NETCHINA S3 as FIREWALL with INTRUSION DETECTION

Discussion in 'other anti-malware software' started by Kees1958, Nov 27, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I was bored so gave Netchina S3 a try, use these steps to make it an strong FireWall with intrusion detection (but quiet, very few pop-ups)

    Paranoids can disable auto acceptance of signed executables.

    I have enabled enabled IP - MAC binding (against ARP man in the middel attacks, together with my routers setting).

    No long explanation, English help is still not available

    As always handle with care (make image backup and have your rescue CD at hand, it is a Beta)
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    First navigate to the objects part of the application control (objects to protect, subjects are the triggering application)
     

    Attached Files:

    • S3  1.JPG
      S3 1.JPG
      File size:
      77 KB
      Views:
      2,538
    Last edited: Nov 27, 2008
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Make Netchina quiet (throw away cookies, and recyle paranoic objects)
     

    Attached Files:

    • S3  2.JPG
      S3 2.JPG
      File size:
      46.7 KB
      Views:
      2,531
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Now change from block and allow to QUERY (richt click) and make sure you only have left these objects for FILE and REGISTRY PROTECTION.

    Good news is that I left those objects default (they are okay out of the box)
     

    Attached Files:

    • S4 3.JPG
      S4 3.JPG
      File size:
      126.1 KB
      Views:
      30
    Last edited: Nov 27, 2008
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When you do not like execution control (like me), because pop-ups drive you nuts, then also add the green entries at SUBJECTS

    Fast and steady until now
     

    Attached Files:

    • S4 4.JPG
      S4 4.JPG
      File size:
      124.5 KB
      Views:
      29
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Play with the rules and you will be surprised what it protects against
     

    Attached Files:

    • S3 5.JPG
      S3 5.JPG
      File size:
      70.6 KB
      Views:
      2,546
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    cool kees:thumb: is this a firewall with hips?
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks for the link and value info
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Good stuff, Kees. But -- since you are bored -- PLEASE do this same sort of thing for Malware Defender.
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Excellent thread as usual Kees. But I do have a question about post #5 in this thread. What is the meaning of allowing "Run" and "Launch" objects?
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    That would be an interesting read if Kees would be so kind as to give it a shot.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    NetChina has 4 levels of application protection. The most usefull (balance useability - security) is "Querrying"

    This means
    a) File protection as specified in SUBJECT
    b) Registry protection as specified in Subject
    c) All protection of see attachement for any unspecified Object
    d) Network protection as specified in network control mode (I have set this to High Availability, meaning default deny in and out, with pop up when this happens).

    I do not want execution control on, so I allowed all programs to RUN and LAUNCH a process with the green entries shown on post 5. More security savvy users can change the ? to C, meaning you would only allow execution (without pop-up)of your C drive. Any code execution of your D drive (not signed, but you can turn this off) would cause a pop-up.

    Hoe this explains
     

    Attached Files:

    Last edited: Nov 29, 2008
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well I normally only 'do' freeware, but with christmas holiday coming on I might find the time. Also I break with this rule when the producers (Mike and Ilya are nice chaps, eager to serve their customers :thumb: :thumb: :thumb: , I noticed the programmer of Malware Defender is very active on Wilders, so he qualifies :thumb: )

    I like to tweak both security and useability level of software (increase both), sometimes vendors (like OA, TF, DW) take over these suggestions (only Mike implemented one suggestion in the paid version, in stead of the free version).



    Cheers
     
    Last edited: Nov 29, 2008
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I look forward to the fruit of your efforts. Have a glorious and peaceful Christmas.

    Yes, Xiaolin is active here, & is very very friendly. He is quite open to suggestions, and has implemented some ideas recommended by Wilders denizens.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear Bellgamin,

    Xiaolin has contacted me, to assure I will have a go between Christmas and New Year. He seems as eager as Ilya (of DW), so that is a value which will reflect in the quality of his product and customer service.


    Cheers Kees
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    If Xiaolin is anywhere near to being as capable, industrious, & dedicated as Ilya, then he will be a probable success.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    He is :thumb:
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Here are my extra rules for S3 rename them to .RLS and import them.

    Now running Network in high security (all Internet facuing programs allowed) and high availability with tweaks as posted

    Quiet and somehow a little mysterious in its protection:
    - seems to trust signed programs at install
    - same behaviour when running application protection (can be set off, in Click Risk in left panel and select or deselect "Digital Signature Based decision"), community based Bayesian logic only available in Chinese version (?)
    - You can not select all the rules within Object which are available in Subject (?)

    Cheers
     

    Attached Files:

    Last edited: Dec 1, 2008
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Really good finds & in-depth checking for solving a boredom. Thanks Kees1958 for all those screens and details and also this ruleset you prepared for us.

    One question though i have since i been busy with a couple of our other HIPS lately, has this particular NetChina S3 still as it was when it was first introduced here in beta or do you know if it's been at all updated, even a little since then?

    All in all you pointed out some real significance in the way it handles different coverages. Thanks for those tips and your testings.

    EASTER
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No it is the same version. Only the setup is a little hard to understand at first (not the easy way EQSecure works for instance).

    Network
    First you have to run Network on High Availability, then you can switch to high security. It has some nice extras like DDos and ARP protection/

    Application
    Application control should be set to Querrying, then it will check

    Access control matrix based HIPS, provide:

    --Process control
    ----Process run
    ----Launch another process
    ----Inject process
    ----Open thread of other process
    ----Create thread of other process
    ----Set thread context of other process
    ----Debug active process
    ----Suspend process

    --File access control
    ----Modify file


    --Registry control
    ----Modify registry

    --Loading and invoking control
    ----Load driver control
    ----Set window hook
    ----Load OLE component
    ----Invoke API function
    ----Load DLL
    ----Anti keylogger
    ----System call control

    --Memory control
    ----Access physical memory
    ----Allocate virtual memory
    ----Write virtual memory
    ----Protect virtual memory

    --System control
    ----Adjust privilege token
    ----System debug control
    ----Query system information
    ----Shutdown system

    All these functions are checked by default (auto allowing the signed programs). In Subject you will find your per application exceptions on this (general protection level).

    In Object you can specify a subset out of the above listed protection (do not understand why).


    Cheers Kees
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Thanks again Kees for the feedback.

    One i suppose at this point in time can only imagine if they had or would of released at least a couple or so more versions what extra interesting security surprises which might been laid out waiting to be discovered with equal satisfaction in this HIPS.

    I'll have to switch drives sometime soon and re-evaluate Netchina again because i know i haven't applied as much interest in this one as the others yet.

    EASTER
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter,

    Netchina S3 is an akward hybride HIPS/FW. With it preset functions, it provides some playing to get used to. Compared to EQS or Malware Defender (first one has a nice and easy to use rule hierarchy, second one seems like the new born child of SSM and Antihook, with incredible surgeon's granularity) the PC enthousiasts will problably find tools which give them more wheels to turn.

    I think Netchina S3 is more in the league of Comodo/D+ and OA. For comparison, the way I have set it up it is a tad less easy to setup than OA, but a lot more quiet than Comodo/D+ with the same level of protection (not the clean PC state, but its higher pop-up puking security levels).

    Still S3 is good Freeware (Comodo D+ protection with OA low chattyness), in my view.

    It will play with it for some more time.
     
  24. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    10x a lot Kees1958 for this review

    i got this problem , i did like in post 5 of yours with the c:\ instead the ? , and when i install software from drive d:\ no popup appear ...

    any idea why?

    10x
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep: uncheck see picture. That is also a smart intermediate solution

    A) Approve programs to start from your C (program partition) and
    b) Ask fo rpermission from Data Partition (D)
     

    Attached Files:

Loading...
Thread Status:
Not open for further replies.