About the separation of firewall and virus scanner

As probably everybody here is aware, at least a few companies have "recently" taken to telling users to uninstall incompatible software from their competitors.
Instead, they offer all-in-one packages that I guess you're supposed to use as a whole.

Now... since I always at least try to get the best reasonable setup regarding security, in the past I've looked at what firewalls are deemed the best and what virus scanners are deemed the best.
And it wasn't a problem to combine the best of competing (well... at some point, I suppose e.g. Kaspersky didn't even offer a firewall...) companies since I used to only scan for viruses on demand and the rest would be taken care of by my firewall.

But with the way malware often works these days, I finally decided to drop my "on-demand has to suffice" attitude and get me some realtime protection.
But now I'm in a bit of a pickle. Because the virus scanner I'd like to use (Kaspersky) tells me to get rid of my firewall (Outpost).

I suppose I could ignore the warning and see whether having both running really does screw up my system but I'm not big on taking chances with something like that.

So... how do you deal with this and what would your recommendation in this specific case be?

 

1. An AV without a firewall feature (like MSE, Avira Free, Avast Free, etc) combined with Windows built-in firewall and a router.
2. Kaspersky AV combined with Windows built-in firewall and a router.
3. An AV without a firewall feature combined with 3rd party firewall (like Comodo, OA, Jetico, keep your Outpost, etc) and a router.

 

Well... that's just the thing (your #3)... I did try to install just the Kaspersky AV. And I only have the Outpost Firewall, not the Security Suite. So theoretically, they should work along-side.

But I guess maybe because the Kaspersky AV has e.g. browser protection as well as Outpost, it still warns about incompatibility.
I of course could disable things like the web module and application control of Outpost and leave that to Kaspersky but... I don't know what the hell these things may still be doing to each other under the hood

 

My prior experience with Kaspersky is that they state incompatibilities with pretty much every 3rd party firewall ever created. You're probably ok to ignore the warning. Of course, if your system implodes on you, don't blame me!

 

Yeah, there's actually this official list here.
Reminded me about this one here.

Usually, this throwing their hands in the air and going "we're incompatible with basically everything - deal with it!", obviously not even trying, causes me to refuse to use their products (like I largely do with Steam).
But since at least Bitdefender even caused a BSOD during installation... *sigh*

 

Lol, they even ask you to remove video converters? Kaspersky sure hates everyone.

 

Hehe. Makes you ponder, doesn't it?
Especially considering the $55 (for 2 years).

Still... I had an experience the other day that makes me think that I simply need reliable realtime observation of what the hell programs on my machine are doing (Avira's on-demand scanner didn't detect anything in an install file. But that installer apparently unpacked a trojan (which Avira later on recognized as such) that tried to establish an outbound connection)

 

Companies generally aim to fill a particular niche in the market. When companies try to diversify they generally have mixed results. The company might do well developing a particular software component, but that success is not necessarily carried over to their other products. With software security suites, the user is not as concerned with compatibility, but they need to realize that their anti-virus might rank average/mediocre compared to more specialize solutions offered by other companies. Likewise, a mixed approach requires the user to continuously worry about compatibility following each update and configuration/settings change. In theory, software security suites are more vulnerable to attack. A diversified, layered approach to security makes it harder for an attacker to exploit software from a single developer. This is not to suggest a diversified, layered approach is without its own problems. What good does that layered approach do you, if component A interferes in component B's attempt to block or remove an infection? A lot of the pros and cons are hypothetical scenarios that will change depending on your setup. Companies recommend running a software suite because it is easier to troubleshoot problems when you can control the software and hardware your clients use. My internet service provider wants me to use their hardware and they provide security solutions for their customers to use. Finding a ideal balance is key, but more importantly; you need to known your limits. If you are uncertain about how to go about doing a layered security approach, then I'd advise you consult a professional to design a solution for you or you stick with a reputable security suite. Make sure the company has a reputation for good customer service, expedient problem resolution, and a history of strong, continuous development.

 

Hm... thanks for that elaborate reply! (But obviously thanks to everyone before as well!)

Those are exactly the things I was curious about. And something you mentioned reminded me... even IF one program blocks the other from removing an infection (which should be unlikely in the first place if I disable everything but Outpost's actual firewall feature) - for one thing, I would probably still get notified about Outpost preventing Kaspersky to do something. And after that, I STILL would have the actual firewall as a last line of defense.
So compared to my previous situation (on-demand scanning + firewall), it seems I only stand to gain a lot in security. And probably shouldn't worry so much about possible incompatibility, as long as I pay attention to having Outpost truly only function as a firewall...

 

My thoughts exactly. Not to mention that others have probably run setups similar or identical to yours. I'd contact some of them if you run into any unforeseeable issues, but I'd image many of these problems have been addressed already and you seem fairly capable based on my impression from your post.

 

That's true if the Windows desktop has loaded. What if it happens prior to login? I typically whitelist my other security applications as far as HIPS goes and allow them to do whatever they want. This is to hopefully prevent any issues where a prompt would be generated, but Windows hasn't loaded to the point that I can respond to it. Have you given any thought to giving KAV the same treatment you are giving Steam? ESET is running a beta right now which would give you a longer time period to trial their AV. Just a suggestion.

 

You'll need to make a lot of allowances for the AV in the firewall configuration, especially those with HIPS components. One of the bigger ones is allowing every component to be changed/replaced/updated without interference or figure on doing all updating manually. This is especially true if the HIPS component uses file hashes instead of signatures. It's been years since I ran both an AV and HIPS (separate or part of a firewall) and AVs have become more complex since then. It was nearly impossible then to make tight rules for the HIPS without disabling the auto-updating of the AV. In the end, I decided that the firewall and HIPS were more important as a front line defense than the AV was, and stopped using a resident AV entirely.

 

The free ZoneAlarm a/v uses Kaspersky with no conflict.

 

It may not be such a task to combine the programmes. Here is an older post with instructions on how to combine Kaspersky and Outpost Firewall. Most likely there are newer instructions available. This was just a cursory search.
http://www.agnitum.com/support/kb/article.php?id=1000273&lang=en

It seems the more difficult task would be to decide which HIPS (if both have one) is the better choice to use.

Have you tried the Agnitum Forum yet?

 

That's how some company's are they want to add everything including the kitchen sink and then they become bloatware, an AV should be an AV

I'll decide if and what other programs to add to my setup

 

@ 0stradamus:

Well yeah, white-listing the AV would be an obvious thing - at least IMO.
While I've been thinking about it, I don't feel that I should act quite as principled as with Steam. After all, it's not just about entertainment here. And at least in the real-world protection test here, ESET didn't do so well (see page 9).
Oh, I just realized that's the whole security suite. And damn, I just realized that those guys as well as matousec (who I know isn't particularly popular around here IIRC) only test security suites as a whole. Guess I can't rely on Kaspersky/Outpost providing the same protection if I use them in combination...

@ noone_particular:

But the way I'm planning it, I wouldn't use the HIPS portions of Outpost anyway. Observing running programs and checking whether their behavior is malicious would be the AV's job. And Outpost's only to monitor the actual traffic.

@ Q Section:

As you can see in the list that I've posted a couple of posts above, they deem the recent Kaspersky as incompatible, period.
I haven't tried the Agnitum forums because it seems to me when you talk about competing products, it's better to go to a neutral source. Plus, I'm not confident that users on any given company's forum are on average more knowledgeable when it comes to security compared to the users here.

 

With no HIPS component involved, all you should have to do is allow internet access to each AV component that requires it. In order for the AV to be able to update components as needed, the firewall will have to either accept a file hash that changes or allow the updated components based on a signature. I can't comment on whether Outpost does this or not.

 

On behalf of all the above-average knowledgeable users on this forum, allow a big THANK YOU for the complement!

Also a number of years ago (maybe somewhere between about 2002-2005?) there was someone doing strictly firewall testing but the site cannot be located now. This was before there were add-ons to the firewall programme like a HIPS etc. It seems there were some firewalls that performed better than others. The testing seemed to be throwing a number (about 11?) of tests specifically made for firewalls and possibly more of a leak-type testing. The tests were done one by one and at that time there were some firewalls that could stand up to most of the tests and some that failed greatly most of the tests. The results were similar to AV test results now where the products were spread out between poor to very good. It seemed there was one leak test that was particularly difficult to pass. Eventually the two(?) top firewalls at that time passed within a few months of improvement. The two best at that time could be mentioned here but that was so long ago the results from back then would most likely be very invalid today but those two are still on the market currently.

Perhaps LowWaterMark or some other member who was reading Wilders from back then can remember more.

 

Hahaha, you're welcome

I gotta say though - all of this is starting to annoy the hell out of me...
Because since most testing these days is done with whole suites, I'm not sure it's wise to stick with single components if you want to have similarly good results as the ones who tested the software.

So I had my heart set on installing the trial of Kaspersky. Especially since the many prompts Outpost throws at you can be problematic.
As in: "How the hell am I supposed to know what the registry key HKEY_LOCAL_MACHINE\{234348227} does?!" (that's not an actual key... unless I just randomly described one that does exist...)
And if it's an installer that I think is trustworthy, of course I'll click allow. It's nothing unusual for installers to edit the registry after all. And I may already be screwed.
Allegedly, Kaspersky is intelligent enough to block a lot of stuff without many false positives and without prompting the user.

But then... well... I made the mistake of checking out Kasperksy reviews... there are way too many people reporting issues (crashes, slowdowns, filling their HDDs with crash dumps, etc.) for my liking.
Then I made another mistake of checking out reviews on pcmag.com. I don't know what kind of malware collection they have but their results are quite different from av-comparatives and matousec.

My current state of mind:
Maybe I should just unplug the cable of my modem and go underground - old school

 

These days things are changing.

My router/modem combo has a in/out firewall so I may not need a sw fw at all!

If I run hardened browsers inside Sandboxie I'm not sure I even need an AV anymore

 

Yeah, I could enable the firewall of both my modem and a router I have behind the modem too. But since I have no reviews for those, I don't know how well they really shield from attacks.
Also... how much traffic they may block wrongly. Could very well be that one day, I wonder about something not working and think that maybe the server is down. Having forgotten about my modem/router firewalls, since I don't see some pop up window there.

But... theoretically, what you describe would of course be nice.

 

Yes, and good luck getting any assistance at their forum.

 

Was the site leaktest.com? If I recall, they had about a dozen tests you could run. They rated firewalls with default settings and completely neglected how much the configuration and ruleset affected the results. Some of the tests were specifically for HIPS components. I probably still have most of those tests stored somewhere, pointless as they were.

 

Honestly, I haven't run anything outside of Windows firewall since I installed Win7, as I'm behind a DD-WRT based router with the firewall turned on. Never had an issue, never a second thought. The only software firewall I use is on my laptop, which I sometimes use on public wifi.

 

Don't put too much faith in tests of AVs or security suites. With AVs the results will change with every update, aka daily or faster. The tests of security suites seldom take configuration into account. How you configure a firewall or HIPS can completely change its effectiveness. Some of these "tests" are little more than purchased endorsements.

The most important thing you can do here is make a full system backup before you start trying different security packages. Don't use Windows built in backup. Use an app designed for this, preferably one that has its own operating system. Store the backups on a separate hard drive or removeable media. It would also be a good idea to separate your operating system and data files to different drives or partitions. It makes system backups much smaller. Don't rely on an apps uninstaller or separate uninstall software to remove security suites. If you try a security package or a combination of separate apps and don't like it or they don't work together well, just restore the backup image you made and you're right back where you started from. On my PCs, each operating system has its own partition. There's also several for data. Restoring my XP system for instance takes about 6 minutes. My stripped down primary system can be restored in less than 3 minutes.

Unless I missed it, you never mentioned what operating system you're using.