Author Topic: Ditching the software firewall?  (Read 2452 times)

Offline wabbit

Re: Ditching the software firewall?
« Reply #15 on: April 18, 2008, 11:23:31 AM »
I do agree that NOD32 does a great job. I could see paying if it was 10%, 20% better, but for such a small difference in protection, I just don't think it's worth it. I can think of better things to spend my money on.

And if you were infected, wouldn't you want to have a way to know that you let malware in instead of going along merrily thinking you're ok?  I'd rather know I was owned as soon as possible, so I could fix the problem as soon as possible. I agree with MrRipley on that.

And most people know a user can ignore a warning from their protection software, thinking it's a false positive or whatever the reason, and let a virus in.

Using a software firewall on top of a hardware firewall is just added protection. It doesn't use up system resources (hardly so), or not play well with other programs, and if you use a free one, it doesn't cost you anything.

It really boils down to how much of a risk do you want to take. If you feel comfortable with your ability to stop or fix a malware problem, then don't run a software firewall on top of your hardware firewall. If you like to have a handle on what's trying to connect to the internet, and have the ability to say yes or no instead of blindly allowing a program to connect without knowing why, then you'll want to run one.


Wabbit
Wabbit:
             The Official Rolling Thunder Target Drone...

Offline Vulcan

Re: Ditching the software firewall?
« Reply #16 on: April 18, 2008, 05:04:28 PM »
Umm.. wrong. Your hardware firewall will only detect known malware which have been coded in the firmware. Every other packet goes freely out of your box since your hardware firewall has no way of knowing who/what initiated the connection. With a good soft fw every connection attempt has to be approved by you and approved again if a dll version or md5 changes. That's an astronomically higher level of detection than a hardware wall can ever give - simply because you the user will verify the legitimacy of the traffic.

And if something so bad gets on the machine that it can actually pass Comodo detection AND slip through your antivirus of choice .. then you're pwned. At least until you manually sniff your packets and analyze them.

Err my hardware firewall has around 3000 malware signatures plus heuristics (not to mention its virus signatures). It checks for updates hourly. It also detects tunneling apps and performs realtime web filtering (blocks adverts, the most common malware vector, and anything that might phone home).

Malware would have to get past my firewall's Content filter, AV/AS, my desktop AV/AS, and then try and get out again.

FYI on sites where Content Filtering is enabled (and stuff like advertising is blocked) malware hits drop to almost zero. On most it's zero, though on the bigger sites (>500 users) I see 1 or 2 hits a month at most.

Offline DustyR

Re: Ditching the software firewall?
« Reply #17 on: April 18, 2008, 08:53:16 PM »
Try downloading SPY BOT search & destroy.  Works for me.

 :noid :aok
Coal Country WV -- Home of the free ** because of the brave.

Offline MrRiplEy[H]

Re: Ditching the software firewall?
« Reply #18 on: April 19, 2008, 01:35:53 AM »
Err my hardware firewall has around 3000 malware signatures plus heuristics (not to mention its virus signatures). It checks for updates hourly. It also detects tunneling apps and performs realtime web filtering (blocks adverts, the most common malware vector, and anything that might phone home).

Malware would have to get past my firewall's Content filter, AV/AS, my desktop AV/AS, and then try and get out again.

FYI on sites where Content Filtering is enabled (and stuff like advertising is blocked) malware hits drop to almost zero. On most it's zero, though on the bigger sites (>500 users) I see 1 or 2 hits a month at most.

Yes but it's still limited to analyzing the traffic. The software wall will alert you of any new connection attempt which in itself is an invaluable tool. If you know you didn't start any software that should call out, it's better off blocked and investigated.

The difference is like being next to the guy who throws the rock to see where it's aimed instead of observing only the rock that's flying and trying to determine if it's thrown to hurt you or not.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone
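
The per-application approval model argued for in this thread (prompt on a program's first outbound attempt, prompt again when its binary's hash changes), as an added example that is not part of any post and not code from Comodo or any other firewall product. The `OutboundPolicy` class, the decision strings, the paths and the sample program bytes are constructed for illustration, and SHA-256 is used where the post mentions MD5.

```python
import hashlib

ALLOW, BLOCK = "allow", "block"
PROMPT_NEW, PROMPT_CHANGED = "prompt-new", "prompt-changed"


class OutboundPolicy:
    """Hypothetical outbound rule table keyed on program path and binary hash."""

    def __init__(self):
        self.rules = {}  # path -> (sha256 hex digest, stored verdict)

    @staticmethod
    def fingerprint(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()

    def check(self, path: str, image: bytes) -> str:
        """Decide what to do with an outbound attempt by the program at `path`."""
        rule = self.rules.get(path)
        if rule is None:
            return PROMPT_NEW        # never seen before: ask the user
        known_digest, verdict = rule
        if self.fingerprint(image) != known_digest:
            return PROMPT_CHANGED    # same path, different binary: ask again
        return verdict               # unchanged binary: apply the stored answer

    def record(self, path: str, image: bytes, allow: bool) -> None:
        """Store the user's answer, bound to the exact binary that was approved."""
        self.rules[path] = (self.fingerprint(image), ALLOW if allow else BLOCK)


def demo():
    """Walk one program through first sight, approval and a changed binary."""
    policy = OutboundPolicy()
    browser = r"C:\Program Files\Browser\browser.exe"   # constructed path
    unknown = r"C:\Temp\upd.exe"                         # constructed path
    v1 = b"constructed browser binary v1"
    v2 = b"constructed browser binary v2 (updated or tampered)"
    decisions = [policy.check(browser, v1)]              # first attempt
    policy.record(browser, v1, allow=True)
    decisions.append(policy.check(browser, v1))          # approved binary
    decisions.append(policy.check(browser, v2))          # hash no longer matches
    policy.record(unknown, b"constructed unknown updater", allow=False)
    decisions.append(policy.check(unknown, b"constructed unknown updater"))
    return decisions


if __name__ == "__main__":
    print(demo())
```
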

Offline Vulcan

Re: Ditching the software firewall?
« Reply #19 on: April 19, 2008, 03:16:53 AM »
Yes but it's still limited to analyzing the traffic. The software wall will alert you of any new connection attempt which in itself is an invaluable tool. If you know you didn't start any software that should call out, it's better off blocked and investigated.

google "personal firewall leak tests"

Offline MrRiplEy[H]

Re: Ditching the software firewall?
« Reply #20 on: April 19, 2008, 03:47:58 AM »
google "personal firewall leak tests"

I've tested them all and Comodo passed with flying colors. One such site reports:

« Last Edit: April 19, 2008, 03:52:46 AM by MrRiplEy[H] »
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Vulcan

Re: Ditching the software firewall?
« Reply #21 on: April 19, 2008, 04:21:57 PM »
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

Note that even Comodo missed some stuff in its default config. Then later the product scored a 100% because it was 'updated'. So PW FW's can be beaten, and there is a gap between them detecting stuff and their updates. New malware is going to be able to drill through for a while.

And let's be really honest, most users tune down PW FW to let apps do stuff to the point they become leaky again.

Offline Spatula

Re: Ditching the software firewall?
« Reply #22 on: April 19, 2008, 06:38:06 PM »
FYI: I'm trialling NOD32 anti virus, after seeing that their whole security 'suite' scores very low on FW leak tests. I'm also trialling online armour for a bit too.
Have ditched Windows Defender altogether as it seems NOD32 will replace that. Is that a good assumption?

Airborne Kitchen Utensil Assault Group

Offline Masherbrum

Re: Ditching the software firewall?
« Reply #23 on: April 19, 2008, 09:23:41 PM »
I was using Sygate's Free FW until two days ago. Went to Comodo's free one. I like it a lot more.
-=Most Wanted=-

FSO Squad 412th FNVG
http://worldfamousfridaynighters.com/
Co-Founder of DFC

Offline MrRiplEy[H]

Re: Ditching the software firewall?
« Reply #24 on: April 19, 2008, 11:59:16 PM »
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

Note that even Comodo missed some stuff in its default config. Then later the product scored a 100% because it was 'updated'. So PW FW's can be beaten, and there is a gap between them detecting stuff and their updates. New malware is going to be able to drill through for a while.

And let's be really honest, most users tune down PW FW to let apps do stuff to the point they become leaky again.

But what's the point? Your hardware wall leaks worse than that 100% guaranteed. You know statistically a condom will give you only 99.9% protection. You're still way better off using it, on your person.  :devil
« Last Edit: April 20, 2008, 12:04:09 AM by MrRiplEy[H] »
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Vulcan

Re: Ditching the software firewall?
« Reply #25 on: April 20, 2008, 04:54:14 AM »
But what's the point? Your hardware wall leaks worse than that 100% guaranteed. You know statistically a condom will give you only 99.9% protection. You're still way better off using it, on your person.  :devil

I have two layers of AV and AS running, content filtering also eliminates the most common vectors. My hardware firewall also detects and blocks outbound spyware communication (including tunneled), as well as blocking access to known malware sites.

Not forgetting my hardware firewall also presents a nice pretty automated weekly report on traffic patterns. I can tell at a glance if something is bad. So your software firewall is not 100% guaranteed, neither is my hardware firewall, but if something unusual is going on I have historical data I can look at to identify potential problems. On top of that (for me) any malware would have to penetrate two layers of heuristic AV/AS.

If one of your clients were infected last month by malware that tunnels out under SW FW's (or HW FW's) I doubt you could tell them exactly what kind of traffic went out of their system and where to... whereas I can. Plus my hardware firewall will alert me to things like excessive bandwidth utilization over a given period of time.

Offline Vulcan

Re: Ditching the software firewall?
« Reply #26 on: April 20, 2008, 04:56:30 AM »
The actual difference between NOD32 and AVG is actually pretty minimal statistically, more problems come from not having security updates or things like Iframe attacks where a user bypasses/circumvents his own system warnings etc. NOD does a very good job on the zero-day threats and broader malware (which AVG {free or otherwise} doesn't handle well). Threatfire is a surprisingly good product and fills this gap pretty nicely so you're dealing with a "percentage of protection" issue of maybe 98.8% for the "freebie suite" and 99.5% for NOD or something similar....but nobody's going to get you to 100% coverage...

I just noticed this. While AVG did ok in recent tests its historical performance is, well, crap. Look at the historical tests and you see NOD32 does well. If in a year's time AVG remains consistent at the level it's hitting now maybe you're right, but until then I think AVG has a lot to prove before it is recommendable.

Offline MrRiplEy[H]

Re: Ditching the software firewall?
« Reply #27 on: April 20, 2008, 05:21:22 AM »
I have two layers of AV and AS running, content filtering also eliminates the most common vectors. My hardware firewall also detects and blocks outbound spyware communication (including tunneled), as well as blocking access to known malware sites.

Not forgetting my hardware firewall also presents a nice pretty automated weekly report on traffic patterns. I can tell at a glance if something is bad. So your software firewall is not 100% guaranteed, neither is my hardware firewall, but if something unusual is going on I have historical data I can look at to identify potential problems. On top of that (for me) any malware would have to penetrate two layers of heuristic AV/AS.

If one of your clients were infected last month by malware that tunnels out under SW FW's (or HW FW's) I doubt you could tell them exactly what kind of traffic went out of their system and where to... whereas I can. Plus my hardware firewall will alert me to things like excessive bandwidth utilization over a given period of time.

One question: At which point, when your hardware firewall detects a previously unknown connection attempt, does it ask for your confirmation for the connection? It doesn't. Which means that by the time you get your weekly traffic report you could have been leaking out your banking information, keystrokes and whatnot for days. The hardware wall can only prevent _known_ threats as long as it doesn't confirm the legitimacy of the traffic directly from the user.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Vulcan

Re: Ditching the software firewall?
« Reply #28 on: April 20, 2008, 03:59:54 PM »
One question: At which point, when your hardware firewall detects a previously unknown connection attempt, does it ask for your confirmation for the connection? It doesn't. Which means that by the time you get your weekly traffic report you could have been leaking out your banking information, keystrokes and whatnot for days. The hardware wall can only prevent _known_ threats as long as it doesn't confirm the legitimacy of the traffic directly from the user.

Same can be said for the sw fw but you have no idea anything has been going on. Because the hardware firewall also blocks connection attempts to websites/servers pre-classified as threats it also goes a bit further than your SW FW.

At the end of the day I've had this setup for near on 5 years now and no issues. And I can point to valid historical data that confirms no leakage.

Offline BaldEagl

Re: Ditching the software firewall?
« Reply #29 on: April 20, 2008, 04:07:22 PM »
Well I run both a HW and SW firewall.  It can't hurt to run both.  The SW firewalls in general aren't too resource intensive and once you have them set up the way you want they aren't much of a bother.
I edit a lot of my posts.  Get used to it.