New build needs new firewall.

I'm hoping to be finished with my first 'from scratch' new build.
It'll be using XP Pro w/SP3 for the OS.
I use a D-Link DIR655N router, which has NAT and some sort of SPI.
I plan on using Threatfire, Defensewall and Antivir AV for full time protection and Sandboxie and SAS for on demand.
I need a good easy to use firewall that will give us above average protection w/out having to write rules or wrestle with more HIPS.
Free would be nice.
Suggestions, please.
Thanks.
Hugger

 

you can try Online Armor is free and easy to use.

 

jmonge,
Thanks. But I'll pass.
I'm less worried about leaktests and more interested in keeping the garbage out.
And OA has HIPS.
Tried it and Commodo.
Got tired of wrestling with them.
Hugger

 

PC Tools 3 is not bad- based on Look 'n' Stop.

 

You can disable comodo's and OA's hips and have them operate purely as a firewall.

 

Hi,

I have this combo (nearly identical to your initital idea), see
https://www.wilderssecurity.com/showpost.php?p=1249089&postcount=2528
TF custom rule: see pic

I think it is more usefull to combine a partition virtualisatin application ShadowServer/PowerShadow or the freebie (Returnil) with DW than an application virtualisation sandboxe (like SBIE), note SafeSPace offers beside application also partition like virtualisation, SO my freebie preference would be Returnil -> SafeSpace -> SBIE to combine with DW see post for argumentation: https://www.wilderssecurity.com/showpost.php?p=1248922&postcount=21

Note: The nework module of Avast and its inbound data check (AV + AS) sort of replaces SAS on demand

Regards Kees

 

I prefer the simplicity but yet security of SafeSpace and Malwarebytes.

 

Kees 1958,
Thanks for the help. I was thinking about similar while I was out today.

All,
Thanks to you too.
Hugger

 

Just one important question. Do you realize what do you need firewall for ? It may be you don't need it ? What does mean "to keep garbage out" ?

 

I think he meant that monitoring inbound communications is more important than outbound communications.

 

What I mean is that in my opinion it's more important to prevent problems rather than try to prevent leaks after the fact.
I think too much emphasis is placed on leak test/prevention and not enough on just producing a high quality reliable inbound firewall that's easy to use for the non geeks yet can be played with your hearts content if that's what you prefer.
Sorry if I didn't say it correctly.
Hugger.

 

Hm .. From his words "I plan on using Threatfire, Defensewall and Antivir AV for full time protection and Sandboxie and SAS for on demand."

 

OK. I know a lot of modern malware that uses the holes in outbound protection. Most of them are used to distribute a spam. But I didn't hear about modern malware or virus or whatever that eploited the holes in inbound. Yes, they were many some 5-6 years ago, but not recently. So Windows XP build in firewall is pretty enough, I think. And, BTW, at least a half of the leaktests actually deals with what you call "inbound". Memory tampering, dll inject, hooks setting, enty point infection etc etc ..

 

Thanks for the info Kees.

I have a few questions-

1. Would you have a screen shot of what the info box for a particular outbound attempt looks like? Is it pretty generic or does it contain detailed info?

2. Also, if the outbound connection attempt is turned on and I am also behind a high speed modem/hardware firewall should I disable the Vista firewall?

3. Have you heard of any conflicts with the latest build of Threatfire and Avira Personal Premium?

4. On install of the latest build of Threatfire is there an option to not install the PC Tools av?

5. Is anyone aware of how Threatfire does in leaktests when configured to notify about outbound connection attempts?

thanks

 

acr1965 ,
I'm using what I believe to be the latest versions of Avira Premium and Threatfire with no problems on my old pc.
I don't anticipate any problems using them on the new pc.
Regards.
Hugger

 

Thanks for the info, I may give it a try.

 

Excellent concept that you have here, and I wish more people would follow it. In all honestly (unless your a malware tester) once malware reaches your system and installed, than your system is already compromised. I believe that prevention is the key as well.

About your question about Threatfire, to my understanding Threatfire monitors or can be configured to monitor outbound silent connections, which can determine leaks or silents connections from legitimate or illegitimate programs.

Looking at your original Post and Requirements, I would suggest the Firewall PC Tools Firewall being that you don't care about leak test performance (although pc tools can prevent some leaks), and easy rule making. It's very light and fast well and also includes powerful SPI filtering capabilities.

 

Just a message screen with blue warning level, meaning
a) It is checked against the virus data base and not a know malware
b) Only the process is mentioned, with click to learn more, you can google with this information for this proecess
c) The warning message is what you enter yourself

When you have a old fashoined cable connection no, when on wire less between router and PC yes (but Vista FW is integrated in OS, so very fast)

No

No, when an intrusion occurs TF first checks the Antivirus data base. This is so much more efficient than a classic AV-kernel does (checking when reading/writing a file, loading a program)

On Vista only 4 leaktests will come through, when you run LUA (use TweakUAC to set in quiet mode) you also have IE in protected mode, besides DefenseWall or GeSWall would prevent you coming in such a situation, so phhffff who cares?

See post above
- leak test = worrying on how to prevent thiefs from running, when they broke in your house
- policy sandbox (internet facing aps) + LUA (for rest of the programs) + behavior control = prevention to break in

 

Thanks for the info Kees, good stuff as always.

 

@ arc1965

With Avira Premium you are close to realising a digital fortknox security setup

Level1: your Router (plus Vista FW when using wireless)
Level2: LUA + DefenseWall policy mitigation (reducing the attack surface)
Level3: Avira Premium AV/AS check (I would set it to check only at writes, so all incoming data streams are checked before writing to disk)
Level4: Behaviour blocking of TF (with custom rule for outbound) plus AV-data base check at intrusion and Avira's heuristics at program execution

Occasional on demand check of Avira before backup and TF on rootkits and bad guys have a hard time beating your set up.

(AD 3: Because DW keeps downloaded file in its enforced limited rights environment, you can set Avira to check at writes only, in stead of read and writes, speeds up your system a little).

Regards Kees