BlackIce Pc Security.

Discussion in 'other firewalls' started by bigc73542, Nov 20, 2003.

Thread Status:
Not open for further replies.
  1. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,932
    Location:
    SW. Oklahoma
    Well I tried to give BlackIce a fair test. But in just three days it cut it's own throat with me. It started by not allowing trusted apps. to run. Then the next day it was blocking the resident av scanner from working. I uninstalled mcafee thinking maybe they don't like each other. I tried Panda, PC-Cillin,AVK,nod,And finally kav. In each case it would refuse to let the av's connect to the internet for updates.I shut down the application control and it still refused to allow any connections.Next I shut down the firewall along with the application control.To be able to update any av or spywareblaster or spywareguard and A2 I actually had to uninstall BlackIce.I have a hardware firewall so I don't need A program that really sucks. For a personal firewall just to look for out bound malware I will just use Kerio 2.1.5, You just can't go wrong with it. I have a really shiney BlackIce cd with a year and a half of def updates if someone wants to do a little skeet shooting :D
     
  2. dom424

    dom424 Registered Member

    Joined:
    Aug 19, 2002
    Posts:
    41
    Location:
    Enid, OK.
    When you installed it did you let it do a baseline scan? I never had problems like you are talking about. When I install a new app I will put it in install mode or something like that and then after what I am installing is installed it comes out of that mode and then I let it update. Then it never asked about that app again unless it is updated. Every once in awhile it will stop the BOClean update but that is about all the trouble I have with it.
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,932
    Location:
    SW. Oklahoma
    It did a scan I manually did the scan at least eight times uninstalled and installed three times but it is still a turkey and it has taken up all of my time I intend to let it.I appreciate the help but I am not going to mess around with it anymore.


    [move]Kerio 2.1.5[/move]
     
  4. dom424

    dom424 Registered Member

    Joined:
    Aug 19, 2002
    Posts:
    41
    Location:
    Enid, OK.
    I can understand your flustration. I get that way with ZAP on my XP computer. I think I have it fixed and then all of a sudden I am back to those TrueVector errors and constant reboots. ZAP never acts up on the 2k computer. Never.

    I hope whatever firewall you decide to use serves you well with no problems.
     
  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,932
    Location:
    SW. Oklahoma
    Fortunatlly there are a couple of good free ones that I have tried over the years that work well. I really like kerio2.1.5 I have never had a problem with it on any windows os. ;)
     
  6. lycanusmaximus

    lycanusmaximus Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    4
    Last month I installed ZoneAlarm Pro to run along with my BlackICE PC Protection. They get along very well. But with one unique thing I noticed... ZAP was SO effective nothing got through to BI.
    I mean NOTHING. I believe ZAP somehow set itself up as the outer layer defense, and BI the inner. Therefore nothing got through layer 1 for layer 2 to 'see'.
    So, I uninstalled BI, and have been happily running ZAP since.
    :D :D :D :D
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,932
    Location:
    SW. Oklahoma
    That is the way I felt when I got a router with a hardware firewall It didn't leave my software firewall much to do. I just kept it to filter outgoing, didn't want it to fell left out ;)
     
  8. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    If you run ZA with BI, ZA picks up alarms / blocks things first - as will any firewall other than Sygate (which blocks about 50% before BI does). I believe this is to do with the way BI and its IDS work - and the fact that BI picks things up after ZA does not in any way mean it is less effective.

    As for the GRC reports on BI - Gibson has never liked BI and has never ever tested the latest version of it (he always uses a version which is several releases out of date) and he never configures it properly.

    If you set BI to paranoid, run a baseline and block port 113 - it passes ALL leaktests, monitors all outgoing data for activity which is known to be dangerous (you can turn on packet logging to examine data later) and will alert you if a new application tries to execute, connect to the network or send any data. it also alerts you if any application has changed.

    BI looks for activity which is dodgy and will not waste your time asking you if it is Ok for each app to connect to the net. (it has even notified me when i have had a "dummy worm" emailed to me to test my email security) - cool eh!

    As I said in my earlier post, I have used BI for ages now and Im happy with it as it does its job silently and does not irritate me asking me questions all the time. Having said that, Im not naieve enough to think any software firewall is 100% secure - since the OS it sits on and interfaces with is itself insecure. If security was that important to me I would plumb in a nat router to work with BI - but Im not that bothered.

    Security for me is a cost/benifit or risk analysis problem - Im fairly sure my BI and other security measures are tough enough to keep the vast majority of hackers out - since Im just your average bloke on the net and not some corporation.
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Actually there was a time when BID was one of the greatest things since sliced bread on the GRC site. That was before ZA and most of the current software firewalls that are available today.

    Regards,

    CrazyM
     
  10. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Possibly, but now he has stated that he has no interest in hearing anyones point of view on BI if it is different from his - particuarly when it has been pointed out that he always tests an old version and never configures it properly.

    Anyhow, the leaktest business was the reason I made my previous comment. I have tested BI and it passes all leaktests when application protection / comunication protection is turned on.
     
  11. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
  12. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    All you need do is have a clean system and run a baseline and ensure application protection is turned on.

    I have tested the leaktest you mention and it is detected by BI.

    Once a baseline has been run BI will detect ANY (including trojans) new application which tries to run. It will detect any modifications to any application also.

    On my system, I do a fresh OS install etc. I then delete any junk files etc, then do an adaware, f-secure, spycop & tauscan scan - which should mean my PC is clean - then I do a baseline with BI and turn on application protection / communication protection. After I have done this, any new programme which even tries to run is picked up by BI. BI will then ask you what you want to do. If you allow it to run there is a good chance BI will also then detect it trying to connect to the network and ask you if you want it to do this. BI uses "fingerprints" of what it knows to be dangerous communication - a bit like an AV uses a database to scan for viruses. It looks at the packets of data entering and leaving your PC and if it detects anything which it thinks looks dangerous, it will block it. In some cases if you tell BI to let a new app run (ie a leaktest) it wont always alert you to it sending data - for 2 reasons - firstly, it will look at the data being sent and if il does not fit its definition of being dangerous then it will allow it to be transmitted. Secondly, if you have told BI that the application is trusted - it will trust it as any information it sends will not be classed as unsolicited -(BI will block any unsolicited request for info etc from outside the PC - this is why - even after modifying the firewall.ini file to reject pings, BI fails the Ping stealth test at PC Flank - as the request for the ping came from the PC itself (if you get someone else to ping you you will be stealthed - as in that case the request for ping was unsolicited and from an unknown external location).

    Anyhow, since these leaktests are harmless, BI will not have their signature added to ita "fingerprint" database (however, they did add the fingerprint of Gibsons first leaktest so it blocked it - he got all upset and tried to slag BI off) - but it will pick up other nasties.

    For example - BI even picks up nasty code on websites - which is designed to comprimise a system - as, like I say it looks at every single packet of data entering and leaving your PC - so will detect things like that.

    I feel the main advantage of the way BI behaves is that it is like a doorman/bouncer - it examines what is coming in and going out - even on a port which is open or application which is allowed. It will detect most behaviour which is dangerous - whereas other basic firewalls like ZA etc will allow any communication with a trusted port or app - these firewalls dont have the ability to see what is dangerous. EG - I use windows messenger lots as i have family all over the world. In order to use video etc, I can "allow" say my sisters IP address via BI. Even on this allowed address BI will block any hacker activity.

    Anyhow, I know people seem to get attached to their firewalls, so I guess you may as well stick to the one you use etc. I have used BI for years and have found it to be so easy to use, it never fails me, never wastes my time by asking me stupid questions and alerting me to thing of no importance.
     
  13. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I ran the leaktest with what you said on, and BI recognizes the launching, but won't stop the test. What could I be doing wrong? I don't want to have to do a clean install just for the Leaktest.
     
  14. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I honestly dont know if you are doing something wrong.

    The point is that as I said, if you have a clean system BI detects any new app when it runs - so you are safe.

    When I ran it BI first alerted me to the new application, so I allowed it to run, then BI popped up with several alerts asking me if I wanted (I dont remember their names) various other applications to access the network. I guess this is because the test uses dll injection or whatever it is called and was using these apps to try and sneek out.

    Are you using the latest version of BI? Version 3.6 cbz is the latest.

    Ensure on the "Application Protection" tab, you have both "Enable Application Protection" and "Protect Agent Files" boxes ticked. On the "Communication Control" tab tick the box for Application Control.

    Anyhow, the truth of the matter is that BI will protect you from any trojan etc if you run a baseline on a fresh clean system.

    With any firewall, once you trust an application you cant be sure what it is sending - but at least with BI you can turn on packet logging and see exactly what any app has sent and to where.

    If you look under "Advanced Application Protection Settings" you will see a list of all the known apps on your system. Here (the black triangles) you can block any app from running and/or from communicating with the network.

    These leaktests should be taken with a pinch of salt I feel. If you are a home user with a good AV, adaware scanner , AT etc you should be 99.9% safe. The truth of the matter is that if someone out there wants to hack you they will do it via some trojan or bit of spyware. So a firewall is just part of the solution.

    Hope this helps.
     
  15. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I have the latest version, so I guess I need a fresh system - and I can't do that right now. I still feel better when the LeakTests are stopped. I have a router, so my software firewall mainly blocks outbound.
     
  16. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    BTW, I'm running BlackICE with ZAPro, because BlackICE covers some of ZAP's weaknesses. Should BI's application control be turned off?
     
  17. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    BI, as well as System Safety Monitor and Abstrusion Protector is a kind of sandboxe with IDS in addition, in no way it passes leaktests, it simply block
    them.

    The day you will mistakenlly allow something to run and that your firewall will be bypassed, you will see the difference between to "pass" and to "block" a leaktest.

    Anyway i don't say BI is bad, it is probably fairly good, but personally i like SSM. Oups ok, this thread is about BI only sorry :)
     
  18. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    The advantage BI has over other software firewalls is that it looks inside the packets being sent - whereas other firewalls dont.

    I have tried many software firewalls but felt unsafe with them Eg- they all seem to ask that a user gives an application "truseted" status etc - thereafter that application will be able to communicate with the network - so how do you know that at some point that application wont try to send something bad or be used by a trojan to send data? - the answer is you dont - and your firewall wont save you as it will just let that app do what it wants. BI would save you as it does not just blindly trust any app - it will still look in detail at what each application is actualy sending and recieving - and if it thinks it is dodgy it will block it.

    I usew kazaa lite and when that is running BI blocks hundreds of hacks every hour - whereas a normal firewall will not as it does not know what is going on.

    This demo at the BI website explains what Im talking about.
    http://blackice.iss.net/demo.php
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    A firewall is a firewall.

    A software watching inside packet isn't a firewall but an IDS.

    don't talk about something you don't know.

    I can.

    Many firewall detects and block the software _hijacking_, apprently you can't imagine that, but fortunaly it exists and is common among firewalls. For instance many firewall block "Tooleaky" leaktests while this trying to use a fully trusted IE.

    May be you should stay focus on BI.
     
  20. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Agreed!

    Again, I agree. BI however, as most people know, has an IDS combined with a firewall.

    That is self eviednt!

    Nothing I have said here can justify your statement. What I have said is that in addition to offering the usual firewall opperations, BI will continually inspect the data being sent by a trusted app/IP asddress/IP range/port range, looking for known hacking activity, worm like activity etc - most firewalls do not.

    My point earlier in my reply to mvdu was that BI blocked the leaktest he mentioned as it picked up the fact that it was trying to comunicate via other apps.

    And perhaps you should be less arrogant and rude. This forum is here so that people can exchange ideas, offer advice and give support. It is not here for people to be insulting and try to start arguments, simply because someone says something you dont agree with.
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Gents,

    In order to keep this board a friendly place for all, please pick your wording carefully. One can express an opinion in a respectful way - and disagree on the contents at the same time.

    regards.

    paul
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I am not rude, but try to understand me :

    each time i say that leaktests are meant to show vulnerabilities of firewalls, each time people answer me that their sandboxe "pass" them.

    That was my main point, and i am sorry if you thought that i am against any idea sharing, i am fully for that, i think that many post on this forum show that.
    But should it mean that each time i see an idea not fully true i should say nothing ?

    Again sorry if you take it for you, i just wanted to distinguish a firewall from an IDS and a sandboxe (that BI seems to be all of that).
     
  23. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    No worries.

    This link provides an explanation as to what BlackICE is.

    http://www.iss.net/security_center/advice/Support/KB/q000025/default.htm

    I have used BI for many years now and therefore Im comfortable with the way it works - however, I can fully understand that the users of normal software firewalls will find BI strange when they try it (if a trial is available? - I think one is somewhere). The link above will help non BI users see how it works.

    Anyhow. as I have said before, I personally dont think any software firewall would stand up against a real serious hacker with serious backup. However, I would be interested to see some serious tests done on a bunch of the main firewalls to see how they stand up to hack attempts - and I mean a complex set of attacks that a hacker may use - any takers for this - or any links to tests which have been done?
     
  24. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    totally agree :)

    If you want a very simple thing to bypass sandboxe and firewalls (may be IDS too i don't know), just read this
    http://www.wilderssecurity.com/showthread.php?t=20437

    I have tried it and it is really scary i think.

    If you want a set of tests of "firewalls against leaktests" the link on my sig has many.

    I am writing something i hope to publish soon on my website, but as a quick answser i would just say that a firewall is just a security tool among others, and like you said, alone it can't fight and win against everything.
     
  25. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I think I tried the test you mean. I downloaded it and opened it - and it tried to activate - but BI pipped up its application protection with the message "ntvdm.exe (my pics.folder.malware.exe) You can either terminate the programme or allow it to continue" I allowed it to run and then it stuck some flames up within ie. I guess it did not try to connect to the network?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.