Re: Trend Micro WFBS beta starting soon



6) Make the Anti-Spam > Email Reputation spam filtering honor the Allowed
Senders whitelist from Anti-Spam > Content Scanning in order to reduce false
positives. (Requested during previous beta).

Content scanning is email address or domain based, while Email Reputation is
based on IP addresses, so it may not be possible.

Next?

Gregg Hill






"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in
message news:OY1DBHzIJHA.2156@xxxxxxxxxxxxxxxxxxxxxxx
Hello!

Trend is starting the WFBS 5.1 beta soon. To all users who may want to
participate, please bring up the following issues that remain unresolved.
You can log in or register here:
https://www.trendbeta.com/login/register_en.php

1) Keystroke Encryption causes "abababab..." characters on remote systems
when using RWW or LogMeIn.

2) Pattern updating is not "network aware" and results in long delays
before getting pattern updates for laptops off the LAN. I reported it
during previous beta as "Laptop has been on the Internet on a different
network for six hours, and still shows old pattern 5.239.00 dated
2008-04-24. How about you make pattern updating "network connection aware"
so that as soon as it sees a network connection, it automatically tries to
update, whether on the LAN via the server or remote in roaming mode via
the Internet? Six hours without an update is crazy!" The pattern file was
several days old and did not update until I rebooted the laptop again, and
then only after 30 minutes.

3) When viewing the Live Status screen, it shows green for Outbreak
Defense even if there are computers on the network with known MS
vulnerabilities, as determined by the Vulnerability Assessment feature
that resides under the Outbreak Defense umbrella. It still showed green
even with three "Critical" vulnerable computers at one of my clients. A
green light or icon is a universal symbol of "Go!" or "Good" and should
NOT show when a vulnerability exists. At the least, it should be yellow
even if there is only one vulnerability in order to draw attention to it
for further examination.

Trend's reply was basically "Outbreak Defense was not designed to alert
users about vulnerabilities." I replied, "Your system should do one of two
things: WARN with a yellow symbol indicating that the system has
vulnerabilities, or MOVE the "Vulnerable Computers" item out from under
Outbreak Defense into its own console section, and flash the yellow light,
if that is not the function you intended for the Outbreak Defense section
of the console." They have the Vulnerability Assessment feature, but it is
apparently mistakenly placed under the Outbreak Defense, where it is
ignored.

If you want the details of why this can be a problem, send an email to
"greggmhill" on my Yahoo account.

4) Pattern update frequency: Question posed during 5.0 beta: In the beta,
we could not set the scheduled update interval. Can we do that now, so
that laptops can be set to check every hour, or at least more often than
every 8 hours? I just tried via the registry ScheduleUpdateInterval but it
reset itself to 28800 after a few minutes. I suggested during the beta
that we be allowed to set the interval, and I thought that it would be
enabled in the final release. Am I missing something, or is it fixed at 8
hours?

A: This is by design and it will always return to 8 hrs. Our developers
decided not to change this for this release. We have this as a feature
request instead and for approval of the Product Manager for next versions.

5) Trend firewall, even set to High, has inbound NetBIOS ports open. My
notes to them during last beta:

- Maybe you could add a "Super Secure Laptop" firewall choice to future
versions to ease configuration. I created a "Laptops" group, and with its
firewall settings for Out of Office set to High, I want to be able to have
access to a terminal server that accepts connections on the default 3389
port, web browsing, email, etc. I changed all the default settings except
for MSA and set them to Outbound only, so that all ports inbound are
closed, in order to mimic a high-end corporate hardware firewall. Most
high-end firewalls can block all outbound traffic, yet allow one to open
an outbound port, then the inbound side is trusted only when someone makes
a connection outbound first, and there is no need to have the port
explicitly open inbound. For example, DNS requests outbound on port 53
should be allowed, but there is no reason to always have port 53 open
inbound unless one is running a public DNS server. The DNS request from a
browser should go out, hit a DNS server, and be allowed back in because it
is not an unsolicited connection. For my Laptops group, I have set all
ports in Advanced mode High setting to Outbound only (except for MSA,
because I do not know how it behaves), and I added Outbound only ports for
Remote Desktop Protocol on port 3389, NNTP on 119, NTP on 123, RPC on 135,
IMAP on 143, SharePoint (for SBS clients) on 444, ICMP protocol to allow
troubleshooting with ping, and oddball web ports 8080 and 8081 for some
router config ports. This setup gives me a very secure firewall and leaves
only one thing open inbound, MSA, and I am not sure it even needs to be
open.
- Since Beta period is over, what we can do is to file this as
Feature Request for now.
- Barring adding the above firewall choice, perhaps you could change the
defaults for the High setting so that the ports are not open inbound, with
the possible exception of MSA. Having inbound ports open is not necessary,
and should NEVER be the default for a "High" firewall security setting,
ESPECIALLY since you allow inbound NetBIOS connections, which is possibly
the most-hacked port in existence.
- We'll be raising this as feature request and for approval of the
Product Manager
- My testing with my custom Laptops firewall settings (all inbound
blocked except MSA) and my added ports seems to allow completely normal
Internet access.

Regarding NetBIOS, it should NEVER be open by default for a "High"
firewall security setting! If it is open, it is UNSECURED. Unsecured is
NOT "high" security!

For the Medium setting, NetBIOS should not be open inbound (not in my
opinion), since laptops tend to be used at WiFi spots and that would make
them susceptible to hacking. On my LAN, with NetBIOS blocked, I can still
browse shares on the other computers or on my server. If another computer
were to try to reach a share on my laptop, it would be blocked.

Please remember that you are protecting CORPORATE computers with this
software, not some pokey little home user, and corporate systems should be
more secure than home systems.

I believe that another menu choice to **temporarily** disable the firewall
would be good (they can kill it now, but then they have to remember to
re-enable it). Also, maybe a choice to allow users to change it from High
to Medium or to Low, would be a good addition to allow laptop users to
**temporarily** lower their defenses when on their home networks. Perhaps
a choice to disable it for an hour or until the next reboot, at which time
it would go back to its administrator-chosen settings.

I just thought of another firewall choice, one that users could be allowed
to enable while on a home network. You could call it "Temporarily Enable
File and Printer Sharing" and when someone chooses it, it opens inbound
NetBIOS connections until the laptop is rebooted. Just a thought!

They replied that they would add it as a feature request.

6) Anyone else have suggestions?

Gregg Hill
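
Added example, not part of the original post and not Trend Micro's code: a minimal connection-tracking model of the outbound-only behaviour described in item 5, comparing a profile with inbound NetBIOS open against the "Laptops" profile. Assumptions: ports 53, 80 and 443 stand in for DNS and web browsing, NetBIOS is taken as ports 137-139, the addresses are constructed documentation-range values, TCP/UDP are not distinguished, and MSA is left out because the post gives no port for it.

```python
from dataclasses import dataclass, field

NETBIOS = {137, 138, 139}  # NetBIOS name, datagram and session services
POST_PORTS = {3389, 119, 123, 135, 143, 444, 8080, 8081}  # listed in the post
ASSUMED_PORTS = {53, 80, 443}  # assumption: DNS and web browsing


@dataclass
class Profile:
    name: str
    outbound: set                               # remote ports we may connect to
    inbound: set = field(default_factory=set)   # local ports open unsolicited
    flows: set = field(default_factory=set)     # connection-tracking table

    def send(self, lport, raddr, rport):
        """Outbound packet: must match an outbound rule; the flow is recorded."""
        if rport not in self.outbound:
            return False
        self.flows.add((lport, raddr, rport))
        return True

    def receive(self, raddr, rport, lport):
        """Inbound packet: a reply to a tracked flow, or an open inbound port."""
        if (lport, raddr, rport) in self.flows:
            return True               # solicited: we connected out first
        return lport in self.inbound  # unsolicited: needs an inbound rule


def laptops_profile():
    # Everything outbound only, as in the poster's "Laptops" group.
    return Profile("Laptops", POST_PORTS | ASSUMED_PORTS)


def high_with_netbios():
    # Same outbound rules, but inbound NetBIOS left open.
    return Profile("High", POST_PORTS | ASSUMED_PORTS, inbound=set(NETBIOS))


def demo(profile):
    """Run the same constructed traffic through a profile."""
    return {
        "dns_query_out": profile.send(50000, "192.0.2.53", 53),
        "dns_reply_in": profile.receive("192.0.2.53", 53, 50000),
        "unrelated_host_in": profile.receive("198.51.100.9", 53, 50000),
        "netbios_unsolicited_in": profile.receive("198.51.100.9", 40000, 139),
    }


if __name__ == "__main__":
    for p in (laptops_profile(), high_with_netbios()):
        print(p.name, demo(p))
```

The DNS reply is accepted in both profiles because the laptop initiated the flow; only the profile with inbound NetBIOS open accepts the unsolicited connection to port 139.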


