Why are some not concerned with outbound, especially w/risk driveby downloads?

Discussion in 'other firewalls' started by spamyou, Oct 5, 2007.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    IMO, and reading your concerns and replies, look into GeSWall and DefenseWall as recommended, and choose one.
    Then perhaps LinkScanner Pro (given the requirements from your wife's browsing) already suggested too.
    Anti-virus, the paid ones that are regarded as the best - Avira Antivir, NOD32 or Kaspersky.

    That's just software recommendations though. DEP configured in AlwaysOn, if it doesn't break anything important, is a good start. This thread was where I learned about it, from Ilya. Read from that page onwards and you'll see what's at stake.

    Then the limited user account. If something doesn't work in lua, try reading here.
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Another solution might be "shadow" software (Deep Freeze, Shadow Defender, Returnil, Power Shadow). They clean everything on reboot. Of course, they don't prevent data stealing between reboots and you need to save any document/file stored in the system partition before rebooting.
     
  3. herbalist

    herbalist Guest

    Not necessarily. Using a software firewall to block/alert to new or unexpected outbound connections is acknowledging the possibility that your primary defenses aren't foolproof, especially the user. No anti-whatever catches everything. No user's judgement is perfect. Common sense doesn't always get it done, not when trusted sites can be compromised. The software firewall is another layer of defense that just might keep your data out of the wrong hands should your primary defenses (or the user) fail.
    Today's theories and POCs are tomorrow's exploits. The alternate browsers may have fewer vulnerabilities which get fixed much quicker, but the fact that they do get patched or updated demonstrates that they can be exploited. Firefox and Opera may be safer to use than IE, but no browser is invulnerable.
    Rick
     
  4. drkoopz

    drkoopz Registered Member

    Joined:
    Mar 4, 2006
    Posts:
    74
    Personally I prefer the type of outbound firewall that has a large whitelist of applications and only asks the questions that are needed. When HIPS comes into the situation (Comodo beta) I usually just turn it off. Too much noise really.

    So yes I think a software firewall with outbound is necessary if your defenses are taking a nap. However I agree with the notion it can't hog system resources and it can't bug you to death.

    I've always been under the impression that firewall developers drive themselves crazy balancing security with convenience. :p
     
  5. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    As more & more leak tests were developed they showed that outbound control by a firewall was, at best, well, leaky. From my point of view, it's wiser to seek another defense than rely on a gun that is half loaded with blanks. I think HIPS, IDS, whitelists, rollback software, etc., are a better way to go. Needless to say, I gave up on bi-directional firewalls in favor of in-bound only filtering. Better the devil you know....
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Well, I have been surfing the net for about 12 years now, going to good and bad places alike, using Firefox, Opera, K-Meleon in recent times, along with IE7 and prior versions, and I have never ever once been hit by a drive-by download, so I must just be lucky....;)
     
  7. tlu

    tlu Guest

    Ah - but perhaps you are a part of a botnet, and you're only not aware of it ...;)

    Seriously: What you said is also true for me. The only difference is that I've been using Firefox exclusively for many years. (In the ole' days when I still used IE, browsing wasn't as dangerous yet.)

    Just my two cents: I agree with Mrk that browsing with Firefox is very safe and even safer with NoScript (although it's true that whitelisted sites can also be compromised) - all things considered, the probability of becoming infected is very small when using this browser. I also agree with sukarof that a limited account enhances security considerably. And I also use a HIPS but actually I don't need it.

    As for outbound control: My opinion about this topic can be read in this posting.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yes, and perhaps this is the planet Zaphrod that I'm living on too... ;)
     
  9. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    The best protection on the market for drive-by downloads is Browser Defender in NIS2008. Here is why: NIS2008 is able to see through any kind of encryption or obfuscation used by drive-by downloads. Kaspersky and some others can only see whatever a document.write sees since that's what they hook. So they miss a lot of stuff. Some numbers on some other newsgroups indicate that KIS missed 1217 out of 13000 websites tested. That's a lot. And I believe it because I have seen it miss a few and the system gets infected.

    One misconception is that if Windows Update runs and Windows is patched then you are protected. That is far from the truth. The reality is that the newer vulnerabilities are in 3rd-party ActiveX like Yahoo WebCam, Yahoo Widgets, Winzip, NCTAudio, Baidu Soba Search bar, WebThunder etc. These take time to patch and during that time you are exposed.

    So here is what I would recommend:
    - Keep your system fully patched INCLUDING 3rd party software
    - Run a sophisticated Browser Exploit detection software like NIS2008 (07 and below don't have this)
    - Run a sandboxing tool like Haute Secure (just as a safety measure).
    - Finally, always terminate ALL instances of the browser and then launch a fresh one before doing ANY online financial transaction where a lot is at stake. The reason for this is simple. All this sandboxing software has many fundamental flaws: the most important of which is that the exploit occurs and malicious code is running in the browser process (it can't get out). But if you use that same process to visit Bank of America, you could get creds stolen.

    Btw.. if you find a URL that NIS2008 does not block, let me know.

    Hope that helps.
     
    Last edited: Oct 16, 2007
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    This is an interesting discussion. I looked up a few of the HIPS products mentioned above. Their descriptions seem to be a lot like running in a limited user account.

    You might want to try this resource for using an LUA:

    http://nonadmin.editme.com/

    His "easy" method is to use an administrative account with a blank password and fast user switching. One of the benefits of the LUA is things are blocked and there is no prompt to react to, thus eliminating the possibility of making a bad choice. It is not possible to install an ActiveX control in IE while running LUA.

    I am of the persuasion that outbound protection is overblown. Its popularity comes from the fact that it is easy to run these tests and rank firewalls accordingly.

    There seems to be a general lack of evidence that outbound filtering is catching malware. Perhaps this is because the malware uses techniques to make outbound communication that are different from the leak tests such as disabling the firewall or bypassing it with a communications driver.

    Although the OP has experienced an infection with Firefox, I nonetheless believe it is more secure than IE because it lacks ActiveX, is not integrated into the operating system, and it is patched more frequently than IE. The point raised above about 3rd party browser add-ons being a potential source of attacks is well taken. Any such software should be removed if it is not essential.
     
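The back-and-forth between herbalist (outbound control as an extra layer) and Diver and FadeAway (leak tests show it is leaky) comes down to what a per-application outbound firewall can actually see when a socket is opened. The simulation below is an added example written for this thread; it is not code from any poster or from any firewall product mentioned here. Program paths, file contents, hashes and connection attempts are all constructed stand-ins. It models the common 2007-era rule shape (allow-list keyed on the executable path, with a hash of the binary to catch a replaced file) and then shows the case that such a rule cannot distinguish: a connection made from inside a trusted process.

```python
"""Simulated per-application outbound allow-list (added example, not a
real firewall's code).  Decisions are made the way a host firewall of the
period made them: by the identity of the process that owns the socket."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the on-disk image of each trusted program.
# A real product would hash the actual executable when the rule is created.
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
OPERA = r"C:\Program Files\Opera\opera.exe"
IMAGE_CONTENTS = {
    FIREFOX: b"constructed-firefox-image-2.0.0.7",
    OPERA: b"constructed-opera-image-9.24",
}


def image_hash(contents: bytes) -> str:
    """SHA-256 of a program image (here: of the constructed stand-in bytes)."""
    return hashlib.sha256(contents).hexdigest()


# Allow-list rule set: executable path -> hash recorded at rule creation.
ALLOW_LIST = {path: image_hash(data) for path, data in IMAGE_CONTENTS.items()}


@dataclass
class ConnectionAttempt:
    pid: int
    image_path: str        # executable that owns the socket, as the firewall sees it
    image_contents: bytes  # what is on disk right now (constructed sample data)
    remote: str            # "host:port" being contacted
    injected: bool = False  # ground truth for the simulation only: foreign code
                            # is running inside this process; the policy never
                            # receives this field, which is the whole point


def decide(attempt: ConnectionAttempt) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'prompt'.

    Only image_path and image_contents are consulted, because those are the
    facts a per-process outbound rule can check on the host."""
    expected = ALLOW_LIST.get(attempt.image_path)
    if expected is None:
        return "prompt", "unknown program; ask the user (or block by default)"
    if image_hash(attempt.image_contents) != expected:
        return "block", "allowed path, but the binary changed since the rule was made"
    return "allow", "trusted program with matching hash"


# Constructed sample traffic: one legitimate browser, one unknown dropper,
# one tampered binary, one trusted browser carrying injected code.
SAMPLE_ATTEMPTS = [
    ConnectionAttempt(1200, FIREFOX, IMAGE_CONTENTS[FIREFOX], "www.example.com:80"),
    ConnectionAttempt(1340, r"C:\Windows\Temp\svch0st.exe", b"constructed-dropper", "203.0.113.7:6667"),
    ConnectionAttempt(1401, OPERA, b"constructed-opera-image-modified", "203.0.113.7:80"),
    ConnectionAttempt(1500, FIREFOX, IMAGE_CONTENTS[FIREFOX], "203.0.113.9:443", injected=True),
]


def evaluate_all(attempts: list[ConnectionAttempt] = SAMPLE_ATTEMPTS) -> list[tuple[int, str]]:
    """Run the policy over every attempt and return (pid, verdict) pairs."""
    return [(a.pid, decide(a)[0]) for a in attempts]


def allowed_despite_injection(attempts: list[ConnectionAttempt] = SAMPLE_ATTEMPTS) -> list[int]:
    """PIDs the policy allowed even though (per the simulation's ground truth)
    the connection was made by code that does not belong to the program.
    This is the class of leak-test result FadeAway and Diver describe, and why
    the thread pairs outbound control with LUA or sandboxing rather than
    relying on it alone."""
    return [a.pid for a in attempts if a.injected and decide(a)[0] == "allow"]


if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        verdict, reason = decide(attempt)
        print(f"pid {attempt.pid:5} -> {attempt.remote:22} {verdict:6} ({reason})")
    print("allowed despite injected code:", allowed_despite_injection())
```

The path-plus-hash rule does its job for the two cases leak tests of the era were first built around (an unknown executable, and a trusted executable replaced on disk), and it does nothing for the third, since the socket really is owned by an unmodified, allow-listed browser. That is the gap Zombini's "malicious code is running in the browser process" remark and Diver's "bypassing it with a communications driver" point at from two different directions; the mitigations the thread converges on (a limited user account, a sandboxed or virtualised browser, closing every browser instance before banking) all work by constraining what that trusted process can do rather than by inspecting who opened the socket.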
  11. Doc Serenity

    Doc Serenity Registered Member

    Joined:
    Apr 4, 2007
    Posts:
    105
    Unfortunately, Kerodo, I have been hit a few times. And I go to mostly the 'good' sites.
    I prefer to be able to block unwanted inbound but I also recognize the need for strong outbound protection.
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Hi spamyou,

    I just want to ask something: assuming the latest version of Firefox was installed, has your wife ever been infected through Firefox when NOT using NoScript?

    The reason many people (myself included) are not worried about outbound protection is because we know there is nothing inside our PCs that connects out maliciously, and that knowledge stems from the fact that we have the biggest vector malware can attack from, aka the internet browser, locked down. The easiest way to do this is to simply use a non-IE browser, or a sandboxing program. If you have some time to spend and are interested in learning further, there are programs that can monitor your internet browser for any suspicious activity, such as when it comes under a buffer overflow attack or when it tries to silently execute a new program without asking you.

    All in all, driveby downloads are a smaller problem than you'd expect, especially when you learn why and how they can happen - the solutions and countermeasures become very obvious then.
     
  13. Doc Serenity

    Doc Serenity Registered Member

    Joined:
    Apr 4, 2007
    Posts:
    105
    @ Zombini,
    I just looked at the NIS 2008 site.
    If I am understanding this correctly Browser Defender only protects IE7. This would leave FF, Opera and others out of luck. And I prefer FF and Opera to IE7.
    Am I understanding this correctly?
    Thanks.
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Spamyou,

    GeSWall Pro or DefenseWall (as said earlier) might do the trick. I changed from IE7 to Opera on the PC of my wife. You can skin Opera in such a way you won't notice the difference. Another plus of Opera is that it loads way faster than IE or Firefox.

    Regards Kees
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'd say that's because only IE7 needs this "Browser Defender" protection - an UNPATCHED copy of IE7, that is. Apparently when all patches are applied, IE7 is quite the secure browser, despite popular belief.
     
  16. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469

    It only protects IE, both IE6 and IE7. Yes, there is no support for FF and Opera.
     
  17. spamyou

    spamyou Registered Member

    Joined:
    Apr 1, 2006
    Posts:
    48
    Thanks for all the suggestions.

    I had what I thought was the ideal setup for her.
    IE7 via LUA (dropmyrights) with sandboxie for browsing. Sandboxie was set to erase all, no saving, on closure.

    She would close IE7 (erasing sandbox) and use firefox when visiting financial sites (she prefers IE7 for work and browsing, though will use firefox for just financial, and it helps her to mentally remember to close IE7).

    I think this would have been very safe, but Sandboxie slows browsing slightly, 10-15% on average, and on sites with lots of content can hang for a second, and I get constant complaining.

    So I substituted GeSWall, which does not slow browsing at all. Only issue I have, I use Sandboxie myself, I don't understand GeSWall as well, and I don't believe it deletes all files automatically on closure, and instead tries to specifically trap malware based on behaviour.

    I actually like DefenseWall's security best, but it too slowed browsing some, and even a little more than Sandboxie.

    I tried ForceField, the new beta browser sandbox from ZoneAlarm, but it corrupts links like old GreenBorder did; they are still working on it.

    I have not tried Opera, and if it has a skin similar to IE7, will look into that. Haute Secure I have not heard of, will try that as well. I have an allergy to Symantec products from fixing several friends' computers.

    So basically still looking for ideal sandbox (for her) that virtualizes and erases all automatically when closed, and does not slow browser down at all. But for now using Geswall for her, and who knows maybe that is just as safe as sandboxie, I need to read more about it.
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I suggest you try the anti-malware software forum if the discussion is going to veer towards the specifics of sandbox applications, and the like.
     
  19. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Depends what the original poster meant by "outbound". If all you want to do is see who is doing all those 'dial-outs' especially when one boots up there is a simple thingie that 'snitches' & prompts you: "so & so" program is trying to 'dial out'. Do you give Permission: YES - NO?

    I don't remember the name of this little freebie firewall but the answer was posted up in this forum last year but I can't find it.
     