Black Ice 3.6

How does this "host IDS come firewall" stack up with the current "cream of the crop" popular firewalls? Thanks.

 

I was curious about BlackIce also and installed it about a week ago for a quick look. It's interesting, but I didn't care much for it compared to others.

When you first install it, it takes a baseline of your system for about 5 minutes, scanning your HD for apps and files. Then once installed, it allows any app you already have installed to run without any questions or prompts, internet access included. So it's quiet, no prompts and so on, and it allows internet access to any program you already have installed. It does however, prompt you about any new app you install, and about any changed app. If you're looking for the typical ways to restrict internet access of apps to specific remote addresses or ports, then I didn't see that capability. You can create general firewall rules with ports and addresses, but no ability to specify an app. Unless I missed something, I don't think it has the usual abilities to control how your apps connect to the internet then.

I did the usual scans at Grc.Com and managed to get stealth on all ports with the TCP scan, however, Grc says I failed the test because my system responded to their pings with replies. So if you want full stealth with no replies, then there's no way to achieve that, at least that I could see.

Overall, it seems like a pretty good system to control whether apps run and so on, and also incoming intrusions are logged pretty well I guess, but it's firewall capabilities seem pretty weak.

Sorry I can't provide more details. I only played with it for a short time, but it's not one that I would choose to run here for a firewall. I'm glad I looked at it though, because I've always been curious and it's one that I hadn't ever tried yet.

Maybe someone with more BlackIce experience can give more insights..

 

K- I had the same impression from a quick lookover. It's kind of like running any non app aware software firewall with something like abtrusion detector. Kind of a shotgun approach as it assumes anything that is new is bad. If you change your system frequently it gets back to the same olt problem, it is up to the user to give the correct response to all warnings the aplication issues. Of course if the user can give the right response all the time he/she will not click on the box that says "do you trust xxx search bar from shady software company." Any of these solutions is worthless unless it can focus on only those things that are a likely indication of malware and that are also rarely used by legitimate programs.

 

With this in mind BI should only be installed on known clean systems.

Not sure how much more configuration they have added via the GUI in the latest versions, but certain configuration options are also available by modifying the firewall .ini file. Response to outside echo requests can probably be modified there.

Regards,

CrazyM

 

A fellow member at another site states:

I just want to study both sides of opinions/facts because I want the best for my machine. Are the stated facts also a feature of the more popular firewalls/combinations or are they lacking what is stated and how important are these features. This seems like a combination firewall/antispyware/virus app. Thanks for your input guys.

 

Sounds like BI is doing a lot more than I thought regarding network traffic. I don't know of any other product that scans packets for that kind of info or intrusions. Tiny has an IDS which is probably pretty good, but not the same as that. Nowadays AVs are also scanning network traffic for viruses and malware.

 

Just remembered another thing.. BI didn't uninstall cleanly either. Had to search for and delete some registry keys to get Win2k to quit trying to load the non-existent service after the uninstall. So beware...

 

Used BI 3.6coa for a while.

I believe it opens a port 113 as a listening 'post', though that is stealthed. Tried blocking the port under Advanced Firewall Rules. Surfing was still ok but a lot more sluggish.

I also could not install it on my AMD64 machine on a wireless network connection. It hangs the system right before it starts the baseline scanning. No problems with installing it on an Intel machine on a wired LAN.

I had to delete certain apps from the baseline. FYI, here is how to do it using a text file:

"To delete any or all of the applications from the baseline, right click on the BI icon,
1) Stop the BI Application Protection
2) Stop the BI Engine (this takes 2 attempts on my system)
3) Exit the BI program.
4) Open the checksum.txt file with notepad in the Blackice folder and delete any/all application references.
5) Save the checksum.txt file and restart BI."

Can't remember where I copied this from.

As what Kerodo says, it does leave bits and pieces of itself. Even though ISS has actually provided a utility to get rid of it, I still find rapapp service in my services.cfg.

I also do know that the guys at grc didn't take too kindly to BI. If you read some of their earlier articles, they were poking at BI's firewall for their lack of outbound application filtering (which has since been implemented) and leaving some ports open (though protected, not too sure whether this has been resolved but port 113 was open but stealthed). However, as of version cnz, BI was stealthing my machine, according to grc's test.

As for a comparison between different firewalls, for the price you are paying, I would go with Outpost. But that is just my opinion.

Note: I have only used Kerio 2.15, Tiny 6, Outpost, Sygate and BI. There may be better firewalls out there.

 

Does Black stop ALL attacks?

 

What is exactly happening? I would think if there is an attack it would be rejected by a firewall with good stateful packet inspection simply on the basis that it is not requested traffic. If I am wrong, someone who really knows please say something. So, what I think is happening, is BI is identifying the attack in its log by comparison with a signature, and not letting it in based on either the signature or SPI, but a firewall with good SPI, would just not let it in. Or is there something else going on here, with attacks that can fool SPI?

Is BI really better than CHX-1 or 8Signs, forgetting the changed application signature thing, which I view as a headache anyway.

 

Diver - I think what BI is doing here is scanning legitimate network traffic for threats also, which a "normal" firewall won't do. For example, it will scan your traffic to remote port 80 for threats and deny if it detects something bad. Since another firewall would allow this port 80 traffic for browsers, they wouldn't catch any problems. That's my take on it, unless someone knows otherwise and can correct me?

PS - From what I've seen from the docs, it looks like Tiny does a version of this also. The impression I get is it's like what Avast does, scanning web traffic for viruses to catch them early, only in this case, BI and Tiny are scanning for IDS threats and denying traffic if they find something bad.

 

The opinions of BI have varied quite a bit on the GRC site over the years.

Open but stealthed, or do you mean it would respond closed? A closed response used to be the norm with BI, but could be changed in the firewall.ini file.

So no response/stealth (including port 113) is now the default?

Regards,

CrazyM

 

www.iss.net click on knowledge base and for product search Black Ice Pc Protection all questions will be answered. I been using Black Ice for 5 years and all my ports are stealthed. Its intrusion detection opens your eyes to all port scan attacks and displays who and where the attacks are originating. As far as Protection its a real secure firewall. Alot of people Say bad things about black Ice but its a good firewall Imho..........

 

Intruder Detection

Firewalls are not designed to detect attacks. Instead, they are designed to be an "On" or "Off" switch based on IP addresses, protocols, or UDP or TCP ports. Take an example of port 80, used for standard web servers. Let's say a home user wants to set up his/her own personal web server. To allow others to connect to this web server, he/she turns "ON" port 80 via the personal firewall. Thus, all port 80 traffic is allowed to traverse the firewall. This includes potential hacking traffic such as a buffer overflow attack on port 80. The personal firewall detects that the packet is on port 80, and allows it through. It does not log this potentially damaging traffic.

Our product adds an intrusion detection component. If it is configured to allow traffic on port 80, it will still monitor the traffic for exploits against the web-server. If it detects hostile traffic, it will block access to port 80 by the hacker. Note that our product is the only personal firewall that monitors allowed traffic for hostile activity.



Some personal firewalls will say they detect hacking attempts, but in reality they are simply detecting attempts to connect to known hacking ports. As an example, the default BackOrifice port is UDP port 31337. Many firewalls will "detect" a BackOrifice attempt if any computer attempts to talk to UDP port 31337. But, it could be a totally innocent program that uses this port because it was dynamically assigned by the operating system. Also, BackOrifice runs on port 31337 by default, but it is easy for someone to make BackOrifice run on a different UDP port. These simple personal firewalls will not call it a Back Orifice attempt if it is on a different port. We use a much more sophisticated algorithm. We detect Back Orifice attempts, regardless of the port number. If someone sends a Back Orifice packet at port 2000, we will detect it and call it a Back Orifice attempt.



The vast majority of detection in the standard personal firewall comes from "log file analysis". The firewall creates a log file of all TCP and UDP connection activity. Later, a log file analysis program will analyze the log file and notice hacking attempts. In our opinion, this is a little late. Our product is the first truly real-time intrusion detection for the consumer market. Because we are instantly analyzing the frames, we stop the hacker before he can do any damage.

 

CrazyM,

Yes, it probably would respond to pings as "Closed". Didn't know how to phrase it since it was "Open" in the advanced firewall rules but "Closed" when I run the grc scans ...

Beefcarver,

Yes, I would agree with you that BI is a good firewall. Surfing was smooth. Its something like 8signs with app control.

 

What I got here was stealth on all ports with the TCP scan, but my system responded to pings apparently (this from grc.com). However, I was using a slightly older copy of BI, 3.6cnq I believe, so perhaps that's changed...

 

Jay Tee, why do you keep saying it has app control. All it does is warn when there is a new or changed application. Sounds like abtrusion protector to me. Unless I am misunderstanding something, it is app control of a sort, but it does not tie any application to a group of firewall rules. Possibly a non application aware firewall with a nearly separate application control utility in the same box.

 

Diver - you're right. It doesn't have app control in the way we think of it. Once it does it's baseline scan, it allows ALL your existing apps full internet access without even asking you.

 

I decided to give this one another try tonight. I got to thinking, just what am I trying to protect myself against with my firewalls and av? Viruses I guess. And with the firewall, mostly incoming threats, whatever they may be. I'm not so concerned about rogue programs calling out. And perhaps I have a little concern about using IE sometimes.

So I thought, perhaps BlackIce IS a good solution. It takes a snapshot of everything on my system when it installs. It doesn't bother me with a lot of prompts about internet or network access, just when something new occurs. It checks out the data that's coming in and going out via the internet and takes appropriate action.

So I'm going to use Avast 4.6 and BlackIce for a while and see how it goes. Avast will use it's web scanner and watch for viruses, and BI will scan for other nasty threats. Maybe that's all I need... It probably won't let me restrict programs to specific ports or addresses, but do I really need that anyway?

 

K-

If you have a new or changed app, that is one what was not in the baseline scan, does Black Ice warn only when internet access is required, or when any new or changed program is run without regard to net access. The former is good, from my point of view, the later probably involves too much user intervention for someone that changes their system a lot.

 

Diver,

Opps. You got me there. Now I understand what app control is.

Cheers

 

Diver - You can have BlackIce warn you when an app changes and you can have it either terminate it automatically, or ask you if you want to terminate it or let it run. Also, you can do the same for an app that attempts internet access...i.e. you can have it terminate the app automatically without prompts, or you can have it ask you if it's ok to allow internet access. And I should also mention that you can turn either feature off completely too, if you like (app control or communication control or both, on or off). Very configurable..

I kinda like the way it works. Takes a baseline at install. I have a clean system freshly formatted, so all is well. Then, it doesn't bother me at all with prompts until there's a new program. If you do install a new program, it will prompt you at execution of the install program, and then you can also hit a button for Install Mode, where it won't prompt anymore and it adds that program to the baseline database.

I think it's a pretty cool approach actually.

I also like the fact that I don't have to look at every single ping and upd packet in the event viewer. It only logs events that might be interpreted as an attack or something fishy or unusual. When I think about it, who cares about seeing every little packet that comes in? I like the fact that BI just looks for harmful things, which is, after all, what I'm wanting to protect myself from in the first place.

I think they just might have the right idea here...

 

well I gave up on the baseline thing all together. I just set it and let it do its protecting. For Protection you cant beat it. and yes it works great with avast.
BI is really a Intrusion detecting Firewall thats where it differs from other firewalls. Plus it makes your Ports stealth isnt that what everybody wants to be stealth from the buggers

 

Can I partially allow apps as Outpost does? Can I pick and choose which apps are to be blocked permanently and which I want some access?
Can we disable the firewall and just use the intrusion module? Is there an intrusion app out there that is (very) similar without a firewall so that we can use it with our firewall of choice?

I wonder when/if this has been patched yet ~ http://secunia.com/product/1702/

 

I'm running ZoneAlarm now, would BI be worth a try or is ZA much better ?