Re: OT: Trend Micro WFBS beta starting soon
- From: Holz <holz@xxxxxxxx>
- Date: 1 Oct 2008 00:09:04 GMT
On Tue, 30 Sep 2008 12:21:34 -0700, Gregg Hill wrote:
Hello!
Trend is starting the WFBS 5.1 beta soon. To all users who may want to
participate, please bring up the following issues that remain
unresolved. You can log in or register here:
https://www.trendbeta.com/login/register_en.php
1) Keystroke Encryption causes "abababab..." characters on remote
systems when using RWW or LogMeIn.
2) Pattern updating is not "network aware" and results in long delays
before getting pattern updates for laptops off the LAN. I reported it
during previous beta as "Laptop has been on the Internet on a different
network for six hours, and still shows old pattern 5.239.00 dated
2008-04-24. How about you make pattern updating "network connection
aware" so that as soon as it sees a network connection, it automatically
tries to update, whether on the LAN via the server or remote in roaming
mode via the Internet? Six hours without an update is crazy!" The
pattern file was several days old and did not update until I rebooted
the laptop again, and then only after 30 minutes.
3) When viewing the Live Status screen, it shows green for Outbreak
Defense even if there are computers on the network with known MS
vulnerabilities, as determined by the Vulnerability Assessment feature
that resides under the Outbreak Defense umbrella. It still showed green
even with three "Critical" vulnerable computers at one of my clients. A
green light or icon is a universal symbol of "Go!" or "Good" and should
NOT show when a vulnerability exists. At the least, it should be yellow
even if there is only one vulnerability in order to draw attention to it
for further examination.
Trend's reply was basically "Outbreak Defense was not designed to alert
users about vulnerabilities." I replied, "Your system should do one of
two things: WARN with a yellow symbol indicating that the system has
vulnerabilities, or MOVE the "Vulnerable Computers" item out from under
Outbreak Defense into its own console section, and flash the yellow
light, if that is not the function you intended for the Outbreak Defense
section of the console." They have the Vulnerability Assessment feature,
but it is apparently mistakenly placed under the Outbreak Defense, where
it is ignored.
If you want the details of why this can be a problem, send an email to
"greggmhill" on my Yahoo account.
4) Pattern update frequency: Question posed during 5.0 beta: In the
beta, we could not set the scheduled update interval. Can we do that
now, so that laptops can be set to check every hour, or at least more
often than every 8 hours? I just tried via the registry
ScheduleUpdateInterval but it reset itself to 28800 after a few minutes.
I suggested during the beta that we be allowed to set the interval, and
I thought that it would be enabled in the final release. Am I missing
something, or is it fixed at 8 hours?
A: This is by design and it will always return to 8 hrs. Our developers
decided not to change this for this release. We have this as a feature
request instead and for approval of the Product Manager for next
versions.
5) Trend firewall, even set to High, has inbound NetBIOS ports open. My
notes to them during last beta:
- Maybe you could add a "Super Secure Laptop" firewall choice to
future versions to ease configuration. I created a "Laptops" group, and
with its firewall settings for Out of Office set to High, I want to be
able to have access to a terminal server that accepts connections on the
default 3389 port, web browsing, email, etc. I changed all the default
settings except for MSA and set them to Outbound only, so that all ports
inbound are closed, in order to mimic a high-end corporate hardware
firewall. Most high-end firewalls can block all outbound traffic, yet
allow one to open an outbound port, then the inbound side is trusted
only when someone makes a connection outbound first, and there is no
need to have the port explicitly open inbound. For example, DNS requests
outbound on port 53 should be allowed, but there is no reason to always
have port 53 open inbound unless one is running a public DNS server. The
DNS request from a browser should go out, hit a DNS server, and be
allowed back in because it is not an unsolicited connection. For my
Laptops group, I have set all ports in Advanced mode High setting to
Outbound only (except for MSA, because I do not know how it behaves),
and I added Outbound only ports for Remote Desktop Protocol on port
3389, NNTP on 119, NTP on 123, RPC on 135, IMAP on 143, SharePoint (for
SBS clients) on 444, ICMP protocol to allow troubleshooting with ping,
and oddball web ports 8080 and 8081 for some router config ports. This
setup gives me a very secure firewall and leaves only one thing open
inbound, MSA, and I am not sure it even needs to be open.
- Since Beta period is over, what we can do is to file this as
Feature Request for now.
- Barring adding the above firewall choice, perhaps you could change
the defaults for the High setting so that the ports are not open
inbound, with the possible exception of MSA. Having inbound ports open
is not necessary, and should NEVER be the default for a "High" firewall
security setting, ESPECIALLY since you allow inbound NetBIOS
connections, which is possibly the most-hacked port in existence.
- We'll be raising this as feature request and for approval of the
Product Manager
- My testing with my custom Laptops firewall settings (all inbound
blocked except MSA) and my added ports seems to allow completely normal
Internet access.
Regarding NetBIOS, it should NEVER be open by default for a "High"
firewall security setting! If it is open, it is UNSECURED. Unsecured is
NOT "high" security!
For the Medium setting, NetBIOS should not be open inbound (not in my
opinion), since laptops tend to be used at WiFi spots and that would
make them susceptible to hacking. On my LAN, with NetBIOS blocked, I can
still browse shares on the other computers or on my server. If another
computer were to try to reach a share on my laptop, it would be blocked.
Please remember that you are protecting CORPORATE computers with this
software, not some pokey little home user, and corporate systems should
be more secure than home systems.
I believe that another menu choice to **temporarily** disable the
firewall would be good (they can kill it now, but then they have to
remember to re-enable it). Also, maybe a choice to allow users to change
it from High to Medium or to Low, would be a good addition to allow
laptop users to **temporarily** lower their defenses when on their home
networks. Perhaps a choice to disable it for an hour or until the next
reboot, at which time it would go back to its administrator-chosen
settings.
I just thought of another firewall choice, one that users could be
allowed to enable while on a home network. You could call it
"Temporarily Enable File and Printer Sharing" and when someone chooses
it, it opens inbound NetBIOS connections until the laptop is rebooted.
Just a thought!
They replied that they would add it as a feature request.
6) Anyone else have suggestions?
Gregg Hill
Application / executable based port open rules. Some apps change their
port for incoming dynamically. Even the lousy Windows port has an option
for it.
--
Holz
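
The stateful behaviour described in item 5 of the quoted message (outbound-only rules, with replies let back in because they match a connection the laptop opened) can be modelled as follows. This is an added example, not part of the original thread or of Trend Micro's product; the class names, addresses and per-port protocols are assumptions, and the model ignores timeouts and TCP flags.

```python
from dataclasses import dataclass

# Outbound-only rules. Ports are those named in the post, plus 80/443 for the
# "web browsing" it mentions; the protocol chosen per port is an assumption.
OUTBOUND_ONLY = {("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 3389),
                 ("tcp", 119), ("udp", 123), ("tcp", 135), ("tcp", 143),
                 ("tcp", 444), ("tcp", 8080), ("tcp", 8081)}

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the laptop, "in" = arriving
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Default-deny filter: no inbound rules, replies admitted by flow state."""

    def __init__(self, outbound_rules):
        self.outbound_rules = outbound_rules
        self.flows = set()  # (proto, local ip, local port, remote ip, remote port)

    def check(self, p):
        if p.direction == "out":
            if (p.proto, p.dport) not in self.outbound_rules:
                return "DROP"
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # Inbound is allowed only as the mirror image of a flow we opened.
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ALLOW" if reply_of in self.flows else "DROP"

def run_demo():
    lap, dns, rds, other = "10.0.0.5", "198.51.100.53", "192.0.2.10", "203.0.113.9"
    fw = StatefulFilter(OUTBOUND_ONLY)
    packets = [  # constructed sample traffic
        Packet("out", "udp", lap, 51000, dns, 53),     # DNS query
        Packet("in", "udp", dns, 53, lap, 51000),      # its reply
        Packet("in", "udp", other, 53, lap, 51000),    # "reply" from a host never queried
        Packet("in", "tcp", other, 40000, lap, 139),   # unsolicited NetBIOS session
        Packet("out", "tcp", lap, 51001, rds, 3389),   # Remote Desktop to terminal server
        Packet("in", "tcp", other, 40001, lap, 3389),  # inbound RDP: no inbound rule exists
        Packet("out", "tcp", lap, 51002, rds, 23),     # telnet: not in the outbound list
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    print(run_demo())
```

The DNS reply is admitted with no inbound rule for port 53, while the unsolicited NetBIOS and RDP connections are dropped because no matching outbound flow exists.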