Aces High Bulletin Board

General Forums => Hardware and Software => Topic started by: DREDIOCK on March 29, 2007, 07:37:13 AM

Title: Made the switch to Nod32. Any firewall suggestions
Post by: DREDIOCK on March 29, 2007, 07:37:13 AM
Finally made the switch to NOD32 from McAfee.

I am impressed by its small footprint.

Now I'd like to replace the McAfee firewall as well.
Any suggestions?
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Eagler on March 29, 2007, 08:30:33 AM
I use the windows XP firewall
Title: Made the switch to Nod32. Any firewall suggestions
Post by: CHECKERS on March 29, 2007, 08:44:38 AM
I have had good results with COMODO. I run it with Aces High and I use NOD32 also.
Maybe you might like to have a look at it ...

COMODO review link
http://www.pcmag.com/article2/0,1759,1969207,00.asp

COMODO website
http://www.personalfirewall.comodo.com/

Bob/CHECKERS
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on March 29, 2007, 08:56:21 AM
Yep I use Comodo + Nod32 combo too.

The late Tiny personal firewall was better than Comodo though. Comodo has a tendency for false parent application notifications.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: 715 on March 29, 2007, 02:30:33 PM
I have NOD32 and I use BlackICE Defender (ISS.net). However, I also installed a Linksys wireless router and since then Defender reports nothing; it's all caught by the router's firewall. Before that, Defender would report a depressing number of attacks.

Defender also prevents any new programs from running unless I tell it they're OK, so that stops malware from running in case it does get through.  It's quite annoying if you write and compile your own code as Defender will pop up a window for each new executable you create, even if it's the same name (kinda like Vista?).  It keeps a database of signatures and once you tell it a program is OK it doesn't ask again unless the program changes.

715
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Balsy on March 30, 2007, 06:51:08 AM
I use ZoneAlarm with it. Works well and is free.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on March 30, 2007, 11:30:28 AM
Quote
Originally posted by 715
I have NOD32 and I use BlackICE Defender (ISS.net). However, I also installed a Linksys wireless router and since then Defender reports nothing; it's all caught by the router's firewall. Before that, Defender would report a depressing number of attacks.

Defender also prevents any new programs from running unless I tell it they're OK, so that stops malware from running in case it does get through.  It's quite annoying if you write and compile your own code as Defender will pop up a window for each new executable you create, even if it's the same name (kinda like Vista?).  It keeps a database of signatures and once you tell it a program is OK it doesn't ask again unless the program changes.

715


BlackIce has been reported to cause unnecessary fears in users by crying about every ping on the network even if they're not worth reporting. It also leaked.

ZoneAlarm... well, it's good if you have no other option left.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: republic on March 30, 2007, 11:53:58 AM
Firewalls can cause some bizarre, almost otherworldly problems. Be sure you do all your normal things before you go from trial to paid.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: 715 on March 30, 2007, 01:09:59 PM
Quote
Originally posted by MrRiplEy[H]
BlackIce has been reported to cause unnecessary fears in users by crying about every ping on the network even if they're not worth reporting. It also leaked.


Before installing the router, I checked BlackIce with that web page that checks for leaks, sorry can't remember the name, and it reported my machine as invisible to all tests. That was quite a while ago however.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Rolex on March 30, 2007, 03:35:04 PM
I have a normally configured router, so I have no need for any software firewall.

I have disabled ActiveX and scripting in IE (except for trusted sites such as Microsoft for updates and a few others), so I have never bought, used or needed any anti-virus software in the last 5 years.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on March 31, 2007, 07:53:02 AM
Quote
Originally posted by Rolex
I have a normally configured router, so I have no need for any software firewall.

I have disabled ActiveX and scripting in IE (except for trusted sites such as Microsoft for updates and a few others), so I have never bought, used or needed any anti-virus software in the last 5 years.


How do you monitor traffic out of your box? :p  Anything you install there can be calling home without you even knowing.

If you ever use any free app from the net, a personal firewall is a must. Heck, even a browser vulnerability is enough to get a trojan.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on March 31, 2007, 07:56:20 AM
Quote
Originally posted by 715
Before installing the router, I checked BlackIce with that web page that checks for leaks, sorry can't remember the name, and it reported my machine as invisible to all tests. That was quite a while ago however.


BlackIce leaked stuff out of the box i.e. if a trojan or adware installs to your box, BlackIce couldn't discern its traffic as illegal. At least back then it had no parent application or md5 checks.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Fulmar on March 31, 2007, 04:19:51 PM
Build a Linux firewall with an old spare computer! That's what I use and I can't say enough about it. Most flexible and customizable. But you'll need a spare computer to use as the firewall. Anything from a Pentium 66 MHz to whatever you have lying around can be used as one.

You can use m0n0wall, ClarkConnect, IPCop (which I recommend and use), and SmoothWall (which I also recommend). Just Google to find them!
Title: Made the switch to Nod32. Any firewall suggestions
Post by: DREDIOCK on March 31, 2007, 09:05:21 PM
For the moment just running Windows firewall till I make a final decision.
But I don't really have a lot of trust in it.

As for running through a separate machine, I do have an old P500, a P300 and a P100 lying around,
so that may be an option, even as something to tinker with for chuckles.

Also have an old Baseline Amiga 2000,
but don't think that will do it LOL
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Fulmar on March 31, 2007, 09:59:51 PM
I use an old P3 550 IBM Aptiva, which is a micro ATX case so it's fairly small. I hide it in my closet with the modem and a UPS and it's neatly tucked away. It allows me to customize access to my network (of more than 2 computers) easily. Assigning access to ports, tracking traffic graphs etc. For a P3 550, the most CPU power I've ever used was about 6%, mostly 1-2%. So power draw is very minimal.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: 715 on March 31, 2007, 11:55:20 PM
Quote
Originally posted by MrRiplEy[H]
BlackIce leaked stuff out of the box i.e. if a trojan or adware installs to your box, BlackIce couldn't discern its traffic as illegal. At least back then it had no parent application or md5 checks.


The current version flags new executables when they run and then also if they attempt to connect to the internet. But it is true that if you give a general OK to the program, then it won't flag net connections by that program ever again. So you can't tell if a program that shouldn't be connecting to the net is doing so. However, if you want to get specific, you can go into the database and, say, flag a program as OK to run, but not OK to connect to the net. So it is possible to set up that kind of control if you want to take the extra step. It doesn't default that way. However, it is not like a virus or adware/malware program; it doesn't know naughty programs by name or signature.
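The behaviour 715 describes in his two posts (a program is fingerprinted on first run, the user's answer is remembered, a changed binary triggers a new prompt, and "may run" can be granted separately from "may connect") is a small application-control database. The following is an added example written for this page, not BlackICE's or any vendor's code; the `AppControlDB` class, the `Policy` dataclass and the byte strings standing in for executables are all constructed, and SHA-256 is used in place of the MD5 check mentioned later in the thread.

```python
"""Added example (not BlackICE or any vendor's code): a minimal application-control
database with the behaviour described in the thread. Programs are fingerprinted by
hash, approval is remembered, a changed binary triggers a new prompt, and "may run"
and "may connect to the network" are separate permissions."""
import hashlib
from dataclasses import dataclass, field

ASK, ALLOW, DENY = "ask", "allow", "deny"


@dataclass
class Policy:
    may_run: bool = True        # program is allowed to execute
    may_connect: bool = True    # program is allowed to open network connections


@dataclass
class AppControlDB:
    # Hypothetical layout: path -> (sha256 of the approved image, policy)
    entries: dict = field(default_factory=dict)

    @staticmethod
    def fingerprint(image: bytes) -> str:
        # SHA-256 of the executable image; a recompile or update changes it
        return hashlib.sha256(image).hexdigest()

    def approve(self, path: str, image: bytes, may_run: bool = True,
                may_connect: bool = True) -> None:
        """Record the user's answer to a prompt for this exact binary."""
        self.entries[path] = (self.fingerprint(image), Policy(may_run, may_connect))

    def check(self, path: str, image: bytes, action: str) -> str:
        """Decide 'run' or 'connect' for a program: ask, allow or deny."""
        if action not in ("run", "connect"):
            raise ValueError(f"unknown action {action!r}")
        entry = self.entries.get(path)
        if entry is None:
            return ASK                      # never seen: prompt the user
        known_digest, policy = entry
        if known_digest != self.fingerprint(image):
            return ASK                      # binary changed since approval: prompt again
        permitted = policy.may_run if action == "run" else policy.may_connect
        return ALLOW if permitted else DENY


def demo() -> list:
    """Walk through the scenarios from the thread; returns the verdict sequence."""
    db = AppControlDB()
    # Constructed stand-ins for executable images (not real binaries)
    game_v1 = b"MZ...constructed stand-in for game.exe build 1"
    game_v2 = b"MZ...constructed stand-in for game.exe build 2"
    tool = b"MZ...constructed stand-in for a local utility"
    results = []
    results.append(db.check(r"C:\Games\game.exe", game_v1, "run"))      # ask: first run
    db.approve(r"C:\Games\game.exe", game_v1)                             # user says OK
    results.append(db.check(r"C:\Games\game.exe", game_v1, "run"))      # allow
    results.append(db.check(r"C:\Games\game.exe", game_v1, "connect"))  # allow (general OK)
    results.append(db.check(r"C:\Games\game.exe", game_v2, "run"))      # ask: recompiled
    # The "extra step": OK to run, not OK to reach the net
    db.approve(r"C:\Tools\tool.exe", tool, may_run=True, may_connect=False)
    results.append(db.check(r"C:\Tools\tool.exe", tool, "run"))         # allow
    results.append(db.check(r"C:\Tools\tool.exe", tool, "connect"))     # deny
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the record on the hash rather than only on the path is what makes the "same name, new build" prompt happen; it also means a trojan that overwrites an approved executable gets prompted for instead of inheriting the old approval.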
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 01, 2007, 03:26:42 AM
The most advanced personal firewalls not only enable you to give programs access permissions, they also have the ability to tell when another program is attempting an illegal connection THROUGH the permitted program or disguised as one.

This is the reason why I like to keep a personal firewall. I download all kinds of freeware kiddie crap for my kids (free games, puzzles, game demos etc.) and I like to have some idea what's going on in the background.

Unbelievably many game demos call home the first thing they do when they install.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 01, 2007, 06:04:11 PM
For the most part Personal Firewalls are snake oil IMHO. Google firewall leak tests to see what I mean. GOOD AV with things like buffer overflow protection and program execution limits is what you need.

I use McAfee (corporate version NOT the retail product). But NOD32 probably ranks as the best product. McAfee 8.5i has the most comprehensive stuff I've seen for blocking virus vectors, the heuristics are not as good as NOD's though.

If you're really serious and want to throw some money at a solution, I use a SonicWall firewall which gives me gateway Antivirus, Antispyware, IPS, Content Filtering (also blocks any outbound spyware/proxy attempts), and of course logging/reports. Any entry level SonicWall (TZ150) would do the job for most people.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 02, 2007, 01:25:10 AM
Quote
Originally posted by Vulcan
For the most part Personal Firewalls are snake oil IMHO. Google firewall leak tests to see what I mean. GOOD AV with things like buffer overflow protection and program execution limits is what you need.

I use McAfee (corporate version NOT the retail product). But NOD32 probably ranks as the best product. McAfee 8.5i has the most comprehensive stuff I've seen for blocking virus vectors, the heuristics are not as good as NOD's though.

If you're really serious and want to throw some money at a solution, I use a SonicWall firewall which gives me gateway Antivirus, Antispyware, IPS, Content Filtering (also blocks any outbound spyware/proxy attempts), and of course logging/reports. Any entry level SonicWall (TZ150) would do the job for most people.


I googled firewall tests and found that the information was outdated. Comodo for example catches all of the 'leaks' the sites cry about. I tried personally using the exploits on my box and none got through.

Unlike many programs, Comodo gets frequent updates which actually fix stuff.

The fact is that without a personal firewall you have no control whatsoever, and never will, over what goes in or out of your computer. You could have 10 trojans running without knowing, despite firewalling or virus shielding.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 02, 2007, 11:35:56 PM
Quote
Originally posted by MrRiplEy[H]
The fact is that without a personal firewall you have no control whatsoever, and never will, over what goes in or out of your computer. You could have 10 trojans running without knowing, despite firewalling or virus shielding.


The problem is when the firewall coexists on the same machine as the infection you cannot be 100% sure. There are always new ways to beat the firewalls coming out. Personal Firewalls are not new technology and yet they still fail to properly protect.

I could have 10 trojans running but I would know because:
 - my antivirus software prevents software from executing from within common places spyware pops up from (i.e. temp directories)
 - my antivirus software prevents outbound communications on common spyware reporting vectors (e.g. port 25, IRC, etc.)
 - my antispyware would report them on its regular scans (and prevent execution on a signature basis)
 - my edge (gateway) firewall prevents inbound spyware (and viruses) via either HTTP, FTP, or email protocols
 - my edge (gateway) firewall looks for outbound spyware traffic, blocks and reports it
 - my edge (gateway) firewall looks for outbound proxy or HTTP tunneling traffic, blocks and reports it
 - my edge (gateway) firewall sends me weekly report summaries of internet usage. Anything that slipped through the above would be picked up as anomalous traffic by either protocol or destination
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 04, 2007, 11:43:19 AM
Yeah but your box could be leaking your personal information out for a week before you catch it through a log.. ;)

A personal firewall is a good, free way to increase your awareness of what goes on inside the computer. Why not use it?
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Boroda on April 05, 2007, 07:14:42 AM
Check this one: http://www.agnitum.com/

I have used Outpost Firewall for several years; in new versions they added spyware protection and other neat stuff.

It needs some configuring, but after spending half an hour on it I work pretty well and safely in my weird environment with several networks trusted/declined and with a real IP address. A must have.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 09, 2007, 06:18:08 PM
Quote
Originally posted by MrRiplEy[H]
Yeah but your box could be leaking your personal information out for a week before you catch it through a log.. ;)

A personal firewall is a good, free way to increase your awareness on what goes on inside the computer. Why not use it.


Because personal firewalls are not guaranteed to catch stuff and have other issues (such as compatibility and performance). The logs are only my backup; the firewall is doing edge spyware detection at Layer 7, as well as blocking of tunneling attempts, and other 'iffy' protocols (SMTP direct, IRC), and blocking of known hacking/proxy avoidance/spyware websites.

No personal firewall software does ANY of that (except block SMTP/IRC, but even then it is not guaranteed).
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 10, 2007, 01:28:04 AM
Quote
Originally posted by Vulcan
Because personal firewalls are not guaranteed to catch stuff and have other issues (such as compatibility and performance). The logs are only my backup; the firewall is doing edge spyware detection at Layer 7, as well as blocking of tunneling attempts, and other 'iffy' protocols (SMTP direct, IRC), and blocking of known hacking/proxy avoidance/spyware websites.

No personal firewall software does ANY of that (except block SMTP/IRC, but even then it is not guaranteed).


Question: How many of the programs you've recently installed have called home from your computer? Don't know? :D

Even if personal firewalls are not perfect, neither are virus shields. Yet many find using them a good idea. Something is better than nothing, right? Comodo's patched version caught all of the example exploits that were posted on the 'firewall leak test' site. I'd call that a hell of a lot better than not having protection at all.

As for compatibility and performance, I haven't noticed any problems whatsoever on that side. Every online game works a-ok. OTOH I have caught 1 trojan and a couple of spyware programs with the PF. Without it, I'd never know my box was infected in the first place. Well, at least unless something obvious showed up on netstat, by which time the information would have been leaking for a considerable time. I also like to block every piece of software that tries to call home from my computer unless a connection is needed for the operation.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 10, 2007, 04:20:09 PM
Quote
Originally posted by MrRiplEy[H]
Question: How many of the programs you've recently installed have called home from your computer? Don't know? :D


One piece, some Broderbund kids software. I know exactly what goes on.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 12, 2007, 01:43:44 PM
Quote
Originally posted by Vulcan
One piece, some Broderbund kids software. I know exactly what goes on.


Heh, you don't install much stuff then?

80% of all applications I've installed in the past 4 years have called home in one way or another. Right now I have 21 apps in the control list.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Brooke on April 13, 2007, 08:04:20 PM
I use Windows XP's built in firewall.

I'm also behind a Linksys dsl/cablemodem router (so it's a firewall on its own).

I think I'd always want something like a router between my computer and the Internet, regardless of the firewall on my own PC.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 15, 2007, 08:09:24 PM
Quote
Originally posted by MrRiplEy[H]
Heh, you don't install much stuff then?

80% of all applications I've installed in the past 4 years have called home in one way or another. Right now I have 21 apps in the control list.


I have plenty of apps. Although no Adobe stuff :)

Brooke, turn off the Windows XP firewall. It's an absolute waste of CPU resource: http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

(notice Windows XP Firewall SP2 fails totally)
Title: Made the switch to Nod32. Any firewall suggestions
Post by: 715 on April 15, 2007, 09:57:16 PM
Quote
Originally posted by Vulcan
Brooke, turn off the Windows XP firewall. It's an absolute waste of CPU resource: http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

(notice Windows XP Firewall SP2 fails totally)


Note: That web page tests for outgoing leaks only, i.e. you already have a Trojan or other nastyware on your machine and it is attempting to surreptitiously connect to the internet.  It wasn't reviewing protection against incoming bad things.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 16, 2007, 02:08:47 AM
Quote
Originally posted by Vulcan
I have plenty of apps. Although no Adobe stuff :)

Brooke, turn off the Windows XP firewall. It's an absolute waste of CPU resource: http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

(notice Windows XP Firewall SP2 fails totally)


So then in all probability 80% of your apps have called home too, and are calling home without your knowledge. It might be as simple as automatic registration or update search; I don't want any of that happening without my approval.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 16, 2007, 04:58:52 AM
Quote
Originally posted by 715
Note: That web page tests for outgoing leaks only, i.e. you already have a Trojan or other nastyware on your machine and it is attempting to surreptitiously connect to the internet.  It wasn't reviewing protection against incoming bad things.


Windows firewall does nothing to protect you against incoming threats over and above what most AV software will do (i.e. buffer overflows).
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 16, 2007, 05:06:07 AM
Quote
Originally posted by MrRiplEy[H]
So then in all probability 80% of your apps have called home too, and are calling home without your knowledge. It might be as simple as automatic registration or update search; I don't want any of that happening without my approval.


Err, no, you do not get it, do you? First, I turn off autoupdates as a matter of habit with all apps. Second, I can produce at any moment a complete rundown of my PC activities; for example, my gaming rig's web activities this month:

VULCAN 53 1.133
10/10 records are shown as detailed information  
    Site Hits MBytes Category
    http://www.codepuppet.co... 14 0.952 N/A
    CSC3-2004-crl.ver... 1 0.056 N/A
    kaykahosting.com 12 0.047 N/A
    abuse.teamspeak.o... 5 0.029 N/A
    webpost.teamspeak... 4 0.023 N/A
    oka.wwiiol.net 4 0.011 N/A
    http://www.teamspeak.org 5 0.006 N/A
    kaitak.coop.4play... 5 0.006 N/A
    visit1.geo.vip.sc... 2 0.002 N/A
    crl.verisign.com 1 0.002 N/
 
Tunneling? Tunneling is blocked and appears in my filtering reports. As are proxies :)
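Vulcan's point, both here and in his earlier list, is that a per-destination usage summary lets you spot traffic that does not belong: a host you never expected, a bare IP address, or more data than a game rig should be pushing. The following is an added example written for this page, not SonicWall's or any vendor's code: it parses rows in the same `Site Hits MBytes Category` layout as the report pasted above and flags those anomalies. The sample report, the `EXPECTED_HOSTS` set, the 0.5 MB threshold and all function names are constructed for the example (documentation domains and a TEST-NET address, not real traffic).

```python
"""Added example (not from the thread or any vendor): parse a per-host web activity
summary in the layout quoted above and flag destinations outside an expected set,
bare IP addresses, and unusually large transfers."""
import ipaddress
import re
from dataclasses import dataclass

# One report row: "<site> <hits> <MBytes> <category>"; sites may be cut short with "..."
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$")


@dataclass
class Row:
    site: str         # hostname with scheme removed and trailing "..." stripped
    hits: int
    mbytes: float
    category: str
    truncated: bool   # True when the report cut the hostname short


def parse_report(text: str) -> list:
    """Keep only the data rows; the title line, record count and column header do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        site, hits, mbytes, category = m.groups()
        site = re.sub(r"^https?://", "", site)
        truncated = site.endswith("...")
        if truncated:
            site = site[:-3]
        rows.append(Row(site, int(hits), float(mbytes), category, truncated))
    return rows


def is_expected(row: Row, expected_hosts: set) -> bool:
    """Exact or subdomain match; a truncated name can only be matched as a prefix."""
    for host in expected_hosts:
        if row.truncated:
            if host.startswith(row.site):
                return True
        elif row.site == host or row.site.endswith("." + host):
            return True
    return False


def is_bare_ip(site: str) -> bool:
    try:
        ipaddress.ip_address(site)
        return True
    except ValueError:
        return False


def flag_anomalies(rows: list, expected_hosts: set, mbytes_threshold: float = 0.5) -> list:
    """Return [(site, [reason, ...]), ...] for rows worth a second look."""
    findings = []
    for row in rows:
        reasons = []
        if not is_expected(row, expected_hosts):
            reasons.append("unexpected destination")
        if is_bare_ip(row.site):
            reasons.append("bare IP address (no hostname)")
        if row.mbytes > mbytes_threshold:
            reasons.append(f"volume {row.mbytes:.3f} MB above {mbytes_threshold} MB")
        if reasons:
            findings.append((row.site, reasons))
    return findings


# Constructed sample in the same layout as the quoted report (not real traffic)
SAMPLE_REPORT = """GAMERIG 6 1.212
6/6 records are shown as detailed information
    Site Hits MBytes Category
    http://www.example-game-patch... 14 0.952 N/A
    crl.example-ca.org 1 0.002 N/A
    webpost.example-voice... 4 0.023 N/A
    updates.example.net 3 0.180 N/A
    203.0.113.57 1 0.011 N/A
    cdn.example-game.com 2 0.044 N/A
"""
# Constructed allowlist of destinations this machine is expected to talk to
EXPECTED_HOSTS = {"www.example-game-patch.net", "crl.example-ca.org",
                  "webpost.example-voice.org", "cdn.example-game.com"}

if __name__ == "__main__":
    for site, reasons in flag_anomalies(parse_report(SAMPLE_REPORT), EXPECTED_HOSTS):
        print(f"{site}: {', '.join(reasons)}")
```

The truncated hostnames are the weak spot of reviewing a summary like this: a cut-off name can only be matched as a prefix, so anything that shares a prefix with an expected host looks fine until you pull the full URL from the detailed log.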
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 16, 2007, 08:21:50 AM
Quote
Originally posted by Vulcan
Err, no, you do not get it, do you? First, I turn off autoupdates as a matter of habit with all apps. Second, I can produce at any moment a complete rundown of my PC activities; for example, my gaming rig's web activities this month:

VULCAN 53 1.133
10/10 records are shown as detailed information  
    Site Hits MBytes Category
    http://www.codepuppet.co... 14 0.952 N/A
    CSC3-2004-crl.ver... 1 0.056 N/A
    kaykahosting.com 12 0.047 N/A
    abuse.teamspeak.o... 5 0.029 N/A
    webpost.teamspeak... 4 0.023 N/A
    oka.wwiiol.net 4 0.011 N/A
    http://www.teamspeak.org 5 0.006 N/A
    kaitak.coop.4play... 5 0.006 N/A
    visit1.geo.vip.sc... 2 0.002 N/A
    crl.verisign.com 1 0.002 N/
 
Tunneling? Tunneling is blocked and appears in my filtering reports. As are proxies :)


Yep but that won't do diddly about a trojan downloader that sneaks into your box for one example. So instead of 1 you need to get rid of 20 bugs. :)
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 16, 2007, 02:35:00 PM
Quote
Originally posted by MrRiplEy[H]
Yep but that won't do diddly about a trojan downloader that sneaks into your box for one example. So instead of 1 you need to get rid of 20 bugs. :)


Oh really?

Well....

Top Spyware Categories for  January 17, 2007 - April 17, 2007    
No Data Available
 
As you can see it does edge spyware detection and blocking (it also detects and blocks spyware phoning home). I can get a report from a box that protects a 500 user network, that has quite a few spyware hits :)

Maybe you should look here:  http://www.sonicwall.com/us/4232.htm
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 16, 2007, 03:06:05 PM
Quote
Originally posted by Vulcan
Oh really?

Well....

Top Spyware Categories for  January 17, 2007 - April 17, 2007    
No Data Available
 
As you can see it does edge spyware detection and blocking (it also detects and blocks spyware phoning home). I can get a report from a box that protects a 500 user network, that has quite a few spyware hits :)

Maybe you should look here:  http://www.sonicwall.com/us/4232.htm


Hmm.. trojan downloader is hardly spyware.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 16, 2007, 04:04:54 PM
The Trojan downloader would be blocked too. Here's one of my clients' logs; it does viruses as well (I've removed the juicy details):

Top Spyware Categories for  1 March 2007 - 17 April 2007  
       Category Attempts % of Attempts
 
 1    SearchSquire 38 52.1%
 2    Bundled-Software 28 38.4%
 3    Comet-Cursor 3 4.1%
 4    CoolWebSearch 2 2.7%
 5    About-Blank 2 2.7%
      Total 73 100.0%


Top Virus Attacks for  1 March 2007 - 17 April 2007    
        Virus Attempts % of Attempts
 1    Netsky.P#fsg (Worm) 731 64.6%
 2    Netsky.P.2 (Worm) 134 11.8%
 3    Netsky.d (Worm) 77 6.8%
 4    Suspicious.2#upack (Worm) 39 3.4%
 5    Password-protected ZIP file 34 3.0%
 6    Netsky.b (Worm) 27 2.4%
 7    Suspicious#mew (Worm) 16 1.4%
 8    Netsky.Z (Worm) 12 1.1%
 9    Pay-16 (HTML.Phishing) 11 1.0%
 10    Suspicious.4#upack (Worm) 7 0.6%
 11    W32.Blackmal.E@mm_1 (Worm) 7 0.6%
 12    Netsky.Q (Worm) 7 0.6%
 13    Netsky.Z@m (Worm) 5 0.4%
 14    Suspicious#nspack (Worm) 5 0.4%
 15    Suspicious#petite (Worm) 5 0.4%
 16    Mytob.AF@mm (Worm) 4 0.4%
 17    Sality.Q-1 (W32) 3 0.3%
 18    SubSeven.215 (Trojan) 3 0.3%
 19    Mydoom.AD (Worm) 2 0.2%
 20    Mydoom.M#upx (Worm) 2 0.2%
 
      Total 1131 100.0%
 
Top Intrusions for  1 March 2007 - 17 April 2007    

     
        Category Intrusions % of Intrusions
 
 1    IM 4875 34.0%
 2    WEB-IIS 3674 25.7%
 3    MISC 2366 16.5%
 4    WEB-FRONTPAGE 1349 9.4%
 5    MULTIMEDIA 1033 7.2%
 6    WEB-MISC 300 2.1%
 7    PROXY-ACCESS 234 1.6%
 8    P2P 134 0.9%
 9    EXPLOIT 99 0.7%
 10    WEB-CLIENT 84 0.6%
 11    DNS 71 0.5%
 12    TELNET 35 0.2%
 13    WEB-ATTACKS 18 0.1%
 14    WEB-CGI 14 0.1%
 16    VIRUS 8 0.1%
 17    WEB-PHP 7 0.0%
 18    DOS 5 0.0%
 19    NETBIOS 2 0.0%
 20    MS-SQL 1 0.0%
 
      Total 14319 100.0%
Title: Made the switch to Nod32. Any firewall suggestions
Post by: DREDIOCK on April 17, 2007, 04:07:14 PM
So this isn't a software solution. This is a hardware solution?

BTW they lost any hope of me with this statement

"SonicWALL® Enforced Client Anti-Virus and Anti-Spyware provides comprehensive gateway-enforced virus and spyware protection for desktops and laptops using a single integrated client. Developed in partnership with McAfee®, "

LOL I just got rid of McAfee.
Rather not go back
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 17, 2007, 05:26:32 PM
Quote
Originally posted by DREDIOCK
So this isn't a software solution. This is a hardware solution?

BTW they lost any hope of me with this statement

"SonicWALL® Enforced Client Anti-Virus and Anti-Spyware provides comprehensive gateway-enforced virus and spyware protection for desktops and laptops using a single integrated client. Developed in partnership with McAfee®, "

LOL I just got rid of McAfee.
Rather not go back


Correct. Hardware, not software.

BTW the enforced AV is a different optional component. And yes it is the crappy .net McAfee version. The gateway AV is SonicWall's own.

The security service layers are:
 - SPI Firewall
 - Layer 7 Intrusion Prevention (detects worms, attacks, IM, P2P etc)
 - Layer 7 Antivirus (proprietary in-the-wild AV set)
 - Layer 7 Antispyware (with inbound and outbound phone home detection)
 - Content filtering
 - AV Enforcement (using the above McAfee). It checks whether a client PC has up to date AV before letting it go to the net. I don't use this because the .net client sucks donkey balls.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 17, 2007, 06:06:04 PM
Well Vulcan, what about applications pretending to have legal traffic? Without DLL injection monitoring and parent application leak detection your hardware firewall will think Skype is calling somewhere when in reality it's the worm loading data.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Edbert on April 18, 2007, 10:45:20 PM
For anti-malware apps I've sort of decided on "Prevx1". I ran scans with about 6 top spyware scanners (all updated). Prevx1 was the only one which did not claim the test drive to be clean only to have one of the others find malware that was missed. When it said it was clean I found nothing, not so the other tools, although some were better (more aggressive) than others. It does antivirus too but they're easy compared to the more general category of stuff-you-don't-want.

For firewall I believe it should be hardware, and stateful. Perfect price/performance/reliability/security quotient for SOHO use would be the PIX506E, that's what I use. I've run software firewalls and prefer ZoneAlarm for that but am dubious about a SW firewall running on the box it is supposed to protect. Generally speaking I leave the SW firewalls off unless I am suspecting or troubleshooting something.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 18, 2007, 11:13:39 PM
Quote
Originally posted by Edbert
For anti-malware apps I've sort of decided on "Prevx1". I ran scans with about 6 top spyware scanners (all updated). Prevx1 was the only one which did not claim the test drive to be clean only to have one of the others find malware that was missed. When it said it was clean I found nothing, not so the other tools, although some were better (more aggressive) than others. It does antivirus too but they're easy compared to the more general category of stuff-you-don't-want.

For firewall I believe it should be hardware, and stateful. Perfect price/performance/reliability/security quotient for SOHO use would be the PIX506E, that's what I use. I've run software firewalls and prefer ZoneAlarm for that but am dubious about a SW firewall running on the box it is supposed to protect. Generally speaking I leave the SW firewalls off unless I am suspecting or troubleshooting something.


Crappy solutions like zonealarm free are probably the reason why people think software firewalls are more of a nuisance. I thought so too when all I knew was ZA free.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 19, 2007, 06:29:06 AM
Quote
Originally posted by MrRiplEy[H]
Well Vulcan, what about applications pretending to have legal traffic? Without DLL injection monitoring and parent application leak detection your hardware firewall will think Skype is calling somewhere when in reality it's the worm loading data.


Ohhh you mean looking at Layer 7 traffic for application specific exploits like say Instant Messaging traffic:

(http://renaissance.xtreme.net.nz/ms/imips.jpg)

:p

p.s. my McAfee AV would detect DLL injections anyway.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: MrRiplEy[H] on April 19, 2007, 06:39:44 AM
How does your sonicwall differentiate illegal traffic from legal if they use same ports specifically designed to fool firewalls?

I'm 100% sure your box will leak like a rusty bucket if tested. Try to run a few of the exploits from the anti-firewall site and see what happens.

If they can't connect through the sonicwall, then I take my words back.

It also seems the content monitoring is limited to a certain list of applications known to the manufacturer. Which represents maybe 0.1% of the total amount of possible traffic.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Vulcan on April 19, 2007, 04:49:11 PM
Quote
Originally posted by MrRiplEy[H]
How does your sonicwall differentiate illegal traffic from legal if they use same ports specifically designed to fool firewalls?

I'm 100% sure your box will leak like a rusty bucket if tested. Try to run a few of the exploits from the anti-firewall site and see what happens.

If they can't connect through the sonicwall, then I take my words back.

It also seems the content monitoring is limited to a certain list of applications known to the manufacturer. Which represents maybe 0.1% of the total amount of possible traffic.


It is not port based. It is Layer 7 based. Do you know what Layer 7 is? There are roughly 5000 heuristic signatures in the IPS database. The database automatically checks for signature updates.

This is separate from the Antispyware and Antivirus signature databases.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Edbert on April 19, 2007, 05:05:26 PM
It's not able to read encrypted layer 7 info.

On one hand it would be cool to intercept and read some SSH, 3DES, or even SSL traffic, but then there's the reason for encrypted data anyhow.
Title: Made the switch to Nod32. Any firewall suggestions
Post by: Brenjen on April 19, 2007, 05:12:00 PM
Nod32 is the best move you'll ever make for an AV solution. The firewall? I just use the XP firewall & the one built into my DSL modem. I actually have them shut off most of the time & just rely on my Nod32 & my Spyware Doctor to save me from the ills of the net; so far so good, quite a few years & counting.