How to create very restrictive security with Kerio?

Hi,

I think something might have slipped onto my computer that several anti-virus and anti-trojan computers have failed to detect. So I am going to wipe the HDD and do a clean install of Windows as soon as I have time (which may not be soon). Until then, I'd like to create some highly restrictive rules in Kerio PF (2.1.5), to hopefully limit the ability of any malware to "phone home." Basically, what I'd like to do is set up a filter or filters that will block all traffic except outbound traffic to a small number of IP addresses (e.g., ISP mail server, Yahoo! Mail, Gmail). If possible, I'd also like to have Kerio set up so that only certain programs can access those IPs, but that's not as important.

I already started to set this up, but I wasn't sure I was doing it right. I was concerned that I might accidently decrease my security, so I didn't save the changes I made. BTW, I am using BlitzenZeus' standard ruleset which I have configured to work with my ISP.


Phil

 

Kerio will automatically alert or block if a trojan attempts to connect outbound using an application for which you don't have a permit rule.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Hi Rich,

That's good. But what if the trojan is smart (or just lucky), and uses some application for which I have a permit rule? By expliciting allowing outbound connections to only a select list of IP addresses, the trojan won't be able to connect to the trojan creator's site, and I will be alerted to the unauthorized connection attempt.

Phil

 

Yes, if your rules are set up that way, Kerio would alert if otherwise.

-rich

 

That's one way trojans will defeat a firewall. You'll need another program like ProcessGuard or AppDefend which will detect and/or prevent changes to trusted apps.

 

Or just use a firewall like Sygate that has anti-application hijacking and will protect you against such things.