User Guide Reference Outpost Firewall 4.
Abstract This is the complete and detailed reference to the Outpost Firewall Pro software. For an entry-level guide, please see the Quick Start Guide. Please note that if you are using Outpost Firewall FREE or a version other than 4.0, then some dialogs and settings will differ. Copyright © 1999-2006 by Agnitum, Ltd. All rights reserved.
Table of Contents
Part 1: For All Users
1 GETTING STARTED
1.1 STARTING OUTPOST FIREWALL
1.2 STOPPING OUTPOST FIREWALL
6.3 HOW TO DISPLAY LOGS
6.4 WORKING WITH LOGS AND FILTERS
6.5 WORKING WITH FAVORITES
APPENDIX A: CUSTOMIZING OUTPOST MAIN WINDOW
Welcome
Congratulations on finding and using Outpost Firewall, the most powerful yet user-friendly personal firewall software today! Big claims for sure, but easily verified. This User Guide is arranged in two parts. The first part is for all users, but the second part is intended only for those users who are technically advanced.
Part 1: For All Users
1 Getting Started
1.1 Starting Outpost Firewall
Once installed, Outpost Firewall starts automatically when Windows is loaded. Thus, Outpost Firewall starts protecting your computer immediately, before other programs can compromise your system. When Outpost Firewall starts, its icon is placed in the system tray, on the right-hand end of the Windows task bar. If, for some reason, Outpost Firewall does not start when Windows loads, you can start it by following these steps: 1.
1.3 Outpost Firewall Alerts
Outpost Firewall displays alerts to notify the user of specific events and keep the user aware of the activities performed by Outpost Firewall. Alerts are displayed in pop-up boxes that automatically close in ten seconds. To keep a lengthy alert from closing so you can read it fully, simply click anywhere in the pop-up box. The following alerts can be displayed:
Alert | Description
Outpost Firewall has detected and blocked an attack against your system.
Outpost Log Cleaner is performing the database cleanup. This is displayed only when the Display alerts option is selected in the Log Cleaner settings. Outpost Firewall automatically downloads the latest news and plug-in announcements from the Agnitum web site and displays them when you click My Internet or Plug-Ins in the left panel tree in the main window. Tip: To disable this feature, right-click My Internet or Plug-Ins and clear Download Agnitum News and/or Download Plug-Ins Information.
2 An Orientation
2.1 The System Tray Icon
The system tray is the rightmost part of the Windows task bar that generally looks like this: The blue circle with the question mark is Outpost Firewall’s icon. This icon is one of the primary ways you can access Outpost Firewall’s many controls, settings and logs. This icon changes with each of Outpost Firewall’s major modes so you can see which mode is being used to protect your system at any time. These modes are covered in 3.
2.2 Outpost Firewall’s Main Window
The Outpost Firewall main window is used to monitor the network operations of the computer and to modify the firewall settings. To display Outpost Firewall’s main window: 1. Right-click the Outpost Firewall system tray icon. 2. Select Show on the shortcut menu.
2.3 The Panels
The left panel and information panel are similar to the left and right panels of Windows Explorer. The left panel is a listing of the components secured by Outpost Firewall on your computer and the information panel gives specific data about any component highlighted in the left panel.
the detailed statistics to make certain that Outpost Firewall is correctly configured and functioning properly. The Outpost Firewall setup package that you downloaded from the Agnitum web site contains some additional plug-ins. Plug-ins are independent of the primary Outpost Firewall engine and you may install or uninstall any or all of them. You can even get third-party plug-ins from other developers and web sites.
Here is an example of the information panel showing some of the many types of data it displays: The line which has a minus sign by its side is expanded to show its individual data. To hide this extra data, click the category’s minus sign. A line without a preceding plus or minus sign has no extra data to be shown. For advanced information about customizing the information panel, see the Columns section of Appendix A.
The choices in the menus shown above are self-explanatory to those users who would need to use them. Outpost Firewall makes extensive use of shortcut menus for all of its different items, categories, panels, and icons. A little experimenting will help you discover all of them and is far more instructive than reading detailed descriptions of each item. 2.
Outpost Firewall’s Toolbar Buttons
Function | Corresponding Menu Path
Changes Outpost Firewall’s policy | Options > Policy
Starts spyware system scan | Tools > Run Spyware System Scan
Accesses the Options dialog window | Options
Changes the listed item grouping | View > Group By
Narrows a log listing to events within a specified time | View > Filter By Time
Enables/disables Self-protection mode.
3 Setting up Outpost Firewall
3.1 Basic Information
A firewall for your computer is like the lock on a door of your home. In most cities, we usually lock the front door of our homes when we leave. This is not because the majority of people are criminals or because we cannot trust our neighbors to mind their own business. We generally lock our doors to prevent criminal types from snooping, stealing or doing damage. The Internet is similar.
It also restricts the flow of information coming into your computer as you see fit. You might set a rule about file sharing, for example, so that your computer shares your files only with other computers you trust on your local network. A common use for a firewall is to restrict the amount of information your computer gives out while it is connected to the Internet.
3.2 Initial Settings
Outpost Firewall is ready for operation as soon as it is installed.
up and displays its icon in the system tray. Select Background if you want Outpost Firewall to run in invisible mode, without its system tray icon or any of its dialog windows. This option is provided for two reasons: to save system resources and for a parent or systems administrator to block unwanted traffic or content in a way that's completely hidden from a user. If you do not want Outpost Firewall to run automatically at startup, select Disabled.
When Outpost Firewall is installed, the default mode is Rules Wizard mode. This mode helps you decide whether an application should be allowed a network connection. Rules Wizard makes it easier to specify the applicable network parameters for each type of application.
The choices you can make for an application in Rules Wizard mode are as follows:
Choice | Purpose | Result
Allow all activities for this application | For applications you trust completely. | All network requests by this application are allowed and the application is given the status Trusted application.
Stop all activities for this application | For applications that should not be allowed network access | All network activities for this application are disabled.
Note: Outpost Firewall Pro can perform an on-the-fly spyware scan of processes that require network access and have no rules, and display the result in the Rules Wizard window header. For details, see the Anti-Spyware section. Rules Wizard is not supported when Outpost Firewall is run in background mode as that mode is designed to run without user interaction.
You can either choose to block all network traffic upon activation of your Windows screensaver, or you can specify the inactivity interval, after which network access is blocked.
3.5 Application Level Filtering
One of Outpost’s most important features is application level filtering. This lets you decide which applications should have access and which should not.
You can also directly add an application by dragging its icon from Windows Explorer or your desktop into the Options > Application dialog or by clicking on the Add button, then browsing to the location of the application’s .exe file and clicking on the Open button. If the same application is already listed in another category, it will be deleted from that other category. The Edit button lets you change any of the detailed settings for whatever application is highlighted.
connection, depending on whether you are running Outpost in Rules Wizard or Block Most mode. Clicking the Preset button in the above dialog gives you choices that look like this: The choices on the Preset list will very likely be extended or otherwise modified as time goes on. Such changes will be included in updates of the Outpost Firewall software, as was covered earlier. For advanced information about rule creation, see 5.4 Creating Rules for Applications. 3.
Clicking this button displays the following dialog window: Select the desired component control level from the following options:
• Maximum—Outpost Firewall will monitor all components that are being registered to be part of a legitimate application. It is recommended that you use this option only when you suspect that unknown malware exists in your system because this option may seriously impact your system performance.
one application. By default, all components located in the Windows installation folder and its subfolders are added to this list after you install Outpost Firewall. Click Edit list to add or remove components. After you install a service pack, or other massive software update that affects a large number of common components, it is recommended that you rebuild the common components database so that Outpost Firewall is aware of the changes made to your system configuration.
Tip: In a Rules Wizard prompt for the changed component, shared components are marked red and components of a specific application are marked green.
3.7 Anti-Leak Control
There are several advanced penetration schemes that allow malicious software to bypass the security perimeter of a PC.
Select an action in the list and the right part of the window will show you the element’s description and settings. The default setting for each action depends on the security level you chose during installation. To allow or block a particular action globally for the system, select one of these available options:
• Prompt. Outpost Firewall Pro will prompt you each time an application tries to perform the selected activity.
• Allow.
To individually set rules for suspicious actions from a particular application (for example, to allow a specific application to modify the memory of other processes), click the Exclusions tab. Click Add and browse to the application’s executable file. After clicking Open, you will see the application in the list and will be able to specify its individual anti-leak settings.
4 Plug-Ins
4.1 Introduction
One of Outpost Firewall’s most useful and effective design strategies is the employment of plug-ins. These modules can be created by third-party developers and easily added to increase Outpost Firewall’s capabilities. If you are interested in developing Outpost Firewall plug-ins, please visit http://www.agnitum.com/products/outpost/developers.html for samples, tutorials and the developer’s forum.
• Stop—used to stop a highlighted plug-in from operating, but not to delete the plug-in from Outpost Firewall.
• Settings—used to modify any of the settings for a highlighted plug-in. The types of settings vary with the different plug-ins.
Note: Only those plug-ins having the status of “Started” can have their settings modified.
4.2 Ad Blocking
More and more web sites are becoming filled with ads. With a fast connection these are generally not a problem but often it’s nice just to surf without the distraction of blinking, moving ads. To change the settings of Outpost Firewall’s ad blocking, right-click the system tray icon to get the shortcut menu, then select Options and go to the Plug-Ins tab.
Outpost Firewall can also block all banner ads having standard sizes. To do this, select the Image Size tab on the Options dialog. You will get the following display: Outpost Firewall lets you block all graphic images of specific sizes that have a link. Be sure to select Block images of specific size.
Note: Some banners cannot be replaced with transparent images and will be replaced with text messages regardless of the option specified. Modern Internet advertisements not only include graphic banners, they also use various ActiveX objects to display advertisements. The simplest example is Macromedia Flash movies, which are broadly used on web sites.
To manage the plug-in configuration files, click the Export/Import tab in its properties dialog. Click Export (to save) or Import (to load) and then specify the configuration file name. You can also download ad blocking keywords from the Outpost Forum (AGNIS list) using the provided link.
4.3 Active Content Blocking
The Active Content Filtering plug-in controls the operation of the following active elements:
• ActiveX
• Java applets
• Programs based on JavaScript and VBScript
• Cookies
• Pop-up windows
• Referrers
• Hidden frames
• Flash animations
• Animated GIF images
• Scripting ActiveX elements
• Page navigation scripts
This plug-in lets you independently allow or block any of these elements that might be contained in the web pages you are browsing.
The following settings are available:
• Block—blocks the element’s action.
• Prompt—asks you each time this element attempts to activate.
• Permit—allows the element to function.
Note: The use of all active elements is enabled for all web pages by default. To configure individual settings for specific web sites, select the Exclusions tab: Click Add and type the site address (that has active content settings) that you want to personalize and click OK.
Properties dialog (see below) in which you can customize the specific site’s active content treatment settings. The site can inherit the settings from the global policy or you can assign each an individual value. Note: Settings that inherit default values are displayed in gray; settings that are assigned unique values are displayed in blue. Tip: This dialog can also be invoked by selecting a site on the Exclusions tab and clicking the Properties button.
4.4 Attack Detection
This plug-in informs you of a possible attack on your computer from the Internet or the network your computer is connected to. It recommends the steps to be taken as well, in order to prevent damage to your computer. The Attack Detection plug-in lets you specify the conditions in which a warning is to be displayed. It also has response settings that will be used if a specified security level is exceeded.
• Play sound alarm when attack is detected—if selected, Outpost Firewall will play the specified audio file every time an attack is detected.
• Block intruder IP for—if selected, blocks all network exchanges from the computer attacking yours for the number of minutes you set (60 minutes by default).
o Also block intruder subnet—if selected, blocks all network exchanges from the entire subnet to which the intruder belongs.
detect and block. This ARP spoofing enables hackers to 'sniff' (read) packets and view any data in transit, or to direct traffic to non-existent hardware, causing delays in data transmission or a denial of service on the affected equipment. Specialized hacker sniffing programs can also intercept traffic, including chat sessions and related private data such as password entries, names, addresses, and even encrypted files, by modifying MAC addresses at the Internet gateway.
Click the Advanced tab of the plug-in settings dialog and then click Edit list to display the Attacks dialog box. Here you can select the attacks you want Outpost Firewall to detect and avert. Note that the Advanced button displays a dialog that lets you change the settings that apply to all attacks in the list.
To change the setting value, highlight the setting in the list and click its value in the right column. Note: Alter these settings with care since an improper attack detection configuration can lead to significant problems with your system network connectivity. From a security point of view, TCP and UDP ports in your system are divided into several groups according to the probability of an attacker using the port to break in.
exploited by well-known Trojan horses. Click the tab according to the list you want to change. Click Add and specify the Protocol, Port number and Weight. Weight is a decimal value that indicates port importance. A greater number indicates a more vulnerable port. You may also add comments to describe the port’s purpose or anything you wish to note.
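The guide does not say how the port weights feed into detection, so the following is an added illustration, not Outpost Firewall code: one plausible scheme in which each source's probes are scored by port weight and the source (optionally its subnet) is blocked for a set time once an alarm level is reached. The weight values, alarm level, look-back window and /24 subnet size are assumptions; only the 60-minute block time comes from the guide.

```python
# Added illustration (not Outpost's algorithm): score probes from each source by
# per-port weight and block the source once the score reaches an alarm level.
import ipaddress
from collections import defaultdict

# Constructed weight table in the shape of the dialog: (protocol, port) -> weight.
PORT_WEIGHTS = {
    ("TCP", 135): 3,   # Windows RPC endpoint mapper
    ("TCP", 139): 3,   # NetBIOS session service
    ("TCP", 445): 3,   # SMB
    ("TCP", 23): 2,    # Telnet
    ("UDP", 137): 2,   # NetBIOS name service
}
DEFAULT_WEIGHT = 1     # assumed weight for ports not in the table
ALARM_SCORE = 6        # assumed alarm level
WINDOW_SECONDS = 60    # assumed look-back window
BLOCK_MINUTES = 60     # the guide's default block time


class ScanDetector:
    def __init__(self, block_subnet=False, subnet_prefix=24):
        self.block_subnet = block_subnet
        self.subnet_prefix = subnet_prefix   # assumed size of "the subnet"
        self.probes = defaultdict(dict)      # src -> {(proto, port): last seen}
        self.blocked = {}                    # IPv4 network -> expiry time

    def is_blocked(self, src, now):
        addr = ipaddress.ip_address(src)
        for net, expiry in list(self.blocked.items()):
            if expiry <= now:
                del self.blocked[net]        # block has timed out
            elif addr in net:
                return True
        return False

    def observe(self, now, src, proto, port):
        """Record one unsolicited probe; return 'blocked', 'alert' or 'ok'."""
        if self.is_blocked(src, now):
            return "blocked"
        seen = self.probes[src]
        seen[(proto, port)] = now
        for key in [k for k, t in seen.items() if now - t > WINDOW_SECONDS]:
            del seen[key]                    # forget probes outside the window
        # Each distinct port counts once, so repeats do not inflate the score.
        score = sum(PORT_WEIGHTS.get(k, DEFAULT_WEIGHT) for k in seen)
        if score < ALARM_SCORE:
            return "ok"
        prefix = self.subnet_prefix if self.block_subnet else 32
        net = ipaddress.ip_network("%s/%d" % (src, prefix), strict=False)
        self.blocked[net] = now + BLOCK_MINUTES * 60
        del self.probes[src]
        return "alert"


def replay(events, detector):
    """Feed (time, source, protocol, port) events through a detector."""
    return [detector.observe(*event) for event in events]


# Constructed events: (seconds, source IP, protocol, destination port).
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "TCP", 80),
    (1, "198.51.100.7", "TCP", 445),
    (2, "198.51.100.7", "TCP", 135),     # score reaches 7: alert and block
    (3, "198.51.100.9", "TCP", 80),      # same /24 as the blocked source
    (3603, "198.51.100.9", "TCP", 80),   # after the 60-minute block expired
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, ScanDetector(block_subnet=True)))
```
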
4.5 E-Mail Attachment Quarantine
This plug-in checks the files attached to e-mail arriving at your computer. With this plug-in, you can specify which attached files are to be quarantined so they cannot harm your computer, and have appropriate messages alert you. Different modes of file checking can be set in this plug-in according to the file type of each attachment.
Click OK and the new file type will be added to the list of file types Outpost Firewall monitors: Select Rename It and/or Report It and click the OK button. After that, Outpost Firewall will display an alert message about any attachment that is received and renamed.
4.6 DNS Cache
The Internet works by assigning a series of numbers to each computer connected to it. This is called the computer’s IP address. An example of an IP address is: 64.176.127.178. You can simply type this series of numbers into your browser’s location field (near the top of your browser’s window) and press your keyboard’s Enter key and your browser will go to that computer’s web pages.
be an attempt to send out your private data as the domain name of a fourth or higher level. To do that, select the Block extra long DNS requests check box. Additionally, you may want to receive pop-up alerts about such requests, if you want to stay informed about DNS attacks against your system. To receive alerts, select the Alert about blocked DNS requests check box.
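The check described above can be pictured with the following added example, which is not Outpost Firewall code: it flags query names that are extra long, or that carry a long random-looking label at the fourth level or deeper, and honours an exclusion list. The length and entropy thresholds and all sample names are assumptions constructed for the illustration; the guide gives no numeric limits.

```python
# Added illustration (not Outpost code): decide whether a DNS query name looks
# like data being carried out in deep, oversized subdomain labels.
import math
from collections import Counter

# All thresholds are assumptions for this sketch; the guide states none.
MAX_NAME_LEN = 80    # treat longer names as "extra long" (DNS itself allows 253)
MIN_DEPTH = 4        # "fourth or higher level" domain name
MAX_LABEL_LEN = 30   # ordinary host labels are short (DNS allows 63)
MIN_ENTROPY = 3.5    # bits per character; encoded payloads look random


def label_entropy(label):
    """Shannon entropy of one label, in bits per character."""
    if not label:
        return 0.0
    total = len(label)
    return -sum(n / total * math.log2(n / total) for n in Counter(label).values())


def is_excluded(name, exclusions):
    """True when the name equals or sits under an entry of the exclusion list."""
    return any(name == e or name.endswith("." + e) for e in exclusions)


def inspect_query(qname, exclusions=()):
    """Return the reasons a query should be blocked (empty list = allow)."""
    name = qname.rstrip(".").lower()
    if not name or is_excluded(name, exclusions):
        return []
    labels = name.split(".")
    reasons = []
    if len(name) > MAX_NAME_LEN:
        reasons.append("extra long name (%d chars)" % len(name))
    if len(labels) >= MIN_DEPTH:
        # Labels left of the last two are free-form text chosen by the sender,
        # so that is where smuggled data would sit.
        for label in labels[:-2]:
            if len(label) > MAX_LABEL_LEN and label_entropy(label) >= MIN_ENTROPY:
                reasons.append("long high-entropy label at depth %d" % len(labels))
                break
    return reasons


def classify(queries, exclusions=()):
    """Map each query name to 'block' or 'allow'."""
    return {q: ("block" if inspect_query(q, exclusions) else "allow") for q in queries}


# Constructed sample queries (example.* names are reserved for documentation).
SAMPLE_QUERIES = [
    "www.example.com",
    "a1.b2.cdn.example.net",
    "q7kz3mxa5wpl2vbe6tyc4nrj8hsd9gfu.s1.t.example.org",
    "x" * 40 + "." + "y" * 40 + ".example.org",
    "x" * 40 + "." + "y" * 40 + ".updates.example.com",
]
SAMPLE_EXCLUSIONS = {"updates.example.com"}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_QUERIES, SAMPLE_EXCLUSIONS).items():
        print("%-5s %s" % (verdict, name))
```
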
specific sites from your computer. To manage the list, click the Edit list button under Exclusion list.
4.7 Content Filtering
Using the Content plug-in, you can block the display of particular web sites or pages containing objectionable material. To do this, select Properties on the plug-in’s shortcut menu: Select Block content containing specific keywords, as shown in the picture above, then type into the text field (above the large listing area) each word that should cause Outpost to block web pages containing it. As soon as you start typing, the Add button is activated.
Select Block sites with specific keywords in address as shown in the picture. Type in the URL or the part of the URL of the site you do not want displayed on your computer. As soon as you start typing, the Add button is activated. Click the Add button after you finish typing in the URL of each site to be blocked. Then click the OK button to have Outpost Firewall save the list.
Click Export or Import according to the action you need to take and then specify the configuration file name.
4.8 Anti-Spyware
Most computer users don’t realize they are storing confidential information on their computers that has commercial value to companies as well as hackers. With increasing frequency, people use computers, for example, to order goods and pay their bills over the Internet.
spyware, get rid of abusive ads, and to protect your private data from being stolen by spyware and Trojans.
The first step allows you to select the type of system scan. The following options are available:
Quick system scan. This option performs a fast scan of your system, checking the weakest points. Recommended for everyday usage. The following items will be scanned during this check:
• Processes in memory
• Vulnerable registry keys
• Vulnerable files and folders (such as system %systemroot% folder, root %systemdrive% folder and Program Files)
Full system scan.
Select the scan type and click Next. If the Custom scan is selected, the Select Objects to Scan step appears allowing you to explicitly select the objects to be scanned. Click Custom folders to select the specific disks, folders, and files to be scanned. In the Select Folders window, browse to and select the desired locations. If you want to scan specific files, select the Show files check box to display the files as well. Click OK after making the selection.
The scanning process can run in background mode. If you want to work with Outpost Firewall Pro while the scan is underway, click the Background button and the wizard will be minimized to the progress bar on the information panel. Click Show Wizard to see the window again. You can abort the scanning and proceed to the results any time by clicking Cancel. When the scan is complete, the list of detected objects (if any) is displayed automatically. If your system is clear, i.e.
If you know that some of the detected programs are legitimate software rather than spyware and do not want Outpost Firewall Pro to treat them as spyware (for example, you want to see ads displayed by some adware program), you can add such programs to the Ignore list. Outpost Firewall Pro will ignore the programs on the list and display no alerts on detecting their activity. These programs will also not be displayed in the list of detected spyware.
After viewing the results, click Finish to close the wizard. The Anti-Spyware plug-in provides real-time, non-stop protection against spyware. When real-time protection is enabled, all vulnerable system objects are continuously monitored so that spyware is detected before it performs any malicious activity. To enable the real-time protection, open the plug-in properties by right-clicking the plug-in in the tree and selecting Properties, then select the Enable real-time protection check box.
To remove all the detected spyware from your computer, click Remove All. If you want, you can view the list of detected spyware programs and remove the programs selectively by clicking the More button, highlighting the spyware in the list and clicking Remove by its side.
You can restore the program and add it to the Ignore list, so that Outpost Firewall Pro does not treat it as spyware, by selecting the command on the item’s shortcut menu. You can also remove the item permanently by clicking the Delete link by its side. To clear the Quarantine entirely, use the corresponding command on the plug-in's shortcut menu. Note: Not every spyware program can be placed into quarantine.
4.9 Quick Tune
Outpost Firewall provides an alternative way to control the content of downloaded web pages directly from your browser. The Quick Tune plug-in lets you manage the Ads and Active Content plug-in settings using a special panel in Internet Explorer. To get access to the plug-in settings from Internet Explorer, select Explorer Bar > Outpost Firewall Pro Quick Tune on the browser’s View menu.
Doing this will give you the following dialog: Select String portion if you want to trim the URL down. Then click OK to save the ad’s URL into the Outpost Firewall base. Note: To disable the plug-in, clear the Explorer Bar > Outpost Firewall Quick Tune checkmark on the browser’s View menu.
Part 2: For Advanced Users Only
5 Advanced Settings
5.1 Introduction
Our engineers configured Outpost Firewall’s default settings to give optimum protection for most computer systems and networks. Outpost Firewall was designed from the start to be effectively used in its pre-configured state even by computer novices who need not know about network protocols to have their computer system safeguarded against malicious applications or web sites.
A configuration file can be protected by a password. To do this, use the Options menu and select General, then click Enable in the Password protection area of the dialog. To change to a new configuration, use the File menu, select Load Configuration and choose the configuration file you want or simply select the configuration name on the File menu between Save Configuration As and Exit.
By default, your password protects only your configuration settings from being altered. You can additionally choose to protect the Log Viewer and the Outpost Firewall service if you need to keep the system network history from being viewed by unauthorized persons or want to prevent them from unloading Outpost Firewall and disabling its protection and the restrictions you set.
First, describe the event to which the rule applies.
checks for rules matching the activity of the application in the Global Application and System Rules list and uses any that might apply.
5.5 System Level Filtering
Open the Options dialog window and select the System tab: Note: These settings are for advanced users only. If any are incorrectly changed for your system or network, it could result in your firewall not working as expected.
is not turned on or not connected to the Internet. It is recommended that you keep Outpost Firewall in stealth mode unless you have a reason not to. Global rules and rawsocket access—lets you specify global rules for all applications.
Click Add and select the application that you want to grant rawsocket access. If you want Outpost Firewall to ask you each time an application that is not on the allowed list attempts to access rawsockets, select the corresponding check box.
5.6 Using Macro Addresses
Outpost Firewall Pro allows you to specify macro addresses in rule descriptions to facilitate the creation of rules.
ALL_COMPUTER_ADDRESSES. Specifies all IP addresses your computer has in different networks, including broadcast and multicast addresses.
BROADCAST_ADDRESSES. Specifies addresses within broadcast ranges available to your computer. A broadcast address is an IP address that allows information to be sent simultaneously to all machines on a given subnet.
MULTICAST_ADDRESSES. Specifies addresses in multicast ranges.
Normally when you open this window you will see your network address, but if you selected the Configuration Wizard during the Outpost Firewall installation process and removed all detected networks, then this window will most likely be blank. To detect your network automatically, click the Detect button.
Specify the domain name, IP address, or IP range. An example is given below the selection area for each type of address designation. An active Internet connection is required for Domain name (Internet connection needed) because the IP address needs to be looked up directly over the Internet. The IP address is saved along with the domain name you enter and this is the IP address that is mostly used by Outpost Firewall.
If you want a particular application to always or never use Entertainment mode, select the Remember for this application check box before responding to the dialog box. You can also enable or disable Entertainment mode for specific applications in the Options > Application list using the commands on the application's shortcut menu.
5.9 Running in Self-Protection Mode
As anti-malware tools have grown stronger, hackers now try to switch them off using rootkits and other advanced tools before proceeding with their own unauthorized actions. To withstand this threat, Outpost Firewall Pro features a so-called Self-protection mode. With self-protection turned on, Outpost Firewall Pro protects itself against termination caused by viruses, Trojans or spyware.
6 The Outpost Log System
6.1 Introduction
Outpost Firewall performs many different functions as it protects your computer from attacks. Each action it takes is referred to as an event and every event is logged. To make it easy for you to view these event logs, our engineers created the Outpost Log Viewer. This shows you the history of every operation Outpost Firewall performed including:
• Every application and connection that was allowed or blocked by Outpost Firewall.
6.2 Outpost Log Viewer’s Main Window
The main window of the Outpost Log Viewer allows you to view and work with the logs. To access this window select Tools from Outpost Firewall’s menu and then select Outpost Log Viewer. This is how the window looks: The main elements of Outpost Log Viewer are:
• The Menu Bar.
1. In the console tree, right-click a log or plug-in.
2. Select Expand All or Collapse All on the shortcut menu.
The console tree consists of two tabs: Tree and Favorites. For more information about Favorites, see the 6.5 Working with Favorites chapter. On the Tree tab, there are the following groups of logs:
• Alerts Tracker: A listing of all the displayed notifications.
• Allowed Connections: A listing of every application and connection that Outpost Firewall allowed.
• System Log: This is a record of every program start and every change made to the firewall policies, program options and configuration settings.
The information is arranged in a table. The columns of this table represent the various log parameters, such as Application, Start Time, Protocol. Each log has its own set of parameters. See the 6.3 How to Display Logs chapter for details.
You can locate data more comfortably by showing or hiding specific parts of the Outpost Log Viewer window. To customize the Log Viewer’s layout, select Layout on the View menu. You will see the Customize View dialog, which looks like this: Select the elements you want to display and clear those you want to hide. To show or hide the console tree, you can also use the button on the Outpost Viewer toolbar. 6.
To select the columns you want displayed for the selected log, right-click anywhere in the information panel and select Columns from the shortcut menu. Alternatively, you could select Add/Remove Columns on the View menu. You will see the Columns dialog that looks like this: Select the columns you want to be displayed in the information panel. To change the sequence of columns in your log, use the Move Up or Move Down buttons.
information on the application in the Application column and select Include Selection. Then right-click the Start Time column on the required date and time and select Include Selection again. The information panel will now display all the records of the selected date regarding the selected application. This operation can be done so quickly that there is no reason to save the configuration. To create a permanent selection of records under complex conditions, create a filter.
To create a filter, click the Add Filter button in the information panel. This command is also available in Outpost Log Viewer’s menu under Actions > Add Filter and in the shortcut menus of each log in the console tree. You will see the Filter dialog with a listing of the columns in that log. To specify a filtering rule, select each column of data you want to see. In the description field, the beginning of the rule appears, such as: “Where the Start Time is Undefined”.
It is also possible to remove an unnecessary filter by highlighting it in the console tree and pressing the Remove Filter button. The filter will be removed from the console tree. You can quickly view a filter from within the Outpost Firewall’s main window (see the 6.3 How to Display Logs chapter for details) or add it to Favorites (see the 6.5 Working with Favorites chapter for details).
6.5 Working with Favorites
The console tree consists of two tabs: Tree and Favorites. Favorites is where you can keep things that you use often. You can add logs, presets or filters that you frequently use to the Favorites tab for convenient and quick access. In the console tree, right-click the required item (group of logs, log, log preset or filter) and select Add to Favorites.
To create a new folder, click the Create Folder button. To rename or delete an item, select the item and click Rename or Delete. Clicking on Move to Folder displays the Select Favorites Folder dialog. Highlight the folder you want the item to be moved to and click OK.
Appendix A: Customizing Outpost Main Window
Layout
You can choose not to display the folder bar, tool bar and the status bar in order to increase the amount of viewing space of the information panel.
• Allowed—shows the events log for all applications with a protocol that is supported and allowed for network operation.
• Blocked—shows the events log for all applications with network connection attempts that were blocked.
• Reported—shows the events log for all applications for which a report on their network operations must be made according to Outpost Firewall’s settings.
Note: The same object can be in several lists as applicable.
Please note that the Columns menu is available for Network Activity and Open Ports items only.
The Column Headers and Listed Fields in this dialog correspond to those in the information panel. You can customize the listings by removing an item from the list using the Remove button or adding a previously removed item back to the list using the Add button. You can also rearrange the sequence of the items for each listing.
• If cached—convert these to their DNS addresses if the information for the address conversion is stored in the DNS Cache module.
• Always—always convert and display these addresses as DNS addresses. However, this is not recommended as it can result in a great number of DNS requests.
The Display port as section lets you display the local port (on your computer) and remote port values as:
• Number—ports are displayed as numbers.
• Local Port (on your computer)
• Remote Host (a computer other than yours)
• Remote Port (on the other computer)
Highlight one of the left panel items listed above, click the View menu and select Group By. You can also get this same display by highlighting the left panel category (Network Activity in our picture) and then clicking the Group By button. Select the criterion by which the objects should be grouped.
Appendix B: Types of ICMP Messages

Field Value   Description
0             Echo Reply
3             Destination Unreachable
4             Source Quench
5             Redirect
8             Echo Request
10            Router Solicitation
11            Time Exceeded For Datagram
12            Parameter Problem On Datagram
13            Timestamp Request
14            Timestamp Reply
16            Information Reply
17            Address Mask Request
18            Address Mask Reply

Echo Request is one of the simplest methods of checking operating conditions of a network node.
The Information Request and Information Reply ICMP messages are obsolete. They were used earlier by network nodes to determine their inter-network addresses, but are now considered outdated and should not be used. The Address Mask Request and Address Mask Reply ICMP messages are used to find out the mask of a subnet (i.e. what address bits define a network address). A local node sends an Address Mask Request to a gateway and receives an Address Mask Reply in answer.
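The following Python sketch is an added example, not part of the original guide or of Outpost Firewall. It parses a raw ICMP message (IP header already stripped), verifies its checksum, names its type from the table in this appendix, and flags the obsolete Information Request and Information Reply types. The value 15 for Information Request comes from RFC 792 rather than the table, and the sample messages are constructed.

```python
import struct

# Type values from the Appendix B table. Type 15 (Information Request) is
# named in the text but missing from the table; its value is from RFC 792.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo Request", 10: "Router Solicitation",
    11: "Time Exceeded For Datagram", 12: "Parameter Problem On Datagram",
    13: "Timestamp Request", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply",
}
OBSOLETE = {15, 16}  # described above as obsolete; should not be used


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back in
    return ~total & 0xFFFF


def classify_icmp(message: bytes) -> dict:
    """Parse an ICMP message and report its type, name and integrity."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code = message[0], message[1]
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "Unknown"),
        # A message summed together with its own checksum yields 0 if intact.
        "checksum_ok": inet_checksum(message) == 0,
        "obsolete": icmp_type in OBSOLETE,
    }


def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Build a constructed sample message with a valid checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


# Constructed samples: an Echo Request and an obsolete Information Request.
ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1) + b"ping")
INFO = build_icmp(15, 0, struct.pack("!HH", 0x1234, 2))
```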
Appendix C: Penetration Techniques
Outpost Firewall Pro allows you to control the following actions:
Components injection
The Windows operating system by design enables installing system interceptors (hooks) through which foreign code can be injected into other processes. Usually this technique is used to perform common, legitimate actions, for example, switching the keyboard layout or launching a PDF file within the web browser window.
Here the point is interaction between programs through the SendMessage and PostMessage APIs, and so on. This technique is sometimes used for legitimate inter-process interaction, but can likewise be used for nefarious purposes by perpetrators. Outpost Firewall Pro controls such attempts.
Active Desktop modification
By installing a specific HTML file for Active Desktop, malicious processes can transfer private data on behalf of Windows Explorer.
the legitimate actions. However, those command-line parameters may contain some piece of private or critical data, along with the host name of the intended recipient. An example of this technique is the Wallbreaker leaktest (http://www.firewallleaktester.com/leaktest11.htm). Outpost Firewall Pro provides a restricted list of processes that are allowed to start the default browser with command-line parameters, protecting your browser against tampering.
application's memory, Outpost Firewall Pro detects it and displays a pop-up prompt asking for your decision. The system works proactively: it allows you to permit or deny the modification of memory of other processes at the application level. For example, Visual Studio 2005 would be able to modify memory, while the "copycat.exe" leak test would be disallowed from doing so.
Appendix D: Technical Support
If you need assistance in using Outpost Firewall, visit its support pages at http://www.agnitum.com/support/ for available support options, including knowledge base, documentation, support forum, product-related web resources, and direct contact with support engineers.