Conejo1 (Member, join:2002-03-13, Austin, TX)
How to get started with Tiny Trojan Trap

I just installed this puppy today. Wow, I am very high up a very steep learning curve. Right now I'm leaving everything in unrestricted mode until I figure out what I'm doing. I'm printing out the user's manual (all 100+ pages) and will start reading through it this weekend.

I was wondering if anyone had experience with this app and could provide pointers on getting started with it? I reviewed my unrestricted apps and didn't see anything I didn't expect, but did see a few things missing that TTT didn't catch for some reason, and added them.

In case it makes any difference, my email client is PocoMail, my default browser is Opera, and I also run NOD32 AV, Look 'n' Stop firewall and TDS-3 AT, as well as Proxo.

Any suggestions for getting traction with this thing would be much appreciated.

Feivel1 (Member, join:2002-04-11, Baytown, TX)

Conejo,

Smart choice reviewing the unrestricted category. Even smarter choice wanting to print the manual (I did and I am NOT sorry), but slow down and breathe first. The manual you are speaking about (100+ pages) is for version 1. The manual was never updated, BUT you can use the manual for TPF 3 (95+ pages).

PocoMail (like Eudora) can go into the Outlook or OE category (whichever works better). Opera can go right into the IE category (the only problem I see is that certain plugins will not SAVE to disk, for example Acrobat). AV programs can be left as unrestricted, but to feel safer just put them in the Harmless category. I have KPF in my Unrestricted category, so I think LnS should work fine there; if not, put it in Harmless. TDS was running fine in my Unrestricted group, but I can't say much more since I uninstalled it in favor of Trojan Hunter (Magnus, if you're watching, this advertisement was gratis). Proxomitron runs fine in Unrestricted, but it would also be fine in its own category that has registry writing restricted (you can't disable writing to disk, otherwise you will somewhat cripple Scott's excellent program).

Just be aware that you can restrict any category in any way you see fit, but you can't restrict on a per-program basis UNLESS the program is in its own category.

A word of advice: leave all of the Windows files that TT placed as unrestricted where they are. Leave the System category alone and NEVER check "treat System group as a regular group." I would leave all "common files" in the Unrestricted group where TT placed them. Just use common sense and safe computing practice. Maybe keep a notebook so you can write down everything you do. This way, you can reverse anything if necessary.

Feivel

ukbubs (Member, join:2002-04-17, UK) to Conejo1
Hi Conejo & Feivel.

Any mods about? If you relocate all our assembled ramblings into one thread / (baby) forum, it might help everybody.

Conejo: have you played with the cookie editor? I cannot get it to show any cookies at all.
Conejo1 (Member, join:2002-03-13, Austin, TX)

ukbubs: good idea.

Feivel1: are you operating in 'easy' mode or 'advanced'? I'm in 'easy' mode. I've tried moving Poco to Medium, but it's not allowed to write to its own .ini file there, so I have to move it to Low. Don't know if that's customizable or not.

Re the manual: are you saying the 50 pages I've printed so far are worthless? Oh no. So should I print out the TPF manual instead, or just parts of it?

Feivel1 (Member, join:2002-04-11, Baytown, TX)

ukbubs,

The cookie and cache editors do not work for me, but the content filtering works like a charm.

Conejo,

I am in advanced mode since I find easy mode to be a bit limited for me. From the advanced mode, put PocoMail into the Outlook category. If it still gives you ini problems, a quick workaround is to go back to easy mode and select Directories in the left-hand pane. Under "unprotected directories" click Add and direct the dialog to the directory that has the PocoMail ini. Now PocoMail has access to write the ini.

As for the printout being useless: NO. The manual for version 1 is still very helpful; just realize that some of the information is a bit dated (such as the AV integration). Continue printing the version 1 manual and check the TPF 3 manual online (sort of like errata) and you'll be fine.

Feivel
Conejo1 (Member, join:2002-03-13, Austin, TX)

Feivel1: ok, thanks for that info. What I've ended up doing is moving PocoMail to the Medium restricted category, but adding its own directory as unrestricted. So far so good. I'll see what happens when I try to print, save attachments, etc.

One thing: the default security setting for the preconfigured apps, of which OE is one (though I don't believe I have it installed), is LOW. So is that the setting you're using for your email client?

Feivel1 (Member, join:2002-04-11, Baytown, TX)

Conejo,

That is what the easy mode calls it (yes, you do have OE). In the advanced mode it is called "Outlook Express." I too had the same ini problem with Eudora (and the same thing with attachments). The ini problem was because I am constantly fiddling with the ini from within Eudora (Eudora doesn't write to the ini on startup). The attachments are in a Eudora subdirectory. Reluctantly, I added JUST the directories containing the ini and attachments to my "safe directory" list.

Feivel
Conejo1 (Member, join:2002-03-13, Austin, TX)

Feivel1: I'm assuming that if I set a parent directory as unprotected, this designation is not automatically inherited by subdirectories? It'd be nice to be able to switch that on and off on an individual basis.

Feivel1 (Member, join:2002-04-11, Baytown, TX)

Conejo,

The designation of a parent directory is inherited by its child(ren). The option to do so can be used on an individual basis, in a sense. The "safe" directories are only allowing UNRESTRICTED apps full access, so any programs you do not want to access those directories can be put into a NEW category that is essentially unrestricted but restricted just enough (even by setting, say, content filtering, which does NOTHING to any non-internet app) to disallow access to the "safe" directory.

Feivel

ukbubs (Member, join:2002-04-17, UK) to Conejo1
Feivel & Conejo:

It's a bit more complicated than that: I think I'm right that some app groups ensure that spawned apps inherit the same restrictions, but some don't.

I suggest you lean very heavily on the details of each app group and get familiar with them. Look at the system security, file security and registry security properties of each group (double-click on the icons as named in advanced mode / Security).

Feivel1 (Member, join:2002-04-11, Baytown, TX)

ukbubs,

The different groups all have different spawning protection. Conejo's question was regarding the "Detente" directory (anyone like that designation?) and that was what I answered. You are right about concentrating on each app's details (restrictions), but remember that it is not exactly the app's restrictions but the category's restrictions. Be very careful about confusing group and category (I know I confuse them at times). They are two different things. Consider it this way: a group is the set of categories, and a category is a subset of the group.

Feivel
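The two semantic points raised above (an unprotected directory's designation covering its subdirectories, and spawn protection varying by category so that a child process may or may not inherit its parent's restrictions) are easy to get wrong when reasoning about a configuration. The following is an added illustration, not code from Tiny Trojan Trap or from anyone in this thread: a small policy model in Python whose category names and restriction values are assumptions chosen to mirror what the posters describe, and whose paths and executable names are constructed. It shows why per-program restriction requires a category of its own, why the directory prefix test must match whole path components, and how a parent category with spawn protection overrides the child's own assignment.

```python
"""Toy model of the group/category policy semantics discussed in this thread.

Added illustration, not Tiny Trojan Trap's own code: the real engine is
proprietary, so every restriction value below is an assumption chosen to
mirror the behaviour the posters describe.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Category:
    """A category is the unit of restriction: every app in it shares these."""
    name: str
    file_write: bool        # may write anywhere on disk
    registry_write: bool    # may write to the registry
    spawn_protection: bool  # processes it launches inherit this category


# Assumed values. "Proxo" is the custom one-app category suggested above for
# Proxomitron: disk writes allowed, registry writes blocked.
CATEGORIES = {
    "Unrestricted": Category("Unrestricted", True, True, False),
    "Medium": Category("Medium", False, False, True),
    "IE": Category("IE", False, False, True),
    "Proxo": Category("Proxo", True, False, False),
}


def _is_under(path: str, directory: str) -> bool:
    """Case-insensitive, whole-component prefix test, so that
    C:\\Poco covers C:\\Poco\\Attach\\x.zip but not C:\\PocoMail\\y.ini."""
    p = PureWindowsPath(path.lower()).parts
    d = PureWindowsPath(directory.lower()).parts
    return p[:len(d)] == d


class Sandbox:
    def __init__(self, assignments: dict, safe_dirs: list):
        # exe name -> category name; anything unlisted is Unrestricted
        self.assignments = {k.lower(): v for k, v in assignments.items()}
        self.safe_dirs = list(safe_dirs)

    def own_category(self, exe: str) -> Category:
        return CATEGORIES[self.assignments.get(exe.lower(), "Unrestricted")]

    def resolve(self, chain: list) -> Category:
        """Effective category of the last process in a launch chain.
        A parent with spawn protection imposes its category on the child;
        otherwise the child falls back to its own assignment."""
        cat = self.own_category(chain[0])
        for child in chain[1:]:
            cat = cat if cat.spawn_protection else self.own_category(child)
        return cat

    def may_write_file(self, chain: list, path: str) -> bool:
        cat = self.resolve(chain)
        if cat.file_write:
            return True
        # Unprotected ("safe") directories are carved out of the write
        # restriction, and the designation covers their subdirectories.
        return any(_is_under(path, d) for d in self.safe_dirs)

    def may_write_registry(self, chain: list) -> bool:
        return self.resolve(chain).registry_write


def example_sandbox() -> Sandbox:
    """The configuration the thread converges on, with constructed paths."""
    return Sandbox(
        {
            "pocomail.exe": "Medium",
            "opera.exe": "IE",
            "proxomitron.exe": "Proxo",
            # acrord32.exe is deliberately left Unrestricted, to show spawn
            # protection overriding a child's own assignment
        },
        [r"C:\Program Files\PocoMail"],
    )


if __name__ == "__main__":
    sb = example_sandbox()
    print(sb.may_write_file(["pocomail.exe"], r"C:\Program Files\PocoMail\poco.ini"))
    print(sb.may_write_file(["pocomail.exe"], r"C:\Program Files\PocoMailer\x.txt"))
    print(sb.resolve(["opera.exe", "acrord32.exe"]).name)
```

Note the last case in `example_sandbox`: a plugin launched from the IE category is treated as IE regardless of its own (Unrestricted) assignment, whereas a child spawned from the custom Proxo category, which has no spawn protection in this model, falls back to its own category and regains registry access. That is the gap ukbubs is pointing at when advising a close look at each group's spawning behaviour before creating custom categories.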

ukbubs (Member, join:2002-04-17, UK) to Conejo1
Thanks Feivel.

It was the spawning protection issue I was focussing on.

Your point shows why I've not created any custom groups yet, nor moved my Outlook / OE / IE6 out of their default preconfigured groups.

As far as I can see, it is the spawning protection piece which is the key to what makes TTT so valuable.

[text was edited by author 2002-04-29 03:50:02]
Euphoria2 (Member, join:2002-04-16) to Conejo1
I've just started using TTT, and I must say there are certain aspects that really confused me.

Under "Execution" settings, it seems that the settings for "Dangerous Applications" and "Harmless Applications" are the same. That is really misleading, and I'm sure there is an underlying difference since one is, well... dangerous.

And btw, is it better (in terms of security), to place an application under "harmless" rather than "Unrestricted"?
Thanks.
Conejo1 (Member, join:2002-03-13, Austin, TX)

Euphoria: good questions, ones I just came up with after reviewing some of these settings. The other one I had was that Medium and Low appear to have the same settings, so what's the diff there?

Feivel1: when you speak of 'categories', are you talking about the security attributes of the groups as seen through the Edit / Execution Settings dialogue box?

I took a deep breath and went to advanced mode last night and was looking around. It appears the paradigm is, there are groups, and each group has security attributes. You can either place apps in existing groups or you can create your own groups with customized attributes (though of course you can also modify the attributes of existing groups). So, if you want a single application to have unique security attributes, you create a group and put only that app into it.

If I'm right about this, then I'm thinking the next thing I really need to learn is what each of those attributes controls and how it impacts functionality.

Side note: for grins I tried moving Opera and PocoMail into the High Restricted group. The apps functioned ok, but my hard drive started to constantly chatter and my machine slowed to a crawl. I couldn't even reboot the normal way; I had to just press the power button to turn the PC off, and when it came back up everything was moving VERY slowly (not just Poco and Opera). I had to move them back to Medium, then reboot again (it worked this time), and then everything basically seems fine. Not sure what's up with that.

Feivel1 (Member, join:2002-04-11, Baytown, TX)

There seems to be slight confusion about groups versus categories. Let me use a concrete example from the advanced window. There is a GROUP named User Groups that contains the CATEGORIES Low, Medium, High, Installation and Unrestricted. Apps cannot be put into groups; they must be put into a category. The category goes into a group.

Good question, Euphoria. I have noticed the same (go look) Execution settings for Unrestricted also. However, I have found programs that do not work as Unrestricted but do work fine as Harmless. What the differences are is (that sounds funny) not entirely obvious. At first glance, Unrestricted seems more like an extremely low restriction. I am fairly certain that the difference lies in a "built-in" restriction on directory access. Security-wise, I would say an app is better placed as Unrestricted instead of Harmless.

The same Execution settings are also found for Dangerous. Please notice that the only program placed there (on NT-based systems) is cmd.exe. I am not sure what version of Windows you have, so I can't say what TT placed there on your system. All I can say is there are restrictions that are working in that category. Execution settings are user-customizable, but there is a "default" protection, and that is why TT protects somewhat directly out of the box.

Conejo,

Glad you made it to advanced. Now you've opened a can of worms for yourself.

As to the slowdown, the HD chatter has to do with HD access being denied for both Opera and PocoMail (in High, there is generally only read access allowed). Why it was slow upon reboot, I have no idea, but I suspect that it was in part coincidental that you changed Opera and PocoMail's settings. As I suggested, put Opera in the IE category. That will restrict registry writes (yes, Opera writes there), enable content filtering, enable spawning protection (for plugins), limit disk access and more. I really can't say anything about PocoMail since I am more than happy with Eudora and I am too lazy to try another email client. It might be beneficial to put PocoMail in the OE category, but remember to allow write access to the PocoMail directory (and wherever you keep attachments).

Feivel

gwion, wild colonial boy (join:2000-12-28, Pittsburgh, PA) to Conejo1
I'm almost ready to test drive this new release. I want the sandbox, and reviewing the docs, it looks like it's still similar to what I tested out. If so, it really helps if you're familiar with NTFS permissions, just because it makes the process of what you need to do with the filesystem easier to grasp. If you aren't, you'll find that you'll take to them like a duck to water once you can master the trap.

This is a really granular app. It gets down low into the system. But it does work. However, one thing I discovered was that some of the file-level restrictions were a little tighter in some of the apps that were being "trusted" than I liked, but they were tweakable. It really does take a while to grow into. But I think it was worth the work, and I look forward to seeing how this looks now. It was a solid app when I tried it, and a good app as Secure4U. I have no doubt it'll do its job. It's just the learning curve that may daunt some people... but you'll get a great education in how a Win32 system works "under the hood" in the process... and it may be a little surprising at times, and decidedly a bit complex and sometimes unintuitive. But it's Win32... what would we expect?
Conejo1 (Member, join:2002-03-13, Austin, TX)

gwion, et al.: one thing I'd like confirmation on. I realize there's probably a lot more 'under the hood' of this thing, but it seems to me the key thing for me to first learn is what the different parameters addressed in Execution Settings are, and how they are applied for each different restricted group. That seems to be a key part of this app, would you agree?

Also, on an earlier thread you mentioned how you effectively sandboxed IE so that it was turned into a mere browser. For illustrative purposes, can you tell me how you did that? Did you do it via execution settings, or execution settings plus other settings?

gwion, wild colonial boy (join:2000-12-28, Pittsburgh, PA) to Conejo1
I'll be downloading soon... meanwhile, I don't want to try to replicate anything from the beta, because 30 days was a short trial, really, and I have no idea if I was doing things right or not. So, for the moment, I think I need to do a refresher course in the PDF and your posts to get reoriented [it's been a few months]... I'll do a complete review thread when I get it up.

For right now, without an active setup, my comments could be more misleading than helpful, so for now I'd better defer... keep an eye out, though. I won't be miserly with my observations or tips, be assured... in fact, an FAQ section will surely be a good idea, too, for the longer run...

Feivel1 (Member, join:2002-04-11, Baytown, TX)

Conejo,

The default setup places IE into its own group (which should work for other browsers also). In its default group, IE is limited to being a browser; the integration into the OS is still there, but I think this is what gwion was referring to. As a little experiment for you, just run any browser as Unrestricted with the ACTIVITY WINDOW of TT open. After you do a few things with the browser, make sure to "remember" what was noticed during the browser's use. Now move the browser into the IE directory and run it the same as you did previously. Watch in the activity window and you will be amazed at what is blocked and/or monitored now.

Feivel
Feivel1 (Member, join:2002-04-11, Baytown, TX)

I decided not to wait out and use the full demo period. I went to Tiny's site and registered TT this morning. As I expected, I received an email with my key within 15 minutes. What I didn't expect was IMMEDIATE fulfillment. I have never seen such a thing. When I entered my information, Tiny processed the order right then, and when the confirmation page loaded, my serial number was staring me in the face. Guess the email was just a safety net on Tiny's part. I'll say one thing: they certainly seem to be EXTREMELY oriented towards customer service.

Feivel

gwion, wild colonial boy (join:2000-12-28, Pittsburgh, PA) to Conejo1
I've never had cause to doubt Tiny's professionalism. Or Kerio's, for that matter ... it's one of the reasons I came to like the firewall, way back when. Trust is an important thing. I think they make an effort to build that, and to preserve it, and little details like that go a long way. Somehow, I respect a company that lets the product largely market itself, stands on their own record, and focuses their energies and budget on customer service and product development... may they always be so ...
Conejo1 (Member, join:2002-03-13, Austin, TX)

Good to hear, Feivel and gwion. I'm going to wait another week and make sure all is good in TTT land, and if my machine and this app continue to behave as they have been, Tiny will be getting some of my hard-earned money.

I don't know how the firewall users feel about having TTT questions now littering their forum. I sure wouldn't mind having one specifically devoted to TTT. I'm guessing that as more users become comfortable with this app, more people will be drawn to it and its use will grow exponentially. That will especially happen if those of us on the somewhat leading edge of this thing can tailor a guide on how to get started and how to spend no more than 15 minutes after installation getting this thing configured to provide basic protection. Once that fear-factor is removed, this will become very, very popular.

ukbubs (Member, join:2002-04-17, UK) to Conejo1

Conejo,

Agreed on all fronts.

gwion, wild colonial boy (join:2000-12-28, Pittsburgh, PA) to Conejo1
We're it: all Kerio and Tiny security products are welcome here. Give us time. I will probably open up an FAQ as soon as I get my own copy and try it out in the latest release...

Feivel1 (Member, join:2002-04-11, Baytown, TX)

gwion,

Open it up. I'm ready, willing and able (some here may disagree on the last point) to help.

Feivel