What Good...

Discussion in 'other firewalls' started by Rico, Sep 19, 2009.

Thread Status:
Not open for further replies.
  1. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Make sure to re-read my post, as I edited after you made this post.

    How can anyone think that a HIPS cramps their style less than an outbound firewall. A HIPS is the ultimate in paranoia software. By contrast, there are many very light firewalls.

    The main argument against an outbound firewall is that the program has already executed, so your system is no longer trusted. This argument applies equally to a HIPS. It makes zero sense (to me) to run an incredibly intrusive HIPS while objecting to a relatively light and simple outbound firewall. Anyone and his grandma can run a software firewall. Only the most paranoid run a HIPS. You calling me paranoid is like the pot calling the kettle black. You need to wake up if you think that you can call someone paranoid for running software that most people run while you personally run software that only the intrepid few would consider running.

    Do you understand what a HIPS is? You're doing the exact same thing as me and calling me stupid in the same breath. This quote above applies just as much to a HIPS as it does to an outbound firewall. Both require that the malware be executed before they can do anything. Think about it for a second.

    Yes, that is my primary, but not only, use for it. It's a completely valid reason for using it, even if you don't appreciate it. But, it's not the only reason.

    Obviously, by using a HIPS, you believe that security software can protect you after you've allowed it to execute. So, you can't object to a firewall for this reason. Let's say this malware is a keylogger that is very stealthy and does little or no damage to your system that your HIPS can detect (or perhaps you made a mistake and allowed it). Let's say your HIPS allows it to continue keylogging, and now it tries to connect to the internet. Wouldn't an outbound firewall be of benefit here?

    Obviously, you have a lot of security software, so you see a benefit to layered security. Why do you see no benefit to a second layer to stop a keylogger in case your HIPS fails for some reason? I doubt you would call the potential financial losses from a keylogger paranoia.

    But now that I brought up layered security, why do you even have an antivirus? Doesn't that slow your system down? Shouldn't you drop the antivirus in the name of practicality because your HIPS should theoretically be able to catch any malicious activity on your system?
     
    Last edited: Sep 21, 2009
  2. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358

    http://www.pcworld.com/article/119016-1/article.html

    I've never been personally hit by something like this, so I can't comment specifically on what the attack would look like. I've downloaded media files that I've strongly suspected of being malicious (either malicious embedded script or possibly with the capability to connect to malicious sites through DRM mechanisms), however I have WMP set up to never connect to the internet for anything. And my firewall has WMP set up to completely deny internet access to WMP. And I've probably disabled some other "features" of WMP through xp-antispy and other hardeners, that would totally prevent this attack from occurring on my system. I don't really download DRM'd files, and I have no reason to allow WMP to connect out or run any scripts. If I want to find codecs, I just scan the media file with GSpot, and download the needed codecs through my browser.

    The reason I even brought it up is because I had just recently read some guy's story on another forum, and it just popped into my head when I was responding. I could have just as easily given some other example.

    I would just take precautions when running WMVs and ASFs especially, because I believe they can contain malicious scripts and they can possibly connect to malicious sites while pretending to obtain licenses for DRM. I would turn off scripting in WMP and turn off anything that would allow for automatic internet access (i.e. make sure you get asked first). And, if you don't ever need for WMP to access the internet, I would just make a rule in the firewall to always deny access. Otherwise, you'll just have to use your best judgment.


    By this statement, I assume you mean you watch WMV video in your browser through the WMP plug-in. To tell you the truth, I never use that plug-in. I just download the video and don't watch it in my browser at all.

    To tell the truth, I'm not 100% clear on what you're asking. If you just open the file from your desktop and deny WMP any internet access, it shouldn't affect your browser at all. The media file and media player, as far as I understand, do not gain internet access through your browser. Rather, the media player should attempt to access the internet on its own. Maybe you can clarify what you're asking.


    Edit: Okay, I think I got where you're coming from. You're probably concerned about sites like YouTube. My understanding is that these exploits I'm talking about are windows media specific (i.e. WMA, WMV, and ASF). I don't have a complete understanding of all of the possible exploits, but these are the types of files you should watch out for. Sites like YouTube use MP4 and FLV. I don't believe these exploits apply to these formats, and I don't believe there are many (if any) streaming video sites that stream windows media files. With windows media, I just generally download them and play them on WMP (windows media player). I hope that clarifies it somewhat.
     
    Last edited: Sep 21, 2009
  3. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Yeah, it's not really a very advanced exploit. I just gave it as a specific example of a general way in which a trusted program can be used to compromise a machine. Perhaps it wasn't the best example, since I haven't personally experienced it, but it was fresh on my mind after having recently read about it.

    You have a very solid setup, so I don't think you have much to worry about.

    Just to be clear, the WMF (Windows metafile) exploit was something entirely different. I'm talking about windows media (WMA, WMV, ASF) and their potential to use WMP (windows media player) to execute malicious script or download malware. It seems like every standard Microsoft comes up with can be exploited in some way. Look at all the other media formats (jpg, mp3, avi, mp4, mpg, etc.). I don't think they've ever had problems. But anything that starts with a WM..., look out!

    Okay, it's sleepy time.

    Edit: Could you further describe your setup and why you feel you no longer need a HIPS? Maybe I'll do the same thing as you. The simpler the better. And, also, feel free to explain what I didn't understand about your previous question. I'll read it in the morning when I can think straight.
     
    Last edited: Sep 21, 2009
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Correction,

    Only professionals or knowledgeable PC users do require a software firewall when the usage situation does not justify a hardware/software endpoint solution.

    To obtain the filter standards they perceive as proper (meaning control over packet filtering rules and deep packet inspection capabilities), they apply a software firewall in all other situations to obtain security levels similar to endpoint solutions.

    Probably 5 percent at most of software firewall users are these 'true need' users; the other 95 percent believe in fake security and use a software firewall (like Comodo) which has the packet analysis capabilities off by default.

    NB. All horrified Comodo 'fake security' users who want to pretend they are 'true need' SW FW users, go to intrusion protection of the Comodo FW and enable all choice boxes, like protocol analysis etc. :D

    Regards Kees
     
  5. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Likewise, if my system gets messed up I'll roll back to a prior image or wipe the slate clean with a fresh install. But if my passwords and personal data get sent out, I can't paddle across the ocean, knock on the hacker's door and ask for them back.

    I could change all the details, but I wouldn't know they were sent out until accounts and info started getting exploited.

    So for me, having granular control over what's leaving my machine is essential.
     
  6. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358

    Yeah, it's hard to imagine a simpler setup than yours. I added an edit to my last post. I wouldn't mind hearing more about your setup.

    Let me also apologize to firzen771 if I was rude in my posts. I edited out some of the personal stuff.

    Edit: I am slower than molasses today. I haven't had one post in this thread where I haven't been beaten to the punch.
     
  7. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I used HIPS as an example, but a HIPS can refer to several different types of programs. You're thinking of the popup-intensive kind of HIPS, but that's not the only kind; that is a classical HIPS. And a HIPS is much more versatile than a firewall that only throttles your connection. And a HIPS usually gives you a means to look deep within your system to find if something really malicious is already running and terminate it manually. Never seen a firewall do that yet.
     
  8. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    Maybe not, but they could if they wanted to. They know your address, your middle name, and likely your wife's bra size....:blink:

    Mike
     
  9. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358

    I'll make a couple more points. I'm not your typical grandpa computer user that just does some banking and word processing. I'm not just paranoid, because there's actually a lot of risk to some of the things that I do. It would be unthinkable for me to actually not attempt to know what's leaving my computer. It's one thing for something to bypass my firewall without my knowledge. It's something entirely different to make no attempt to monitor my outbound.

    I'm not saying I do any of this stuff, but I'll give some examples. Would anyone dream of advising a hacker or cracker to not have outbound protection? Even an outbound connection containing absolutely no data can be a huge threat. Sometimes you don't want certain people to even have your IP. How about a whistle blower or someone who generally makes a lot of enemies online? Someone gives you a "non-malicious" package, you execute it, and now they can then find you.

    As a final example, anyone who downloads cracked software (or even copyrighted media) would be strongly advised to have outbound protection. Like I said above, even an IP address nails you. Media files may be less risky, but some types can certainly be modified to do interesting things. These companies may not be knocking on your door, but do you really want them to know who you are? And keep in mind that some people have a much higher risk profile than simply downloading copyrighted materials.

    That's why I said if you're more boring than my grandparents, perhaps you can get away with no outbound protection. Although I will still argue that you're less protected against keyloggers, which I'm sure you also want to protect against.

    A lot of people here like to pounce on Matousec, but I totally agree with his concepts, if not his execution. I think that a HIPS and outbound firewall are a natural fit, and neither alone is adequate protection. The only big problem with his methodology is including products that don't claim to offer both types of protection (i.e. including HIPS only or firewall only products).
     
  10. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    See, now with this post I can agree with you. Privacy and identity protection I can agree with as a use of a firewall; I just don't believe in it as an antimalware product. But for the copyrighted media part, an IP blocker like PeerGuardian or PeerBlock will do it very well with its blacklisting of large media corporations and tracking IPs.
     
  11. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    To each his own. I'm not a big fan of blacklists personally.

    Here's my take on malware. Anything that ONLY affects my system (i.e. doesn't send anything out) I only consider a minor inconvenience. I can fix it easily. I always make backups of important data. So what if I get an infection? If this was the case, I wouldn't even bother to have any security software.

    There's one and only one reason I bother to run any security software. I don't want sensitive data leaving my computer. That's why the view that an outbound firewall is unnecessary is totally incomprehensible to me. It's the only aspect of my security package that directly tackles what I want to accomplish.

    Really, if it weren't for the whole issue of information leakage, why would anyone even care about malware at all? You just run something like Returnil or Shadow Defender and restore a fresh image when something goes wrong. I mean, if there were no concern about information leakage, you just run your system until you notice things slowing down (or otherwise not working properly). Then you just restore a fresh image and don't even worry about scanning your system.

    Information leakage is 99% of what I care about, and removing the only aspect of my security that directly tackles this is ridiculous. My 2 cents.
     
  12. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    I have to disagree here, as everyone's situation is going to be different. Some here run the Windows 7 FW or Windows Vista FW or Windows XP Pro SP3 FW, and these FWs might be enough for most here. If you feel you need more, you can disable the Windows OS FW and use a 3rd-party one. The Internet Security Suites offer you extra protection, if they're really up for the challenge of keeping you safe.

    Again, there is nothing wrong with running a 3rd-party FW or Internet Security Suite. Most won't hog or bog down the system, whatever others here say they will or won't do. If they do, you have the choice to pick another firewall software.

    Many here to choose from.
     
  13. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,318
    Location:
    Canada
    Hi Guys,

    Remember me? Let's say the 'outgoing' FW alarm goes off, how do you know what's leaving & where it's going? Also it seems like keeping your passwords etc. in something like 'Roboform' makes them much less vulnerable to heading outbound, with some cryptic FW message occurring. HIPS & FW make computing not so much fun & arduous. Shadow Defender, or LUA + SRP, or VirtualBox, seem to offer superior protection & make the PC fun. With my wife's stay-at-home laptop, I uninstalled KAV, as all it did was complicate her experience, & SD was doing all the heavy lifting. How about LinkScanner, then you can avoid the nasty places? Seems like the FW (software) complicates the experience, while adding little protection.

    Rico
     
  14. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    I know and understand what applications need outbound access and when; all applications that don't are in a default-deny group, which is most of them. Others like Office or my FTP software can only connect to my mail or FTP server IPs and only on the ports I specify.

    It's pretty easy to spot unusual outbound requests when you know your system. I agree though, some firewalls/HIPS have very "ordinary" alerts making it difficult to make an educated decision. One where many of your decisions are purely guesswork, and you click "Allow" just because you "think" that it's ok, is no good. That's why I switched to MD, for example:

    [screenshot: tu.png]

    I can see Total Uninstall (Verified) is trying to connect out. Clicking the Remote Host link takes me to DomainTools, where I can see the software is connecting to the official site/IP I purchased the software from, based on my action of clicking "Check for Updates" in the app. So I can allow it.

    If I wanted, I could add a rule allowing this program to connect to only that IP/port and alert on all others. If I get an alert, I know something's up: either the program author has a new server/IP (2 seconds to verify) or it's connecting to something it shouldn't.

    Is there a way to circumvent my outbound control? Sure. Is there a way to bypass my AV with an unknown malware? Sure.

    With all the layers working together? It would be a very difficult task.

    I don't get many alerts at all with everything configured right, so having this extra outbound layer is no burden on my daily activities.
     
  15. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358

    I agree with 1boss1. After a month of using your HIPS and/or firewall, you begin to become familiar with what programs routinely ask for what permissions. Virtually every program that asks for internet access, I deny it without bothering to figure out why it's doing that. For instance, many media players, when you first install them will try to access the internet. Why? If you can't think of any purpose for this program to access the internet, just deny it.

    Why does acrobat reader need internet access? I don't know, and I've never given it access. It's not hard at all for me. Internet access basically comes down to my browser, torrent application, and news reader. The thing all these programs have in common is that they need internet access to do their job. My media players don't need internet access to do their job.

    I set my firewall to always ask me if a new program wants internet access. If I can't think of any reason for it to access the internet, I deny. If I'm wrong I just go back and allow. If you think about it, how many applications on your computer need internet access? You should already be familiar with all of them. Now, I will say that my job is a little easier because I turn off automatic updates and don't allow any Microsoft components (except for Generic Host Processes when it's needed) to access the internet. So, I can't advise you about these if you want to leave them on.

    Edit: In contrast to a HIPS, an outbound firewall is relatively simple to deal with, in my opinion. Let's say you have Program X, acrobat reader for example. I trust this application not to damage my system. My HIPS gives me a cryptic message letting me know that it wants to access Resource Y. I don't know what it means, and I allow it because I trust the application. You can't possibly look up every program/resource combination that your HIPS alerts you about. But, this is where the firewall comes in handy. I know that Program X doesn't need internet access so I deny it. It's just simple. In fact, through my HIPS, I deny Program X access to any resource or program (e.g. Firefox) that has access to the internet as well.

    Where a HIPS really comes in handy is with unknown programs. Then I become more interested in the alerts that my HIPS gives me. But with a firewall, I look at every application, trusted or not.
     
    Last edited: Sep 22, 2009
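    The outbound policy 1boss1 and I no more describe in the two posts above (a default-deny group, programs pinned to specific server IPs and ports, an alert on anything off-list, and a prompt for a never-seen program) can be modelled as a small rule evaluator. This is an added example written for this page, not code from any firewall product named in the thread; the program names, addresses (RFC 5737 test ranges) and connection attempts are constructed.

```python
"""Outbound policy model: default-deny group, pinned per-program destinations,
alerts on off-list destinations, prompts for unknown programs.
All program names, addresses and events below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# The four outcomes a connection attempt can get.
ALLOW = "ALLOW"   # destination matches one of the program's pinned rules
ALERT = "ALERT"   # program has rules, but this destination is off-list
DENY = "DENY"     # program sits in the default-deny group: silent block
ASK = "ASK"       # never-seen program: prompt the user for a decision


@dataclass(frozen=True)
class Pin:
    """One permitted destination set: a remote network plus remote ports."""
    network: str
    ports: frozenset

    def matches(self, remote_ip: str, port: int) -> bool:
        return ip_address(remote_ip) in ip_network(self.network) and port in self.ports


@dataclass
class OutboundPolicy:
    pinned: Dict[str, List[Pin]] = field(default_factory=dict)
    default_deny: set = field(default_factory=set)

    def pin(self, program: str, network: str, *ports: int) -> None:
        """Allow `program` to reach `network` on the given ports only."""
        self.pinned.setdefault(program, []).append(Pin(network, frozenset(ports)))

    def decide(self, program: str, remote_ip: str, port: int) -> str:
        if program in self.pinned:
            if any(p.matches(remote_ip, port) for p in self.pinned[program]):
                return ALLOW
            return ALERT          # known program, unexpected server: worth a look
        if program in self.default_deny:
            return DENY           # no prompt at all, as the posts describe
        return ASK


def triage(policy: OutboundPolicy,
           events: Iterable[Tuple[str, str, int]]) -> Dict[str, list]:
    """Group attempts by decision; only ALERT and ASK need a human."""
    out: Dict[str, list] = {ALLOW: [], ALERT: [], DENY: [], ASK: []}
    for program, remote_ip, port in events:
        out[policy.decide(program, remote_ip, port)].append((program, remote_ip, port))
    return out


def example_policy() -> OutboundPolicy:
    """Constructed policy in the shape the thread describes."""
    p = OutboundPolicy()
    p.pin("outlook.exe", "203.0.113.10/32", 993, 587)        # own mail server only
    p.pin("ftpclient.exe", "203.0.113.20/32", 21)            # own FTP server only
    p.pin("totaluninstall.exe", "198.51.100.7/32", 80, 443)  # vendor update host
    p.default_deny.update({"mediaplayer.exe", "acrobat.exe"})
    return p


# Constructed connection attempts: (program, remote IP, remote port).
SAMPLE_EVENTS = [
    ("outlook.exe", "203.0.113.10", 993),         # ALLOW: pinned mail server
    ("totaluninstall.exe", "198.51.100.7", 443),  # ALLOW: "Check for Updates"
    ("outlook.exe", "192.0.2.55", 443),           # ALERT: mail client, unknown host
    ("mediaplayer.exe", "192.0.2.1", 80),         # DENY:  default-deny group
    ("acrobat.exe", "192.0.2.2", 443),            # DENY:  default-deny group
    ("newtool.exe", "192.0.2.3", 8080),           # ASK:   never seen before
]

if __name__ == "__main__":
    for decision, attempts in triage(example_policy(), SAMPLE_EVENTS).items():
        for program, ip, port in attempts:
            print(f"{decision:5} {program:20} -> {ip}:{port}")
```

    Of the six constructed attempts only two reach the user (one alert, one prompt); the rest are decided by the rules without a popup, which is the low-noise behaviour both posts report.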
  16. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,318
    Location:
    Canada
    Why not secure your private info, so if you make a mistake and allow something out, they still get 0? Also I guess you live much more dangerously than me, as I've not been infected, with or without an FW. Like I said, I've tried several FWs & several HIPS, which seem way too complicated, prone to user error when used, & in the case of software FWs way too annoying for the amount of protection it gives. Router with SPI + SD + LinkScanner + image program, & on-demand AS & AV, is all the non-daredevil user needs, to enjoy.

    Take Care
    Rico
     
  17. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358

    To each his own. I use everything you use plus HIPS/firewall, such as Comodo or Online Armor. In the interests of simplicity, I would just use the AV that comes with Comodo or Online Armor, instead of a more highly rated one, such as Avira. I haven't found firewalls to be annoying at all. I just deny, deny, deny without thinking (and I usually set a rule to deny permanently). It almost never fails, and when it does, it's usually obvious what I did wrong and how to fix it. So what if my clock doesn't update automatically or some other minor thing. I can just fix the clock in 10 seconds. There's no thought involved because almost nothing that asks for internet access actually requires it. If you sum up the total amount of time in a day I spend answering firewall prompts, it's probably about 30 seconds.

    What do you mean by securing your private info? If you mean encryption, I already do that, but this will do nothing to protect your data from keyloggers, etc. when the computer is networked. Encryption only protects your computer from physical access (e.g. if it's stolen).
     
  18. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Today's firewalls don't prompt you like a mad dog for every application launching. These newer firewalls are smart enough to know what should be allowed and what should be blocked. If malware is detected it would block it and also announce to you that it found what and has taken care of the problem.

    If I go and install a program I don't want to have to tell the firewall to go into installation mode, then later on get reminded to turn that feature off. The firewall should be smart enough to know that.

    Key selling points: low impact on the system, very good to excellent protection.

    Some now offer a shopping mode for extra protection online. Still, encrypted keystrokes when typing passwords can't be beat with KeyScrambler. I know the Pro offers more but that's overkill to me.

    I say take the extra protection if you are going online so deep into the unknown where you don't know what's waiting for you there.
     
  19. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Yeah, I guess that's something better for a user like Rico than my solution. Fortunately, you can run most firewalls either way. You can use smart configuration features for users who want less alerts. Or you can ignore all the suggestions that the firewall gives and control everything (the way I like it).
     
  20. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Yes. All correct. There's no way to protect yourself if a site is compromised. Obviously the site has to receive all data unencrypted (even if using SSL).

    You're correct about the way Keyscrambler is supposed to work. However, I wonder if it's actually been subject to any objective tests to determine if it actually does stop all keyloggers. I've seen stuff like this brought up on the TrueCrypt forums a lot (i.e. wanting the developers to implement something like this). The regulars usually consider the idea ridiculous. They usually spout the same line, "if your computer is compromised, there's nothing TrueCrypt can do to protect you." So, I can't help but wonder what scrutiny it's been put to.
     
    Last edited: Sep 23, 2009
  21. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    I use KeyScrambler Personal, which encrypts keystrokes you type in the browser; the free one is what I use. Banking etc. gets encrypted. I haven't seen any problems using it. I also have the open source stable copy of TrueCrypt with the feature to use Network Drive Manager. Everything works as it was programmed to.
     
  22. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,318
    Location:
    Canada
    From Leo Laporte

    "Q Grant, San Diego, CA - free ways to speed up his computer

    Grant is hearing about a software firewall that can speed up his system performance. Leo isn’t much of a fan of software firewalls. If a hacker gets into your computer, they can punch a hole in that firewall and control it fairly easily. Leo says your router acts as a hardware firewall which is extremely effective and can’t be punched into. And since it’s outside your system, it doesn’t affect performance. Also, a lightweight AVS like Nod32 is great for protecting you from all the bad guys out there. What about CC Cleaner? Leo says it’s a registry cleaner and he’s not much of a fan of them because you can do more harm than good. Spybot Search and Destroy? Spybot works great, but is also “long in the tooth.” Windows Defender is far more up to date and will work better. Also, work Firefox. Faster and more secure browser than Internet Explorer. "
     
  23. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I noticed earlier on in this thread, that Rico said he's ditched ZoneAlarm, and was looking for stealth.

    Actually it's very easy to achieve 100% so called stealth, even with ZA free on - https://www.grc.com/x/ne.dll?bh0bkyd2 - if you configure it properly.

    [screenshot: grc.png]

    Not that the above is everything of course, it just shows it can be done, if you want it!

    Even if you don't ever get infected, you might want to control what is allowed out, rather than any old app etc. having potentially free access out! So that's why a bidirectional FW is useful.

    I'm sure I've read that Leo Laporte did, or does, use a hardware bidirectional FW.
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I don't need ZA free or any 3rd-party firewall to achieve these same results: http://i101.photobucket.com/albums/m76/firzen771/GRC.png
     
  25. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    I just dropped all security including Windows Firewall, and ran the test with just my ISP's free Thomson ADSL Router/Firewall in default config and it passed as fully stealth.
     