Firewalls that include "WhoIs"

Discussion in 'other firewalls' started by Steven Avery, Nov 23, 2007.

Thread Status:
Not open for further replies.
  1. Steven Avery

    Steven Avery Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    110
    Hi Folks,

    Here is an absurdly simple question. Probably been asked 1000 times.

    Do some of the good Firewalls include a strong "WhoIs" with their alerts rather than simply an IP#? Why don't I find such in Sunbelt-Kerio (free) and some others I have tried?

    This is one of the most critical usability issues. Why should I have to go through multiple steps to research so many alerts? I almost always want to know who and where.

    Your thoughts on this. Am I missing something? Or is it just a question of which Firewall and which version (e.g. paid/free)?

    Thanks..

    Shalom,
    Steven
     
  2. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    37
    Not too many that I know of. One that does is Jetico Personal Firewall v.1.0 freeware. Maybe version 2 does also but I have not tried that.
    http://www.jetico.com/jpfwall.exe

    Good luck
     
  3. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Sygate can look up an IP in the Whois database.

    Open Sygate Firewall => Logs (try traffic) => Right-click an entry => Back trace => Whois

    thanatos
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This firewall does not do a (Whois) lookup; it takes the info from the cache/application (so no need to allow the firewall direct internet access).
    After user requests, version 2 does the same.
     
  5. Sealord

    Sealord Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    37
    Aha - so that's how it does it. Thanks for the clarification!
     
  6. Steven Avery

    Steven Avery Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    110
    Thanks for the info on all this.

    However, a question. Since our concern is mainly malware here, what makes the application incapable of writing phoney information to its own cache, buffers, whatevers? Don't we really want a true 'whois' even if it means a firewall visit to an external database?

    Shalom,
    Steven
     
  7. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    If you suspect a file to be malicious then block it (in the meantime). Confirm your suspicions by sending the file to AV experts for analysis. You can also scan it at VirusTotal. Look at these two files,

    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost32.exe

    Both make outbound connections. An ordinary user will think that both are from Microsoft. However the latter is malware. If you get the destination IP of svchost32.exe and check it at Whois, you will know that it is not connecting to Microsoft servers. In this case, looking up the IP at the Whois database helped. However, this is not the case all the time. Sometimes you just need to use your common sense. For example:

    C:\WINDOWS\system32\lsass.exe
    C:\Documents and Settings\<User>\Local Settings\Application Data\lsass.exe

    By just looking at the paths you will know which is the legitimate lsass. I am not saying that all can notice this.

    Some firewalls can detect and block malware. Sygate has a Trojan Signature Library (outdated) that would automatically block Trojans from making outbound connections. Comodo Firewall Pro v3 has a new feature called heuristic analysis algorithm that would block suspicious files. Maybe Comodo got this new idea from Sygate.

    thanatos
     
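    The two checks thanatos describes above (does the process path match where the real Windows binary lives, and does the WHOIS owner of the destination IP match who that binary should be talking to) can be scripted. The following is an added example, not code from any firewall mentioned in this thread. The alert lines and the ARIN-style WHOIS records are constructed; the IP ranges are RFC 5737 documentation addresses and the organisation names are placeholders, since the example has to run offline without querying a real WHOIS server.

```python
"""Triage outbound-connection alerts: path check, then WHOIS check.

Added example, not code from any firewall product in the thread.
All log lines and WHOIS records below are constructed; IP ranges are
RFC 5737 documentation addresses and organisation names are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Where the genuine Windows service binaries live (paths as given in the post).
EXPECTED_SYSTEM_PATHS = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
}

# Constructed WHOIS answers keyed by the destination IP the firewall reported.
# The "Key:  value" layout follows ARIN's WHOIS output; the content is made up.
WHOIS_RESPONSES = {
    "192.0.2.44": """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-VENDOR-NET
OrgName:        Example Vendor Corporation
""",
    "203.0.113.7": """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        CHEAP-VPS-NET
OrgName:        Cheap VPS Hosting Ltd
""",
}

# Constructed firewall alert lines in the form "<process path> -> <dst ip>:<port>".
ALERTS = [
    r"C:\WINDOWS\system32\svchost.exe -> 192.0.2.44:443",
    r"C:\WINDOWS\system32\svchost32.exe -> 203.0.113.7:8080",
    r"C:\Documents and Settings\Bob\Local Settings\Application Data\lsass.exe -> 203.0.113.7:443",
]


@dataclass
class WhoisRecord:
    org: str
    network: ipaddress.IPv4Network


def parse_whois(text):
    """Pull OrgName and CIDR out of an ARIN-style 'Key: value' WHOIS reply."""
    fields = dict(re.findall(r"^(\w+):\s*(.+?)\s*$", text, re.MULTILINE))
    return WhoisRecord(fields["OrgName"], ipaddress.ip_network(fields["CIDR"]))


def triage(alert, expected_org, whois_responses=WHOIS_RESPONSES):
    """Return the reasons an alert looks suspicious (empty list = looks fine)."""
    path, dst = alert.split(" -> ")
    ip = dst.rsplit(":", 1)[0]
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []

    # 1. Path check: a real system binary name outside its real directory is a
    #    red flag, and so is a name that merely imitates one (svchost32.exe).
    if name in EXPECTED_SYSTEM_PATHS:
        if path.lower() != EXPECTED_SYSTEM_PATHS[name]:
            reasons.append(f"{name} running from unexpected path {path}")
    elif any(name.startswith(known[:-4]) for known in EXPECTED_SYSTEM_PATHS):
        reasons.append(f"{name} imitates a Windows system binary name")

    # 2. WHOIS check: is the destination registered to the organisation this
    #    binary is supposed to talk to, and does the record even cover the IP?
    rec = parse_whois(whois_responses[ip])
    if ipaddress.ip_address(ip) not in rec.network:
        reasons.append(f"WHOIS record for {ip} does not cover that address")
    if rec.org != expected_org:
        reasons.append(f"{ip} is registered to '{rec.org}', not '{expected_org}'")
    return reasons


if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
        print("   ", triage(alert, "Example Vendor Corporation") or "OK")
```

    Running it flags the second and third alerts (look-alike name plus a destination owned by a hosting company; real name but wrong directory plus the same destination) and passes the first. In practice the WHOIS text would come from a live query rather than the constructed dictionary, which is also the answer to the cache-poisoning worry raised earlier in the thread: a lookup the firewall performs itself cannot be spoofed by the process being inspected.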
  8. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Not that it helps a whole lot, but I use IE7pro to search IP addresses and URLs. I can put the following in IE7pro:

    http://whois.domaintools.com/{KW_UTF8}.com

    then highlight an IP address or URL --> right-click the mouse --> go down to "search with" Whois.

    It just does not work when I try to search in my firewall.
     