Uninstalled my firewall solution today...

...And a strange calm descended upon me!

Hello all, this is my first post

I had sygate installed for 4 years now...Few days ago, for some reason it allowed a process adobe_updater.exe downloading updates trouble free while i had blocked it, so decided it was the end of the line for it and started trying new firewalls but could not decide on anything; some too buggy n bloated (comodo), some with many restrictions (free versions like outpost)... in the end, dissatisfied, i just left my system firewall free, except xp firewall of course though i am also behind a router with NAT.

For some time i was weary of going online... but then after a few hours of use i was quite happy with nothing!

In the 4 yrs i've been using sygate (and comodo for a few months), i've disallowed a software (a virus of some kind which avira failed to detect) from accessing the internet only once and i dont even know whether it was successful in blocking it! What was usual though was of me constantly being worried about explorer.exe or lsass.exe accessing an ip 127.0.0.1, or me answering to allow access to software i have installed on my system.

My system is perfectly clean and i can spot when something's not right with it (malware) even if avira decides to play dead.

i'm just loving it with one less program starting up with the system. i can even check which process is accessing the internet with process explorer...

Do i really need an outbound firewall? Then i read an article today at http://ask-leo.com/is_an_outbound_firewall_needed.html which just confirms what i've been thinking.

 

Just out of curiosity.

How did you block adobe_updater.exe with Windows FW?
Did Leo block it?

Cheers

 

First, welcome to Wilders!

I have been without any security software for over six months now.
You need to take only an few precautions:

01)- In your Router Filter or Block the following:
Filter Proxy
Filter Cookies
Filter ActiveX
Block Anonymous Internet Requests
Filter Multicast
Filter Internet NAT Redirection
Filter IDENT (Port 113)

02)- In your Web Browser Filter or Block the following:
Block First Party Cookies
Block Third Party Cookies
Block Session Cookies

Some Web Sites will not be accessible with these settings, but hey, then I have no business being there.
I would consider another try of Agnitum Outpost Firewall Pro or Agnitum Outpost Firewall Free.
It takes an little getting used to, however, I feel it is the best.

Agnitum Outpost Firewall Pro:
http://www.agnitum.com/products/outpost/index.php

Agnitum Outpost Firewall Free:
http://free.agnitum.com/


HKEY1952

 

I think it really depends on whether that's your approach to "security" or not (i.e., trying to catch possible outbound traffic). I have used nothing but a router now for over 5 years without any issues, and was happy the day I finally bought one and dumped all my software firewalls. I prefer to rely on my own common sense and smarts. I think that unless you are just almost completely clueless, worrying about outbound traffic is mostly just being paranoid. Some will argue with me on that, but that's my opinion.

I have images if necessary, and as a last resort if anything ever did happen (and it never has), then I don't mind, and actually prefer, a clean reformat.

Anyway, it's up to each individual, but I don't use one.

 

Well i don't know who "Leo" is but..

There's tons of programs like this nasty thing that don't infect your computer and can be made "FUD" or Fully Un-Detectable.

They are bound to legitimate applications, and when you double click to install the legit program it snatches all your passwords from your browser, Messengers, FTP's and other programs even your Windows serial number. It then shunts your data to some overseas server and the real program installs fine.

You don't even know it's happened, it typically leaves no trace. I had it happen to me when i installed some piece of freeware, i was lucky it left a C:\scan-report.txt file i found 24 hours later. It had logins from sites i had not even been to in years and was several thousand lines long.

Since that day, i wouldn't dream of running a net connected PC without an outbound firewall or some form of HIPS.

 

.
As 1boss1 pointed out the danger is not just damage to the local system, but the theft of data. That's a good reason for monitoring outbound traffic IMHO. These days your data can be stolen and you don't realize it until you discover your bank account is empty, etc. In my years of computer use I've only been (knowingly) infected once and I was alerted to the trojan by the software firewall blocking it's attempt to phone out.

 

Well, I guess that's what you get for installing that unknown freeware.... The only thing I'd worry about is doing online banking and keyloggers. But there is no way a keylogger is getting on my system because I don't download and install stuff I know nothing about. I also use a safe browser, either Chrome or Opera, so nothing is getting in that way either. It really all boils down to how you use the PC. If you're going to do stupid things, you're gonna get bitten, regardless. Not to mention that any really good piece of malware can get out past almost any firewall with ease. At best, your firewall can attempt to catch things, but of course there are no guarantees.

 

The program was linked from Snapfiles.com which is a fairly legitimate place to download from. I don't know if it was modified after being reviewed and listed or what, but heck what's to stop some script kiddy compromising the server where Sandboxie or Malwarebytes is hosted from and binding one of these pass stealers to it?

Don't think it can happen, i also got effected when the Wordpress package got backdoored on their servers and it's one of the top 20 sites on the net.

If legitimate sites are getting compromised with the latest javascript Flash/PDF exploit there's nothing stopping sites that host executables having their packages bound with these pass stealers either.

Maybe it's just me, but the though of executable's calling out without my knowledge is kind of frightening.

 

Yeah, the crap happening nowadays IS pretty frightening. Well, so far I have had good luck. Maybe I have just learned how to keep out of trouble after all these years online, and maybe it's part luck also. All I use here is router with AV and a decent browser. But I do understand there are dangers out there...

 

Microsoft Internet Explorer version 1.0 was debuted with Microsoft Windows 95 and I have never used any other Browser.
The Browser has never been compromised or allowed any Infections into the System.
If one keeps the System and the Browser up to date I do not understand why people condemn this Browser.
Who would know better how to protect Microsoft's Operating System and Browser better than Microsoft?


HKEY1952

 

Yes there are dangers out there, but they are controlled dangers, controlled by higher authorities and powers to generate revenue.
People all over the World bank and shop online, if the threats out there were as contagious as security venders grossly magnify they are,
people simply would not shop or bank online. The aftermath resulting in business loosing profit.....well that is not going to happen.
So, by releasing an certain degree of controlled and regulated Malware, everybody makes an profit.


HKEY1952

 

Totally agree


HKEY1952

 

.
It's naive to believe getting infected is always the result of bad choices. There are other ways that systems are attacked that have nothing to do with installing "unknown freeware". The common sense approach you follow is a necessary part of lowering one's attack profile, but it's not perfect. The fact that a firewall can sometimes be bypassed is a poor reason not to use one. The logical conclusion of that argument is there is no point in using any security software since they can all be defeated under some circumstances.

 

Exactly, well stated, the only reason that I am currently "going naked" without any firewall now is because I lost faith in the firewall solution that I was using and for the past six months have been unable to find an replacement firewall. My search lead me here to the Wilders Security Forums and I was fortunate enough to win an Lifetime license of Agnitum Outpost Security Suite Pro. I have used Agnitum before, an few years back, and the product has now matured into an solid Firewall and Security Suite. All that I need to do now is get off my but and get it installed. Meanwhile, on another test system I installed Agnitum Outpost Firewall Free and the product has definitely matured. It is now my firewall of choice and recommendation.


HKEY1952

 

My approach has worked for me for almost 15 years online now. It's not being naive, it's based on experience. Never once been bitten. I know many others with the same experience as well.

I believe in minimal software, common sense and some street smarts. Has yet to fail me. I don't know what else to say, except that I don't know what everyone else is doing that gets them into such dire straights.

Back to the original thread idea, there is a lot of merit to the argument that if your firewall is catching something, then it's too late already. The only value I see at all in an outbound firewall is to *attempt* to alert one to something going on. That's fine. So then you'd probably use something like Comodo, which covers the most ground in this respect. But then you get into the idiotic situation where you have no idea whether to allow Svchost.Exe to do something or not. Who knows when it's malware behind it, and when it's legit? I've used Comodo, and I confess, I haven't a clue how to answer the prompts. And I don't think anyone else really does either.

By far, the educated user/common sense approach is the best. You can eliminate 99% of the problems that way. How else can you explain why I have not used or needed a software firewall for 5 years now and no harm has come to me?

 

Partly because of the reasons in Post #12 of this Thread


HKEY1952

 

Difficulties will arise for most people if it's fully blocked. I have found that for my purposes, at least, I allow it ports 123 (time), 67/68 (DHCP), 53 (DNS), and UDP for Multicast. The one's I block most of the time are outbound to ports 80 & 443, allowing these only when I search for updates. I can't stand svchost constantly attempting to call the mothership even with auto updates disabled.

One can educate themselves if they want, although it does, of course, take some time. Eventually an accumulation of experience, some technical expertise, common sense and confidence will usually help to answer the questions.

Finally, to stay on topic and answer your question...probably not.

 

I've been using computers a very long time, i ran a 300baud BBS on the C64 for a few years around 1986 and remember playing Reversi that came with Windows 1.0

My online activities are low risk, i had one of the leading Antivirus programs installed, scanned with on demand scanners and was careful where i downloaded anything from. I got hit after 20+ years using computers, all my passwords and product keys got sent to Russia and i didn't even know it happened.

An outbound firewall would of stopped that, if you think you don't need one that's fine i just pray what happened to me doesn't happen to you. It's devastating and took weeks to repair the damage, not as simple as spending 10 minutes to rollback to a good image like regular malware.

Every day "script kiddies" are uploading 1,000's of exe's bound with things like this and it's nasty stuff. You have no idea what server it will be put on next.

Good luck.

 

That is one of the features that I like about the Agnitum Firewall, right out of the box one can leave it in an set-it-and-forget-it mode.
It also has excellent Firewall Rules for Scvhost.exe including tailored rules for the Windows Time Service.
I am not trying to force or push this product out to anyone, I am only making aware because of my experience.


HKEY1952

 

I agree - if a firewall helps you become aware that something bad is happening that is far better then remaining unaware of it. That is precisely why it's worth using one.

You are correct that enigmatic firewall alerts are close to useless. Some firewalls are smarter then others in this regard in that they understand code injection into legitimate processes. For instance you do have to be able to see the process calling svchost.exe to know whether or not to block it. I can't say from experience how Comodo Firewall works in this regard.

Again, we essentially agree. The use of security software is not a substitute for common sense, but it can help. Because I take seriously the possibility that the system can be compromised and data stolen in spite of good practices and reasonable precautions I never rule out any security tool.

 

Wow... so many responses!

I did not do so with the windows firewall, but i blocked the exe itself from group policies

Thanks for the welcome... i can see its a very happening place! I'l try to do all these... i've already blocked third party cookies..

Well this is what has happened with me at least, i can recall that every instance i've been infected, i was to blame. This was some time ago and thankfully doesn't happen anymore.
But i do somewhat agree with the latter part of the post.

You've got me thinking again That malware i talked about which i blocked in sygate was of the same type i guess, it launched, some secs of high cpu usage and then the internet access (which i blocked), then it disappeared!

I've tried it (free ver) what i hated was that all menu options were disabled for running processes.

 

The inability to view the Process Activity in the Agnitum Outpost Firewall Free version has no impact or influence on the protection offered.
IF one wants to view and control the Process Activity on their computer, try using Microsoft Sysinternals Process Explorer.

You can also try your luck at winning an Lifetime License for Agnitum Outpost Firewall Pro or the Agnitum Outpost Security Suite Pro at this Post on the Wilders Security Forums:
https://www.wilderssecurity.com/showthread.php?t=249154
Follow the instructions exactly, the contest ends at the end of this Week.

So Starsky, have you made any decisions after reading the results of your Post?


HKEY1952

 

I do use Process Explorer... its a nice piece of sw! Anyways i think i'm gonna go the Online Armor way It has plenty of options, and its HIPS is also quite unobtrusive (unlike Comodo). Sometime ago i wanted a HIPS which would only notify me when something wanted to run (only). Now i have it and i'm happy... Now to think of it, Sygate was really very old!

The only downside was that i was still feeling very unsafe while doing online transactions without a firewall... So now i think i'm good. Thanks guys!

 

Yes it doesn't affect the protection level offered, one thing that i did not like about Outpost were the confusing alert popups and the actions to take on them... But hey i don't care bout that anymore