
View Full Version : Outbound Application Filtering


bigc73542
April 2nd, 2005, 09:06 PM
XP's ICF is not much better than nothing in my opinion, for the simple reason that I don't think a firewall that doesn't filter outbound info is worth having on my machine. It is like having a car whose brakes only work in reverse. ZoneAlarm free would be a good start for a firewall; if they don't like it they can always change it later.

bigc

INTOXSICKATED
April 2nd, 2005, 09:20 PM
-{ Quote: "Xp's icf is not much better than nothing in my opinion for the simple reason that i don't think a firewall that doesn't filter outbound info is worth having on my machine." }-
my point exactly.

Diver
April 2nd, 2005, 09:24 PM
I totally disagree with this emphasis on outbound filtering. It isn't even a mainstream concept. It is one thing to have fun and experiment with firewalls and security applications. It is completely another to be making recommendations based on this outlook. Ask yourself if you were an IT professional responsible for 2000 workstations and your job depended on it, would you give this advice?

INTOXSICKATED
April 2nd, 2005, 09:56 PM
-{ Quote: "I totally disagree with this emphasis on outbound filtering. It isn't even a mainstream concept." }-
So, your whole basis of firewall security is to block anything from getting through in the first place? Furthermore, you're trusting Microsoft to do this for you? ::) What about viruses and malware that get through to your computer using legitimate programs? Once they get there, you're screwed if you aren't running other third-party programs to stop them from dialing out. And not that I know for sure, but I get the feeling that TrBot's auntie isn't running ProcessGuard or something else that could prevent this from happening.

Sorry Diver; either you've been under water too long with lack of oxygen, or you've been sniffin' glue.

bigc73542
April 2nd, 2005, 10:06 PM
Diver, your thoughts on not needing outbound protection and detection are a strange way of thinking for anyone that wants internet security to the best of their ability. But it is your computer and you can do as you wish with it. I have been in computer repair and security for many years and I would never suggest your way of thinking on firewalls to one of my customers.

bigc

mercurie
April 2nd, 2005, 10:11 PM
-{ Quote: "I totally disagree with this emphasis on outbound filtering. It isn't even a mainstream concept. It is one thing to have fun and experiment with firewalls and security applications. It is completely another to be making recommendations based on this outlook. Ask yourself if you were an IT professional responsible for 2000 workstations and your job depended on it, would you give this advice?" }-We are talking Auntie, not an IT professional in charge of 2000 workstations....Good grief Diver... it is one more heads up...why is this application asking for access to the net...no, request denied. Let me do an a-squared scan or whatever (free scanner)...and so on. Outbound alerts are another layer or method of protection. And as you learn you can set things up more to your liking or move on to more advanced setups. Sorry to disagree, but that's what makes the world go around I guess. :(

BlueZannetti
April 2nd, 2005, 10:31 PM
-{ Quote: "I totally disagree with this emphasis on outbound filtering. It isn't even a mainstream concept. It is one thing to have fun and experiment with firewalls and security applications. It is completely another to be making recommendations based on this outlook. Ask yourself if you were an IT professional responsible for 2000 workstations and your job depended on it, would you give this advice?" }-Diver,

The simple answer is no, for a couple of reasons. The primary ones being:
The personnel at those 2000 workstations really shouldn't be freely surfing the net going who knows where.
IT has likely implemented some domain-level measures which enforce policies on these workstations to limit some of the more serious issues.
IT should have implemented a site-level content filter or URL blocking system to inhibit the less inhibited surfers.
These workstations are for work. The range of applications on them and their need to access the internet are rather limited.
The fact of the matter is that a properly administered commercial LAN is a rather civilized cyber-environment with domain-level protections and people trained to properly configure them. A single or handful of home PCs are akin to naive city dwellers wandering around the seediest frontier towns in the American wild west days of the 1800s. They might need an extra hand to notify and control who they're talking to and what they're saying.

It doesn't seem to be a difficult concept to me. By the way, on the commercial LAN I reside on at work - which has well over 2k workstations - mobile laptops which can go off domain and connect through a broadband-based VPN are configured precisely this way. They always have a local firewall. Most of the users probably don't have a clue regarding outbound communication control, but it is there in that selected case for rather obvious reasons.

If I asked an IT professional for advice, I'd hope that they consider the target environment and needs and not necessarily provide the specifications for the solution they've implemented at work.

I do agree with one aspect of your perspective: outbound filtering is generally not required in general usage. However, it can provide early diagnostic signals of something going astray and can be used during detailed diagnosis of system problems arising from malware infections. In this context, it is much easier if it is already present and running. Under circumstances where this possibility is heightened, a software firewall with outbound filtering capabilities is a very desirable (though I'll grant, not absolutely required) measure.

Blue

Diver
April 2nd, 2005, 10:44 PM
-{ Quote: "Diver your thoughts on not needing out bound protection and detection is a strange way of thinking for anyone that wants internet security to the best of their ability. but it is your computer and you can do as you wish with it. But I have been in computer repair and security for many years and I would never suggest your way of thinking on firewalls to one of my customers.

bigc" }-

Actually, the concept that you must put a lot of effort into catching a trojan by its outbound communication after it has installed itself on your computer is a strange way of looking at internet security. I just guess that I am as strange as James Grant (developer of Conseal and 8Signs) and Stephan from CHX-1 and every enterprise firewall out there, and Microsoft. MS decided to do their firewall the way they did because they wanted everyone to use it. Anyone that thinks outbound filtering is for the masses has lost touch with the average guy. Once someone has some technical ability it is very easy to forget the state of mind of those who do not.

Put yourself in the place of the other guy. Imagine you have 5000 workstations to look after and 4950 of them are being used by persons who have no idea of what to do when they get a firewall pop-up that says should I allow xyx to do...

How do they roll this out? Do they sit there at each computer and respond to the firewall alerts? Do they do it on one machine for a few days and roll out an image with that config and hope they tried everything? What happens when some secretary or lawyer or executive gets a firewall warning and everything stops while they call the help desk? Who gets fired?

It is very nice to play with outpost pro or Tiny as a hobbyist, but none of this stuff flies in the real world.

BTW, what do you mean by strange, or serious? You know, all this outbound filtering is easily defeated by a trojan that installs a communications driver to get around the firewall. See the post by Stephan on this; he discussed it with James Grant. Either that, or the firewall could be terminated.

Outbound app control is just part of a big marketing machine started by Zone Labs and enhanced by Steve Gibson.

And my final word: your AV has to miss it for any of this to make a whit of difference. You can say that is easy, but I have not seen it happen around here except once since the days of the 8086, and it was so obvious what had happened that application filtering would have made no difference.

Anyone who can answer all of those firewall pop-up warnings correctly is smart enough to avoid installing the trojan in the first place. I am getting tired of making this same argument over and over again. This application filtering thing has become a mantra and nobody even wants to think for themselves anymore.

bigc73542
April 2nd, 2005, 10:54 PM
But if there is a piece of malware that gets through my firewall along with a legitimate message or whatever and has the ability to send my private info out, and if there is any chance that a firewall with outgoing filtering might stop it, it is worth every bit of the minimal effort it takes to configure it or respond to a pop-up or two. And when we talk firewalls here on this forum it is almost always a single comp or possibly a home network with two or three comps on it, which is a lot different than a corporate environment with thousands of workstations that are usually maintained by the IT personnel anyway.

bigc

mercurie
April 2nd, 2005, 10:56 PM
I give up... based on Diver's last post I am not average and I might be a genius

Kerodo
April 2nd, 2005, 11:09 PM
I don't think you can make blanket statements about whether app control is needed or not. It all depends and boils down to your individual needs.. Some need it desperately, and some can do without it. Simple as that...

Arup
April 2nd, 2005, 11:17 PM
I have run Kerio 2.15 for years without app control but I have always emphasized using a good anti-virus; till now, my system's security has yet to be breached. Maybe I am just plain lucky, but I feel app controls take all the pleasure out of the PC; I don't need pop-ups when I am busy doing C++.

bigc73542
April 2nd, 2005, 11:24 PM
I believe that this thread has led to the conclusion that outbound filtering is, and probably will always be, a personal preference. Some people like the idea and some don't, so it all boils down to the one thing we all have, and that is the right to believe in what we think is right for ourselves. At least we had an active discussion and hopefully someone has learned something they didn't know at the start of the thread.

bigc

mercurie
April 2nd, 2005, 11:33 PM
That's right BigC. And I did learn something...there is no way I could head up an IT department; it would not matter if it had 2000 or 5000 workstations. I have a hard enough time being IT "professional" for two simple machines here. But if I got one machine working I've got help right here at Wilders 24/7 to fix the one not working, and I am sure most of you know more than the IT people at my place of business. ;) :) ;D

BlueZannetti
April 2nd, 2005, 11:36 PM
Although the discussion may seem a bit polarized, it's useful to have. Although I've come to a different conclusion than Diver, Diver's underlying message is one that is important to appreciate in advising or helping anyone.

There are two extreme possibilities - a user is completely frozen as to what to do with a firewall based pop-up, or they blithely click away with abandon, effectively rendering the firewall inoperative. Both extremes are obviously bad end results for any support staff.

Real users do lie between these two extremes. When I installed a firewall on my family PCs (Outpost Pro), I did do a few things that may make other Outpost users shudder. I disabled the component control feature - too many pop-ups that casual users wouldn't be able to intelligently handle. I simply assumed that they would approve any of these. I also ran through all the applications that would need Internet access immediately after the install to create all the needed application-based rules for their machines. These machines have now been in use with Outpost for about 18 months. In that time the total number of pop-ups that have required my input has been in the single digits for 4 machines. On each new application install that requires internet access (generally game or music applications), I helped with the install and made sure the application rule was created immediately. This occurred maybe eight times in that period.

If something unusual occurs they can either call me or allow/disallow the connection. Let's say they simply allow everything and this leads to problems. I still maintain that I'm going to have an easier time correcting that problem and understanding the issues with an outbound control firewall in place. It doesn't necessarily limit damage - it may - but it aids in the resolution.

In the best case one has good preventive communication control. In the worst case, the post-mortem following a problem is aided. Is that worth the trouble incurred? Reasonable people can disagree on that answer.

Blue

bigc73542
April 2nd, 2005, 11:39 PM
Most of the members are more than willing to jump in and give a hand if they can, and if they don't have the answer to a problem we have some very proficient search engine geeks here that can find almost anything.


bigc

mercurie
April 2nd, 2005, 11:47 PM
Now Blue there is a real good suggestion for helping set up a newbie. I will do just that when setting up Moms.

"I also ran through all the applications that would need Internet access immediately after the install to create all the needed application based rules for their machines." ;)

INTOXSICKATED
April 3rd, 2005, 12:32 AM
I just think outbound protection can be useful, especially for a newb. Most people who are unfamiliar with computers and how they work are more likely to open email attachments and respond to e-mails directing them to download something they have no business messing with. This can also be the case with children or teens who may be searching the internet 'for a good time' or downloading files from Kazaa. A firewall with only inbound protection would miss stuff that could be downloaded from a trusted application, like program registration hacks that are full of viruses and malware. In my thinking, I would imagine outbound protection would be more important than ever for a new or unfamiliar user. With a firewall like Outpost running, at least you may have the option to prevent malware from dialing out. As for pop-ups, the standard saying is to usually deny it if you're not sure what it is, and see what happens.

TrBot
April 3rd, 2005, 09:25 AM
-{ Quote: "this can also be the case with children or teens who may be searching the internet 'for a good time' or downloading files from kazzaa. a firewall with only inbound protection would miss stuff that could be downloaded from a trusted application, like program registration hacks that are full of viruses and malware. " }-

INTOX, That was a REALLY good post and I agree with you entirely. I am taking you for a few beers.

And I do agree. A kid goes to look for cracks, and searches Google. It will bring up a terrible site called www.seri*ll.com (address partly removed because the site is serving a live trojan), which infects the surfer with an ISTbar trojan upon loading of the page. :(

Intoxicated rules.

INTOXSICKATED
April 3rd, 2005, 10:10 AM
-{ Quote: "I am taking you for a few beers." }-
sweeeeeeeeeeeeeet! ;D

Diver
April 3rd, 2005, 10:19 AM
Outbound protection does nothing more than tell you something is trying to access the internet. It does not tell you if it is a trojan. It may give a hint in that a method of indirectly starting an application is being used, but that is not enough for a newb. All they have to do is click yes on the pop-up warning. By the way, that is the same way that trojans get on your machine. Do you want to install...? There lies the crux of the problem. None of these firewalls or sandbox utilities are smart enough to tell you when there is a problem. They just take a dumb look at certain types of system behavior and ask the user what he/she wants to do. For the user that knows what to do, the process will not ever reach that stage.

When the firewall or sandbox can tell me "this is a trojan your AV missed" and be right 90% of the time, then I would be interested. The problem now is it is wrong 98% of the time, only fans of these programs say it is just doing its job.

Just for clarity, I don't buy the newb/kid argument at all. If you are worried about those who are even one bit irresponsible, nothing short of something like Deep Freeze will work. DF lets you mess up and restores your system on the next boot. It is effective enough to use for kiosk browsing. In fact, I discovered DF using a kiosk machine at a hotel.

Yes, home systems are different from corporate networks. A home user can spend all day Sunday fooling around with security applications, never get anything done, and not have to answer to anyone. That is why I say it is OK to have fun experimenting with this stuff, but think twice before giving anyone advice.

INTOXSICKATED
April 3rd, 2005, 11:28 AM
I understand where you're coming from, but for the cost of $0, why not use a free version of ZA or some other free third-party firewall that cannot hurt you and can only help you? I think outbound application filtering has more benefits than just stopping malware and trojans from accessing the web. For example: there are some programs with auto-updaters or help files that access the internet when launched, some of which cannot be turned off from inside the application itself. There are also programs that request server rights, like Yahoo Messenger, that I have found no reason to need server rights to access the web. I believe it is more reassuring to know what programs on my computer are accessing the web and why. For the cost of nothing, at least ZA can offer you some control over this and is simple enough that even a newb can understand it. Hope this makes sense; been a long night! ::)

S!x
April 3rd, 2005, 11:40 AM
Diver:
-{ Quote: "Actually, the concept that you must put a lot of effort into catching a trojan by its outbound communication after it has installed itself oon your computer is a strange way of looking at internet security. I just guess that I am as strange as James Grant (developer of Conseal and 8Signs) and Stephan from CHX-1 and every enterprise firewall out there, and Microsoft." }-
First off, home users aren't running enterprise servers, and we're talking desktop firewalls, not commercial business-class firewalls. Secondly, for your theory to be correct would rely on a firewall that is 100% effective against outside attacks, which doesn't exist. (I'll spare posting all the Cisco router and the like vulnerabilities.)
As far as websites go (business class) - most still allow unrestricted modem access. if unrestricted modem access is still permitted into a site protected by a firewall, attackers could effectively jump around the firewall. Modem speeds are now fast enough to make running SLIP (Serial Line IP) and PPP (Point-to-Point Protocol) practical; a SLIP or PPP connection inside a protected subnet is in essence another network connection and a potential backdoor. Why have a firewall at all if unrestricted modem access is permitted?

And for every security expert you mention i can rebuff with one who has the opposite opinion:

National Institute of Standards and Technology
John P Wack
Lisa J. Carnahan
http://csrc.nist.gov/publications/nistpubs/800-10/

http://www.hideaway.net/home/public_html/pc/firewalls.php

But they are all long reads (at least I provide links; where are yours?) and really don't prove anything in the end. I surely wouldn't include Microsoft as any type of security expert.

-{ Quote: "It is very nice to play with outpost pro or Tiny as a hobbyist, but none of this stuff flies in the real world. Outbound app control is just part of a big marketing machine started by Zone Labs and and enhanced by Steve Gibson." }-
Are we back from business class to desktop firewalls? ... you can't compare business class and desktop firewalls (thus the different names)
OK ... Desktop it is. So what do you do about keyloggers and trojans, a lot of which are downloaded as legit applications? What do you do about DNS poisoning, hijacked URLs, etc.? For instance, once your DNS cache is poisoned, all requests to .com hosts are redirected to malicious sites. A malicious DNS server can poison the entire .COM domain. (But we don't need no stinking outbound filtering.)

The above statements hold no water and provide no proof other than the mere fact that you uttered the words.

-{ Quote: "And my fial word, your AV has to miss it for any of this to make a wit of difference. You can say that is easy, but I have not seen it happen around here except once since the days of the 8086, and it was so obvious what had happened that application filtering would have made no difference." }-

More and more client-side hijackings slide past most AV engines and even desktop firewalls; they are considered "authorized" applications by most controls, therefore appear to be benign (when they really are not). Continuing the trend is to see trojan delivery models that leverage existing applications and are a huge threat going into the future. http://isc.sans.org/
http://i.cmpnet.com/nc/1605/graphics/1605f4_file.pdf

AVs are not trojan scanners, with maybe the exception of Kaspersky ... if you're relying on your AV to fend off all malicious programs you're dead already. And the idea that it is a marketing tool shows what little you actually know. I guess it can't be a good idea whose time has come?
I suppose you could say that about the first person to do anything security related ... even the improvements made to the first home burglar alarm, such as the addition of motion detection. (We don't need that, we have an alarm ... motion detection is just a marketing tool.)

Keep your inbound-only protection; I couldn't care less (you'll get what you deserve eventually), but to come on the forum with a few quotes from people who are only trying to make a name for themselves by bucking whatever the current trend is just to stand out, and influencing non-educated users, is not cool.

These are all "Real World" examples not just somebody's opinion that at the same time is also aggressively marketing a product against those whom he/she bashes.

Unwarranted personal comments excised - BlueZannetti 3/4/05

Just wondering
April 3rd, 2005, 12:13 PM
BRAVO......BRAVO.........BRAVO ......S!x

Granted I'm far, far from a FW guru, but it seems to me if you get an alert from any security app and it gives you a choice to deny or accept, you may choose wrong, but at least you have a 50/50 chance of being right. I think that is far better than having no chance at all.

BlueZannetti
April 3rd, 2005, 12:22 PM
To all:

Let's keep the discussion focused on the technical question at hand and please refrain from comments of a personal nature. They're always uncalled for and generally wrong.

Blue

INTOXSICKATED
April 3rd, 2005, 12:39 PM
-{ Quote: "But it seems to me if you get an alert from from any security app...and it gives you a choice to deny or accept.....you may choose wrong....but atleast you have a 50/50 chance...of being right....I think that is far better than have no chance at all." }-
But as a general rule, if you don't know what it is, you should always deny it. I would think this would give you a better than 50/50 chance of being right.

Just wondering
April 3rd, 2005, 12:47 PM
I know that....in fact I had a weird one pop up this morning...I denied it...till I had a chance to look it up.

I was just trying to make a point about app control...whether it was useful.

Whenever I get a new app...I like to put it through its paces until I learn what to expect....then back off the settings.....so that when I do get an alert...I know I had better pay attention...whether a...pig's squeal...alarm....etc.

When I'm in doubt....I deny.

Diver
April 3rd, 2005, 12:48 PM
-{ Quote: "I understand where you're coming from, but for the cost of $0, why not use a free version of ZA or some other free third-party firewall that cannot hurt you and can only help you? I think outbound application filtering has more benefits than just stopping malware and trojans from accessing the web. For example: there are some programs with auto-updaters or help files that access the internet when launched, some of which cannot be turned off from inside the application itself. There are also programs that request server rights, like Yahoo Messenger, that I have found no reason to need server rights to access the web. I believe it is more reassuring to know what programs on my computer are accessing the web and why. For the cost of nothing, at least ZA can offer you some control over this and is simple enough that even a newb can understand it. Hope this makes sense; been a long night! ::)" }-

ZA is a bit heavy on resources for me, but I do think it is a good product. At the moment I am looking at various means of improving security, but my main focus is preventing the installation of trojans, not waiting to find them when they call out.

I have found that I can usually deal with the auto updating by using a hosts file. There are exceptions, but they are not important. I realize some folks feel there is a privacy issue with the publisher knowing every time you run the application, but usually it is not anything sinister. Usually I get rid of apps that do not let you turn off the update checking because if they think they are that important, I don't need them.

Server rights are easy to deal with. A proper firewall does not give server rights to any program unless you explicitly allow it. Even the minimalist XP SP2 firewall detects when a program wants server rights and asks for permission. The XP SP2 firewall is actually application-aware with respect to server rights. The server ports will show as stealthed during a scan by ShieldsUP or the like, something you cannot do with CHX-1 or 8Signs.

Good firewalls allow logging rules to detect which applications are communicating, in case you have any doubts. It is not as in your face as an app filtering firewall, but the information is there. Tcpview will tell you if anything is listening, a sure sign of a back door. Vee have our Vays...:)
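The two checks Diver describes in the post above (firewall logging to see which applications are communicating, and TCPView to see whether anything is listening) can be scripted against a `netstat -ano` snapshot plus a PID-to-image map. The following is an added example written for this thread; it is not code from any poster or from any of the firewall products named here. The netstat output, the PID map and both allowlists are constructed for illustration, and the image name rundll32.exe is used only as a stand-in for "a process that should not be doing this". The script flags a process holding "server rights" (a listener on a non-loopback address) that was never granted them, and a process making an outbound connection that is not on the allowlist. One subtlety it handles: an ESTABLISHED socket on a port the same process is listening on is an accepted inbound connection, not an outbound call, so it is not reported as one.

```python
"""Audit a `netstat -ano` snapshot against a per-application allowlist.

Added example for this thread (not code from any poster or product).
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of Windows XP `netstat -ano` output (not a
# capture from a real host). TCP rows carry a State column; UDP rows do not.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1876
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       2520
  TCP    192.168.1.5:1043       64.4.11.42:443         ESTABLISHED     1876
  TCP    192.168.1.5:1051       203.0.113.77:6667      ESTABLISHED     2520
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed PID -> image name map (the column TCPView or `tasklist` adds).
SAMPLE_PIDS: Dict[int, str] = {
    948: "svchost.exe", 700: "lsass.exe", 1876: "firefox.exe", 2520: "rundll32.exe",
}

# Hypothetical allowlists: what an admin would pre-approve right after install.
ALLOWED_OUTBOUND: Set[str] = {"firefox.exe", "svchost.exe", "lsass.exe"}
ALLOWED_LISTEN: Set[str] = {"svchost.exe", "lsass.exe"}   # "server rights"

ACTIVE_TCP_STATES = {"ESTABLISHED", "SYN_SENT", "CLOSE_WAIT"}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str          # "" for UDP rows
    pid: int


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'192.168.1.5:1043' -> ('192.168.1.5', 1043); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host, (0 if port == "*" else int(port))


def parse_netstat(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                        # banner and header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue                        # malformed row: skip rather than guess
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        sockets.append(Socket(proto, lip, lport, rip, rport, state, int(pid)))
    return sockets


def _is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip in ("::1", "[::1]")


def audit(sockets: List[Socket], pid_map: Dict[int, str],
          allowed_outbound: Set[str], allowed_listen: Set[str]) -> List[Tuple[str, int, str]]:
    """Return (image, pid, reason) findings in snapshot order."""
    # Ports each PID listens on: an ESTABLISHED socket on one of those local
    # ports is an accepted inbound connection, not an outbound call.
    listen_ports: Dict[int, Set[int]] = {}
    for s in sockets:
        if s.proto == "TCP" and s.state == "LISTENING":
            listen_ports.setdefault(s.pid, set()).add(s.local_port)

    findings: List[Tuple[str, int, str]] = []
    for s in sockets:
        image = pid_map.get(s.pid, f"<unknown pid {s.pid}>")
        is_listener = s.state == "LISTENING" or s.proto == "UDP"
        if is_listener and not _is_loopback(s.local_ip) and image not in allowed_listen:
            findings.append((image, s.pid, f"unexpected listener on {s.proto} port {s.local_port}"))
        if (s.proto == "TCP" and s.state in ACTIVE_TCP_STATES
                and not _is_loopback(s.remote_ip)
                and s.local_port not in listen_ports.get(s.pid, set())
                and image not in allowed_outbound):
            findings.append((image, s.pid, f"unexpected connection to {s.remote_ip}:{s.remote_port}"))
    return findings


if __name__ == "__main__":
    for image, pid, reason in audit(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PIDS,
                                    ALLOWED_OUTBOUND, ALLOWED_LISTEN):
        print(f"{image} (pid {pid}): {reason}")
```

On the constructed sample this reports two findings, both against pid 2520: a listener on TCP port 5000 that nobody granted server rights, and a connection to 203.0.113.77:6667 from an image that is not on the outbound allowlist. The Firefox loopback listener and its HTTPS connection are silent, as are the svchost and lsass services that were pre-approved. The same caveat Diver raises applies: a snapshot only tells you that a process is communicating, not whether it is malicious, so a finding is a prompt to investigate the image, not a verdict.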

INTOXSICKATED
April 3rd, 2005, 01:07 PM
-{ Quote: "At the moment I am looking at various means of improving security, but my main focus is preventing the installation of trojans, not finding them when the call out." }-
I have gone with trying to prevent them from installing in the first place, as well as trying to locate them when they do call out. I don't think either way is 100% reliable, so I've chosen a combination of both for my security.
-{ Quote: "Usually I get rid of apps that do not let you turn off the update checking because if they think they are that important, I don't need them." }-
I have a few of these apps that, right now, I have no choice but to keep. However, I can control what they do and how they act through Outpost and PG.
-{ Quote: "Server rights are easy to deal with. A proper firewall does not give server rights to any program unless you explicitly allow it." }-
It shouldn't. But I know some, like Sygate for example, that make you manually go in and uncheck 'allow server' rights for any application it detects.
-{ Quote: "Even the minimalist XP SP2 firewall detects when a program wants server rights and asks for permission. The XP SP2 firewall is actually application-aware with respect to server rights. The server ports will show as stealthed during a scan by ShieldsUP or the like, something you cannot do with CHX-1 or 8Signs." }-
Interesting, I did not know that.
-{ Quote: "I know that....in fact I had a weird one pop up this morning...I denied it...till I had a chance to look it up. I was just trying to make a point about app control...whether it was useful. Whenever I get a new app...I like to put it through its paces until I learn what to expect....then back off the settings.....so that when I do get an alert...I know I had better pay attention...whether a...pig's squeal...alarm....etc.

When I'm in doubt....I deny." }-
I do the same thing.

This has been a good thread for me; I have learned a lot. Those were some good posts by Blue and S!x, and some interesting ones by Diver! ;)

Diver
April 3rd, 2005, 01:10 PM
On the 50/50 thing, Microsoft did some research and found that most users give up after a while and say yes to everything. IMO the problem gets worse with the sensitivity of the firewall or sand box. That is why I constantly complain that these utilities lack intelligence.

Consider where trojans come from. Unless we are talking about a system with no firewall at all user action is required to allow the crap to install, either by clicking on an email attachment or allowing an active-x or Java item to install. If you are smart enough to get it right when the firewall asks, you have got to be smart enough to get it right prior to infection. Furthermore, the user can develop a sort of numbness by being asked to respond to too many warnings that are, in effect, false alarms. That way when a real warning comes along, they are more likely to allow the wrong thing to happen.

Other strategies to consider for downloads are waiting several days to run suspect items or using an online multi-engine virus scan like Jotti's.

If this issue comes up again, I am just going to link to this thread:)

Just wondering
April 3rd, 2005, 01:46 PM
Again you missed my point on the 50/50 chance.....what I've been trying to say is I feel it is far better to have a 50/50 than none at all.

Now what are all these alerts you seem to think I, and a lot of other people, have....I've run behind FWs for years when I was on dial-up...ZA, the old Tiny and Kerio....and rarely had an alert...maybe an occasional port scan. I'm now on DSL with an ISP firewall...with PG...Prevx....and a software FW. The only time I get all those "alerts" is when I first try out something...to learn what's connected to what.....and learn what to expect. About the only pop-up I get is from PG because I have rundll set up to run once. Other than that.....it is very, very quiet here "on the western front."

Because I have learned what to expect from my security apps, I feel that if one does alert me.....best deny it.....because it sure isn't the norm.

jimmytop
April 3rd, 2005, 02:28 PM
-{ Quote: "On the 50/50 thing, Microsoft did some research and found that most users give up after a while and say yes to everything. IMO the problem gets worse with the sensitivity of the firewall or sand box. That is why I constantly complain that these utilities lack intelligence." }-

There is a lot of truth to that. Most people just don't want to fool with the alerts and stuff.

Speaking of intelligence, has anyone tried PCInternetPatrol? http://www.pcinternetpatrol.com/firewall

It sounds interesting, but the trial was crippled enough that I really couldn't test it to its full capabilities.

INTOXSICKATED
April 3rd, 2005, 02:47 PM
-{ Quote: "Speaking of intelligence, has anyone tried PCInternetPatrol? http://www.pcinternetpatrol.com/firewall
It sounds interesting, but the trial was crippled enough that I really couldn't test it to its full capabilities." }-
You can check out this (http://www.wilderssecurity.com/showthread.php?t=70579) thread, and this (http://www.wilderssecurity.com/showthread.php?t=4556&highlight=pcinternet+patrol) thread, and this (http://www.wilderssecurity.com/showthread.php?t=32936&highlight=pcinternet+patrol) thread for a little more on PCInternet Patrol. Personally I trialed it but didn't really feel I needed it. If hollywoodpc was on, I'm sure he'd have something to say about it! ;D

INTOXSICKATED
April 3rd, 2005, 03:12 PM
-{ Quote: "On the 50/50 thing, Microsoft did some research and found that most users give up after a while and say yes to everything." }-
microsoft did some research? while there may be some truth in that, it sounds more like an excuse they made to defend the reason as to why their firewall has no outbound protection! ;D

Diver
April 3rd, 2005, 03:16 PM
just wondering-

I don't miss any points, I just don't agree. I actually believe that for behavioral reasons rather than technological reasons your 50/50 argument does not work. It would be better than 50/50 if you only had to deal with a few warnings. As the number of warnings goes up, the percentages drop to where it is less than 50/50 due to user fatigue, and for some users the answer is permit every time. Why don't you register already?


Intoxsickated-

I just love your style "this and this and this". Well, actually for several years I only used a NAT because I got tired of tweaking various software firewalls. But, if you like to tinker, be my guest. I don't care if anyone changes brands, so to speak. All I want to point out is there are some important limitations to the whole app filtering/leak test thing.

INTOXSICKATED
April 3rd, 2005, 03:27 PM
-{ Quote: "Intoxsickated-
I just love your style "this and this and this"." }-
maybe i should use some that's. ;)

-{ Quote: "It would be better than 50/50 if you only had to deal with a few warnings." }-
that's why i like what blue said earlier. if you do have someone to run through all the applications that would need Internet access immediately after the install to create all the needed application based rules for the machine, you would get a lot fewer pop-ups. of course the key here being the 'someone to run through all the applications' part. i know not everybody has access to a person to help, but that's what forums like this are for.

hollywoodpc
April 3rd, 2005, 03:39 PM
Oh Brother! Why would ANYONE make a statement like not needing outbound because.....? It is easy folks. There is always someone who is "out of the loop" and must stir the pot. Bottom line: Use it if you have it. It is nice to have. If you do not want it, don't use it. Pretty simple. There ya go. Time to move on I think. I will go cajole with my outbound filtering now.

INTOXSICKATED
April 3rd, 2005, 03:49 PM
-{ Quote: "All I want to point out is there are some important limitations to the whole app filtering/leak test thing." }-
i think you accomplished that. i don't totally agree with you, but i think you made your point. ;)

hollywood, i was wondering when you were going to show up! ;D

Diver
April 3rd, 2005, 04:03 PM
We all need to go out and get a drink together sometime.

hollywoodpc
April 3rd, 2005, 04:03 PM
Where you go , I TRY to go . It is more fun that way . And I hear you are heading up the new ZoneLabs fan club . What does it cost to join ?

Kerodo
April 3rd, 2005, 05:28 PM
I'll throw in my 2 cents here also.. I generally don't worry much about app control, but I do like to have it so that I am alerted when something wants to connect out to the internet, not because I'm worried about trojans or malware, but just because I prefer to know. I don't live that kind of computer lifestyle, so I don't worry about trojans and that kind of stuff. I've been at this for 3-4 years now and have NEVER had 1 trojan or malware on my machine. Never. But I have had respectable apps that want to connect out, and when that happens, I do like to know about it, just for my info, and so I can allow or deny it. So that's about it for me.

Actually, I should modify that a little. I have had a couple of viruses hit me, but they were caught by my AV in time, and they were extremely few and far between.

Diver
April 3rd, 2005, 07:20 PM
Check out my new signature. I found this on a site that deals with firewalls from the enterprise perspective. However, it describes my philosophy exactly, and not just within the context of this aspect of computer security.

Well, I am off to see the Emperor's new clothes. Loops go in circles, don't you know.

mercurie
April 3rd, 2005, 11:42 PM
-{ Quote: "Outbound protection does nothing more then tell you something is trying to access the internet. It does not tell you if it is a trojan. It may give a hint in that a method of indirectly starting an application is being used, but that is not enough for a newb. All they have to do is click yes on the pop up warning. By the way, that is the same way that trojans get on your machine. Do you want to install...? There lies the crux of the problem. None of these firewalls or sand box utilities are smart enough to tell you when there is a problem. They just take a dumb look at certain types of system behavior and ask the user what he/she wants to do. For the user that knows what to do, the process will not ever reach that stage.

When the firewall or sandbox can tell me "this is a trojan your AV missed" and be right 90% of the time, then I would be interested. The problem now is it is wrong 98% of the time, only fans of these programs say it is just doing its job.

Just for clarity, I don't buy the newb/kid argument at all. If you are worried about those who are even one bit irresponsible, nothing short of something like Deep Freeze will work. DF lets you mess up and restores your system on the next boot. It is effective enough to use for kiosk browsing. In fact, I discovered DF using a kiosk machine at a hotel.

Yes, home systems are different from corporate networks. A home user can spend all day Sunday fooling around with security applications, never get anything done, and not have to answer to anyone. That is why I say it is OK to have fun experimenting with this stuff, but think twice before giving anyone advice." }-
Creature Diver,
You are tech savvy. Your posts prove this out. And I mean no disrespect. I just can not agree with your outbound opinion. Please allow me some of your time to consider this real life example. Your above post made me remember this. It may not have been malware like a trojan, but I do believe it was attempting to serve up an unhealthy dose of adware. My log book indicates that it was back in August of 2002. I was running the ME OS then. I loaded up a program all know here, I am sure: REALONE NETWORK Free version. Within one day Zone Alarm went crazy, constantly asking for outbound connection. Viewing what wanted out, I constantly denied it. When I dug a little deeper I realized that REALONE was a real pain.

I uninstalled it and almost broke my system. Got this TKBELLEXE problem. (Kevin creator of BoClean sent me a link to address this problem nothing to do with BoClean, took time to help me on nonBoClean issue just another reason I am such a fan).

When REALONE was gone Zone Alarm went back to normal. Sure it was not about a major malware, virus or trojan. But what it was about was ADS, spyware crap. IT WAS ABOUT WHOSE MACHINE IS IT. MINE. I CONTROL WHAT COMES IN AND GOES OUT NOT REALONE. THIS WAS A REAL LIFE EXAMPLE OF ONE USER WHO WAS ALERTED BY OUTBOUND CONTROL OF HIS FIREWALL "YOU HAVE A PROGRAM ON YOUR SYSTEM THAT YOU HAVE LOADED RECENTLY THAT WANTS OUT FOR SOME REASON AND YOU ARE NOT EVEN AT THE COMPUTER MUCH LESS USING ANYTHING. YOU MAY WANT TO INVESTIGATE." HMMM WHAT HAVE I DONE RECENTLY TO CAUSE A CHANGE. REALONE THAT'S WHAT!! >:(

THE ARGUMENT THAT CREATURES DO NOT WANT TO BE BOTHERED IS LIKE TELLING A DRIVER OF A CAR TO IGNORE THAT CHECK ENGINE LIGHT. DO NOT BOTHER ME WITH THE BLINKING OIL CAN ON THE DASH. I guess it is just me always wanting to make sure my stuff is working and I am in control.

Thanks for your point of view Diver. ;)

TrBot
April 4th, 2005, 01:34 AM
Diver's sig seems to sound better when he says it than when I did.

Diver
April 4th, 2005, 05:49 AM
Mercurie-

Real Player is known for being badly behaved. I don't use it around here. There are several other ways its behavior could be detected, including start up entries, task monitor and firewall logs. Besides, it is not a trojan, just an annoying program.

If the oil light in my car came on every day, and after about a week of checking the oil I found it to be full, I would correctly deduce that the sensor was broken and ignore it until I could get it fixed. Unfortunately, most advanced application controls are as broken as that oil warning light since they mostly warn about normal events and there is no fix other than to look at the problem in a different way.

By the way, I don't have a big problem with simple application control like what is found in Kerio 2.15, so long as the user does not regard it as a sure fire trojan catcher. However, for some users even that quantity of interaction is too much.

I have been asking quite a few computer users about their security practices, one on one, as a reality check against what I see in this and other forums. Generally, if they have a NAT, that is it.

ghost16825
April 4th, 2005, 06:56 AM
At the moment I'm running ICF and sometimes I miss application control.

In my opinion, for my usage, the greatest need for outbound application control is to deal with situations like mercurie mentioned. That is:
"To stop outbound traffic from so-called "legitimate" applications with abusive phone-home policies, known bad privacy policies or completely unknown privacy policies."

What is the difference between a trojan which decides to connect outbound and a "legitimate" application which tries to connect outbound without explicit permission?
<<insert joke here>>

Don't laugh. Even firewall companies can have abusive policies. (For those that don't know a specific older ZA release did not obey the user-set settings to not send periodic data to Zone Labs - a programming bug or a deliberate action. This (I think) has been fixed in the newest versions).

The whole outbound application control thing probably began from Steve Gibson's Leaktest but it probably was a logical consequence of mainstream new user concepts. "Do you want ApplicationX to access the Internet?" is probably the easiest way to get input from a clueless user.

Regardless of application control or not, the most dangerous time of using the firewall is in the very early learning stages when the rulebase is empty and the user is clueless.

Do you want SVCHOST.EXE created by Microsoft Corp. to access the Internet? (Allow connections outbound) - since this particular request is needed for a DHCP Broadcast to get DNS server addresses the internet connection fails if they do not allow it. The user also sees Microsoft Corp. and that's a legitimate application so why not?

The next prompt is:

Do you want to allow SVCHOST.EXE to act as server?
Well it's a legitimate application - it says Microsoft after all. And if my connection fails if I did not allow it before why should I not allow it now?
Never mind the fact that this is most likely the Blaster/Sasser worm, not something as innocent as updating the time through Windows Time Service.

I have to say I more or less agree with Diver's opinion all the way. That sig is spot on; I'm almost tempted to steal it. I thought the purpose of early security products was to let the user have definite control over their machine, not malware or malicious users. Now this has shifted so much that I would say that it is usually the security product that has complete control over the computer with little input from the user. With this shift is it any wonder that spyware producers are appearing as computer security related, or that security vendors are increasingly turning to unethical practices, maybe using collected data improperly? Computer security products are almost in a class of their own - no-one asks questions about their capabilities, they are always trusted without blinking, and giving these companies' AI-like logic full control over machines is the norm. This is unheard of for absolutely any type of product in the software or physical world.

So who has ultimate control over your PC - you or your computer product?
Often it's impossible to tell because the internal operations are poorly documented or not clearly documented at all.

What's the difference between a remote administered trojan and a program which makes great changes to your PC from decisions determined by a security company, with little user input or full information about what is about to be performed?
<<insert joke here>>

Something to think about....
/rant

BlueZannetti
April 4th, 2005, 07:28 AM
-{ Quote: "I have been asking quite a few computer users about their security practices, one on one, as a reality check against what I see in this and other forums. Generally, if they have a NAT, that is it." }-
In the grand scheme of things I can understand this. Given an option to have either a software firewall or a NAT/SPI router, I'd direct the person to go with the router for a number of reasons, the main one being that it's an independent piece of hardware and load balances against anything subsequently installed on a PC. All one needs to do is examine the load on a software firewall with and without a NAT router to understand that for most people a router should come first. Why? Once it's plugged in and set-up, there is nothing else for a user to do. No popups. No decisions. Unsolicited inbound communications are dealt with cleanly and completely. This is the route to follow even for users with a single PC, a fact which escapes many.

Whether it is wise for a user to take things to the next level is a debatable point. Each of us makes these decisions in every facet of our PC configuration. For example, I own current licenses for NOD32 and KAV WS. The bulk of my surfing is performed with NOD32 as my AV since I've made the choice that the resource drain of KAV WS is a little dear for my tastes most of the time. Objectively reading any AV/AT performance test, in some respects I have incurred a minor increase in potential malware exposure by doing this. I know that, but I've weighed the pragmatic consequences and, in my estimation, they are operationally nil.

The same type of analysis can be applied to the question of this thread. While I believe the incremental exposure is greater than I view the NOD32/KAV WS trade-off, it is not a whole lot greater. In a coherently constructed layered defensive scheme, there is a hierarchical priority in the components. Outbound communication control is at the lower end of that priority schedule. Like many here, I do prefer to have that level of control.

If a user were to ask me if they need this feature in their set-up, I'd probably advise them that it is in the nice-to-have category, but also try to assess whether they had the experience, and wished to acquire the knowledge, to intelligently deal with the configuration and use of this component. As someone who uses a software firewall purely as a measure of application based outbound communication control, I've already made a significant decision regarding the level to which I want to learn PC communication protocols. I made the active decision that I really do not wish to learn what is required to effectively configure and use a rules based firewall. My choice has been to use Outpost Pro in a purely application based mode. Naturally, the next step back would be to skip this activity altogether. My experience is that the incremental impact on the total risk of malware exposure is small if one decides to skip outbound control via application filtering.

Readers of this thread should carefully assess Diver's points. They do have merit. Informed usage is what it is all about.

Blue

TrBot
April 4th, 2005, 07:50 AM
-{ Quote: "So who has ultimate control over your PC" }-

I have said it before and will again. YOU, the USER does. It is up to what YOU install, what YOU run, what you download etc etc. Not only does that count,
but also knowing HOW to use what you download/install/run.

Outbound APP filtering should be made easier for those "teen users" that I always go on about. THEY are the ones that need it the most, that and porn surfers.

Don't mind me I talk out my butt.

Diver
April 4th, 2005, 09:56 AM
Ghost's and BlueZannetti's posts are two good ones and make an interesting contrast, side by side.

What caused me to make such a strong statement on this topic was that I have been seeing a lot of knee jerk recommendations to beginners regarding the use of firewalls with advanced application control when I thought the obvious answer was either a NAT or the Windows built in ICF. People have a way of not understanding the problems of other users when they give advice.

One member of this forum has on occasion in PM's to me wondered how some of the members can keep their machines running with so many security applications installed at once.

I found the sig here: http://www.wilyhacker.com/1e/

Down near the bottom in appendix A.

Just wondering
April 4th, 2005, 10:34 AM
Diver ....You still haven't addressed this part of my argument

Now what are all these alerts you seem to think I, and a lot of other people
have....I've run behind FW's for years when I was on dial-up...ZA, the old Tiny
and Kerio....and rarely had an alert...maybe an occasional port scan.
I'm now on DSL with an ISP Firewall ..with PG...prevx....and software FW.
The only time I get all those "Alerts" is when I first try out something...
to learn what's connected to what.....and learn what to expect.
About the only pop up I get is from PG because I have rundll set up to run once.
Other than that.....it is very very quiet here "On the western front."
Because I have learned what to expect from my security apps. I feel that if
one does alert me.....best deny it.....BECAUSE IT IS SURE NOT THE NORM.

Where and what ....are all these alerts.

p.s. I forgot to add....at home G/Fs PC still on a dial-up...she mainly
uses it along with her son....she says she has no alerts.

mlr1m
April 4th, 2005, 10:50 AM
I don't get a lot of alerts either. BUT! When I set up a program for the first time I do try to run through all the program features and set them up when I install it. As a result I only get alerts when something strange happens. (almost never)

That said. When I have set up friends' computers I sometimes miss things because I don't spend the time necessary to catch all the alerts. This leaves them with a lot of confusing alerts to look at.
So I suppose it's all in the initial setup. Taking the time to configure it properly.

Michael

se7engreen
April 4th, 2005, 12:19 PM
Personally, the only time I feel app-filtering is useful is when legitimate apps want to phone-home for no good reason (what the hell does my photo editor need to talk about anyway :) ). As mentioned already, there are other ways to disable outbound communication for most apps.
I use Visnetic fw and I have enough application and back-end security in place where I don't worry about outbound trojan communication. If a trojan is able to install itself on my pc, I've screwed up pretty bad, as it has multiple layers to get through.

The part I enjoy the most about running Visnetic is I'm able to view and analyze every packet processed by the fw in realtime. I have granular control over my ruleset and if I see any suspicious traffic I have the power to shut it down, ban it, and tarpit unwanted connection attempts. By only allowing what I specify it also eliminates a lot of junk-packets and internet back-talk that can get by other firewalls.

Of course the topic of app-filtering or no app-filtering is not about right or wrong, it's about what works for each person and what is comfortable for the user.

One more thing, I see the terms outbound-filtering and app-filtering used interchangeably here, but there is a difference. For example, Visnetic can filter all outbound UDP requests on port 6666 but it can't do this specifically for one application.
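The distinction drawn above between outbound (port) filtering and application filtering, and the blanket "allow SVCHOST.EXE" decision ghost16825 describes, expressed with the modern Windows Defender Firewall cmdlets. This is an added example, not code from the thread or from any firewall product discussed in it; the rule display names are made up, and the svchost path, service short names and ports are the standard Windows ones.

```powershell
# Added example: outbound filtering by port versus by application, using the
# NetSecurity module (Windows 8 / Server 2012 and later). Run from an elevated
# PowerShell. Rule display names are constructed for this example only.
#Requires -RunAsAdministrator

$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# 1. Pure outbound (packet) filtering: block UDP to remote port 6666 for every
#    program. This is "outbound filtering" in se7engreen's sense: the rule has
#    no idea which application produced the packet.
New-NetFirewallRule -DisplayName 'Example: block UDP 6666 outbound (all apps)' `
    -Direction Outbound -Action Block -Protocol UDP -RemotePort 6666 `
    -Profile Any | Out-Null

# 2. Application filtering, weak form: the equivalent of clicking "Allow" on a
#    "Do you want SVCHOST.EXE to access the Internet?" prompt. Every service
#    hosted in svchost.exe may now reach any port on any remote host.
New-NetFirewallRule -DisplayName 'Example: svchost blanket allow (weak)' `
    -Direction Outbound -Action Allow -Program $svchost `
    -Profile Any | Out-Null

# 3. Application filtering, scoped form: allow only what that prompt was really
#    asking for. The DHCP client service (Dhcp) talks to a DHCP server on UDP 67
#    from local port 68; the DNS client service (Dnscache) talks to resolvers
#    on port 53. Any other svchost-hosted service keeps the default policy.
New-NetFirewallRule -DisplayName 'Example: svchost DHCP client only' `
    -Direction Outbound -Action Allow -Program $svchost -Service Dhcp `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Example: svchost DNS client only (UDP)' `
    -Direction Outbound -Action Allow -Program $svchost -Service Dnscache `
    -Protocol UDP -RemotePort 53 -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Example: svchost DNS client only (TCP)' `
    -Direction Outbound -Action Allow -Program $svchost -Service Dnscache `
    -Protocol TCP -RemotePort 53 -Profile Any | Out-Null

# Scoped allow rules only mean something when the profile's default outbound
# action is Block. With the Windows default (Allow) the blanket rule above is
# redundant and the scoped ones change nothing. Uncomment to enforce them:
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Show the svchost rules side by side: which program, service and ports each
# one actually covers, which is exactly what a yes/no prompt never tells you.
Get-NetFirewallRule -DisplayName 'Example: svchost*' |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        $svc = $_ | Get-NetFirewallServiceFilter
        $prt = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Action     = $_.Action
            Program    = $app.Program
            Service    = $svc.Service
            RemotePort = ($prt.RemotePort -join ',')
        }
    } | Format-Table -AutoSize

# Drop the blanket rule once the scoped ones exist. To remove every example
# rule instead, uncomment the second line.
Remove-NetFirewallRule -DisplayName 'Example: svchost blanket allow (weak)'
# Get-NetFirewallRule -DisplayName 'Example: *' | Remove-NetFirewallRule
```

Note that the block in step 1 applies to all processes while the rules in step 3 apply to one program and one service, which is the difference the post points out between outbound filtering and app filtering.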

Just wondering
April 4th, 2005, 12:55 PM
Very good post Se7

I see you're not guilty of "selective reading" and not trying to foist off your
favorite pet theory or your brand of FW on everyone else.

You stated very clearly what you didn't like about "call home" apps, and I
think very objectively what you like about your firewall...and why you use it.

Also very well done...stating what a person is comfortable with...and his/her
level of knowledge.

joter
April 4th, 2005, 02:14 PM
How do you set up the Jetico firewall to do only application filtering and use another tool for packet filtering?

This is just the answer from Jetico Inc. and it works fine for me.

"You can turn off the packet filtering in JP Firewall and probably the most simple way is to remove JP Firewall packet filtering driver bc_filter.sys from Windows system directory (for example, for Windows 2000/XP it is WINDOWS/System32/Drivers)."

Diver
April 4th, 2005, 03:20 PM
Joter,

That is an interesting observation for those who want some app filtering with Jetico. You could pretty much dispense with detailed rules in that case and set up a couple of tables to take care of just about everything. However, I found Jetico to require way too much interaction for my tastes. In fact, it is the firewall that caused me to start thinking this way.

Just Wondering,

I believe that I have addressed your point. With the more advanced firewalls it takes quite a while until they shut up, and it seems like it is never completely over. There is always some link in the help file or a little used check for updates that is going to pop up. Don't forget this argument is behavioral as well as technical, so individual perceptions are involved. Also, take note that not everyone would have your level of patience in dealing with advanced application control. One of my big complaints about forums of all sorts is that persons with experience or aptitude completely forget what everyone else is like.

By the way, I have not been pitching any particular firewall. The ones mentioned are the better known firewalls lacking outbound application filtering. Visnetic is the same as 8Signs, sold under a different name. But, in case anyone has any doubts, I do like CHX-1, 8Signs, Visnetic and the SP2 ICF.

mercurie
April 4th, 2005, 10:08 PM
Hello All,
Just wanted all creatures to know how I feel about this too:

Blue said:

"In the grand scheme of things I can understand this. Given an option to have either a software firewall or a NAT/SPI router, I'd direct the person to go with the router for a number of reasons, the main one being that it's an independent piece of hardware and load balances against anything subsequently installed on a PC. All one needs to do is examine the load on a software firewall with and without a NAT router to understand that for most people a router should come first. Why? Once it's plugged in and set-up, there is nothing else for a user to do. No popups. No decisions. Unsolicited inbound communications are dealt with cleanly and completely. This is the route to follow even for users with a single PC, a fact which escapes many"

Well Said BLUE!! I totally agree with this. I have been behind one for almost a year now. Your machines operate a lot more silently than with software firewalls alone, constantly blocking and logging stuff. The nice thing is if somehow something were to creep through that hardware, then the software firewall will catch it and log the attempt to boot. I can not imagine the conditions that would occur for this to happen. ;) ;)

I also agree Diver's points do have merit, yes they certainly do. I continue to read this thread with much interest as so many have weighed in. :)

Kerodo
April 4th, 2005, 10:24 PM
-{ Quote: "Joter,
That is an interesting observation for those who want some app filtering with Jetico. You could pretty much dispense with detailed rules in that case and set up a couple of tables to take care of just about everything. However, I found Jetico to require way too much interaction for my tastes. In fact, it is the firewall that caused me to start thinking this way." }-
If I wanted some app filtering to go with, for instance, CHX-I, I don't think Jetico is the one I'd pick. Too many prompts, as you mention, and with the lack of hash updating when upgrading an app, it's more of a nuisance than anything else IMO. I'd probably go with ZA or LnS with CHX-I. But it is interesting to note that it's possible with JPF as well...