New to Firewalls Questions?

Just started using PrivateFirewall on XP SP3 a few months ago. I'm kind of new to firewalls, but I did go through 2 short stints with Comodo. I like PrivateFirewall much better, and the design of the program seems to me to hint at some real, solid thinking in the program. However, PF is the first firewall I have really stuck with.

I need a firewall that will primarily protect against identity theft. In this light, I guess this means protecting against keylogging and rogue screenshot apps and the like. Actually, I don't know all the angles on this. Also, I am assuming that it is basically impossible to guarantee that no rogue program could ever be downloaded to the PC because of the vulnerabilities browsers create.

All this in mind, what as a new user can I do to stop data from being transmitted through an outgoing connection? Specifically, if anyone has any experience with PF, I would like to know what to do in it. Every once in awhile I get a message that an outgoing connection has been blocked. It's always been Google or something I could explain so far. So how can I lock down all outgoing connections?

One thought...is there a firewall that gives a user the ability to declare open browser connections as safe and then all others unsafe, so they can be blocked? This seems like a fairly sure fire way to stop unwanted outgoing data transmissions.

Again new at this, so I am all over the place. Any help appreciated...

 

If I were you I would try Keepass2 with two channel auto-type obfuscation for passwords, IDs, credit card numbers etc. Or some of those keyscrambler applications, but I don't know much about them because I don't use any.

http://keepass.info/help/v2/autotype_obfuscation.html

 

Using leak tests to evaluate firewall effectiveness

Best Keystroke Encryption Software to Protect Against Keyloggers

 

Yes, this is great information from both of you guys...and what I was hoping to find. Thanks, I learned alot this evening. First I learned that PrivateFirewall doesn't pass Gibson's leak test. Got some thinking to do on this subject...

 

Correct me if I make an error here, but my understanding is, if your using PF & have a router. It will be your router that gets tested. Hence in order to truly test PF, you would need to remove the router to test PF

 

For inbound, yes, that's basically it. The router will take all the inbound hits before they reach the PF.

 

The knowledge has helped. Much appreciation.

I do have a question about the router. I was in a discussion with someone who used to be in IT, and he said I should look into the router firewall. I tried, but the page that contained the router settings is missing. What kinds of traffic should I expect the router to shut down? Is it based on multiple connections for a web page or something similar or is this completely wrong?

Sounds like it's mostly focused on inbound connections based on your comment Kerodo...

 

The router will (or should) block all unsolicited inbound traffic, nothing more, nothing less. If you're concerned about outbound traffic, you should realize that it is probably virtually impossible to fully control outbound without the chance of some piece of malware finding a way out. It just isn't 100% foolproof. The best thing you can do is keep the bad stuff off your machine to begin with, and to do this, you, as the user must be educated and smart enough to keep things clean. You can use all the usual security apps and such, but the bottom line is, it's up to you. Don't ever rely 100% on ANY piece of security software to protect you. That's about the best I can sum it up.

 

For traffic from internet, yes. But you should also test protection from traffic from your other devices/computers that are behind the same router.

 

I tried some behavior type programs to monitor keyboard reading, unsolicited screen capture, unsolicited web cam capture, clipboard capture, and auto-fill capture. I like the ideas in some of the programs, but there appears at least to me to be holes in each of them. There were conflicts that I think were with the firewall too. PF monitors for key capture, unsolicited screen capture, and clipboard capture, so I wondered if that could be the problem.

Being new to firewalls I am just content for now to learn as much as I can and see where it goes. There are probably some great firewalls that cost $$$, and I will likely pay for one after I get a real chance to look into the capabilities of a great firewall.

I think the one thing I have learned is that I would like to see a firewall that makes it possible to search processes by activated protection element, so that a protection could be deactivated across multiple processes quickly. Maybe this is already present in PF. I need to look more carefully, but I have run across a couple of times when I would have liked to deactivate a protection for all processes with it activated, these during the testing of the behavior walls or whatever they should be called.

Thanks for helping out.

 

Hi AtlBo:

When using a router:
If you do a port scan for example at "shields up" you will be scanning your router and not
PF for open ports. I would recommend looking at the default router settings. You'll find
info here at Wilders or just do a search on changing router settings.
Also check the router firmware for updates.


Comodo put out a leaktest (zip file) that simulates different exploits.
Gibson's leak test you said you have already tried.

Don't know how effective or accurate these tests are. Ocassionally I watch videos
of people who test AV/Firewall/Hips/ online, but some just don't know enough about configuring
and how the program actually works. It's always good to know the potential and the
limitations of the product your using.

I've used both Online Armor firewall and PrivateFirewall.

Online Armor firewall will probably run heavier (more memory usage) than PrivateFirewall.
That was my experience. Both firewalls claim Anti-logger protection.


Note: I always do my testing in a virtual system just in case something happens.
Also good to have reliable image/clone backups in place for restoring OS and important files.

 

Compu KTed

Alot to look into, but I know I should. At least it's a topic that interests me.

On a side issue, I was looking around at toys for added protection on various download sites, and I noticed a program I hadn't seen before from MS called TCPView. I downloaded it from MS and installed, and I found that there were a significant number of connections listed in TCPView that don't appear in PF . The ones that concerned me the most were designated System Process connections. I found some very interesting information in these connections such as one that goes by this http:

snt-re2-8c.sjc.dropbox.com

I right clicked and checked the whois properties for the connection and found that this domain is actually registered to/managed by a company called MarkMonitor.com (Mark Monitor). Turns out this company represents companies by protecting their brands and trademarks. I will test later, but it appears that, the registrant being DropBox, this is something associated with DB...I allow DB connections for file sharing, so maybe I will examine that closer.

There is another connection registered to enom.com, a company that sells net domains. This appears as an avast connection. I have no idea why. I would like to do some trial and error to see if I can find the source of these connections where it isn't listed. There is another MarkMonitor.com connection that has to do with Amazon and another for Google. These two connections puzzle me a little bit. There are 2 or 3 three more of these like a web host service called AKAMAI.COM and one for which the whois contains only one line, whois.corporatedomains.com.

Are these the result of of sleaziness from developers? I can understand a company looking after its brand, and the whois data is complete for the MarkMonitor connections, but these others concern me a little bit. I would like to know why MM is watching over Amazon on this PC and over Google. I have the Google toolbar in IE8 and in Firefox, so maybe that's it, but no Amazon apps. Anyway, the whois information in the right click menu of TCPView is helpful for sure. This would be a big improvement for PF if it offered this kind of investigative tool. Deciding to blacklist a connection would be easier.

Well, at least can I say that the LocalHost connections are safe?

Just noticed another strange connection. GoDaddy.com is apparently snooping for LogMeIn, Inc.? The longer I watch this, the more of these seem to be popping up...

 

@AtlBo:

As your primary concern seems to be securing outbound connections against keylogging and identity theft, you could consider Webroot SecureAnywhere. WSA is an antimalware that can either be used as a standalone application or can be used as a supplement to an existing antivirus. On most systems, it runs very light.

WSA has an outbound only firewall (it is intended to be used alongside the Windows firewall for inbound connections) that is linked to the antimalware component. Outbound connections from known good applications are allowed and known bad applications are blocked. Unknown processes are monitored and restricted until their status can be determined. The Identity Shield takes care of keylogging, screen grabbing, etc.

Not only do you get outbound protection without needing to know about firewall technology, you also get enhanced protection against anything malicious getting onto the system in the first place. All actions by unknown processes are journalled so they can be reversed if the processs is later determined to be malicious.

You can read more about WSA here: http://live.webrootanywhere.com/wsapchelp

Although an antimalware, rather than a dedicated firewall, WSA might meet your needs and could be worth considering.

 

To say I couldn't agree more is a huge understatement. And for the individual who is squeamish about the way WSA works, add a conventional AV. You don't need it, but you can add it. The combo of WSA and Windows FW is so light it's ridiculous! Actually, you are seeing more companies like Panda and Avira for example, that allow you to install their security suites and use their front-end to control Windows FW outbound traffic.

 

@AtlBo: Domain registration records can be confusing when multiple parties are involved. Some companies offer domain management/privacy services and thus are administratively involved on the domain records side of things. Normally, what's of most importance is who has technical control over the network/machine associated with the remote IP Address. This too can be confusing due to scenarios like:

Company A uses Company B for hosting/services
Company B's platform uses Company C's content delivery network for some things

By observing a URL and/or associated forward DNS lookup, it may appear that IP Address X is assigned to Company A. However, when performing a reverse DNS lookup or IP Address assignment lookup (http://whois.arin.net/) it may appear that IP Address X is assigned to Company B or Company C.

Understanding who is involved, and in what way, requires some investigative work and stitching the pieces of information together to form a picture. This may include forward and reverse DNS lookups, IP Address assignment lookups, traceroutes, examining domain registration records, and sometimes other steps including general searches for information about a host/address/URL in order to identify relationships between companies. At first it will be confusing, but the more you do it the easier it will become to recognize the players and how things fit together.

 

OK...great information thanks all of you.

At this point, I would like to know why TCPView detects so many connections that PrivateFirewall apparently cannot detect. In Port Tracking in PF, I count at this time (as an example) 5 System connections and 2 svchost connections. In TCPView, however, there are 13-15 System connections and 3 svchost connections.

PF appears to be missing altogether some connections. I have no idea how these have been established and don't have any way to block them. Stopping them only stops them once. Is this the result of tracking cookies? Whatever is causing the connections, will WSA detect and give me the ability to block these connections?

I really would like to know how these connections are established. PF seems to be saying that I have not approved them, since they don't show up in PortTracking...