What to do if someone on the LAN is launching ARP attacks?

I hope the information I collected for you will be helpful.

ARP firewall stand-alone version FAQ, for v4.1.1 (2007-06-09 09:17)

Q: What platforms does the firewall software support?

A: At present Windows 2000/XP/2003 are supported, and Vista (x32) is supported from v4.1 beta2. Windows 98/ME and Vista (x64) are not supported.

Q: What do the different types of data displayed by the ARP firewall mean?

A: The ARP firewall currently displays the following types of data.

(1) External ARP attack: ARP attacks that other machines launch against you (others attack you).

(2) External IP conflict: IP-conflict attacks that other machines launch against you (others attack you).

(3) Local ARP attack: ARP attacks that your own machine sends to others (you attack others).

(4) Local IP attack: forged-source-IP attacks that your own machine sends to others, usually a TCP SYN flood.

(5) Local IP flood: when the rate at which your computer sends data exceeds the configured threshold, the firewall starts intercepting, and the intercepted data is shown here.

(6) Security mode: in security mode the machine answers only ARP requests from the gateway and intercepts ARP requests sent by other machines. The intercepted requests are shown here.

(7) Suppress ARP sending: when the rate at which your machine sends ARP packets exceeds the configured threshold, the firewall starts intercepting, and the intercepted packets are shown here.

(8) Analyze received ARP: shows every ARP packet received by this machine, for analyzing the state of the network. This data is meant for experienced network administrators to judge whether there may be attackers or infected machines on the network; by itself it does not indicate that an ARP attack is taking place. If you are not a network administrator and the network is working normally, you can ignore the data shown here.

Q: How can I tell whether my machine is infected with an ARP virus?

A: Only when the ARP firewall reports a local ARP attack (your machine attacking others) does that indicate your machine is infected with an ARP virus (or that you are running attack software yourself).

Q: In "Analyze received ARP", some machines send a large amount of ARP data. What should I do?

A: If you are the network administrator, install the ARP firewall on the machines that send a lot of ARP data. If you are not the administrator, either report the situation to the administrator or don't worry about it :D

Q: The ARP firewall reports that an "external ARP attack" has been intercepted. What should I do?

A: If your network is affected, set active defense to "always running". If the situation does not improve, increase the defense speed step by step. You can also report the situation to the network administrator and ask them to eliminate the source of the attack.

Q: Why are there many "non-broadcast reply" packets from the gateway in "Analyze received ARP"?

A: After active defense sends an ARP packet to the gateway, the gateway answers with an ARP reply. The firewall sends active-defense packets to the gateway in two cases:

(1) Active defense is set to "always running".

(2) Active defense is set to "alert" and, when an attack is detected, it switches to "alert: defense started".

Q: Why does the firewall report that "WINDOWS\System32\svchost.exe" is attacking the outside world after an ADSL connection is made?

A: We are very sorry; this is a false alarm, and we will fix it in the next version. The false alarm appears as a local IP attack (the machine attacking outward) of type "IP protocol number: 139" or "IP protocol number: 2" (only v4.1 has this problem).

Q: What is flood suppression?

A: A flood attack is a DoS attack, usually called a denial-of-service attack. The flood suppression function of the ARP firewall intercepts TCP SYN, UDP and ICMP packets once their rate reaches the threshold you set. Packets used in a DoS attack are hardly different from ordinary packets; the sending rate is almost the only distinguishing criterion. Some applications (PPLive, eMule, BT and so on) generate heavy traffic, so an improperly set threshold may interfere with your normal use. If you are not familiar with flood (DoS) attacks, we strongly recommend leaving "flood suppression" off so that it does not affect your normal use!

Q: What is flood suppression for?

A: For a stand-alone computer, it prevents a local virus from turning the machine into a DoS attack source. Intercepting the DoS attack traffic this machine sends outward reduces its network traffic, keeps the network responsive, helps find DoS viruses on the machine, and avoids potential trouble for yourself.

For a local area network: if every machine on the LAN runs an ARP firewall with flood suppression, LAN machines are protected from DoS attacks, the attacks are stopped at their source, and the LAN stays responsive!

Q: After installing v4.1, games (or other programs) feel a little laggy. Why?

A: If you notice lag, check whether the ARP firewall reports "local IP flood". If so, the DoS (flood attack) threshold you set is too low and normal applications are triggering it. If you are not familiar with flood (DoS) attacks, we strongly recommend leaving "flood suppression" off so that it does not affect your normal use!

Q: Which is better, the stand-alone version or the network version?

A: The core code of the stand-alone and network versions is the same. The stand-alone version is suited to protecting a single machine; the network version is suited to protecting a whole network.

Q: To protect a network, should we choose the stand-alone version or the network version?

A: There are two ways to protect a network.

(1) Deploy the stand-alone version. Advantages: free (at present). Disadvantages: no unified management, so the status of all clients cannot be monitored in real time; the stand-alone version has an expiration date and must be reinstalled or upgraded after it expires.

(2) Deploy the network version. Advantages: unified management, so the state of the whole network can be monitored in real time; no expiration within the validity period of an official key. Disadvantage (?): a small registration fee is required.

Remember: whichever version you choose, to protect the whole network you must deploy it on every machine to get the best results.

Q: Does the ARP firewall support diskless systems?

A: Installing the ARP firewall installs an NDIS driver, and the network drops for a few seconds during that process, so installing directly on a diskless client is not supported. Install it on the master image instead.

Q: Why can't the downstream machines access the Internet after the ARP firewall is installed on the machine that shares its Internet connection (acting as a proxy)?

A: A machine that shares its Internet connection through a proxy rewrites incoming and outgoing packets (the NAT principle). This conflicts with some functions of the ARP firewall, which treats the rewritten packets as an outbound attack. If this happens, uncheck "intercept local ARP attacks" and "intercept local forged-IP attacks" in the software configuration.

Q: Is installing Microsoft's "ARP patch" effective?

A: On Windows 2000, binding an IP to a MAC with the arp -s command does not take effect; Microsoft's "ARP patch" fixes that problem. It does not mean that ARP problems go away once the patch is installed. Please keep the two apart.

Q: After installing, why does 360 Safeguard detect the malware "webhop malware-danger-c:\Windows\System32\Drivers\Oreans32.sys"?

A: Themida is the software protector used by Caiying software, and oreans32.sys is a component of Themida. This is a false positive from 360 Safeguard. Caiying software never bundles malware and has submitted the relevant information to 360. 360 Safeguard has fixed this in the latest version of its malware signature database, so please use the software without concern.

Q: Why do some anti-virus programs (such as AVG Anti-Spyware) report "snetcfg.exe" in the firewall installation directory as a backdoor?

A: snetcfg.exe is a Microsoft-provided tool for installing drivers; the ARP firewall's driver is installed through it. This is a false positive from the anti-virus software, so please use the software without concern. snetcfg.exe can be deleted without affecting normal operation of the ARP firewall. We will address the false positive in the next version.

Q: What are broadcast, non-broadcast, request and reply, and what are they for?

A: (1) Broadcast: every machine on the LAN receives it.

(2) Non-broadcast: only your own machine receives it.

(3) Request: an ARP request packet, asking for the MAC address of an IP.

(4) Reply: an ARP reply packet, announcing the MAC address of an IP.

Suppose your machine's IP is 192.168.0.2. When it wants to communicate with 192.168.0.1, it first checks whether 192.168.0.1 is in its ARP cache. If not, it sends an ARP "broadcast-request" packet (which every machine on the LAN receives) asking "what is the MAC address of 192.168.0.1? Tell me." 192.168.0.1 answers with a "non-broadcast-reply" packet carrying its MAC address. Having obtained the MAC address of 192.168.0.1 in this way, your machine can communicate with it normally. This is how the ARP protocol works, and it is why ARP is the cornerstone of LAN communication. Generally speaking, all broadcast packets are requests and all non-broadcast packets are replies.
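The following Python example is added here to illustrate the exchange above; it is not code from the FAQ or from the ARP firewall product. It builds and parses the 42-byte ARP frames the FAQ mentions, labels each one in the FAQ's own terms (broadcast/non-broadcast, request/reply), and applies the check the firewall performs when it has a bound gateway IP/MAC: flagging any ARP packet that claims the gateway IP with a different MAC. All addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_ARP = 0x0806
ETH_BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(s: str) -> bytes:          # "AA-BB-..." or "aa:bb:..." -> 6 bytes
    return bytes.fromhex(s.replace("-", "").replace(":", ""))

def _ip(s: str) -> bytes:           # "192.168.0.1" -> 4 bytes
    return bytes(int(o) for o in s.split("."))

def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

@dataclass
class ArpInfo:
    broadcast: bool    # Ethernet destination is FF-FF-FF-FF-FF-FF
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str

    @property
    def kind(self) -> str:
        # Label in the FAQ's terms, e.g. "broadcast-request" or "non-broadcast-reply"
        scope = "broadcast" if self.broadcast else "non-broadcast"
        return f"{scope}-{'request' if self.opcode == ARP_REQUEST else 'reply'}"

def build_arp(dst_mac: str, src_mac: str, opcode: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build the 42-byte Ethernet II + ARP frame (IPv4 over Ethernet) the FAQ refers to."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))
    return eth + arp

def parse_arp(frame: bytes) -> Optional[ArpInfo]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpInfo(broadcast=mac_str(frame[0:6]) == ETH_BROADCAST, opcode=opcode,
                   sender_mac=mac_str(frame[22:28]), sender_ip=ip_str(frame[28:32]),
                   target_ip=ip_str(frame[38:42]))

def spoofed_gateway_packets(frames: List[bytes], gateway_ip: str,
                            gateway_mac: str) -> List[ArpInfo]:
    """Flag ARP packets that claim gateway_ip with a MAC other than the bound one.
    Requests are checked too: a forged request also rewrites the cache of every receiver."""
    hits = []
    for frame in frames:
        info = parse_arp(frame)
        if info and info.sender_ip == gateway_ip and info.sender_mac != gateway_mac:
            hits.append(info)
    return hits

# Constructed sample traffic (hypothetical addresses, not captured data).
GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "00-AA-BB-CC-DD-01"
MY_IP, MY_MAC = "192.168.0.2", "00-11-22-33-44-55"
FORGED_MAC = "AA-AA-AA-AA-AA-AA"          # the forged MAC used in the FAQ's switch example
SAMPLE_FRAMES = [
    # host asks the whole LAN for the gateway's MAC
    build_arp(ETH_BROADCAST, MY_MAC, ARP_REQUEST, MY_MAC, MY_IP, "00-00-00-00-00-00", GATEWAY_IP),
    # the real gateway answers the host directly
    build_arp(MY_MAC, GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, MY_MAC, MY_IP),
    # an attacker claims the gateway IP with a forged MAC (the "external ARP attack" case)
    build_arp(MY_MAC, FORGED_MAC, ARP_REPLY, FORGED_MAC, GATEWAY_IP, MY_MAC, MY_IP),
    # an IPv4 frame, not ARP: the parser ignores it
    _mac(MY_MAC) + _mac(GATEWAY_MAC) + struct.pack("!H", 0x0800) + bytes(28),
]
```

Running `spoofed_gateway_packets(SAMPLE_FRAMES, GATEWAY_IP, GATEWAY_MAC)` returns only the third frame; the first two parse as "broadcast-request" and "non-broadcast-reply", matching the rule of thumb at the end of the answer.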

Q: What does the "active defense" function added in version 4.0 Beta 4 do?

A: ARP attack software generally sends two kinds of attack packets:

(1) Forged ARP packets sent to this machine. The ARP firewall intercepts 100% of these.

(2) Forged ARP packets sent to the gateway. Because the gateway is usually outside our control, we cannot intercept these. "Active defense" "tells" the gateway what the correct MAC address of this machine is, so that the gateway ignores the forged one.

Q: What do the three "active defense" settings mean?

A: Active defense has three modes.

(1) Disabled. The correct MAC address of this machine is never sent to the gateway.

(2) Alert. Normally the correct MAC address of this machine is not sent to the gateway. Once an ARP attack on this machine is detected, the firewall starts sending the correct MAC to the gateway so that the connection is not interrupted.

(3) Always running. The correct MAC address of this machine is sent to the gateway continuously. If an attacker sends attack packets only to the gateway and not to this machine, "alert" mode cannot guarantee that the connection stays up; "always running" handles this case. In this mode the machine continuously sends ARP packets to the gateway and the gateway replies to each of them, so it is normal to see a large number of ARP packets from the gateway in "Analyze received ARP".

Q: What speed should "active defense" be set to?

A: The default configuration is alert mode with a defense speed of 10 pkts/s. After extensive testing by Caiying software, a defense speed of 10 pkts/s copes with most ARP attack software on the market. Each time the correct MAC is sent to the gateway, two packets of 42 bytes each are sent, so at speed 10 the traffic is 10 * 2 * 42 = 840 bytes per second, i.e. less than 1 kilobyte per second; the same calculation can be made for other defense speeds.

Q: The ARP firewall detects no attack, but I still cannot connect. Why?

A: There are several possible reasons:

(1) The attacker may be sending ARP attack packets only to the gateway, so the ARP firewall does not detect an attack. Solution: set "active defense" to "always running" and increase the defense speed step by step according to the network condition. For example, if the network is still intermittent at speed 10, raise it to 20; if 20 does not help, raise it to 30.

(2) The machine was attacked before the ARP firewall started, and the gateway MAC the firewall obtained automatically is false. Solution: ask the network administrator for the correct gateway MAC and set the gateway IP/MAC manually in the ARP firewall.

(3) If neither of the above helps, the disconnection most likely has nothing to do with an ARP attack. After all, there are many reasons for disconnection: hardware problems, line problems, application problems (such as games), and so on.

Q: Active defense is set to "always running". Why do I still get disconnected?

A: Possible reasons:

(1) There are many causes of network disconnection, and ARP problems are only one common cause, so the disconnection may not be caused by an ARP problem at all.

(2) If the attacker attacks the gateway faster than your defense speed, disconnection is unavoidable and the network may be intermittent. The fundamental solution is to eliminate the attack source. If you cannot, you can only raise the defense speed to the maximum. If the network is still intermittent at maximum defense speed, then in this extreme case no software installed on this machine can help you any further.

Q: After installing the ARP firewall I can access the Internet only while "Trace" is running; as soon as tracing stops I lose access again. Why?

A: The gateway has been attacked, and the MAC address the gateway holds for your computer is wrong. When you click "Trace", the ARP firewall sends packets to scan the MAC addresses on the LAN; during tracing the gateway re-learns your computer's correct MAC, so the network works for a while. After tracing stops, the gateway is attacked again, learns the wrong MAC for you, and your network is disconnected again. In this case, set active defense to "always running", which continuously informs the gateway of your correct MAC.

Q: I can access the Internet after changing my IP address, but not with the original IP. Why?

A: The gateway has been attacked, and the MAC address the gateway holds for your computer is wrong. Set active defense to "always running", which continuously informs the gateway of your correct MAC.

Q: I have bound the gateway IP/MAC on this machine (assuming the gateway IP/MAC is correct). Why can't I access the Internet?

A: Two conditions must hold for the network to work:

(1) On your computer, the gateway MAC is correct.

(2) On the gateway, your MAC is correct.

Although you have bound the gateway IP/MAC on this machine, that does not guarantee that the MAC the gateway holds for your machine is correct. In this case, set active defense to "always running"; its purpose is to inform the gateway of your correct MAC address.

Q: What if my Internet speed is being limited?

A: There are many ways to limit network speed, and ARP spoofing is a popular one. If the limit is imposed by ARP spoofing, the ARP firewall's default configuration can lift it. If the effect is not obvious, set active defense to "always running". If that does not help either, the speed limit is not being imposed by ARP spoofing, and unfortunately the ARP firewall cannot help you (nor can any other software, because such a limit cannot be bypassed in principle).

Q: What does security mode do? Are there adverse consequences to enabling it?

A: In security mode the machine answers only ARP requests from the gateway, so no machine other than the gateway can obtain your MAC address through normal channels. Note: this does not mean other machines cannot obtain your MAC at all, only that it becomes harder. Security mode therefore reduces the probability of being attacked but cannot eliminate it completely. Advantage of security mode: it is harder for attackers to obtain your MAC address, which reduces the chance of being attacked. Disadvantage: other machines on the LAN cannot initiate contact with you. Under normal circumstances, enabling security mode does not affect normal use of the computer.

Q: If the attacker's MAC is forged, is there any way to find out who the attacker is?

A: If your switches are managed, you can. Assuming the MAC address forged by the attacker is AA-AA-AA-AA-AA-AA, proceed as follows:

(1) Log in to the core switch and query where the forged MAC was learned with the following command:

# show mac address-table dynamic address aaaa.aaaa.aaaa

The output looks similar to the following:

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   7    0010.db58.3480    DYNAMIC     Po1
   7    aaaa.aaaa.aaaa    DYNAMIC     Gi1/0/11   <<<<

(2) Check whether the device connected to Gi1/0/11 is a network device with the following command:

# show cdp neighbors

If Gi1/0/11 connects to another switch, log in to that switch and repeat the steps above. If it connects to a host, that host is the attacker.
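The two-step lookup above can be scripted when the command output is collected from each switch. The Python below is an added example, not part of the FAQ or the firewall product: it finds the port that learned a MAC in "show mac address-table" output, checks "show cdp neighbors" for a switch behind that port, and returns either the host port or the next switch to query. The command output is constructed for the example, modelled on the FAQ's listing; bbbb.bbbb.bbbb and SW-EDGE-2 are hypothetical additions.

```python
import re
from typing import Optional, Tuple

_PORT_RE = re.compile(r"^(?P<type>[A-Za-z-]+)\s*(?P<num>\d[\d/]*)$")
_IFACE_RE = re.compile(r"\b(?:Gig|Fas|Ten|Gi|Fa|Te|Po)\s*\d[\d/]*")
_ABBREV = {"gigabitethernet": "gi", "gig": "gi", "fastethernet": "fa", "fas": "fa",
           "tengigabitethernet": "te", "ten": "te", "port-channel": "po"}

def cisco_mac(mac: str) -> str:
    """AA-AA-AA-AA-AA-AA or aa:aa:aa:aa:aa:aa -> aaaa.aaaa.aaaa (IOS notation)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def normalize_port(port: str) -> str:
    """Gi1/0/11, Gig 1/0/11 and GigabitEthernet1/0/11 all become 'gi1/0/11'."""
    m = _PORT_RE.match(port.strip())
    if not m:
        return port.strip().lower()
    kind = m.group("type").lower()
    return _ABBREV.get(kind, kind[:2]) + m.group("num")

def port_for_mac(mac_table_output: str, mac: str) -> Optional[str]:
    """Port on which 'show mac address-table' learned `mac`, or None."""
    want = cisco_mac(mac)
    for line in mac_table_output.splitlines():
        fields = line.split()          # data rows: <vlan> <mac> <type> <port>
        if len(fields) >= 4 and fields[1].lower() == want:
            return fields[3]
    return None

def cdp_neighbor_on_port(cdp_output: str, port: str) -> Optional[str]:
    """Device ID that 'show cdp neighbors' lists on `port`, or None if nothing advertises there."""
    want = normalize_port(port)
    for line in cdp_output.splitlines():
        m = _IFACE_RE.search(line)     # first interface on a row is the local one
        if m and normalize_port(m.group(0)) == want:
            return line.split()[0]
    return None

def locate_source(mac: str, mac_table_output: str, cdp_output: str) -> Tuple[str, str, Optional[str]]:
    """The FAQ's two-step check on one switch.

    ("host", port, None): no CDP neighbour behind the port, so the attached host is the source.
    ("switch", port, device): another switch is behind the port; repeat the lookup there.
    ("unknown", "", None): the MAC was not learned on this switch."""
    port = port_for_mac(mac_table_output, mac)
    if port is None:
        return ("unknown", "", None)
    neighbor = cdp_neighbor_on_port(cdp_output, port)
    return ("host", port, None) if neighbor is None else ("switch", port, neighbor)

# Constructed command output, modelled on the FAQ's example.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   7    0010.db58.3480    DYNAMIC     Po1
   7    aaaa.aaaa.aaaa    DYNAMIC     Gi1/0/11
   7    bbbb.bbbb.bbbb    DYNAMIC     Gi1/0/24
"""
CDP_NEIGHBORS = """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW-EDGE-2        Gig 1/0/24        150        S I         WS-C2960  Gig 0/1
"""
```

With this data, `locate_source("AA-AA-AA-AA-AA-AA", MAC_TABLE, CDP_NEIGHBORS)` identifies the host on Gi1/0/11, while a MAC learned on Gi1/0/24 points at SW-EDGE-2 as the next switch to query.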

Q: Why is the same data displayed twice? For example:

A: Because the interface width is limited, only the important fields are displayed. The two rows look identical, but some of the hidden fields differ, so they are shown as separate rows. Note: this has been fixed since 4.1 beta1.

Q: Why does the firewall keep prompting "The gateway MAC address in the ARP cache has been modified and repaired"? Is the machine infected with a virus, or was it attacked before the ARP firewall started?

A: This prompt appears in the following situations.

(1) There is a virus or other malware on this machine that has tampered with the gateway MAC address in the machine's ARP cache.

(2) The firewall is set to obtain the gateway MAC automatically, and the machine was attacked before the firewall started.

(3) When the state of the network card changes (plugging or unplugging the network cable, obtaining an IP address via DHCP, disabling and re-enabling the card), the program may produce a false positive. This false positive has been fixed since v4.1 beta1.

Note: the ARP firewall can detect and repair a tampered gateway MAC in the local ARP cache, but it cannot stop a virus or malware from tampering with it again. In that case, scan the machine for viruses.

Q: Is the stand-alone ARP firewall free? Why does it have an expiration date?

A: At present it is a free trial. We constantly update and improve the ARP firewall, and to make sure users download, install and use the latest version promptly, the current version has an expiration date. Please download the new version when it expires.

Q: A virus changed the system time and now the ARP firewall no longer works properly. What should I do?

A: (1) The network version v3.1, now in development, will remove the client time limit.

(2) The stand-alone version v4.2, now in development, will add a "do not allow system time changes" function, which prevents viruses from changing the system time and identifies the virus process that attempts to.

Q: The software has not expired, so why does it prompt "Version expired"?

A: Because you changed the system time before or while the software was running. Changing the system time arbitrarily can make the software behave abnormally. In this case we suggest the following:

(1) Uninstall the firewall software.

(2) Set the system time to the correct time.

(3) Reinstall the firewall software.

If for some reason you really need to change the system time temporarily for testing, then:

(1) Do not change the system time while the firewall software is running.

(2) Make sure the system time is correct before running the firewall software.

Q: Why is the attacker's IP displayed as Unknown?

A: When the attacker's IP is displayed as unknown, there are several possibilities:

(1) Active IP/MAC collection is not enabled. Solution: click the "Trace" button in the menu bar.

(2) If it is still displayed as unknown after "Trace" has completed or while "active collection: auto-start" is on, the attacker's MAC address is probably forged and the corresponding IP address cannot be traced.

(3) v4.0.1 has a bug: in some cases the attacker's IP address cannot be traced even though the MAC address exists. v4.0.2 fixes this problem.

Q: I forgot the protection password of the ARP firewall. What should I do?

A: There are two ways.

(1) Enter the software configuration interface and clear the previously set password.

(2) If you cannot enter the configuration interface, delete the aas.ini file in the ARP firewall installation directory and run the software again.

Q: Why isn't the local IP/MAC displayed after "Intercept local outbound attacks" is unchecked? (v4.0.1 has this problem)

A: This is a bug in the program. It does not affect the firewall's protection; only the display of the local IP/MAC is affected, so please keep using the software. v4.0.2 fixes this problem.

Q: Do I need to uninstall the old version before installing the new one? Can the new version be installed over the old one?

A: Uninstall the old version before installing the new one; installing over the old version is not supported.

Q: How do I uninstall the software?

A: Use one of the following methods.

(1) Go to "Control Panel > Add or Remove Programs".

(2) Run the installer again; it offers three options, Modify/Repair/Remove. Choose Remove to uninstall.

(3) Since 4.0.2, an "Uninstall" entry has been added to the Start menu.

Q: How do I uninstall the ARP firewall manually?

A: Proceed as follows:

(1) Close the ARP firewall.

(2) Open the network card's Properties dialog, locate the two drivers whose names contain AntiARP, and click Uninstall.

(3) Open the registry, search for "AntiARP" and delete every entry found.

(4) Delete the program files.

Q: The software is set to start automatically, but it does not. Why?

A: Check whether the AntiARPStandalone value under HKLM\Software\Microsoft\Windows\CurrentVersion points to the correct path. If it does not, delete AntiARPStandalone; the next time the firewall runs, the correct value is written automatically (or enter the correct value manually).

Note 1: 4.0.2 fixes this problem; it should not happen again.

Note 2: the "auto-start" function is not supported on Vista.

Q: What if the process is present in Task Manager, but no window appears?

A: Several users have reported this, and so far the cause cannot be confirmed. In this case, try the following:

1. Go to the program installation directory, open the Config.ini file and change the following entries as shown:

Auto run =0

AutoMin=0

Automatic protection =0

2. Restart the machine.

Q: Why does the ARP firewall display garbled text?

A: Because the language settings on your machine are not correct. You can follow these steps (thanks to lzawindows):

(1) Go to Control Panel > Regional and Language Options.

(2) Make sure "Install files for East Asian languages" is selected and installed.

(3) On the Regional Options page, select Chinese (PRC) under Standards and Formats, and select China under Location.

(4) On the Advanced page, select "PRC" as the language for non-Unicode programs, then restart the computer.

Q: Why is the network disconnected during software installation?

A: Version 4.0 of the stand-alone ARP firewall relies on a driver to intercept ARP attack traffic, and the driver is installed together with the software. The network is interrupted for a few seconds at that point, which is normal, so please keep using the software.

Q: Why does the software report an attack when I change the local IP address?

A: To keep resource usage low, the ARP firewall reads the network card's IP settings every 5 seconds. When the local IP address is changed, the operating system broadcasts the new IP and MAC to the network. If the firewall has not yet picked up the new IP address from the network card at that moment, it intercepts that ARP broadcast and reports that the local machine is attacking outward. Intercepting this broadcast does not cause any problem for normal use of the network, so please don't worry. Note: this has been fixed since 4.1 beta1.

Q: Does the firewall support running as an ordinary (non-administrator) user?

A: Supported since v4.1 beta1; earlier versions did not support it.

Q: Is there a portable ("green") version that needs no installation?

A: The ARP firewall needs its driver to intercept malicious traffic, and the driver must be installed by the installer. There is no portable version.

Q: Why does the ARP firewall also intercept attack packets sent outward by this machine? Can that interception be disabled?

A: If this machine is infected with an ARP virus, the virus sends a lot of attack traffic outward, which may bring unnecessary trouble to the user, so by default the ARP firewall intercepts outbound attacks. Since v4.0.1, intercepting outbound attacks is a configurable option.

Q: Why can I still see other hosts with the "arp -a" command after running the ARP firewall?

A: The ARP firewall does not intercept all ARP packets, only forged ones, so it does not guarantee that other hosts disappear from "arp -a"; it does guarantee that the gateway MAC is correct. Conversely, if "arp -a" shows no hosts at all, your machine is "disconnected" (it is not communicating with any machine on the LAN).