Outpost Users Support Forum  
  #1  
09-25-2005, 11:25 PM
Paranoid2000
Super Moderator
 
Join Date: Feb 2003
Location: North West, United Kingdom
Posts: 10,286
Outpost 3.0 - What to expect

Outpost 3.0 has now been released with the following features (please see Outpost 2.7 - what to expect for details on previous versions):

What's New:
  1. An Anti-Spyware plugin has been added which offers spyware detection/removal (both real-time and on-demand) along with an "ID block" feature. Please see the Anti-Spyware FAQ for more information (note: if you are using a Hosts file to block known ad/spyware sites, you should exclude this in the plugin before doing a scan since it will report any entries here and large files take a long time - 5 minutes or more - to process).
  2. Attack Detection plugin - an Ethernet section now offers ARP filtering. Please see the ARP Filtering FAQ for more information.
  3. Smart Advisor - Rules Wizard prompts now include a link that can provide help from Agnitum on rules settings. This does require Outpost to have rules allowing access to advise.agnitum.com and details of the connection needing advice are sent to Agnitum (application, protocol, port, remote address, etc though with no personally identifiable data) - those concerned about this should avoid using this feature.
  4. The Internet Explorer plugin for controlling Active Content/Ad settings is now named QuickTune and can be enabled or disabled via Tools/Enable QuickTune.
  5. Default ICMP settings have been relaxed again (Options/System/ICMP/Settings) and now allow incoming (as well as outgoing) Pings and Traceroutes. While the security impact of these is small (making systems more visible online), those concerned may wish to adjust their settings as follows: Clear Echo Reply/Out, Echo Request/In, Time Exceeded/Out, Destination Unreachable/In and Out, Router Solicitation/In and Out. Note that some applications may be adversely affected by such settings.
  6. The DNS Cache plugin has an option to block extra-long DNS requests. DNS requests that are matched by the cache will also be reported as Blocked traffic (which is more accurate since the plugin is preventing outgoing traffic, but worth noting).
  7. All network access is blocked if Outpost is terminated - preventing any malware which successfully shuts down Outpost from being able to send data out.

What's Fixed:
  1. Subnet masks and wildcards can now be used correctly when editing rules.
  2. The Allow/Block Once option (in Rules Wizard dialogs) will apply to all communications for that local/remote port and address.
(note: these lists are not complete but try to highlight the most significant issues reported - please check the Outpost History of Changes on Agnitum's website for more details).

Upgrading:

Via Agnitum Update
This is the easiest option, but updates are restricted in number to avoid server overload. If you receive a message that you already have the latest version (and your version number as supplied in Help/About Outpost Firewall... is earlier than that shown in the Current Build in the top-right) then either retry later or download a copy of Outpost 3.0 from the Agnitum website.

By Direct Download
Outpost 3.0 is available from Agnitum's website (there may be a delay before resellers have it on their sites also - if in doubt use the main Agnitum site). To use your existing configuration, take the following steps:
  1. Make a backup copy of the configuration .conf and .cfg files first (to another folder, to be safe). If you have customised other files (like the preset.lst rules preset file), then take a copy of those too;
  2. Disconnect from the Internet;
  3. Uninstall your existing copy of Outpost and any third-party plugins using Add/Remove Programs in the Control Panel (remove the plugins first);
  4. Reboot your system when prompted;
  5. Pre-Install Preparation: To minimise the chances of problems arising from an Outpost installation, check that your system is clear of malware (see the AumHa Parasite Fight! page for instructions and links), close all running programs and disable any background virus scanners. If you are running any software that restricts application activity, software installation or registry modification (e.g. Process Guard, Abtrusion Protector, System Safety Monitor, RegDefend) please note that the Outpost install will add a service and make numerous registry changes - ensure either that these actions are permitted for the Outpost installation or that the security software is disabled during the install;
  6. Install the downloaded copy of Outpost. Outpost 3.0 will prompt you to do a full system spyware scan at the end of its install - it is suggested that you do not do a scan until (a) you have been able to update the plugin's signature database and (b) you have excluded the Hosts file if you are already using one for ad/spyware blocking (see the Anti-Spyware FAQ for details);
  7. Copy your saved configuration files into the Outpost program folder and load them using the File/Load Configuration option;
  8. Check your configuration to ensure that everything appears normal;
  9. Reconnect to the Internet.

Known Issues:
  1. Large Hosts files may result in Outpost seeming to hang (5-10 minutes typically for a file with 15,000 entries) during the initial scan by the Anti-Spyware plugin. The file can be excluded from future scans once the initial check is complete (via Properties/Advanced and clearing the Windows Hosts file checkbox) or the Anti-Spyware plugin can be disabled entirely. Quarantined hosts files can be recovered but this will result in a similar delay as the file is restored.
  2. The Anti-Spyware plugin's Real-Time Protection may increase Outpost's CPU utilisation - if this results in unacceptably high CPU usage by Outpost, try disabling it.
  3. Ethernet options (including ARP filtering) are enabled by default in the Attack Detection plugin (Properties/Ethernet) - this can cause problems with some ISPs (e.g. where Proxy ARP is being used or cable ISPs which normally see higher levels of ARP traffic) so if your Internet connection is lost when installing Outpost 3.0 and you use a network card, try disabling the options there (starting with the bottom four).
  4. The "Block extra long DNS requests" option in the DNS Cache plugin will prevent access to domains with long names. If problems are encountered accessing certain sites (e.g. Hotmail), then try disabling this option. If this helps, then either leave the option disabled or add the domain to the Exclusion list (DNS Cache Properties/Miscellaneous).
  5. Carrying out a full system scan with the Anti-Spyware plugin will result in a large number of temporary .tmp files being created which are not deleted afterwards. This is a known problem that will be addressed in a future update - until then, these files will need to be deleted manually (a free cleanup utility like CCleaner can be useful here). Update: This has now been fixed in build 557/437.

Last edited by Paranoid2000; 01-19-2006 at 08:50 PM. Reason: Updates, updates...
  #2  
09-29-2005, 10:39 AM
Paranoid2000
Super Moderator
 
Join Date: Feb 2003
Location: North West, United Kingdom
Posts: 10,286
Re: Outpost 3.0 - What to expect

Anti-Spyware FAQ

How does this compare to other anti-spyware applications?
PC Pro magazine in the UK ran an anti-spyware comparison test (published in their November 2005 issue) which included a test of a preview beta version of Outpost 3.0 (on page 88). In this, Outpost 3.0 achieved a detection rate of 81 percent, removal of 72 percent and blocking of 53 percent. In comparison, PC Tools Spyware Doctor (the winner) achieved 94/88/66 (detection/removal/blocking), Sunbelt CounterSpy 88/84/54, WebRoot SpySweeper 82/80/48, Microsoft AntiSpyware 61/72/41, Lavasoft AdAware 48/62/24 and Spybot Search and Destroy 56/52/36. Outpost would have gained 4th position in this test (3 other products were also tested).

How can I update the signature database?
Agnitum Update (either run automatically or manually) will update signatures as well as Outpost itself. To update just the signatures, select Tools/Check for Spyware Base Updates.

Will spyware signature updates be free indefinitely or only available during the Outpost upgrade licence period?
Signature updates will be available for free during the upgrade period of your Outpost licence. When this period ends, the licence will need to be renewed to continue receiving updates.

I have encountered a false positive/suspicious file. How do I report it?
False positives (where the plugin is reporting an innocent file as malicious) and suspicious files not detected by the plugin should be sent to the Suspicious Files page.

I have spyware the plugin cannot remove. How can I clean my system?
Sadly, many items of malware are highly resistant to removal, being able to restore themselves if not completely eradicated. In addition, an increasing number are using rootkits, making removal almost impossible - specialised rootkit detection software may help but cannot guarantee success.

Cleaning systems from malware is therefore a demanding task requiring specialist skills so is beyond the province of this forum. Instead, please review guides like Castlecops: Malware Removal and Prevention or AumHa: Parasite Fight! - these cover the initial steps that need to be taken before seeking the help of a removal analyst. These analysts are volunteers who spend many hours helping others so please do not waste their effort by opening threads at multiple forums, choose one and stay with it.

How secure is the ID block/Private Data Transfer feature?
This feature will detect data you specify in all network packets so should function with most applications. It cannot however detect encrypted data, so any applications using encryption (which includes web browsers on https:// pages as well as more sophisticated malware) will bypass this. This weakness applies to all such features offered by security software, not just Outpost.

ARP Filtering FAQ

What is ARP?
ARP stands for Address Resolution Protocol. It is used on Ethernet networks (virtually all Local Area Networks use Ethernet) to provide a means of looking up an IP address for a given Ethernet (MAC) address. MAC addresses are set in the network card's firmware and are (usually) globally unique, but most cards do allow this address to be changed. As such, MAC addresses tend to be fixed for a computer while the IP address can vary.

How important is it?
For those connecting via a LAN, ARP is critical and problems with it typically result in the loss of all connectivity (e.g. even pinging your local router would fail).

Should I use the features listed in the Ethernet tab of the Attack Detection plugin?
For most home users, these features are not important. What they cover are attacks that can be launched from within a local network (LAN). If your computer is the only one connected to the Internet then there is virtually no possibility of this happening, as is the case for LANs where every computer is under your control.

These features are useful for computers in a potentially hostile LAN environment where other users have control over computers - university and school networks being a good example. Unsecure business networks and some cable ISPs (which arrange their network as one large LAN) are another example where ARP protection may be useful.

For more details on the protection these options provide, please review the Ethernet Attacks Protection PDF document available on Agnitum's Outpost Documentation page. The "Smart ARP" option is the most important - the other 4 options will not provide any further protection over this but will detect a broader range of "unusual" behaviour in ARP traffic, which may mean more false positives for some networks (cable-based ISPs notably).

How does this compare to the SuperStealth plugin?
The "Smart ARP" option provides similar functionality but requires less setting up than the SuperStealth plugin required. The other options are not addressed by that plugin.

Last edited by Paranoid2000; 04-24-2006 at 09:14 PM. Reason: Added paragraph on malware removal
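
Added example, not part of the original post and not Agnitum's code: a sketch of the kind of stateful check an ARP filter can apply on a hostile LAN, where an ARP reply is accepted only if this host has an outstanding request for that address, and a changed MAC for a known IP is flagged. The `ArpFilter` class, its verdict strings and all addresses are constructed for illustration; that a "Smart ARP"-style option works this way is an assumption, so see Agnitum's Ethernet Attacks Protection document for the product's actual behaviour.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for Ethernet/IPv4
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):  # used only to construct sample traffic
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

def parse_arp(payload):  # -> (operation, sender MAC, sender IP, target IP)
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

class ArpFilter:
    """Hypothetical stateful filter: a reply counts only if this host asked."""
    def __init__(self):
        self.pending = set()  # IPs this host has an outstanding request for
        self.cache = {}       # accepted IP -> MAC bindings
    def outgoing(self, payload):
        oper, _, _, target_ip = parse_arp(payload)
        if oper == REQUEST:
            self.pending.add(target_ip)
    def incoming(self, payload):
        oper, mac, ip, _ = parse_arp(payload)
        if oper != REPLY:
            return "accept"            # peers' requests are not judged here
        if ip not in self.pending:
            return "drop-unsolicited"  # nobody asked: the cache is left untouched
        self.pending.discard(ip)
        changed = ip in self.cache and self.cache[ip] != mac
        self.cache[ip] = mac
        return "accept-changed" if changed else "accept"

def demo():  # constructed traffic: host 192.0.2.10 resolving its gateway 192.0.2.1
    f = ArpFilter()
    me, gw, other = "02:00:00:00:00:01", "02:00:00:00:00:fe", "02:00:00:00:00:66"
    ask = build_arp(REQUEST, me, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")
    reply = lambda mac: build_arp(REPLY, mac, "192.0.2.1", me, "192.0.2.10")
    f.outgoing(ask)
    out = [f.incoming(reply(gw)), f.incoming(reply(other))]
    f.outgoing(ask)  # a fresh request; this time a different MAC answers
    out.append(f.incoming(reply(other)))
    return out, f.cache
```

The third verdict shows why such a filter can raise false positives on networks where bindings legitimately change, the trade-off the post mentions for cable ISPs.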