8Signs/CHX-1/GhostWall - Adding Application Control to the mix?

Discussion in 'other firewalls' started by psych, Mar 19, 2006.

Thread Status:
Not open for further replies.
  1. psych

    psych Registered Member

    Joined:
    Nov 7, 2005
    Posts:
    9
    These look like 3 great resource friendly firewalls. My only "problem" with them is that there is no real form of Application Control, only allow/disallow traffic through port x. Is there any way, through 3rd party software, to find out what application is trying to send data out through this port, and allow/disallow it?

    Would snortsam be able to do this (i noticed it can plugin to chx-1 and 8signs), or am i better off looking at using another firewall where inbound filtering can be disabled? this seems very rare, and possibly unworkable in the current climate of kitchen-sink protection suites.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    prevx1, safe 'n' sec, and appdefend are all HIPS that offer application control. u can also try zonealarm, blackice, or wyvern firewall and disable their firewall function. i personally prefer look n stop. it has packet rules as well as app control.
     
  3. psych

    psych Registered Member

    Joined:
    Nov 7, 2005
    Posts:
    9
    I'm not entirely sold on this hips idea. I tried Prevx on another pc, and just seemed to slow it down, maybe things have changed now though. Can look'n'stop be used just for its application control? I just can't see its packet filtering being better than 8signs.
    i hope it doesn't turn into a resource-munching bloat monster.

    hhmm.. wasn't prevx free before? i wonder what's changed...
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    yes u can use look n stop for app control only. however, after the trial, looknstop will revert to its free version and disable app control. it'd be better to switch to looknstop altogether. also i see it's been a while since u tried prevx. now it's called prevx1 and there's still a free version called prevx1r. it's "forever" beta so be prepared for bugs.
     
  5. psych

    psych Registered Member

    Joined:
    Nov 7, 2005
    Posts:
    9
    well after reading some old articles, it appears that jammer and alertwall are dead and buried.
    the other option is/was look'n'stop with only the application control enabled. is this still possible in the current version? any other alternative?
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Another option that people mention a lot is to use ZA Free with internet filtering turned off, just app control on. Let CHX or 8Signs etc do the inbound and use ZA for outbound. Seems to work..
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Forget about outbound app control. Just block all ports associated with IRC with a hardware FW. Most of the new malware uses IRC to phone home. It gives the malware a fixed location to call that can not be shut down when it is discovered or be easily traced to the owner. There has only been one virus so far that was a lot more sophisticated than this. It used a scheme where the location it called was generated from the date. It took researchers a while to break the encryption so the next location could be predicted and closed ahead of time.

    Besides, the thing is going to install a rootkit to make it invisible to your AV and a comm driver to defeat your software FW.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Hey Diver... what's up...

    Sounds like the best solution is to keep away from the 'thing' to begin with. ;)
     
  9. psych

    psych Registered Member

    Joined:
    Nov 7, 2005
    Posts:
    9
    would an earlier less bloated version of zone alarm be ok for this?
    actually i'm nervous to try this, last time i tried zone alarm, way back when, i remember it conflicting, spitting up errors, bsod even. i quickly switched to tiny/kerio and didn't look back.

    i suppose this would be cheaper (free) and less wasteful than getting look'n'stop and not really using it. i still can't believe there isn't a simple (free) application control/software restriction program out there.
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    yes any free version of zonealarm should work fine.
     
  11. psych

    psych Registered Member

    Joined:
    Nov 7, 2005
    Posts:
    9
    i know outbound control isn't going to do much good if a sophisticated virus/trojan somehow manages to find its way onto my system. the best way is to avoid getting into that situation entirely though. don't open dodgy email, or visit dodgy sites. isn't that it? how else do they end up on your system?

    but surely, some sort of outbound connection protection is better than none?

    as for a hardware firewall? how much do these cost?
    can't irc be set up to run on a "normal" port?
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Any of the older ZA versions should be ok I guess. I have used ones as old as 2.6.362 and got basic on/off app control. I can't testify to how effective it is, but it would work I think.

    As for dedicated apps like that, the only one ever made that I know of is Jammer by Agnitum, but they've removed it from their site and you can't buy it anymore.
     
  13. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    I've been using a-Wall from Sphinx, and it appears to be strictly application control. They have a series of firewalls, each with additional features, but "a-Wall" is the free one with no features other than application control. The website does a rather poor job of explaining it, however.
     