BlackICE Defender : Comments Please

I liked its component control where it identidies any new dl files associated with a program... But there my fondness stopped... A pain to configure (it does have autoconfiguration, but i rarely use it, and its compulsory in this one)
The interface is tacky at best... and I believe both pros and newbies have been put off by it at one point or another...
It's best for a newbie I guess... Light, free, comes with advanced features...
Any comments?

 

What version of BID are you using?

What's your OS?

What sort of internet connection do you have? (dial-up, DSL, cable, satellite)

Is this a stand-alone machine connected to the Internet or is it part of a private LAN using a router (hardware or software) or a hub to obtain Internet access?

Do you have a hardware-based firewall (even a NAT router) or a software firewall (other than BID) on the machine?

I ask these questions because I'm on dial-up, behind a router (yes, there really are routers that support dial-up! ) and use a software (host-based, if you prefer) firewall also. Consequently, BID really only functions in its initial form here -- i.e., as an Intrusion Detection System (IDS). I don't use the application or communication control features. My version is getting a bit long in the tooth at this point, and I must agree that both the application and communication control were also a bit more of a nuisance than I think they need to be. But that may have changed in the more recent releases.

 

Hi jvmorris,

Are you referring to those routers that allow you to hook up external dial up modems as a fallback to the primary broadband connection? Or are there actually routers that are only dial up? The only one I ever came across was the WebRamp. Could you provide a link to where these dial up only routers can be found?

Sorry if this strays from the thread a little.

Thanks

 

hi
jvmorris: latest version, WinXP, yes I have router+hardware firewall, ADSL, standalone, 3 software firewalls (don't say "conflict" 'coz they're all completely conflict free and it's been almost 45 days)
devinco: no probs (but i would like ur verdict on blackice)

 

Sorry, no experience with BlackIce.

 

Fellow Creatures,
I have also been wondering about this one? Would it be right for me? So if no one objects I will pretend to be no13 and answer some of jvmorris questions to further prompt discussion and then lay back as it is not my thread.

Lets assume Cable connection on a Wireless Router with Hardware firewall up and running stopping everything coming in on 2 XP Home systems. One hard wared to router the other wireless. Pretty sure I'm NAT as they call it. NetGear Router and linksys "wireless reciever" Sorry I'm not network savy (even more ). I do read that BlackIce (Inernet Security Systems Ticker symbol ISSX) are always getting valnerable to something and patching something based on some of those security watchdog groups that find stuff and report to companies for patch. Probably really no more then NPF though.

Sorry no13 we cross posted.

 

ya...NPF passes most tests... but I junked it because it was very VERY heavy on system requirements. And partly because it always wanted to talk to norton's servers... maybe it was homesick... i dunno what was so important that inspite of my best attempts, i couldn't stop it.
NOTE: blocking NPF or NIS processes is really not gonna work, because now it functions like a proxy server - maybe not the right terminology (even I'm not network savvy, but i shall be, soon enough with CCNA (yaaay!) ) - but you get the point, right? It channels ALL network access requests thru itself. So byebye other simultaneous firewall ...as good as useless, because norton's already allowed network activity by the time you step in. pfff...

 

Hi guys!

What BID version are we discussing here? BID 2.9cai and earlier are noted to be ineffective in filtering outbound packets (http://grc.com/lt/leaktest.htm) and didn't pass GRC's Leaktest.

No13, 3 FW's plus a router is hardly ever recommended unless one is exceptionally adept at configuring them. I guess you are to have gone 45 days with no conflict... Wow! Must have taken you days just to set up the rules!

Anyway, you asked for comments. IMO, I'd give up BID without hesitation and toss a coin to know whether I let go of ZA or Kerio.

 

I too tried BlackICE off and on for years, but always ended up with Kerio, Agnitum, or Sygate (until I found it can't control local proxies). Now that I'm offering services to friends (FTP), I wouldn't be without BI. Don't forget the IPS in addition to the IDS with BI. It prevents as well as alerts. If someone tries to access above their home FTP directory, I know about it, as even though I've allowed inbound FTP and told BI so, it still watches the connection. Going through the .ini files is an eye opener, as the IDS seems to cover everything, more than I've seen with Kerio and Outpost. The Advanced Administrtors Guide will show how to configure even more options than the GUI allows. If installed on a clean machine, the app protection works well. My belief is the outbound connection stuff (ie. I want Opera to connect only to port 80) is really a privacy thing.

That being said, I like outbound control. Luckily, Kerio 2.15 or 4.x has no problem running with BI. The one thing that could be better with BI is the app protection takes a while to kick in...nothing will get out, but it's just a delay before the warning box pops up. Kerio 4x or System Safety Monitor kick in much quicker. Other than that, I now love BI.

P

 

Yeah, if it wasn't for component control, I'd have ditched BlackICE (home users prefer good interfaces). Also, if you have time (and you know snort) you can mess around with Kerio's IDS too (it alerts occasionally and blocks when you've set it to).
err.. what's system safety monitor? how d'you use it?

 

System Safety Monitor can be found here:

http://maxcomputing.narod.ru/ssme.html?lang=en

Beware, the site is VERY slow, so it takes quite a long time to load the page. If you're patient, it'll eventually come up.

SSM is basically an "application firewall" of sorts. It will ask you to allow or deny apps to run. It also watches over parts of the registry and allows you to ok changes etc. It has nothing to do with internet access or anything, just whether or not an app can execute or change the registry.

I played with it for a while and found it interesting, but in the end I dumped it. I figured if I was running an app, then I was bound to give it permission to run since that's what I was trying to do... run the app. So what's the point in having a program ask you for permission? Seems like having a good AV was more important. But some might like it for catching execution of rogue programs I guess.. I just figured I'd probably say "ok" to anything I'm running anyway, so why bother with it.

It's worth looking at though, I guess...

 

For applications you run yourself, this is very true. However SSM will intercept calls between applications - I had a case of a Windows desktop theme bundled using Lycos' FileSubmit which tried to install three adware programs (BonziBuddy, the iGetNet browser hijacker and Lycos SideSearch) without asking permission - SSM however intercepted the calls to each individual installer and I (with some help from Google ) identified them as undesireables and stopped them running.

SSM will also intercept DLL-injection, memory injection, process termination and (with the latest version) driver installation. This can provide some valuable insights into how your system works but also provides warning of suspect programs (if a recently downloaded "picture viewer" starts trying to inject itself into your firewall, terminate your anti-virus scanner and plop a driver on your system, then you know something's fishy about it!).

Finally SSM's plugins alert you to alterations to many Registry keys, IE settings and .ini file settings - these are all targets for adware/spyware so this offers a further layer of protection and warning.

 

Hi Paranoid2000.. I remember you recently from the Outpost forums. Thanks for your comments and help. I may try SSM again and see how I like it. I do try to be very careful about what I install here though.

BTW, I just purchased Outpost Pro tonight and am very happy with it so far. I've tried them all and it seems like one of the best.

 

About SSM
kerio 4x pulls the app control the same way, and I have sundry apps to take care of the startup programs (wherever they wanna start up from, I can block them)
So I'm really satistfied right now.
Any one hazards a final word on BlackICE?