NAT Router
on 27.03.2007 17:53:42 by unknown
I have only one desktop computer that is used here.
I have looked at several software personal firewalls. They all for the
most part seem to be a joke.
Would I just be better off connecting this computer to a "NAT Router"
for its firewall protection.
Thanks for any and all help you can offer.
Re: NAT Router
on 27.03.2007 20:55:47 by _AnonCoward
"Tony" wrote in message news:9cfi03178975b8clqjd61064ggoelj7huf@4ax.com...
>I have only one desktop computer that is used here.
>
> I have looked at several software personal firewalls. They all for the
> most part seem to be a joke.
>
> Would I just be better off connecting this computer to a "NAT Router"
> for its firewall protection.
>
> Thanks for any and all help you can offer.
You don't need to think in terms of "either/or". I have an inexpensive
D-Link router between my cable modem and PC, and it has a firewall built-in,
which I have enabled. I still use a software firewall on the PC because I
like to be more aware of the outgoing traffic. The only time I've had a
Trojan on my PC I became aware of it because Agnitum's Outpost Firewall
flagged and blocked it.
Why do you feel software firewalls are a joke? The biggest problem with
them is they require users to make decisions - it can sometimes be hard to
identify applications requesting outbound connections even when you pay
attention and know what to look for. If the user just clicks "OK" every time
the firewall pops up a permissions request then the purpose is defeated, but
that's not the fault of the software.
Re: NAT Router
on 27.03.2007 21:26:24 by unknown
Post removed (X-No-Archive: yes)
Re: NAT Router
on 28.03.2007 01:24:02 by _AnonCoward
"Sebastian Gottschalk" wrote in message
news:56t9elF2ahtjmU1@mid.dfncis.de...
> Victek wrote:
>
>> You don't need to think in terms of "either/or". I have an inexpensive
>> D-Link router between my cable modem and PC, and it has a firewall
>> built-in, which I have enabled. I still use a software firewall on the
>> PC because I like to be more aware of the outgoing traffic.
>
> Why don't you use an appropriate tool instead?
> BTW, what has the router to do with that anyway?
I use a router/switch on my cable modem because I'm sharing the connection
across multiple machines. It just happened to have a firewall feature as
well, so I'm utilizing it. I'm sure that dedicated firewall appliances
(such as sonicwall) are far more capable, but I haven't felt the need for
one so far. I expect electronic threats to continue to get worse and I may
opt for a firewall appliance down the road. I don't have a philosophy
getting in the way.
>
>> The only time I've had a Trojan on my PC I became aware of it because
>> Agnitum's Outpost Firewall flagged and blocked it.
>>
>> Why do you feel software firewalls are a joke?
>
> You already stated it. You only became aware of a trojan horse because it
> was too stupid to adequately circumvent this Outpost thing, just like the
> other trojans on your computer did.
The fact that some malware can defeat personal firewall software doesn't
invalidate the software. Any form of security can be defeated given time
and resources, and probably will be. That's why all forms of hardware and
software security continue to evolve and improve. Can you be absolutely
certain that no form of malware exists (or ever will exist) that can get
past whatever you consider to be a "real" firewall? I don't see how you
could. And if some malware gets past the firewall, what then? I don't see
how having a software firewall installed on the host hurts anything, and it
just might help identify a problem as I've already experienced.
>> The biggest problem with them is they require users to make decisions -
>> it can sometimes be hard to identify applications requesting outbound
>> connections even when you pay attention and know what to look for.
>
> This is utterly bullshit. Legitimate applications don't require such a
> control, and for illegitimate applications the term "control" simply
> doesn't apply.
Of course legitimate applications don't require such control. The firewall
software simply "takes attendance". We get to see who's in the room and
decide if something doesn't belong. It's possible for malware to be visible
to the firewall, but if the firewall cannot identify it as a threat then it
falls to the user who also may not have the skill to identify it. I think
at least part of the solution for this problem is for software firewalls to
rely on signatures, just like antivirus and antispyware apps, to identify
applications.
>> If the user just clicks "OK" every time the firewall pops up a
>> permissions request then the purpose is defeated, but that's not the
>> fault of the software.
> If the trojan horse can click "OK" on the popup, the purpose is obviously
> defeated by design.
Without a doubt that's true. Software firewalls need to be "hardened" over
time to make it more difficult for malware to circumvent, or manipulate or
shut them down. All IMHO, of course.
Re: NAT Router
on 28.03.2007 01:39:35 by unknown
Post removed (X-No-Archive: yes)
Re: NAT Router
on 28.03.2007 03:25:30 by Gerald Vogt
Victek wrote:
> built-in, which I have enabled. I still use a software firewall on the
> PC because I like to be more aware of the outgoing traffic. The only
> time I've had a Trojan on my PC I became aware of it because Agnitum's
> Outpost Firewall flagged and blocked it.
And what did you do then? Did you reinstall the computer?
And why did you install the trojan in the first place, anyway?
Gerald
Re: NAT Router
on 28.03.2007 03:34:12 by Leythos
On Tue, 27 Mar 2007 11:53:42 -0400, Tony wrote:
> I have only one desktop computer that is used here.
>
> I have looked at several software personal firewalls. They all for the
> most part seem to be a joke.
>
> Would I just be better off connecting this computer to a "NAT Router"
> for its firewall protection.
>
> Thanks for any and all help you can offer.
The NAT Router is your first barrier and it's the best barrier, but, it's
the least of your needs. If you learn how to secure your computer the NAT
Router just helps when you make a mistake in security.
In most cases, the NAT router does a LOT better job than the Windows
firewall or the other firewalls because it's not going to allow you to
poke holes in it by accident and it won't allow applications running on
your computer to program it for holes unless you set up that function
yourself.
Once you get the NAT router the personal firewall solutions become candy.
--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)
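Added example, not part of any post in this thread: a simplified Python model of a NAT router's translation table, showing the behaviour the posts above rely on. Unsolicited inbound packets are dropped, replies to connections the PC opened are delivered, and the router lets any program on the PC connect outward because it sees only addresses and ports. The class, addresses and ports are constructed for illustration; real routers also track protocol state, expire entries and may offer UPnP.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Simplified model of a home NAT router's translation table (illustrative only)."""
    public_ip: str
    next_port: int = 40000                        # next free public port (constructed value)
    sessions: dict = field(default_factory=dict)  # entries created by outbound traffic
    forwards: dict = field(default_factory=dict)  # entries created only by the owner

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet out: map it to a public port and remember the peer."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, public_port)] = (lan_ip, lan_port, remote_ip, remote_port)
        return public_port

    def add_forward(self, proto, public_port, lan_ip, lan_port):
        """Explicit port forward: the 'hole' the owner sets up on purpose."""
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def inbound(self, proto, remote_ip, remote_port, public_port):
        """Return the LAN (ip, port) the packet is delivered to, or None if it is dropped."""
        session = self.sessions.get((proto, public_port))
        if session and session[2:] == (remote_ip, remote_port):
            return session[:2]  # reply to a connection the LAN host started
        # No matching session: delivered only if the owner forwarded this port.
        return self.forwards.get((proto, public_port))


def demo():
    """Run five constructed packets through the model and collect the outcomes."""
    router = NatRouter(public_ip="203.0.113.10")
    pc = "192.168.0.2"
    results = {}

    # 1. Unsolicited packet from the Internet: no session, no forward, so it is dropped.
    results["unsolicited"] = router.inbound("tcp", "198.51.100.7", 51515, 445)

    # 2. The PC opens a connection; the reply from that same peer is delivered.
    port_a = router.outbound("tcp", pc, 50001, "192.0.2.80", 443)
    results["reply"] = router.inbound("tcp", "192.0.2.80", 443, port_a)

    # 3. A different remote host aiming at the mapped port is still dropped.
    results["third_party"] = router.inbound("tcp", "198.51.100.7", 51515, port_a)

    # 4. A second program on the PC connects out. The router cannot tell programs
    #    apart, so this session is allowed exactly like the first one.
    port_b = router.outbound("tcp", pc, 50002, "198.51.100.99", 80)
    results["other_program_reply"] = router.inbound("tcp", "198.51.100.99", 80, port_b)

    # 5. Only an explicit forward lets unsolicited traffic reach the PC.
    router.add_forward("tcp", 8080, pc, 80)
    results["forwarded"] = router.inbound("tcp", "198.51.100.7", 51515, 8080)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} -> {outcome}")
```

Case 4 is why the router alone says nothing about which program on the PC is talking outward, the gap the outbound-monitoring argument in this thread is about.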
Re: NAT Router
on 28.03.2007 04:50:28 by "Mr. Arnold"
Tony wrote:
> I have only one desktop computer that is used here.
>
> I have looked at several software personal firewalls. They all for the
> most part seem to be a joke.
>
> Would I just be better off connecting this computer to a "NAT Router"
> for its firewall protection.
Well, in a way, because a NAT router, unlike a personal FW is not
running with the O/S. The PFW can be attacked just like the O/S can be
attacked.
http://www.wallwatcher.com/
>
> Thanks for any and all help you can offer.
You may want to spend a little more money and get a FW router that meets
the specs in the link for *What does a FW do?*
http://www.vicomsoft.com/knowledge/reference/firewalls1.html
I use a PFW on my laptop when it's not connected to my network. I have
no PFW(s) running on any MS machine or the Linux FW active on the
Linux machine, because I have a FW appliance that will meet those specs.
They have FW routers like Netgear's FR314 that's ICSA certified, and
other vendors do too, that will meet those specs in the link above.
Look at it this way, you pay for a PFW and then you have to keep
renewing it, possibly paying for the renew.
It all washes out in the long run on money spent if you know what I mean.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
Re: NAT Router
on 28.03.2007 05:08:50 by _AnonCoward
"Gerald Vogt" wrote in message
news:4609c409$0$15971$44c9b20d@news3.asahi-net.or.jp...
> Victek wrote:
>> built-in, which I have enabled. I still use a software firewall on the
>> PC because I like to be more aware of the outgoing traffic. The only
>> time I've had a Trojan on my PC I became aware of it because Agnitum's
>> Outpost Firewall flagged and blocked it.
>
> And what did you do then? Did you reinstall the computer?
>
> And why did you install the trojan in the first place, anyway?
>
> Gerald
I didn't intentionally install the Trojan. I only discovered after the fact
that it was on my computer. All that was necessary to remove it was run a
scan with "anti-Trojan" software (I don't remember specifically which one I
used), the same way you would use antivirus or antispyware to remove those
kinds of malware.
Re: NAT Router
on 28.03.2007 06:08:16 by Gerald Vogt
Victek wrote:
> "Gerald Vogt" wrote in message
> news:4609c409$0$15971$44c9b20d@news3.asahi-net.or.jp...
>> Victek wrote:
>>> built-in, which I have enabled. I still use a software firewall on
>>> the PC because I like to be more aware of the outgoing traffic. The
>>> only time I've had a Trojan on my PC I became aware of it because
>>> Agnitum's Outpost Firewall flagged and blocked it.
>>
>> And what did you do then? Did you reinstall the computer?
>>
>> And why did you install the trojan in the first place, anyway?
>>
>> Gerald
>
> I didn't intentionally install the Trojan. I only discovered after the
But you know how you got it? In most cases it is either something you
install or some updates you did not install.
> fact that it was on my computer. All that was necessary to remove it
> was run a scan with "anti-Trojan" software (I don't remember
> specifically which one I used), the same way you would use antivirus or
> antispyware to remove those kinds of malware.
What makes you think that it removed all malware from your computer? A
good malware comes in packages: the good stuff is well hidden somewhere
and knows how to circumvent the software firewall while it also has some
primitive malware bundled which may be detected quickly. The user thinks
the firewall blocks everything and the malware removal tool reports
something removed.
I guess you are using an AV and PFW and the trojan still got past all
this. Either you know that you have installed it with some software or
it must be fairly good to get past AV and PFW. Malware designed to get
past AV and PFW onto the computer will not be that easily detected except
for some part for diversion. The only really secure thing to do would be
to reformat the drive and reinstall windows.
Gerald
Re: NAT Router
on 28.03.2007 11:01:48 by unknown
Post removed (X-No-Archive: yes)
Re: NAT Router
on 28.03.2007 19:52:29 by unknown
On Wed, 28 Mar 2007 02:50:28 GMT, "Mr. Arnold" <"Mr.
Arnold"@Arnold.COM> wrote:
Thanks to all who replied it is appreciated.
A special thank you to "Mr. Arnold" for his reply and great links.
It's off to the drawing board.
Thanks again.
>Tony wrote:
>> I have only one desktop computer that is used here.
>>
>> I have looked at several software personal firewalls. They all for the
>> most part seem to be a joke.
>>
>> Would I just be better off connecting this computer to a "NAT Router"
>> for its firewall protection.
>
>Well, in a way, because a NAT router, unlike a personal FW is not
>running with the O/S. The PFW can be attacked just like the O/S can be
>attacked.
>
>http://www.wallwatcher.com/
>
>>
>> Thanks for any and all help you can offer.
>
>
>You may want to spend a little more money and get a FW router that meets
>the specs in the link for *What does a FW do?*
>
>http://www.vicomsoft.com/knowledge/reference/firewalls1.html
>
>I use a PFW on my laptop when it's not connected to my network. I have
>no PFW(s) running on any MS machine or the Linux FW active on the
>Linux machine, because I have a FW appliance that will meet those specs.
>
>They have FW routers like Netgear's FR314 that's ICSA certified, and
>other vendors do too, that will meet those specs in the link above.
>
>Look at it this way, you pay for a PFW and then you have to keep
>renewing it, possibly paying for the renew.
>
>It all washes out in the long run on money spent if you know what I mean.
>
>http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
Re: NAT Router
on 28.03.2007 19:56:34 by _AnonCoward
> What makes you think that it removed all malware from your computer? A
> good malware comes in packages: the good stuff is well hidden somewhere
> and knows how to circumvent the software firewall while it also has some
> primitive malware bundled which may be detected quickly. The user thinks
> the firewall blocks everything and the malware removal tool reports
> something removed.
>
> I guess you are using an AV and PFW and the trojan still got past all
> this. Either you know that you have installed it with some software or it
> must be fairly good to get past AV and PFW. Malware designed to get past
> AV and PFW onto the computer will not be that easily detected except for
> some part for diversion. The only really secure thing to do would be to
> reformat the drive and reinstall windows.
>
> Gerald
I continued to scan my system with different antivirus, antispyware and
anti-Trojan software and couldn't find additional problems. I also noted
that there were no more attempts by unknown software to establish outbound
connections. I guess it's possible that there was still malware on the
system, but I didn't think so for the above reasons, plus the computer
continued to be stable and normal in every perceivable way and that was good
enough for me.
As far as how the Trojan got on my computer, remember that firewall software
would not block it being downloaded. The only initial protection was
antivirus which apparently missed it, but that's not so unusual. It was a
few years ago when this happened and then it was the norm for antivirus
software to update only once or twice a week. That left a window of a few
days when new viruses (or Trojans) were invisible and could easily infect
systems. There's also the fact that even the best antivirus software does
not detect 100% of all viruses. That's why a multilayered defense is
necessary (and I think personal firewall software is one of those layers).
In the course of doing my job I have often had to clean computers that have
been infected with viruses/Trojans/spyware. It's been my experience that
the computers can be restored to normal functioning in most cases. A
combination of multiple antivirus and antispyware scans does a very good job
of removing malware. I only remember one case where the computer was so
badly infected it was unrecoverable. It got that way because the user
neglected to update the subscription for his antivirus - it hadn't had new
"signatures" for many months.
Re: NAT Router
on 28.03.2007 20:27:30 by unknown
Post removed (X-No-Archive: yes)
Re: NAT Router
on 29.03.2007 03:43:54 by Gerald Vogt
Victek wrote:
> I continued to scan my system with different antivirus, antispyware and
> anti-Trojan software and couldn't find additional problems. I also
Which only tells you that those programs don't know about any other
malware running on your computer. Any new malware is not detected by any
detection software until the software includes the signature for that
malware. If it is not a widespread malware chances are it will never be
detected. Someone has to locate the malware, extract the details and
send it to an antivirus, antispyware, ... company for analysis. And even
if someone did it is not sure it is added as signatures for malware
which is hardly seen in the wild would only slow the whole thing further
down.
> noted that there were no more attempts by unknown software to establish
> outbound connections. I guess it's possible that there was still
The problem is no outbound connections detected by the PFW does not say
anything about whether some malware sends something out or not. Just
like before it just tells you that the PFW could not detect it.
> malware on the system, but I didn't think so for the above reasons, plus
> the computer continued to be stable and normal in every perceivable way
> and that was good enough for me.
That's what a good malware is supposed to do. A keylogger can silently
run in the background without disrupting the system and only send
something out when there is other network traffic on the system. You
will hardly ever notice.
> As far as how the Trojan got on my computer, remember that firewall
> software would not block it being downloaded. The only initial
Yes, but why did you download it in the first place?
> protection was antivirus which apparently missed it, but that's not so
> unusual. It was a few years ago when this happened and then it was the
Did you submit it then to your AV company?
> norm for antivirus software to update only once or twice a week. That
Does it detect the malware now?
> left a window of a few days when new viruses (or Trojans) were invisible
> and could easily infect systems. There's also the fact that even the best
It is not "a few days". This is only true for the malware which spreads
quickly. For anything, that spreads slowly or strategically and is not
quickly noticed it can take weeks or months until someone found it and
submitted it for analysis.
> antivirus software does not detect 100% of all viruses. That's why a
> multilayered defense is necessary (and I think personal firewall software
> is one of those layers).
But no "layer" of this "multilayer defense" is able to protect the
computer against _you_! That's the problem. It is completely worthless
because you did install the malware in the first place, probably as
administrator on the computer. At the very moment it is running, in
particular as administrator user, all those "layers" collapse. A program
running on the computer can mess with the system in any way it likes. It
does not matter what kind of security software there is on the computer,
as the computer which is running the security software is compromised
thus you cannot tell whether or not the security software is still
running as intended even if it seems to be so.
> In the course of doing my job I have often had to clean computers that
> have been infected with viruses/Trojans/spyware. It's been my
> experience that the computers can be restored to normal functioning in
> most cases. A combination of multiple antivirus and antispyware scans
You said the malware must disrupt the system or the normal functioning
of a computer? A good malware, in particular a trojan, is only useful if
it is well hidden. But if someone is collecting some trojan computers
for a DDoS attack the trojan will just sit there and wait until the
signal comes. And something like a keylogger would not ever want to be
noticed if possible.
> does a very good job of removing malware. I only remember one case
> where the computer was so badly infected it was unrecoverable. It got
This should make you think! Why would it be unrecoverable? Why do you
think all the other computers were really recovered? The thing is: you
don't. All you know is that you did not use any tool which could find
something...
Gerald
Re: NAT Router
on 29.03.2007 17:28:23 by _AnonCoward
Gerald,
Yes, I can see how it's possible for malware to be virtually undetectable.
In that case, what strategy do you recommend to protect against it?
Re: NAT Router
on 29.03.2007 17:33:02 by unknown
Post removed (X-No-Archive: yes)
Re: NAT Router
on 29.03.2007 18:34:04 by Leythos
On Thu, 29 Mar 2007 15:28:23 +0000, Victek wrote:
>
> Gerald,
>
> Yes, I can see how it's possible for malware to be virtually undetectable.
> In that case, what strategy do you recommend to protect against it?
You have to follow security normal when using a computer, on or off the
net, and you need to make sure that you have apps/os patches that are
designed to secure your system.
Once a machine is compromised, the only true way to be sure it's cleaned of
malware is to wipe it completely and reinstall from known clean media in a
clean environment.
--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)
Re: NAT Router
on 29.03.2007 20:52:00 by _AnonCoward
"Leythos" wrote in message
news:1175186044_8311@sp6iad.superfeed.net...
> On Thu, 29 Mar 2007 15:28:23 +0000, Victek wrote:
>>
>> Gerald,
>>
>> Yes, I can see how it's possible for malware to be virtually
>> undetectable.
>> In that case, what strategy do you recommend to protect against it?
>
> You have to follow security normal when using a computer, on or off the
> net, and you need to make sure that you have apps/os patches that are
> designed to secure your system.
>
> Once a machine is compromised, the only true way to be sure it's cleaned of
> malware is to wipe it completely and reinstall from known clean media in a
> clean environment.
>
>
I agree, but how can you tell if the machine HAS been compromised by
undetectable malware?
Re: NAT Router
on 29.03.2007 20:56:34 by Leythos
On Thu, 29 Mar 2007 18:52:00 +0000, Victek wrote:
> "Leythos" wrote in message
> news:1175186044_8311@sp6iad.superfeed.net...
>> On Thu, 29 Mar 2007 15:28:23 +0000, Victek wrote:
>>>
>>> Gerald,
>>>
>>> Yes, I can see how it's possible for malware to be virtually
>>> undetectable.
>>> In that case, what strategy do you recommend to protect against it?
>>
>> You have to follow security normal when using a computer, on or off the
>> net, and you need to make sure that you have apps/os patches that are
>> designed to secure your system.
>>
>> Once a machine is compromised, the only true way to be sure it's cleaned of
>> malware is to wipe it completely and reinstall from known clean media in a
>> clean environment.
>>
>>
> I agree, but how can you tell if the machine HAS been compromised by
> undetectable malware?
Do you ask questions that can't be answered?
How can you detect something that can't be detected???? Come on.
If you have a machine that is/was compromised you know, or you would not
have determined it was compromised. Now, the proper way to clean it is to
wipe it, and do it in a clean environment with known clean media.
If you can't determine if your media is clean then get clean media.
Do you always run around in circles?
--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)
Re: NAT Router
on 29.03.2007 22:28:24 by _AnonCoward
"Leythos" wrote in message
news:1175194594_8567@sp6iad.superfeed.net...
> On Thu, 29 Mar 2007 18:52:00 +0000, Victek wrote:
>
>> "Leythos" wrote in message
>> news:1175186044_8311@sp6iad.superfeed.net...
>>> On Thu, 29 Mar 2007 15:28:23 +0000, Victek wrote:
>>>>
>>>> Gerald,
>>>>
>>>> Yes, I can see how it's possible for malware to be virtually
>>>> undetectable.
>>>> In that case, what strategy do you recommend to protect against it?
>>>
>>> You have to follow security normal when using a computer, on or off the
>>> net, and you need to make sure that you have apps/os patches that are
>>> designed to secure your system.
>>>
>>> Once a machine is compromised, the only true way to be sure it's cleaned
>>> of malware is to wipe it completely and reinstall from known clean media
>>> in a clean environment.
>>>
>>>
>> I agree, but how can you tell if the machine HAS been compromised by
>> undetectable malware?
>
> Do you ask questions that can't be answered?
>
> How can you detect something that can't be detected???? Come on.
>
> If you have a machine that is/was compromised you know, or you would not
> have determined it was compromised. Now, the proper way to clean it is to
> wipe it, and do it in a clean environment with known clean media.
>
> If you can't determine if your media is clean then get clean media.
>
> Do you always run around in circles?
I'm not asking the question frivolously, but only to point out what looks
like a "catch 22". It seems to me that when we acknowledge the possibility
of undetectable malware being present on the system we also have to
acknowledge the possibility of malware penetrating the system in an
undetectable manner. When we "follow security normal when using a computer"
(as you said) and take all reasonable precautions then it's very unlikely,
but it seems that we cannot be 100% certain. We can only do the best we can
and then not worry about it.
Re: NAT Router
on 30.03.2007 03:41:29 by "Mr. Arnold"
Victek wrote:
>
>
> I agree, but how can you tell if the machine HAS been compromised by
> undetectable malware?
You use the one tool that's being talked about in all three links, you use
the tools in the last link.
You go look for yourself from time to time to see what is running on the
machine.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx