. This is the complete stealth mode; as a result ICS (Internet Connection Sharing) would not work.
  • Filter Outgoing Responses (ICS setting) - this option stealths all ports not used by ICS.

To stealth the computer use the second option, 'Filter Incoming Requests'. Note that ICS-enabled computers should use the third option.

2.2.4. Handling ICMP Protocol

ICMP is a specific protocol. To create a rule for the ICMP protocol, pre-define or 'Direct Specify' the firewall object, choose the ICMP protocol and select from the variety of ICMP commands.

DO NOT FORGET TO ASSIGN THIS RULE TO SYSTEM APPLICATIONS! The ICMP protocol is handled by Windows system processes.

You can configure ICMP only for all apps (*) (choose System apps!) and as a system rule.

2.2.5. Closed Port Access

Closed Port Access means that an attacker coming from the Internet is trying to establish or probe a connection on a port which is not used by any application. TF6 calls such a port a 'Closed Port'. A response from a closed port reveals to the attacker that a computer exists at the given address and is a potential target.

2.2.6. Creating Network Security Rules

To add a new rule, click anywhere within a rule group (Hi Common, User, Low Common). The row turns a bit darker. Click Add new rule and the new rule is created above the existing rule you clicked on.

You can also use the right mouse button and choose Add from the context menu, or press the INSERT key to create a new rule. Don't forget to press CTRL + S or click the Save changes button in the upper right corner of the Admin Tool to save your changes!

The new rule is created with a generic description. To adjust the rule to your needs proceed in the following steps:

Step1 - define communication protocol

If you wish to adjust the Protocols and Ports definition, click on the Protocols&ports field. Click again and choose one of the objects from the combo box:

Note: Inbound ICMP rules can be assigned to system processes only, because applications cannot work directly with inbound ICMP packets.

The Direct specify option brings up the Direct specify Object dialog:

Here you can define the communication protocol yourself. Choose the protocol, the local port (or port range, e.g. ports 21 to 500), the remote port and the direction of the traffic.

Step 2 - define target

Click on the next field to select the IP address. Another click brings up the combo box:

Direct specify shows the IP address dialog, where you can type the chosen IP address. Another combo box lets you select whether you want a single IP, an IP range (e.g. 192.168.0.1 - 192.168.0.10) or a net mask. You can also use the IPv6 format.

Add global object creates a new IP address object, which can be found in the Predefined IP addresses tab in Network security.

Step 3 - define the Application

Click on the next field to select the Application. Another click brings up the combo box:

Here you can select All (*), which means the rule applies to every group and every application, or you can choose a group or application from the rest of the combo box.

Note: System processes (processes running under system accounts) are listed separately from processes running under user accounts. You can inspect which process runs under which account in the Activity Monitor.

Step 4 - define Access

Allow - the rule allows communication for the specified objects.

Prevent - the rule prevents the communication.

Ask User - a pop-up appears asking you what to do (Allow/Prevent).

Ask User can be used in Client rules only!

Step 5 - define Audit level

Ignore - activity matching the rule is not displayed in the Activity Monitor.

Monitor - activity matching the rule is displayed in the Activity Monitor.

Alert - a warning window pops up when activity matches the rule.

Step 6 - define Day & Time

Allows you to specify when the rule is enabled (e.g. only between 6:00 and 8:00 AM).

All - the rule is enabled permanently.

Direct specify - a dialog box called Specify time of the day appears. You can specify the times when the rule is enabled. Multiple selection is allowed.

Custom items - the list of objects predefined through the Time Intervals tab.

Step 7 - define Security Zone

TF6 incorporates security zones. Network interfaces may be assigned to the Safe Zone or the Dangerous Zone, and zones may be assigned to particular rules.

As a result the rule applies only when the network communication passes through a network interface assigned to the selected zone.

As an example, you can protect your file sharing ports (UDP 137-138, TCP 139) and apply this protection only to the Dangerous Zone. At home or on the corporate LAN you move your network interface into the Safe Zone and you can share your files. On the airport wireless LAN you simply move the interface to the Dangerous Zone.

Safe Zone - the rule applies only to interfaces assigned to the Safe Zone (e.g. your Ethernet card connected to the LAN).

Dangerous Zone - the rule applies only to interfaces assigned to the Dangerous Zone (e.g. a modem connected to the Internet).

All - the rule applies to both.

Step 8 - assign the rule to specific User Account or to System Account

This column governs for which user the rule applies (e.g. a rule enabled only for Joe). Clicking on this column opens a dialog window.

2.2.7. Deleting rules

The Delete Rule button removes the selected rule(s); a confirmation dialog appears. Multiple rules may be selected using the Ctrl or Shift keys.

You can also delete the selected rule by right-clicking on it or by pressing the DELETE key.

2.2.8. Predefined Objects

The Predefined IP Addresses dialog lets you add custom-defined IP address objects. These objects may be reused in rule definitions.

After clicking the Add button the dialog window appears:

name the IP address object

choose the IP address format (IPv4 or IPv6)

choose the kind of entry:

Single IP - one IP address only

Range - IP address range; the second text box will turn gray

Mask - defines an IP address range using a mask

click on Add

click on OK to create the new IP address object

To remove or edit an IP address (range, mask) added to the IP address object, select the object and click on the Remove or Edit button.

When you double-click on the row containing a rule, you can rename the rule (Label column) or edit the rule (Content column) directly.

2.2.9. Testing your security

There are several methods of testing your firewall settings. For example you can visit www.grc.com (http://www.grc.com/) and test the security of the TPF5 firewall using the Shields UP tests. The computer must be connected directly to the Internet to get meaningful results. If your computer is located behind a router or another computer providing Internet Sharing, the results of GRC's test refer to that router/computer.

Your network interface should be in the Dangerous Zone (Network security -> Zone settings tab), or you should modify the rules for the Safe Zone accordingly.

Scanning the ports

1. Open your favorite browser, go to http://grc.com/default.htm (http://www.grc.com/) and find the Shields UP link under the Hot Spots rubric, or go directly to https://grc.com/x/ne.dll?bh0bkyd2

2. Find this part of the page: there are several tests on the silver bars in this table.

File Sharing - tests your file sharing vulnerability. The result should be stealth. If you fail, make sure that the network interface you use is in the Dangerous Zone, or adjust your rules accordingly.

Common Ports - this Internet Common Ports Probe attempts to establish standard TCP Internet connections to a collection of standard, well-known, and often vulnerable or troublesome Internet ports on your computer.

All Service Ports - determines the status of your system's first 1056 ports. Slower, but a much more thorough test.

User Specified Custom Ports Probe - this Internet port probe attempts to establish standard TCP Internet connections to any set of up to 64 ports specified by the user.

3. Run all tests.

When you find an open port, try to figure out what the port is used for; GRC has good documentation about it. If you think there is a Trojan installed on your system (a strange open port was detected), delete from the Application Repository all applications you are not 100% sure about. TF6 enrolls all applications once again, giving you the chance to check them out. You may need to leave some ports accessible, e.g. an SMTP server, a web server etc.; otherwise external clients would not be able to connect.

Improve the firewall rules so that all ports (except those you really need to leave accessible) are stealth.
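Shields UP is a remote service; when you cannot reach it, or want to test from a machine of your own on the outside of the interface you placed in the Dangerous Zone, the same three-way classification can be done with a plain TCP connect probe. The following is an added example (not part of this manual or of Tiny Firewall) that distinguishes an open port, a closed port that answers with a reset (the 'Closed Port Access' case of 2.2.5, where the reply alone tells the attacker the computer exists) and a stealth port that never answers. The loopback demonstration at the end is constructed so the code runs offline; the host, ports and function names are assumptions.

```python
import socket


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port the way Shields UP reports it.

    "open"    - a listener accepted the connection
    "closed"  - the host answered with a reset: the port is unused but the
                computer just revealed that it exists (section 2.2.5)
    "stealth" - nothing came back within the timeout: the firewall dropped the probe
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as e:            # unreachable network, etc.
        return "error: %s" % e
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe a list of ports and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def not_stealth(results):
    """Ports that gave the prober an answer, i.e. the ones your rules still need to cover."""
    return sorted(p for p, state in results.items() if state in ("open", "closed"))


def loopback_demo():
    """Offline demonstration: open a listener on an ephemeral port, probe it,
    close it, probe again. Loopback traffic is not filtered, so 'stealth' cannot
    appear here; that state only shows up against a firewalled interface."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_listening = probe_port("127.0.0.1", port)
    finally:
        srv.close()
    after_close = probe_port("127.0.0.1", port)
    return {"port": port, "listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    # From a host outside your LAN, replace 127.0.0.1 with your public address
    # to see which Microsoft Networking ports still answer.
    results = scan("127.0.0.1", [135, 139, 445])
    print(results, "needs attention:", not_stealth(results))
```

Run the scan from outside, never from the LAN side of the interface under test, and expect every port you have not deliberately left accessible to come back as "stealth"; a "closed" result means the probe was answered rather than dropped, which is exactly what 'Filter Incoming Requests' is meant to prevent.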

2.2.10. Outgoing/Incoming Connection Alert

The Outgoing/Incoming Connection Alert dialogs appear every time there is network activity matching a rule with the 'Ask User' option set.

Typically you may want to define a few default rules specifying that all traffic not permitted or prevented by other rules displays the dialog. Such a default rule has the lowest priority if you use general object definitions such as 'All applications', 'All protocols', 'All IPs'.

When the Connection Alert dialog pops up:

Apply permanently checkbox - creates a new firewall rule for the connection. When you tick it, more options become available:

Add rule to Common configuration checkbox - the rule is added to the High Priority Common rules in the Network Security rules tab.

Only to this connection - the application can connect only to the detected IP address (e.g. 64.12.161.185) on the detected port (e.g. port 5190).

To all communication - creates a rule allowing/preventing all connections to all IP addresses and all ports in the given direction (outbound or inbound) for the application which invoked the dialog.

To modified communication - click on modify here to edit the options for the new rule.

Apply until Application ends - the application is allowed to communicate on the specific port and IP address temporarily, until it terminates. This option is available only with the Apply permanently option checked and the Add rule to Common configuration option unchecked.

Allow/Deny buttons - the communication is allowed or denied. If the Apply Permanently option is checked, pressing the button creates the rule for this connection with the Allow/Deny access result.

What We Would Recommend!

You can tick the Add to group checkbox. Instead of creating a rule for the application, you can add the application to a group, which makes the application subject to all rules defined for the selected group.

If you would like to start a new group, just type in the group name you intend to use. Remember - you must define the rules for such a group!

2.3. Windows Security

2.3.1. Guards Exceptions

The Exceptions enable and disable the various security guards for particular applications or groups of applications running under a particular user account.

The main use of Exceptions is when you find that an application would otherwise be incompatible, or when you want to relax the security restrictions for the Administrator yet keep them for regular users.

You may also find that an application 'uses' particular guards too extensively without any security impact; then you might want to disable that guard for the application.

Note! By disabling a particular guard for a particular application running under a particular user account you may expose your computer to security risks.

2.3.2. Sorting System Security Rules

The security engine incorporates an automatic rule sorting mechanism which orders the rules according to a fixed logic. The user interface displays the rules in that order.

The benefit is that no matter where and how you enter a rule, you always know how it will be applied.

Sort Order

Priority (High > Normal (optional user rules) > Low)

Preferred (Preferred High > High; Preferred Low > Low)

Application (Application > group (alphabetically) > any app (*))

Path (a subdirectory has higher priority than a rule for its parent folder. Rules with a directly specified object are sorted ahead of rules with predefined objects (alphabetically sorted). The Any (*) object has the lowest priority.)

Other criteria such as Time of Day (subset has priority over a longer time interval)

Note: Application Spawning rules are sorted first by the child application and then by the parent application. Applications have the highest priority, then groups (alphabetically) and then Any (*).

2.3.3. Unknown Application

The Unknown Application dialog appears when TF6's Windows Security module detects that the inspected application does not yet exist in the Application repository. The dialog offers several choices:

Terminate Application - the application is terminated. A useful choice for unknown or unwanted applications such as msblast.exe.

Move to Quarantine Folder - a great choice to move the weeds out of your computer immediately. The Quarantine folder is located in the Program Files/Tiny Personal Firewall directory.

Run Once - the application is allowed to run only once; the same dialog appears the next time you run it. This is a favorite choice when you do not know the inspected process well enough to enroll it permanently into the Application Repository.

Run in install mode - the application is automatically added to the Installation Applications user group. Everything is allowed for this application and all child processes it spawns; no ask user dialogs are shown. The application is deleted from the application repository when it finishes. A useful choice when installing new software.

Note: Trojans and spyware are frequently part of the installation process of many legitimate applications (screensavers, various tools) downloaded from legitimate sources such as download.com etc. Therefore such trojans and spyware will always make it to your computer. To protect against them, TF6 lets you check the Installation log (to uncover programs that do not look like part of the installation package) and also requires you to classify newly started processes before they are entered into the Application repository.

Add this checksum to the application - you can have applications installed e.g. with the same name but different checksums. This checkbox lets you assign a new checksum to an already enrolled application. Works only for applications identified by checksum.

Create a new record for this application - the application is enrolled into the Application Repository.

Use Common repository checkbox - the application is enrolled into the Common repository (common for all users of TPF). When unchecked, the application is enrolled into the User repository. This option is available only to administrators.

Add to group checkbox - select the group you want to enroll the application into.

New button - lets you create a new group in the Application repository.

Advanced button - shows the Advanced Enrollment Settings dialog:

Identify by - radio buttons let you choose how the application is identified.

Assign name - you can change the application name shown in the Application repository.

Let binary guard check integrity of this application - lets you select how the integrity guard deals with integrity corruption of the application: Monitor integrity corruption (the corruption is only monitored), Ask user (in case of corruption a dialog appears asking the user what to do, prevent or allow), Integrity corruption protection (execution of corrupted binaries is automatically prevented).

Press the OK button to close the Unknown Application dialog.

2.3.4. File Security

File Access protection is probably the most visible and the simplest to explain part of our Windows Security engine. Without file access protection you had better buckle up your files' seat belts, because one day your files are going to say "bye bye".

Imagine Microsoft Word or Excel. These applications typically enjoy a high level of trust, or in other words nobody is really concerned about their security. Now imagine all the APIs these applications have and their macro capabilities. Did you know that Microsoft Word could be told to delete some of your data?

Hide them! Or imagine Windows Explorer. Explorer is the window through which you see your computer and your files. This also means that Explorer has the right to access all your data and can delete it! With TPF5 you can easily 'hide' particular data or the entire hard drive from an unprivileged user, so that when he logs on he cannot see them. Still, should you desire so, he would be able to use them through a specific application (such as book-keeping, accounting, statistics etc.).

The Windows Security File Guard can eliminate these threats and can easily become your partner in managing the file access rights on your computer.

In a managed environment the file access rights may be modified based on who is logged on to the computer or where the computer is located.

Technically speaking, the File Access Guard intercepts the access of processes to the file system. It recognizes the particular type of access (Read, Write, Create, Delete) for each process/application running under a specific user account. One application may have different access rights when running under User1 from the same application running under User2 - SIMULTANEOUSLY!

2.3.5. Predefined File Objects

Using File Objects you may define collections of files and folders and use them as a group in the rules. There are two levels of objects, Common and User. Common objects may be used in Common rules, User objects in User rules. Only a user with administrative privileges may define Common objects.

Adding an Object (User or Common)

Click on the Add Object button.

A new row appears.

Click in the Identification column and name the object.

Now find in the File Tree the object you want to use, press the right mouse button and select Copy to selected definition. You can repeat this as many times as you need and add many files or folders to one object.

Deleting an Object

Click on the definition.

Press the Delete button.

When the confirmation dialog appears, click on Yes.

Deleting an entry from the Object

Click on Contents field

Click on the entry you want to remove

The Deleting from database dialog appears.

Click on Yes.

Or you can right-click on the object and select Remove.

2.3.6. Hidden Folder Example

Let's create a hidden folder. This folder will be invisible to all installed applications except notepad.exe, which we'll use for writing secret notes.

Make sure that the Windows security module is enabled.

Create a directory named c:\hidden

Run the Admin Tool and go to the Files and Folders panel.

Right-click on High priority common rules. Select Add new... from the context menu.

In the Object field of the new rule select direct specify and fill in c:\hidden, or select it using the browse function.

Leave All (*) in the application field (the rule will be enabled for all applications).

Set Permission to Deny for each access type (R,W,C,D). Set the Audit level to Monitor (we will change it to Ignore later).

Go to the Exceptions panel and enable the file guards for all applications/groups except userinit.exe.

Press CTRL + S to save the changes.

Run the Activity Monitor.

Try to access the directory c:\hidden using Windows Explorer or any other application, e.g. the command prompt (cd \; dir), IE, notepad.exe (Ctrl + O) etc.

You shouldn't see the directory! Look at the Activity Monitor - there should be plenty of Prevented messages (red minus), as the applications we used tried to access the directory. The directory c:\hidden should not be visible in the Admin Tool's file tree either.

Now change the Audit level of the rule to Ignore for all access types in order to keep the folder 'stealth'. This should result in complete invisibility of the folder to any user of this PC.

Remember: by assigning this rule to a particular user account (e.g. Guest or another) you may hide this directory for that user account only.

Now let's open up access to our c:\hidden folder for notepad.exe.

Right-click on our rule and select Copy.

Select notepad.exe in the Application field (hint: to select it fast, press 'n' when you pop up the list of applications).

Change Permission to Allow. Press Ctrl + S.

Run Notepad, write something and save it to the hidden directory.

Remember! You must have the Windows Security module enabled. If you have entries in the Exceptions panel, they must have the file guards enabled (except userinit.exe)! Otherwise the folder won't be stealth.

2.3.7. Registry Protection

The Registry is a database used to store settings and options for the 32-bit versions of Microsoft Windows and for applications. It includes information and settings for all the hardware, software, users and preferences of the PC. Whenever a user changes Control Panel settings, file associations, system policies or installed software, the changes are reflected and stored in the Registry.

There are five main branches of Registry each containing a specific portion of the information stored in the Registry. They are as follows:

HKEY_CLASSES_ROOT - This branch includes all file associations to support the drag-and-drop feature, OLE information, Windows shortcuts and core aspects of the Windows user interface.

HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.

HKEY_LOCAL_MACHINE - This branch includes computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.

HKEY_USERS - This branch includes individual preferences for each user of the computer. Each user is represented by SID sub-key located under the main branch.

HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.

Run keys (http://support.microsoft.com/?kbid=179365) are special Registry keys. They are frequently misused by viruses and Trojans to auto-start various spyware applications on or even before the user's logon. The ability to protect the Run keys from unwanted entries is a very effective weapon against the most aggressive viruses.

2.3.8. Registry Protection Rules

The Registry tab of the Windows Security panel lets you set rules for the registry. The left frame displays the registry tree (similar to regedit) and the right panel displays the rules.

Rule processing priority:

High priority common rules have higher priority than User rules, which have higher priority than Low priority common rules.

Inside each group (High, User, Low) the Applications are sorted alphabetically (!) and have higher priority than Groups, which are alphabetically sorted as well. The all-applications sign '(*)' has the lowest priority.

The order in which you create the rules does not matter, since their priority is set by the position of the object in the tree. An object deeper in the tree (e.g. HKLM/Software/TinySoftware) inherits the settings tied to the object higher in the tree (HKLM), and a setting for the deeper object takes priority over the setting for the higher object. For example, allowed access to HKLM/Software/TinySoftware prevails over denied access to HKLM set for the same application or its group.
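As an added example (not Tiny Firewall code), the priority rules of this section and the sort order of 2.3.2 (priority group, then Application > Group > Any (*), then the more specific object) applied to registry keys: a rule on a key is inherited by everything beneath it, and when several rules cover the same key the engine takes the one that sorts first. The rule layout, the sample rule set and the queried keys are constructed for the illustration.

```python
from dataclasses import dataclass

GROUP_RANK = {"High": 0, "User": 1, "Low": 2}          # High common > User > Low common
SUBJECT_RANK = {"application": 0, "group": 1, "any": 2}


@dataclass
class RegRule:
    group: str          # "High", "User" or "Low"
    subject_kind: str   # "application", "group" or "any"
    subject: str        # application or group name; "*" for any
    key: str            # registry key the rule is tied to
    allow: dict         # {"R": bool, "W": bool, "C": bool, "D": bool}


def covers(rule_key, key):
    """A rule on a key also applies to every key beneath it (inheritance down the tree)."""
    a, b = rule_key.lower(), key.lower()
    return b == a or b.startswith(a + "\\")


def applies_to(rule, app, groups):
    if rule.subject_kind == "application":
        return rule.subject.lower() == app.lower()
    if rule.subject_kind == "group":
        return rule.subject in groups
    return True


def rule_rank(rule):
    # Priority group, then Application > Group (alphabetically) > Any (*),
    # then the deeper key first: the most specific object overrides its ancestors.
    depth = rule.key.count("\\")
    return (GROUP_RANK[rule.group], SUBJECT_RANK[rule.subject_kind], rule.subject.lower(), -depth)


def decide(rules, app, groups, key, access):
    """Return (allowed, rule) for one access type "R", "W", "C" or "D";
    (None, None) when no rule covers the key at all."""
    candidates = [r for r in rules if applies_to(r, app, groups) and covers(r.key, key)]
    if not candidates:
        return None, None
    best = min(candidates, key=rule_rank)
    return best.allow[access], best


def perms(r=True, w=True, c=True, d=True):
    return {"R": r, "W": w, "C": c, "D": d}


RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample: read-only HKLM for everyone, with three exceptions.
SAMPLE_RULES = [
    RegRule("High", "any", "*", r"HKLM", perms(w=False, c=False, d=False)),
    RegRule("High", "any", "*", r"HKLM\Software\Classes", perms(d=False)),       # deeper any-rule wins over HKLM
    RegRule("High", "group", "Admin Tools", r"HKLM\Software\TinySoftware", perms()),
    RegRule("High", "application", "installer.exe", RUN, perms()),               # a named app beats any (*)
    RegRule("Low", "any", "*", r"HKCU", perms()),
]
```

With these rules, regedit.exe as a member of Admin Tools may write under HKLM\Software\TinySoftware while notepad.exe may not; any application may create file associations under HKLM\Software\Classes but not delete them; and only installer.exe may add to the Run key, which is the protection the previous section recommends.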

Adding a rule

Click the Insert after button.

Click on the Object field in the new rule. You can select a predefined object or find the key you need by clicking on Direct specify. In that case a dialog appears; the 'Enter a key' field offers a search for a specific key.

Select the application or Group for which the rule is effective.

Set the access result of the rule in the permission table:

Types of Access:

Read - the key may be read

Write - the key may be changed

Create - the key may be created

Delete - the key may be deleted

Specify Day & Time when the rule is effective:

All - the rule is enabled permanently

Direct specify - a dialog box called Specify time of the day appears. You can specify the times when the rule is enabled. Multiple selection is allowed. Custom items can be created through Time Intervals.

Assign the rule to User(s) account(s) so that the rule applies only to the application or group of applications running under that particular user account.

2.3.9. Applications Spawning

What is Spawning?

Spawning is the application activity in which one process starts another.

Example:

When you open Notepad or any other application from the Start menu, that is spawning. Explorer.exe, the user interface through which you access other applications, is built into the Windows operating system and controls just about any process running on your computer, excluding the system services.

Strangely enough, when you open Windows Explorer to see the files on your drive, explorer.exe starts itself. One explorer.exe instance represents the user interface and the other is Windows Explorer opened as an application.

2.3.10. Application Spawning Rule

Rule processing priority:

High priority common rules have higher priority than User rules, which have higher priority than Low priority common rules.

Inside each priority group (High, User, Low) the Application names of the spawned object (child processes) are sorted alphabetically (!) and have higher priority than the Groups of the spawned object, which are alphabetically sorted as well. All applications '(*)' has the lowest priority.

The last sorting is done according to the spawning object (parent processes): alphabetically sorted Application names have higher priority than alphabetically sorted Groups, and All applications '(*)' has the lowest priority.

Inserting a spawning rule

Click on the row where you want to add a rule

Click on Insert after button, new row appears

Click on Start what (child) and select the application or group to be spawned.

Click on Start by (parent) and select the application or group which will spawn the previous application or group.

Now look at the bottom of the Admin Tool:

Use child's - the child (spawned process) runs in its own security context. All and only the rules assigned to the child process, or to a group where the child process is a member, are applied.

Use parent's - the child (spawned process) runs in the parent's security context. This means that the rules effective for the parent process are applied to the child process as well. The child process may still have another set of rules defined for the situations where it is started by some other application.

As an example, MS Outlook may have a different set of rules when it is started by the user's direct activity (by explorer.exe, the user interface) than when it is started by some other application (which might potentially be a trojan).

Ask user - TPF asks which of the two scenarios above is applied.

Day & Time column - select the time and date when the rule is valid.

Assign the rule to User(s) account(s) so that the rule applies only to the application or group of applications running under that particular user account.

Example:

Spawning rules may be used in a simple way, where no rule conflicts with another. Using hierarchical inheritance the administrator may also define spawning rules which are effective only when the preceding rules agree.

Note: by inheriting the security of the parent application (1), the child process (2) also inherits the parent's identity. Therefore, if the child process (2) tries to start another process (3), the engine does not see (2) as the parent of (3), but the original parent (1).

As confusing as it may seem the application of this logic is quite simple:

Example of recursive security assignment:

Create these spawning rules:

realplay.exe started by iexplore.exe - allow spawning in parent's security context, monitor

realsched.exe started by realplay.exe - allow spawning in parent's security context, monitor

any (*) started by any (*) - ask for access (allow/deny) and ask for security (child's/parent's)

When realplay.exe is started by iexplore.exe, it inherits the security settings and the identity of iexplore.exe.

Then, when realplay.exe tries to start realsched.exe, it is seen not as realplay.exe but as iexplore.exe. Therefore the second rule in the list does not apply and the user is presented with the ask user dialog, in which he has to confirm what security is given to realsched.exe.

However, when realplay.exe is started by explorer.exe (Windows Explorer) instead, the third rule asks and, if the user keeps the child's own security context, realplay.exe keeps its own identity; its subsequent start of realsched.exe is then allowed according to the second rule in our list.
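The recursion in the example above is easier to follow in code. The following is an added example (not Tiny Firewall code) of the three rules, the child-then-parent sort order of 2.3.10, and a spawn step that matches the parent by its inherited identity rather than by the executable actually running. Groups are left out; the `Process`, `spawn` and `walk` names and the stand-in for the Ask user dialog are assumptions.

```python
from dataclasses import dataclass

# (child, parent, access, context); "*" matches any application.
SPAWN_RULES = [
    ("realplay.exe", "iexplore.exe", "allow", "parent"),
    ("realsched.exe", "realplay.exe", "allow", "parent"),
    ("*", "*", "ask", "ask"),
]


@dataclass
class Process:
    name: str       # executable actually running
    identity: str   # name the rules see; differs from `name` after inheriting a parent's context


def rule_rank(rule):
    # Sorted first by child, then by parent; a named application outranks "*".
    child, parent = rule[0], rule[1]
    return (child == "*", child.lower(), parent == "*", parent.lower())


def find_rule(child_name, parent_identity):
    """First rule, in engine order, whose child and parent match. The parent is
    matched by its *identity*, which is what the recursion note is about."""
    for child, parent, access, context in sorted(SPAWN_RULES, key=rule_rank):
        if child in ("*", child_name) and parent in ("*", parent_identity):
            return access, context
    return "ask", "ask"


def spawn(parent, child_name, ask=None):
    """Start child_name from `parent`. Returns (decision, child Process or None).

    `ask` stands in for the Ask user dialog and returns ("allow"|"deny", "child"|"parent").
    """
    access, context = find_rule(child_name, parent.identity)
    if access == "ask":
        access, context = ask() if ask else ("deny", "child")
    if access != "allow":
        return "deny", None
    identity = parent.identity if context == "parent" else child_name
    return "allow", Process(child_name, identity)


def walk(start, chain, ask=None):
    """Spawn each name in `chain` in turn and record, per step,
    (child, what the rule said before any dialog, final decision, identity the child got)."""
    trail = []
    parent = start
    for child in chain:
        by_rule = find_rule(child, parent.identity)[0]
        decision, proc = spawn(parent, child, ask)
        trail.append((child, by_rule, decision, proc.identity if proc else None))
        if proc is None:
            break
        parent = proc
    return trail


IE = Process("iexplore.exe", "iexplore.exe")
EXPLORER = Process("explorer.exe", "explorer.exe")
USER_ALLOWS_CHILD = lambda: ("allow", "child")   # the user answers the dialog with allow + child's context

if __name__ == "__main__":
    print(walk(IE, ["realplay.exe", "realsched.exe"], USER_ALLOWS_CHILD))
    print(walk(EXPLORER, ["realplay.exe", "realsched.exe"], USER_ALLOWS_CHILD))
```

Started from iexplore.exe, realplay.exe carries the identity iexplore.exe, so its start of realsched.exe falls through to the any/any rule and the dialog appears; started from explorer.exe it keeps its own identity and the second rule allows realsched.exe silently, which also makes realsched.exe run as realplay.exe from then on.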

2.3.11. Access to OLE and COM interfaces

What is OLE and COM?

OLE (Object Linking and Embedding) was originally developed to let applications cooperate with each other. It was later extended into a complete component system, COM.

The Component Object Model (COM) is a technology that combines the benefits of object-oriented programming with binary reuse, language independence, versioning, self-registration and ease of licensing. COM rules cover ActiveX, inter-process communication and Distributed COM (DCOM). If misconfigured, they can cause significant problems, such as applications being unable to start.

2.3.12. Create OLE/COM Rule

Adding a new rule

Highlight the appropriate High priority / User / Low priority area and insert the new rule

Find the desired COM object in the Registered COM objects frame, right-click it and select Copy to Selected rule(s)

Click on the Application row and select the application the rule applies to

Set the accesses and their auditing at the bottom of the view:

COM Init - use ActiveX and other COM objects (automation, etc.)

Create In-Proc Server - COM objects created inside the process boundary (e.g. ActiveX); the process's own security therefore applies to them

Create Local Server - separate COM executables may be started or accessed from the application

Create Remote Server - the same as local servers, but additionally on remote computers

Set the time and date when the rule will be valid

Assign the rule to User(s) account(s) so that the rule applies only to the application or group of applications running under that particular user account.

2.3.13. Services

What are services?

The difference between regular applications and services is that services are started by the system automatically rather than by a user. Do not confuse them with applications that start automatically every time you boot the computer: those start because of entries in the Run key in the registry and, even though they start automatically, they are not services.

Services can be started automatically when the computer boots, and they can be paused and restarted. Services do not show any user interface. They are monitored using the Windows system tools and their events are displayed in Control Panel -> Administrative Tools -> Event Viewer. All these properties make services ideal for use on a server, or whenever you need long-running functionality that does not interfere with other users working on the same computer. You can also run some services in the security context of a specific user account that is different from the logged-on user or the default computer account. The reasons for that vary, from the ability to control them to the opportunity to assign them particular security privileges.

Services settings protect the computer against hostile programs that could register themselves as a system service, or stop or delete other services.

2.3.14. Create Services Rule

Adding a rule

Click on the list of rules and insert the new rule

Find the service in the Services descriptive names frame, right-click it and select Copy to selected rule(s)

Set the access result of the rule in the permission table:

Query service status - right to query the service status

Start service - right to start the service

Stop service - right to stop the service

Remove service - right to remove the service

Open service - right to open a handle to the service

Install service - right to install a service. Some malware installs its own services, which then act as Trojan horses.

Control service - right to control the service, e.g. restart it

Set the time and date when the rule will be valid

Assign the rule to User(s) account(s) so that the rule applies only to the application or group of applications running under that particular user account.

2.3.15. Miscellaneous

In this part of the Advanced Security panel you can set the rules for VBA macros, process termination, system shutdown, system low-level API calls, clipboard access and dangerous device access.

VBA macros - Visual Basic for Applications (VBA) macros. MS Office documents (e.g. *.doc, *.xls) may contain VBA macros, which are often misused by viruses and Trojans. Without the VBA Macro guard such a macro could replace or delete important files merely because a *.doc attachment was opened. Note that VBA macros run inside the Office host process (e.g. Word or Excel), whereas stand-alone VBScript and JScript files are interpreted by wscript.exe or cscript.exe.

Do not run - running of the VBA macro will be prevented

Use Custom VBA Settings - the VBA macro is allowed to run with the security settings defined for the custom application 'VBA Macro'. The rules set for that application apply to every macro process.

Inherit from Parent - the VBA macro is allowed to run in the security context of the parent application (e.g. MS Word: whatever access MS Word has, the macro has too).

VBA Auto Macro - auto macros run in the background and are invisible to the user. For example, creating or opening a document can run a hidden macro. These macros are particularly dangerous and can therefore be treated separately.

Do not run - Running of VBA macro will be prevented

Use Custom VBA Settings- VBA macro would be allowed to run with the security settings set for the custom application 'VBA Macro'.

Inherit from Parent- VBA Macro would be allowed to run in the security context of the parent application

Forced process/thread termination - with this option enabled, all thread and process manipulation by the selected application or group is restricted according to the set policy.

System shutdown - when this option is set to prevent, no system shutdown requests are allowed from the selected application or group.

System low-level API - when this option is set to prevent, a number of unusual application requests are not allowed for the selected application.

Clipboard access - this option can prevent an application from copying data into or pasting data from the clipboard.

Dangerous devices access - when this option is set to prevent, low-level device access requests (e.g. reformatting a hard drive) are not allowed from the selected application.

The following device accesses are blocked: Dismount volume, Lock volume, Set compression, Unlock volume, Disk eject media, Disk format tracks, Disk load media, Disk media removal, Disk reassign blocks, Disk set drive layout, Disk set partition info, Disk verify, Serial lsrmst insert.

Users column allows assigning the entire rule (or rather policy, since several rules sit together on one line) to selected users.

2.4. Log Viewer

TPF5 stores the events reported by the firewall engine in the log. Each log file has a maximum size of 1 MB and logs are kept for 7 days. One day is represented by one or several log files, depending on the number of activities reported by the engine. After 7 days the particular log file(s) are deleted.

XML

The events are reported and stored in the XML format. The XML log provided by TPF5's engine is easily readable and allows for simple and advanced analysis using external data mining tools.

For simple queries TPF5 includes built-in log analyzer which provides the basic access to logs.

Finding an Event in Log Viewer:

Click on the Show Filter button; the filter pane appears

Fill in the time period in the Show logs From / To text boxes

Select the Module which generated the event

Select the application, or leave it blank

Select the Access result (e.g. action was prevented)

Press the Go button

Note: Filtered and unfiltered logs display on several pages, where each page corresponds to one XML file, as explained earlier.
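The page states that the XML log is meant to be analysed with external tools, so the following is an added example, not code from the Tiny Firewall manual or product: a Python script that applies the same filter the Log Viewer offers (time range, module, application, access result) to an XML event log and then counts 'Prevented' events per application, which is the first thing the Troubleshooting section tells you to look for. The element and attribute names (`event`, `time`, `module`, `app`, `result`, `desc`) and the sample log are constructed for illustration; the real TPF5 log schema is not documented on this page.

```python
"""Filter a TPF5-style XML event log like the Log Viewer's Show Filter does
(added example, not Tiny Firewall code; the log schema below is assumed)."""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Iterable, List, Optional

# Constructed sample log using the assumed schema; stands in for one 1 MB log file.
SAMPLE_LOG = """<?xml version="1.0"?>
<log>
  <event time="2005-03-01T09:15:02" module="Network" app="C:\\Program Files\\Internet Explorer\\iexplore.exe" result="Allowed" desc="TCP out to port 80"/>
  <event time="2005-03-01T09:16:40" module="FileSystem" app="C:\\Windows\\System32\\wscript.exe" result="Prevented" desc="write C:\\Windows\\System32\\drivers\\etc\\hosts"/>
  <event time="2005-03-01T09:17:11" module="Services" app="C:\\temp\\setup.exe" result="Prevented" desc="Install service"/>
  <event time="2005-03-02T11:02:55" module="FileSystem" app="C:\\Windows\\System32\\wscript.exe" result="Prevented" desc="delete C:\\Documents\\report.doc"/>
  <event time="2005-03-02T11:03:30" module="Network" app="C:\\Program Files\\FTP\\ftp.exe" result="Prevented" desc="TCP in from 203.0.113.5:20"/>
</log>
"""


def parse_events(xml_text: str) -> Iterable[dict]:
    """Yield one dict per <event> element (assumed schema)."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("event"):
        yield {
            "time": datetime.fromisoformat(ev.get("time")),
            "module": ev.get("module"),
            "app": ev.get("app"),
            "result": ev.get("result"),
            "desc": ev.get("desc", ""),
        }


def filter_events(events: Iterable[dict], *,
                  start: Optional[datetime] = None, end: Optional[datetime] = None,
                  module: Optional[str] = None, app: Optional[str] = None,
                  result: Optional[str] = None) -> List[dict]:
    """Keep events matching every criterion given; None means 'any' (a blank filter field)."""
    kept = []
    for ev in events:
        if start is not None and ev["time"] < start:
            continue
        if end is not None and ev["time"] > end:
            continue
        if module is not None and ev["module"] != module:
            continue
        # Windows paths are case-insensitive, so compare the application path that way.
        if app is not None and ev["app"].lower() != app.lower():
            continue
        if result is not None and ev["result"] != result:
            continue
        kept.append(ev)
    return kept


def prevented_by_app(xml_text: str, start: Optional[datetime] = None,
                     end: Optional[datetime] = None) -> dict:
    """Count 'Prevented' events per application within the optional time range."""
    counts: dict = {}
    for ev in filter_events(parse_events(xml_text), start=start, end=end, result="Prevented"):
        counts[ev["app"]] = counts.get(ev["app"], 0) + 1
    return counts


if __name__ == "__main__":
    day1 = filter_events(parse_events(SAMPLE_LOG),
                         start=datetime(2005, 3, 1), end=datetime(2005, 3, 1, 23, 59, 59),
                         module="FileSystem", result="Prevented")
    for ev in day1:
        print(ev["time"].isoformat(), ev["app"], ev["desc"])
    for app, n in sorted(prevented_by_app(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(n, app)
```

Pointing `parse_events` at each XML file of a day in turn reproduces the Log Viewer's one-page-per-file output; aggregating `prevented_by_app` across files shows at a glance which application a misbehaving rule is hitting.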

3.Troubleshooting

3.1. When TF doesn't seem to work properly

In our experience most of the problems reported with the use of TF relate to the rule settings. Wrong rules (especially rules related to file and registry access) can easily cause other applications to work incorrectly or not start at all.

The rule of thumb is to allow unrestricted access to all resources for the applications that you know (move them to the Trusted group). Applications that you do not know may be subject to more restrictive decisions, and you always have the option to allow the application a particular activity only 'once', i.e. until it ends.

When you run into problems, always look in the Activity Monitor for events with 'Prevented' status. If you see such events and they relate to your application, try to delete or adjust the rules accordingly. As a last (but not uncommon) resort you may disable TF modules to see whether the problems were caused by TF or not.

For example, you may fail to connect to an FTP server because you set all inbound TCP connections to be prevented (remember, unlike HTTP, FTP is more complicated: in active mode the server opens the data connection back to the client, from the server's port 20, so the client sees an incoming TCP connection).

When reporting problems always use the utility sysreport.exe, which dumps important information about your configuration (TPF rule settings, system settings, installed software, etc.). It is located in the TF folder (usually C:\Program Files\Tiny Firewall) and its result, sysinfo.cab, can be found in the SysReport subdirectory.

If you are using multiple security products you may experience (on a very rare occasion) a BSOD (Blue Screen Of Death, or "bugcheck" in Microsoft terms; see http://bsod.org/). If a BSOD occurs, reboot, go to %systemroot%\Minidump (%systemroot% is the Windows installation folder, usually C:\Windows), find the newest *.dmp file and send it to Tiny Software. The file may be located elsewhere: on Windows 2000 %systemroot% is usually C:\WINNT, and the dump location can be changed in System Properties (press Win key + Pause) -> Advanced -> Startup and Recovery -> Settings...

3.2. Starting TF with the security modules disabled

Enabling the Windows Security guards and applying incorrect rules to system processes may lead to system instability, and the computer may not boot properly after a restart because you may have denied a system process access to its vital resources. If you experience difficulties during boot and cannot log on, follow the steps below.

Reboot into Safe Mode

Run Start -> Run and type regedit

Go to HKLM\SYSTEM\CurrentControlSet\Services\KmxAgent\Parameters and set the SecurityEnabled value to 0

Reboot (you will notice that the TF icon is gray: security was disabled)

Run the Admin Tool and delete the conflicting rule. If you are unsure, restore the default configuration.

3.3. Emergency Uninstallation

On rare occasions Windows may not start correctly or at all. This may occur when several firewalls are combined, or when an application or device ships drivers from a less experienced software developer.

In case you cannot start Windows, follow this uninstallation procedure:

  • reboot into Safe Mode
  • delete system32\drivers\kmxcfg.u2k
  • run the Services control applet (Control Panel -> Administrative Tools) and set Startup type (in Properties) to 'Disabled' for the following services:
  • FW Configuration Interpreter
  • FW Event Manager
  • FW Policy Manager
  • reboot normally and remove TF using Add/Remove Programs in Control Panel


 
