ATTN: Fred W - re NOD32 and Online Armor

Thanks so much for recommending the Armor Online Free
firewall.  It really works - is low on resources and speaks
to you in comprehensible language when it poses a question.
And it's free!

I've put it on my desktop and my portable without a single


Re: ATTN: Fred W - re NOD32 and Online Armor

louise expressed precisely:

I agree fully.
Glad I could help.

Fred  W. te A. (NL)

Re: Fred W - re NOD32 and Online Armor


There is no parent-child control in Online Armor's firewall.  Say you
allow your browser to connect.  Well, then you have also allowed any
caller (parent) program to execute that browser to get a connection to
some unknown web page.  By regulating who can call (parent) another
program (child) then you know who is really asking for the connection.
For many users, this is not a critical feature since few firewalls
provide parent-child control.  Comodo has it in their older v2.4 but
dropped it in their new v3 firewall that now includes HIPS.  The
firewall just got added in version 2 of Online Armor (OA) so it will
need some fixing or features to get up to speed with other firewalls.

So the assumption is that you have permitted the parent program to run
but relinquish any control over whether or not it can make connections
using child programs; i.e., in Comodo Firewall Pro v3, you get to
regulate the load of a program using HIPS (the parent and child
programs), like in Online Armor, and you can regulate which programs
can make connections (the child programs), but you cannot control if
the parent can call the child to make the connection.  As a result,
both Online Armor and Comodo will fail all leaktests UNLESS you, as
the user, see the prompt and deny the execution of the parent
program - but that is not the point of leaktests.  Rather than
regulating who can call what for a connection, your only choice is
whether the parent loads or not.  Online Armor is promising to add
parent-control into their firewall, a brand new feature added in their
latest version 2.  But they have lots of fixes to make and other more
security-related updates to make to their product so they aren't
promising when to deliver on parent-child control.

While other HIPS products are better at controlling ALL auto-start
programs in the various locations available under Windows, Online
Armor's AutoRuns protection is limited to just a few areas.  They
don't cover the WinLogin/Notify, Session Manager bootexecute, and
other areas that users normally never touch.  They are promising an
update sometime later to address the lack of coverage for auto-start

There have been some instances where programs would generate a prompt when
they loaded, the user answered to allow the load and remember that
action (and it does get remembered), but the program never shows up in
the list under their Program Guard.  Once remembered and because it
isn't in the list, you cannot later revoke that run permission.  It
looks to be a UI error in the grid control that they use not showing
all the recorded rules.

Currently Online Armor does not encrypt the registry keys used by that
program.  This can provide info to malware or malcontents on how the
product is configured and possibly could alter that behavior to reduce
protection (their documentation is poor, basically just an overview,
and they don't define the purpose of these registry keys).  They also
do not protect these registry keys against alteration.  Online Armor
does not load under Safe Mode so even if they protect those registry
keys then they won't be protected if you reboot into Safe Mode.  They
need to encrypt those keys.  When OA attempts to read them, and if
altered and hence corrupted, OA will be unable to read those altered
values and know they were changed outside of OA.  They promise to
later address this security hole to protect against alteration (but
only when OA is running) and use encryption (to detect alteration
under Safe Mode and to then revert to whatever would be the most
restrictive values for those corrupted settings and also alert the
user to that act).

The free version doesn't let you back up your settings.  The paid
version does.  However, you can save the .dat files in the OA install
path to back up your settings.  Since OA protects against any access to
these .dat files when it is running, even to copy them, you have to
reboot into Safe Mode, copy the .dat files, and then reboot into
normal mode.

Online Armor does not run under Safe Mode.  It has been deliberately
designed that way.  One reason for this behavior is that
uninstallation may fail under normal mode; e.g., you won't be able to
read their unins000.log file to do the uninstall.  In most cases, but
not guaranteed to be the only case, the user has disabled Program Guard
(HIPS) and loses access to the UI (i.e., the user can no longer get at
the configuration or status windows for the product).  Rebooting won't
fix the problem.  Loading the UI (oaui.exe) won't fix the problem.
The product has to be uninstalled and that can only be done under Safe
Mode.  However, the fact that OA does not run under Safe Mode also means
that you have no HIPS or firewall protection while under Safe Mode.
If malware still loads, like using the WinLogon/Notify event (instead
of the normal auto-start locations), then it now has free rein to
load.  The malware is also unfettered under Safe Mode (with networking
enabled) to connect.  Not all malware gets neutered in Safe Mode.

Currently there is no option in OA to block all network access until
the firewall has fully loaded.  This means there is a window of
opportunity in which malware could load and also connect.  About the
only advantage the Windows Firewall provides is that the network stack
is disabled during Windows startup until the Windows Firewall (if
enabled) has fully loaded.  Comodo v2.4 has the option to block
network access until it is fully loaded.  OA doesn't have this option
but is promising to add it later.  Of course, if the firewall is flaky
then you might not get any network access even after the firewall
loads.  Comodo v2.4 hasn't had this problem.  I don't know about v3
since it lost some functionality, uses a non-intuitive HIPS (try
figuring out how to block a program from loading without visiting
their forum), lost the parent-child firewall control, and is way too
flaky so I abandoned it long before having enough history to know if
enabling the option to block network access until Comodo is loaded is
reliable.  Again most users don't even think about this window of
opportunity for any firewall that doesn't have this option (but those
same users don't think about the vulnerability of OA not running under
Safe Mode, either).

Unlike Defense Wall which reduces permissions for unknown or untrusted
processes which attempt to run silently but is really for newbie or
lazy users, OA with its HIPS will be asking lots of questions.  (Note:
Defense Wall is not a HIPS product as they claim since it never
interferes with the load of a program, only with the privileges it
gets after it loads. It doesn't need to continually prompt the user
because it doesn't regulate what can load.  Softsphere also doesn't
provide a free version of Defense Wall.)  OA also tries to alleviate
the deluge of prompts by downloading a list of certified good
applications; however, if you update the program and it isn't in their
list or you haven't updated the list yet, you'll get prompted because
of the new version (of an old program that you allowed to run before).
Many users want to use their host rather than repeatedly answer
prompts about what is allowed to run.  Of course, a list of certified
apps is someone else's decision that the program is okay so some OA
users won't use that list and instead want to get prompted on every
program so they know what is allowed to run or not.  That is why many
HIPS products have a learning mode including, I believe, OA (but I
don't remember if learning mode works in the free version).  Be warned
that the free version will NEVER retrieve updates to this certified
apps list.  Updating in the free version of OA is manual - but you
can't even do a manual update to retrieve the new list.  Manual
updating means you get an e-mail telling you that there is an updated
list, you have to download it using the link in the email, and then
you point at that file to insert the new definitions.  So manual
updates are very manual.  And you won't get notification of those
updates unless you insert your email address during the installation.
You cannot register after the installation to get those email
notifications of updates.  You cannot subscribe to a mailing list to
get those email update notices.  If you chose to not disclose your
email address during the installation, you will have to uninstall and
reinstall and give your email address under that new install.  And
then what you get are emails telling you to download a new file and
then have to point at it to insert its contents.  The paid version has
automatic updating.  Forcing manual updates in a free version is
nasty, especially regarding a security program, but this extremely
manual update process that relies on email notification just sucks.
It means a significantly reduced number of users of the free version
will get the email notifications and only a subset of those will
perform the manual file update.

Online Armor is pretty good but it needs several security issues
addressed, some which were so obvious that it seems they pushed it out
the door way too soon simply because they wanted to show off their new
firewall that got included in version 2.  Visit their forums to see
what is missing, promised for later updates to the product, and
problems with it.  I almost got this product and there is enough in
the paid version to make me buy it but it needs a bit more work.
Between Comodo's version 3 and Online Armor, both having HIPS and
firewalling, I'd go for Online Armor - but after a few more updates
(so I'm sticking with Comodo v2.4 for now and might get ProSecurity
[paid] for HIPS if Tall Emu takes too long with the updates for OA).
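The parent-child point above (a rule that allows the browser to connect also allows any caller that launches the browser) can be shown with a small simulation. This is an added illustration, not Online Armor or Comodo code: the process table, program names and rule sets are constructed, and the two evaluators model a child-only rule versus a (parent, child) rule.

```python
"""Outbound-connection rules with and without parent-child control.

Added illustration (not any product's code): a toy process table and two
rule evaluators, one keyed on the connecting program alone and one keyed
on the (parent, child) pair.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    ppid: int


def parent_of(table: dict[int, Proc], pid: int) -> Proc | None:
    """Return the parent process record, or None for a root process."""
    return table.get(table[pid].ppid)


def decide_child_only(table, pid, allowed_programs) -> str:
    """Child-only rule: any caller may use an allowed program to connect."""
    return "allow" if table[pid].name in allowed_programs else "ask"


def decide_parent_child(table, pid, allowed_pairs) -> str:
    """Parent-child rule: the caller must also be permitted to use this child."""
    parent = parent_of(table, pid)
    parent_name = parent.name if parent is not None else "<root>"
    return "allow" if (parent_name, table[pid].name) in allowed_pairs else "ask"


# Constructed sample process table: explorer starts Outlook, Outlook opens a
# link in Firefox; separately, an unknown program launches Firefox itself.
SAMPLE_TABLE = {
    4:   Proc(4,   "explorer.exe", 0),
    120: Proc(120, "outlook.exe",  4),
    200: Proc(200, "firefox.exe",  120),
    300: Proc(300, "unknown.exe",  4),
    310: Proc(310, "firefox.exe",  300),
}
ALLOWED_PROGRAMS = {"firefox.exe"}                 # the browser may connect...
ALLOWED_PAIRS = {("explorer.exe", "firefox.exe"),  # ...only when started by these
                 ("outlook.exe", "firefox.exe")}


def evaluate_all(table: dict[int, Proc] = SAMPLE_TABLE) -> dict[int, dict[str, str]]:
    """Decide every firefox.exe connection attempt under both rule styles."""
    results = {}
    for pid, proc in table.items():
        if proc.name != "firefox.exe":
            continue
        parent = parent_of(table, pid)
        results[pid] = {
            "parent": parent.name if parent is not None else "<root>",
            "child_only": decide_child_only(table, pid, ALLOWED_PROGRAMS),
            "parent_child": decide_parent_child(table, pid, ALLOWED_PAIRS),
        }
    return results


if __name__ == "__main__":
    for pid, r in evaluate_all().items():
        print(f"pid {pid}: {r['parent']} -> firefox.exe  "
              f"child-only={r['child_only']}  parent-child={r['parent_child']}")
```

With the child-only rule the firefox.exe started by unknown.exe is allowed out just like the one Outlook opened; with the parent-child rule that second attempt falls back to a prompt.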

Re: Fred W - re NOD32 and Online Armor

VanguardLH wrote:
Thanks for your detailed analysis.

I don't understand however, why I would care if I got their
automatic updates for newly approved programs.  I don't
install new programs every day by any means, and when I do,
I don't mind answering the questions about what I want to
allow - especially since there is a "remember" checkbox.  Is
there another reason to get the paid version?

I installed the 2.x version of Comodo and it nearly brought
down my machine.  I don't know why, but I do know it
couldn't remember what it was supposed to allow and
every time it got confused, things froze and its questions
were endless and seemed kind of lame - I uninstalled it,
retrieved my system, and would be hesitant to try Comodo
again - new version or not.

I'll take a look at ProSecurity - never heard of it.

BTW, since you seem quite knowledgeable, I'll take the
liberty of asking you another question:  I'm running NOD32
(new AV version), use Firefox mostly, and I do use Outlook
with a good spam filter.  I'm running XP, SP2.  Do you think
it is necessary to run an antispyware program?

Thanks again.


Re: Fred W - re NOD32 and Online Armor


The point of their certified list is to eliminate the prompts.  Once
you've installed OA, and after running every application on your host
to ensure they get detected (so you answer THOSE prompts for apps that
are not on their list), you can run OA without any further updates if
you don't care about getting prompts when: (1) You install new
applications; and, (2) After any update to those applications (like
you run Windows Updates, Adobe Reader updates, program updates for
anti-virus software, etc).  Without the certified list, and only if it
includes the programs that YOU have installed, you will get the
prompts for every new program that you install and perhaps also when
you update it.


My guess is that you don't understand the parent-child relationship
between the caller process that calls the child which does the actual
connection.  This is one reason why OA has not included parent-child
control and is only considering adding it later.  In Comodo v2, leave
the Component monitor set to "Learn" if you don't want to get the
prompts about the parent wanting to use the child or when different
components happened to be used by the child for a particular
connection.  A program may end up touching hundreds of different
components but not always all of them for every connection.


Along with OA, it fared favorably against malware that attempts to
unhook the services into which the HIPS products hook.  By
unhooking the HIPS program, it is rendered useless.  It also has most
of the features that are found in the top-end HIPS products.
ProcessGuard is long dead (DiamondCS abandoned that product).
AppDefend hasn't been updated in over a year although Jason, its
author, had promised needed and critical fixes would be available in a
month (and that was over a year ago).  System Safety Monitor (SSM) has
the configurability needed for a good HIPS but is too easily unhooked.
Antihook fared better than SSM but not as good as OA and ProSecurity.
Also, Antihook incurs the most impact on the system and makes it less

Just be aware that the free version of ProSecurity is worthless.  It
is far too crippled (as are the free versions of SSM and AppDefend).
In fact, some very basic HIPS functions are killed in the free version
of ProSecurity so that it misleads the user regarding its protection.
Trial the paid version to see if you want it.  You can trial software
in a virtual machine in VMWare Server (which is free) or under Virtual
PC 2007 (also free) so you don't end up polluting your working host.


Yes, always unless you are a knowledgeable user.  The security
software is to cover your butt in case you make a mistake but often
you can severely reduce how much security software you have running if
you know what you are doing (i.e., if you operated the host securely
then you have less dependency on software to do that for you).  Even
with loads of security software, the final authority (and often the
weakest link) still resides with the user.  Tons of security won't
protect a host from a user that obviates that security.  Security
software that you don't understand, don't configure properly, and
don't maintain is usually a weak use of memory and disk space.

I have several anti-malware programs installed to provide for layered
detection of pests but I do NOT run any of them in the background.
That is, I install them but do not load them automatically (for
on-access scanning).  Instead I install them and disable them from
loading automatically because I only use them as on-demand scanners.
These include:  Lavasoft Ad-Aware, Spybot Search & Destroy,
SuperAntispyware, and AVG AntiSpyware (was ewido).

I do let Windows Defender (WD) load automatically but its detection
rate is poor.  I don't use WD to detect pests.  I use it to detect
changes that affect the system behavior, like auto-run programs,
browser setting changes, etc.  Unlike Prevx (no longer free) which
intercepts these changes to pend them until you authorize them, WD
polls the system to detect the changes.  That is why it can never tell
you what process made the change because it always detects the change
too late, but it does detect the changes it was coded to detect and
lets you revert if you decide you didn't want them (whether it was
malware or goodware that made the change).  This is very similar to
how WinPatrol operates by *polling* for changes (but WD has more
change detections than WinPatrol).  I also use SysInternals Rootkit
Revealer and Resplendence RootKit Hook Analyzer to detect rootkit
behavior (which isn't necessarily bad as some good products, like
Daemon Tools, use it).  I also use AVG's AntiRootkit to detect files
that are hidden (not the hidden file attribute but are hidden in the
Win32 API system calls to show files from the file system) which
SysInternals will also show.  These tend to duplicate each other in
some coverage but have other detections that I like.  SysInternals and
AVG have shown me the .sys driver file that is hidden within the file
system that is used by Daemon Tools, for example.  When they tell you
something is suspect, YOU have to figure out if it really is bad or
okay.  They don't fix anything but simply notify of suspect targets.

There are some anti-malware programs that some users like that I won't
touch.  I won't touch Spyware Doctor due to its past history of using
false positives to prod users to buy the product when they were
trialing it.  It had a black history which maybe they've whitened by
now.  However, from only what I've read, its coverage of pests isn't
that broad.
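The polling-versus-interception distinction drawn above (a poller finds the change but cannot say which process made it; an interceptor sees the write and the writer before it lands) can be modelled in a few dozen lines. This is an added illustration, not Windows Defender, WinPatrol or Prevx code: the Run-key store, the process names and the entry written are all constructed.

```python
"""Polling versus interception for auto-run change detection (toy model, not any product's code)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Change:
    kind: str                 # "added", "modified" or "removed"
    name: str
    old: str | None
    new: str | None
    by_process: str | None    # None: the detector could not attribute the change


class Interceptor:
    """Sees each write before it lands; pends writes from untrusted processes."""
    def __init__(self, trusted: set[str]):
        self.trusted = trusted
        self.pended: list[Change] = []

    def __call__(self, name, old, new, by_process) -> bool:
        if by_process in self.trusted:
            return True
        self.pended.append(Change("modified" if old else "added", name, old, new, by_process))
        return False          # held until the user authorizes it


class AutorunStore:
    """Constructed stand-in for a Run key; writes pass through the interceptor, if any."""
    def __init__(self, interceptor: Interceptor | None = None):
        self.values: dict[str, str] = {}
        self.interceptor = interceptor

    def write(self, name: str, data: str, by_process: str) -> bool:
        old = self.values.get(name)
        if self.interceptor and not self.interceptor(name, old, data, by_process):
            return False
        self.values[name] = data
        return True

    def snapshot(self) -> dict[str, str]:
        return dict(self.values)


class Poller:
    """Diffs the current snapshot against the previous one; runs after the fact."""
    def __init__(self, store: AutorunStore):
        self.store = store
        self.last = store.snapshot()

    def poll(self) -> list[Change]:
        current = self.store.snapshot()
        changes = []
        for name in sorted(set(self.last) | set(current)):
            old, new = self.last.get(name), current.get(name)
            if old == new:
                continue
            kind = "added" if old is None else "removed" if new is None else "modified"
            changes.append(Change(kind, name, old, new, None))   # no writer to report
        self.last = current
        return changes

    def revert(self, change: Change) -> None:
        if change.old is None:
            self.store.values.pop(change.name, None)
        else:
            self.store.values[change.name] = change.old
        self.last = self.store.snapshot()


def demo():
    polled_store = AutorunStore()
    poller = Poller(polled_store)
    polled_store.write("Updater", r"C:\Temp\upd.exe", by_process="dropper.exe")
    polled = poller.poll()                         # found, but by_process is None
    hooked = Interceptor(trusted={"setup.exe"})
    hooked_store = AutorunStore(hooked)
    landed = hooked_store.write("Updater", r"C:\Temp\upd.exe", by_process="dropper.exe")
    return polled, hooked.pended, landed
```

The poller reports the new entry with no originating process and can only offer a revert; the interceptor holds the write and names dropper.exe as the writer.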

Re: Fred W - re NOD32 and Online Armor

VanguardLH wrote:

Thanks an awful lot for clarifying so many things and making
suggestions I can actually use.

I have been running the various anti-spyware programs you
suggest (non-realtime), but wanted an educated opinion about
running any of them realtime.  I wont!  I do run AVG
AntiSpyware realtime on my portable which goes outside to
various mobile sites etc. - but not on my desktop.  I'm also
running OA on the portable along with NOD32 AV.

I also have Process Explorer and check it every so often to
see that I recognize everything running.  When I don't, I
google the process to find out what it belongs to.

I will start checking for rootkits periodically as well.

It sounds like I'll stay with the free version of OA for now
and remember paid ProSecurity if I have problems.  BTW, OA
does prompt me when a new version is installed such as an
update from Firefox (which I run with NoScript), but it
doesn't give me a reminder every time NOD updates virus
definitions.  So in fact, the reminders are becoming pretty
infrequent and I don't mind them - in fact, I like to know
that OA has noticed :-)

Another BTW -  I run   to access my desktop
from any computer when needed.  The last time I ran AVG
AntiSpyware, it found a worm, I deleted it, and since then,
gotomypc isn't working quite right.  Citrix has suggested
the "worm" was a false positive.  I'm not sure.  As soon as
I get a chance, I'll reinstall gotomypc and I'll be more
careful about deleting worms in the future.

Take care and thanks so much for all your help.


Re: Fred W - re NOD32 and Online Armor

On Wed, 5 Dec 2007 02:30:29 -0600, "VanguardLH"


Are you sure about that? /

Pekka de G.

Re: Fred W - re NOD32 and Online Armor

"Pekka de Groot" wrote in message

It's been about a year since the Wilders Security group
( decided to drop the support forum for that
company.  When Wilders dropped the dead forum for the stagnant
product, DiamondCS then had to remove the link to the support forums
from their web site (and they never provided their own support
forums).  You'll also notice that the revision history is no longer
listed on their redesigned web site (because they don't want you to
know how long it has been since their "new" 3.2 version got released).
You can still find the old DiamondCS forums at Wilders but they have
been archived.  Go read on why Paul
closed the DiamondCS forums.

If you separately download the manual
( ) and look
inside the .zip archive file, that .chm file is dated back to July
2006.  If you download and install the product from their web site
(into a VM under VMWare Server to eliminate having to uninstall it in
your production/working environment), the latest datestamp for the
installed files is January 20, 2005 (ignore today's datestamp on the
uninst* files since you created those during the install).  Do you
really want to use a security product that has seen no updates in
almost 3 years?

Just because there is a site for the product and they're still
accepting money doesn't mean the product has evolved.  People were
paying but not getting their serial numbers.  It is a dead product
because it went stagnant so it has not kept up with newer malware that
tries to unhook HIPS products or uses different vectors used to infect
a host.  After their web site redesign, they were listing 3.2 as the
latest version although users were already using 3.4.  Wayne
disappeared over a year ago with the company claiming illness and then
they claimed he came back sometime around this September.  But then
why did they drop the support forum just because Wayne got sick, and
why isn't the forum back after he returned, and why wasn't
ProcessGuard getting updated long before his illness and even during
his year-long absence?

ProcessGuard has been a long-time dead HIPS product.  Find something

Re: Fred W - re NOD32 and Online Armor

VanguardLH formulated the question :

I saved your complete message, to reread several times more.
I snipped most, but left some points of interest.


For many years I used ZoneAlarm and was a happy user.
But ZA got more and more "features" I did not want or like.

I even used Kerio 2.1.5 for some months and learned how to use it.

Then came Comodo 2.4 and again I had a firewall I liked.
From time to time Comodo asked for a "confirmation" of
decisions I had taken.
Some people regarded this as Comodo "forgetting things",
but I did not mind.
Also I appreciated that Comodo asked for "parent-child"
relations, what was never done by ZA.

Then I read about another newcomer, Online Armor Free.
I uninstalled Comodo and installed OnlineArmor Free.

OA now asked for every program on my PC, my permission
to run or not, not only for going to the outside world
(Internet), but also for running on my PC only.

As Louise already explained both Comodo and OA ask again for
permission when a new version of a program is installed.

OA asks also permission for some(?) parent-child relations.
I had to allow my email-program to start the browser.
I had to allow my newsreader to start the browser.
I had to allow my email checker to start my email program.

Both Comodo and OA allow me to delete entries or selections I made,
so questions can be asked again if I think that is required.

Reading about Comodo 3.0 and Defense+, I do not want to use that
for now, although I understand that some major changes in
Comodo 3 are to be expected.
So I feel my choice is at the moment between Comodo 2.4 and OA 2.1.

For the time being I keep OA 2.1.031.
I do not want a list of "certified" applications.
I can decide for myself what applications I will allow or not.
I connect to the Internet *after* my firewall and av-program
are both up and running.

Today I restored an image of my hard disc and had to setup
the rules for OA again, but ZA required the same after a restore.
It is nice (and useful) to see all the programs present on your PC.
As I understand a new version of OA can be expected any day now.
(will be continued)

Fred  W. te A. (NL)

Re: Fred W - re NOD32 and Online Armor

FredW wrote:
I'm not sure if this is parent/child but:

I use a batch file which loads 2 separate parts of one
program and then loads one of the features on my soundcard
(it's a speech recognition program that needs soundcard
adjustment).  OA definitely asks me about each section of
the program and again asks me about the soundcard loading.
This seems reasonable and I've now told it to remember.

However, I am on cable and it is "always connected" - so I
suppose there is a brief window of oppty but I believe my AV
runs first and that's enough.

BTW, I'm running the same version of OA and there are
certified programs.  When I get a prompt, it usually informs
me that the particular program in question is not on the
certified list, or is.  Go to configuration/programs and
there will be a long list of programs - if you uncheck the
hide/trusted, you'll see them all.  You can edit them.

