McAfee Desktop Firewall Concerns

Discussion in 'other firewalls' started by noway, Dec 20, 2005.

Thread Status:
Not open for further replies.
  1. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Since McAfee Desktop Firewall seems to be the topic of the week around here, I just wanted to mention that it COULD have some issues that might not make it suitable for some users. Here are some of the things I noticed when I tested it today (for fun), but you should try them for yourself if necessary, because I only tested for a couple of hours, I could be wrong, and I won't be the one using it:

    I think it may have the same local proxy issue that Sygate has. If you run a local proxy and have the proxy enabled in Internet Explorer, for example, and a firewall rule to allow the proxy (e.g. Proxomitron), any application can also use the proxy unhindered, even if firewall rules exist denying the application. Tested using Windows XP Search (uses explorer.exe to access the internet) and also with NetInfo 5.5 (accesses the internet when first opened).

    If you don't use the Application Creation Monitor/Application Hooking Monitor, you can try this. Pick an app that already has a firewall rule created for it, Flashget, for example. Then download Leaktest, rename it flashget.exe and copy it to the Flashget folder (make a backup of the original first) and run it. It uses the rule you've already got that permits Flashget, not recognizing it as a different application!

    I also wonder about the PC Flank stealth tests. TCP FIN/XMAS/NULL/PING weren't stealthed when I had intrusion detection disabled. When I enabled intrusion detection, the site wouldn't finish loading to give me the results. I may be wrong here, but I would like to see the results of TCP FIN/PING/XMAS/NULL done without the UDP going with it (not using PC Flank). Something is not right if you can't stealth your computer from these packets when the intrusion detection is disabled and your firewall has block rules at the bottom blocking inbound TCP/UDP/IP. I wonder if maybe the intrusion detection blocks the PC Flank IP address when it sees the UDP packets but would otherwise allow the TCP packets to go through undetected. You could also experiment with the intrusion detection "block until removed/block for xx minutes" settings and see what this means exactly, i.e. if you block for 1 minute while PART of the PC Flank test is being done but isn't complete, what happens when the minute is up and the intruder's IP address disappears from the policy? Etc.

    I tested this firewall's predecessor a long time ago when I was using AtGuard, and some of the things I didn't like about it at the time are still there, almost as if somebody from McAfee has added a module or two without doing a complete redesign. The way the Application Creation Monitor/Application Hooking Monitor works reminds me of the "update" BlackICE did in moving beyond v2.9 (something old, something new, something borrowed, something blue). Personally, I don't want a firewall to prompt me whenever non-internet applications run, like Notepad or a card game or something. I just want to know when the hash of an internet application changes, so that I will know if it has been altered.

    I don't want to make anyone mad if this was their favorite firewall, since there are issues that bother some people with ALL the personal firewalls. It's just that if these things affect you, you might want to test them further in case I missed something (which wouldn't surprise me).
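
    The renamed-Leaktest test above and the wish to be told when an internet application's hash changes are two sides of the same design question: what does the firewall key its application rule on? The following is an added example, not code from the post or from McAfee, that models both variants. A rule keyed only on the executable path is satisfied by whatever file sits at that path, so a copy of Leaktest renamed to flashget.exe inherits FlashGet's allow; pinning the SHA-256 of the image when the rule is created turns the swap into a fresh prompt. The paths and the "executables" (byte strings) are constructed for the example.

```python
"""Added example (not from the post or McAfee): path-keyed vs hash-pinned
application rules in a per-application firewall.

A rule keyed only on the executable path is satisfied by *any* file placed at
that path, which is exactly the rename-Leaktest-to-flashget.exe trick. Pinning
the SHA-256 of the image when the rule is created turns a swapped binary into a
fresh prompt instead of a silent allow. FAKE_DISK holds constructed byte
strings standing in for executables; the paths are illustrative.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for files on disk (not real executables).
FLASHGET_PATH = r"C:\Program Files\FlashGet\flashget.exe"
LEAKTEST_PATH = r"C:\Tools\leaktest.exe"
FAKE_DISK: Dict[str, bytes] = {
    FLASHGET_PATH: b"MZ\x90\x00 flashget original image",
    LEAKTEST_PATH: b"MZ\x90\x00 leaktest image",
}


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


@dataclass
class Rule:
    path: str
    action: str                        # "allow" or "deny"
    image_hash: Optional[str] = None   # None -> path-only rule (the weak form)


class AppFirewall:
    def __init__(self, pin_hashes: bool) -> None:
        self.pin_hashes = pin_hashes
        self.rules: Dict[str, Rule] = {}

    def add_rule(self, path: str, action: str, image: bytes) -> Rule:
        # With pinning, remember what the binary looked like when the user said "allow".
        digest = sha256_hex(image) if self.pin_hashes else None
        rule = Rule(path, action, digest)
        self.rules[path.lower()] = rule
        return rule

    def decide(self, path: str, image: bytes) -> str:
        """Verdict for a process started from `path` whose image bytes are `image`:
        'allow', 'deny', or 'prompt' (no usable rule, ask the user)."""
        rule = self.rules.get(path.lower())
        if rule is None:
            return "prompt"
        if rule.image_hash is not None and rule.image_hash != sha256_hex(image):
            # Same path, different file: a legitimate update or a swapped-in
            # binary. Either way the old verdict must not be reused.
            return "prompt"
        return rule.action


def run_scenario(pin_hashes: bool, image_path: str) -> str:
    """Create an allow rule for FlashGet, then present the file from `image_path`
    under FlashGet's path (i.e. after renaming it and copying it into the FlashGet folder)."""
    fw = AppFirewall(pin_hashes)
    fw.add_rule(FLASHGET_PATH, "allow", FAKE_DISK[FLASHGET_PATH])
    return fw.decide(FLASHGET_PATH, FAKE_DISK[image_path])


if __name__ == "__main__":
    print("path-only,   renamed Leaktest:", run_scenario(False, LEAKTEST_PATH))  # allow (bypass)
    print("hash-pinned, renamed Leaktest:", run_scenario(True, LEAKTEST_PATH))   # prompt
    print("hash-pinned, genuine FlashGet:", run_scenario(True, FLASHGET_PATH))   # allow
```

    The "prompt" on a hash mismatch is the behaviour noway asks for: the user is told that the file behind an existing rule has changed, while unrelated programs such as Notepad never trigger anything because they have no rule to begin with. Whether a given product pins hashes, and whether its Application Creation Monitor would have caught the copy step, is something to verify on the product itself; the model only shows why a path-only rule cannot.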
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I think you might be right about the proxy issue. I tested it with Avast (which uses a proxy approach to filtering port 80 traffic in the Web Shield), and then ran IE, Firefox and Opera. It allowed all of them, only asking for permission for Avast's Web Shield. Of course, if IE or Opera or Firefox or whatever uses, say, 443 or another port aside from 80, then it asks, since Avast isn't proxying anything but port 80. At any rate, from what I can tell, you are correct there.

    You can turn off the part that checks for app execution and just have it pop up for apps using internet access only. If that's what you want, then just turn off Enable Application Creation Monitor, and it should then stop bugging you about app execution and only prompt for apps connecting out.

    I can't comment on the IDS features and inbound since I'm behind a router, and that renders those features fairly useless here.
     
  3. Arup

    Arup Guest

    Strange, it asked permission for Web Shield and Opera as well as IE on my system.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Wow, actually I did get mixed results here. The first time after install, I ran IE and it did ask for IE on port 80, made a rule etc. Then it immediately asked for Avast Web Shield after that, also on port 80. Then later, I ran Firefox and it failed to ask at all for that, since it already had the Web Shield permission on port 80, I guess. Then I ran Opera, and it didn't ask for that either. But the very first time I ran IE, it did ask. So I'm not sure what, if anything, to make of all that. :p
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It does sound as if any access granted to local proxies is then automatically applied to other applications (improving usability at the cost of security). Does McAfee provide any logging to give the details of what is allowed or blocked (plus the reason) to confirm this?
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Well, to be sure, I removed it and then reinstalled fresh. This time it did indeed only ask for Avast's Web Shield. It did not ask for internet access for any browser. This is the same situation as Sygate.

    It *does* however ask for permission to execute for each browser. I am not too concerned about it. I assume the "problem" would be if malware tried to hijack one of the browsers on Avast's approved list (IE, Opera, Firefox, etc.). But if this indeed did happen, I assume that the anti-hooking features would kick in and catch it. Same with Sygate and its component control and anti-application-hijacking features.

    There is logging in McAfee, however, I had the allowed traffic logging turned off so didn't see anything there.

    I will not lose any sleep over it at any rate. :)
     
  7. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    I used Proxomitron as the local proxy, which listens on port 8080, so in IE6 I have it checked to use Proxomitron as the proxy for HTTP. I unchecked all the firewall rules I had created except DNS/DHCP/ICMP and Proxomitron (allowed outbound), and my Proxomitron rule had "~treat as an intrusion" and "~enable logging" checked, so when I opened XP Search from the start menu, I saw in the firewall log that it had connected to Microsoft, and also when I opened NetInfo, which connected to Tsarfin. I had no other rules at the time, and no new ones were created for these apps. So the bottom line was that any app could hitch a ride with the proxy, undetected.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    In my case, it's not so dangerous, since Avast with its proxy only allows a small select few browsers to work with it, so other port 80 traffic would be caught by the firewall and not proxied. So no real concern here.
     
  9. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Yes, it does seem to have that loopback issue. I use Ad Muncher, but the "avoid binding to the loopback interface" option in it seems to work OK with MDF and stop the piggybacking (of Ad Muncher at least). I seem to get differing results at the Shields Up site though regarding closed, stealthed and open. After much messing about I decided to install Kerio 2.15 again and performed the same test, which was all stealth. I then rebooted, shut down Kerio and tried it without a firewall at all. All ports (on quick scan) were closed and not responding, which I expected, but port 445 was stealthed? I gave up after that. :)
    ellison
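
    The open/closed/stealth labels that Shields Up and PC Flank report, and noway's earlier point that FIN/XMAS/NULL probes should come back stealthed whenever a default-deny block rule sits at the bottom of the ruleset, both come down to what reaches the TCP stack. The following is an added example, not code from the thread or from either test site, that models how an unfiltered RFC 793 stack answers each probe type and how a stateful default-deny filter in front of it changes the answer. The listening ports, the connection table and the scanner address are constructed.

```python
"""Added example (not from the thread, PC Flank or Shields UP!): how a TCP probe
ends up reported as 'open', 'closed' or 'stealth'.

Without a firewall the stack answers per RFC 793: SYN to a listening port gets
SYN/ACK (open); anything to a port with no listener gets RST (closed); a FIN,
NULL or XMAS segment to a listening port is silently dropped, which is what
FIN/XMAS/NULL scans use to tell open from closed. A default-deny stateful
filter drops every inbound segment that is not part of a tracked flow, so every
port and every probe type comes back 'stealth'. Listening ports, connection
table and scanner address are constructed.
"""
from typing import Dict, FrozenSet, Set, Tuple

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBES: Dict[str, int] = {"SYN": SYN, "FIN": FIN, "NULL": 0, "XMAS": FIN | PSH | URG}

Flow = Tuple[str, int, int]   # (remote ip, remote port, local port)


def stack_response(flags: int, port: int, listening: Set[int]) -> str:
    """Reply of an unfiltered RFC 793 stack: 'SYN/ACK', 'RST' or 'none'."""
    if port not in listening:                 # CLOSED: RST everything except a RST
        return "none" if flags & RST else "RST"
    if flags & SYN and not flags & ACK:       # LISTEN: SYN -> SYN/ACK
        return "SYN/ACK"
    if flags & ACK:                           # LISTEN: stray ACK -> RST
        return "RST"
    return "none"                             # LISTEN: FIN/NULL/XMAS -> dropped


def filtered_response(flags: int, port: int, listening: Set[int],
                      established: FrozenSet[Flow], src_ip: str, src_port: int) -> str:
    """Stateful default-deny (the block rule at the bottom): only segments that
    belong to a tracked flow reach the stack; everything else is dropped silently."""
    if (src_ip, src_port, port) in established:
        return stack_response(flags, port, listening)
    return "none"


def classify(reply: str) -> str:
    """What a scanner reports for a given reply."""
    return {"SYN/ACK": "open", "RST": "closed", "none": "stealth"}[reply]


def scan(listening: Set[int], ports, firewall_on: bool,
         established: FrozenSet[Flow] = frozenset(),
         scanner_ip: str = "198.51.100.7", scanner_port: int = 40000) -> Dict[Tuple[str, int], str]:
    """Return {(probe type, port): 'open'|'closed'|'stealth'} as the scanner would see it."""
    results: Dict[Tuple[str, int], str] = {}
    for name, flags in PROBES.items():
        for port in ports:
            if firewall_on:
                reply = filtered_response(flags, port, listening, established, scanner_ip, scanner_port)
            else:
                reply = stack_response(flags, port, listening)
            results[(name, port)] = classify(reply)
    return results


if __name__ == "__main__":
    host_listening = {135, 445}          # constructed: a typical XP box
    for fw in (False, True):
        print(f"firewall_on={fw}")
        for key, verdict in scan(host_listening, [80, 445], fw).items():
            print("  ", key, verdict)
```

    Two caveats for reading real results against this model. First, the model is the RFC 793 behaviour; the nmap documentation notes that Windows, among others, replies RST to FIN/NULL/XMAS probes regardless of port state, so on an unprotected XP host those probes read "closed" everywhere instead of distinguishing open ports. Second, and independently of the stack, a "closed" result means the probe reached the stack at all: with a default-deny filter in front of it every flag combination should come back "stealth", which is the check noway wants run on FIN/XMAS/NULL without the accompanying UDP traffic.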
     