Thanks so much for recommending the Armor Online Free firewall. It
really works - is low on resources and speaks to you in comprehensible
language when it poses a question. And it's free!
I've put it on my desktop and my portable without a single problem.
There is no parent-child control in Online Armor's firewall. Say you
allow your browser to connect. Well, then you have also allowed any
caller (parent) program to execute that browser to get a connection to
some unknown web page. By regulating who can call (parent) another
program (child), you know who is really asking for the connection.
For many users, this is not a critical feature since few firewalls
provide parent-child control. Comodo has it in their older v2.4 but
dropped it in their new v3 firewall that now includes HIPS. The firewall
just got added in version 2 of Online Armor (OA) so it will need some
fixing or features to get up to speed with other firewalls.
So the assumption is that you have permitted the parent program to run
but relinquish any control over whether or not it can make connections
using child programs; i.e., in Comodo Firewall Pro v3, you get to
regulate the load of a program using HIPS (the parent and child programs),
like in Online Armor, and you can regulate which programs can make
connections (the child programs), but you cannot control if the parent
can call the child to make the connection. As a result, both Online
Armor and Comodo will fail all leaktests UNLESS you, as the user, see
the prompt and deny the execution of the parent program - but that is
not the point of leaktests. Rather than regulating who can call what
for a connection, your only choice is whether the parent loads or
not. Online Armor is promising to add parent-control into their
firewall, a brand new feature added in their latest version 2. But they
have lots of fixes to make and other more security-related updates to
make to their product so they aren't promising when to deliver on
parent-child control.
While other HIPS products are better at controlling ALL auto-start
programs in the various locations available under Windows, Online
Armor's AutoRuns protection is limited to just a few areas. They don't
cover the WinLogon/Notify, Session Manager bootexecute, and other areas
that users normally never touch. They are promising an update sometime
later to address the lack of coverage for auto-start processes.
There have been some instances where programs would generate a prompt when
they loaded, the user answered to allow the load and remember that
action (and it does get remembered), but the program never shows up in
the list under their Program Guard. Once remembered and because it
isn't in the list, you cannot later revoke that run permission. It
looks to be a UI error in the grid control that they use not showing all
the recorded rules.
Currently Online Armor does not encrypt the registry keys used by that
program. This can provide info to malware or malcontents on how the
product is configured and possibly could alter that behavior to reduce
protection (their documentation is poor, basically just an overview, and
they don't define the purpose of these registry keys). They also do not
protect these registry keys against alteration. Online Armor does not
load under Safe Mode so even if they protect those registry keys then
they won't be protected if you reboot into Safe Mode. They need to
encrypt those keys. When OA attempts to read them, and if altered and
hence corrupted, OA will be unable to read those altered values and know
they were changed outside of OA. They promise to later address this
security hole to protect against alteration (but only when OA is
running) and use encryption (to detect alteration under Safe Mode and to
then revert to whatever would be the most restrictive values for those
corrupted settings and also alert the user to that act).
The free version doesn't let you back up your settings. The paid version
does. However, you can save the .dat files in the OA install path to
back up your settings. Since OA protects against any access to these
.dat files when it is running, even to copy them, you have to reboot
into Safe Mode, copy the .dat files, and then reboot into normal mode.
Online Armor does not run under Safe Mode. It has been deliberately
designed that way. One reason for this behavior is that uninstallation
may fail under normal mode; e.g., you won't be able to read their
unins000.log file to do the uninstall. In most cases, but not
guaranteed to be the only case, the user has disabled Program Guard
(HIPS) and loses access to the UI (i.e., the user can no longer get at
the configuration or status windows for the product). Rebooting won't
fix the problem. Loading the UI (oaui.exe) won't fix the problem. The
product has to be uninstalled and that can only be done under Safe
Mode. However, the fact that OA does not run under Safe Mode also means
that
you have no HIPS or firewall protection while under Safe Mode. If
malware still loads, like using the WinLogon/Notify event (instead of
the normal auto-start locations), then it now has free rein to load.
The malware is also unfettered under Safe Mode (with networking enabled)
to connect. Not all malware gets neutered in Safe Mode.
Currently there is no option in OA to block all network access until the
firewall has fully loaded. This means there is a window of opportunity
in which malware could load and also connect. About the only advantage
the Windows Firewall provides is that the network stack is disabled
during Windows startup until the Windows Firewall (if enabled) has fully
loaded. Comodo v2.4 has the option to block network access until it is
fully loaded. OA doesn't have this option but is promising to add it
later. Of course, if the firewall is flaky then you might not get any
network access even after the firewall loads. Comodo v2.4 hasn't had
this problem. I don't know about v3 since it lost some functionality,
uses a non-intuitive HIPS (try figuring out how to block a program from
loading without visiting their forum), lost the parent-child firewall
control, and is way too flaky so I abandoned it long before having
enough history to know if enabling the option to block network access
until Comodo is loaded is reliable. Again most users don't even think
about this window of opportunity for any firewall that doesn't have this
option (but those same users don't think about the vulnerability of OA
not running under Safe Mode, either).
Unlike Defense Wall which reduces permissions for unknown or untrusted
processes which attempt to run silently but is really for newbie or lazy
users, OA with its HIPS will be asking lots of questions. (Note:
Defense Wall is not a HIPS product as they claim since it never
interferes with the load of a program, only with the privileges it gets
after it loads. It doesn't need to continually prompt the user because
it doesn't regulate what can load. Softsphere also doesn't provide a
free version of Defense Wall.) OA also tries to alleviate the deluge of
prompts by downloading a list of certified good applications; however,
if you update the program and it isn't in their list or you haven't
updated the list yet, you'll get prompted because of the new version (of
an old program that you allowed to run before). Many users want to use
their host rather than repeatedly answer prompts about what is allowed
to run. Of course, a list of certified apps is someone else's decision
that the program is okay so some OA users won't use that list and
instead want to get prompted on every program so they know what is
allowed to run or not. That is why many HIPS products have a learning
mode including, I believe, OA (but I don't remember if learning mode
works in the free version). Be warned that the free version will NEVER
retrieve updates to this certified apps list. Updating in the free
version of OA is manual - but you can't even do a manual update to
retrieve the new list. Manual updating means you get an e-mail telling
you that there is an updated list, you have to download it using the
link in the email, and then you point at that file to insert the new
definitions. So manual updates are very manual. And you won't get
notification of those updates unless you insert your email address
during the installation. You cannot register after the installation to
get those email notifications of updates. You cannot subscribe to a
mailing list to get those email update notices. If you choose not to
disclose your email address during the installation, you will have to
uninstall and reinstall and give your email address under that new
install. And then what you get are emails telling you to download a new
file, after which you have to point at it to insert its contents. The paid
version has automatic updating. Forcing manual updates in a free
version is nasty, especially regarding a security program, but this
extremely manual update process that relies on email notification just
sucks. It means a significantly reduced number of users of the free
version will get the email notifications and only a subset of those will
perform the manual file update.
Online Armor is pretty good but it needs several security issues
addressed, some of which were so obvious that it seems they pushed it out
the door way too soon simply because they wanted to show off their new
firewall that got included in version 2. Visit their forums to see what
is missing, promised for later updates to the product, and problems with
it. I almost got this product and there is enough in the paid version
to make me buy it but it needs a bit more work. Between Comodo's version
3 and Online Armor, both having HIPS and firewalling, I'd go for Online
Armor - but after a few more updates (so I'm sticking with Comodo v2.4
for now and might get ProSecurity [paid] for HIPS if Tall Emu takes too
long with the updates for OA).
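One way to watch the two auto-start locations the post says Online Armor's AutoRuns protection skips (Winlogon\Notify and Session Manager BootExecute), so that a change made while the machine was booted into Safe Mode shows up afterwards. This is an added example, not code from the post or from Tall Emu; the baseline file path is an assumption.

```powershell
# Added example (not from the post or from Tall Emu). Snapshot the two
# auto-start locations the post says OA does not cover and diff them
# against a saved baseline. Run as Administrator; first run writes the
# baseline, later runs warn about anything new, removed or changed.
$BaselinePath = Join-Path $env:ProgramData 'autostart-baseline.json'  # assumed path

function Get-UncoveredAutostarts {
    $entries = @{}
    # Winlogon\Notify: each subkey names a DLL that winlogon.exe loads
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        Get-ChildItem $notify | ForEach-Object {
            $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DllName
            $entries["Notify\$($_.PSChildName)"] = [string]$dll
        }
    }
    # Session Manager BootExecute: native programs smss.exe runs before logon
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $boot = (Get-ItemProperty $sm -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
    $entries['BootExecute'] = ($boot -join ' | ')
    return $entries
}

$current = Get-UncoveredAutostarts
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}
$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$keys = @($current.Keys) + @($baseline.PSObject.Properties.Name) | Sort-Object -Unique
foreach ($k in $keys) {
    $old = $baseline.$k
    $new = $current[$k]
    if ($null -eq $old)     { Write-Warning "NEW     $k = $new" }
    elseif ($null -eq $new) { Write-Warning "GONE    $k (was $old)" }
    elseif ($old -ne $new)  { Write-Warning "CHANGED $k : '$old' -> '$new'" }
}
```

Keep the baseline file somewhere OA's own rules do not need to protect, and re-run the script after every Safe Mode session so a silent addition is caught before the next normal boot runs it.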