Hi all! A question for you... what's a decent firewall for users that are not exactly tech-savvy? I've been fixing folks' PCs for years, and I'm a firm believer that a good HIPS used correctly can go a long way to keeping a Windows system protected. I've always gone the COMODO route because it's trusted, free, fairly lightweight and has extensive options. But I recently had to look at a PC which was "just running slow" - I remember working on this PC maybe 2-2.5 years ago, cleaned it, installed the usual security products (AV, firewall/HIPS, Secunia), and left detailed instructions (an illustrated PDF) on keeping it "clean". What I got back was riddled with Java exploits, droppers, and a slew of questionable "cleaner" and "optimizer" products. It's as if there were no AV or HIPS protecting the PC at all! I was very disappointed. And then the owner told me that she did exactly what I told her to: "I just click 'allow' whenever it pops up. Sometimes it keeps popping up and I get annoyed so I just keep clicking 'allow'." Yes, those were her words. So either a) HIPS doesn't work; or b) she just let all of those baddies in. I'm at an impasse now. Do I continue installing HIPS on people's PCs in hopes of keeping them safe? Or are my words of advice just falling on deaf ears? If folks really rage-click the HIPS alerts, what's the point? Is there a better solution?
If the browser is the major source of exploits, fix the browser by installing adblock with all the filters you can. If programs they install are the source, this is a bit tough. I would suggest teaching them to use only Softpedia to download their programs. Teach them that if they don't find them there, they shouldn't install them, and if they do find the programs there, to read carefully whether Softpedia marks the program as adware and again not install them.
HIPS software is not suitable for end users. It provides no protection against the user being tricked. (An AV at least might warn you before you deliberately install a nasty.) Actually I take that back. Most HIPS software is not suitable for anyone, because it queries the user as a matter of course, even if you set it up as a strict policy sandbox. I wish I had more advice on protecting users from themselves, but yeah, putting the user in charge of realtime security decisions is a bad idea, especially when the user doesn't know computers.
One of the things I tell friends and relatives is to choose 'custom install' (advanced) instead of express install (recommended) when installing a downloaded program. Quite often inexperienced users think the custom install will be too hard for them. In reality, quite often a custom install is where the 'offers' are made for extras such as PC optimizers etc.
It is very difficult to recommend a HIPS solution for the novice user. If you wish, you could try Online Armor or the paid Outpost firewall in learning mode and tell them to switch learning mode on when they install something. It will not protect against optimisers but should do against browser exploits.
If a user is going to approve every single pop-up, there's no software in the world that can save them...
I have to disagree: if you're an experienced or so-called "expert user" it does make sense to use a HIPS. For normal users I would recommend tools like: MBAE, Sandboxie (with some extra configuration) + free AV.
Do not even bother with it and just leave Windows Firewall with outbound protection off. The perfect security for common users has to be as non-intrusive as possible. Use a free cloud AV (Bitdefender Free) with no subscription to renew and set it to delete viruses silently. Install a browser; Chrome with sandboxed extensions and automatically updated Flash is a great choice. Pre-install any free software that they might possibly need, like a media player, picture viewer, PDF viewer (anything but Adobe) and so on. Definitely install some trustworthy optimizers like CCleaner and at least one more of your choice and tell them to use it regularly; if you do not, they will get something questionable for sure.
Free AV that silently removes viruses might be a problem when one day the AV issues a wrong bunch of instructions that delete svchost, or explorer ... there have been those silent computer-destroying instances in the past. It may happen again.
*placing my palm on my head* Although I understand your point, the Windows firewall's outbound protection shouldn't be intrusive. Why not leave it in its default state?
Sounds like the Firewall did its job, it alerted. And the user did as she was told, and clicked 'allow.' From my perspective the user is the weak link in the chain. Since she is your client, how do you solve/address that?
Imaging & external data backups are the only options I have a 100% clear conscience in recommending. First, it's what I implement & if done with multiple time-varied copies is as close to 100% dependable as I know of. Second & this is the part I hate & love about this solution: almost nobody I've consulted with has ever followed up & done this. So once again (this is an increasing theme as I age) my conscience is clear. Whenever I've recommended or installed certain software, eventually the user will screw up. I am certain 95%+ of people use their computers like toasters & fridges. So there is no hope for the average user; they are doomed. I stopped actively soliciting my PC repair & consulting services a long time ago because I found myself feeling like a car salesman. If I charged by the hour to fix rather than clean install, for sure it's cheaper for them to buy new. So now I fix, upgrade & fine-tune older laptops that others would junk, and pass them on to be used again.
I meant to leave it at default, and by default it is off. The default state is to allow all outbound with no notifications, so basically it is off. http://sekharpadikkal.wordpress.com/2013/04/12/making-windows-firewall-complete-block-outgoing-connections-and-get-notified/ It would actually be a good idea to add something like Windows Firewall Control to control outbound, but users would allow everything anyway, so why bother.
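An added example, not from any poster in this thread, that shows the per-profile defaults the post above describes (outbound allowed, no prompt) and how an administrator would flip a profile to block-by-default with explicit per-program allow rules. It uses the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later) and needs an elevated session; the browser path in the usage comment is a placeholder.

```powershell
# Added example (not from the thread): audit the Windows Firewall profile
# defaults and optionally make outbound block-by-default with explicit allows.
# Requires the NetSecurity module and an elevated PowerShell session.

function Get-OutboundFirewallState {
    # One row per profile (Domain, Private, Public): whether the firewall is on
    # and what happens to outbound traffic that matches no rule. On a stock
    # install DefaultOutboundAction is Allow, which is what the post calls "off".
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Set-OutboundDefaultBlock {
    param(
        [ValidateSet('Domain', 'Private', 'Public')]
        [string[]]$Profile = @('Private', 'Public')
    )
    # Switch the chosen profiles to block outbound by default. Windows does not
    # prompt for blocked outbound connections, so anything without an allow rule
    # simply fails; there is no "allow" button for the user to rage-click.
    Set-NetFirewallProfile -Profile $Profile -DefaultOutboundAction Block
}

function Add-OutboundAllowRule {
    param(
        [Parameter(Mandatory)] [string]$DisplayName,
        [Parameter(Mandatory)] [string]$ProgramPath
    )
    # Explicit per-program allow rule (e.g. the browser and the AV updater).
    # Keep rules program-specific; broad "any" rules are how a block-by-default
    # policy quietly erodes over time.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound `
        -Program $ProgramPath -Action Allow -Profile Private, Public
}

# Show the current state before changing anything.
Get-OutboundFirewallState | Format-Table -AutoSize

# To apply (elevated), uncomment; the program path below is a placeholder:
# Set-OutboundDefaultBlock
# Add-OutboundAllowRule -DisplayName 'Allow browser outbound' `
#     -ProgramPath 'C:\Path\To\browser.exe'
```

Run the audit first on a machine you are about to hand back; if `DefaultOutboundAction` reads `Allow` on every profile, the firewall is doing nothing about outbound traffic, which is the point the post makes. Block-by-default is only workable for a non-technical user if every program they legitimately need has its allow rule created up front, since there is no prompt to recover from a missing one.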
Oh, right, right. Sorry about that; it's been so long since the last time I looked at the firewall settings. I thought there was a switch to disable all outbound protection completely. Anyway, it'd be hard to recommend anything to allow-all mode users. Policy-restriction HIPS perhaps can substitute for Comodo's CHIPS. Might as well throw her into LUA. In>out protection is not relevant in this case, so outbound FWs and the like shouldn't be included in the consideration.
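An added example, not from any poster in this thread, for the "throw her into LUA" suggestion: check whether the everyday account is a local administrator and create a standard (non-admin) account for daily use, keeping the admin account for installs only. It uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), needs an elevated session, and the account name in the usage comment is a placeholder.

```powershell
# Added example (not from the thread): audit local admin membership and create
# a limited daily-use account. Requires Microsoft.PowerShell.LocalAccounts and
# an elevated session.

function Test-IsAdminSession {
    # True when the current process token holds the Administrators role, i.e.
    # the user is running day-to-day as an admin, which LUA is meant to end.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Everyone currently in the local Administrators group; the everyday
    # account should not appear here once the machine is set up.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}

function New-StandardDailyUser {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [securestring]$Password
    )
    # Create the account and make sure it is in 'Users' only. New local users
    # are normally added to 'Users' automatically, so only add if missing.
    New-LocalUser -Name $Name -Password $Password -FullName $Name `
        -Description 'Standard account for daily use' | Out-Null
    $inUsers = Get-LocalGroupMember -Group 'Users' |
        Where-Object { $_.Name -like "*\$Name" }
    if (-not $inUsers) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
    # Return the membership so the caller can confirm it is Users, not Administrators.
    Get-LocalGroupMember -Group 'Users' | Where-Object { $_.Name -like "*\$Name" }
}

"Running this session as admin: $(Test-IsAdminSession)"
Get-LocalAdminMembers | Format-Table -AutoSize

# To create the daily account (placeholder name; prompts for the password):
# New-StandardDailyUser -Name 'daily' -Password (Read-Host -AsSecureString 'Password')
```

The practical effect for the user in the opening post is that installers and "optimizer" bundles stop silently succeeding: anything that needs admin rights now triggers a UAC credential prompt for the separate admin account, and a user who does not know that password cannot just click through.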
I do a lot of home user support too. Currently what I'm recommending is a subscription to MBAM because it is one of the few that will block and alert on PUPs (it doesn't ask for user interaction). I show the user how to scan with it and how to "Quarantine Everything". That's about as much interaction as the average user can deal with - forget about expecting them to evaluate HIPS notifications. I have not found an AV that effectively either prevents or removes PUPs, so if cost is a concern I suggest they use a free AV and pay for MBAM instead. Note that Hitman Pro is also very good at removing PUPs.