AV questions


Paul Ekins
17th August 2009, 11:05 AM
Could someone explain exactly how the AV element actually works? As far as I understand it, it doesn't scan e-mail messages or attachments, nor does it scan spreadsheet, Word or PDF documents on opening etc. So what does "on execution" really mean? Am I right in assuming that a "nasty" can be downloaded without being caught at the point of entry, i.e. it is allowed into the system, but as soon as it "activates" or is "activated" it should be caught?
If that is the case, how does running a scan find these nasties, as up to this point they obviously haven't been activated and are sitting there doing nothing?
In most cases if an AV detects anything the normal route is to quarantine and then delete if safe to do so; however, in the scan box the options are run safer, allow, block, ask, extract and delete, there is no quarantine as such! If you are not sure of something, what is the best option to choose that stops any damage to the system temporarily? E.g. if you block something, does it show up in a block list with the option to unblock it? If not, what is the best option to choose? Also, when would you use "run safer" and "extract"?
To put my mind at rest, is an AV that doesn't catch nasties on the way in, but only on the way out so to speak, just as good?
My apologies if the questions all sound pretty stupid and easy to deal with, but if I don't ask I will never know.

Paul

catprincess
17th August 2009, 02:11 PM
As far as I understand it, it doesn't scan e-mail messages or attachments, nor does it scan spreadsheet, Word or PDF documents on opening etc. So what does "on execution" really mean? Am I right in assuming that a "nasty" can be downloaded without being caught at the point of entry, i.e. it is allowed into the system, but as soon as it "activates" or is "activated" it should be caught?
'On execution' means when the malware 'starts to run'. Although OA ++ doesn't operate quite like a regular AV, Adrian's post here http://support.tallemu.com/vbforum/showpost.php?p=99110&postcount=3 explains that OA++'s Web and Mail Shields do scan files while they are being downloaded.

If that is the case, how does running a scan find these nasties, as up to this point they obviously haven't been activated and are sitting there doing nothing?
If you do a scan, it's checking the files, not whether they are running or not, so malware will be found even if it's not active.

In most cases if an AV detects anything the normal route is to quarantine and then delete if safe to do so, however, in the scan box the options are run safer, allow, block, ask, extract and delete, there is no quarantine as such! If you are not sure of something what is the best option to choose that stops any damage to the system temporarily e.g. if you block something, does it show up in a block list with the option to unblock it? if not what is the best option to choose. Also when would you use "run safer" and "extract".
Block would be the best option if you aren't sure as this will prevent the file from being run until you can decide whether you should delete it or not. There isn't currently a quarantine feature, though Tall Emu are going to look into this for a future version of ++ :).

The extract option can be used for extracting Alternate Data Streams. OA ++ can scan for these streams but it can't automatically tell you whether they are malicious or not until you extract them and then rescan the files that were extracted from the stream.

You can read more about 'RunSafer' here http://www.tallemu.com/webhelp3/KF-RunSafer.html and there's a subsection in this post on the OA blog http://onlinearmorpersonalfirewall.blogspot.com/2009/06/online-armor-best-practices-1.html that explains the types of programs that it's beneficial to use RunSafer on. In the context of the AV side of ++, you might use RunSafer if you've scanned a file and it's infected but for some reason you want to run it anyway. Using RunSafer can limit the damage that some malware can do. Still it's really safer not to run malware at all :)


To put my mind at rest, is an AV that doesn't catch nasties on the way in, but only on the way out so to speak, just as good?

Since malware can't do any damage unless it runs, OA ++ protects you very well :) When it tries to run, OA ++ alerts you and you can stop it before it ever does anything. As noted in the post of Adrian's that I linked to earlier, you are able to run a regular AV alongside OA ++ too if you wish. It's not necessary, but some people like having this option :)

Atomas31
17th August 2009, 05:41 PM
Since malware can't do any damage unless it runs, OA ++ protects you very well :) When it tries to run, OA ++ alerts you and you can stop it before it ever does anything. As noted in the post of Adrian's that I linked to earlier, you are able to run a regular AV alongside OA ++ too if you wish. It's not necessary, but some people like having this option :)


Hi Catprincess,

Wouldn't using an anti-virus with OA++ create an incompatibility between the anti-virus of OA++ and the other anti-virus?

What are the "regular" AVs that can ride alongside OA++ without conflicting with the OA++ AV?

Thanks,
Atomas31

catprincess
17th August 2009, 05:50 PM
Wouldn't using an anti-virus with OA++ create an incompatibility between the anti-virus of OA++ and the other anti-virus?
No, because of how the Emsi/Ikarus engine is incorporated into OA++, it's still compatible with other AV programs.


What are the "regular" AVs that can ride alongside OA++ without conflicting with the OA++ AV?

Probably that depends on the person's system; some people have trouble with certain AV's while they work great for others. If the AV program of your choice worked with OA Premium, it should be okay with ++ also :)

Paul Ekins
18th August 2009, 08:17 PM
OK, I am probably going to seem really thick, but I do not understand what "scan on execution" really means. If I open a PDF document using Acrobat, surely Acrobat as a program is "executing" and therefore a scan should take place, which seems the same as scan on read or opening of a document.
I need an idiot's guide to understanding the difference.

Paul

catprincess
18th August 2009, 08:26 PM
OK, I am probably going to seem really thick, but I do not understand what "scan on execution" really means. If I open a PDF document using Acrobat, surely Acrobat as a program is "executing" and therefore a scan should take place, which seems the same as scan on read or opening of a document.
I need an idiot's guide to understanding the difference.

Paul

Acrobat as a program is executing, but the PDF file itself is not an executable :) All file types are able to be scanned with the AV engine if you elect to do a system or individual file scan, but OA's HIPS will only pass executable files to the AV engine to check. If this PDF file was malicious, and tried to sneakily run an embedded file to do its deeds, OA should stop it in its tracks, right away :)

minoka
18th August 2009, 10:40 PM
A PDF file could be embedded with a malicious script that would do damage when it is run.
This is taken from
http://help.adobe.com/en_US/Acrobat/9.0/Standard/WS0A9F02BE-0B04-4e37-B971-16EEB6FD318E.html

At what point would OA++ catch or stop it (when would OA declare the .pdf itself to be infected)? Would OA detect the malicious script in the .pdf file before it is run, i.e., while downloading, scanning or opening the .pdf file or would it stop the malicious script itself once it starts running? What would have caught this malware, the web shield, the anti-virus?
Shouldn't the web shield have caught the malicious script during download?
What if web shield is disabled?

This thread has me totally confused (:

Paul Ekins
18th August 2009, 10:56 PM
Acrobat as a program is executing, but the PDF file itself is not an executable :) All file types are able to be scanned with the AV engine if you elect to do a system or individual file scan, but OA's HIPS will only pass executable files to the AV engine to check. If this PDF file was malicious, and tried to sneakily run an embedded file to do its deeds, OA should stop it in its tracks, right away :)

OK, but how will OA stop it in its tracks (see also post 7 from Minoka)? Will the AV part do its job and provide the option to delete the infected object, or will it be a pop-up from the HIPS which will probably not identify it as malicious, but just ask whether it should be allowed to run, block, run safer etc., which will require a lot more knowledge about what is going on to make the correct decision?
Not trying to be difficult here, just trying to understand what is doing what?

Paul

Atomas31
19th August 2009, 12:16 AM
OK, but how will OA stop it in its tracks (see also post 7 from Minoka)? Will the AV part do its job and provide the option to delete the infected object, or will it be a pop-up from the HIPS which will probably not identify it as malicious, but just ask whether it should be allowed to run, block, run safer etc., which will require a lot more knowledge about what is going on to make the correct decision?
Not trying to be difficult here, just trying to understand what is doing what?

Paul

I am also a little bit confused, but I certainly wish that the anti-virus would be the first one to catch it and ask us what to do... If I receive a message that it is malware I will certainly block, delete, clean or something like that, more than just a message indicating to me that application xyz wants to start - accept or deny!?!?

judson
19th August 2009, 06:02 AM
Acrobat as a program is executing, but the PDF file itself is not an executable :) All file types are able to be scanned with the AV engine if you elect to do a system or individual file scan, but OA's HIPS will only pass executable files to the AV engine to check. If this PDF file was malicious, and tried to sneakily run an embedded file to do its deeds, OA should stop it in its tracks, right away :)
This http://news.softpedia.com/news/No-Click-Required-to-Exploit-0-day-Adobe-Reader-Vulnerability-106186.shtml may have been fixed ...

judson
19th August 2009, 08:37 AM
So what does "on execution" really mean.
You quoted, but from where? That aside, I consider that 'on execution' really (probably and/or possibly) means 'on access'.

minoka
19th August 2009, 01:10 PM
What if the launcher of .pdf files is NOT Adobe's? I use another reader :)

Paul Ekins
19th August 2009, 02:26 PM
This http://news.softpedia.com/news/No-Click-Required-to-Exploit-0-day-Adobe-Reader-Vulnerability-106186.shtml may have been fixed ...

Not really relevant as it was just an example of a situation that may arise and how would it be dealt with!

Paul

Paul Ekins
19th August 2009, 02:32 PM
You quoted, but from where? That aside, I consider that 'on execution' really (probably and/or possibly) means 'on access'.

Previous answers seem to not agree with this, I am now even more confused!

Paul

danielsansan
19th August 2009, 04:12 PM
I am new to Online Armor++. I wonder if the AV engine inside Online Armor++ is the same as a-squared 4.5? Are the signature databases just as large? I have used a-squared and I think it is a good program. Are Online Armor++'s detection capabilities the same?

This is not to compare the two products, but only for me to understand.

catprincess
19th August 2009, 06:11 PM
I am new to Online Armor++. I wonder if the AV engine inside Online Armor++ is the same as a-squared 4.5? Are the signature databases just as large? I have used a-squared and I think it is a good program. Are Online Armor++'s detection capabilities the same?

This is not to compare the two products, but only for me to understand.

Yes, OA ++ uses the Ikarus/Emsisoft engine that is in A-squared :)

danielsansan
19th August 2009, 07:58 PM
That's great!! I like it a lot! I'm surprised how light OA++ is running. Thought it might be a little heavier. It is N I C E! :)

minoka
19th August 2009, 08:06 PM
Is anyone able to dissipate my -and others- 'confusion' as described earlier in the thread?

ABx
19th August 2009, 11:19 PM
I am double-checking, but I would think that the Web Shield would catch it when it's being downloaded. Something to consider, however, is that a malicious script (such as in a PDF) is just going to download a malicious executable like a trojan. So even if it didn't catch it at first, it would still catch the trojan and prevent your system from being infected :) Of course you can also set OA++ to do scheduled scans.

However, if you want to have the real-time scanning of a regular AV then you can still use OA++ with another AV. With the state of malware today, it's not a bad idea to have multiple scanners, so using OA++ with a free AV would give you the best of both worlds. Even without, however, OA++ will keep your system from being infected.

As I've mentioned in another thread, this engine does give us more functionality than the Kaspersky engine did. So keep an eye out on future releases; it is likely that we will be increasing the functionality in OA++ :)

judson
19th August 2009, 11:44 PM
Not really relevant as it was just an example of a situation that may arise and how would it be dealt with!

Paul
I didn't mean to confuse. I was merely pointing out that there are many ways that nasties can infect a system (not just from .exe files or web pages). The particular example could be a problem for anyone who did not keep their applications up-to-date; in that case it was Adobe Reader.
Previous answers seem to not agree with this, I am now even more confused!
You asked what 'on execution' meant and I was advising that you should think of it as meaning 'on access'. In other words, an anti-malware program would scan a file before permitting it to be executed/loaded/used, etc. It is not just executable files that should and would be scanned. Some anti-malware programs do not check downloads: they check whenever the download is used. There is nothing wrong with that approach as the nasty can do no damage until it is allowed to run.

My apologies for adding to your confusion.

minoka
20th August 2009, 02:39 AM
Thank you ABx and judson for clarifying matters.

ABx, I do not always activate Web Shield since I use firefox with a number of add-ons. I am thus looking forward to whatever you find out after double-checking what Web Shield would catch ... or not :)

Gene Benson
20th August 2009, 07:45 AM
Let's see if I can add to everyone's confusion. There are several points at which an AV can scan a file to detect if it's infected or not.

1. While it is being downloaded. We will have to wait and see what ABx has to say about that. I also use Firefox and have Web Shield disabled. Whenever I download a .exe file I get an OA 2 balloon message that it is/has checked the file on OASIS. So some scanning is taking place.

2. When a file has been created. Like a download, mentioned above.

3. When a program is started. Before a program can run it has to be loaded into memory. When a program is loaded into memory, and before it actually runs, an AV can scan it.

4. By an "on demand" scan, either by scanning an entire disk, a single folder, or a single file.

IMHO all these methods are just as effective. The main difference is purely psychological. By that I mean it sounds better to have an AV detect something at point #1 than point #3. In reality detecting something at point #3 will stop an infection just as cold as any other method. It is just more comforting to have it stopped as early as possible.

As far as an infected .pdf file goes we have to remember that OA++ is more than just an AV, it is also a Hips. If you go into Programs, right click on any program, and choose "Advanced options" you will see a list of actions under the header "Permissions" that OA monitors. If your PDF reader of choice should load an infected file and the reader tries to do one of the things on that list then OA will react, depending on the setting in the list. Just to clarify, it is the script that tells the reader to do something and the reader will attempt to do it. So OA will detect an action from the reader and not the script. You can change the settings in OA "Standard mode" while "Advanced mode" will give you other options.

We also need to remember that OA is also a Firewall. So, to use ABx's example of a script wanting to download a Trojan, in order to do so it needs to go through the Firewall. If your reader has never accessed the Internet before then you will get a pop-up informing you that it now wants to do so. If you have blocked your readers access to the Internet then it will be unable to download anything.

This applies not only to a PDF reader, but any program, such as Word or Excel, that works on third party files, i.e. files that you receive from others.

So, is everyone now even more confused than ever? :rolleyes:

silvertemplar
20th August 2009, 01:03 PM
OK, so I played around a little with this. I used the EICAR test [it's a fake virus] to see what OA++ does.

http://www.eicar.org/anti_virus_test_file.htm

So basically, in Firefox and IE, OA++ does nothing. It didn't pick up the .zip, .com, .txt test files while downloading.



1. While it is being downloaded. We will have to wait and see what ABx has to say about that. I also use Firefox and have Web Shield disabled. Whenever I download a .exe file I get an OA 2 balloon message that it is/has checked the file on OASIS. So some scanning is taking place.


I've seen this popup before as well, but not consistently and definitely not for the particular test virus, so I don't know if I'm missing something here. Maybe it's only for specific file types?


Anyway other results:

If I scan it in Windows Explorer manually, OA++ picks up the virus in the .txt, .zip, .com.
If I execute the .com [double click run], OA++ will pop up and tell me it's infected before it runs.

If I open the .zip, OA++ does nothing.
If I extract the infected .com inside the .zip, OA++ does nothing.
If I open the .txt in Notepad, OA++ does nothing.

Sometimes I see the popup "Sending request to OASIS" for files in my browser CACHE.... not sure what triggers that, as it's not files I specifically downloaded but part of a website...

Now in contrast, MSSE [Microsoft's new AV]: in all the places above where I said "OA++ did nothing", MSSE in fact detected the virus.

So it's still open as to how secure it is in the end; basically the virus is allowed on your system with OA++. Also, if it's part of a file that is not explicitly an executable [i.e. a .txt / .doc] it's not certain it will be detected at all when opened in another application... and we all know files do not need to be executables to be malicious...


Obviously this "lack" of interference and real-time scanning from OA++ means it will work with other AVs without issues... simply because it only activates "at the last possible process", where most other AVs actually activate "at the point of entry". For an AV to monitor -all- incoming files also implies a lot of overhead, and Norton was notorious for doing these scans at the worst possible times [i.e. burning files or copying files would result in Norton scanning the files, resulting in a slowdown].

So in layman's terms, and as I asked in another thread, OA++ does not have a true real-time module. It does not sit there and monitor every single file coming in / being moved / being opened [which is why OA++ is so light]. It only checks when you execute a file, and "execute" refers to the file being an application which creates an actual process/thread.

It does not seem to detect/scan something like an infected Excel [.xls] file if I open it in Excel; it will only check Excel.exe when THAT runs [which is not the infected file] but not the actual non-executable file <---- this I can't confirm 100%, but based on the .txt tests I don't see it working differently.
BUT this is really a catch-22; this type of scanning can totally kill your system, nothing like being in a game and your AV deciding to scan every file that your game is opening & using.....

In the big scheme of things, if you consider what a virus actually does at the end of the day , it's quite certain OA++ will pick it up eventually. If it infects something via a process not picked up by OA++ [i.e. injecting something into an .exe] it will be picked up when that .exe attempts to execute. If it's a Trojan type of thing and OA++ missed the actual file somehow, the firewall will most certainly catch it ...that's what all those leaktests are for anyway ;)
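
To make the EICAR results above concrete, here is an added example (it is not Tall Emu's code and says nothing about how OA++'s engine works internally): a minimal on-demand scanner that matches the EICAR test file as eicar.org defines it and recurses into zip archives, so it finds the string in eicar.com, in eicar.txt and inside eicar_com.zip and eicarcom2.zip, which is exactly the set a manual scan reported as infected in the post above. The same matcher called only from a process-start hook would see just eicar.com at the moment it is launched, which is what "on execution" amounts to. The corpus is constructed in memory (nothing is written to disk), and the nesting and member-size limits are my own choices.

```python
"""On-demand signature scan that looks inside archives (added example)."""
import io
import zipfile
from typing import Dict, List, Tuple

# The EICAR test string, kept in two halves so this source file is not
# itself a byte-exact EICAR file; EICAR is the 68-byte concatenation.
EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_TAIL = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = EICAR_HEAD + EICAR_TAIL

MAX_NESTING = 4             # stop recursing into archives nested deeper than this
MAX_MEMBER_BYTES = 1 << 20  # never inflate a member larger than 1 MiB

Finding = Tuple[str, str]   # (object path, verdict)


def is_eicar(data: bytes) -> bool:
    """Match the EICAR file as the spec defines it: the 68-byte string at
    offset 0, optionally followed by whitespace, total length <= 128."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def scan_bytes(name: str, data: bytes, depth: int = 0) -> List[Finding]:
    """Scan one object; recurse into zip archives so a signature hidden in
    an archive member (or an archive inside an archive) is still found."""
    findings: List[Finding] = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_NESTING:
            return [(name, "Archive nested too deep, skipped")]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}!{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "Member too large, skipped"))
                    continue
                findings.extend(scan_bytes(member, zf.read(info), depth + 1))
        return findings
    if is_eicar(data):
        findings.append((name, "EICAR-Test-File"))
    return findings


def zip_of(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, blob in members.items():
            zf.writestr(fname, blob)
    return buf.getvalue()


def build_samples() -> Dict[str, bytes]:
    """Constructed corpus mirroring the eicar.org download set, plus a
    benign file, a one-byte-off near miss and an over-nested archive."""
    eicar_com_zip = zip_of({"eicar.com": EICAR})
    deep = EICAR
    for level in range(6):                      # six archives inside each other
        deep = zip_of({f"level{level}": deep})
    return {
        "eicar.com": EICAR,
        "eicar.txt": EICAR + b"\r\n",
        "eicar_com.zip": eicar_com_zip,
        "eicarcom2.zip": zip_of({"eicar_com.zip": eicar_com_zip}),
        "readme.txt": b"nothing to see here\r\n",
        "near_miss.com": EICAR[:-1] + b"!",     # must NOT match
        "deep.zip": deep,
    }


def scan_corpus(corpus: Dict[str, bytes]) -> Dict[str, List[Finding]]:
    """On-demand scan of every object, as a manual scan does."""
    return {name: scan_bytes(name, data) for name, data in corpus.items()}


if __name__ == "__main__":
    for name, found in scan_corpus(build_samples()).items():
        print(f"{name:16} {found or 'clean'}")
```

Run it as a script to print the verdict per object. Two caveats a scanner like this has to carry, and which apply to any on-demand scan: recursion into archives needs a depth limit and a size limit so a crafted archive cannot exhaust memory, and the match has to follow the EICAR rules (string at offset 0, only whitespace after it, at most 128 bytes), otherwise every document that merely quotes the string would be flagged.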

Atomas31
20th August 2009, 01:57 PM
Well, like ABx has indicated, you can run a regular anti-virus side by side with OA++ without problems... So why not just do that, benefit from both worlds and stop worrying about the security of your systems :)

That's what I did and now no more questions and I feel very, very secure ;)

minoka
20th August 2009, 02:01 PM
About the .pdf file which contains a malicious embedded script.

OA automatically trusts, allows and makes rules for well known programs; moreover it is often recommended, on this forum, to simply trust programs. A trusted program will be allowed most advanced options or special permissions and internet access.

If the reader itself, the executable, has not been changed, shouldn't one conclude that the reader -with all permissions granted- would launch the file and the malicious script would then be caught by the AV/AM?

silvertemplar
20th August 2009, 02:06 PM
Well, like ABx has indicated, you can run a regular anti-virus side by side with OA++ without problems... So why not just do that, benefit from both worlds and stop worrying about the security of your systems :)

That's what I did and now no more questions and I feel very, very secure ;)

Yeah, but you're missing the point here. OA++ costs $30 more specifically for this AV part. Now if you need to use -another- AV, why are you going to buy OA++ and not simply OA Premium?

Most people [like me] don't want multiple AVs running simultaneously; it will always have a performance impact on your system and quite frankly it's stupid to do.

It's like buying Car Insurance multiple times for the same car when you can claim from only one. Sure if one fails you can try another, but paying double for "in case it fails" is kinda silly.

catprincess
20th August 2009, 02:09 PM
Yeah, but you're missing the point here. OA++ costs $30 more specifically for this AV part. Now if you need to use -another- AV, why are you going to buy OA++ and not simply OA Premium?


You don't need to run another AV; this is just an option for those that want to :)

Atomas31
20th August 2009, 02:21 PM
You don't need to run another AV; this is just an option for those that want to :)

And you don't have to buy another AV; you can simply go with a free one!

I also understand your point and agree with it, silvertemplar, but like you said, if you don't like how the AV of OA++ works and/or don't want to add a free AV with it to make you feel more secure (even though it is not necessary because we are already well protected), well, just go with OA Premium with the AV of your choice. That's the choice we have at this point!

catprincess
20th August 2009, 06:26 PM
About the .pdf file which contains a malicious embedded script.

OA automatically trusts, allows and makes rules for well known programs; moreover it is often recommended, on this forum, to simply trust programs. A trusted program will be allowed most advanced options or special permissions and internet access.

If the reader itself, the executable, has not been changed, shouldn't one conclude that the reader -with all permissions granted- would launch the file and the malicious script would then be caught by the AV/AM?

You will be alerted by OA's HIPS if an unknown program attempts to modify or control a trusted program.

For example, if somenastymalware.exe (which is obviously not going to be on OASIS's trusted list) wants to access the internet through my PDF reader (which is trusted), I'll be alerted. If an untrusted program is requesting a permission that involves a trusted program (as would be the case with a PDF exploit), then OA's HIPS will alert (in addition, if the exploit is known as malware, the AV engine will flag it as such on the HIPS alert).

If a trusted program requests a permission that involves another trusted program, then OA will allow it without prompting :)

minoka
20th August 2009, 07:55 PM
The HIPS part is -and has always been- clear to me, but thanks anyway!
Also, not all malicious files are executables...

The questions were about the AV and I believe things are getting clearer. I too did the eicar test as silvertemplar did.

It is just that I am accustomed to real time av progs and need to adjust :)

ABx
21st August 2009, 01:37 AM
I hate to say it, but I just found out that the Web Shield does not currently scan files while downloading. I am sorry for stating that it did, but I had not heard otherwise prior to this. Unfortunately this engine does not offer the same function that we used for this before, however we are currently working with Emsisoft to get this functionality into OA++. We are also working on adding additional functionality as well :)

As to why you would use another AV - that's entirely up to you. OA++ is not meant to be two programs installed side-by-side, but rather it integrates the AV engine to add greater detection than our database alone offers. OA++ offers a rounded set of features that will keep your computer from getting infected, and is also made to accommodate other security software (with the obvious exception of another firewall). For many people OA++ is more than sufficient, but others want to add the features of a traditional antivirus as well. Both will keep your system from getting infected -- it just depends on the features you want.

For those that do want a little more of both, stay tuned and keep an eye on future releases :)

Atomas31
21st August 2009, 01:42 PM
I hate to say it, but I just found out that the Web Shield does not currently scan files while downloading.


Hi ABx,

So what is the purpose of Web Shield and what does that shield actually do?


Thanks,
Atomas31

catprincess
21st August 2009, 01:49 PM
Hi ABx,

So what is the purpose of Web Shield and what does that shield actually do?


Thanks,
Atomas31

It still does what is described here http://www.tallemu.com/webhelp3/KF-Web.html and here http://www.tallemu.com/webhelp3/Websites.html It's just not using the AV engine with the Web Shield.

minoka
21st August 2009, 01:52 PM
Thanks, ABx.

Well, frankly, I never thought nor expected the Web Shield's job was to "scan files while downloading", but rather to filter the contents -and/or coding- of web pages and to block dangerous/malicious ones (java applets, embedded spyware/malware, activeX etc...) before they are loaded on one's machine. And, in my observations, it, the Web Shield, appears to do that. I posted somewhere else about java applets...

http://tallemu.com/webhelp3/KF-Web.html

There is a distinction between Web Shields and AM/AV modules.

subset
21st August 2009, 03:02 PM
At what point would OA++ catch or stop it (when would OA declare the .pdf itself to be infected)?
Good question. Depends on the Malware and the OA settings.

I have tested this with the Email-Worm.VBS.Peach with XP and Acrobat Reader 6.

OA ++ catches this particular PDF file only if you scan it.

http://img11.imageshack.us/img11/4295/1peach.png

If the Acrobat Reader is set to "Trusted", the script executes undetected, only Acrobat Reader warns you.

http://img22.imageshack.us/img22/3202/2peach.png

Only if the Acrobat Reader is set to "Unknown" does OA warn you about the script.

http://img257.imageshack.us/img257/7564/3peach.png

But even this Peach.vbe is not detected by the Antivirus on execution, only the scanner identifies the malicious file.

http://img31.imageshack.us/img31/737/4peach.png

Related to OA these are limitations of On-Execution scanning and Trusted programs.
The last straw is to set programs like Acrobat Reader to "RunSafer", but if you don't...

Cheers

nemesis
21st August 2009, 03:19 PM
Seems to be a weakness in the OA HIPS functionality.

EDIT: I guess it's safer to revoke most of these trusted programs.

minoka
21st August 2009, 04:03 PM
In subset's example, I would say that Acrobat Reader and wscript.exe (allowed and trusted by default) should not be trusted...
The results are quite similar to those obtained testing with eicar.

Forgot link to earlier thread about web shield
http://support.tallemu.com/vbforum/showthread.php?t=9600

Gene Benson
21st August 2009, 11:09 PM
Seems to be a weakness in the OA HIPS functionality.

EDIT: I guess it's safer to revoke most of these trusted programs.

Not really. Put OA in Standard mode if it isn't already. Then go to Programs and right click on your PDF reader (for example). Choose "Advanced options". A Trusted program will have a "? (n/a)" next to each option under Permissions. Like the text says "(click image to change option)". So, in subset's example, if you had set the option "start applications" to Block, then the reader could not have started WScript.exe.

If you feel you are a more knowledgeable user you can put OA in Advanced mode, repeat the procedure above and fine tune exactly which applications a program can start, among other things.

As for revoking trusted programs, I think a distinction needs to be made. I have, for example, a program that when run shows which programs are using which ports on my computer, much like the OA Firewall status screen. This program is from a reliable source, does not access the Internet, and does not work on third party files. So why should I not trust it?

A PDF reader, on the other hand does absolutely nothing if you just run it. It needs a third party file in order to do anything meaningful. I trust the PDF reader, but not necessarily those third party files. So I set my PDF reader to Trusted, but using the procedure described above I block, or set to Ask, those actions I don't want it to perform.

This is my SOP for any program that works on third party files. A little more work but a lot less worry. :D

ABx
21st August 2009, 11:57 PM
Great post, Gene :)

If you know what you're doing then you can use the settings to squeeze a bit of advanced functionality out of OA. For most people, though, this is going to cause more problems than it's worth.

A PDF reader, on the other hand does absolutely nothing if you just run it. It needs a third party file in order to do anything meaningful.

Exactly it. Even if you get a PDF with a malicious script that exploits your PDF reader, neither the PDF nor the reader are going to suddenly start behaving maliciously. What they will do is be forced to download a trojan and run it (through existing functionality).

Blocking the reader's ability to create .exe files is one way, and blocking its internet access is another, but of course these will also prevent the software from downloading updates. Setting the PDF reader to RunSafer would also mitigate a lot of potential damage, but may interfere with its ability to install updates.

Regardless, if OA is set to prompt when running Unknown programs, and the PDF reader is exploited, then at the very least you will get a popup asking you to allow or block the trojan from running. If you see such a prompt and still want to allow it to run, then you could easily set it to RunSafer and just not Trust it. That would put heavy restrictions on what the program file, legitimate or malicious, could do.

Of course the chances are that OA++ would actually pop up and tell you that it's malware :)

Another way to deal with the same problem is to disable things like Javascript in your PDF reader, keep the PDF reader up to date, or even choose a PDF reader that doesn't have the vulnerability in the first place :)

For those that prefer to have things scanned while downloading, this will be in a future version. We are also looking at what other neat stuff we can add. Of course it will also still be compatible with other AV software, for those that want the extra layer of protection :) We are also considering other ways to beef up the Web Shield in future versions. We don't have solid plans yet, but stay tuned :)

minoka
22nd August 2009, 12:26 AM
What is the difference between the Standard mode, advanced options that are not set and Trusted progs and the Advanced Mode, Advanced Options that are not set when progs are unknown?

IMO, advanced options should not be allowed by default just because one is using the Advanced Mode. In general, I think I know what I am doing, but a detailed and offline help facility would have avoided what is now 'my wasting my time in this thread'...

Gene Benson
22nd August 2009, 05:42 AM
Hi minoka,

In Standard mode/Advanced options you can set a certain permission to Allow, Ask, or Block, and for a Trusted program "(n/a)", which is basically the same as Allow. So it's pretty much all or nothing.

In Advanced mode/Advanced options you can fine tune your settings. For example, you could specify which applications, if any, you will allow your PDF reader to start. Again, using subset's example, you could allow your PDF reader to start only your browser, which is handy if there is a URL in the PDF file. This would have stopped your reader from starting WScript.exe while still allowing it to start another application.

nemesis
22nd August 2009, 11:26 AM
This is all very interesting Gene and Adrian! Just to be clear Adrian, OA will warn me if any unknown executable attempts to run, even if it is a trusted program which is attempting to run the executable?

Atomas31
22nd August 2009, 12:59 PM
For those that prefer to have things scanned while downloading, this will be in a future version. We are also looking at what other neat stuff we can add. Of course it will also still be compatible with other AV software, for those that want the extra layer of protection :) We are also considering other ways to beef up the Web Shield in future versions. We don't have solid plans yet, but stay tuned :)


That's excellent news! Thanks!

You bet I'll stay tuned :)
Atomas31

MikeNash
22nd August 2009, 01:02 PM
This is all very interesting Gene and Adrian! Just to be clear Adrian, OA will warn me if any unknown executable attempts to run, even if it is a trusted program which is attempting to run the executable?


If an unknown executable tries to run, and you have prompt on unknown turned on, then you will be prompted.

I think this thread makes it clear there are many questions about the AV/AS implementation in OA++. We will try to get some clear info available on it.


Mike

minoka
22nd August 2009, 01:56 PM
Gene,

As I wrote in other posts, I understand perfectly what you say about the .pdf reader and other file launchers, what is not clear to me is this:
Why are most advanced options allowed -by default- for Trusted progs while OA++ is in Advanced Mode? See my post 25.
Would it not be better and more secure to let the user allow/deny these options either manually or as they are 'run into' via prompts? In Advanced Mode, to fine tune a trusted prog, it looks like it is necessary to set every single option back to Ask for every single Trusted prog, before it runs. Setting progs to Unknown is much faster!
To me, it looks like Advanced Mode, at first, i.e., without user intervention, is actually not very secure (since all actions are allowed), less so even than Standard Mode.
Or am I still missing something?

Trusting progs is not something I have seen recommended in my previous firewalls (started with Atguard, I think), it is not recommended for the firewall I use on another machine, and I am still not trusting my progs in OA in spite of the advice to do so in many posts in this forum! A radical change I may yet get used to...

Anyway, I am not quite satisfied with the answers re the AV/AM, so will wait for the 'neat stuff' announced by ABx :)

Mike: Thank you in advance. Reliable info is what is needed.

nemesis
22nd August 2009, 06:24 PM
Alright thanks! Is there a user manual for OA?

catprincess
22nd August 2009, 06:34 PM
Alright thanks! Is there a user manual for OA?

The webhelp is here http://www.tallemu.com/webhelp3/ The Antivirus information is currently a bit outdated though, as it refers to the old AV+. Most other sections should be current though.

minoka
22nd August 2009, 11:12 PM
Sorry to interfere, but, CatPrincess, imo web help is not exactly a user manual (:
There used to be one (I still have a copy of it!).

Also, as stated in post # 44, clear info about the current AV may be available soon.

Gene Benson
23rd August 2009, 09:39 AM
minoka wrote:
As I wrote in other posts, I understand perfectly what you say about the .pdf reader and other file launchers, what is not clear to me is this:
Why are most advanced options allowed -by default- for Trusted progs while OA++ is in Advanced Mode? See my post 25.
Would it not be better and more secure to let the user allow/deny these options either manually or as they are 'run into' via prompts? In Advanced Mode, to fine tune a trusted prog, it looks like it is necessary to set every single option back to Ask for every single Trusted prog, before it runs. Setting progs to Unknown is much faster!
To me, it looks like Advanced Mode, at first, i.e., without user intervention, is actually not very secure (since all actions are allowed), less so even than Standard Mode.
Or am I still missing something?

Tall Emu has always stated that its target audience is Moms and Dads, with enough options to please hardcore security users. So the basic principle is to keep it simple and reduce pop-ups as much as possible.

The problem with setting options to Ask is this:
1. During the initial reboot after an install OA is in Learning mode, so many of these options will be set to Allow anyway in order to ensure a smooth (and successful) boot.

2. After that running a program with all options set to Ask will most likely produce a large number of pop-ups. It may be more secure this way but will drive most people crazy and also to another, quieter, security product.
Why are most advanced options allowed -by default- for Trusted progs while OA++ is in Advanced Mode?

Simply put, Trust means trust. You trust that the program is safe and not out to do harm. It is quicker, as you rightly point out, to set a program to Unknown. This will also produce more pop-ups. I suppose it is up to each user to determine just how many pop-ups they can live with.

I have to say at this point that OA, when running in Standard mode, would change an option from Ask to Allow if a user answered a pop-up with Allow. So basically it is a one time event. If you Allow Program A to start Program B via a pop-up, you won't be asked again when Program A wants to start Program C because the option has been changed from Ask to Allow. I have been running in Advanced mode for the longest time now so I cannot say with 100% certainty that it still works that way. Considering the target audience I can understand why it works like that.
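The rule model described in this thread, in Gene's earlier post on fine-tuning a Trusted PDF reader (Allow/Ask/Block per action, Trusted behaving as Allow, per-target rules for "start program" in Advanced mode), in Mike's answer about prompting on Unknown executables, and in this post (Learning mode recording Allows, Standard mode turning Ask into Allow after one answered pop-up), as an added toy model. This is constructed example code, not Online Armor's own code or configuration: the `Hips` and `Program` classes, their helpers, the action names and every program name are assumptions made for the illustration.

```python
"""Toy model of per-application HIPS rules as discussed in this thread.

Constructed example, not Online Armor's code: the rule structure, action
names, program names and helpers below are assumptions for illustration.
"""
from dataclasses import dataclass, field

ALLOW, ASK, BLOCK = "allow", "ask", "block"


@dataclass
class Program:
    name: str
    trusted: bool = False
    permissions: dict = field(default_factory=dict)  # action -> ALLOW/ASK/BLOCK
    start_rules: dict = field(default_factory=dict)  # Advanced mode: child name -> verdict


@dataclass
class Hips:
    advanced_mode: bool = False
    prompt_on_unknown: bool = True
    learning_mode: bool = False
    programs: dict = field(default_factory=dict)
    prompts: list = field(default_factory=list)      # what the user would have been asked

    def add(self, prog):
        self.programs[prog.name] = prog
        return prog

    def is_unknown(self, name):
        prog = self.programs.get(name)
        return prog is None or not prog.trusted

    def decide(self, parent_name, action, target=None):
        """Verdict for `parent` performing `action` ('start', 'create_exe', 'network', ...)."""
        parent = self.programs[parent_name]
        if self.learning_mode:
            # Post-install learning boot: observed actions are recorded as Allow
            parent.permissions[action] = ALLOW
            return ALLOW
        # Advanced mode: a per-target 'start' rule overrides the blanket permission
        if self.advanced_mode and action == "start" and target in parent.start_rules:
            verdict = parent.start_rules[target]
        elif action in parent.permissions:
            verdict = parent.permissions[action]
        else:
            verdict = ALLOW if parent.trusted else ASK  # Trusted '(n/a)' behaves as Allow
        # Even a Trusted parent does not silently launch an Unknown child when prompting is on
        if (verdict == ALLOW and action == "start"
                and self.prompt_on_unknown and self.is_unknown(target)):
            verdict = ASK
        if verdict == ASK:
            self.prompts.append((parent_name, action, target))
        return verdict

    def answer(self, parent_name, action, target, choice):
        """Apply the user's answer; Standard mode widens the whole option, Advanced mode only the target."""
        parent = self.programs[parent_name]
        if self.advanced_mode and action == "start":
            parent.start_rules[target] = choice
        else:
            parent.permissions[action] = choice


def pdf_reader_scenario():
    """Trusted reader with create_exe blocked and 'start' fine-tuned per target (Advanced mode)."""
    h = Hips(advanced_mode=True)
    h.add(Program("browser.exe", trusted=True))
    h.add(Program("pdfreader.exe", trusted=True,
                  permissions={"create_exe": BLOCK},
                  start_rules={"browser.exe": ALLOW, "wscript.exe": BLOCK}))
    return {
        "open_url": h.decide("pdfreader.exe", "start", "browser.exe"),
        "run_script": h.decide("pdfreader.exe", "start", "wscript.exe"),
        "drop_exe": h.decide("pdfreader.exe", "create_exe"),
        "updates": h.decide("pdfreader.exe", "network"),
        "launch_unknown": h.decide("pdfreader.exe", "start", "unknown_child.exe"),
    }


def prompt_promotion(advanced_mode):
    """After one Allow answer for A->B, is A->C still asked? Returns (first, second, prompt count)."""
    h = Hips(advanced_mode=advanced_mode)
    h.add(Program("appA.exe", permissions={"start": ASK}))
    h.add(Program("appB.exe", trusted=True))
    h.add(Program("appC.exe", trusted=True))
    first = h.decide("appA.exe", "start", "appB.exe")
    h.answer("appA.exe", "start", "appB.exe", ALLOW)
    second = h.decide("appA.exe", "start", "appC.exe")
    return first, second, len(h.prompts)


def learning_boot():
    """Learning mode records Allow; afterwards only unseen actions of an Unknown program ask."""
    h = Hips(learning_mode=True)
    h.add(Program("svc.exe"))
    seen = h.decide("svc.exe", "network")
    h.learning_mode = False
    return seen, h.decide("svc.exe", "network"), h.decide("svc.exe", "start", "helper.exe")


if __name__ == "__main__":
    print(pdf_reader_scenario())
    print("standard:", prompt_promotion(False), "advanced:", prompt_promotion(True))
    print("learning:", learning_boot())
```

Running the scenarios shows the trade-off both posters describe: in Standard mode one Allow answer silences every later "start" by the same program, while Advanced mode keeps asking for each new target, at the cost of more pop-ups.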