A CIPS like "community" firewall?

Sorry im making a new thread again. I tried to add the question in my other thread but it just got to long. So just here the question:

I need for a "noob" user a system setup. Typical casual pc user. Kinda knows his way around the PC but thats about it. So I installed a security suite on the PC. First reaction after the Firewall promted for programs that they want to connect to the Internet was: "Nah this firewall thing is nothing for me. I don't wanna learn computer. I just want to use it". Tried with explainin that processes should be googled to see if they are safe or not. So now im reconsidering. I thougth about giving the person a combination a install and forget programs. My guess was an AV (again KAV or Antivir), Prevx1 (as its does most of the job by itself) and a Firewall. Now my question was is there a firewall that also has the concept of Prevx but not for IPS but for the actuall firewall service. So instead that the user gets prompted often the program just looks it up if its allowed to connect or not.

 

Never heard of a firewall that does similar to Prevx. My suggestion is to set up the user to run the windows firewall for inbound and Prevx can take care of outbound connection's. You can set Prevx up so that it will deny anything that is not known to it. No prompts. I've never used the windows firewall but i've heard it's very quiet. You'd need confirmation on this though.

muf

 

perhaps the new Outpost v4. u can have it automatically apply rules for known programs.

 

You may want to PM Mike Nash about the development of Online Armor's firewall.

 

The problem is not really the to known programs. Like if firefox.exe tries to connect even that user knows its ok. But if some more system program tries to connect the problems start. Like even things like real update manager or adobe update. Something that had a big list of knows even more obscure programs would be what im looking for.

/edit:
vikorr you posted just when i was typing this post. Thanks for the tip. Ill contact him

 

Well Prevx I suspect has the biggest whitelist. I'm always 'playing' with new software and most of time Prevx doesn't toot. There have been a few occasion's it has and in those instances it was because it was a very new version of something I use. For example Ad Muncher brought out a new version a couple of days ago and Prevx queried it. Give it a few days and that version will be updated into Prevx's whitelist. So future users of Prevx won't get prompted when they install Ad Muncher. I don't think there's anything out there with a whitelist as large as Prevx's. Ive run some very obscure software and Prevx 99% of the time had it in it's database.

muf

 

But prevx is not really a firewall. Its a HIPS.

 

Ok, if you are looking for a firewall that has a massive(Prevx size) whitelist/blacklist then you are out of luck. There isn't one. Firewalls like Outpost and Zonealarm have a whitelist of common files. Things like Internet Explorer, svchost, alg etc which they have default rules for. But it's not a very extensive list and using these firewalls will result in prompts whenever you install an application that uses outbound connection. I mentioned using the windows firewall in conjunction with Prevx because the windows firewall doesn't filter outgoing connection's. Prevx does. But because of Prevx's extensive whitlelist/blacklist and the option to have Prevx 'deny' anything not known to it, I thought this combination would be the quietest for your novice friend.

wir.sing,
I know you don't like the idea of CIPS but please note that you are asking for a setup for a(in your words) 'noob'. Prevx in ABC mode is perfect for 'noobs'.

muf

 

Yea not the bigged fan of the CIPS concept, but as I said in the first post (or maybe I forgot to) for this person it would be ideal. So yea I wanted to get the following setup for him: KAV + PrevX + "a community firewall".

But as far as I understand until know PrevX hasn't all the capabilities a Firewall has? Or am I wrong there? And I don't think its sufficant to just put on an Antivirus + PrevX. Or do you think differently?

And as far as the windows firewall is concerned, I don't feel secure with a product of which the vendor puts only a code sample to disable it: http://windowssdk.msdn.microsoft.com/en-us/library/ms688774(VS.80).aspx

 

Many here have stated Prevx will do the job as far as outbound protection. While I do not use it for that reason it is nice to know I have a secondary line of defense along with my software firewall. However, my first line of defense for in coming protection is a router between the DSL modem and multi-port switch. It was pretty much plug & play and every port scan I have done comes back as the equivalent of stealth.

 

Prevx1 was actually made specifically to move away from being a HIPS. It's an all-in-one anti-malware that uses the behavior blocking technology for purposes of automated malware analysis.. the idea is that if malware has already infected someone's machine, it's better to see what it already did than to hunt down the file and try to reproduce the scenario- which also carries other advantages with it. Prevx1 does offer some behavior blocking as well, made much easier with the community database, but that is not the focus of the software.

As far as the firewall goes, Prevx1 is made to work with the Windows Firewall to give you full featured protection, but without prompting you on known good or bad files. Basically just what you're asking about. I can understand if you want something else, but this is something to consider as this is the intended function. If you would rather have a real packet filter instead of the Windows Firewall, you can always use something like GhostWall, Look'n'Stop (the application filtering disables after the trial ends and leaves you with the packet filtering for free), or CHX-I.

 

Ah actually its good that someone took up the case of actually explaining a bit more indepth what excatly Prevx does. But im not completly happy yet. So what your saying is that Prevx has a huge database for the HIPS like program part of it, but its not actually a HIPS. So what is it then exactly? Or what does it excatly do? Its nots really a firewall not is it able to replace an Antivirus scanner. Or is it? Because as far as I understand until its main goal and purpose is preventing malware from installing/initializin. This is also what the picture on the Homepage suggests (http://info.prevx.com/onetutorial.asp?st=2). But this doesn cover the capabilities of an AV Scanner or a Firewall? wouldn't mind a clarification here.

 

Prevx1 is made to prevent malware from installing (on execution). It is possible to replace your malware scanners with Prevx1 but thats up to you. and keep in mind that unlike an antivirus, it doesnt scan files on access or on modify. prevx1 does have a file scanner though.

Also it does not block inbound attacks, so you will still need a firewall (either hardware or software). and btw, a firewall isnt meant to stop malware, just hackers.

 

Ah thanks for the clarification. Thats what I thougth, though Notoks post confused me a bit. And yes of course a Firewall isn't meant to stop malware, although Outpost has an Spyware Scanner integrated.

Just did some more searching and found that Online Armor offers a version with an integrated AV based on the Kaspersky engine. Its not the "full/standart" AV setup, as it only scans unknown programs on execution but it still uses the Kaspersky engine and its signatures. Besides that it offeres full OnDemand capabilities. I tried looking but I didn't find any reports if this setting in practice was enough or if still a seperate AV Scanner was needed. Anyone running only OnlineArmor AV+? Or would you say you should add another Scanner.

As Vikorr mentioned in one of the posts here there is development on a version of OnlineArmor with an integrated Firewall. So thinking about if the whole combination of "Online Armor Av+ Firewall" (what a product name ) would be sufficient.

 

Prevx1 is a general anti-malware, it's just different at it's core than other anti-malware software (but then, aren't they all?). Using it is similar to using Ewido or SpySweeper, but it doesn't focus on any particular group of malware (it detects all kinds), and it offers a completely different set of tools from any other anti-malware, including some behavior blocking. The community database with the live lookups and reporting are designed to close the zero-day gap, rather than just making behavior blocking easy to use.. since it reports the behaviors it sees in realtime, and Prevx1 looks up the determination for a file before allowing it to run, the community database can provide detection of a new piece of malware very shortly after it hits the very first desktop running Prevx1. It does have real memory scanning (more like BOClean than Ewido or others), but the file scanner is understated because it will automatically check for updates for anything that's unknown until it's determined either good or bad (so scanning is not really necessary). Now since it does have the technical aspects of a behavior blocker, some behavior blocking is offered to allow you the opportunity to stop or contain an infection if you choose to (ie, you use Pro mode), as well as flat out stop some behaviors that malware uses to infect. Some antivirus programs do this kind of thing as well, they just don't tell you. Unlike a behavior blocker, Prevx1 has more sophisticated detection routines that can detect things like polymorphic malware and can tell the difference between a legitimate process and a legitimate process that has had a malware DLL injected into it, and also has extensive heuristics (the overwhelming majority of the malware that Prevx1 detects is done so by the heuristics).

For a more detailed explanation of how Prevx1 works, you can read this thread from our forum.

Edit: A more technical official explanation of the product is also available on the corporate website: http://corporate.prevx.com/

It's true, however, that it doesn't do things like scan your email, so you can use it alongside an antivirus or other anti-malware if you wish, but that's not absolutely necessary to keep your system from being infected. Some use a free on-demand scanner like ClamWin, BitDefender Free, etc., to scan email and other files as they are downloaded. Another option to consider is to use generic content filters to neutralize any threats (Firetrust Benign or an email client like PocoMail for email, spam filter like MailWasher that exposes malware and scams and lets you delete it on the server, Proxo with Kye-U's filter, SocketShield, other kinds of ad and script blocking for web, other kinds of Firefox extensions like the Dr.Web Antivirus Link Scanner, etc.), tighten up your firewall rules and/or use a firewall with [network] intrusion prevention (which generally filter exploits and detects malware by the kind of network traffic being used), using more secure software, intelligence tools like SiteAdvisor, OpenDNS, and so on. This is my personal choice as it keeps malware off your system to begin with. There's any number of different kinds of tools in this vein that don't require updates to keep you secure, don't get bypassed because they control it before it has the opportunity to do anything, and offers control without requiring constant interaction and specialized knowledge. (I know that's a lot, but I'm rattling off different options, not suggesting that you use all of them.)

 

If I remember correctly, coreforce actually has community based profiles for certain applications. Coreforce is a firewall based on openbsd's pf, and also has an extensive sandboxing, file control, registry control, HIPS functions so it may be pretty hard to get up and running, but its control is extremely granular.

Alphalutra1