DDACS 2.0.1 Reference User Manual

This manual describes DDACS Windows endpoint protection suite version 2.0.1

DDACS 2.0.1 Reference User Manual

Product Features Outline

DDACS is a Windows endpoint protection suite. It provides access control and uses rules defined by you to protect your computer. In principle it offers the ultimate protection against malicious attacks. The reason is simple: if they can't get the desired harmful access, they can't harm!

DDACS is designed to counter primarily zero-day attacks, both preventing them with access control and isolating already attacked programs. It can help regain control over system that is already owned by malware without reinstalling the OS.

DDACS is suitable also for servers.

Features

Packet firewall
Inbound and outbound network traffic filtering
Payload filter

Web sites blocker
File access control
Programs blocker with time control
Application firewall
Server application rules
Client application rules with time control
Registry protection
Process killer (with pause/resume)
Parental controls
Administrator is subject to access control checks
Password-protected administration management
No time and resources consuming periodic operations
Very little resources use
Add, delete and remove rules at any time
Graphical control panel and corresponding command-line tools to use in scripts

Understanding DDACS

Filters and Rules

In order to use DDACS effectively and safely it is important to understand how it works.

DDACS operations are based around network, files and registry filters. The filters are software components that run in Windows kernel in position designed for filtering. All relevant requests and data pass through the filters.

Filters operate on data and requests that pass through them by applying user-defined rules checking. In general, a rule consists of the following properties:

Accessor - an entity, whose access the rule controls. Accessors are programs in rules applied on application firewall, files, registry and running programs filters. An accessor can be any legitimate DDACS pattern (thus a single pattern can match multiple programs) or "any program". A packet firewall rule doesn't define an accessor ("any program" can be considered an accessor).

Object - an entity, access to which the rule relates to. Objects are: network addresses in firewall rules, files, links and directories in files access rules, registry keys in registry access rules.

Access - kind of access that this rule relates to. Accesses can be: read, write, create, delete for files, registry keys and running programs (for running programs terminate is the analog of "delete"); connect, accept, send and receive for application firewall rules; for files rules an access may be also execute. A packet firewall doesn't define an access ("send" or "receive" can be considered an access, depending on direction being outbound or inbound.

Action - what to do when an access matches the rule. Actions can be: block (request is dropped and logged), allow (request is allowed, useful in defining common rules and exceptions from them), log (request is allowed, but logged similarly to blocked requests) and Prompt (Alert) (request triggers pop-up of user prompt; user's response will determine what to do with the request). Alert action can be set for Application Firewall, Files and Registry filters. Packet Firewall (General Firewall, WWW Blocker and UDP ports) can't be set to Alert.

Rules are automatically prioritized, with any generalization ("any" relevant accessor or object) lowering priority. A specific rule in any aspect has higher priority than common (generic) rule. This allows creation of common rules and exceptions from them (see rules examples section). Also, rules with action alert (prompt user) has lower priority than any other action.
Currently DDACS doesn't allow user-defined modifications to priorities. This ability will be introduced in ruture versions of DDACS.

Rules can be saved to disk and later (re-)loaded. Please note that when you add a rule, either by GUI or by command-line tool, it is applied immediately to your system but is not automatically saved. In order to save if you should use "Save" icon in GUI (diskette), or "save" option in command-line tool.

You may reload rules at any time by using "Load" icon in GUI (folder), or "load" option in command-line tools. Please note that reloading rules does not remove rules that were in use; reloading rules only adds saved rules to the effective set, ignoring complete duplications. If you don't need some rules, you have to just remove them by using "Delete" icon in GUI ("X") or "remove" option in command-line tools.

If you chose "load rules automatically" during DDACS installation, the last saved set of rules will be loaded when the system restarts. If you saved insuccessful set of rules, you may either remove the unneeded one by one or restore to default rules (restoring is only with command-line tools "restore" option.

All rules have priority and policy name properties. Priority is a number between 0 and 100 that decides which rule will take effect if several rules apply for the same access. It's intended to create rules chains: general Block/Alert rules and exception Allow rules (possibly exception to exception Block rules etc.). Bigger number means higher priority.

Policy Name is a text of up to 64 characters that allows creating rules groups. Rules that have the same policy name can be saved and deleted at once.

Alert (Prompt) rules allow receiving pop-up decision dialog an access hits the rule. Application Firewall, Files Filter and Registry Filter may pop up Alert dialog.

[user-alert.png]

Alert pop-up dialog informs the DDACS administrator user that a suspocious access is attempted and provides details on Policy Name, Accessor (program), Object and Access. Then the user is presented a choice of decision options.

Forbid denies the attempted access and creates a rule to block the same access in future
Forbid Once denies the attempted access, but doesn't create a rule. Future similar access will again pop up Alert dialog
Forbid Any Program denies the attempted access and creates a rule to block this access in future for any program
Block Program denies the attempted access and creates a rule to block the offending program from running in future
Suspend And Block Program denies the attempted access, suspends the running instance of offending program and creates a rule to block the offending program from running in future
Trust This Program allows the attempted access and creates a rule to allow any access under this filter in the future
Allow allows the attempted access and creates a rule to allow the same access in future
Allow Once allows the attempted access, but doesn't create a rule. Future similar access will again pop up Alert dialog
Log allows and logs the attempted access and creates a rule to log the same access in future

Network Filter (Packet Firewall)

Network filter applies rules specific to certain protocols. Network protocols are standard conventions established for communication between computers and devices over network. All network data are sent and received in packets, which are units of data with variable length and fixed maximum size. A packet consists of header (part that contain addressing and control information) and payload, which is actual data transmitted in a packet.

Some protocols, such as IP and UDP are stateless, dealing only with sending and receiving individual packets with data. Such protocols are said to operate on datagrams, every packet includes a datagram (data unit). A datagram may be only received or dropped entirely. Other protocols, such as TCP, are stateful, dealing with connections. Besides data they send also control information between the two computers in order to establish connection, maintain it, close connection, acknowledge received data and retransmit lost packets. Such protocols include specific procedures in order to establish, control and terminate connections.

Internet connections are based on TCP/IP protocol suite. TCP/IP protocols are layered (more properly would be said "nested") in a way similar to "matryoshka" nested dolls. A packet of protocol from higher layer is nested (encapsulated) in payload part of a protocol from lower layer. A protocol of the lower layer is called transport for a protocol from the higher layer. Hardware network data transmission level is called layer 1 or physical layer. Level of packets (called frames) prepared by software and understood and sent by the Network Interface Card (NIC) is called layer 2 or data link layer. IP and other purely software protocols encapsulated in layer-2 frames are called layer 3 or network layer. Protocols that are encapsulated in IP payload, such as TCP and UDP are called layer 4 or transport layer. Finally, layer 7 or application layer is used by applications that provide users access to internet. Examples of application-layer protocols are HTTP, FTP, and TELNET.

TCP and UDP transport protocols add port number to IP address in order to determine application-layer protocol. This allows different application-layer protocols to run between the same pair of IP addresses. However, even if it's not the same pair of computers that run multiple application-layer protocols, most application-layer protocols always use the same port numbers. E.g. HTTP servers use port 80 in order to accept connections; FTP servers use port 21, TELNET servers use port 23 etc. Some (mostly video and audio streaming) protocols negotiate different ports for different sessions, but they still use the same port in order to initiate a session and conduct negotiation. This is done so that client applications (the ones that must send initial packets when establishing a connection) could "know" on which port to look for the server. Sometimes servers may be configured to use non-standard port (e.g. HTTP to use port 15342), but then this information about using non-standard port must be communicated to all potential clients - otherwise the clients simply "will not know" that they should try to connect to server especially on 15342. Only server-side ports are the same for the same protocols – since they have to be known to clients that initiate connections. Client programs (the ones that initiate sessions by connecting to servers) have dynamically assigned ports. It is important to remember, since when you are creating a rule for client-server connection you will have to specify server’s address and port, but on the client side the most appropriate is any port number.

DDACS operates on layer 2, in a framework designed and intended in Windows for filter drivers. This placement allows filtering the complete data assembled by Windows protocols drivers on its way to NIC. Based on current set of rules the DDACS Network Filter decides whether to allow a network packet pass for transmission or drop it. Another part of Network Filter tests incoming packets for rules and makes a decision whether to allow a network packet enter Windows protocol drivers or drop it.

Please refer to Network Filter Rules for specification on how to create rules, how they are checked, ordered and how permissions are applied.

Files Access Filter

Files Access Filter provides an additional layer of access permission checks based on accessor program's name and resource (file) name. The protectable resource may be any file system object - a regular file, a program, a directory or a symbolic link. For any accessed file read, write, create, delete and execute permissions may be set.

Please refer to File Filter Rules for specification on how to create rules, how they are checked, ordered and how permissions are applied.

Application Firewall

Application firewall filters network requests made by applications. Rules specification is similar to General firewall, but it operates on network requests rather than data packets. Rules allow specification of source and destination addresses, ports, requests and accessor programs. Programs are specified in the same way as for files and registry and processes filters: a DDACS pattern, that allows either full program's path or even part of name (can match multiple programs with a single rule).

Please refer to discussion on TCP and UDP addressing in Network Filter.

Please refer to Application Firewall Rules for specification on how to create rules, how they are checked, ordered and how permissions are applied.

Requests are specific to protocol: connect and accept for TCP, send and receive for UDP. Application Firewall is available only in TotalAdmin Edition.

Registry Filter

Registry Filter provides a layer of access permission checks to registry, similar to Files Access Filter: rules are matched based on accessor program's name and resource (registry key) name. For any accessed key read, write, create and delete permissions may be set.

Please refer to Registry Filter Rules for specification on how to create rules, how they are checked, ordered and how permissions are applied. Registry Filter is available only in TotalAdmin Edition.

Process Killer

Process Killer is a stand-alone feature that allows user to terminate, suspend and resume any running process. It is not based on any filter, but rather is provided as a convenience, in order to stop/pause a suspicious process for applying rules policy to it. Process Killer is available only in TotalAdmin Edition.

Licenses and Editions

DDACS 2.0.1 is available in TotalAdmin (full featured) and Free (feature-limited) editions. TotalAdmin edition is provided with 30-day evaluation, after which it needs to be paid and registered as unconstrained TotalAdmin edition. Free edition is not time-limited.

In order to obtain th unconstrained DDACS TotalAdmin edition you need to install first Free or TotalAdmin evaluation. Then you can upgrade as follows:

Go to DDACS purchase/registration page and purchase the TotalAdmin unrestricted license
Receive your Receipt ID in your e-mail box
Run DDACS Registration utility, check Register commercial edition, input (may copy+paste) Receipt ID and click OK
Restart your computer to run DDACS TotalAdmin unrestricted edition

Installing DDACS

Installation of DDACS is easy. Download a self-extracting installer package suitable for your operating system, run it and follow the installation instructions. The installation asks only three questions:

About installation directory (default is "c:\Program Files\DDACS")
If you want to install default rules set
If you want to start DDACS automatically
When asked to reboot, do it in order to complete installation

If you ever want to uninstall DDACS, follow the procedure below.

Open DDACS Command Prompt and run "ff -ra" in order to disable DDACS self-protection. You will be asked for administration password, input it in order to proceed
Run "uninstall-ddacs.exe" from command prompt or "Uninstall" from DDACS start menu
When asked to reboot, do it in order to complete uninstallation

Using DDACS

This chapter describes DDACS essentials and configuration tools and files.

DDACS Control Panel

DDACS Control Panel is the most convenient way to create and manipulate rules. It has tabs for all features included in the installed edition (please refer to editions/features grid table). Use the tabs to get access to relevant features.

There are 9 operating buttons: "Add", "Delete", "Edit", "Save", "Load", "Log", "Retrieve", "Process Killer", "Help" and "Exit" button. It's easy to distinguish them by their icons; besides, all buttons display a tooltip when you stop a mouse over them.

In order to add a new rule, click on "Add" button (green "+") and fill parameters relevant to the filter.

In order to delete a rule, select it and click on "Delete" button (red "X"). The rule is selected by clicking on its first parameter (here in "File System AC" it's "Program" column).

In order to edit a rule, select it and click on "Edit" button (pen with notepad). Fill or change parameters relevant to the feature.

"Save" (diskette icon) and "Load" (green arrow going out of a folder) buttons save and load rules for the current filter to/from rules file on disk. Each filter has its own rules file (see "Command-line Tools" below).

"Log" button opens violation log for the feature currently used.

"Retrieve" button retrieves currently effective rules from the filter. It's rarely needed.

"Process Killer" button opens Process Killer window.

"Help" button opens documentation.

"Exit" button quits Control Panel program.

Command-line Tools

Command-line tools provide an alternative CUI interfaces and automatic load functionality. In most aspects they duplicate functionality of relevant control panel filters, with summary of differences appearing below.

The control panel is the most convenient tool to add, remove and manipulate rules. Command-line tools are mostly intended to be used in start-up or installation scripts.

There are three command-line programs: "nf.exe" (Network Filter), "nfp.exe" (Application Firewall) and "ff.exe" (Files Filter).

nf has the following command-line usage:

nf - DDACS
network packet filter and related functionality management utility



    One of command options (-s, -r, -R, -rp,
-c, -S, -save, -l, -log, -clear_log, -ver, -help, -h, -?) must be
specified.



Usage:  nf -panel_id N {-s rule_number|-r|-R rule_number|-l|-c
command_file|-log|-clear_log|{-S|-save} command_file} [{-m | -m!}
pattern] -panel_id <id> [-pass <password>]

    -s:    set a
rule

    -r:    remove
a rule

    -R:    remove
a rule by number

    -l:    list
all rules

    -m:   
specify pattern to match in payload (must be enclosed in "")

    -m!:   
specify pattern to match not in payload (must be enclosed in "")

    -c:   
specify command file to read rules

    -panel_id
(req):    specify panel (CP tab) and feature
ID to associate with the rule. 1=file system  2=general
firewall  4=application firewall  5=TCP
clients  6=TCP servers  7=website blocker 
8=programs blocker  10=registry  12=UDP
ports  

    -log:    show
events log

   
-clear_log:    clear events log

    -S, -save:   
specify command file to save rules (old file is saved with ".bak"
extension)

    -stats:   
get stats

    -level:   
specify rule's level (0 - default)

    -pn:    give
policy name to a rule

    -rp:   
delete all rules that implement a policy

    -ver:    get
version

    -pass
<password>:    provide
password from command line (must be embraced with <>)

    -help, -h, -? [option] (command
option):    show help, possibly for specific
option

"-s" and "-r" are interactive commands, they will ask you for all relevant parameters. You may input "any" instead of actual parameter (where applicable: source and destination address, source and destination port, protocol). For source and destination addresses you may put "default" for default your computer's address. Please refer to Website Blocker and General Firewall for details.

For protocol type "ip", "icmp", "tcp", "udp" or "any".

"-c" option is used to load rules from a file. In order to be consistent with the control panel, use "ddacs-nf.rul" for general firewall rules and "ddacs-web-block.rul" for WWW Blocker rules. Note that rules in "ddacs-web-block.rul" must follow very special convention; refer to Website Blocker for details.

"-panel_id" option lets you specify panel (CP tab) ID. CP tabs manipulate only rules designated to them. Use "-panel_id 2" for rules designated for general firewall and "-panel_id 7" for rules designated for WWW Blocker.

You may notice that there are more rules listed by "nf" than by CP. This is because when you specify domain name as either source or destination address, the rule must match all IP addresses that this host is translated to. Since the Network Filter operates on packet level, it needs to have a rule per each IP address. When "nf" or control panel upload a rule, they upload a rule for each IP address . Consequently, there is an additional difference: when you delete rules for a domain with "nf -R" or "nf -r" you have to remove every IP rule that belongs to it. DDACS Control Panel does it automatically.

ff has the following command-line usage:

ff - DDACS files filter and general management utility



    No command is specified.



Usage:  ff -panel_id N -s [-time] [-level
<N>] [-pn policy_name] | -r | -R rule_number | {-ra | -Ra
| -rp policy_name} | -l [-a] | -c command_file | {-S|-save}
command_file | -log | -clear_log} | -ver | -U | -t | -self_protect |
-list_proc {-help | -?} | -suspend pname | -resume pname | -suspend_pid
pid | -resume_pid pid | -list_proc | -kill pid [-reg] [-pass
<password>] [-u]

    -s:    set a
rule

    -time:    use
start/end time (when setting a rule)

    -r, -R:   
remove a rule by number

    -ra, -Ra:   
remove all rules

    -l:    list
rules

    -a:    list
all rules (including invisible and permanent)

    -c:   
specify command file to read rules

    -S, -save:   
specify command file to save rules (old file is saved with ".bak"
extension)

    -panel_id
(req):    specify panel (CP tab) and feature
ID to associate with the rule. 1=file system  2=general
firewall  4=application firewall  5=TCP
clients  6=TCP servers  7=website blocker 
8=programs blocker  10=registry  12=UDP
ports  

    -log:    show
events log

   
-clear_log:    clear events log

    -reg:   
operate registry key rather than files

    -suspend:   
suspend all instances of a program

    -resume:   
resume all instances of a program

   
-suspend_pid:    suspend a process by PID

   
-resume_pid:    resume a process by PID

   
-list_proc:    list running processes

    -kill:   
terminate a process by PID

    -t:   
terminate agent

    -U:    allow
driver unload

   
-restore_defrules:    restore default rules

    -level:   
specify rule's level (0 - set defaults)

    -pn:    give
policy name to a rule

    -rp:   
delete all rules that implement a policy

   
-self_protect:    reload internal self
protection rules

    -ver:    get
version

    -pass
<password>:    provide
password from command line (must be embraced with <>)

    -help, -h, -? [option] (command
option):    show help, possibly for specific
option

As it immediately appears, the options are very similar to those of "nf" and they have the same meaning. Please refer to Files Access Filter and Programs Blocker for details.

"-c" option is used to load rules from a file. In order to be consistent with the control panel, use "ddacs-ff.rul" for general files access rules and "ddacs-prog-block.rul" for Program Blocker rules. Note that rules in "ddacs-prog-block.rul" must follow very special convention; refer to Programs Blocker for details.

"-panel_id" option lets you specify panel (CP tab) ID. CP tabs manipulate only rules designated to them. Use "-panel_id 1" for rules designated for general files access control and "-panel_id 8" for rules designated for Program Blocker.

Process killer and registry functions of "ff" are available only in TotalAdmin Edition.

nfp has the following command-line usage:

nfp - DDACS application forewall filter and related
functionality management utility



Usage:  nfp {-s|-r|-R
rule_number|-l|-log|-clear_log|{-S|-save} command_file} [-m "pattern"]

    -s:    set a
rule

    -r:    remove
a rule

    -R:    remove
a rule by number

    -l:    list
all rules

    -p:    get
list of processes and upload them to driver

    -m:   
specify pattern to match in payload

    -c:   
specify command file to read rules

    -panel_id
(req):    specify panel (CP tab) and feature
ID to associate with the rule. 1=file system  2=general
firewall  4=application firewall  5=TCP
clients  6=TCP servers  7=website blocker 
8=programs blocker  10=registry  12=UDP
ports  

    -log:    show
events log

   
-clear_log:    clear events log

    -S, -save:   
specify command file to save rules (old file is saved with ".bak"
extension   
-level:    specify rule's level (0 - default)

    -pn:    give
policy name to a rule

    -rp:   
delete all rules that implement a policy

    -time:    set
time constraints for program's usage

    -hosts_bl:   
set host blacklist rule

    -pass
<password>:    set password
from command line (must be embraced with <>)

-l may be used with -s or -r

The meaning of options is similar to options of "ff" and "nf" programs. "-s" and "-r" options are interactive and will require input of rule details. "nfp" utility is available only in TotalAdmin Edition.

The table below summarizes correspondence of parameter to "-panel_id" argument to installed feature and default rules file. You should use correct parameter in order for relevant feature to operate correctly. Default rules file is what is automatically loaded for each feature when the system starts (if you answered "yes" to an "Automatic Start" question during installation) and what is loaded and saved by GUI programs. Using command-line tools you can load additional files for every feature.

Panel ID	Feature	Default Rules File
1	Files Access Control	ddacs-ff.rul
2	General Firewall	ddacs-nf.rul
4	Application Firewall	ddacs-nfp.rul
5	TCP Clients Rules	ddacs-tcp-client.rul
6	TCP Servers Rules	ddacs-tcp-server.rul
7	Website Blocker	ddacs-web-block.rul
8	Programs Blocker	ddacs-prog-block.rul
10	Registry Access Rules	ddacs-reg.rul
11	Processes Access Rules	ddacs-proc.rul
12	UDP Ports Rules	ddacs-udp-ports.rul

Pattern Matching

Pattern matching is a unique feature of DDACS.

Patterns are loosely based on regular expressions syntax, however they don't implement all regex functions. One visible difference is that in DDACS patterns repetition specifiers (*, +, ?) are prefix to argument, while in classical regular expressions they are suffix. There are also several limitations on DDACS patterns compared to classical regular expressions:

sets can't be nested
alternations and multi-character sub-expressions are not supported

Basically patterns are strings of data to match with some characters having special meaning: they specify instructions to matching implementation embedded in data. A table below specifies syntactic elements of DDACS patterns.

Element	Meaning
.	Any single character matches
[xyz]	Any of the characters embraced in square brackets matches a single character. Any character not in set doesn't match
^x	Any character except x matches ("x" here is some single character). ^* (not anything) combination matches end of pattern. Use it to match the pattern exactly at the end
[^xyz]	Any character except any character belonging to set matches ("x" here is some single character)
?x	"x" appearing 0 or 1 times matches ("x" here is some single character). The meaning of this construct is in matching "x" if it appears, so that the next character in search set is compared to a character after "x"; if "x" doesn't appear in search set in this positions then it is considered as appeared 0 times and that character is compared to the next character in argument string.
*x	"x" appearing 0 or more times matches ("x" here is some single character). The meaning of this construct is in matching "x" if it appears, so that the next character in search set is compared to a character after "x"; if "x" doesn't appear in search set in this positions then it is considered as appeared 0 times and that character is compared to the next character in argument string. "*x" matches any number of repeated "x" characters
+x	"x" appearing 1 or more times matches ("x" here is some single character). The meaning of this construct is in matching "x" if it appears, so that the next character in search set is compared to a character after "x"; if "x" doesn't appear in search set in this positions then the matching fails. "*+" matches any number of repeated "x" characters, but no less tha 1.
\	Backslash has a special meaning. It is an escape character, which allows specification of characters that are non-printable or otherwise hard to specify. "'\\" means a single backslash character "\r" is "carriage return (ASCII 13) "\n" is "new line" (ASCII 10) "\t" is "tabulation" (ASCII 8) "\xHH" is a character specified by its ASCII code in hexadecimal ("\" ad "x" are literally backslash and "x", and "HH" are two hexademal digits (their ASCII codes). "\" followed by any other character means matching a single appearance of that character (the same effect as if "\" did not appear). This is important in order to type symbols that are used for control when not escaped: '.', '[', ']', '^', '*', '+', '?'

Patterns are used by many features of DDACS:

General (packet) firewall can optionally search for patterns in inbound and outbound packets
All files filter features use patterns for program names and target objects (files)
Registry filter uses patterns for program names and target registry keys

DDACS patterns are always case-sensitive. However, programs, files, registry and host names are matched case-insensitive.

Features and Editions

The table below specifies which features are included in what editions.

	Free	Total Admin
General Firewall	Yes	Yes
Application Firewall	No	Yes
Files Access Control	Yes	Yes
Website Blocker	Yes	Yes
Program Blocker	Yes	Yes
Registry Access Control	No	Yes
Process Killer	No	Yes
TCP Clients Rules	No	Yes
TCP Servers Rules	No	Yes
UDP Ports Rules	No	Yes

Network Filter

This chapter describes user interface and functionality of the Network Filter (general, or packet, firewall).

Purpose

The purpose of the Network Filter (packet firewall) is to extend built-in Windows networking security with packets-bound rules-based firewall. Flexible rules structure allow implementation of efficient security strategies.

Rules

The Network Filter rules are specified with the following parameters:

Source IP address and mask
Destination IP address and mask
Protocol
Source and destination ports for TCP and UDP protocols
Pattern to match in packets (optional)
Aggregate and decision inversion options
Action

Source (destination) IP address may be a regular dotted IPv4 address (in form of xx.xx.xx.xx), a host name or an option "any" meaning that any source (destination) IP address will match the rule. A special hostname "default" may be used instead of real IP address or host name, which will translate into default local computer address used for internet connection. Please note that this is not the same as localhost address (127.0.0.1), which cannot be used to connect to internet. An additional decision inversion ("any but this") option may be applied, which means that the rule matches all packets that don't match the rule's source (destination) IP address.

If host name is specified as source/destination address, then distinct rules will be created for all IP addresses that match the host name in DNS records.

Protocol specification lets you choose a protocol that the rule will match. It may be IP, ICMP, TCP or UDP. Please note that since TCP and UDP are nested in IP payload, a rule specified for IP protocol will match TCP and UDP tool. Additionally there are options "any" (meaning any protocol in packet will match the rule) and "any but this" - meaning that the rule matches all packets that don't match this protocol.

Source (destination) mask is a regular dotted IPv4 network mask. It has the same meaning for the Network Filter as network mask has for packets reception and sending: while matching a rule only masked-in (1's) bits are considered. This allows using a single rule in order to create access policy for a whole network. Please note that the mask is effective only for DDACS IP address matching. It doesn't affect real network settings, doesn't have to match them and doesn't have to conform to standard classful IP addressing.

Source (destination) port is applicable only for TCP and UDP protocols. It identifies port that will be matched in network packets in order to apply the rule. "Any" port and "any but this" options are available.

Pattern is optional to match the network packets. If specified, only packets that match the pattern are applied the rule. "Any but this" option is available, meaning that only packets that do not match the pattern are applied the rule. Please refer to Pattern Matching for description of patterns and how they are specified.

Action instructs the Network Filter what to do with the packet when a rule is applied. It's either “allow” or “block”. If no rule is applied to a packet, it is allowed.

The rules have priority rules recognized by the Network Filter. In general for every parameter specific rule takes precedence over aggregate rules (i.e. containing "any" and "decision inversion" options). A specific rule that specifies all parameters (protocol, source and destination addresses, ports if applicable and possibly pattern) has the highest priority. Every aggregate rule specification ("any" or "any but this") decreases priority by one level. This priority scheme is intended to allow specifications of general ("aggregate") rules and specific exceptions that will always apply. (Note that rules with the same number of aggregate options have the same priority level; their priority relative to each other is unspecified. Please take care not to have multiple aggregate rules of the same level match the same packets).

Specification of both "any" and "any but this" options is possible, but senseless: both options will apply, effectively nullifying each other - the rule will not match any possible packet.

Network Filter rules may be added and removed at any time using DDACS Control Panel or command-line nf utility. Please refer to DDACS Control Panel (GUI) and Command-line tools (CUI) for details. Additionally, current set of rules may be saved to files file and content of rules file may be loaded at any time (including start-up).

Website Blocker

Website blocker is a simplified interface to Network Filter designed to easily block access to unwanted websites. It allows you to specify IP address or name of a site and applies the following parameters:

Any source address
Destination address is set to the specified website.
Source port is any
Destination port is set to 80 (http) unless you specified non-standard port. You may also specify any destination port.
Source and destination masks are set to 255.255.255.255, specifying application of the rule to individual IP addresses that correspond to the website.
Pattern is not used

In order to specify website to block, open "WWW Blocker" tab and click on "Add Rule" button, which will open "Add WWW Blocker Rule" dialog. Enter site to block in "Site" edit box. If you are blocking access to server that accepts connections on a nonstandard port or a non-HTTP server, click on "Non-standard Port" and enter port number in its edit box.

[ddacs_cp_add_www.png]

Note that you would need to block connections to non-standard port only if you know that the server accepts them on that port. You may know that by looking on the address line that you are using to access website:

http://www.microsoft.com - uses standard port 80
http://www.microsoft.com:8080 uses non-standard port 8080.

When using non-standard ports, do not place port specification in the sebsite address specification (like ":8080" part of the address above). Other than that you may copy-paste from browser's address bar to "Add WWW Blocker Rule" edit box in order to block sites that you found to be unwanted while browsing.

You may block tunneled web access (like HTTPS) or different protocols specified with protocol scheme in web address (e.g. "rtsp://" or "ftp://"). If you need to block such protocols, use their website address with non-standard port appropriate to the protocol. You may copy address line from browser's address bar, similar to the described above. Suppose that you want to block FTP site like "ftp://3dftp.com". Select "WWW Blocker" tab on DDACS Control Panel, click on "Add Rule" button, then enter "3dftp.com" or "ftp://3dftp.com" in "Add WWW Blocker Rule" dialog's "Site" edit box, check "Non-standard Port" and enter "21", which is FTP control port. Click OK to add the rule. That's all, FTP access to site "3dftp.com" is blocked.

WWW blocker may be easily and effectively used to block any TCP client on your computer. Below you may find a table with some frequently used protocols that you can block with "non-standard port" option and ports to use:

Protocol	Port
HTTPS	443
FTP	21
RTSP	554
SIP	5060 (or 5061)
MMS	1755
TELNET	23
SSH	22

Alternatively, you may specify general firewall rule as described below.

UDP Blocker

UDP blocker feature lets you control UDP traffic. You can specify local and remote ports and choose what action to apply. Action that can be applied is "allow" or "block".

UDP blocker creates two rules for every pair of local/remote ports. One is with local address and port(s) as source and remote as destination and another one with remote as source and local as destination. This way traffic in both directions between local and remote ports is applied the specified action.

In the example below a UDP ports rule is set to block all communication between any local TFTP client and any remote server. We don't plan to use TFTP client on purpose, so any TFTP communication is not authorized by us and we want to block it.

UDP blocker feature is available only in TotalAdmin Edition.

[ddacs_cp_add_udp-port.png]

General Firewall

General Firewall feature allows explicit control with all means provided by Network Filter.

The simplest rules are blocking specific application-layer protocols or, alternatively, enabling them when by default they are disabled. Let's suppose that we want to block FTP access to ftp://3dftp.com, similar to example above. Select "General Firewall" tab, click on "Add Rule" button, then in the "Add General Firewall Rule" dialog:

[ddacs_cp_add_genfw.png]

Select "TCP" in "Protocol" combo box
Check "Any Source Address"
Enter "3dftp.com" in "Destination address" edit box, "255.255.255.255" in "Destination Mask" field
Select "21 (ftp") in "Destination port" combo box
Select "Block" in "Action" group radio buttons
Click "Add"

That's it, access to "ftp://3dftp.com" is blocked

As described in "Website Blocker" chapter Website Blocker, all TCP clients are easier blocked with "Website blocker". Suppose now that we want to allow reception of MMS stream data (via UDP port 1755) while entire UDP protocol is disabled by default. Select "General Firewall" tab, click on "Add Rule" button, then in the "Add General Firewall Rule" dialog:

Select "UDP" in "Protocol" combo box
Check "Any Source Address"
Enter "default" in "Destination address" edit box, "255.255.255.255" in "Destination Mask" field, or alternatively check "Any Destination Address"
Select 1755 (ms-streaming) in "Destination port" combo box
Select "Allow" in "Action" group radio buttons
Click "Add"

That's it, UDP port 1755 (MMS) is allowed as an exception to general UDP blocking rule.

Network Filter searches inbound and outbound traffic for patterns.

Patterns are matched as general purpose, they don't have any special semantics in a network packet. If an option to match a pattern was specified in a rule, the pattern will be searched for in the entire packet. If matched and other rule specifications match input too, then the action will be applied. It is possible to use patterns to specify for example domain names (so that a certain domain name will be blocked if appeared in any protocol; it is also possible to specify pure binary data, such as piece of virus or malicious program code.

Patterns allow creation of very flexible rules, but you should remember that they assume heavier processing on the Network Filter. Use them carefully and remember not to overload the Network Filter with too many patterns. If having doubts, test suggested set of rules on real system for some time and pay attention on regular performance.

Patterns are more effective in blocking TCP connections with unwanted content than UDP. While in UDP traffic only compromised datagrams will be dropped and the rest of traffic will arrive, when a TCP segment with compromised data arrives, it will be dropped no matter how many times it comes. As it will appear for both connection sides, a TCP segment with unwanted data will always be lost. Since TCP can't tolerate lost segments in connection, after reaching maximum number of retransmissions on the side that sends unwanted data, the entire session will be terminated.

Files Access Filter

This chapter describes user interface and functionality of the Files Access Filter.

Purpose

The purpose of File Access Filter is to enhance built-in Windows user-bound files access rules with programs-bound access rules. Also Windows files access control is effective only on NTFS; FAT32 and other file systems don't have native access control. DDACS provides access control based on file names and is not bound to any specific file system.

Rules

The Files Access Control rules are specified with the following parameters

Accessor program name
Accessed file name (pattern)
Type of access: read, write, create, delete, execute. May be any combination of these
Action: allow, alert, log or block

Accessor program name is a pattern. It's program's name, which will be compared to names of programs that actually try to access a file. You may specify only short program's name, so the program with specified name started from any path will apply to this rule. Using patterns, you may craft a pattern that will suit multiple programs with a single rule. You may also specify "any program" to apply this rule to or "any but this" to apply this rule to all programs except the specified.

Accessed file name is a pattern. You may specify a complete file name with path, only a file name or a pattern to match many names. Remember that DDACS pattern syntax is different from OS file naming wildcards. E.g. in order to specify "readme*" put down "readme*." Complete file names with extensions may be used as is, e.g. you may write "readme.txt" in order to specify this file instead of "readme\.txt" - since '.' matches any character, it will match dot too (but take into account that readme_txt will also match). You may specify "any but this" to apply this rule to all files except those that match specified name. If you would like the rule to apply to any file, specify "*." as file name.

Programs Blocker

Program blocker is a feature based on simplified interface to Files Access Filter, designed to easily block unwanted programs. It allows you to specify program name or full path, then creates a Files Access Control rule with the following parameters:

Any accessor program
Read and execute request
File resource is the program you requested to block

In order to add a program to block, activate "Program Blocker" tab. click "Add rule" and enter program to block

[ddacs_cp_add_prog.png]

The effect of this rule is that no program or another entity in the system may access the blocked program for read and execute, so the program can't be loaded into memory and run or even copied under another name. This feature is designed to stop malicious or otherwise unwanted program that already slipped through your computer's security and registered itself to run at startup, or infected another program that runs at startup. Blocking the program from running allows you to take time to delete it from disk or cure it with anti-virus.

Having patters specify program name allows flexibility when defining a single rule:

you may specify full path, so that only the version of a program installed there will be blocked
you may specify only program name, so that any version of the program that has the same program name will be blocked
you may specify a pattern, so that entire group of programs matching it and starting from any path will be blocked
you may specify full path with a more generic pattern, so that only versions of a program starting from the same sub-path are blocker

Note that the pattern syntax is different from file system wildcards. E.g. if you want to prevent any cmd-file from being executed, the correct file name specification will be "*.\.cmd". Also note that DDACS pattern matching is always case-sensitive, while Windows matches file names case-insensitive (although the file names themselves are case-sensitive). In order to specify complete blocking of "cmd" files, the file name specification should be "*.\.[Cc][Mm][Dd]". Particularly, specification of "*.cmd" will work for files like "batchfile.cmd", but it will also match files such as "mycmd" (without dot).

Additionally you may specify time constraints when the rule is in effect:

Start and end date and time, period during which the rule applies
Days of week
You may check periodically, so that the rule is applied on specified days of week infinitely

General Files Access Control

Files Access Blocker is an interface to Files Access Filter that allows you to specify all available options. In order to define a rule for File Access Blocker the following parameters should be submitted:

Accessor program name or "any program" checked - a pattern that is searched in path of accessor program during file operation filtering. You may specify a full path, a program name or a program name with sub-path or a pattern that will match multiple programs.

Protected resource file name, which is a pattern. You may specify full path, only file name, file name with partial path, part of a name etc. Note that if you want to prevent a specific program from accessing any file, the correct file name specification will be "*." (zero or more repetitions or any character), and not "*" or "*.*" as in file system wildcards. Also note that patterns in DDACS are case-sensitive, while Windows matches file names case-insensitive (although the file names themselves are case-sensitive). Please refer to Program Blocker examples to see how to specify case-insensitive names

Access to guard: create, delete, read, write, execute

Action to take when guarded access is detected: block, alert, log or allow

Note that File Access Blocker always guards opening or creation of files (except for delete). Create, read, write, execute is type of access that the accessor program specifies when opening/creating a file. An attempt to open protected resource with unwanted access will result in "Access denied" error reported to accessor program; and if the accessor program attempts to make an access not requested when the program was opened, then it will receive the same error "Access denied" from Windows.

Application Firewall

This chapter describes user interface and functionality of the Application Firewall (filter of applications network requests).

Application Firewall filter and all its features is available only in TotalAdmin Edition.

Purpose

The purpose of Application Firewall is to augment General (packet) Firewall protection with program-specific rules. While General Firewall operates on network packets based only on their contents, Application Firewall operates on Windows networking API requests made by specific programs.

Rules

The Application Firewall rules are specified with the following parameters:

Accessor program name (pattern)
Request (send, receive for UDP; connect, accept for TCP)
Source address and port (local address for connect, send; remote address for accept, receive)
Destination address (remote address for connect, send; local address for accept, receive)
Action: allow, alert, log or block

Accessor program name is a pattern. It's program's name, which will be compared to names of programs that actually try to access a file. You may specify only short program's name, so the program with specified name started from any path will apply to this rule. Using patterns, you may craft a pattern that will suit multiple programs with a single rule. You may also specify "any program" to apply this rule to or "any but this" to apply this rule to all programs except the specified.

Source (destination) IP address may be a regular dotted IPv4 address (in form of xx.xx.xx.xx), a host name or an option "any" meaning that any source (destination) IP address will match the rule. A special hostname "default" may be used instead of real IP address or host name, which will translate into default local computer address used for internet connection. Please note that this is not the same as localhost address (127.0.0.1), which cannot be used to connect to internet. An additional decision inversion ("any but this") option may be applied, which means that the rule matches all packets that don't match the rule's source (destination) IP address.

If host name is specified as source/destination address, then distinct rules will be created for all IP addresses that match the host name in DNS records.

Clients

Clients rules feature allows you to control destination sites to which client programs can connect, and time when the rule is in effect. Time control is effective for parental controls, as well as restricting any user's use of internet clients on your computer.

Clients rules always apply to connect (TCP) requests made by client programs. Source IP address is any. Destination address is remote site name or IP address. Action is block, alert, log or allow.

Time options let you to define periods of time during which the client rule is active. You may select start time, end time and optionally specify that applying the rule is periodic, i.e. the rule is active during specific days of week between start and end time.

[ddacs_cp_add_tcp_client.png]

In this example a program Internet Explorer (IEXPLORE.EXE) given by its full path is prevented from accessing web server www.google.com on port 80 (default HTTP port).

Servers

Servers rules feature allows you to control local server programs that accept connections from remote sites. The feature is primarily intended for "illegal servers", i.e. malicious programs that act as servers without advertising this part of their functionality. You can prohibit any program from being a server and make exceptions for the server programs that you installed, or you can prohibit just particular programs that attempt acting as servers when they shouldn't.

[ddacs_cp_add_tcp_server.png]

In this example a rule is created to prevent any program from providing TELNET service on our computer. We don't intend to use TELNET on purpose, so any program that attempts to accept TELNET connections should be prevented from doing so.

Full Application Firewall

Application Firewall feature allows you to control all requests that are filtered by Application Firewall filter for any program, for any local and remote address. You can use any specification for programs, local and remote addresses for prohibition rule and then create exceptions, or individually allow/prohibit programs from making network requests. You can choose the following actions when the rule is matched (applied):

allow - request is allowed

block- request is blocker

log - request is allowed, but recorded in violation log

alert - a pop-up Window appears, explaining request attempted by a program and asking you what to do with it. Request is blocked until you respond, then it's acted upon according to your choice. You may choose to allow once or block once, in such a case your decision is applied to current request and the next matching request from the same program will prompt you again. You may choose to allow or block permanently, in such a case a new rule will be created for the particular program that made an access - this new rule will override the "alert" rule.

In this example a rule is created to prevent a program IEXPLORE.EXE from any disk path (will work for multiple versions of the same program if their names are the same) to connect to remote server www.google.com port 80 from any local address and port.

Registry Filter

This chapter describes user interface and functionality of the Registry Filter.

Registry Filter is available only in TotalAdmin Edition.

Purpose

The purpose of Registry Access Filter is to enhance built-in Windows user-bound registry access rules with programs-bound access rules. Normally Windows allows only Administrator users to modify registry (create, modify and delete keys) and other users may have only read access. However, installers cause security prompt only once, and since they are granted Administrator privileges, nothing ever prevents them to create, write and delete any keys. In many cases however, it is still desirable to limit a program that reached privileged level to access just certain keys (or to allow it access anything but certain keys). DDACS registry filters adds a layer of elaborate program-based access control. You can specify what accessor programs can (or cannot) create, read, write and delete what registry keys.

Rules

The Registry rules are specified with the following parameters

Accessor program name
Accessed registry key (pattern)
Type of access: read, write, create, delete, execute. May be any combination of these
Action: allow, alert, log or block. Currently (as of version 2.0.1) alert is equivalent to block for registry rules.

Registry Access Control

Registry Access Control is an interface to Registry Access Filter that allows you to specify all available options. In order to define a rule for Registry Access Control the following parameters should be submitted:

Accessor program name or "any program" checked - a pattern that is searched in path of accessor program during file operation filtering. You may specify a full path, a program name or a program name with sub-path or a pattern that will match multiple programs.

Protected key name, which is a pattern. You may specify full path, only file name, file name with partial path, part of a name etc. Note that if you want to prevent a specific program from accessing any file, the correct file name specification will be "*." (zero or more repetitions or any character), and not "*" or "*.*" as in file system wildcards.

Access to guard: create, delete, read, write, execute

Action to take when guarded access is detected: block, log or allow

In this example a rule is created to prevent a program "notepad++.exe" given with its full path from creating, deleting sub-keys or writing values to key "CurrentVersion\\Run". The rule is intended to prevent a program from auto-starting through HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Special Features

This chapter describes special features that are not bound to any filter or use several filters.

Process Killer

Process Killer feature allows you to get list of all running processes, then terminate them or suspend and later resume.
Process Killer is opened by clicking a special icon in DDACS Control Panel or running a special GUI program. Using this feature is simple: a process PID of which is selected can be terminated, suspended or resumed by clicking respective button.

Process Killer is available only in TotalAdmin Edition.

Violation Log

This chapter describes using the violation log.

While most useful functionality of DDACS is effective and efficient management of access control, in invisible to the user manner, it is often also useful to know which rules were violated by what program. For this reason every DDACS feature also provides violation log.

Violation log takes form of an access that caused violation. Note that although this form is very similar to rule itself, it always appears as particular rule, showing what program made what access to what, even if the violated rule was aggregate.

The example below shows violation log of Files Access Control. Columns include violation time, action that was applied on access, violating program, file that it tried to access and what access was attempted.

[violation-log.png]

Violation log provides an interesting use case on its own. If you create a rule with action "Log" (either by rule creation/modification dialog or by choosing "Log" replacement for user-alert rule), the specified access will be granted, but recorded in violation log with action "[LOG]". This use case may be handy when used together with Sandbox feaure: files accesses are allowed, althogh go to Sandbox, network and registry access may be also allowed, but both will be logged. This will create a complete picture of accesses made by the sandboxed program, creating some trust for it, or to the opposite, confirming that it's malware.

Administration Management

DDACS 2.0.1 protects your administration with a password. It is assumed that the user is typically "over-privileged", in other words that guests and other users often work with computer owner's/administrator's privileges. It is therefore important to protect your security settings, so that when a user takes place as privileged, but is not DDACS administrator, he will not be able to change DDACS rules.

All DDACS programs (GUI and command-line) ask for password and check it when they start. Password may be changed with GUI or command-line password utility.

[ddacs_password_mgmnt.png]

DDACS installs with empty password. It is recommended to change it to password of your choice immediately after installation.

Defining Your Protection Strategy

This chapter discusses security threats that you may address with DDACS and optimal strategy to achieve your goals. The [DDACS 2.0.1 Use Cases] document provides ready receipts for different protection needs and strategies

Objectives

Objectives of good protection strategy are maximizing system's security while minimizing extra processing assumed on it for security checks. In order to achieve that, you need to understand potential threats, define security policies, realize how policy enforcement affects system performance and implement the policy using the minimal performance toll.

User Access Strategy

Despite that DDACS 2.0.1 doesn't provide user-bound access control, defining user access properly is important. Take into account the following considerations:

Are there other users besides you that will be using the protected computer? If the answer is "yes", then you should set their privileges in such a way that they can't run DDACS Control Panel and command-line tools, alter and remove rules. You should also protect other files in DDACS directory (rules files, uninstall program) so that other users will not be able to alter them or uininstall DDACS. The easiest way is to install DDACS with administrator privileges and have other users will less privileges
Create a separate set of rules for guest users to limit their access. Save them grouped by policy names. Load the rules before you give your computer to guest user and remove them when you get it back

Don't leave Alert rules in effect when giving computer to a guest user. Alert can't be answered by other user than DDACS administrator, so access that pops alert will remain "hanging" in the administrator user's login

If you use scripts to load and remote sets of rules, you ought to keep password in scripts as command-line tools parameter. When giving computer to a guest user, add also a rule to prevent any access to the scripts for the time when the computer is given away

Files Access Strategy

It is important to understand what kind of programs you intend to run and what kind of threats they project.

Since you are computer's administrator, the highest risk bear programs that you run yourself and that may have functionality not known to you. Those include first of all programs that you just downloaded from the internet (or received from another unreliable source) after reading their information and want to try.

A good policy would be to understand what files the program needs to access and allow only them, forbidding access to the rest of the system. Typically the programs access files that reside in their installation directory and that they prompt user to lead, save or otherwise use. You may enable files as the program asks you for them or when it reports that a certain file that it needs is denied access to
In order to load and execute the programs need read access to DLLs, both in Windows system directory and its own. In order to allow programs load, allow it read and execute access to all DLL files and forbit it write, create and delete access to any DLL file. This will allow the program run, but not allow it, for example, copy system DLL to its installation directory, modify it and use that modified system DLL in order to compromise system security. (This assumes that creating DLLs is not the program's documented functionality, e.g. the program is not a development environment
Unless the program's documented functionality includes running other programs, you may want to forbit it execute access to ".exe", ".cmd", ".bat", ".com" and possibly all files. Note that programs may run other programs if they intentionally open files formats for which there is a registered viewer/editor (e.g. a program may open "BMP" file for editing by running Paintbrush on it or show text file in Notepad). In most cases the well-behaved program will report failure of opening the file and possibly the program that it tried to use for open. It's then safe to add exception rule for that program that will allow it run default viewer ("pbrush.exe" or "notepad.exe" in example above)
If a program unexpectedly fails after you applied the rules and possibly the operating system reports its attempted access to some file it shouldn't access then it's a good indication that the specific program is not safe to run. You may block it completely from running with Programs Blocker and uninstall it (with provided uninstaller, Windows Control Panel or simply remove it from disk)
Sometimes malware distributes via e-mail attachments, using door opened by not attentive users who set e-mail program's options "Automatically Run Attachments" to "On". Even if you don't have this option "on", you may occasionally want to run attachments. If the attachment you want to run is an executable, create file access rules for it similar to example above on a program downloaded from internet. Otherwise, if the attachment is a script, create a rule for e-mail client and/or for default viewer registered for this kind of scripts
Similarly to e-mail programs you may want to limit access of scripts run by web browser. Many browsers boast versatile and sophisticated security policies, but there are always exploits found and used in them. This is the case where an additional access control will only help. If setting rules for scripts, specify browser program name (e.g. "iexplore.exe") as accessor program

For programs that come from trusted source, but include known exploits you may implement strategy similar to non-trusted programs.

You may want to block running programs that are infected or are already temporary executables created by malware, using Program Killer and Program Blocker. Once the program is blocked, you may run anti-virus to cure it, uninstall or delete its executable file.

Network Access Strategy

Compared to files access, network access doesn't present so immediate and strong threat to your system. At least if files access control is used effectively, your important files can't be overwritten or deleted and sensitive data will have any access disabled, with exception of some trusted programs. However, network attacks may be very annoying; additionally some sites you may find inappropriate for you or for other users of your computer.

Block inappropriate sites with Website Blocker
Block UDP inbound and/or outbound traffic completely, then allow specific ports on which your trusted programs communicate
You may want to block all TCP client access to your computer (meaning that servers are running on your computer), then allow ports for specific servers if you run them. TELNET, FTP server ports are the first candidates for blocking. Allow NetBIOS ports if you use Windows sharing
You may want to block all outbound ICMP traffic (ICMP is used to communicate errors). If it is blocked, your computer will not respond to erroneous packets and may be considered offline by other parties. If you want to ping a remote server, temporarily allow ICMP exception to that specific address, ping it then delete the exception rule
You may want to block all outbound connection requests except for well known to you programs. This will prevent unwanted programs, that may have passed security walls until they are able to run, from sending your data over internet
If you are trying a program that came from a non-trusted source and its functionality known to you doesn't include network communication, you may want to temporarily disable any network access via any protocol. If the program unexpectedly fails or reports failing a access to network access it was not supposed to attempt then it's a good indication that the specific program is not safe to run
Use patterns in order to filter received and sent contents. E.g. if you don't want to run annoying Javascript from a specific site, specify "text/javascript" as a pattern. You may also block specific pages within a site by specifying their names as pattern for inbound or even outbound traffic (e.g. "index\.html") Use patterns in order to drop specific attachments (pattern variation on its name), prevent download of specific files (block outbound packets with pattern "[Gg][Ee][Tt]*. specific-file-name")

Test-Driving

DDACS provides efficient means to test-drive programs that were recently downloaded and can't be yet trusted.

Pay more attention to Alert pop-ups when the test-driven program causes them. Consider if the attempted access is something that the program is supposed to do
Create Alert rules for Connect and Send access in Application Firewall. Again, consider if the attempted access is something that the program is supposed to do
Create Alert rules for Write, Create and Delete access in Registry Filter. Consider if the attempted access is something that the program is supposed to do
When the program slowly gains trust, you may remove the special restricting rules for it. If the program's behavior looks suspicious, you may at some point Suspend and Block it, and further delete it from disk

Parental, Guest and Employee Controls

DDACS offers several features suitable for parental controls.

Website blocker allows easily and efficiently block any access to inapropriate sites.

Programs blocker allows controlling when particular programs cannot be run. Controls are provided to prevent use of programs during certain period (between start and end time), during particular days of week in that period, or completely.

TCP Clients Rules allows controlling when particular programs can access specific websites or other web services. Controls are provided to prevent use of programs during certain period (between start and end time), during particular days of week in that period, or completely.

Process Killer allows suspending or terminating inappropriate programs

System Performance Considerations

Security filters add processing to your system in order to match patterns, compare rules etc. Naturally, the more rules there are the more processing is added. Some security suites are so overloaded with monitoring, informational and other services that they become main performance killers. It should be understood that the more sophisticated and complex features are provided, the more CPU time and memory resources they take. DDACS pays special attention to minimizing system extra load. During normal operation there are no user-mode services or background applications running - only two kernel filters. DDACS control panel and command-line tools are started when you need them and when you close them, they don't stay. A single rule uploaded to kernel filter takes only a few hundreds of bytes, with reasonable rules load their affect on memory use is not noticeable.

It should be understood that the biggest effect on performance have patterns specified for matching for Network Filter. The reason is that it must scan all relevant packets payloads. Relevant packets are the once that match the rule's source and destination addresses and ports. Apparently, it's preferable to always define patterns into more specific rules - then on-matching addresses will not do pattern matching. In traffic that consists of relevant packets exactly healthy packets (the ones that don't contain the pattern) take the most to process - the entire packet must be checked for relatively small pattern. Use patterns for Network Filter cleverly and carefully.

Files Access Control patterns present far less "performance threat". The reason is that opening a file is normally a less frequent operation than receiving a network packet. However, you should remember that all file names are patterns that are sought in actual accessor's path name. We can only suggest using Files Access Control cleverly and carefully,

Default Configuration

Default configuration is stored in Rules files and may be loaded at system start-up or reloaded from disk at any time. DDACS comes with default rules set that may be modified at any time later.

Recommendations

Access control rules are so different that it's hard to offer specific recommendations. We will attempt however, to provide general recommendation without claiming that we know the user's needs better.

In most cases a simple strategy "block everything" / "allow specific exceptions" is suitable. DDACS filters provide aggregate rules where almost all paramters may be specified as any. This includes "any protocol", "any destination port" in Network Filter and "any accessor program" in Files Access Filter
A general rule may be created along with a single exception, with the help of decision inversion options. Decision inversion is applied to any specific rule and the meaning is turned to "any BUT this parameter will match". E.g. Network Filter rule: "Protocol:TCP" with option "any but this" checked, "any" source and destination address and action "block" will actually block any non-TCP traffic. Decision inversion rules are used on specific rules; don't use them with aggregate rules. E.g. despite specification of "any" protocol and "any but this" is legal, it creates a senseless rule that matches no possible packet.
Use patterns moderately and think well relevant policies and affect on system performance and communications
It is generally recommended to start DDACS at system startup and apply automatic rules at startup. It is convenient, since use of the same computer will not change frequently, the basic rules set needs not to also. Automatic rules upload offers protection from that point on.
If you don't find it easy to find optimal rules set, you may change rules and save them frequently at first. In this case it is also beneficial to start rules at startup, that will give to the best picture on how they protect and how they affect performance.

Interoperability

Platforms Support

DDACS 2.0.1 supports Windows 7, 8 and 10. There are no special system requirements, any system that can run the OS can run the suite.

System Requirements

There are no specific requirements other than running Windows 7 or newer Windows operating system.

Interoperability with Other Security Software

DDACS is based on its kernel-mode and user-mode filters, and their rules-based policy enforcement. It doesn't register within the OS as security solution, so it doesn't have any interoperability issues with other software, including security packages.

You should remember however, that rules enforcement actually adds a tiny bit of additional processing on every file or network access. Other security packages in many aspects do the same, some adding more heavy processing, some less. Consequently, every security package adds toll on system performance, depending on its functionality and optimization. In order to get the best performance on a protected system you should design protection schemes from different packages so that you don't run the same task several times.

DDACS 2.0.1 Reference User Manual

Product Features Outline

Features

Understanding DDACS

Filters and Rules

Network Filter (Packet Firewall)

Files Access Filter

Application Firewall

Registry Filter

Process Killer

Licenses and Editions

Installing DDACS

Using DDACS

DDACS Control Panel

Command-line Tools

Pattern Matching

Features and Editions

Network Filter

Purpose

Rules

Website Blocker

UDP Blocker

General Firewall

Files Access Filter

Purpose

Rules

Programs Blocker

General Files Access Control

Application Firewall

Purpose

Rules

Clients

Servers

Full Application Firewall

Registry Filter

Purpose

Rules

Registry Access Control

Special Features

Process Killer

Violation Log

Administration Management

Defining Your Protection Strategy

Objectives

User Access Strategy

Files Access Strategy

Network Access Strategy

Test-Driving

Parental, Guest and Employee Controls

System Performance Considerations

Default Configuration

Recommendations

Interoperability

Platforms Support

System Requirements

Interoperability with Other Security Software

References