About the separation of firewall and virus scanner

Discussion in 'other firewalls' started by sh4dow, Aug 17, 2013.

Thread Status:
Not open for further replies.
  1. sh4dow

    sh4dow Registered Member

    Joined:
    Mar 3, 2006
    Posts:
    15
    @ 0strodamus:

    Haha well... who uses forums these days. Gotta call their hotline ;)
    Or better yet (sarcasm in the opposite direction): Post your question on facebook, dude! ;)

    @ noone_particular:

    As I'm neither a hacker, nor a malware coder and I don't know all attacks that exist and how to protect myself from each specific one, all I can reasonably rely on are tests others conduct.
    So whether some of the tests are purchased hardly matters because I have no way of knowing better. Of course - if you have evidence of bribes, by all means... please share. I always appreciate knowledge about which sources are most trustworthy.

    My drive isn't that fast and/or OS not that small but that's what I've been doing for over a decade by now anyway.

    With the talk about AV and Outpost, it's probably not going to be Linux or MacOS, is it? ;)
    It's Windows 7 x64.
     
  2. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    778
    Location:
    Headquarters - London & Field Offices -Worldwide
    Regarding Kaspersky products - It seems the average Kaspersky user is more astute than the average security programme user. Therefore they may post more detailed questions/complaints than the average security programme user. Remember, for every negative post there are many, many unposted ones that could be of a positive nature.

    Regarding leaktest.com - it was either that or another one very similar to it. After a little more research it was found that the researcher who was doing those firewall leak tests soon got out of doing those tests. So... perhaps one idea may be to do some of your own testing. They are fairly easily done. They are usually in the form of leak testing and running one programme at a time, seeing if any given firewall passes the test by preventing the leak or not. It would seem merely time intensive.

    Leak tests - even though the following two links are from web pages over ten years old they still contain some interesting information regarding firewalls and leaks and testing.
    https://windowssecrets.com/langalist-plus/new-firewall-leak-tests/
    http://www.pcflank.com/art21.htm

    Here is a link for a more detailed and technical treatise entitled Using leak tests to evaluate firewall effectiveness

    Oh and for those who are not aware - the firewall included with Windows XP is a one-way firewall which does not attempt to stop any outbound traffic. This is not good, for example, if a computer gets a Trojan and that Trojan gathers some information (like a key logger or email contacts or credit card numbers etc.) and sends it home. The Windows firewalls included with Vista and beyond are two-way firewalls.
     
    Last edited: Aug 20, 2013
  3. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    I run Kaspersky Internet Security 2012 alongside outpost 7.5.2 firewall happily.

    The only not so obvious thing that I did was take the ndis? out of network connections that kaspersky added.

    I turned off most of kasperskys modules that outpost covers
    i.e. web AV
    application control
    firewall
    network attack blocker
    anti banner
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I do the same as you with Nod32 and Outpost FW Pro 8.1. These 2 run well in tandem OUTSIDE the Sandboxie.

    My hardened IE 10 with ActiveX and SmartScreen filter on INSIDE the Sandboxie.

    I also load my host file up from MVPs. Do Not Track Me (c) is on as well.

    What I am trying to get a hold of is a clear user guide for the HW FW for the Router/Modem.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    By default, the firewall in Vista and beyond doesn't block outbound; although you can configure it to. As for leak tests, seriously reconsider.

    Once you execute a program (more so, malware) with admin rights, game's over. It has all the capabilities to tamper, disable or work around the firewall.
    Firewalls with HIPS have a better chance (because of the HIPS component) but then again, there are limitations.

    I've mentioned more on this in this thread:

    Windows 7 FW for inbound/outbound control

    Basically, what I'm saying is this: depending on outbound firewall to protect your data is like letting a burglar in your house and putting guards (and all sorts of fancy high tech system) to stop him/her from going out. Sure, it might work but you're putting a leap of faith in such a setup.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm surprised no one ever packaged a trojan to look like a leaktest. IMO, they're flawed on several levels. On a default-deny system, you have to violate the core policy just to run the test at all.

    Some of them have value for testing a configuration but most are a waste of time. The PCAudit leaktest was useful for evaluating a firewall's ability to control loopback traffic and the rules governing it. That was after you allowed the process itself and then allowed it to set a global hook, after which it tries to use every running process to establish an outbound connection. If localhost connections were allowed globally, you fail the test. It's useful if you use any kind of local proxy or are tightening firewall rules to prevent data leaks around Tor or a VPN.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    :thumb: :) :thumb:
    A year or two ago I used PCAudit2 on Kerio and Sunbelt firewalls. One with Avast proxy port 12080 in use, the other was Avira proxy 44080.
    Both firewalls restricted access to the proxy port for most stuff.
    Both firewalls defeated PCAudit2 while it tried to hook to Snagit, Acronis scheduler, ctfmon, FS viewer, explorer, and a few other live processes at that time.
    Sunbelt has a tiny HIPS section, nothing to brag about, but when I enabled that module, all code injections were blocked as well.
    PCAudit2 was an amazing show to watch, and an interesting learning experience for me.
     
  8. sh4dow

    sh4dow Registered Member

    Joined:
    Mar 3, 2006
    Posts:
    15
    I don't know how relevant this is still going to be after all this discussion but...

    I never should've bothered and adhered to the good old rule "Never ****ing change a running system!" (That expletive should really be in the original already. Because I have seen few cases where people were not very upset when something didn't go as planned)

    So I installed Outpost Security Suite and cranked up all sorts of security. Figuring I'd rather click a couple of prompts than get screwed.
    First minor annoyance: I have a tool called "Hard Disk Sentinel" monitoring my HDDs. It asked for direct disk access, so I said "fine" and of course created a rule for the future. A couple of minutes later... prompt for the same thing. "Didn't I click 'create rule'?". So I did it again. A couple of minutes later... :mad:
    So I disable prompts about direct disk access... :cautious:

    Then I reboot for some reason or another and... desktop won't load. Can't launch task manager. But still can reboot from the "switch user screen".
    Still nothing. Check boot logs in safe mode. Stuck somewhere around network drivers? Hm...
    Uninstalling Outpost using Agnitum's clean tool.

    Boots fine again. Alright... screw Outpost. Wasn't Comodo supposed to be decent? Let's check that out.
    Wait, why do I not have internet access? Oh man, is Windows now still looking for some Agnitum network driver, even though it isn't there any more?!
    (Can't remember how the hell I solved this but I did...)
    Installing Comodo...
    Some Asrock tool that I haven't used forever and I have disabled the automatic start for suddenly starts. OK...? Weird.
    *Plop*. What the... man, how I hate sounds for firewall prompts. Let me just quickly disable those. Hm... where are the sound settings? Where are ANY settings?!
    This could become interesting...
    Another prompt. Where do I set that I only want to let it access localhost? Oh, I can't. Great. Moving on...
    *Plop*
    Gnah, I just accidentally clicked allow, even though I wanted to deny! Let me just edit those rules. What the... where are the damn rules?!
    Uninstalling Comodo... (which I later discovered didn't uninstall the whole suite but just the firewall... because it makes sense to have the user uninstall all modules separately when they were installed as a package...)

    What do I do now? Bitdefender caused BSOD, Kaspersky would probably screw up my system (@ Q Section: while it may be true in general what you say about reviews - if many reviews complain about that thing filling up their SSD and you also use a small SSD for your OS yourself... I for one wouldn't and didn't take that chance.) and Comodo is simplified crap.

    *Sigh* Back to Outpost then. :ouch:
    Setting it all up, this time making sure right away that my computer reboots just fine after installing it.
    Yup. Everything fine.
    So now let's just dial up those Anti-Malware and Anti-Leak settings.

    Still gotta reboot one more time to get rid of Comodo leftovers.
    WHAT THE F)/@:=?!
    Desktop can't be loaded again!
    Didn't somebody at Wilders at some point suggest that prompts may be "shown" even though you can't yet interact with them?
    Damn you, Outpost!
    Uninstalling in safe mode, blabla...

    Now.. why "Damn you, Outpost"?
    Because in my humble opinion, just cranking up the Anti-Leak shouldn't result in an unbootable system just because some startup program might ask for direct disk access (*cough*)!
    Outpost should be smart enough to do "block once" on everything there are no rules for until the boot process has finished. And then maybe even pop up a log of what it blocked automatically during startup.
    I mean seriously... I'm sure Outpost does a looot of things more complicated than that.

    So now I'm running mostly with default settings and have to think about whether it's worth it adding exclusions and still increase the Anti-Leak. Because I may forget that I did that and may be dumbfounded as to why my computer doesn't boot all of a sudden after installing some new tool that requires privileges during startup.
    I guess due to the added realtime Anti-Malware module as well as the Web control module, I may be a bit safer than before but man... those hours described above were damn annoying!
    And... Agnitum can just be glad that their main competitors suck even more.
     
    Last edited: Aug 25, 2013
  9. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    You did turn auto learn on for an hour or a day to get rid of the first load of prompts?

    I have in the past needed to reset via hardware as outpost caught too many programs loading and froze.
    Second boot worked fine though.
     
  10. sh4dow

    sh4dow Registered Member

    Joined:
    Mar 3, 2006
    Posts:
    15
    I guess that would be a way to do it. However, I don't want Outpost to learn automatically. I want full control.
    I suppose one could say "Well, then add those exclusions manually too". And it's a fair point to make. But I'm sticking with the suggestion I made above because even proficient users can forget about something. And having their system freeze because of it seems a bit harsh if it could be avoided that easily.

    Never had an issue like that myself. I wonder how that would even work, seeing as both Windows and Outpost appear to do things in a purely sequential manner during startup...
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Although this post has little to do with separation of FW and AV, for the sake of those commenting on Outpost FW Pro, a good link for questions answered by OP users and sometimes beta testers is:

    http://www.outpostfirewall.com/forum


    On the specifics of OP setup, users should remove all other 3rd party FWs, do a cleanup, reboot, then install the latest version of OP. On FW Pro it is at 8.1 at this time.

    Then let OP run for at least a week under auto learning mode. At the end of that period go into the rules and other settings and tighten them up.
     
  12. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    778
    Location:
    Headquarters - London & Field Offices -Worldwide
    It is well known that at least some antivirus programmes run well in conjunction with Outpost Firewall. We know of some installations that are successfully doing it on some of their non-networked computers. They have not tried Kaspersky Antivirus and Outpost Firewall yet but will in the near future.

    Another more helpful thread was located with some positive claims here at the Outpost Firewall forum concerning using Kaspersky and Outpost together. There and in a few other various posts in a few places it is said to first install the antivirus and then Outpost Firewall. In the settings it will be a good call to decide which HIPS to use if both the AV and FW have it (as Outpost does). We believe the HIPS supplied by Outpost Firewall is superior to many other HIPS including NOD32's.

    One more consideration that perhaps many have thought but was not expressed in this thread is that it makes no sense to completely allow a programme's access to the web in the firewall's rules. For example some more complex programmes have several components that want to have web access, such as a browser with accompanying plugins. Some of these plugins or even some of the components of the browser that are not used to operate the main functionality may not be merely checking for the latest version updates. We have not seen any testing by any independent party to see if those executables which are wanting outbound permission are actually only trying to check for updates or perhaps something additional like phoning home with some captured information. This is very plausible. Maxthon browser phoned home in the past trying to send further information. (It is unknown if it still does.) Also some programmes do not include an option to not check for updates and the user may not want this part of the programme to go outbound.

    So to have fine-grained control is a very desirable ability of a firewall. Although it is a one-time task (that might take a week) to set all these rules and settings, afterwards, one can rest on having everything working well together. One programme that can be used to check on outbound traffic is called What Is Transferring? but this is an older programme that was built for Windows 2000 and XP but works also with Vista 64. We have not tested it to learn if it works on Windows 7 or 8 yet.

    Lastly, if we get a report of a computer using Outpost Firewall and Kaspersky Antivirus 2014 (out now) successfully or not we will post about it.

    Best wishes!
     
    Last edited: Sep 2, 2013
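    Both safeguy's remark that the Vista-and-later firewall allows outbound traffic until you configure it, and Q Section's point about giving each component of a programme only the access it needs, come down to the same two settings: the profile's default outbound action and per-program rules. The script below is an added example, not something posted in the thread or shipped by any vendor named in it; it uses netsh advfirewall (present on Vista/7/8) plus the NetSecurity cmdlets where they exist (Windows 8 and later). The rule names and program paths are placeholders.

```powershell
# Added example (not from the thread): inspect and tighten Windows Firewall
# outbound policy. Run from an elevated prompt. Paths and rule names are
# placeholders to adjust for the machine in question.

# 1. Current state: a default install reports AllowOutbound for every profile.
netsh advfirewall show allprofiles

# 2. Make "no rule" mean "blocked" for outbound too, and log what gets dropped
#    so that a newly installed tool that fails silently can be found in the log
#    instead of by guessing.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

# 3. Fine-grained rules: only the browser executable itself gets the web, and
#    only on the ports it needs. The bundled updater gets an explicit block
#    rule; block rules win over allow rules, so a later broad allow for the
#    same path cannot quietly reopen it.
$browser = 'C:\Program Files\ExampleBrowser\browser.exe'   # placeholder path
netsh advfirewall firewall add rule name="Browser - web out" dir=out action=allow program="$browser" protocol=TCP remoteport=80,443 enable=yes

$updater = 'C:\Program Files\ExampleBrowser\updater.exe'   # placeholder path
netsh advfirewall firewall add rule name="Browser updater - blocked" dir=out action=block program="$updater" enable=yes

# 4. Review the outbound allow list. This is exactly the list that a program
#    running with admin rights could rewrite, so keep an exported copy and
#    compare it against a fresh export later.
netsh advfirewall firewall show rule name=all dir=out | Select-String -Pattern 'Rule Name|Program|Action'
netsh advfirewall export "$env:USERPROFILE\firewall-baseline.wfw"

# Same profile check with the NetSecurity module (Windows 8 / Server 2012+):
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction, LogBlocked
```

    After step 2, anything that has no allow rule is dropped and written to pfirewall.log; reading that log after a reboot is the quickest way to see which startup components were trying to reach out, which is the same information the thread wishes Outpost would collect automatically during boot.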
  13. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Who is we?
     
  14. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    your post at our forum was labelled as suggestion (there is a suggestions sub-forum there), which may have caused the firewall users to ignore it. we are an all-user run forum, independent of Agnitum, tho they do fund it. OLE automation is also a topic most of us are not too up on. after looking at it, i think you are really asking a different question, so i answered your thread there. hopefully it will help. if you post and do not get a response in a reasonable amt. of time, you can always ask again by posting in the thread to bump it up the new posts list.

    i personally use the all-in-one security suite to avoid conflict with third party AVs, and tend not to frequent the firewall only or AV only sub-fora.

    as far as kaspersky is concerned, a search on our forum reveals a number of problems getting it to work, so i personally would not recommend it. a number of 3rd party AVs work as a proxy, redirecting all internet traffic thru themselves, thus bypassing all of the application and ip/port based rules of the firewall, only obeying rules set up for the AV app itself. there are other AVs that work better with outpost, a search of our forum will bring up a number of threads discussing which one users find is best. (see also previous post no.37)
     
    Last edited: Sep 2, 2013
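    Two posts above describe the same mechanism from different angles: act8192 saw PCAudit2 trying to reach the Avast (12080) and Avira (44080) loopback proxy ports through other processes, and kronckew notes that once an AV proxies all traffic, the firewall's per-application rules end up governing the proxy process rather than the browser. The script below is an added example (not posted in the thread) that makes that visible: it maps every established TCP connection to its owning process and separates the loopback hops into the proxy from the real outbound connections. It needs Get-NetTCPConnection (Windows 8 / Server 2012 or later); on Windows 7 the same information comes from netstat -ano plus Get-Process on the PID column. The proxy port numbers are the ones quoted in the thread and should be changed to match whatever AV is installed.

```powershell
# Added example (not from the thread): which process really owns each outbound
# connection when a local AV proxy sits in the path.

$proxyPorts = @(12080, 44080)   # loopback proxy ports quoted in the thread; adjust

function Get-ConnectionOwners {
    # One object per established TCP connection, annotated with the owning
    # process name and whether the connection is a loopback hop into the proxy.
    Get-NetTCPConnection -State Established | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $isLoopback = $_.RemoteAddress -in @('127.0.0.1', '::1')
        [pscustomobject]@{
            Process    = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            RemotePort = $_.RemotePort
            Loopback   = $isLoopback
            ToProxy    = $isLoopback -and ($_.RemotePort -in $proxyPorts)
        }
    }
}

$conns = Get-ConnectionOwners

"Connections into the local proxy port(s) - these are the applications being proxied:"
$conns | Where-Object ToProxy | Sort-Object Process | Format-Table -AutoSize

"Processes talking to non-loopback addresses - these are what per-application outbound rules actually govern:"
$conns | Where-Object { -not $_.Loopback } | Group-Object Process |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize

"Listeners on the proxy ports - expect only the AV's own process here:"
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in $proxyPorts } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "{0} listens on {1}:{2}" -f $(if ($owner) { $owner.ProcessName } else { 'unknown' }), $_.LocalAddress, $_.LocalPort
    }
```

    If the second table shows only the AV's proxy process reaching the internet while the browser appears only in the first table, the firewall's rule for the browser is not what decides whether its traffic leaves the machine; the rule for the proxy process is. That is the situation in which an unexpected process appearing in the first table (something hooking into the proxied path, as PCAudit2 attempts) is worth investigating, and also why the thread's advice to restrict which programs may reach the proxy port matters.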
  15. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Thanks kronckew. I didn't realize that the forum wasn't Agnitum's official forum (although I'm sure it's clearly stated all over the place! :D). I moved back to Jetico, but that is good info for the future if I go back to Outpost.
     
  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Windows 7 firewall is good but bothers me since I always want to see things like where I connect. I know tcpview etc can help a bit. And it is possible to use good tools like Process Explorer to find out what is running.

    Still they are limited when you think your computer is had and maybe progs installed like sending things out about what you do in internet and stuff like that. And them HIPS are just paranoia raising. And compatibility is a problem with security software.

    I like Sandboxie a lot. I trust it more than any other program for my security. Still it has conflicts, like even with Avast antivirus. You have to disable avast behavior shield for: Monitor the system for unauthorized modifications.

    To make it start up fast and what ever.

    Latest I have tried Comodo firewall and it definitely makes Sandboxie start slower and with my Avast slower start and eventually a BSOD.

    ZA did work better but messed also a bit. And ZA does not give any much about connections. I felt not trusting it.

    Online Armor free after first installed gave a freeze soon with Sandboxie 4.04 and Avast. After a few reboots all seem working, OA webshield disabled. It gives me information about my connections better than the other 2. Still the logging sucks, there is a filter for that but it is not working as it should.
    And there is definitely the feeling it is not doing that well with Sandboxie. The browser starts slow and it would be a nightmare for me to get a BSOD. Installing software can also be most intimidating with a HIPS firewall.

    So I guess I will at some time be back with just a windows 7 firewall. I miss those XP times when we had just good basic logging firewalls like Sygate and Kerio 2.1.5. With no HIPS. I mean Kerio 2.1.5 did not have any logging filter, except you could do your manual filtering like as you wished.

    Nowadays we are stuck I guess with some VPN solutions if we are suspecting our privacy.
     
    Last edited: Sep 3, 2013
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    IMO, if your main concern is privacy I am afraid that the most effective solutions are VPNs and isolation including a different OS than Microsoft Windows.

    For malware/security issues the key is to be selective in what to install. What gets in needs full trust and permissions and what is out is out. Key to this approach is keeping everything fully up-to-date. So, only software that you trust and a good security solution (firewall/HIPS/BB/etc) that will take care of keeping the untrusted out.
     
  18. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,033
    Location:
    California
    Hello,

    Speaking as someone who works for a developer of anti-malware software which includes firewall functionality, but not as someone involved in their coding, the general reason you see incompatibilities between anti-malware and firewall applications is because they perform functions using the same resources.

    For example, an "antivirus" program might access the network interface for scanning downloaded files, and a "firewall" might intercept file I/O to look for modified applications and so forth.

    Conflicts can occur when the two programs intercept the same action and attempt to perform some kind of exclusive action.

    It's not an attempt by vendors to get you to use their all-inclusive suite or whatever, just a matter of limited points of interception that the security software can use and still be a "good neighbor" to other programs, let alone the operating system, on the computer. The days of doing things like in-memory patching of the operating system's kernel are long gone.

    Fortunately, there are workarounds: As general solutions go, one can configure each program to exclude the other's files/processes/objects/network activity from being monitored. Another option would be to disable duplicate or incompatible functionality in one of the programs. And, of course, one can always take the approach of choosing to replace incompatible software with programs which are compatible (the "I'll vote with my dollars" approach).

    Regards,

    Aryeh Goretsky
     
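    The "limited points of interception" Aryeh describes are concrete objects on the machine: file-system minifilters for file I/O, NDIS filters bound to the network adapters (the "ndis" entries trott3r removed from his network connections earlier in the thread), and Windows Filtering Platform providers and callouts for the network path that both host firewalls and AV web scanners register. The read-only script below is an added example, not from the thread or from any vendor in it; it enumerates those three layers so that an overlap between two products can be seen before deciding which module to disable or which process to exclude. fltmc and netsh exist on Vista and later; Get-NetAdapterBinding needs Windows 8 or later (netcfg -s n lists the same components on Windows 7). Run it elevated.

```powershell
# Added example (not from the thread): enumerate the interception points that two
# security products may be competing for. Read-only; run from an elevated prompt.

# 1. File-system minifilters. Every AV/HIPS that inspects file I/O loads one;
#    the altitude fixes the order in which they see the same open/write. Two
#    products in the same altitude band both see every file operation.
fltmc filters
fltmc instances      # which volumes each filter is attached to

# 2. NDIS components bound to each adapter. Microsoft's own components carry
#    ms_* IDs; anything else is a third-party filter or protocol driver
#    (the "ndis" entries visible in the adapter's properties dialog).
Get-NetAdapterBinding |
    Where-Object { $_.ComponentID -notlike 'ms_*' } |
    Select-Object Name, DisplayName, ComponentID, Enabled |
    Format-Table -AutoSize

# 3. Windows Filtering Platform state: providers, callouts and filters that
#    host firewalls and AV network scanners register. The dump is XML; listing
#    the <name> elements is enough to see which products are present.
$dump = Join-Path $env:TEMP 'wfpstate.xml'
netsh wfp show state file="$dump" | Out-Null
Select-String -Path $dump -Pattern '<name>' |
    ForEach-Object { $_.Line.Trim() } |
    Sort-Object -Unique
```

    Each list is a place where, in Aryeh's words, two programs can intercept the same action. Seeing an AV's minifilter and a HIPS's minifilter stacked in step 1, or two WFP providers in step 3, tells you which of the two workarounds he names applies: disable the duplicated module in one product, or exclude the other product's processes from it.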
  19. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    778
    Location:
    Headquarters - London & Field Offices -Worldwide
    Last edited: Nov 20, 2013
  20. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    725
    I got rid of kaspersky because it tried to tell me what programs to have on my pc
     
  21. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    725
    i dumped kaspersky for trying to tell me what programs to hav on my pc
     
  22. silver0066

    silver0066 Registered Member

    Joined:
    Dec 31, 2004
    Posts:
    994
    Try Windows Firewall Control v4.0.42. It works just fine with KAV.
     
  23. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    That's not my experience with kaspersky.
     