NETCHINA S3 as FIREWALL with INTRUSION DETECTION

Discussion in 'other anti-malware software' started by Kees1958, Nov 27, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I was bored, so I gave Netchina S3 a try. Use these steps to make it a strong firewall with intrusion detection (but quiet, very few pop-ups).

    Paranoids can disable auto acceptance of signed executables.

    I have enabled IP-MAC binding (against ARP man-in-the-middle attacks, together with my router's setting).

    No long explanation, English help is still not available.

    As always handle with care (make an image backup and have your rescue CD at hand, it is a Beta).
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    First navigate to the objects part of the application control (objects are what is protected, subjects are the triggering application).
     

    Attached Files:

    • S3 1.JPG
    Last edited: Nov 27, 2008
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Make Netchina quiet (throw away cookies, and recycle paranoid objects).
     

    Attached Files:

    • S3 2.JPG
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Now change from block and allow to QUERY (right click) and make sure you only have these objects left for FILE and REGISTRY PROTECTION.

    Good news is that I left those objects at default (they are okay out of the box).
     

    Attached Files:

    • S4 3.JPG
    Last edited: Nov 27, 2008
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    When you do not like execution control (like me), because pop-ups drive you nuts, then also add the green entries at SUBJECTS.

    Fast and steady until now.
     

    Attached Files:

    • S4 4.JPG
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Play with the rules and you will be surprised what it protects against.
     

    Attached Files:

    • S3 5.JPG
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Cool Kees :thumb: Is this a firewall with HIPS?
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks for the link and valuable info.
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Good stuff, Kees. But -- since you are bored -- PLEASE do this same sort of thing for Malware Defender.
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Excellent thread as usual Kees. But I do have a question about post #5 in this thread. What is the meaning of allowing "Run" and "Launch" objects?
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    That would be an interesting read if Kees would be so kind as to give it a shot.
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    NetChina has 4 levels of application protection. The most useful (balancing usability and security) is "Querying".

    This means:
    a) File protection as specified in SUBJECT
    b) Registry protection as specified in Subject
    c) All protection (see attachment) for any unspecified Object
    d) Network protection as specified in network control mode (I have set this to High Availability, meaning default deny in and out, with a pop-up when this happens).

    I do not want execution control on, so I allowed all programs to RUN and LAUNCH a process with the green entries shown in post 5. More security-savvy users can change the ? to C, meaning you would only allow execution (without pop-up) from your C drive. Any code execution from your D drive (not signed, but you can turn this off) would cause a pop-up.

    Hope this explains.
     

    Last edited: Nov 29, 2008
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well I normally only 'do' freeware, but with the Christmas holiday coming on I might find the time. Also I break with this rule when the producers are nice chaps, eager to serve their customers (Mike and Ilya are :thumb: :thumb: :thumb:; I noticed the programmer of Malware Defender is very active on Wilders, so he qualifies :thumb:).

    I like to tweak both the security and usability level of software (increase both); sometimes vendors (like OA, TF, DW) take over these suggestions (only Mike implemented one suggestion in the paid version, instead of the free version).

    Cheers
     
    Last edited: Nov 29, 2008
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I look forward to the fruit of your efforts. Have a glorious and peaceful Christmas.

    Yes, Xiaolin is active here, & is very very friendly. He is quite open to suggestions, and has implemented some ideas recommended by Wilders denizens.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Dear Bellgamin,

    Xiaolin has contacted me, to assure I will have a go between Christmas and New Year. He seems as eager as Ilya (of DW), so that is a value which will reflect in the quality of his product and customer service.


    Cheers Kees
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    If Xiaolin is anywhere near to being as capable, industrious, & dedicated as Ilya, then he will be a probable success.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    He is :thumb:
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Here are my extra rules for S3; rename them to .RLS and import them.

    Now running Network in high security (all Internet-facing programs allowed) and high availability with tweaks as posted.

    Quiet and somehow a little mysterious in its protection:
    - seems to trust signed programs at install
    - same behaviour when running application protection (can be switched off: click Risk in the left panel and select or deselect "Digital Signature Based decision"); community-based Bayesian logic only available in the Chinese version (?)
    - you cannot select all the rules within Object which are available in Subject (?)

    Cheers
     

    Last edited: Dec 1, 2008
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Really good finds and in-depth checking for solving boredom. Thanks Kees1958 for all those screens and details and also this ruleset you prepared for us.

    One question though I have, since I've been busy with a couple of our other HIPS lately: is this particular NetChina S3 still as it was when it was first introduced here in beta, or do you know if it's been at all updated, even a little, since then?

    All in all you pointed out some real significance in the way it handles different coverages. Thanks for those tips and your testing.

    EASTER
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No it is the same version. Only the setup is a little hard to understand at first (not the easy way EQSecure works for instance).

    Network
    First you have to run Network on High Availability, then you can switch to High Security. It has some nice extras like DDoS and ARP protection.

    Application
    Application control should be set to Querying; then it will check the following.

    Access control matrix based HIPS, providing:

    --Process control
    ----Process run
    ----Launch another process
    ----Inject process
    ----Open thread of other process
    ----Create thread of other process
    ----Set thread context of other process
    ----Debug active process
    ----Suspend process

    --File access control
    ----Modify file


    --Registry control
    ----Modify registry

    --Loading and invoking control
    ----Load driver control
    ----Set window hook
    ----Load OLE component
    ----Invoke API function
    ----Load DLL
    ----Anti keylogger
    ----System call control

    --Memory control
    ----Access physical memory
    ----Allocate virtual memory
    ----Write virtual memory
    ----Protect virtual memory

    --System control
    ----Adjust privilege token
    ----System debug control
    ----Query system information
    ----Shutdown system

    All these functions are checked by default (auto-allowing signed programs). In Subject you will find your per-application exceptions to this (general protection level).

    In Object you can specify a subset of the above listed protection (I do not understand why).


    Cheers Kees
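As an added illustration (not NetChina's code, and written against the behaviour these posts describe rather than any documented API), here is a small Python model of the Querying-mode decision order: signature-based auto-allow first, then the Subject exceptions, then the Object rules, then the Querying default; the `Request`/`decide` names, the `trust_signed` toggle and the sample paths and rules are assumptions.

```python
"""Toy model of the S3 'Querying' decision order from posts 13, 19, 21 and 25.
Added example, not the product's code; rule shapes and sample paths are assumed."""
import fnmatch
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    QUERY = "query"  # pop-up asking the user


@dataclass(frozen=True)
class Request:
    subject: str          # program performing the action
    operation: str        # a matrix entry, e.g. "Process run"
    obj: str = ""         # file path / registry key touched, if any
    signed: bool = False  # carries a valid digital signature


def decide(req, subject_rules, object_rules, trust_signed=True):
    """Rules are (glob, operation, Decision) tuples; first match wins."""
    def hit(pattern, value):
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())
    # 1. "Digital Signature Based decision": signed code is auto-allowed
    #    before any rule is consulted (post 25 switches this off).
    if trust_signed and req.signed:
        return Decision.ALLOW
    # 2. SUBJECT: per-application exceptions override the general level.
    for pattern, op, verdict in subject_rules:
        if op == req.operation and hit(pattern, req.subject):
            return verdict
    # 3. OBJECT: protected files/keys with their own allow/block/query.
    for pattern, op, verdict in object_rules:
        if op == req.operation and hit(pattern, req.obj):
            return verdict
    # 4. Querying level: every other matrix operation is asked about.
    return Decision.QUERY


# Constructed rule sets.  S3-style '?' matches one character, so the quiet
# "green entries" (?:\*) let any drive run/launch; C:\* trusts only C:.
QUIET = [("?:\\*", "Process run", Decision.ALLOW),
         ("?:\\*", "Launch another process", Decision.ALLOW)]
STRICT = [("C:\\*", "Process run", Decision.ALLOW),
          ("C:\\*", "Launch another process", Decision.ALLOW)]
OBJECTS = [("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*",
            "Modify registry", Decision.QUERY),
           ("C:\\Windows\\System32\\drivers\\*", "Modify file", Decision.BLOCK)]
```

With STRICT rules an unsigned installer on D: gets a pop-up, but a signed one is silently allowed until `trust_signed` is switched off, which is the situation post 25 answers.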
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks again Kees for the feedback.

    One I suppose at this point in time can only imagine, if they had or would have released at least a couple or so more versions, what extra interesting security surprises might have been laid out waiting to be discovered with equal satisfaction in this HIPS.

    I'll have to switch drives sometime soon and re-evaluate Netchina again because I know I haven't applied as much interest in this one as the others yet.

    EASTER
     
  23. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Easter,

    Netchina S3 is an awkward hybrid HIPS/FW. With its preset functions, it takes some playing to get used to. Compared to EQS or Malware Defender (the first one has a nice and easy-to-use rule hierarchy, the second one seems like the newborn child of SSM and Antihook, with incredible surgeon's granularity) the PC enthusiasts will probably find tools which give them more wheels to turn.

    I think Netchina S3 is more in the league of Comodo/D+ and OA. For comparison, the way I have set it up it is a tad less easy to set up than OA, but a lot more quiet than Comodo/D+ with the same level of protection (not the clean PC state, but its higher pop-up-puking security levels).

    Still S3 is good freeware (Comodo D+ protection with OA low chattiness), in my view.

    I will play with it for some more time.
     
  24. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    10x a lot Kees1958 for this review

    I got this problem: I did like in post 5 of yours with the c:\ instead of the ?, and when I install software from drive d:\ no popup appears...

    Any idea why?

    10x
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep: uncheck, see picture. That is also a smart intermediate solution:

    A) Approve programs to start from your C (program partition) and
    B) Ask for permission from Data Partition (D)
     
