I need your opinion!

Discussion in 'other firewalls' started by Green Dragon, Feb 18, 2005.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    For an old slow machine the built in Windows XP firewall is very low on memory usage. It will keep worms and various other bad stuff out, but has no outbound application control.

    Outbound application control is a nice thing to have, but not critical. It only comes into play if your AV has missed something, and you have to have been not paying attention and installed the bad program as well. It is an extra line of defense, but it is the last line of defense and not the first one.

    A good free firewall with application control and low resource usage is Kerio 2.15. I have tried Outpost on a slower machine around here and the result was a drastic performance hit.

    As for an AV, F-Prot uses the least memory of any and has good detection rates. It runs well on old slow boxes around here.

    As soon as you have application control the next thing you hear is that you will need some kind of process control or sandbox to prevent rare forms of malware from outsmarting the outbound application control of the firewall. Using these levels of control requires a lot of extra user intervention, as many things that are legitimate have characteristics that set off process controls. It is likely that a non-technical user will mistakenly allow malware to operate when faced with the barrage of pop-up warnings given by some of these products, some of which are built into firewalls. Furthermore, malware that requires these techniques to stop and that is also not detected by AVs is extremely rare.

    This is problematic, as the best of these firewall and process regulating products would be unmanageable in a production environment. That is why corporate networks find other ways to lock down their workstations and rely on firewalls without application control, let alone process control.

    For this level of protection with low memory usage try the free Jetico personal firewall. I am using it right now.
     
    Last edited: Feb 26, 2005
  2. Arup

    Arup Guest

    Would just like to add here that the most comprehensive AV out there today is Avast. It has modules for web scanning, email scanning, P2P, a unique network scanner module, an IM module as well as a resident module. It also features a very powerful boot time scanning to weed out infected system files. It is quite low on resources, consuming 15.5mb with all modules enabled. For those using IE, I would advise the paid pro version as that features a script blocker as well, but the basic free version in itself is truly competent. The best part is that updates are automatic and incremental, and therefore for those poor souls, which includes myself on measly dial up, it is heaven sent.
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Avast is very nice, and I used it for a long time, until just recently when some of their newer versions began generating errors in my Event Viewer logs. That's when I parted company with Avast. It seemed to me that they were perhaps getting a little TOO complicated and comprehensive...
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Bs259,

    That question would be best posted in the anti-virus forum (in fact doing a search there first should turn up endless threads covering the pros and cons of every single av scanner), rather than taking this thread off-topic.

    Diver,

    Application filtering does have the advantage of "100% detection", picking up any new program requesting access. While it is a last line of defence, it is well worth having since an attacker can easily modify an existing trojan to evade detection by AV/AT scanners. The likelihood of this happening will of course depend on a user's "safe hexing" skills - but even mainstream download sites can harbour trojans nowadays.

    As for process protection, Process Guard and System Safety Monitor require very little adjustment once set up (and PG's setup is pretty simple, involving one or two reboots). Outpost's Component Control feature is another matter though... ;)

    Your recommendation of Jetico does seem somewhat ironic though, since this offers both application filtering and a level of process control! This does make it rather more complex to use, so perhaps not the best choice for someone new to firewalls?
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K,

    My recommendation of Jetico was conditional. If it is ironic, the irony is only minimal compared to some larger issues that are on topic here.

    Your paragraph on application filtering is on target. There is a balance between security and convenience. At one end of the spectrum is running Windows under a limited account and adding kiosk browsing utilities like Deep Freeze. While I have not used Process Guard or SSM, my impression from reading numerous posts is that they require a lot of user input to set up and are not easily configured for a roll out into a work environment. Personally, I consider SSM a non-starter because it is a time limited beta.

    I suppose that I can put anything on my PC at home and contend with it as it is mostly a "recreational" machine. However, it is the machines where actual work is done where protection is most needed, and where required user intervention is most undesirable unless there is an actual infection. To the average user a firewall or process control application's request for action is as bad as an AV false alarm. One should never minimize this factor even though many of the tech savvy have a way of taking for granted their skills.

    Many AVs and most non-application control firewalls have reached the state where no user intervention is required, or when it is required it is for a real incident. Until there is some real improvement in the intelligence of application control, process control and sandboxing, these items will not be used in a work environment and especially in a setting where there are a large number of machines. Running under a limited account will remain the method of choice, even though it is a pain in the neck for a home user who is always fooling around with his or her machine, and not as effective or easy as running under a limited account on a Linux box as opposed to root.
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    While I would agree with every other point you made in your reply, I would respectfully differ with this one, since an AV false alarm suggests a program is harmful when it is not, while firewall prompts offer no opinion about the legitimacy of the software involved.

    Such prompts do require some user knowledge (at the very least, they need to know what software they have installed!) and may well be considered a problem on corporate networks - but this is a very different situation from a home user who is "master of their domain" and very likely the only person qualified to decide what software they have running.
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K-

    Your point is well taken, I should have said "nearly as bad". My reasoning is that either is an interruption requiring some form of user intervention. Believe it or not, a lot of users have no idea of what is running on their machine, especially when kids or teenagers use the machine. At one relative's home they had 55 processes running on a one month old Dell with a 2.4 gig P4/hyperthreading. The machine was so fast that all the spyware and crud barely slowed it down. First thing the teenage kids did was install Kazaa, Grokster et al. Fortunately, they had a NAT to share their cable modem connection, which is loads better than nothing.

    OTOH, I have scored a few free old computers that would no longer run due to all the crapware on them. Again, most of it was user installed. Just read the posts that repairmen write. Most folks are totally clueless. The guys like you who actually know something, and can spread this knowledge to the folks at my tier, are rare, and the ones who want to understand this stuff are almost as rare.

    Perhaps I am "off", but I think some closing of the gap between the practices of the corporate user and the home user would be a good thing. Meanwhile, MS has created a huge market for security software, and now seeks to cash in on that as well with its recent, and not so recent, acquisitions of AV and AT companies. Next thing you know they will buy a firewall vendor.
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Whichever way we look at it, awareness is the first step in security. However teenagers may be more savvy to the pitfalls so can be a useful ally - especially given the number of free security programs out there they can play with. ;)

    Corporate users have one big advantage - a dedicated IT department which benefits from a locked-down configuration. Home users would find many of the techniques used impractical.

    MS should be made to fix the source of the problems rather than trying to benefit from the symptoms, I'd agree. On the other hand, a decent firewall (with comprehensive help) could do a lot to reduce the number of spam zombies out there...
     
  9. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,316
    Location:
    Earth
    I just use AVG free, had good detection rate...never let me down..and firewall I use the SP2 one..I seem stealthed when I do a check so seems secure enough for me..only one I can't stealth is UDP. Check here..

    http://www.pcflank.com/scanner1s.htm
     
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K - A dedicated IT department... around here I am it. It is a nice deal for my significant other. Some teenagers are savvy, but most of the ones I know can't wait to put "free" stuff bundled with spyware on their boxes. I guess we must know different people. It makes the world go round.

    The worst thing is that today the procedures that worked two years ago are not enough. There is a mad scramble going on to deal with it. Once the hackers found out there was money to be made, it all exploded.

    Not many would have thought we needed stuff like Process Guard two years ago, but today this "last line of defense" is a hot topic, like it or not. I am seriously considering heavy alternatives like running in a restricted mode instead of admin. The problem is balancing the actual probability of an infection against the effort needed to keep it out.

    It is not just the availability of an IT staff that keeps corporate networks going. It is the policy that installing any unauthorized software is grounds for dismissal. Plus at work there is not much time to fool around and all of the testing and decision making has been done for you. It was not that long ago that corporate workstations did not have AV software on them. Scans were done from network servers. Life is change, how it differs from the rocks (Jefferson Airplane).

    Keep us supplied with networking knowledge so we can help ourselves and others. Mix in a bit of wisdom about the human condition. We don't own this place, it is just leased until the next generation comes along.
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    WinXP SP2's firewall is OK at blocking incoming attacks, but of little use in stopping malware on your system from sending data back (see SP2's firewall is not good enough). I would also suggest looking at leaktest performance since this shows how easily malware can bypass firewalls. AVG can't be relied on to detect all kinds of malware, so getting a better firewall (there are several free ones around) is a security upgrade well worth considering.

    Fortunately (?) the vast majority of malware exploits Internet Explorer/ActiveX, so a simple switch of browser can avoid most of the problems. I doubt that things will be as simple 2 years from now though...

    I find it surprising (and rather depressing) how many people do use the Admin user for normal use, but this is pretty well covered elsewhere. However a fast, low-resource anti-trojan like BOClean may be worth checking out if you feel your existing AV scanner may not cover all the bases.
     
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K- IE is definitely a major culprit, but I have seen so many machines messed up with user installed bundled spyware that it makes me sick (or laugh, depending on my mood).

    How many millions of Kazaa downloads were there?

    We definitely see the human factor differently.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Kazaa has ruined many machines I think..

    I had been using IE here for a few months recently and was surprised when my AV suddenly popped up and reported a virus in a file in my IE cache. I was just jumping around various sites while searching in Google. So it appears that IE downloads stuff, even EXEs, to its cache, even when you're just looking at a page and not downloading anything. I now use K-Meleon and Firefox mostly because of this, although I wouldn't be surprised if Firefox also prefetched stuff to the cache to speed things up. It amazes me the things that go on out there designed to harm users..
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Teenagers (OK not just teens) + music + videos + P2P = :rolleyes:

    The last computer I looked at for a friend was a brand new laptop purchased for their daughter and university that was not working properly as the big day drew near. On examining it I determined it was infected the same day Kazaa was installed.

    Regards,

    CrazyM
     