Firewalls that include "WhoIs"

Hi Folks,

Here is an absurdly simple question. Probably been asked 1000 times.

Do some of the good Firewalls include a strong "WhoIs" with their alerts rather than simply an IP#. Why don't I find such in Sunbelt-Kerio (free) and some others i have tried ?

This is one of the most critical usability issues. Why should I have to go through multiple steps to research so many alerts ? I almost always want to know who and where.

Your thoughts on this. Am I missing something ? Or is just a question of which Firewall and which version (e.g. paid/free).

Thanks..

Shalom,
Steven

 

Not too many that I know of. One that does is Jetico Personal Firewall v.1.0 freeware. Maybe version 2 does also but I have not tried that.
http://www.jetico.com/jpfwall.exe

Good luck

 

Sygate can look up an IP in the Whois database.

Open Sygate Firewall => Logs (try traffic) => Right-click an entry => Back trace => Whois

thanatos

 

This firewall does not look up (Whois), it takes the info from the cache/application. (so no need to allow the firewall direct internet access)

After users requests, version2 does the same.

 

Aha - so that's how it does it. Thanks for the clarification!

 

Thanks for the info on all this.

However, question. Since our concern is mainly malware here what makes the application incapable of writing phoney information to its own cache, buffers, whatevers ? Don't we really want a true 'whois' even if it means a firewall visit to an external database ?

Shalom,
Steven

 

If you suspect a file to be malicious then block it (in the meantime). Confirm your suspicions by sending the file to AV experts for analysis. You can also scan it at Virus Total. Look at these two files,

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost32.exe

Both make outbound connections. An ordinary user will think that both are from Microsoft. However the latter is malware. If you get the destination IP of svchost32.exe and check it at Whois, you will know that it is not connecting to Microsoft servers. In this case, looking up the IP at the Whois database helped. However, this is not the case all the time. Sometimes you just need to use your common sense. For example:

C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\<User>\Local Settings\Application Data\lsass.exe

By just looking at the paths you will know which is the legitimate lsass. I am not saying that all can notice this.

Some firewalls can detect and block malware. Sygate has a Trojan Signature Library (outdated) that would automatically block Trojans from making outbound connections. Comodo Firewall Pro v3 has a new feature called heuristic analysis algorithm that would block suspicious files. Maybe Comodo got this new idea from Sygate.

thanatos

 

Not that it helps a whole lot, but I use IE7pro to search IP addresses and URL's. I can put the following in IE7pro-

http://whois.domaintools.com/{KW_UTF8}.com


highlight an IP address or URL --> right click the mouse---> and go down to "search with" Whois.

It just does not work when I try to search in my firewall.