Black Ice 3.6

Discussion in 'other firewalls' started by lynchknot, Mar 17, 2005.

Thread Status:
Not open for further replies.
  1. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    FastGame:
    I would stay with ZA for now. I have tried BlackICe out and I just can't feel comforable with it. For instance by default ICMP is not stealth they tell you this right up front, however they give you the workround to make it stealth, tried 4 times by the book did'nt work. Now when you firest install BI it will run a baseline on all applications on your puter. Great....but you have no control on what make leak out!!!! BI is what is states a "Intrustion Detection Software"...... Again only from my standpoint I am not comfortable with it.
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    BI should always be installed on a clean system. During install, it scans for all your existing apps, so if you already have some malware on your system then BI will allow it out. It's best used on a freshly formatted or known clean system.

    I believe you can change the response to incoming pings via one of the config or ini files, but it has to be done properly or the changes won't take effect..
     
  3. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    In case you missed it musicman, I'm using BI (application protection disabled) as an IDS in conjunction with Outpost Pro - and they seem to work very well together.
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Here's a link to my post on changing ICMP for BID 2.9, which will (likely) work
    on 3.6. It stealths ICMP on my system.

    https://www.wilderssecurity.com/showthread.php?t=82774
     
  5. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
  6. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Here's how I usually handle ICMP with firewalls on a standalone PC (I need the first 2 rules so I can ping and traceroute)...

    Permit outbound icmp type 8 (echo request)
    Permit inbound icmp type 0 (echo reply) type 11 (time exceeded)
    Permit outbound ICMP type 3 (destination unreachable) to your DNS servers only
    Permit inbound ICMP type 3 (destination unreachable)
    Block all other ICMP
     
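    The rule list above, written out as a small first-match ICMP policy so the decisions can be checked against sample traffic. This is an added example, not BlackICE's rule engine or code from anyone in the thread; the resolver addresses (TEST-NET ranges) and the "direction type remote-ip" event format are assumptions made for the demonstration.

```python
"""First-match ICMP policy built from the five rules in the post (illustrative only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# ICMP type numbers referenced by the rules
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Hypothetical resolver addresses (TEST-NET); substitute the DNS servers you actually use.
DNS_SERVERS = ("192.0.2.53", "198.51.100.53")


@dataclass(frozen=True)
class IcmpRule:
    direction: str                           # "in" (remote = source) or "out" (remote = destination)
    types: frozenset                         # ICMP types this rule covers
    action: str                              # "permit" or "block"
    peers: Optional[Tuple[str, ...]] = None  # restrict the remote side to these hosts/nets; None = any


# The rules from the post, in order; anything unmatched falls through to DEFAULT_ACTION.
RULES = (
    IcmpRule("out", frozenset({ECHO_REQUEST}), "permit"),                    # ping/traceroute can go out
    IcmpRule("in",  frozenset({ECHO_REPLY, TIME_EXCEEDED}), "permit"),       # their answers can come back
    IcmpRule("out", frozenset({DEST_UNREACH}), "permit", peers=DNS_SERVERS), # unreachables only to resolvers
    IcmpRule("in",  frozenset({DEST_UNREACH}), "permit"),                    # inbound unreachables allowed
)
DEFAULT_ACTION = "block"  # "Block all other ICMP"


def evaluate(direction: str, icmp_type: int, remote_ip: str, rules=RULES) -> str:
    """Return 'permit' or 'block' for one ICMP packet using first-match semantics."""
    addr = ip_address(remote_ip)
    for rule in rules:
        if rule.direction != direction or icmp_type not in rule.types:
            continue
        if rule.peers is not None and not any(addr in ip_network(p) for p in rule.peers):
            continue
        return rule.action
    return DEFAULT_ACTION


# Constructed events for the demo, one per line: "<direction> <icmp type> <remote ip>".
SAMPLE_EVENTS = """\
in 8 203.0.113.7
out 8 203.0.113.7
in 0 203.0.113.7
in 11 203.0.113.1
out 3 192.0.2.53
out 3 203.0.113.9
in 3 203.0.113.9
in 13 203.0.113.7
"""


def apply_policy(events: str, rules=RULES):
    """Parse the event lines and return [(direction, type, remote, decision), ...]."""
    results = []
    for line in events.splitlines():
        if not line.strip():
            continue
        direction, icmp_type, remote = line.split()
        decision = evaluate(direction, int(icmp_type), remote, rules)
        results.append((direction, int(icmp_type), remote, decision))
    return results


def is_stealth_to_ping(rules=RULES) -> bool:
    """True when an inbound echo request is dropped, i.e. the host never answers a ping."""
    return evaluate("in", ECHO_REQUEST, "203.0.113.7", rules) == "block"


if __name__ == "__main__":
    for direction, icmp_type, remote, decision in apply_policy(SAMPLE_EVENTS):
        print(f"{direction:>3} type {icmp_type:>2} {remote:<15} -> {decision}")
    print("stealth to inbound ping:", is_stealth_to_ping())
```

    Run it and the inbound echo request (type 8) is the only ping-related packet that is dropped, which is what makes the host "stealth" to ping while your own outbound pings and traceroutes still get their replies; an outbound destination-unreachable to anything other than a listed resolver falls through to the block rule. If you do not ping or traceroute yourself, the first two rules can be left out, as the next reply notes.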
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If you do not use ping or traceroute and everything works as expected it should be fine.

    Regards,

    CrazyM
     
  8. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    BlackIce is a cool application, but I could never get it to work with another firewall. It always disables itself.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
  10. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I'm wondering what these scans are about - destination port is "0"

    http://img112.echo.cx/img112/1052/bi7cm.png
    One is from Korea and the other Poland

     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Lynchknot - Couldn't you leave BI's app protection enabled for extra protection beyond what Outpost offers?
     
  12. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I don't think it would give any extra protection as it doesn't function like an antivirus app. (picking up slack or detection functions from other applications or lack of definitions) Either the app changes or it doesn't. I think only one would be sufficient. I guess i'll try it anyway out of curiosity
     
  13. blinky

    blinky Registered Member

    Joined:
    Jun 11, 2005
    Posts:
    6
    Ebuyer (UK) are selling BlackIce 3.5 for £15. Is it worth purchasing?

    I am currently running ZoneAlarm Pro (although I am tempted to change to something else), BOClean, NOD32 and a Netgear 834G router (with SPI detection).

    I also have a TDS3 licence but I went off it after having some problems updating.....
     
  14. aer0x

    aer0x Guest

    latest update 3.6.com

    IssueID  SecChkID  ProductCheckName                    Event Type                   Risk Level
    -------  --------  ----------------------------------  ---------------------------  ----------
    2113212  19320     BrightStor_Discovery_Overflow       Unauthorized Access Attempt  High
    2113209  20042     HTTP_Lotus_Domino_Date_Overflow     Unauthorized Access Attempt  High
    2116021  20185     SIP_Version_Not2                    Suspicious Activity          Low
    2110095  20305     Email_Executable_Content            Suspicious Activity          Medium
    2113207  20617     XML_IE_InfoBar_Bypass               Unauthorized Access Attempt  High
    2113208  21194     XML_RPC_PHP_CmdExec                 Unauthorized Access Attempt  High
    2118040  21195     HTTP_Smuggling_Apache_Chunked       Unauthorized Access Attempt  High
    2106197  21346     Zlib_Inflate_Table_BO               Unauthorized Access Attempt  High
    2121027  21407     RDP_Login_Read_Overflow             Denial of Service            Low
    2118042  21416     FTP_Reatle_Backdoor                 Unauthorized Access Attempt  High
    2119015  21534     SIP_Long_Method_Name                Protocol Signature           Low
    2119016  21545     SIP_Unknown_Method_Name             Protocol Signature           Low
    3118013  21573     Scada_DNP_BroadcastRequest          Denial of Service            Medium
    3118010  21574     Scada_DNP_ColdRestart               Denial of Service            Low
    3118009  21575     Scada_DNP_DisableUnsolResponses     Denial of Service            Low
    3118012  21577     Scada_DNP_StopApplication           Denial of Service            Low
    3118011  21578     Scada_DNP_WarmRestart               Denial of Service            Low
    2103036  21593     IOS_Shell_Enable                    Unauthorized Access Attempt  High
    2119020  21604     MSRPC_Spoolss_Overflow              Unauthorized Access Attempt  High
    2113211  21656     BrightStor_BackupAgent_Overflow     Unauthorized Access Attempt  High
    2106198  21701     Image_JPEG_IE_Size_Overflow         Unauthorized Access Attempt  High
    2106199  21701     Image_JPEG_IE_Component_Overflow    Unauthorized Access Attempt  High


    2. Security Content Updates in 3.6.com
    ---------------------------------------------------------------
    - A false positive in HTTP_Proxy_Cache_Poisoning was removed.
    - A false positive in HTTP_PHP_Addslashes_ViewFiles was removed.
    - An ESF rule issue was removed wherein a non sequitur event with no adapterID present caused a rule to falsely match.
    - More detection logic for mime type 'application/x-zip-compressed' was added.
    - An issue wherein adapter ID and VLAN information was missing for certain events has been removed.
    - Added new channel names to IRC_Generic_Trojan (for the Mytob worm).
    - Signal handling processing performance enhancements were added.
    - Added new spyware detection logic to Suspicious_ActiveX_Installer.
    - Added detection of new phone home methods to Spyware_PH_HotBar.
    - Added response-side reporting to HTTP_Unknown_Protocol.
    - A loop error in conjunction with the user-defined event DNS_Query and the G2K was removed.
    - An issue wherein IP addresses of some HTTP signatures were reported as 0.0.0.0 has been removed.
    - CLSIDs were added to HTML_IE_ActiveX_Loader_Heap_Corruption.
    - A false negative in SQL_SSRP_Slammer_Worm was removed.



    3. Event Blocking Notes
    ---------------------------------------------------------------
    3.1 Blocking was added for the following events:

    SecChkID ProductCheckName
    ------------------------------
    21604 MSRPC_Spoolss_Overflow
    21593 IOS_Shell_Enable


    3.2 Blocking was removed for the following events:

    SecChkID ProductCheckName
    -------------------------------



    4. Other updates
    ---------------------------------------------------------------
    - Statistic reports were added for SIP and H.323 protocols.
    - Exclusion logic was added to the HTML parser to make it reject non-HTML traffic.
     
  15. masqueofhastur

    masqueofhastur Registered Member

    Joined:
    Nov 19, 2005
    Posts:
    109
    I'm not sure I understand the packet filtering part of Black Ice completely, I'm looking at SoftPerfect personal firewall and it indicates packet filtering, so I'm wondering if SP offers the same features of BI or what the differences are.
     
  16. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic