Avast WEBforum

Other => General Topics => Topic started by: J J on November 18, 2006, 06:38:29 PM

Title: Firewall
Post by: J J on November 18, 2006, 06:38:29 PM
Currently I am using Windows Firewall, but I have been told that I should use a better one, for example Comodo. Is Windows Firewall good enough or should I change? Personally I'm happy with Windows Firewall but I would like some views on the subject before I make a final decision.
Title: Re: Firewall
Post by: neal62 on November 18, 2006, 06:52:05 PM
This question has been asked and addressed many times here in the forum.  ;)
If you use the search function the forum has here and type in "firewall", you will get quite a few opinions that may answer your question.  :)
Title: Re: Firewall
Post by: Mastertech on November 20, 2006, 04:55:57 AM
That is a Myth. The XP SP2 firewall is excellent: XP Myths (http://mywebpages.comcast.net/SupportCD/XPMyths.html)
Title: Re: Firewall
Post by: bob3160 on November 20, 2006, 04:54:49 PM
Unfortunately it's not a myth that the Windows Firewall only protects incoming traffic unless
you're already using Vista.
Title: Re: Firewall
Post by: CharleyO on November 20, 2006, 07:34:06 PM
***

Hi JJ,

Please read my post at the link below for a better understanding of why you need a firewall with both inbound & outbound control.

http://forum.avast.com/index.php?topic=20921.msg175125#msg175125

Unfortunately, Windows XP firewall only gives inbound control. There are several ways for a computer to get infected. Inbound from the Internet is only one of those ways.


***
Title: Re: Firewall
Post by: hlecter on November 21, 2006, 01:29:03 AM
JJ;

You always have ZA Free which I use and have always used with no problems.  ;)

Light on resources, too. This is true for my version which is not the last one.
Title: Re: Firewall
Post by: Mastertech on November 21, 2006, 09:20:44 AM
It is impossible to guarantee outbound protection on any Windows XP computer. Once a file has administrative access it can get around any "outbound" protection at will.

Windows Firewall: the best new security feature in Vista? (http://blogs.technet.com/jesper_johansson/archive/2006/05/01/426921.aspx)

Promoting that users need outbound protection so they do not get infected is nothing but FUD.
Title: Re: Firewall
Post by: FreewheelinFrank on November 21, 2006, 10:47:09 AM
Quote
It is impossible to guarantee outbound protection on any Windows XP computer. Once a file has administrative access it can get around any "outbound" protection at will.

That depends on the sophistication of the firewall, and how well it protects itself and blocks outbound connections. Modern third party firewalls attempt to do both. Empirical results show some success:

Quote
An interesting point from the recent review of anti-virus software. One AV running with Windows firewall missed a Trojan which was able to disable the firewall:

Quote
It ignored several Trojans, one of which successfully disabled the Windows firewall, allowing potential attackers remote control of the system.

http://www.computershopper.co.uk/labs/220/anti-virus-exposed/products.html

Zone Alarm AV also missed some Trojans, but as it includes ZA firewall the story was different:

Quote
The anti-virus scanner missed four of our Trojans. But when one tried to contact the internet the firewall stopped it.

http://www.computershopper.co.uk/labs/220/anti-virus-exposed/products.html

http://forum.avast.com/index.php?topic=20986.msg176258#msg176258

Windows firewall makes no attempt to protect itself, storing settings in the registry where they are easily altered by malware:

http://www.spywareinfo.com/newsletter/archives/2005/oct27.php#winfirewall

There is no guarantee that a third party firewall will guarantee outbound protection. However there is a 100% guarantee that Windows firewall won't protect from outbound protection.

Quote
Promoting that users need outbound protection so they do not get infected is nothing but FUD.

Ha! This from the FUD Meister himself.

http://www.google.co.uk/search?q=fud+mastertech&ie=utf-8&oe=utf-8&rls=org.mozilla:en-GB:official&client=firefox-a
Title: Re: Firewall
Post by: hlecter on November 21, 2006, 10:52:46 AM
Quote
It is impossible to guarantee outbound protection on any Windows XP computer. Once a file has administrative access it can get around any "outbound" protection at will.


Agreed, but that's no reason for not using outbound protection.

An analogy is using an antivirus; it's no guarantee against viruses at all.

This is another layer of defence and the most important tool is still your brain.  ;)

I regularly take a 'known to be good' image of C to another partition.
In addition I hide that partition from me and windows. Yes, I have imaged back
a lot of times to completely undo things I have done.

But guarantee... no, just another level of protection.
Title: Re: Firewall
Post by: Mastertech on November 21, 2006, 01:40:02 PM
You are doing people a disservice irrationally recommending a Firewall with "outbound" protection. Once you are infected you are infected and a well written virus or malware can circumvent ANY Firewall on XP running as an administrator. That is an irrefutable FACT. No matter how much you want to believe that your "outbound" protection is keeping you safe it is NOT!

People need REAL security advice like making sure all Windows Security Updates are applied and they are running an updated Anti-Virus program and Anti-Spyware program.

I have been doing this for over 15 years and deal with this daily, outbound protection hasn't protected anybody from anything. Don't get me wrong power users may enjoy the application control and advanced logging but the average user doesn't need anything more than the built-in Firewall.
Title: Re: Firewall
Post by: PigDog on November 21, 2006, 01:53:25 PM
There is a lot of poorly written and unsophisticated malware out there and a good firewall will offer protection against that.

My car seatbelt won't save my life if I drive my car off a cliff, but it will help me in most fender-bending situations so I still wear it.
Title: Re: Firewall
Post by: Mastertech on November 21, 2006, 02:08:46 PM
How does the outbound protection help you here? You are already infected! Windows Defender is a better solution for "poorly" written Spyware by PREVENTING you from getting infected in the first place!
Title: Re: Firewall
Post by: bob3160 on November 21, 2006, 02:29:56 PM
Unfortunately, there isn't any software out there that will totally prevent you from
getting infected. Since the cure is always written after a new malware appears, protection or
prevention always lags behind a new outbreak.
All the user can really do is to plan ahead by creating a reliable recovery strategy and by practicing safe surfing
in the first place. IMHO
Title: Re: Firewall
Post by: J J on November 21, 2006, 02:36:32 PM
If i was to download another firewall like zone alarm would i have to uninstall the windows one?
Title: Re: Firewall
Post by: PigDog on November 21, 2006, 02:46:37 PM
Mastertech is right of course - I'm going to uninstall my firewall immediately.

I'm also going to stop taking the antibiotics that have been fighting my chest infection.  It was irrational of my doctor to suggest that they could at least stop the infection getting any worse.

Are Microsoft moving into healthcare anytime soon?
Title: Re: Firewall
Post by: bob3160 on November 21, 2006, 03:11:11 PM
Quote
I'm also going to stop taking the antibiotics that have been fighting my chest infection.  It was irrational of my doctor to suggest that they could at least stop the infection getting any worse.

Are Microsoft moving into healthcare anytime soon?

What does this have to do with the firewall discussion ???
Title: Re: Firewall
Post by: Mastertech on November 21, 2006, 03:47:14 PM
Quote
If i was to download another firewall like zone alarm would i have to uninstall the windows one?

No you can't but you can disable it. Now you need to ask why you are installing it. Because if you are trying to stop from getting hacked then Windows XP SP2's Firewall will do that. If you think it will stop you from getting infected, no more than Windows XP SP2's firewall. All it will do is provide better logging and more application control over what programs access the Internet, when and how. It will slow down your internet and PC performance.

The fact is everyone should use a Firewall and the XP SP2 Firewall is more than sufficient for the average user.
Title: Re: Firewall
Post by: FreewheelinFrank on November 21, 2006, 04:07:49 PM
Quote
If i was to download another firewall like zone alarm would i have to uninstall the windows one?

No. Zone Alarm and most other firewalls will disable Windows firewall when installed.

(http://donaldbroatch.users.btopenworld.com/za1.jpg)

(http://donaldbroatch.users.btopenworld.com/za2.jpg)

If you install a firewall which doesn't automatically disable Windows firewall, the normal advice is to disable it yourself. In XP SP2 this is done from the security centre. In pre SP2 XP, the firewall is found here:

http://www.geocities.com/dontsurfinthenude/firetut.htm
Title: Re: Firewall
Post by: polonus on November 21, 2006, 04:17:01 PM
Hi malware fighters,

In a sense part of the discussion is true, not the part that you can do without outbound protection, but the assumption that a firewall offers the same sort of protection it did a couple of years ago. In that respect and only in that respect MasterTech has a point, but in a different way as he presents it.
There are a lot of things just passing beyond your firewall's radar, because it was not designed to block this. Whereas a good firewall protected against the majority of attacks a couple of years ago, today a large part of attacks circumvents the firewall or passes right through it. Content scanning of port 80 protects against
the majority of these kinds of attacks. A good firewall could once ward off 95%
of all attacks; now a good 30% of malware vectors use a different way to infect.

Port 80, the main carrier port of all web traffic, is notorious in this
respect. Via the webmail interface an attack on the internal mail server
can be achieved. Inside a mail a weblink can be sent, where a click-through
can lead to a lot of trouble.
A good firewall is a must, but actually we have gone back to day 0 again to the days before firewalls were available.
Whereas today all sorts of applications have a web interface, in the future all sorts of distributed applications based on web services will use port 80. (Now you know why you have the avast webshield installed inside your browser). Even p2p-ing programs that are not supported by firewall proxies have a fall-back option for the web protocol.
Craig Hicks-Frazer, Managing Director of Blue Coat, measures that 50 to 70%
of all the traffic for his clients runs via port 80, and that percentage is only growing.

Checking web traffic for dangerous and undesired content is more difficult
than scanning in-coming mail. Simple in-line scanning, where web content is
being examined directly, does not offer a good solution. It means that the user
sits waiting for the next screen all the time. Using content scanning on demand
(DrWeb's hyperlink scanning) is better. But when things fail, one even could
get a time-out of the application. It is also difficult to apply on a larger
scale in commercial surroundings.

Caching appears to be the solution to these problems.
By saving all of the web cache (for all of the firm) and loading this even pro-actively, the scanner can perform on an acceptable scale. Even better, the web cache can enhance performance as a whole and lower the bandwidth used.
First the cache is checked before new content is brought in; if that takes a
while the user is served up with a "patience page". According to Hicks-Frazer
this was the reason that users started clicking again and again, while the
background system was busy scanning so it almost collapsed under the
enormous load.

That is why Blue Coat as a vendor of web cache and proxy systems applications is
now heavily into web content scanning. Their port 80 Security Appliances
do mainly consist of a web cache together with a security engine, that looks
after the implementation of set policies for URL and MIME type filtering, virus
scanning and bandwidth management.

Scanning and filtering is done via the Internet Content Adaptation Protocol
(ICAP) intertwined with content scanners. Supported here are applications like
WebWasher, Finjan SurfinGate, SmartFilter from Secure Computing, Websense,
Symantec CarrierScan Server and TrendMicro InterScan Server.
Setting policies for port 80 scanners is like setting management interfaces of
firewall systems. It looks like setting the rules for, let us say, Check Point
VPN-1/FireWall-1.

The protocols can be set for a user or for a group of users, the same as what
content can be approached, what content can be viewed and at what moment this
is allowed. So you can filter out abusive language, religious or fundamentalist
content, pr0n, but also sports and private stock, what could be allowed during
lunch hour could be a subject of debate. Then you could be free to do your
shopping, download your e-books etc. etc. So people would not linger on e-Bay.
For this reason, time-outs and content limits could be implemented.

From a security point of view filtering outgoing content is much more interesting.
So instant messaging may be allowed on the firm's Intranet but not on the
Internet. Sometimes only file-sharing is blocked, usb sharing is blocked,
and outgoing content is checked for certain terms to secure certain
documents or information to be leaked.

For the users everything should be as transparent as possible, first you get
a policy survey inside the browser, you have to agree with that before you
can go on the Internet. If you are in conflict with the policy you will get
a pop-up. Easiest is to block this, but better to use a form of social
engineering seeing to it that applications of this sort are being counted,
and no one wants to be "top of the list". This works, the same as "all your
attempts are going to be logged". The management has to be shown only
general surveys, because full reports would take too much of their time.

How you implement these policies as a home-user is interesting to know,
I think a form of hips and layered protection with in-browser security will grant you a way of securing your machine.

polonus
Title: Re: Firewall
Post by: FreewheelinFrank on November 21, 2006, 04:34:05 PM
Quote
The fact is everyone should use a Firewall and the XP SP2 Firewall is more than sufficient for the average user.

I guess it's a case of 'do as I say' not 'do as I do' as Mastertech is a Zone Alarm user:

http://forum.zonelabs.org/zonelabs/tracker?user.id=42221

Title: Re: Firewall
Post by: hlecter on November 21, 2006, 04:45:33 PM

Quote
The fact is everyone should use a Firewall and the XP SP2 Firewall is more than sufficient for the average user.

Not if you have got WGA NOTIFICATION tool on your machine and want to stop
it from calling home to Microsoft now and then. The average user, as you said,
will not be able to stop this calling home without ZA or another FW with outbound
protection.   ;D
Title: Re: Firewall
Post by: bob3160 on November 21, 2006, 05:22:51 PM
Quote
The fact is everyone should use a Firewall and the XP SP2 Firewall is more than sufficient for the average user.

I guess it's a case of 'do as I say' not 'do as I do' as Mastertech is a Zone Alarm user:

http://forum.zonelabs.org/zonelabs/tracker?user.id=42221


To me, all this proves is that he's a member of the ZA forum unless one of his posts states
that he actually uses ZA.
I certainly don't intend to read them all.

If you search for bob3160, you'll also find posts from me but, currently I'm not using ZA either.  :)
Title: Re: Firewall
Post by: FreewheelinFrank on November 21, 2006, 05:32:29 PM
Quote
Regardless I am VERY concerned ZA is screwing up NTFS file system level issues. I want a Firewall not modifications to the core of the Operating System's File System.

http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=12009#M12009

Despite coming here to tell us to use Windows firewall, Mastertech is a Zone Alarm firewall user.
Title: Re: Firewall
Post by: bob3160 on November 21, 2006, 07:08:40 PM
FWF,
All that proves is that he's tested the program.
Something a lot of us on here do with lots of programs.
Guess he can answer it by himself.
Title: Re: Firewall
Post by: J J on November 21, 2006, 11:49:17 PM
Thanks for everyone's views. I think I will download another firewall just to be on the safe side. I will also keep the Windows one.
Title: Re: Firewall
Post by: neal62 on November 22, 2006, 12:50:40 AM
You're welcome J J. But now, maybe you can see why I was glad I responded first to your question with the answer I did here in this post. All of these answers you got here have already been cussed and discussed before here in the forum. So, now you see that events and things do repeat themselves.  ;)
Title: Re: Firewall
Post by: OrangeCrate on November 22, 2006, 11:36:06 AM
Quote
I certainly don't intend to read them all.

That's O.K. Bob, I'll read them for you. It took me less than a minute to find his signature on one of his posts:

http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=11999#M11999

Or, how about this one?

http://forum.zonelabs.org/zonelabs/board/message?board.id=Antivirus&message.id=11998#M11998

You are right, that posting doesn't necessarily mean that the person is using the product now, but it doesn't take a great leap of faith to think that they were, at the time that they were posting on the forum.

Like you here, though you don't use their products anymore:

http://forum.zonelabs.org/zonelabs/board/message?board.id=gen&message.id=37480

Or here, (coincidentally in a conversation with me):

http://forum.zonelabs.org/zonelabs/board/message?board.id=inst&message.id=44297

I believe I would give this round to Frank, in his never ending battle with Mastertech. Can't wait for the next chapter...  ;D (F-u-n-n-y!)

However, I wholeheartedly agree with Neal. Every time one of them casts a fly, the other one rises to grab it (trout fishing terms).  :P
Title: Re: Firewall
Post by: OrangeCrate on November 22, 2006, 12:32:42 PM
Quote
I think I will download another firewall just to be on the safe side.

Though there are several fine products out there, I would highly recommend the Zone Alarm version in my signature. Since I installed it, it has blocked 42,934 intrusions, with 1394 of those being "high rated".

There are several comments on their forum, that this was the last best one. I tend to agree, particularly since it doesn't exhibit the vsmon problems of the newer versions.

If you want to try it, you can find the download here:

http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html

I think you've made a wise decision.
Title: Re: Firewall
Post by: bob3160 on November 22, 2006, 03:18:33 PM
Quote
I believe I would give this round to Frank, in his never ending battle with Mastertech. Can't wait for the next chapter...   (F-u-n-n-y!)
Hi OrangeCrate,
Unfortunately in this type of a battle, there aren't any winners.
What's even worse is that there needs to be a battle in the first place.
The forum and its members are the losers each time one of these confrontations breaks out.
Title: Re: Firewall
Post by: OrangeCrate on November 22, 2006, 04:33:32 PM
Quote
The forum and its members are the losers each time one of these confrontations breaks out.

I absolutely agree with you. The comment you quoted was tongue in cheek. It was followed by the additional thought that referenced Neal's comment.

Mine:

I believe I would give this round to Frank, in his never ending battle with Mastertech. Can't wait for the next chapter...  ;D (F-u-n-n-y!)

However, I wholeheartedly agree with Neal. Every time one of them casts a fly, the other one rises to grab it (trout fishing terms).  :P

Neal's:

...All of these answers you got here have already been cussed and discussed before here in the forum. So, now you see that events and things do repeat themselves.  ;)

Title: Re: Firewall
Post by: Mastertech on November 22, 2006, 05:35:08 PM
Quote
I guess it's a case of 'do as I say' not 'do as I do' as Mastertech is a Zone Alarm user:

More like I have clients who use ZoneAlarm. I have never installed a third party Firewall on any client's computer since XP came out. Some of the most frustrating connectivity problems I've run into have been related to third party Firewalls.

Actually Frank should know better than this since I recommend ZoneAlarm on my Secure XP page for advanced users seeking more application control and logging. But I do not recommend it to make you more secure which it cannot.
Title: Re: Firewall
Post by: polonus on November 22, 2006, 07:32:24 PM
Hi MT,

Question one:
So would you say that if you for instance combine Win XP firewall and for instance SafeXP settings, you have a similar protection as with ZA on a restricted user account?
Question two:
Is it still so that data can pass through the firewall, underneath the socket level, without the product (ZA) blocking or alerting users?

polonus
Title: Re: Firewall
Post by: Mastertech on November 22, 2006, 09:45:37 PM
1. Yes, though "Safe XP settings" are still required with ZA.

2. Once you have administrative access anything is possible.

There is a difference between recommending that people use a third party firewall to get more information about Firewall activity as opposed to irresponsibly saying the XP Firewall is insecure and they have to use a third party firewall to be secure. Especially when everyone knows that the XP Firewall provides excellent protection.
Title: Re: Firewall
Post by: Lisandro on November 22, 2006, 11:25:18 PM
Quote
Some of the most frustrating connectivity problems I've run into have been related to third party Firewalls.

Isn't it a problem of configuration?  ???
Title: Re: Firewall
Post by: FreewheelinFrank on November 23, 2006, 12:04:39 AM
Quote
Once you have administrative access anything is possible.

That's what Microsoft want you to believe, since they were obliged to allow third-party firewall producers to turn off Windows firewall, this also means malware can turn it off.

Quote
Once you have administrative access anything is possible.

Firewalls like Zone Alarm at least make some attempt to protect themselves against being shut down. The results from the AV test I quoted earlier showed that ZA blocked some Trojans that Windows firewall did not. There's no guarantee that a third-party firewall will prevent malware connecting out, but it may well do so- an extra layer of protection for those who feel they want it.

Faced with somebody on the forum with an unidentified Trojan downloader, I'm never going to recommend trying to get Windows firewall back up- it's going to be a third-party firewall.

Quote
"It still isn't as robust as many third-party host-based firewalls," writes Jeff Fellinge, information security officer at media company aQuantive, in a recent analysis of the firewall.

More seriously, rival firewall makers claim that the API used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off. Major firewall makers, including Zone Labs, McAfee, and Symantec are preparing SP2-compatible versions of their applications which disable Windows Firewall when they are installed, and enable it again when they are uninstalled.

But if an installer can switch off Windows Firewall, so could an attacker, argues Zone Labs, maker of the popular ZoneAlarm firewall. The company says its own products are locked down in such a way that third-party applications can't disable firewall protection without uninstalling the software.

Defining Roles

Microsoft admits that, in some cases, malicious code could indeed switch the firewall off. However, this isn't so much a flaw as a limitation on the role firewalls should play in a company's security system, according to Microsoft.

"An attacker could misuse that (administrative) capability," says David Overton, a Microsoft technical specialist. "But you're already in a compromised state, if you're at that point." He says Windows Firewall is designed to stop malicious transmissions to the PC, rather than protecting the PC once it's been infected.

If malicious code makes it past the firewall, it is the role of anti-virus software to protect the machine, Overton adds. Likewise, it is not the firewall's place to stop malicious code from sending outbound packets--Microsoft contends that companies should use perimeter technologies to examine outbound traffic.

http://www.pcworld.com/article/id,117380-page,1/article.html
Title: Re: Firewall
Post by: Mastertech on November 23, 2006, 12:35:07 AM
Any Firewall can be turned off if you have administrator access. Even with it running all Malware has to do is wait for some trusted application to access the Internet and simply hijack the connection or process. This article explains it as clearly and logically as you can:

Windows Firewall: the best new security feature in Vista? (http://blogs.technet.com/jesper_johansson/archive/2006/05/01/426921.aspx)

Quote
...any outbound host-based firewall filtering in Windows XP is really just meaningless as a security feature in my opinion. True, it stops some malware, today, but only because current malware has not been written to circumvent it. There simply are not enough environments that implement outbound rules for the mass market malware authors to need to worry about it. In an interactive attack the attacker can circumvent outbound filters at will. To see how, consider this.

Circumventing outbound host-based firewall filters can be accomplished in several ways, depending on the scenario of the actual attack. First, the vast majority of Windows XP users run as administrators, and any malware running as an administrator can disable the firewall entirely. Of course, even if the outbound filter requires interaction from the user to open a port, the malware can cause the user to be presented with a sufficiently enticing and comprehensible dialog, like this one, that explains that without clicking "Yes" they will not ever get to see the dancing pigs:

See, the problem is that when the user is running as an administrator, or the evil code runs as an administrator, there is a very good chance that either the user or the code will simply disable the protection. Of course, the user does not really see that dialog, because it is utterly meaningless to users. What the user actually processes is a dialog that looks more like this:

That is problem number one with outbound filtering. Given the choice between security and sufficiently enticing rewards, like dancing pigs, the dancing pigs will win every time. If the malware can either directly or indirectly turn off the protection, it will do so.

The second problem is that even if the user, for some inexplicable reason clicked "No. Bug me again" or if the evil code is running in using a low-privileged account, such as NetworkService, the malware can easily step right around the firewall other ways. As long as the account the code is running as can open outbound connections on any port the evil code can simply use that port. Aah, but outbound firewalls can limit outbound traffic on a particular port to specific process. Not a problem, we just piggy back on an existing process that is allowed. Only if the recipient of the traffic filters based on both source and destination port, and extremely few services do that, is this technique for bypassing the firewall meaningful.

The key problem is that most people think outbound host-based firewall filtering will keep a compromised asset from attacking other assets. This is impossible. Putting protective measures on a compromised asset and asking it not to compromise any other assets simply does not work. Protection belongs on the asset you are trying to protect, not the one you are trying to protect against! Asking the bad guys not to steal stuff after they have already broken into your house is unlikely to be nearly as effective as keeping them from breaking into the house in the first place.

In addition, as the dialogs above suggest, the vast majority of users are unable to make intelligent security decisions based on the information presented. Presenting information that does allow them to make intelligent decisions is much harder than it sounds because it would require the firewall to not just understand ports, protocols, and the application that is making the request, but also to understand what it is the request really is trying to do and what that means to the user. This information is very difficult to obtain programmatically. For instance, the fact that Microsoft Word is attempting to make an outbound connection is not nearly as interesting as what exactly Word is trying to do with that connection. A plethora of dialogs, particularly ones devoid of any information that helps an ordinary mortal make a security decision, are simply another fast clicking exercise. We need to reduce the number of meaningless dialogs, not increase them, and outbound filtering firewalls do not particularly help there. While writing this article I went and looked at the sales documentation for a major host-based firewall vendor. They tout their firewall's outbound filtering capacity and advising capability with a screen shot that says "Advice is not yet available for this program. Choose below or click More Info for assistance." Below are two buttons with the texts "Allow" and "Deny." Well, that clarifies things tremendously! My mom will surely understand what that means: "Unless you click 'Allow' below you won't get to see the naked dancing pigs that you just spent 8 minutes downloading." I rest my case.

Fundamentally, it is incumbent on the administrator to configure all outbound filtering because the end user will not be able to, and once the administrator does that, if there are enough systems using the same protection mechanism, automated malware will just adapt and exploit the weaknesses mentioned above.

Conclusion:

Quote
Without the ability to keep a compromised process from hijacking another process outbound host-based firewall filtering provides no protection from a compromised host. Because of the fact that Service SIDs were added in Windows Vista the firewall can actually provide meaningful protection with outbound filtering, but because Windows XP inherently lacks this ability having outbound filtering on Windows XP is meaningless from a security perspective.

Now you can choose to stick your fingers in yours ears and yell as loud as Frank does running around waving his arms and calling it a big Microsoft Conspiracy or simply read and understand the information in that article.
Title: Re: Firewall
Post by: mauserme on November 23, 2006, 02:05:33 AM
From the same source:

Quote
any outbound host-based firewall filtering in Windows XP is really just meaningless as a security feature in my opinion.
(emphasis added)


Isn't that all we have on this topic Mastertech?  Opinion and personal preference. 

More than once I've witnessed Zone Alarm block a trojan's outbound connection attempt.  That didn't make the computer more secure.  That doesn't mean ZA will block all malware seeking an outbound connection.  It did tell me there was a problem I needed to address.

But because I saw those connection attempts my personal preference is to take a small (in my opinion) performance hit to get some outbound protection.  Many people seem to share this sentiment but there are certainly those that share your opinion as well.  No sense letting it turn into an argument that won't change anyone's mind.
Title: Re: Firewall
Post by: justin1278 on November 23, 2006, 04:30:48 AM
When/if a piece of malware were to hijack a software program to bypass the firewall and get internet access a decent firewall would detect that something in the application has changed and ask the user. Firewalls such as Comodo do this.
Title: Re: Firewall
Post by: Mastertech on November 23, 2006, 07:19:15 AM
But there is no guarantee. Firewalls simply do simple things like path verification and process identification; they have no way to know if a process has been hijacked. How hard is it for a Trojan to simply call itself Firefox.exe? It makes more sense to detect the problem BEFORE it infects you.

My problem is with people screaming that you are insecure unless you use a third party firewall and that the Windows XP firewall is not a good solution. When in reality it has excellent inbound protection, equivalent if not better than most third party firewalls.

Do I want people to uninstall their third party firewall and start using the Windows XP one? Not if you are happy with what you have. I want people to stop acting like the people who use the XP Firewall are insecure, which is nonsense.

I see security fanatics tell people to load their systems down with so much redundant or irrelevant security software their machines run like they are infected with the Malware they are trying to prevent.
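
The identity check debated in the last two posts (a program allowed by name or by path, versus one whose file is re-hashed on every connection attempt), as an added Python example that is not from any poster or firewall vendor. The `OutboundAllowList` class, the file names and the file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

ALLOW, ASK, CHANGED = "allow", "ask-user", "ask-user (file changed)"


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class OutboundAllowList:
    """Toy per-application outbound rule table (hypothetical, for illustration).

    mode "name"      : a program is identified by its file name only
    mode "path"      : a program is identified by its full path
    mode "path+hash" : full path, plus the file hash recorded when it was trusted
    """

    def __init__(self, mode):
        if mode not in ("name", "path", "path+hash"):
            raise ValueError(mode)
        self.mode = mode
        self.rules = {}  # identity key -> hash recorded at trust time

    def _key(self, path):
        full = os.path.normcase(os.path.realpath(path))
        return os.path.basename(full) if self.mode == "name" else full

    def trust(self, path):
        """The user clicked 'allow' for this program."""
        self.rules[self._key(path)] = sha256_of(path)

    def check(self, path):
        """Verdict for a program that is trying to connect out."""
        key = self._key(path)
        if key not in self.rules:
            return ASK
        if self.mode == "path+hash" and sha256_of(path) != self.rules[key]:
            return CHANGED
        return ALLOW


def run_scenarios():
    """Build constructed sample files and return each policy's verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        apps = os.path.join(root, "apps")
        temp = os.path.join(root, "temp")
        os.makedirs(apps)
        os.makedirs(temp)

        browser = os.path.join(apps, "browser.exe")
        with open(browser, "wb") as fh:
            fh.write(b"constructed stand-in for the trusted browser")

        policies = {m: OutboundAllowList(m) for m in ("name", "path", "path+hash")}
        for policy in policies.values():
            policy.trust(browser)

        def verdicts(path):
            return {mode: policy.check(path) for mode, policy in policies.items()}

        # 1. The trusted program, untouched.
        results["unchanged"] = verdicts(browser)

        # 2. A different file that merely carries the trusted file name.
        lookalike = os.path.join(temp, "browser.exe")
        with open(lookalike, "wb") as fh:
            fh.write(b"constructed stand-in for an unknown program")
        results["same name, other folder"] = verdicts(lookalike)

        # 3. The trusted file overwritten at its original path.
        with open(browser, "wb") as fh:
            fh.write(b"constructed stand-in for a replaced file")
        results["replaced in place"] = verdicts(browser)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:26} {verdict}")
```

A hash check only sees the file on disk; it says nothing about code running inside an already trusted process, which is the hijacking case raised above.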
Title: Re: Firewall
Post by: kubecj on November 23, 2006, 08:58:45 AM
I'm closing this, another Mastertech's-opinions-and-wishes-presented-as-facts thread.  ::)