
Does Windows Firewall block "outgoing" traffic?

Author
6 Aug 2006 11:33 PM
cfman
Can I prevent some unrecognized network communications which are originated
from my PC from being initiated?

I am suspecting that some hidden malicious programs in my PC are making
outgoing or outbound network communications.

Can I prevent any such network traffic from happening?

Ideally, if I set an option to block all outgoing traffic, whenever there is
a software that wants to make outgoing traffic, the blocker will raise an
alarm and let me know so I will be able to know where these programs
hide...

Author
7 Aug 2006 12:03 AM
Shenan Stanley
cfman wrote:
> Can I prevent some unrecognized network communications which are
> originated from my PC from being initiated?
>
> I am suspecting that some hidden malicious programs in my PC are
> making outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?
>
> Ideally, if I set an option to block all outgoing traffic, whenever
> there is a software that wants to make outgoing traffic, the
> blocker will raise an alarm and let me know so I will be able to
> know where these programs hide...

Not innately.

--
Shenan Stanley
     MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
Author
7 Aug 2006 12:12 AM
Ken Blake, MVP
cfman wrote:

> Can I prevent some unrecognized network communications which are
> originated from my PC from being initiated?
>
> I am suspecting that some hidden malicious programs in my PC are
> making outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?


Yes, but not with the built-in Windows firewall. That it cannot do this is
probably its biggest disadvantage.

Almost any third-party firewall can do this, and is therefore a better choice.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup


> Ideally, if I set an option to block all outgoing traffic, whenever
> there is a software that wants to make outgoing traffic, the blocker
> will raise an alarm and let me know so I will be able to know where
> these programs hide...
Author
10 Aug 2006 7:52 AM
B. Nice
On Sun, 6 Aug 2006 17:12:32 -0700, "Ken Blake, MVP"
<kbl***@this.is.an.invalid.domain> wrote:

>cfman wrote:
>
>> Can I prevent some unrecognized network communications which are
>> originated from my PC from being initiated?
>>
>> I am suspecting that some hidden malicious programs in my PC are
>> making outgoing or outbound network communications.
>>
>> Can I prevent any such network traffic from happening?
>
>
>Yes, but not with the built-in Windows firewall. That it cannot do this is
>probably its biggest disadvantage.
>
>Almost any third-party firewall can do this, and is therefore a better choice.

Staying with the windows firewall has some solid advantages. And
installing a third-party firewall provides both advantages and
disadvantages, so you cannot just conclude like you did.
Author
7 Aug 2006 12:40 AM
Pennywise
"cfman" <comtech.***@gmail.com> wrote:

>Can I prevent some unrecognized network communications which are originated
>from my PC from being initiated?
>
>I am suspecting that some hidden malicious programs in my PC are making
>outgoing or outbound network communications.
>
>Can I prevent any such network traffic from happening?
>
>Ideally, if I set an option to block all outgoing traffic, whenever there is
>a software that wants to make outgoing traffic, the blocker will raise an
>alarm and let me know so I will be able to know where these programs
>hide...
>

Use Leaktest to test your firewall program (and don't use windows
firewall) http://www.grc.com/lt/leaktest.htm

Just a small file that phones home - see if your firewall can stop it.

Author
7 Aug 2006 6:17 AM
B. Nice
On Sun, 06 Aug 2006 17:40:40 -0700, Pennyw***@DerryMaine.Gov wrote:

> "cfman" <comtech.***@gmail.com> wrote:
>
>>Can I prevent some unrecognized network communications which are originated
>>from my PC from being initiated?
>>
>>I am suspecting that some hidden malicious programs in my PC are making
>>outgoing or outbound network communications.
>>
>>Can I prevent any such network traffic from happening?
>>
>>Ideally, if I set an option to block all outgoing traffic, whenever there is
>>a software that wants to make outgoing traffic, the blocker will raise an
>>alarm and let me know so I will be able to know where these programs
>>hide...
>>
>
>Use Leaktest to test your firewall program (and don't use windows
>firewall) http://www.grc.com/lt/leaktest.htm
>
>Just a small file that phones home - see if your firewall can stop it.

You can also take a look at
http://www.firewallleaktester.com/tests_overview.php - press the "view
results" button  at the bottom to see how personal firewalls in
general perform as far as controlling outbound connections is
concerned. It's not very reliable.

It's better to install a good anti-virus software to stop the malware
before it is allowed to run. Trying to control a malware that is
already allowed to run does not work.
Author
7 Aug 2006 7:08 AM
Pennywise
B. Nice <b__n***@hotmail.com> wrote:

>On Sun, 06 Aug 2006 17:40:40 -0700, Pennyw***@DerryMaine.Gov wrote:
>
>> "cfman" <comtech.***@gmail.com> wrote:
>>
>>>Can I prevent some unrecognized network communications which are originated
>>>from my PC from being initiated?
>>>
>>>I am suspecting that some hidden malicious programs in my PC are making
>>>outgoing or outbound network communications.
>>>
>>>Can I prevent any such network traffic from happening?
>>>
>>>Ideally, if I set an option to block all outgoing traffic, whenever there is
>>>a software that wants to make outgoing traffic, the blocker will raise an
>>>alarm and let me know so I will be able to know where these programs
>>>hide...
>>>
>>
>>Use Leaktest to test your firewall program (and don't use windows
>>firewall) http://www.grc.com/lt/leaktest.htm
>>
>>Just a small file that phones home - see if your firewall can stop it.
>
>You can also take a look at
>http://www.firewallleaktester.com/tests_overview.php -

Nice link to various leaktesters
http://www.firewallleaktester.com/leaktest9.htm

>press the "view
>results" button  at the bottom to see how personal firewalls in
>general perform as far as controlling outbound connections is
>concerned. It's not very reliable.

Windows Firewall kinda sucks huh :)

>It's better to install a good anti-virus software to stop the malware
>before it is allowed to run. Trying to control a malware that is
>already allowed to run does not work.

NOD32, it's got a thing called IMON (internet monitor) going for it.
I can't download any malware files from http://vx.netlux.org/ (my
virus checker checking site); NOD32 catches them still zip'd


Author
7 Aug 2006 7:38 AM
B. Nice
On Mon, 07 Aug 2006 00:08:55 -0700, Pennyw***@DerryMaine.Gov wrote:

>>press the "view
>>results" button  at the bottom to see how personal firewalls in
>>general perform as far as controlling outbound connections is
>>concerned. It's not very reliable.
>
>Windows Firewall kinda sucks huh :)

Actually not. The XP SP2 firewall does a very good job at controlling
inbound traffic. At least as good or even better than any personal
firewall. And outbound checking was left out intentionally - knowing
that it cannot be done reliably within a windows environment anyway.
There are simply too many ways for malware to circumvent it.

>>It's better to install a good anti-virus software to stop the malware
>>before it is allowed to run. Trying to control a malware that is
>>already allowed to run does not work.
>
>NOD32, it's got a thing called IMON (internet monitor) going for it.

I agree. NOD32 is among the best. But again, antivirus software isn't
something you should rely too much on either. The best hard-/software
appliance available is your brain ;-)

>I can't download any malware files from http://vx.netlux.org/ (my
>virus checker checking site); NOD32 catches them still zip'd

Good :-)
Author
7 Aug 2006 11:19 AM
karl levinson, mvp
"B. Nice" <b__n***@hotmail.com> wrote in message
news:2uqdd2507d0mgg7bqtenj7gtj06mvemivf@4ax.com...

>>Windows Firewall kinda sucks huh :)
>
> Actually not. The XP SP2 firewall does a very good job at controlling
> inbound traffic. At least as good or even better than any personal
> firewall. And outbound checking was left out intentionally - knowing
> that it cannot be done reliably within a windows environment anyway.
> There are simply too many ways for malware to circumvent it.

That's what I hate about those "leak test" sites.  People who don't know
what the results mean conclude that good firewall products are not good.

Leak test sites test what happens once malware is on the computer.  But
malware on a computer [with System or Administrator privileges] can do just
about anything it wants to, including disable just about every firewall out
there.  Also, once malware is on your computer, you've usually got bigger
problems than whether your personal firewall software is blocking outbound
traffic.  So then what good is a leak test?  I think leak tests are more
useful to security experts, by demonstrating largely academic security
issues, and less useful to the general public.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
Author
7 Aug 2006 1:40 PM
B. Nice
On Mon, 7 Aug 2006 07:19:18 -0400, "karl levinson, mvp"
<levinso***@securityadmin.info> wrote:

>
>"B. Nice" <b__n***@hotmail.com> wrote in message
>news:2uqdd2507d0mgg7bqtenj7gtj06mvemivf@4ax.com...
>
>>>Windows Firewall kinda sucks huh :)
>>
>> Actually not. The XP SP2 firewall does a very good job at controlling
>> inbound traffic. At least as good or even better than any personal
>> firewall. And outbound checking was left out intentionally - knowing
>> that it cannot be done reliably within a windows environment anyway.
>> There are simply too many ways for malware to circumvent it.
>
>That's what I hate about those "leak test" sites.  People who don't know
>what the results mean conclude that good firewall products are not good.

Which would be the correct conclusion (as far as outbound control is
concerned).

>Leak test sites test what happens once malware is on the computer.  But
>malware on a computer [with System or Administrator privileges] can do just
>about anything it wants to, including disable just about every firewall out
>there. 

Very true. But still the vendors claim to be able to provide complete
internet protection - and to be able to stop malware from connecting,
right? :-)

You must however also realise that some of the leaktests also work
perfectly even when run under restricted rights. And malware needs
only one possible way to get out to do so. Therefore you cannot even
look at which ones block most leak tests. In the end that doesn't make
much difference for clever malware.

>Also, once malware is on your computer, you've usually got bigger
>problems than whether your personal firewall software is blocking outbound
>traffic. 

Precisely. That's one of the reasons why "controlling outbound" is a
broken concept.

>So then what good is a leak test? 

Hopefully leaktests can help people realise that outbound protection
is unreliable and should not be considered a security measure.

Furthermore the so-called "phoning home" issue is highly overrated and
leads to users preventing legitimate programs from checking for updates
- thereby leaving them vulnerable instead of more secure.

>I think leak tests are more
>useful to security experts, by demonstrating largely academic security
>issues, and less useful to the general public.

Wrong. It's about time users start to realise that "outbound
connection control" is a broken concept. Just look at the leak test
site. Would you accept it if your software got a similar rating at
ShieldsUp? - No. You would be screaming and yelling and posting to
newsgroups until you got each and every little dot turned green :-)
Author
8 Aug 2006 12:40 PM
karl levinson, mvp
"B. Nice" <b__n***@hotmail.com> wrote in message
news:tdfed2h3idje02a5qn1b6tlemmk56d1ovq@4ax.com...

>>That's what I hate about those "leak test" sites.  People who don't know
>>what the results mean conclude that good firewall products are not good.
>
> Which would be the correct conclusion (as far as outbound control is
> concerned).

> Precisely. That's one of the reasons why "controlling outbound" is a
> broken concept.

I agree with you, sort of.  Like almost all security countermeasures,
"controlling outbound" [via personal firewall software] is never going to be
100% effective.  That doesn't make it useless or broken.  "Controlling
outbound" raises the bar, by blocking at least some bad things, and making
you aware of the existence of some other bad things.  The opposite of
"controlling outbound" is to allow all traffic out without any monitoring or
logging.  Given a choice, I'd take a security countermeasure with some
vulnerabilities over no countermeasure at all, especially if the
countermeasure is inexpensive.  And throwing in an external firewall device,
proxy server, etc., makes "controlling outbound" alerting and blocking not
so broken.

Unfortunately, most leak test sites are part of the problem, not part of the
solution.  Correct me if I'm wrong, but instead of suggesting that
"controlling outbound" is a broken concept, I think most leak test sites
suggest that "controlling outbound" is an important concept.  Those sites
suggest that you can and should 1) buy the right firewall or 2) complain to
your firewall vendor, and then you'll be secure.  I think that could lead
the user to having a false sense of security, which is a dangerous thing.
Most people reading those web sites are going to conclude that "controlling
outbound" is an important test and that it is an important factor they
should consider when choosing a product.  As a result, some otherwise good
products might not be purchased.
Author
8 Aug 2006 6:08 PM
B. Nice
On Tue, 8 Aug 2006 08:40:20 -0400, "karl levinson, mvp"
<levinso***@securityadmin.info> wrote:

>
>"B. Nice" <b__n***@hotmail.com> wrote in message
>news:tdfed2h3idje02a5qn1b6tlemmk56d1ovq@4ax.com...
>
>>>That's what I hate about those "leak test" sites.  People who don't know
>>>what the results mean conclude that good firewall products are not good.
>>
>> Which would be the correct conclusion (as far as outbound control is
>> concerned).
>
>> Precisely. That's one of the reasons why "controlling outbound" is a
>> broken concept.
>
>I agree with you, sort of.  Like almost all security countermeasures,
>"controlling outbound" [via personal firewall software] is never going to be
>100% effective.

Right. Not even close. Controlling inbound has proven to be possible
and reliable to a certain high degree. Controlling outbound (with a
personal firewall) hasn't - and never will. And therefore shouldn't be
considered a security measure.

>That doesn't make it useless or broken.

The idea itself is silly (if meant as a security measure against
malware trying to make outbound connections) since you are trying to
control malware that is already allowed to run. Malware is something
you stop at the gate (for example with a good anti-virus product or
simply by using your own common sense), not something you allow in and
try to control. It's not called malware for nothing :-)

> "Controlling outbound" raises the bar,
>by blocking at least some bad things, and making
>you aware of the existence of some other bad things.

Being able to stop a few things that don't mind being stopped leads
to users believing that it works reliably and therefore imposes a false
sense of security on them. And users should NOT feel secure. Only
providers of security software want users to feel secure. Well, a user
shouldn't feel insecure either. But a user should be constantly aware
of what he/she is doing.

>The opposite of "controlling outbound" is to allow all traffic out without any monitoring or
>logging.  Given a choice, I'd take a security countermeasure with some
>vulnerabilities over no countermeasure at all, especially if the
>countermeasure is inexpensive.

That's your choice. And you are free to do that, as long as you
understand the limitations. But for reasons mentioned before, I find
it a bad idea in most cases.

>And throwing in an external firewall device,
>proxy server, etc., makes "controlling outbound" alerting and blocking not
>so broken.

I fully agree. I am only objecting to outbound control of "firewalls"
running on the same machine as it is supposed to protect.

>Unfortunately, most leak test sites are part of the problem, not part of the
>solution. 

I disagree. It is important that users know what the real capabilities
of the products they are using are. Especially since the topic is
security. Normal users have no other possibilities than to believe
what consultants or even worse, the software vendors, tell them. And
that info is, to be polite, very unreliable.

>Correct me if I'm wrong, but instead of suggesting that
>"controlling outbound" is a broken concept, I think most leak test sites
>suggest that "controlling outbound" is an important concept.  Those sites
>suggest that you can and should 1) buy the right firewall or 2) complain to
>your firewall vendor, and then you'll be secure.  I think that could lead
>the user to having a false sense of security, which is a dangerous thing.

I agree that a false sense of security is a dangerous thing. But I'm
not sure I fully understand what you are trying to say here.

>Most people reading those web sites are going to conclude that "controlling
>outbound" is an important test and that it is an important factor they
>should consider when choosing a product.  As a result, some otherwise good
>products might not be purchased.
>

That's true to some extent. For example, one may be led to believe
that the windows firewall is crap, while it is actually quite good.

But in the end, it doesn't make much difference how many leaktests a
firewall product can pass. Clever malware needs only one hole to get
through. Therefore my point is that it should be used to get an idea
of how personal firewalls in general perform - not for making
decisions on which one to use. If that was also the point you were
trying to make, then we agree.
Author
9 Aug 2006 1:42 PM
karl levinson, mvp
"B. Nice" <b__n***@hotmail.com> wrote in message
news:eckhd2t0faj96b739b81jerabq5lf9e5rk@4ax.com...

>>Correct me if I'm wrong, but instead of suggesting that
>>"controlling outbound" is a broken concept, I think most leak test sites
>>suggest that "controlling outbound" is an important concept.  Those sites
>>suggest that you can and should 1) buy the right firewall or 2) complain
>>to
>>your firewall vendor, and then you'll be secure.  I think that could lead
>>the user to having a false sense of security, which is a dangerous thing.
>
> I agree that a false sense of security is a dangerous thing. But I'm
> not sure I fully understand what you are trying to say here.

I believe most leak test sites lead the user to believe that you should buy
the firewall that does the best at "blocking outbound."  Leak test sites
often don't make it clear that once malware is on the computer, your
personal firewall is toast.  Personal firewalls can't block malware on your
system, but leak test sites tend to make users think that the right ones
can.

On the other hand, personal firewalls can alert you to the existence of
spyware, adware and some malware like viruses.  Things like antivirus,
network IDS, SSL, SSH, PGP, DEP execution prevention, etc. aren't 100%
foolproof, they can be evaded and fooled.  And yet they are frequently used,
because they help reduce your risk.  Most security countermeasures only
reduce risk, not eliminate risk.  That doesn't make them worthless.
Author
9 Aug 2006 3:01 PM
B. Nice
On Wed, 9 Aug 2006 09:42:07 -0400, "karl levinson, mvp"
<levinso***@securityadmin.info> wrote:

>
>"B. Nice" <b__n***@hotmail.com> wrote in message
>news:eckhd2t0faj96b739b81jerabq5lf9e5rk@4ax.com...
>
>>>Correct me if I'm wrong, but instead of suggesting that
>>>"controlling outbound" is a broken concept, I think most leak test sites
>>>suggest that "controlling outbound" is an important concept.  Those sites
>>>suggest that you can and should 1) buy the right firewall or 2) complain
>>>to
>>>your firewall vendor, and then you'll be secure.  I think that could lead
>>>the user to having a false sense of security, which is a dangerous thing.
>>
>> I agree that a false sense of security is a dangerous thing. But I'm
>> not sure I fully understand what you are trying to say here.
>
>I believe most leak test sites lead the user to believe that you should buy
>the firewall that does the best at "blocking outbound." 

Agreed. As we also agree that this is not a correct conclusion.

>Leak test sites  often don't make it clear that once malware is on the computer, your
>personal firewall is toast. 

Ack.

>Personal firewalls can't block malware on your system, but leak test sites tend to make
>users think that the right ones can.

Yes, that's bad.

>On the other hand, personal firewalls can alert you to the existence of
>spyware, adware and some malware like viruses. 

It can detect a few non-clever ones, yes. But as you also said: "Once
malware is in, your computer is toast". And catching these few ones
leads to a false sense of security for novices - and that's dangerous.

>Things like antivirus, network IDS, SSL, SSH, PGP, DEP execution prevention,
>etc. aren't 100% foolproof, they can be evaded and fooled.  And yet they
>are frequently used, because they help reduce your risk.

Yes, but well knowing that things like IDS and anti-virus products are
also not too reliable, at least they are trying to stop things before
they do any harm. Trying to control malware that is already running is
just plain stupid. And users should know that.

>Most security countermeasures only reduce risk, not eliminate risk.

True to some extent. There is however something about security. One
can gain 100% security against a specific threat. Let's say a
vulnerability is found in a specific network service. If you stop
running that service you are 100% protected against that threat. And
IMO for something to be considered a security measure it has to at
least be reliable to a certain high degree (like inbound control can
be for example). Outbound control is not worthy of being considered a
security measure, IMHO.

>That doesn't make them worthless.

Nearly. And dangerous, because novices are led to believe they are
protected - fooled by the product vendors' marketing departments.

Some products are even dangerous because they add new vulnerabilities
to your computer that you would not have without them.

Examples:

* The Witty worm - targeting only computers running a specific PFW.

* The SelfDoS attack - targeting only computers running specific PFW's
with a faulty IDS implementation.

* Bad design - some PFW's have severe design errors by not following
MS's most basic recommendations for windows security - thereby
allowing restricted users to gain administrative rights. And since
this is by design, it is not something that can be fixed without
rewriting. Specific PFW's have, for example, had this error for several
years - making them completely useless within a corporate environment.
And, in principle, allowing malware to gain administrative rights by
itself, leading to a complete compromise - even though I am not aware
of any actual reports about that - yet.

There are many other examples. Just go google for personal firewall
vulnerability - you may be surprised.

If these were just ordinary applications I wouldn't make much fuss
about it, but these companies claim to be in the security business.
They had better start proving themselves worthy.
Author
10 Aug 2006 12:32 AM
karl levinson, mvp
"B. Nice" <b__n***@hotmail.com> wrote in message
news:9prjd2l1i9dsb4r6j6s6j95k5imdq06ev9@4ax.com...

> Nearly. And dangerous, because novices are led to believe they are
> protected - fooled by the product vendors' marketing departments.

I agree that a false sense of security is dangerous, I also think that
novices are just often going to be uninformed and largely untrainable about
security issues.  Novices are also prone to the opposite problem, an
unnecessary panic when warned about security issues, which can lead them to
make rash or unnecessary decisions, which should also be avoided.  Security
awareness and training programs for home and corporate users generally pick
just a few of the most important take-home points and really dumb them down,
hoping they'll stick.  We still haven't succeeded in getting all home users
to patch, use an AV, and use a firewall.  The technical vulnerabilities of
firewalls are useful for some more moderately technical users to know, but are
too much info for other users.

> Some products are even dangerous because they add new vulnerabilities
> to your computer that you would not have without them.
>
> Examples:
>
> * The Witty worm - targeting only computers running a specific PFW.

Yes, but the Witty worm was not that widespread or common an occurrence, and
people who were affected had neither the firewall update nor the antivirus
update that would have prevented Witty infections.  You'd want to compare
the risk of using a firewall versus the risk of not using one, and choose
the better of the two.  In most environments, you usually have less risk by
using some form of TCP/IP filtering on the workstation than not.  I'm not a
fan of Windows IPSec filtering rules on workstations, because the logging is
not really good enough.  So that pretty much leaves you with the Windows XP
firewall, a third party software firewall, or a firewall device of some
sort.
Author
10 Aug 2006 10:40 AM
B. Nice
On Wed, 9 Aug 2006 20:32:53 -0400, "karl levinson, mvp"
<levinso***@securityadmin.info> wrote:

>
>"B. Nice" <b__n***@hotmail.com> wrote in message
>news:9prjd2l1i9dsb4r6j6s6j95k5imdq06ev9@4ax.com...
>
>> Nearly. And dangerous, because novices are led to believe they are
>> protected - fooled by the product vendors' marketing departments.
>
>I agree that a false sense of security is dangerous, I also think that
>novices are just often going to be uninformed and largely untrainable about
>security issues. 

I don't think so. At least I will give it a try :-)

>Novices are also prone to the opposite problem, an
>unnecessary panic when warned about security issues, which can lead them to
>make rash or unnecessary decisions, which should also be avoided. 

True. "A false sense of insecurity".

>Security awareness and training programs for home and corporate users generally pick
>just a few of the most important take-home points and really dumb them down,
>hoping they'll stick. 

Way better than nothing. Simple things like "install the updates",
"use a good anti-virus product", "use another browser than IE",
"don't use Outlook or Outlook Express for e-mails" and "control your
curiosity" make a big difference if followed IMHO.

>We still haven't succeeded in getting all home users to patch, use an AV,
> and use a firewall. 

I'm not sure I would agree to that. My experience is that users are
starting to be aware that they need to consider security. That doesn't
mean they know how to manage a firewall though.

>The technical vulnerabilities of firewalls are useful for some more
>moderately technical users to know, but are too much info for other users.

Vulnerabilities, yes. But if users can interpret the colourful ratings
at ShieldsUp they can also understand the colourful ratings at
firewallleaktester.com.

>> Some products are even dangerous because they add new vulnerabilities
>> to your computer that you would not have without them.
>>
>> Examples:
>>
>> * The Witty worm - targeting only computers running a specific PFW.
>
>Yes, but the Witty worm was not that widespread or common an occurrence, and
>people who were affected had neither the firewall update nor the antivirus
>update that would have prevented Witty infections. 

It was just one of many examples of vulnerabilities of firewalls.
Google is your friend.

>You'd want to compare the risk of using a firewall versus the risk of not using one,
>and choose the better of the two.

Not fully correct. You'd need to consider the pros as well as the cons
of both options.

>In most environments, you usually have less risk by using some form of TCP/IP filtering
>on the workstation than not.  I'm not a fan of Windows IPSec filtering rules on workstations,
>because the logging is not really good enough.

Then there is something like this http://wipfw.sourceforge.net/ -
small, simple and reliable - as an alternative to IPSec rules. Or if
you want something bigger (and more IPSec rules alike) with a nice GUI
there is something like CHX-I from http://www.idrci.net/
Both alternatives come with stateful inspection / dynamic rules - and
logging.

>So that pretty much leaves you with the Windows XP
>firewall, a third party software firewall, or a firewall device of some
>sort.

Or: The windows firewall (or another good packet filter), a good
anti-virus product and common sense.
Author
7 Aug 2006 1:38 AM
Bruce Chambers
cfman wrote:
> Can I prevent some unrecognized network communications which are originated
> from my PC from being initiated?
>

    Certainly.  Simply install and properly configure a personal firewall.

> I am suspecting that some hidden malicious programs in my PC are making
> outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?
>

    Again, simply install and properly configure a personal firewall.


> Ideally, if I set an option to block all outgoing traffic, whenever there is
> a software that wants to make outgoing traffic, the blocker will raise an
> alarm and let me know so I will be able to know where these programs
> hide...
>
>

    To answer the question misplaced in the subject line:

     WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes.  What WinXP SP2's firewall does not
do, is provide an important additional layer of protection by informing
you about any Trojans or spyware that you (or someone else using your
computer) might download and install inadvertently.  It doesn't monitor
out-going network traffic at all, other than to check for IP-spoofing,
much less block (or even ask you about) the bad or the questionable
out-going signals.  It assumes that any application you have on your
hard drive is there because you want it there, and therefore has your
"permission" to access the Internet.  Further, because the Windows
Firewall is a "stateful" firewall, it will also assume that any incoming
traffic that's a direct response to a Trojan's or spyware's out-going
signal is also authorized.

     ZoneAlarm or Kerio are much better than WinXP's built-in firewall,
in that they do provide that extra layer of protection, are much more
easily configured, and have free versions readily available for
downloading.  Even the commercially available Symantec's Norton Personal
Firewall provides superior protection, although it does take a heavier
toll on system performance than do ZoneAlarm or Kerio.

     Firewalls and anti-virus applications, which should always be used
and should always be running, are important components of "safe hex,"
but they cannot, and should not be expected to, protect the computer
user from him/herself.  Ultimately, it is incumbent upon each and every
computer user to learn how to secure his/her own computer.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
Author
7 Aug 2006 4:22 PM
Gman
Bruce Chambers wrote:
> cfman wrote:
> > Can I prevent some unrecognized network communications which are originated
> > from my PC from being initiated?
> >
>
>     Certainly.  Simply install and properly configure a personal firewall.


Ah, but here's the rub, Bruce, 'simply' and 'properly configured'
should not be used in the same sentence when discussing ZoneAlarm, or
any of the other personal firewalls.

Given all of the XP and other app's processes (most with unrecognizable
titles and unfathomable function) that insist on communicating with
something in the great beyond to function, the average user (I am one
of them) doesn't have a clue about how to properly configure a
firewall, which processes to Allow and which ones to Block.  For us, it
is not simple.

After wrestling with ZoneAlarm alerts for several months, and getting
no help from the ZA User Forums, Google searches or anything else as to
what's good and what's bad, I just gave up, removed ZA and live, albeit
with a good deal of paranoia, with the XP firewall, meticulously
running various scans, sweeps and using a divining rod on a weekly
basis to detect and remove any scumware that slid in past that
firewall.

If there were a cookbook solution for properly configuring ZoneAlarm,
Kerio or any of the other personal firewalls, I think we average users
would be more amenable to using one of those two-way firewalls.

If you, or anyone else knows of such a cookbook, point us in the right
direction.

Just one man's opinion, Bruce.
Author
7 Aug 2006 5:18 PM
B. Nice
On 7 Aug 2006 09:22:10 -0700, "Gman" <mbi***@gmail.com> wrote:

>Bruce Chambers wrote:
>> cfman wrote:
>> > Can I prevent some unrecognized network communications which are originated
>> > from my PC from being initiated?
>> >
>>
>>     Certainly.  Simply install and properly configure a personal firewall.
>
>
>Ah, but here's the rub, Bruce, 'simply' and 'properly configured'
>should not be used in the same sentence when discussing ZoneAlarm, or
>any of the other personal firewalls.

Precisely.

>Given all of the XP and other app's processes (most with unrecognizable
>titles and unfathomable function) that insist on communicating with
>something in the great beyond to function, the average user (I am one
>of them) doesn't have a clue about how to properly configure a
>firewall, which processes to Allow and which ones to Block.  For us, it
>is not simple.

Precisely.

>After wrestling with ZoneAlarm alerts for several months, and getting
>no help from the ZA User Forums, Google searches or anything else as to
>what's good and what's bad, I just gave up, removed ZA and live, albeit
>with a good deal of paranoia, with the XP firewall, meticulously
>running various scans, sweeps and using a divining rod on a weekly
>basis to detect and remove any scumware that slid in past that
>firewall.

It's very unlikely that something "slid in past the firewall". The
scumware most likely sneaked in by you surfing the internet in an
insecure way (by using Internet Explorer for example) or by you
installing and/or running questionable software.

>If there were a cookbook solution for properly configuring ZoneAlarm,
>Kerio or any of the other personal firewalls, I think we average users
>would be more amenable to using one of those two-way firewalls.

It's better to skip these so-called "two-way" firewalls and replace
them with "brainware" :-)

I have looked closely at different personal firewalls, and they simply
don't live up to the vendors claims.

For example I find it very funny that the Kerio Personal Firewall when
installed in "simple" mode (which they recommend for novices) actually
allows most if not all outbound connections by default. At the same
time, at their web-site, they claim that the windows firewall is "half
asleep" for not doing the same thing.

Another funny example is the Outpost firewall which is almost a
security risk in itself because it violates Microsoft's most basic
recommendations regarding Windows security, thereby allowing
restricted users to gain administrative privileges.

Instead, don't trust too much in such security products (and certainly
not the vendors) and instead take responsibility for what you do.

Feel free to visit my site for some ground rules. Read them -
understand them - and follow them.
http://home20.inet.tele.dk/b_nice/

You can start here to find out why personal firewalls may not be the
best solution:
http://home20.inet.tele.dk/b_nice/PFW.htm

>If you, or anyone else knows of such a cookbook, point us in the right
>direction.
>
>Just one man's opinion, Bruce.
Author
8 Aug 2006 4:01 PM
Gman
B. Nice wrote:

>
> >After wrestling with ZoneAlarm alerts for several months, and getting
> >no help from the ZA User Forums, Google searches or anything else as to
> >what's good and what's bad, I just gave up, removed ZA and live, albeit
> >with a good deal of paranoia, with the XP firewall, meticulously
> >running various scans, sweeps and using a divining rod on a weekly
> >basis to detect and remove any scumware that slid in past that
> >firewall.
>
> It's very unlikely that something "slid in past the firewall". The
> scumware most likely sneaked in by you surfing the internet in an
> insecure way (by using Internet Explorer for example) or by you
> installing and/or running questionable software.

Dear Mr (or Ms) Nice (whichever the case may be),

I appreciate your sage comments and candid advice regarding the
inadequacies of all personal firewalls.  I do use Firefox, have
McAfee's SiteAdvisor in place to warn me about unsafe websites and the
only 'questionable' software I'm running, that's given me any pause, is
Microsoft's.  Seems every time I do an XP or Office update, I get this
frenzied activity that wants to change the Browser's Home Page, both
IE's and Firefox's, to the MSN website.


> >If there were a cookbook solution for properly configuring ZoneAlarm,
> >Kerio or any of the other personal firewalls, I think we average users
> >would be more amenable to using one of those two-way firewalls.
>
> It's better to skip these so-called "two-way" firewalls and replace
> them with "brainware" :-)

Agreed, and I also agree with the subsequent poster that ZA is easy to
install, and, if every access Alert is approved, it generally doesn't
cause any problems.  But that's kind of like using door-stops to prop
open the front and back doors of your house.  Not much risk if you live
out in the country, terribly risky in the inner cities, and the
Internet is the worst of every city in the world's inner cities.
Author
7 Aug 2006 8:59 PM
Enkidu
Gman wrote:
> Bruce Chambers wrote:
>> cfman wrote:
>>> Can I prevent some unrecognized network communications which are originated
>>> from my PC from being initiated?
>>>
>>     Certainly.  Simply install and properly configure a personal firewall.
>
>
> Ah, but here's the rub, Bruce, 'simply' and 'properly configured'
> should not be used in the same sentence when discussing ZoneAlarm, or
> any of the other personal firewalls.
>
> Given all of the XP and other app's processes (most with unrecognizable
> titles and unfathomable function) that insist on communicating with
> something in the great beyond to function, the average user (I am one
> of them) doesn't have a clue about how to properly configure a
> firewall, which processes to Allow and which ones to Block.  For us, it
> is not simple.
>
> After wrestling with ZoneAlarm alerts for several months, and getting
> no help from the ZA User Forums, Google searches or anything else as to
> what's good and what's bad, I just gave up, removed ZA and live, albeit
> with a good deal of paranoia, with the XP firewall, meticulously
> running various scans, sweeps and using a divining rod on a weekly
> basis to detect and remove any scumware that slid in past that
> firewall.
>
> If there were a cookbook solution for properly configuring ZoneAlarm,
> Kerio or any of the other personal firewalls, I think we average users
> would be more amenable to using one of those two-way firewalls.
>
> If you, or anyone else knows of such a cookbook, point us in the right
> direction.
>
> Just one man's opinion, Bruce.
>
What's to configure? You just install it, and let it do its job. There
is no need to tweak it at all! If something is suspicious it will ask
you what to do, and will then remember what you decided. I've not used
Kerio, but when I used ZoneAlarm it was simple to install and simple to
use. Just right for beginners.

Cheers,

Cliff
Author
8 Aug 2006 9:57 PM
SPAM ME
"Gman" <mbi***@gmail.com> wrote in message
news:1154967730.011014.170710@75g2000cwc.googlegroups.com...
> Bruce Chambers wrote:
>> cfman wrote:
>> > Can I prevent some unrecognized network communications which are
>> > originated
>> > from my PC from being initiated?
>> >
>>
>> Certainly.  Simply install and properly configure a personal firewall.
>
>
> Ah, but here's the rub, Bruce, 'simply' and 'properly configured'
> should not be used in the same sentence when discussing ZoneAlarm, or
> any of the other personal firewalls.
>
> Given all of the XP and other app's processes (most with unrecognizable
> titles and unfathomable function) that insist on communicating with
> something in the great beyond to function, the average user (I am one
> of them) doesn't have a clue about how to properly configure a
> firewall, which processes to Allow and which ones to Block.  For us, it
> is not simple.
>
> After wrestling with ZoneAlarm alerts for several months, and getting
> no help from the ZA User Forums, Google searches or anything else as to
> what's good and what's bad, I just gave up, removed ZA and live, albeit
> with a good deal of paranoia, with the XP firewall, meticulously
> running various scans, sweeps and using a divining rod on a weekly
> basis to detect and remove any scumware that slid in past that
> firewall.
>
> If there were a cookbook solution for properly configuring ZoneAlarm,
> Kerio or any of the other personal firewalls, I think we average users
> would be more amenable to using one of those two-way firewalls.
>
> If you, or anyone else knows of such a cookbook, point us in the right
> direction.
>
> Just one man's opinion, Bruce.
>
I concur with Gman
Author
9 Aug 2006 2:31 AM
Bruce Chambers
SPAM ME wrote:
> "Gman" <mbi***@gmail.com> wrote in message
> news:1154967730.011014.170710@75g2000cwc.googlegroups.com...
>> Bruce Chambers wrote:
>>> cfman wrote:
>>>> Can I prevent some unrecognized network communications which are
>>>> originated
>>>> from my PC from being initiated?
>>>>
>>> Certainly.  Simply install and properly configure a personal firewall.
>>
>> Ah, but here's the rub, Bruce, 'simply' and 'properly configured'
>> should not be used in the same sentence when discussing ZoneAlarm, or
>> any of the other personal firewalls.
>>


    Why not?  I haven't come across one yet that wasn't mind-numbingly
simple to use.


>> Given all of the XP and other app's processes (most with unrecognizable
>> titles and unfathomable function) that insist on communicating with
>> something in the great beyond to function, the average user (I am one
>> of them) doesn't have a clue about how to properly configure a
>> firewall, which processes to Allow and which ones to Block.  For us, it
>> is not simple.
>>


    It's not WinXP's processes that are the problem, nor have I seen an
alert from a personal firewall that did not make it quite clear what
application was trying to send outbound signals.


>> After wrestling with ZoneAlarm alerts for several months, and getting
>> no help from the ZA User Forums, Google searches or anything else as to
>> what's good and what's bad, I just gave up, removed ZA and live, albeit
>> with a good deal of paranoia, with the XP firewall, meticulously
>> running various scans, sweeps and using a divining rod on a weekly
>> basis to detect and remove any scumware that slid in past that
>> firewall.
>>


    Your choice, of course.



>> If there were a cookbook solution for properly configuring ZoneAlarm,
>> Kerio or any of the other personal firewalls, I think we average users
>> would be more amenable to using one of those two-way firewalls.
>>


    How could there be?  How would anyone else know what applications *you*
have installed on *your* computer, and which of those applications *you*
want accessing the Internet?  This is something only *you* can
determine.  If you don't know what you have installed on your own
computer, and don't know what each application is supposed to be doing,
please do us all a favor and disconnect the computer from the Internet.



--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
Author
10 Aug 2006 7:41 AM
B. Nice
On Tue, 08 Aug 2006 20:31:23 -0600, Bruce Chambers
<bchambers@cable0ne.n3t> wrote:

>If you don't know what you have installed on your own
>computer, and don't know what each application is supposed to be doing,
>please do us all a favor and disconnect the computer from the Internet.

That's just ridiculous. If you know exactly what applications are
running on your computer you have absolutely no need for a personal
firewall at all.

The OP stated that he suspected some hidden programs in his PC making
outgoing connections. And you threw in your usual "install and
properly configure a personal firewall" magic bullet completely
ignoring the fact that outbound control is highly unreliable.

If you cannot provide better advice than that, please do us all a
favour and disconnect your computer from the internet.
Author
10 Aug 2006 5:54 PM
SPAM ME
B. Nice wrote:
> On Tue, 08 Aug 2006 20:31:23 -0600, Bruce Chambers
> <bchambers@cable0ne.n3t> wrote:
>
> >If you don't know what you have installed on your own
> >computer, and don't know what each application is supposed to be doing,
> >please do us all a favor and disconnect the computer from the Internet.
>
> That's just ridiculous. If you know exactly what applications are
> running on your computer you have absolutely no need for a personal
> firewall at all.
>
> The OP stated that he suspected some hidden programs in his PC making
> outgoing connections. And you threw in your usual "install and
> properly configure a personal firewall" magic bullet completely
> ignoring the fact that outbound control is highly unreliable.
>
> If you cannot provide better advice than that, please do us all a
> favour and disconnect your computer from the internet.

Way to go B. Nice!!!!!! (Sorry Bruce, got carried away there.)

Bruce 'normally' gives good advice and I am 'usually' more informed
after reading his posts, so I will forgive him for jabbing me (and all
us average users), this time.

For your info, Bruce, I do know all of the programs I've installed,
know which ones need to call home and which ones don't.  What I don't
know, but what techie-folks like you claim to know, is what all the MS
alphabet-soup processes do or what they need to call home about.

Googling those hieroglyphic processes gets generic info, with the
proviso to 'Beware', that at some time in the past (or perhaps in the
future), some scumbag has (or will) cleverly disguise a piece of
malware to use that process's name to wreak havoc.

Then there are the demands from known legitimate MS processes, like
Windows Explorer and others, to access the Internet.  I have not found
a good explanation as to why any of these processes 'have' to access
the Internet, without the same proviso, 'Beware', scumbags have found a
way to infiltrate those hallowed processes with malware also.

Wish there were a simple, easily configured solution to block the work
of those malware scumbags, but if there were, there would probably be a
lot of geeks standing in soup lines around the world.  Those who create
malware, and those who create malware defenses.

I wonder, is it possible that many of them are one and the same?

Keep your computer connected Bruce, we need all of your expert advice
and some of your flawed opinions.

p.s.  I finally found the culprit that was wreaking havoc with my Home
Page.  Turned out to be an app the computer mfgr. magnanimously threw
in to their pre-install brew.

Oh yeah, thankfully, gmail's SPAM filters do work.
Author
11 Aug 2006 1:59 AM
Bruce Chambers
SPAM ME wrote:
>
>
> For your info, Bruce, I do know all of the programs I've installed,
> know which ones need to call home and which ones don't. 


    That's very good.  All computer users should have that same level of
knowledge.


> What I don't
> know, but what techie-folks like you claim to know, is what all the MS
> alphabet-soup processes do or what they need to call home about.
>
> Googling those hieroglyphic processes gets generic info, with the
> proviso to 'Beware', that at some time in the past (or perhaps in the
> future), some scumbag has (or will) cleverly disguise a piece of
> malware to use that processes' name to wreck havoc.
>
> Then there are the demands from known legitimate MS processes, like
> Windows Explorer and others, to access the Internet.  I have not found
> a good explanation as to why any of these processes 'have' to access
> the Internet, without the same proviso, 'Beware', scumbags have found a
> way to infiltrate those hallowed processes with malware also.
>


    That's easy to handle.  First of all, only allow outbound access to
named applications, such as iexplore.exe (Internet Explorer), msimn.exe
(Outlook Express), and any other applications that you know need
Internet access.  For the anonymous processes, simply block them all.
If that causes some application to stop working properly, it'll tell
you.  If an application or process asks to "act as a server," deny it.



> Wish there were a simple, easily configured solution to block the work
> of those malware scumbags, but if there were, there would probably be a
> lot of geeks standing in soup lines around the world.  Those who create
> malware, and those who create malware defenses.
>
> I wonder, is it possible that many of them are one in the same?
>


    ... A common and so far unsubstantiated conspiracy theory.  (Although I
wouldn't be awfully surprised if some security firms have subsequently
hired particularly creative hackers, on the premise that it takes a
thief to catch a thief.)


> Keep your computer connected Bruce, we need all of your expert advise
> and some of your flawed opinions.
>

    And I apologize for coming off as rudely as I did.  You managed,
through no fault of your own, to hit one of my pet peeves.  I have
little to no tolerance for people who steadfastly refuse to learn how to
safely use their computers, and then whine when they have problems.
While you didn't whine, you did seem (to me) to be playing the "I don't
know, and I shouldn't have to learn" card.

     My position:

    A computer is a tool, just like any other.  A user who doesn't know how
to safely use his computer (and perform basic maintenance on it) is no
better than a carpenter who can't safely use and maintain his power
tools.  Both are as dangerous to others as they are to themselves.

    There are five essential components to computer security:  a
knowledgeable and pro-active user, a properly configured firewall,
reliable and up-to-date antivirus software, and the prompt repair (via
patches, hotfixes, or service packs) of any known vulnerabilities.

     The weakest link in this "equation" is, of course, the computer
user. No software manufacturer can -- nor should they be expected
to -- protect the computer user from him/herself.  All too many people
have bought into the various PC/software manufacturers marketing
claims of easy computing.  They believe that their computer should be
no harder to use than a toaster oven; they have neither the
inclination nor the desire to learn how to safely use their computer.  All
too few people keep their antivirus software current, install patches
in a timely manner, or stop to really think about that cutesy link
they're about to click.

     Firewalls and anti-virus applications, which should always be used
and should always be running, are important components of "safe hex,"
but they cannot, and should not be expected to, protect the computer
user from him/herself.  Ultimately, it is incumbent upon each and
every computer user to learn how to secure his/her own computer.



--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
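An added example, not code from any poster in this thread: a small Python model of the two behaviours discussed above. `StatefulInboundFirewall` stands for the WinXP SP2 firewall as Bruce describes it (outbound never inspected, inbound allowed only when it matches state created by an earlier outbound packet); `AppAwareFirewall` adds the policy he gives in this post (outbound only for named images such as iexplore.exe and msimn.exe, everything else blocked and alerted). The process names, ports and addresses are constructed, `hidden.exe` is a stand-in for an unknown program, and the idea that a firewall can see which image owns a socket is an assumption of the model. The last scenario shows the limit B. Nice raises later in the thread: a beacon sent from inside an already-trusted process is indistinguishable from legitimate use under a per-application rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One packet as a host firewall sees it (constructed for this model).
    'process' is the image name owning the socket; that a firewall can see
    it is an assumption of the model, not something carried on the wire."""
    kind: str        # "out" = outbound packet, "in" = inbound packet
    proto: str       # "tcp" or "udp"
    local_port: int
    remote: str      # "ip:port" of the far end
    process: str


class StatefulInboundFirewall:
    """WinXP SP2 behaviour as described in the thread: outbound packets pass
    without inspection and create state; an inbound packet passes only if
    it matches state created by an earlier outbound packet."""

    def __init__(self):
        self.state = set()
        self.log = []

    def decide(self, ev):
        key = (ev.proto, ev.local_port, ev.remote)
        if ev.kind == "out":
            self.state.add(key)       # a Trojan's beacon opens the door ...
            verdict = "ALLOW"
        else:                          # ... and its reply walks through it
            verdict = "ALLOW" if key in self.state else "BLOCK"
        self.log.append((ev.process, ev.kind, verdict))
        return verdict


class AppAwareFirewall(StatefulInboundFirewall):
    """Adds per-application outbound control: only named images may send.
    An unknown sender is blocked and alerted before any state exists, so
    the reply to it is blocked as well."""

    def __init__(self, allowed_out):
        super().__init__()
        self.allowed_out = frozenset(allowed_out)
        self.alerts = []

    def decide(self, ev):
        if ev.kind == "out" and ev.process not in self.allowed_out:
            self.alerts.append(f"{ev.process} -> {ev.remote}/{ev.proto}")
            self.log.append((ev.process, ev.kind, "BLOCK"))
            return "BLOCK"
        return super().decide(ev)


def run(fw, events):
    """Feed events through a firewall and return the verdict for each."""
    return [fw.decide(ev) for ev in events]


# Constructed scenario: the browser fetches a page, then an unknown program
# ("hidden.exe", a stand-in name) beacons out and the remote host answers.
BEACON = [
    Event("out", "tcp", 1034, "203.0.113.5:80", "iexplore.exe"),
    Event("in", "tcp", 1034, "203.0.113.5:80", "iexplore.exe"),
    Event("out", "tcp", 1051, "198.51.100.7:6667", "hidden.exe"),
    Event("in", "tcp", 1051, "198.51.100.7:6667", "hidden.exe"),
]

# Constructed caveat: the same beacon sent from inside an already-trusted
# process (code injected into the browser) looks like ordinary browsing.
INJECTED = [
    Event("out", "tcp", 1052, "198.51.100.7:6667", "iexplore.exe"),
    Event("in", "tcp", 1052, "198.51.100.7:6667", "iexplore.exe"),
]

ALLOWED = {"iexplore.exe", "msimn.exe"}   # the named programs from the post


def compare(events=BEACON):
    """Run the same events through both models and return their verdicts."""
    xp = StatefulInboundFirewall()
    pf = AppAwareFirewall(ALLOWED)
    return {
        "inbound_only": run(xp, events),
        "app_aware": run(pf, events),
        "alerts": pf.alerts,
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
    print("injected", run(AppAwareFirewall(ALLOWED), INJECTED))
```

The inbound-only model lets all four beacon packets through, because the beacon itself created the state its reply needed. The application-aware model blocks the beacon and, since no state was ever created, the reply as well, and records the alert the original poster asked for. Running `INJECTED` through the same policy returns two ALLOW verdicts: that is the point about outbound control being unreliable once malware rides inside a trusted image.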
Author
11 Aug 2006 11:40 AM
SPAM ME
Bruce Chambers wrote:

>     And I apologize for coming off as rudely as I did.  You managed,
> through no fault of your own, to hit one of my pet peeves.  I have
> little to no tolerance for people who steadfastly refuse to learn how to
> safely use their computers, and then whine when they have problems.
> While you didn't whine, you did seem (to me) to be playing the "I don't
> know, and I shouldn't have to learn" card.

Just an old, and I do mean 'old', penchant of mine when trying to learn
something new or solve a pesky problem, getting a number of smart
people to tell me how much they know about a subject, versus my telling
them how much I do or don't know.  I've found out I learn a whole lot
more by listening to smart people, than talking to them.  These NGs
have a lot of bright people with a wealth of knowledge and information,
who are interesting, as well as entertaining, to read.  There are also
some here whose parents must have done a bellyflop into the gene pool.

BTW, I do have an older version of ZA protecting a Win98 machine (setup
exactly the way you suggested), and it's on-line 24/7, going to a lot
of weird places, with no problems what-so-ever.  However, the recent
version of ZA, combined with the myriad of XP processes, caused me to
back-off ZA and seek some wisdom.  Thank you for taking the time to
respond.

That said, B. Nice does make a good point about the futile effort of
trying to 'control' malware with an outbound firewall, and the false
sense of security that can give naive users.  I look at an outbound
firewall as an alert mechanism, it may not block a persistent malware
app from communicating, but it does let me know that something slipped
past my best efforts to stop it, it is now inside, trying to get out,
and I've got S&D work to do, immediately.  Not all bad.
Author
11 Aug 2006 11:48 AM
SPAM ME
SPAM ME wrote:

> I look at an outbound
> firewall as an alert mechanism, it may not block a persistent malware
> app from communicating, but it does let me know that something slipped
> past my best efforts to stop it, it is now inside, trying to get out,
> and I've got S&D work to do, immediately.  Not all bad.

In fact, Bruce, that's what you said.  See, I was listening.
Author
11 Aug 2006 12:07 PM
B. Nice
On 11 Aug 2006 04:40:22 -0700, "SPAM ME" <spambaitmeister@gmail.com>
wrote:

>I look at an outbound firewall as an alert mechanism, it may not
>block a persistent malware app from communicating, but it does let me
>know that something slipped past my best efforts to stop it,

How would you know that if your firewall doesn't tell you? ;-)

>it is now inside, trying to get out,
>and I've got S&D work to do, immediately.  Not all bad.
Author
11 Aug 2006 5:43 PM
No More Spam?
B. Nice wrote:
> On 11 Aug 2006 04:40:22 -0700, "SPAM ME" <spambaitmeister@gmail.com>
> wrote:
>
> >I look at an outbound firewall as an alert mechanism, it may not
> >block a persistent malware app from communicating, but it does let me
> >know that something slipped past my best efforts to stop it,
>
> How would you know that if your firewall doesn't tell you? ;-)


Hopefully, my updated AV, Spyware Blaster and Spy Sweeper would keep
them out, but if not, my weekly sweeps with SS&D, AdAware, Spy Sweeper
and AVG would find them.  If not, my PC will probably be toast.

Got any suggestions?
Author
11 Aug 2006 5:58 PM
B. Nice
On 11 Aug 2006 10:43:03 -0700, "No More Spam?"
<spambaitmeister@gmail.com> wrote:

>
>B. Nice wrote:
>> On 11 Aug 2006 04:40:22 -0700, "SPAM ME" <spambaitmeister@gmail.com>
>> wrote:
>>
>> >I look at an outbound firewall as an alert mechanism, it may not
>> >block a persistent malware app from communicating, but it does let me
>> >know that something slipped past my best efforts to stop it,
>>
>> How would you know that if your firewall doesn't tell you? ;-)
>
>
>Hopefully, my updated AV, Spyware Blaster and Spy Sweeper would keep
>them out, but if not, my weekly sweeps with SS&D, AdAware, Spy Sweeper
>and AVG would find them.  If not, my PC will probably be toast.

Okay, but you were explicitly saying that you looked at an outbound
firewall as an alert mechanism that would let you know if something
slipped past your best efforts to stop it - and now you are pointing
to all other kinds of products instead. That confuses me.

>Got any suggestions?

For what?
Author
11 Aug 2006 11:23 PM
SPAM ME
B. Nice wrote:
> On 11 Aug 2006 10:43:03 -0700, "No More Spam?"
> <spambaitmeister@gmail.com> wrote:
>
> >
> >B. Nice wrote:
> >> On 11 Aug 2006 04:40:22 -0700, "SPAM ME" <spambaitmeister@gmail.com>
> >> wrote:
> >>
> >> >I look at an outbound firewall as an alert mechanism, it may not
> >> >block a persistent malware app from communicating, but it does let me
> >> >know that something slipped past my best efforts to stop it,
> >>
> >> How would you know that if your firewall doesn't tell you? ;-)
> >
> >
> >Hopefully, my updated AV, Spyware Blaster and Spy Sweeper would keep
> >them out, but if not, my weekly sweeps with SS&D, AdAware, Spy Sweeper
> >and AVG would find them.  If not, my PC will probably be toast.
>
> Okay, but you were explicitly saying that you looked at an outbound
> firewall as an alert mechanism that would let you know if something
> slipped past your best efforts to stop it - and now you are pointing
> to all other kinds of products instead. That confuses me.

It must be me, B. Nice, because you don't seem to be the variety that
would be easily confused.

As I know you must know, the other kinds of products I was pointing to
are just the ordinary layers of malware defense and detection apps that
any prudent user employs, updates and has in place to protect their
system.

Also, as I think you would agree, none of these apps are perfect, so,
there is always the possibility that some scum will get in.  When it
does, hopefully, an outbound-blocking firewall would warn me, OR, if
things are running poorly, a scan of the FW log will show that
something else besides my trusted apps are talking about me with others
on the Internet.  That would prompt me to take action to find and quiet
that nasty thing.  If I can't find it by myself, I would probably be
back here asking for guidance from the experts, like Elephant Boy.
>
> >Got any suggestions?
>
> For what?

That reminds me of Bubba's response when the cop asked him if he had any
ID, "Bout wut?"

Any suggestions as to other measures I should take, other apps I should
use to improve my malware defenses, in addition to practicing Safe Hex.

Now, I'm sure you had another point you wanted to make, other than to
attempt to show me up as a novice, what was it?  I'm always eager to
learn new stuff.
Author
12 Aug 2006 6:49 AM
B. Nice
On 11 Aug 2006 16:23:04 -0700, "SPAM ME" <spambaitmeister@gmail.com>
wrote:

>
>B. Nice wrote:
>> On 11 Aug 2006 10:43:03 -0700, "No More Spam?"
>> <spambaitmeister@gmail.com> wrote:
>>
>> >
>> >B. Nice wrote:
>> >> On 11 Aug 2006 04:40:22 -0700, "SPAM ME" <spambaitmeister@gmail.com>
>> >> wrote:
>> >>
>> >> >I look at an outbound firewall as an alert mechanism, it may not
>> >> >block a persistent malware app from communicating, but it does let me
>> >> >know that something slipped past my best efforts to stop it,
>> >>
>> >> How would you know that if your firewall doesn't tell you? ;-)
>> >
>> >
>> >Hopefully, my updated AV, Spyware Blaster and Spy Sweeper would keep
>> >them out, but if not, my weekly sweeps with SS&D, AdAware, Spy Sweeper
>> >and AVG would find them.  If not, my PC will probably be toast.
>>
>> Okay, but you were explicitly saying that you looked at an outbound
>> firewall as an alert mechanism that would let you know if something
>> slipped past your best efforts to stop it - and now you are pointing
>> to all other kinds of products instead. That confuses me.
>
>It must be me, B. Nice, because you don't seem to be the variety that
>would be easily confused.
>
>As I know you must know, the other kinds of products I was pointing to
>are just the ordinary layers of malware defense and detection apps that
>any prudent user employs, updates and has in place to protect their
>system.

Yes, I know that's kind of like the "mainstream" way users are advised
to be working. I don't know if the word mainstream is the right one to
use. English is not my native language, so sometimes I make mistakes.
I hope you understand the meaning.

My position is this: If you need all these extra "protective layers"
it is basically because you are working in an insecure way. In which
case security apps won't be able to protect you properly. I normally
refer to it as "driving the highway like a madman surrounded by
airbags". It doesn't really solve the basic problem. And it is just a
question of time until you will get hurt.

Security requires you to take responsibility for what you are doing and
how you are using your computer. In that sense, I'm in line with
people like Bruce. But it's a way too serious issue to leave to
questionable software vendors to solve for you.

>Also, as I think you would agree, none of these apps are perfect, so,
>there is always the possibility that some scum will get in. 

Yes, if you are not aware of what you are doing, I agree.

>When it does, hopefully, an outbound-blocking firewall would warn me, OR, if
>things are running poorly, a scan of the FW log will show that
>something else besides my trusted apps are talking about me with others
>on the Internet. 

And that is where you are wrong. Malware is just using your already
trusted apps to get out. Furthermore, I wouldn't base a security
concept on hope ;-)

>That would prompt me to take action to find and quiet
>that nasty thing.  If I can't find it by myself, I would probably be
>back here asking for guidance from the experts, like Elephant Boy.
>>
>> >Got any suggestions?
>>
>> For what?
>
>That reminds me of Bubba's response when the cop asked him if had any
>ID, "Bout wut?"

Good one :-)

>Any suggestions as to other measures I should take, other apps I should
>use to improve my malware defenses, in addition to practicing Safe Hex.
>
>Now, I'm sure you had another point you wanted to make, other than to
>attempt to show me up as a novice, what was it? 

It wasn't my intention to show you up as a novice. If I left that
impression, I apologize. Normally my "try your best to be polite"
filter is turned on. Only towards overselling security software
vendors and "smart ass" consultants do I deliberately turn that off
:-)

>I'm always eager to learn new stuff.

That's a good basis.

Now, there are a few things I think you should know about computer
security.

* Small is beautiful
Within computer security, simplicity is generally good and complexity
is generally bad. That's for example why I don't like these big
"all-in-one" security suites. They really are awful - filled with all
kinds of unnecessary features, instead of concentrating on doing one
thing - and doing that reliably.

* Code is buggy
All computer software is buggy. Bugs lead to vulnerabilities that bad
guys can use to exploit.

* The more code - the more bugs - and the more vulnerabilities
It's very simple. If no code is running on your computer, there is
_nothing_ to attack. The more code is running, the more there is to
attack. Therefore one should strive for reducing what is running
instead of adding to it.

An example:
Your computer is providing network services (well known to be attack
vectors). Your computer is not on a network, so you don't need those.
To protect yourself, you then install a personal firewall.

Now, what you have done is to keep your existing vulnerabilities
running and adding further ones to it.
If you had instead disabled these services, you would be 100%
protected against attacks for these services.
That's why reducing stuff (reducing complexity) is better than adding
new stuff to protect existing stuff (increasing complexity).

If you have no services running, that are listening for network
traffic you can connect your computer directly to the internet just as
safely as if you were running a firewall offering inbound protection.
Then you would only be vulnerable to attacks from the outside that
would attack the lower levels like the TCP/IP stack itself - attacks
that one should not expect personal firewalls to block either.

Now this will not protect you from running other apps (including
malware) that start to listen. But that's where things like a good
anti-virus product AND most importantly, your brain, come into play.

* Use the least buggy software
When dealing with the internet you need apps that can stand the heat.
One of the main reasons for getting infected with stuff like ad-ware
is surfing with Internet Explorer in an insecure way. Internet Explorer
has a bad history of being buggy - and still has some serious issues.
An easy way to strengthen your security is to use another browser that
does not by default come with client-side scripting possibilities like
Microsoft's ActiveX. The same goes for using Outlook or Outlook Express
for e-mailing.

Now feel free to visit my web-site to get a broader idea of what I'm
saying. Read my rules. Understand them - and follow them. And if you
find it interesting, feel free to ask further questions. But in the
end do what fits your own habits the best.

http://home20.inet.tele.dk/b_nice/

As you of course also know, you shouldn't trust anybody on the
internet (including myself ;-) - you will find many people offering
good advice - but at the same time they might well be somehow in it
for the money. So the advice they give isn't always that neutral.

/B. Nice
Author
12 Aug 2006 12:24 AM
Bruce Chambers
SPAM ME wrote:
>
>
> Just an old, and I do mean 'old', penchant of mine when trying to learn
> something new or solve a pesky problem, getting a number of smart
> people to tell me how much they know about a subject, versus my telling
> them how much I do or don't know. 


    Not an entirely bad approach, but I'd think you'd have to sift through
a lot of repetition....


> I've found out I learn a whole lot
> more by listening to smart people, than talking to them. 


    A truism, if ever I heard one.  (One I need to practice a bit more,
sometimes.)


>
> That said, B. Nice does make a good point about the futile effort of
> trying to 'control' malware with an outbound firewall,


    Here, I'd have to vehemently disagree.  In the first place, the purpose
of an outbound firewall isn't to control malware; it's to control what
your computer sends to the outside world.  One of the beneficial side
effects is that it can alert one to the presence of certain types of
malware.  Secondly, even partial protection is better than none at all.


> ... and the false
> sense of security that can give naive users. 


    As I've repeatedly said, the most important component of computer
security is a knowledgeable and pro-active user.  *NO* software product
should ever be expected to make up for a user's intellectual laziness.
If a user wants to practice "security by faith," he pretty much deserves
whatever malware he gets.


> I look at an outbound
> firewall as an alert mechanism, it may not block a persistent malware
> app from communicating, but it does let me know that something slipped
> past my best efforts to stop it, it is now inside, trying to get out,
> and I've got S&D work to do, immediately.  Not all bad.
>

    Which has been precisely my point, all along.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
Author
12 Aug 2006 3:45 PM
B. Nice
On Fri, 11 Aug 2006 18:24:21 -0600, Bruce Chambers
<bchambers@cable0ne.n3t> wrote:

>SPAM ME wrote:
>> That said, B. Nice does make a good point about the futile effort of
>> trying to 'control' malware with an outbound firewall,
>
>
>    Here, I'd have to vehemently disagree.  In the first place, the purpose
>of an outbound firewall isn't to control malware;

Wrong. One of the main selling points of personal firewalls is exactly
the ability to stop malware from "phoning home", yes. (Please see
footnote [1]). And that means exactly "controlling what malware does".

> it's to control what your computer sends to the outside world. 

Which precisely covers primarily malware issues, but doesn't work
reliably. As soon as you have allowed e.g. your browser to connect,
you have provided a variety of ways for malware to connect without
being caught.

>One of the beneficial side effects is that it can alert one to the presence
>of certain types of malware.  Secondly, even partial protection is better
>than none at all.
>
>
>> ... and the false
>> sense of security that can give naive users. 
>
>
>    As I've repeatedly said, the most important component of computer
>security is a knowledgeable and pro-active user.

Agreed. So now please start educating them instead of throwing
personal firewalls at them.

> *NO* software product should ever be expected to make up for a user's
>intellectual laziness.

But please look at what vendors claim to provide. Arguments like
"complete security" and "total invisibility to hackers" is what I see
on vendors' web-sites. They are simply taking advantage of people's lack
of knowledge and are blowing smoke at them. Under normal
circumstances, I wouldn't bother too much. But this is about security,
g.. d.....

Furthermore you continue to neglect that there are many ways for
malware to connect out without the user being warned about it. That
has *nothing* to do with the intellectual laziness of users. It has to
do with unreliable or defective software. Software which doesn't do
what the vendor claims it does.

You cannot expect every computer user to be a techie who knows how to
"properly configure a firewall" - that's unfair. They don't know what
a firewall does - and have no intention to learn. They just want to be
protected while doing other, to them, more important things.

>If a user wants to practice "security by faith," he pretty much deserves
>whatever malware he gets.

Sorry, but you really are arrogant. You sound exactly like many IT
supporters who are convinced that users are wrong by default and that
every problem is a PEBKAC issue until proven otherwise.

/B. Nice


----
[1] Pasted from ZoneLabs web-site (the feature comparison chart).
About the features available in ZA free:

* Guards the network perimeter from inbound and outbound threats with
the world's #1 firewall

* Prevents spyware and other malicious programs from sending your
personal information across the Internet

* Automatically makes your computer invisible to anyone on the
Internet

* Protects your programs from malware
Author
11 Aug 2006 1:44 AM
Bruce Chambers
B. Nice wrote:
> On Tue, 08 Aug 2006 20:31:23 -0600, Bruce Chambers
> <bchambers@cable0ne.n3t> wrote:
>
>> If you don't know what you have installed on your own
>> computer, and don't know what each application is supposed to be doing,
>> please do us all a favor and disconnect the computer from the Internet.
>
> That's just ridiculous. If you know exactly what applications are
> running on your computer you have absolutely no need for a personal
> firewall at all.
>


    I see that reading comprehension isn't one of your strong suits.  I
said "If *you* don't know what *you* have installed...."  Where did I
even imply that unknown software couldn't get into the system without
the OP's knowledge.  That's precisely why a firewall that checks
outbound traffic is so essential.


> The OP stated that he suspected some hidden programs in his PC making
> outgoing connections. And you threw in your usual "install and
> properly configure a personal firewall" magic bullet completely
> ignoring the fact that outbound control is highly unreliable.
>


    It's no "magic bullet."  It's the best means of detecting unwanted outbound
network traffic there is.  How would you recommend the OP do it?  A
packet sniffer, perhaps?  A hardware firewall appliance on his home
LAN's perimeter?

    Oh, and one cannot ignore a "fact" that isn't a fact at all, but just
your unsubstantiated opinion.  Sure, personal firewalls are imperfect,
but the good ones, when properly used, most definitely aren't "highly
unreliable."  Not even close.


> If you cannot provide better advice than that, please do us all a
> favour and disconnect your computer from the internet.


    And your "Software firewalls that monitor outbound traffic aren't 100%
perfect so don't bother" is better advice?  Get real.  Even imperfect
detection is better than none whatsoever.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
Author
11 Aug 2006 2:04 AM
Leythos
In article <uM#OfeOvGHA.3***@TK2MSFTNGP03.phx.gbl>,
bchambers@cable0ne.n3t says...
> > If you cannot provide better advice than that, please do us all a
> > favour and disconnect your computer from the internet.
>
>
>     And your "Software firewalls that monitor outbound traffic aren't 100%
> perfect so don't bother" is better advice?  Get real.  Even imperfect
> detection is better than none whatsoever.

Bruce, B.Nice is part of the VB/SG group that believes nothing is good
for security and the only solution is to not use a computer, just read
their posts in the security groups some time.

Anyone that suggests anything running on the host PC is crucified on the
spot.

--

spam999free@rrohio.com
remove 999 in order to email me
Author
11 Aug 2006 8:18 AM
B. Nice
On Fri, 11 Aug 2006 02:04:07 GMT, Leythos <v***@nowhere.lan> wrote:

>In article <uM#OfeOvGHA.3***@TK2MSFTNGP03.phx.gbl>,
>bchambers@cable0ne.n3t says...
>> > If you cannot provide better advice than that, please do us all a
>> > favour and disconnect your computer from the internet.
>>
>>
>>     And your "Software firewalls that monitor outbound traffic aren't 100%
>> perfect so don't bother" is better advice?  Get real.  Even imperfect
>> detection is better than none whatsoever.
>
>Bruce, B.Nice is part of the VB/SG group that believes nothing is good
>for security and the only solution is to not use a computer, just read
>their posts in the security groups some time.

Thank you, Leythos - for giving me so many good laughs :-)

First of all, I'm not a part of any "group". My opinion was formed
long before I even knew about the ones you are referring to. My very
first posting to c.s.f. proves that - and is there for everyone to
find. But since you seem to be resistant to facts, I don't expect you
to bother go looking.

BTW, talking about "groups" - you seem to belong to the group of
people refusing to provide references for your claims. The proof of
that is freely available in the same group too for everyone to check.
That leaves you with no credibility.

I think we should just let people decide for themselves who they want
to listen to.

>Anyone that suggests anything running on the host PC is crucified on the
>spot.
Author
12 Aug 2006 12:28 AM
Bruce Chambers
Leythos wrote:
>
>
> Bruce, B.Nice is part of the VB/SG group that believes nothing is good
> for security and the only solution is to not use a computer, ....


    Then they should probably follow their own advice.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
Author
12 Aug 2006 4:49 AM
B. Nice
On Fri, 11 Aug 2006 18:28:42 -0600, Bruce Chambers
<bchambers@cable0ne.n3t> wrote:

>Leythos wrote:
>>
>>
>> Bruce, B.Nice is part of the VB/SG group that believes nothing is good
>> for security and the only solution is to not use a computer, ....
>
>
>    Then they should probably follow their own advice.

These "guys" never indicate anything like "not use a computer"- What
they are saying is: "Run only programs you trust". Which is actually
very good advice. Leythos just doesn't understand or doesn't want to
understand why that makes perfect sense.
Author
11 Aug 2006 9:07 AM
B. Nice
On Thu, 10 Aug 2006 19:44:03 -0600, Bruce Chambers
<bchambers@cable0ne.n3t> wrote:

>B. Nice wrote:
>> On Tue, 08 Aug 2006 20:31:23 -0600, Bruce Chambers
>> <bchambers@cable0ne.n3t> wrote:
>>
>>> If you don't know what you have installed on your own
>>> computer, and don't know what each application is supposed to be doing,
>>> please do us all a favor and disconnect the computer from the Internet.
>>
>> That's just ridiculous. If you know exactly what applications are
>> running on your computer you have absolutely no need for a personal
>> firewall at all.
>>
>
>
>    I see that reading comprehension isn't one of your strong suits.

Yup. Offensive talk and no arguments is what I get from you. That
doesn't surprise me.

>I said "If *you* don't know what *you* have installed...."  Where did I
>even imply that unknown software couldn't get into the system without
>the OP's knowledge.

Impressive spin attempt. I must applaud you on that :-)

> That's precisely why a firewall that checks
>outbound traffic is so essential.

And unreliable.

If you were serious you would know that malware is not something you
try to control. Therefore your first advice should have been about how
to get rid of it. Completely. Your next advice should have been about
how to prevent something similar to happen again.
Controlling malware that is already running is simply a silly idea.

>> The OP stated that he suspected some hidden programs in his PC making
>> outgoing connections. And you threw in your usual "install and
>> properly configure a personal firewall" magic bullet completely
>> ignoring the fact that outbound control is highly unreliable.
>>
>
>   
>    It's no "magic bullet." 

It certainly isn't. But you repeatedly use it as one.

>It's the best means of detecting unwanted outbound
>network traffic there is. 

No.

>How would you recommend the OP do it?  A
>packet sniffer, perhaps?  A hardware firewall appliance on his home
>LAN's perimeter?

A packet sniffer on a known clean machine in the network neighbourhood
is probably the only foolproof method. But of course that is no good
advice for the average user.

A good anti-malware product (a few maybe) is what should be
recommended for the average user. That isn't foolproof. But if such
programs cannot spot and clean it, don't expect that personal
firewalls will be able to spot its outgoing connection attempts.
If afterwards you still suspect something to be wrong, there really is
just one option: Flatten and rebuild.

>    Oh, and one cannot ignore a "fact" that isn't a fact at all, but just
>your unsubstantiated opinion.  Sure, personal firewalls are imperfect,
>but the good ones, when properly used, most definitely aren't "highly
>unreliable."  Not even close.

That's your opinion then. One only needs to visit
http://www.firewallleaktester.com/tests_overview.php and press the
"view results" button at the bottom to get an idea about how personal
firewalls in general perform as far as outbound connection control is
concerned. And remember, malware needs only one hole (therefore you
cannot use these results to make decisions about which one to choose
either). And what about the possibilities that leaktests have not yet
been written for?

What clever malware does is either check which firewall is running to
figure out the right way to get out, or simply try different methods
until it finds one that works. In the meantime your user feels safe,
because a connection attempt was blocked. What really happened was that
3 seconds later the malware succeeded using a different approach.

To make a clear statement: If you need outbound control, it is already
too late.

>> If you cannot provide better advice than that, please do us all a
>> favour and disconnect your computer from the internet.
>
>
>    And your "Software firewalls that monitor outbound traffic aren't 100%
>perfect so don't bother" is better advice?

Where did I say that?

> Get real.  Even imperfect
>detection is better than none whatsoever.

Actually you cannot argue like that. You are saying that adding a
detection method is good by definition. That's not necessarily true.
You have to consider all pros and cons of both options.
Author
7 Aug 2006 2:07 AM
Joe
You can also check out a handy utility built into XP called netstat.

Go to start, run, cmd
netstat /? and hit enter

More information here...
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx?mfr=true



"cfman" <comtech.***@gmail.com> wrote in message
news:Osf2sCbuGHA.324@TK2MSFTNGP06.phx.gbl...
> Can I prevent some unrecognized network communications which are
> originated from my PC from being initiated?
>
> I am suspecting that some hidden malicious programs in my PC are making
> outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?
>
> Ideally, if I set an option to block all outgoing traffic, whenever there
> is a software that wants to make outgoing traffice, the blocker will raise
> an alarm and let me know so I will be able to know where do these programs
> hide...
>
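Joe's netstat suggestion and B. Nice's earlier point about listening services both come down to the same defender's check: which processes are listening, and which are holding outbound connections the user did not expect. The script below is an added example, not code from any poster in this thread or from Microsoft. It parses the output of `netstat -ano` (the `-o` switch that adds the owning PID exists on Windows XP and later) and cross-references the PID against a process name map of the kind `tasklist` gives. The netstat text, the PID-to-image map, and the allowlist of trusted programs are all constructed for the example; the process names and addresses are hypothetical.

```python
# Constructed sample of `netstat -ano` output (not captured from a real host).
# TCP rows have a State column; UDP rows do not, which the parser must handle.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1054      203.0.113.5:80         ESTABLISHED     2220
  TCP    192.168.1.10:1061      198.51.100.20:6667     ESTABLISHED     3316
  TCP    [::]:3389              [::]:0                 LISTENING       876
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would report it (hypothetical).
SAMPLE_PIDS = {4: "System", 876: "svchost.exe", 1040: "svchost.exe",
               2220: "firefox.exe", 3316: "updater.exe"}

# Programs the user knows and expects to talk to the Internet (hypothetical allowlist).
TRUSTED = {"firefox.exe", "svchost.exe"}


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port); '*:*' gives ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano output into a list of dicts, one per socket."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields
        else:
            proto, local, foreign, pid = fields  # UDP carries no State column
            state = ""
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state, "pid": int(pid)})
    return rows


def listening_ports(rows):
    """Sockets accepting inbound traffic: TCP in LISTENING plus any bound UDP socket.
    Each entry here is a service the machine exposes; if it is not needed, B. Nice's
    advice is to disable it rather than firewall it."""
    return sorted({(r["proto"], r["local_port"]) for r in rows
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})


def untrusted_outbound(rows, pid_map, trusted):
    """ESTABLISHED connections owned by a process that is not on the allowlist.
    These are the candidates to investigate; an unknown PID is reported too."""
    flagged = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        image = pid_map.get(r["pid"], "<unknown>")
        if image not in trusted:
            flagged.append((image, r["pid"], r["foreign_host"], r["foreign_port"]))
    return flagged


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("Listening:", listening_ports(rows))
    for image, pid, host, port in untrusted_outbound(rows, SAMPLE_PIDS, TRUSTED):
        print(f"REVIEW: {image} (PID {pid}) -> {host}:{port}")
```

On a live system the text would come from `netstat -ano` and the PID map from `tasklist`; the allowlist is the part only the user can supply, which is the point both Bruce and B. Nice make in their different ways. Note the limit B. Nice raises in the thread: a process on the allowlist (here the browser) can still be carrying traffic on behalf of something else, and this check cannot see that.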
Author
7 Aug 2006 4:20 PM
MikeR
cfman wrote:
> Can I prevent some unrecognized network communications which are originated
> from my PC from being initiated?
>
> I am suspecting that some hidden malicious programs in my PC are making
> outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?
>
> Ideally, if I set an option to block all outgoing traffic, whenever there is
> a software that wants to make outgoing traffice, the blocker will raise an
> alarm and let me know so I will be able to know where do these programs
> hide...
>
>
The new Windows Live OneCare blocks outgoing traffic. It's very chatty tho,
which I don't care for.
MikeR