Hi all. I've been playing with some backdoors, spyware and trojans that are encrypted by packers and undetected by most antiviruses. With all the firewall leaktesting, would you consider the firewall as the last line of defense? Or maybe HIPS with a firewall background like DSA would be last in line, because some malware piggybacks on trusted applications to find its way to the internet. Of all the products discussed in these forums, which one(s) would you consider the last line of defense? For me, it would be a good HIPS.
No, excluding a router, a firewall is a first line of defense. Then come HIPSs and virtualization software. An AV is maybe not even needed, but it is the last "line" of defense along with resident antispyware programs, which I don't run.
If the malware is already on the computer, then software firewalls would be the last line of defense. And btw, I would consider HIPS as one of the first lines of defense, not the last.
Hi SourMilk. Firewalls are irrelevant for that kind of threat. A firewall is a packet filter. From the internal point of view, an HIPS is the first line; from an external point of view, the firewall (and/or the router) is the first one... No discussion about that.

I agree with you about the importance of an HIPS to deal with the malware you're talking about. A protection layer behind the firewall is a must. I'm presently using the free version of System Safety Monitor. The module for registry protection is not bad... By default the main registry keys are protected against modification, and it's possible to add some other keys. Maybe a good starting point here is to take the startup keys found by Sysinternals Autoruns and add these keys to the registry module of SSM... Some other rules may be added in the programs, library and driver modules to increase the protection against some malware using the same procedure as the one used by the various firewall leak tests.

Here are the links for the software and sites I'm talking about:
SSM: http://www.syssafety.com/
Autoruns: http://www.microsoft.com/technet/sysinternals/Security/Autoruns.mspx
Firewall Leak Tests: http://www.firewallleaktester.com/
A traditional firewall can be described in this way, but most Windows personal firewalls go far beyond simple packet filtering and provide a good degree of process monitoring also. As such, a firewall that provides good leaktest performance should have a good chance of catching malware trying to send data out, making it a last line of defence. Currently this does apply with most firewalls; however, an increasing number are adding "HIPS-like" features (Self Defence, etc.), so in the near future it is likely that these areas will be combined into hybrid "Security Suites" (there are a couple available now).

While the full version of SSM provides such protection, the free one does not: it only polls keys, and if one changes it will try to change it back. This means that sophisticated malware can just keep redoing the change in order to "bypass" SSM, though it should be very obvious from the repeated alerts what is happening (Ghost Security's RegTest simulates this). Aside from that though, SSM can be an excellent security tool for those prepared to take the time to learn how it (and their system) functions.
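The poll-and-revert behaviour described in the reply above, modelled as an added Python example (not SSM's code and not from this thread); the in-memory dictionary standing in for the Run key, the entry name and the values are all constructed, and the monitor's only advantage over a blind revert is that it counts repeat changes per key so the "keep redoing it" pattern becomes visible:

```python
"""Model of a registry-polling protector: it can only revert after the fact."""
from collections import Counter

# Constructed baseline: the autorun entries the user asked the monitor to protect.
# Assumption: a plain dict stands in for the Run key; no Windows API is called.
PROTECTED_BASELINE = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleEntry":
        r"C:\Program Files\Example\example.exe",
}


class PollingRegistryMonitor:
    """Polls protected keys, restores drift, and counts repeat changes per key."""

    def __init__(self, registry, baseline, escalate_after=3):
        self.registry = registry              # constructed in-memory registry
        self.baseline = dict(baseline)
        self.escalate_after = escalate_after  # repeats before we call it persistent
        self.alerts = []                      # (key, observed_value) per detection
        self.repeat_counts = Counter()

    def poll(self):
        """One polling pass; returns the keys that were found changed and reverted."""
        restored = []
        for key, expected in self.baseline.items():
            observed = self.registry.get(key)
            if observed != expected:
                self.alerts.append((key, observed))
                self.repeat_counts[key] += 1
                self.registry[key] = expected  # revert, as the free build does
                restored.append(key)
        return restored

    def persistent_tamper_keys(self):
        """Keys reverted at least `escalate_after` times: the repeated-alert pattern."""
        return sorted(k for k, n in self.repeat_counts.items()
                      if n >= self.escalate_after)


def simulate_repeated_tamper(polls=5):
    """Constructed scenario: the entry is rewritten between every poll."""
    registry = dict(PROTECTED_BASELINE)
    monitor = PollingRegistryMonitor(registry, PROTECTED_BASELINE)
    key = next(iter(PROTECTED_BASELINE))
    for _ in range(polls):
        registry[key] = r"C:\Users\Public\unwanted.exe"  # constructed value
        monitor.poll()  # the bad value was live until this moment
    return monitor
```

Each poll reverts the entry, but the unwanted value is in place between polls, which is why the reply calls this reactive rather than real protection; `persistent_tamper_keys()` is where a practitioner would hook an escalation.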
Thanks for all the replies. I guess you could say that firewalls are the first and last line of defense. Keeping hackers away and keeping private info on your disk. Either way you look at it, having a good firewall is essential. Thanks again for your astute views. SourMilk out
Hi, folks: OT of course, but I am compelled to report this to the forum. Each time I click SourMilk's post, my download manager will pick up a d/l command to d/l this: sourmilk.tif, size 1.10 KB. Is this normal, or does some configuration of the download mgr need to be adjusted?
Hi, folks: It's gone now. Strange indeed. Now I can see his image (sour milk) in front of his user name.
You are seeing a stored image (attempted download) from the Wilders server; some filters/download managers see this and alert. If your alert does not show something similar to the file shown above, please advise.
Some type of reboot-to-restore program. It seems to me more useful to begin with a security strategy which identifies known points of entry of malware, such as:

1) through a port (135, 139, 445, etc. - worms, trojans)
2) remote code execution via a web browser exploit (embedded code, .ani, .wmf exploits, etc.)
3) email attachment ("please click on me for a FREE laptop!")
4) infected file which you trustingly installed

Each entry point can be a "first line," so to speak, so that description is not useful in distinguishing between those categories. If you choose solutions based on analysis of how each of the above types of exploits works, then you can be confident that you have those attack points secured, and you are Safe.

regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread... Or Cool Assessments, Common Sense And Practical Planning..." --Bruce Schneier