BlackIce PC Security


bigc73542
November 20th, 2003, 09:37 PM
I received a free copy of BlackIce Pc Security and would like to know if anyone uses this program or knows if it is any good at what it does. I appreciate any responses you may post about this app.

sig
November 21st, 2003, 01:20 AM
It's reportedly an excellent IDS (Intrusion Detection System) and particularly good for those who run servers. As far as outbound monitoring and blocking, although BI has program component control, some users indicate it's still less than an ideal implementation and other software firewalls are preferable for the outbound stuff. It depends on your needs.

bigc73542
November 21st, 2003, 06:56 PM
I appreciate your response on this. I installed BI but I could not get it to stealth, so I took it out. I wanted to know if maybe I was doing something wrong, but I believe there are better apps for my needs. Thanks sig for your input, it is appreciated. ;)

mvdu
November 21st, 2003, 07:04 PM
Is it ok to use it with ZA Pro? Usually BlackICE will explain in more detail something that ZA stopped.

bigc73542
November 21st, 2003, 07:27 PM
I wouldn't think it would be a good idea to run two firewalls at the same time. They usually don't play nice together.

sig
November 21st, 2003, 07:35 PM
mvdu: Both BI and ZAP have changed so much I don't know how it is running them together. In the past ZA and BID frequently were used together without problems. I don't know how both "get along" with each other now. If they work OK together and you don't mind the additional resources used, I'd figure it's up to you if you want to use them both.

bigc: The stealth thing may just be a matter of tweaking the settings. Although for those running servers stealth is not that big of a deal, since the whole point is to be visible and reachable. An actual user could provide much more helpful info and assistance for anyone considering BI or just giving it a try. A number of BI users occasionally post at the Security Forum at dslr.com, but I don't recall if some post here also or if ISS (BI's vendor) has a forum of their own.

While BI is considered a very good IDS the average user might just prefer a regular software firewall like ZA, Outpost, etc. YMMV :)

subratam
November 21st, 2003, 07:41 PM
Sorry for just popping in here... but is Kerio 2.x ok? I am only using that, though I have ZA Pro and EZ Firewall in the kitty, but I'm not using more than one firewall at a time, so I didn't install them. Am I ok with Kerio?

bigc73542
November 21st, 2003, 08:11 PM
That is the reason I didn't keep it. I prefer to have a firewall that is less of a chore to config. I use this comp. for fun; the one at work is enough trouble without having it at home too. Since ISS bought Black Ice I understood that it had changed the program, which is why I didn't think it would run with another firewall. But it wouldn't hurt to try. Now my only problem is trying to figure out who to give the BlackIce to ???

mvdu
November 21st, 2003, 08:11 PM
Thanks - yes, they seem to be working fine together, but sometimes you don't notice a conflict. That's why I want feedback.

sig
November 21st, 2003, 08:28 PM
mvdu: yeah that's why you're often told not to run two firewalls together, but that's also the only way you'll find out if it works out ok or not on your specific set up. ;)

sig
November 21st, 2003, 08:53 PM
subratam: this is a thread about Black Ice, not Kerio. You really should not just drop into someone else's thread and ask about off topic issues. That's considered rude and is the kind of thing that moderators discourage in order to keep discussions on track. Manners aside, looking at it from a practical perspective, let's say someone is looking for a Kerio discussion: logically they would look for a Kerio thread, not a Black Ice thread. It's considered bad form to "hijack" a thread to another issue entirely.

As for your question, as I seem to recall you've already had at least two discussions, certainly at least one thread specifically regarding the Kerio firewall. If you have any more questions, consider posting them on those preexisting threads since your question is not new material. But I will respond here for expediency's sake:

Kerio 2 is a good rules based firewall but, as BlitzenZeus I believe told you before, it is not for people who are newbies and don't understand how rules based firewalls work. It takes more than just casual study to learn, understand and apply what one has learned to build a secure rules set. I concur with Blitz's previous recommendation that you instead use ZA or ZAP rather than a rules based firewall like Kerio. But you evidently did not care to take the considered advice Blitz gave you.

So I will add that when using a rules based firewall like Kerio the question should be not how good is the firewall, but how skilled and capable is the user at setting up a secure rules set? It is the user who determines how well the rules based firewall is able to protect the PC it is on.

After actually having used Kerio, if you still think that your protection primarily is provided by the firewall software, then IMO you've missed the point of a rules based firewall. You really should then use software that is designed to protect you without much if any effort on your part. And that would be a primarily application based firewall such as ZA or others, but not Kerio.

CrazyM
November 21st, 2003, 09:02 PM
Quote (bigc73542): "I installed BI but I could not get it to stealth, so I took it out. I wanted to know if maybe I was doing something wrong, but I believe there are better apps for my needs. Thanks sig for your input, it is appreciated. ;)"

Just out of curiosity, what was not stealth with BI?
As sig mentions, it could be just a configuration issue. I have not looked at BI in some time, but in the past changing some settings involved modifying some files. The backtracing options selected could also affect your system being stealth (if stealth is what you are after).

Regards,

CrazyM

mvdu
November 21st, 2003, 10:52 PM
So would you recommend I keep using BlackICE with it and just be attentive? I have a router, so I don't really need an IDS for inbound very much if at all - but IDSs give more detail as to what is affecting you. That's why I like it. I have a license for NPF 2004, and that has an IDS integrated, but I like ZAP more as a firewall. So I've been running BI with it.

mvdu
November 21st, 2003, 10:53 PM
BTW, BlackICE does not block pings. But you can learn how to block them here:

KB Article: How do I tell BlackICE to block Pings (ICMP)? (https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_sid=J3RVuYYg&p_lva=&p_faqid=1259&p_created=1025532299&p_sp=cF9zcmNoPSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTExJnBfcHJvZF9sdmwxPTMzJnBfcGFnZT0x&p_li=)

Edit: edited link/tags

bigc73542
November 21st, 2003, 11:28 PM
I tested BI at grc and PcFlank and it had quite a few ports open, not closed or stealth. I tried a few settings but it didn't change much. It is probably just my inexperience with BI. I will probably never know if it was me or the program because I don't plan to try it anymore. I am very happy with the EZ Armor AV and firewall that I am using now. It has a lot of settings if I really want to get that deep into it :) The best part is that it didn't cost anything to try it anyway.

subratam
November 22nd, 2003, 04:13 AM
Would just want to say....
I am sorry for posting an off-track topic... and I would have liked to answer sig's questions... but again I don't want to carry it on... and moreover this isn't the thread to go on... cya from here...
Take care y'all

Paul Wilders
November 22nd, 2003, 04:17 AM
subratam,

Quote: "Would just want to say....
I am sorry for posting an off-track topic..."

It's not that big a deal - happens to many on occasion. Let's conclude "lesson learned" and go on with life as usual ;)

regards.

paul

ellison64
November 25th, 2003, 05:28 PM
BI will give you complete stealth on the nervous and paranoid settings except ping ICMP, which can also be stealthed by editing the firewall.ini file (with notepad) with this line. Put it underneath [MANUAL ICMP ACCEPT]; this statement will block all ICMP Echo traffic for all IP addresses:

REJECT, 8:0, ICMP, 2001-10-15 00:01:00, PERPETUAL, 1000, unknown

ellison64
November 25th, 2003, 05:41 PM
Forgot to mention that port 113 ident is enabled by default but can be stealthed by opening advanced firewall settings and modifying the rule to reject rather than accept.

ChrisP
December 24th, 2003, 04:19 PM
I have used BlackICE for several years as my only firewall and love it.

Set it to paranoid and make the modifications to port 113 and you will be safe.

Even if you set it to trusting or cautious you should be OK as on these settings it closes the ports with any services running on them - and if it detects any hacker activity on other ports it will detect it and close them also.

Note: even if you modify the ini file as detailed earlier to reject pings, it will fail the test at pcflank - as the request for the ping will have come from your PC - but if you get someone else to ping you it will be stealthed.

I personally don't care about stealth.

I love BlackICE as it is easy to configure and works well with Windows Messenger - set it to trusting (you are safe in this setting) - and you can send and receive files and video etc.

You can also set trusted IPs - but if it detects any hacker activity in this trusted port range it will block it also. Cool!

Have a look at the usenet group for firewalls. A guy who posts there "Duane Arnold" knows loads about BlackICE and will help you out with any problems - a nice guy.

Hope this helps

ChrisP

bigc73542
December 24th, 2003, 08:07 PM
Thanks for the info. ChrisP :)

Chuck57
December 26th, 2003, 11:52 AM
I ran BI for a couple of weeks and removed it. I can't say that anything was wrong with it; I just didn't feel comfortable with it. I know that isn't much of a reason, but it's all I can give.

It was stealth on all the tests I ran and seemed to do the job. I guess it's a case of, the product just isn't for me.

Aggressor
December 26th, 2003, 06:04 PM
Don't intend to wreak any havoc here among BID fans, but I reckon they should be made aware of a most interesting (and alarming) piece of news by following this link (http://grc.com/lt/leaktest.htm).

I know, this must have occurred aeons ago, but the point is, if they could do this once to their customers, they could do it again... >:(

dom424
December 26th, 2003, 06:20 PM
I use BID once in a while when I get ticked at ZAP on my XP machine. Believe me, version 3.6cbz will drive you nuts if the application that wants out hasn't been okayed. Just don't have a trojan on board when you do a baseline scan.

bigc73542
January 3rd, 2004, 01:33 AM
Well it has been a while since my last reply on this post. But I did some research on BlackIce and went ahead and installed it again. This time I was a little more prepared to tweak it. I am sure it is stealth now, but I really can't confirm that because since the last time I had it installed I have added a wireless router, and that alone has a one hundred percent stealth hardware firewall. But I wanted the protection of the application protection app and the intrusion detection system. It seems to be working better with the right tweaks this time.

bigc73542
January 6th, 2004, 10:13 PM
Well I tried to give BlackIce a fair test. But in just three days it cut its own throat with me. It started by not allowing trusted apps to run. Then the next day it was blocking the resident AV scanner from working. I uninstalled McAfee thinking maybe they don't like each other. I tried Panda, PC-Cillin, AVK, NOD, and finally KAV. In each case it would refuse to let the AVs connect to the internet for updates. I shut down the application control and it still refused to allow any connections. Next I shut down the firewall along with the application control. To be able to update any AV or SpywareBlaster or SpywareGuard and A2 I actually had to uninstall BlackIce. I have a hardware firewall so I don't need a program that really sucks. For a personal firewall just to look for outbound malware I will just use Kerio 2.1.5; you just can't go wrong with it. I have a really shiny BlackIce CD with a year and a half of def updates if someone wants to do a little skeet shooting ;D

dom424
January 7th, 2004, 05:53 PM
When you installed it did you let it do a baseline scan? I never had problems like you are talking about. When I install a new app I will put it in install mode or something like that, and then after what I am installing is installed it comes out of that mode and then I let it update. Then it never asked about that app again unless it is updated. Every once in a while it will stop the BOClean update, but that is about all the trouble I have with it.

bigc73542
January 7th, 2004, 06:07 PM
It did a scan. I manually did the scan at least eight times, uninstalled and installed three times, but it is still a turkey and it has taken up all of my time I intend to let it. I appreciate the help but I am not going to mess around with it anymore.


Kerio 2.1.5

dom424
January 7th, 2004, 07:37 PM
I can understand your frustration. I get that way with ZAP on my XP computer. I think I have it fixed and then all of a sudden I am back to those TrueVector errors and constant reboots. ZAP never acts up on the 2k computer. Never.

I hope whatever firewall you decide to use serves you well with no problems.

bigc73542
January 7th, 2004, 09:29 PM
Fortunately there are a couple of good free ones that I have tried over the years that work well. I really like Kerio 2.1.5; I have never had a problem with it on any Windows OS. ;)

lycanusmaximus
January 19th, 2004, 08:56 PM
Last month I installed ZoneAlarm Pro to run along with my BlackICE PC Protection. They get along very well. But with one unique thing I noticed... ZAP was SO effective nothing got through to BI.
I mean NOTHING. I believe ZAP somehow set itself up as the outer layer defense, and BI the inner. Therefore nothing got through layer 1 for layer 2 to 'see'.
So, I uninstalled BI, and have been happily running ZAP since.
;D ;D ;D ;D

bigc73542
January 19th, 2004, 11:08 PM
That is the way I felt when I got a router with a hardware firewall. It didn't leave my software firewall much to do. I just kept it to filter outgoing, didn't want it to feel left out ;)

ChrisP
January 21st, 2004, 09:15 AM
If you run ZA with BI, ZA picks up alarms / blocks things first - as will any firewall other than Sygate (which blocks about 50% before BI does). I believe this is to do with the way BI and its IDS work - and the fact that BI picks things up after ZA does not in any way mean it is less effective.

As for the GRC reports on BI - Gibson has never liked BI and has never ever tested the latest version of it (he always uses a version which is several releases out of date) and he never configures it properly.

If you set BI to paranoid, run a baseline and block port 113 - it passes ALL leaktests, monitors all outgoing data for activity which is known to be dangerous (you can turn on packet logging to examine data later) and will alert you if a new application tries to execute, connect to the network or send any data. It also alerts you if any application has changed.

BI looks for activity which is dodgy and will not waste your time asking you if it is OK for each app to connect to the net. (It has even notified me when I have had a "dummy worm" emailed to me to test my email security) - cool eh!

As I said in my earlier post, I have used BI for ages now and I'm happy with it as it does its job silently and does not irritate me by asking me questions all the time. Having said that, I'm not naive enough to think any software firewall is 100% secure - since the OS it sits on and interfaces with is itself insecure. If security was that important to me I would plumb in a NAT router to work with BI - but I'm not that bothered.

Security for me is a cost/benefit or risk analysis problem - I'm fairly sure my BI and other security measures are tough enough to keep the vast majority of hackers out - since I'm just your average bloke on the net and not some corporation.

CrazyM
January 22nd, 2004, 01:09 AM
Quote (ChrisP): "As for the GRC reports on BI - Gibson has never liked BI ..."

Actually there was a time when BID was one of the greatest things since sliced bread on the GRC site. That was before ZA and most of the current software firewalls that are available today.

Regards,

CrazyM

ChrisP
January 22nd, 2004, 09:22 AM
Possibly, but now he has stated that he has no interest in hearing anyone's point of view on BI if it is different from his - particularly when it has been pointed out that he always tests an old version and never configures it properly.

Anyhow, the leaktest business was the reason I made my previous comment. I have tested BI and it passes all leaktests when application protection / communication protection is turned on.

mvdu
January 23rd, 2004, 08:51 PM
I can't get BlackICE to pass the PCAudit leaktests - link is http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/test.html

Does it make a difference if the setting is on Paranoid?

ChrisP
January 24th, 2004, 03:24 AM
All you need do is have a clean system and run a baseline and ensure application protection is turned on.

I have tested the leaktest you mention and it is detected by BI.

Once a baseline has been run BI will detect ANY (including trojans) new application which tries to run. It will detect any modifications to any application also.

On my system, I do a fresh OS install etc. I then delete any junk files etc, then do an Ad-Aware, F-Secure, SpyCop & TauScan scan - which should mean my PC is clean - then I do a baseline with BI and turn on application protection / communication protection. After I have done this, any new programme which even tries to run is picked up by BI. BI will then ask you what you want to do. If you allow it to run there is a good chance BI will also then detect it trying to connect to the network and ask you if you want it to do this. BI uses "fingerprints" of what it knows to be dangerous communication - a bit like an AV uses a database to scan for viruses. It looks at the packets of data entering and leaving your PC and if it detects anything which it thinks looks dangerous, it will block it. In some cases if you tell BI to let a new app run (ie a leaktest) it won't always alert you to it sending data - for 2 reasons. Firstly, it will look at the data being sent and if it does not fit its definition of being dangerous then it will allow it to be transmitted. Secondly, if you have told BI that the application is trusted - it will trust it, as any information it sends will not be classed as unsolicited. (BI will block any unsolicited request for info etc from outside the PC - this is why, even after modifying the firewall.ini file to reject pings, BI fails the ping stealth test at PC Flank - as the request for the ping came from the PC itself. If you get someone else to ping you, you will be stealthed - as in that case the request for the ping was unsolicited and from an unknown external location.)

Anyhow, since these leaktests are harmless, BI will not have their signature added to its "fingerprint" database (however, they did add the fingerprint of Gibson's first leaktest so it blocked it - he got all upset and tried to slag BI off) - but it will pick up other nasties.

For example - BI even picks up nasty code on websites - which is designed to compromise a system - as, like I say, it looks at every single packet of data entering and leaving your PC - so will detect things like that.

I feel the main advantage of the way BI behaves is that it is like a doorman/bouncer - it examines what is coming in and going out - even on a port which is open or an application which is allowed. It will detect most behaviour which is dangerous - whereas other basic firewalls like ZA etc will allow any communication with a trusted port or app - these firewalls don't have the ability to see what is dangerous. EG - I use Windows Messenger lots as I have family all over the world. In order to use video etc, I can "allow" say my sister's IP address via BI. Even on this allowed address BI will block any hacker activity.

Anyhow, I know people seem to get attached to their firewalls, so I guess you may as well stick to the one you use etc. I have used BI for years and have found it to be so easy to use; it never fails me, never wastes my time by asking me stupid questions and alerting me to things of no importance.

mvdu
January 24th, 2004, 01:55 PM
I ran the leaktest with what you said on, and BI recognizes the launching, but won't stop the test. What could I be doing wrong? I don't want to have to do a clean install just for the Leaktest.

ChrisP
January 25th, 2004, 08:42 AM
I honestly don't know if you are doing something wrong.

The point is that, as I said, if you have a clean system BI detects any new app when it runs - so you are safe.

When I ran it BI first alerted me to the new application, so I allowed it to run, then BI popped up with several alerts asking me if I wanted (I don't remember their names) various other applications to access the network. I guess this is because the test uses DLL injection or whatever it is called and was using these apps to try and sneak out.

Are you using the latest version of BI? Version 3.6 cbz is the latest.

Ensure on the "Application Protection" tab, you have both "Enable Application Protection" and "Protect Agent Files" boxes ticked. On the "Communication Control" tab tick the box for Application Control.

Anyhow, the truth of the matter is that BI will protect you from any trojan etc if you run a baseline on a fresh clean system.

With any firewall, once you trust an application you cant be sure what it is sending - but at least with BI you can turn on packet logging and see exactly what any app has sent and to where.

If you look under "Advanced Application Protection Settings" you will see a list of all the known apps on your system. Here (the black triangles) you can block any app from running and/or from communicating with the network.

These leaktests should be taken with a pinch of salt, I feel. If you are a home user with a good AV, Ad-Aware scanner, AT etc you should be 99.9% safe. The truth of the matter is that if someone out there wants to hack you they will do it via some trojan or bit of spyware. So a firewall is just part of the solution.

Hope this helps.

mvdu
January 26th, 2004, 01:28 AM
I have the latest version, so I guess I need a fresh system - and I can't do that right now. I still feel better when the LeakTests are stopped. I have a router, so my software firewall mainly blocks outbound.

mvdu
January 29th, 2004, 05:11 PM
BTW, I'm running BlackICE with ZAPro, because BlackICE covers some of ZAP's weaknesses. Should BI's application control be turned off?

gkweb
January 29th, 2004, 06:50 PM
BI, as well as System Safety Monitor and Abtrusion Protector, is a kind of sandbox with an IDS in addition; in no way does it "pass" leaktests, it simply blocks them.

The day you mistakenly allow something to run and your firewall is bypassed, you will see the difference between "passing" and "blocking" a leaktest.

Anyway I don't say BI is bad, it is probably fairly good, but personally I like SSM. Oops, ok, this thread is about BI only, sorry :)

ChrisP
January 30th, 2004, 06:18 AM
The advantage BI has over other software firewalls is that it looks inside the packets being sent - whereas other firewalls don't.

I have tried many software firewalls but felt unsafe with them. Eg - they all seem to ask that a user gives an application "trusted" status etc - thereafter that application will be able to communicate with the network - so how do you know that at some point that application won't try to send something bad or be used by a trojan to send data? - the answer is you don't - and your firewall won't save you as it will just let that app do what it wants. BI would save you as it does not just blindly trust any app - it will still look in detail at what each application is actually sending and receiving - and if it thinks it is dodgy it will block it.

I use Kazaa Lite and when that is running BI blocks hundreds of hacks every hour - whereas a normal firewall will not, as it does not know what is going on.

This demo at the BI website explains what I'm talking about.
http://blackice.iss.net/demo.php

gkweb
January 30th, 2004, 07:27 AM
A firewall is a firewall.

Software watching inside packets isn't a firewall but an IDS.

Quote (ChrisP): "I have tried many software firewalls but felt unsafe with them. Eg - they all seem to ask that a user gives an application "trusted" status etc - thereafter that application will be able to communicate with the network - so how do you know that at some point that application won't try to send something bad or be used by a trojan to send data? - the answer is you don't"

Don't talk about something you don't know.

I can.

Many firewalls detect and block software _hijacking_; apparently you can't imagine that, but fortunately it exists and is common among firewalls. For instance many firewalls block the "Tooleaky" leaktest while it is trying to use a fully trusted IE.

Maybe you should stay focused on BI.

ChrisP
January 30th, 2004, 08:19 AM
Quote (gkweb): "A firewall is a firewall."

Agreed!

Quote (gkweb): "Software watching inside packets isn't a firewall but an IDS."

Again, I agree. BI however, as most people know, has an IDS combined with a firewall.

Quote (gkweb): "Don't talk about something you don't know.

I can."

That is self evident!

Quote (gkweb): "Many firewalls detect and block software _hijacking_; apparently you can't imagine that."

Nothing I have said here can justify your statement. What I have said is that in addition to offering the usual firewall operations, BI will continually inspect the data being sent by a trusted app/IP address/IP range/port range, looking for known hacking activity, worm-like activity etc - most firewalls do not.

Quote (gkweb): "but fortunately it exists and is common among firewalls. For instance many firewalls block the "Tooleaky" leaktest while it is trying to use a fully trusted IE."

My point earlier in my reply to mvdu was that BI blocked the leaktest he mentioned as it picked up the fact that it was trying to communicate via other apps.

Quote (gkweb): "Maybe you should stay focused on BI."

And perhaps you should be less arrogant and rude. This forum is here so that people can exchange ideas, offer advice and give support. It is not here for people to be insulting and try to start arguments, simply because someone says something you don't agree with.

Paul Wilders
January 30th, 2004, 08:37 AM
Gents,

In order to keep this board a friendly place for all, please pick your wording carefully. One can express an opinion in a respectful way - and disagree on the contents at the same time.

regards.

paul

gkweb
January 30th, 2004, 09:36 AM
I am not rude, but try to understand me:

each time I say that leaktests are meant to show vulnerabilities of firewalls, people answer me that their sandbox "passes" them.

That was my main point, and I am sorry if you thought that I am against any idea sharing; I am fully for that, and I think that many posts on this forum show that.
But should it mean that each time I see an idea that is not fully true I should say nothing?

Again sorry if you took it personally, I just wanted to distinguish a firewall from an IDS and a sandbox (BI seems to be all of those).

ChrisP
January 30th, 2004, 09:51 AM
No worries.

This link provides an explanation as to what BlackICE is.

http://www.iss.net/security_center/advice/Support/KB/q000025/default.htm

I have used BI for many years now and therefore I'm comfortable with the way it works - however, I can fully understand that the users of normal software firewalls will find BI strange when they try it (if a trial is available? - I think one is somewhere). The link above will help non-BI users see how it works.

Anyhow, as I have said before, I personally don't think any software firewall would stand up against a real serious hacker with serious backup. However, I would be interested to see some serious tests done on a bunch of the main firewalls to see how they stand up to hack attempts - and I mean a complex set of attacks that a hacker may use - any takers for this - or any links to tests which have been done?

gkweb
January 30th, 2004, 10:08 AM
Quote (ChrisP): "Anyhow, as I have said before, I personally don't think any software firewall would stand up against a real serious hacker with serious backup."

Totally agree :)

Quote (ChrisP): "However, I would be interested to see some serious tests done on a bunch of the main firewalls to see how they stand up to hack attempts - and I mean a complex set of attacks that a hacker may use - any takers for this - or any links to tests which have been done?"

If you want a very simple thing that bypasses sandboxes and firewalls (maybe IDS too, I don't know), just read this
http://www.wilderssecurity.com/showthread.php?t=20437

I have tried it and it is really scary, I think.

If you want a set of tests of "firewalls against leaktests", the link in my sig has many.

I am writing something I hope to publish soon on my website, but as a quick answer I would just say that a firewall is just a security tool among others, and like you said, alone it can't fight and win against everything.

ChrisP
January 30th, 2004, 10:30 AM
I think I tried the test you mean. I downloaded it and opened it - and it tried to activate - but BI popped up its application protection with the message "ntvdm.exe (my pics.folder.malware.exe) You can either terminate the programme or allow it to continue". I allowed it to run and then it stuck some flames up within IE. I guess it did not try to connect to the network?

gkweb
January 30th, 2004, 12:16 PM
I didn't do this exploit so I don't know all its details, but I know that when you try to open the folder which in fact isn't a folder, executable code can execute and can be anything you can imagine, as well as a network connection.
This exploit normally displays a black HTML page within Explorer.

EDIT: the following line in the vulnerability description:

Quote: "If the 'folder' is an HTML-based file, Windows Explorer (on XP) will execute the file when viewed, extracted, or opened."

lets us suppose that depending on the OS the behaviour isn't the same.

(It works well, unfortunately, on my XP.)