Outbound Application Filtering

Discussion in 'other firewalls' started by bigc73542, Apr 2, 2005.

Thread Status:
Not open for further replies.
  1. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    but as a general rule, if you don't know what it is, you should always deny it. i would think this would give you a more than 50/50 chance at being right.
     
  2. I know that....in fact I had a weird one pop up this morning...I denied it..til
    I had a chance to look it up.

    I was just trying to make a point about app control...whether it was useful

    Whenever I get a new app...I like to put it thru its paces until I learn what to

    expect....then back off the settings.....so that when I do get an alert...I best

    know I had better pay attention ...whether a...pigs squeal...alarm....etc.

    When I'm in doubt ....I deny
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    ZA is a bit heavy on resources for me, but I do think it is a good product. At the moment I am looking at various means of improving security, but my main focus is preventing the installation of trojans, not waiting to find them when they call out.

    I have found that I can usually deal with the auto updating by using a hosts file. There are exceptions, but they are not important. I realize some folks feel there is a privacy issue with the publisher knowing every time you run the application, but usually it is not anything sinister. Usually I get rid of apps that do not let you turn off the update checking because if they think they are that important, I don't need them.

    Server rights are easy to deal with. A proper firewall does not give server rights to any program unless you explicitly allow it. Even the minimalist XP SP2 firewall detects when a program wants server rights and asks for permission. The XP SP2 firewall is actually application aware with respect to server rights. The server ports will show as stealthed during a scan by Shields Up or the like, something you cannot do with CHX-1 or 8Signs.

    Good firewalls allow logging rules to detect which applications are communicating, in case you have any doubts. It is not as in your face as an app filtering firewall, but the information is there. Tcpview will tell you if anything is listening, a sure sign of a back door. Vee have our Vays...:)
     
    Last edited: Apr 3, 2005
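    The post above says a firewall's logging rules, plus a tool like Tcpview, will tell you which programs are talking out and whether anything is listening. The script below is an added example, not code from the thread or from any product mentioned in it: it parses a small per-application log and produces that summary. The log layout, the sample lines and the function names are constructed for this example; a real firewall writes its own format, so LINE_RE would be adapted to it.

```python
"""Added example, not from the thread: summarise a per-application firewall
log to see which programs talk out, how often, and whether anything is
listening (server rights). Log layout and sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample: date time action direction proto local remote program
# (remote addresses come from the RFC 5737 documentation ranges)
SAMPLE_LOG = """\
2005-04-03 09:12:01 ALLOW OUT TCP 192.168.1.10:3045 198.51.100.20:80 C:\\Program Files\\Firefox\\firefox.exe
2005-04-03 09:12:05 ALLOW OUT UDP 192.168.1.10:1027 192.168.1.1:53 C:\\WINDOWS\\system32\\svchost.exe
2005-04-03 09:13:40 ALLOW OUT TCP 192.168.1.10:3051 203.0.113.7:80 C:\\Program Files\\Real\\realplay.exe
2005-04-03 09:14:02 ALLOW OUT TCP 192.168.1.10:3052 203.0.113.7:80 C:\\Program Files\\Real\\realplay.exe
2005-04-03 09:14:30 LISTEN IN TCP 0.0.0.0:5000 * C:\\WINDOWS\\TEMP\\update.exe
2005-04-03 09:15:11 BLOCK OUT TCP 192.168.1.10:3060 192.0.2.44:6667 C:\\WINDOWS\\TEMP\\update.exe
this line is garbage and is skipped by the parser
"""

# One regex for the constructed layout; the program path may contain spaces,
# so it is the last field and swallows the rest of the line.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|BLOCK|LISTEN) "
    r"(?P<direction>IN|OUT) (?P<proto>TCP|UDP) (?P<local>\S+) (?P<remote>\S+) "
    r"(?P<program>.+)$"
)


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def outbound_summary(events):
    """Map program -> set of (action, proto, remote) it reached or tried to reach."""
    summary = defaultdict(set)
    for ev in events:
        if ev["direction"] == "OUT":
            summary[ev["program"]].add((ev["action"], ev["proto"], ev["remote"]))
    return dict(summary)


def listeners(events, allowed_listeners=frozenset()):
    """Programs accepting connections that are not on your known-good list."""
    return sorted({ev["program"] for ev in events
                   if ev["action"] == "LISTEN"
                   and ev["program"] not in allowed_listeners})


def phone_home_counts(events, threshold=2):
    """Programs with at least `threshold` outbound attempts: the chatty ones
    (auto-updaters and the like) that a hosts file entry or rule can quiet."""
    counts = defaultdict(int)
    for ev in events:
        if ev["direction"] == "OUT":
            counts[ev["program"]] += 1
    return {prog: n for prog, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for prog, remotes in outbound_summary(evs).items():
        print(prog)
        for action, proto, remote in sorted(remotes):
            print(f"    {action:6} {proto} -> {remote}")
    print("listening, not on allow list:", listeners(evs))
    print("chatty programs:", phone_home_counts(evs))
```

    The two realplay.exe lines collapse to one destination in the summary but still count as two attempts in phone_home_counts, which is the distinction that matters when deciding whether a program is merely checking for updates or doing something you did not ask for.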
  4. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    i have gone with trying to prevent them from installing in the first place, as well as trying to locate them when they do call out. i don't think either way is 100% reliable, so i've chosen a combination of both for my security.
    i have a few of these apps that right now, i have no choice but to keep. however, i can control what they do and how they act through outpost and pg.
    it shouldn't. but i know some like sygate for example, that make you manually go in and uncheck 'allow server' rights for any application it detects.
    interesting, i did not know that.
    i do the same thing.

    this had been a good thread for me, i have learned a lot. those were some good posts by blue and s!x, and some interesting ones by diver! ;)
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    On the 50/50 thing, Microsoft did some research and found that most users give up after a while and say yes to everything. IMO the problem gets worse with the sensitivity of the firewall or sand box. That is why I constantly complain that these utilities lack intelligence.

    Consider where trojans come from. Unless we are talking about a system with no firewall at all user action is required to allow the crap to install, either by clicking on an email attachment or allowing an ActiveX or Java item to install. If you are smart enough to get it right when the firewall asks, you have got to be smart enough to get it right prior to infection. Furthermore, the user can develop a sort of numbness by being asked to respond to too many warnings that are, in effect, false alarms. That way when a real warning comes along, they are more likely to allow the wrong thing to happen.

    Other strategies to consider for downloads are waiting several days to run suspect items or using an on line multi engine virus scan like Jotti's.

    If this issue comes up again, I am just going to link to this thread:)
     
    Last edited: Apr 3, 2005
  6. Again you missed my point on 50/50 chance.....what I've been trying to say
    I feel it is far better to have a 50/50...then none at all.
    Now what are all these alerts you seem to think I, and a lot of other people
    have....I've run behind FW's for years when I was on dial-up...ZA the old tiny
    and kerio....and rarely had an alert...maybe an occasional port scan.
    I'm now on DSL with an ISP Firewall ..with PG...prevx....and software FW.
    The only time I get all those "Alerts" is when I first try out something...
    to learn what's connected to what.....and learn what to expect.
    About the only pop up I get is from PG because I have rundll set up to run once.
    Other than that.....it is very very quiet here "On the western front."
    Because I have learned what to expect from my security apps. I feel that if
    one does alert me.....best deny it.....because it sure isn't the norm.
     
  7. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    There is a lot of truth to that. Most people just don't want to fool with the alerts and stuff.

    Speaking of intelligence, has anyone tried PCInternetPatrol? http://www.pcinternetpatrol.com/firewall

    It sounds interesting, but the trial was crippled enough that I really couldn't test it to its full capabilities.
     
  8. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    you can check out this thread, and this thread, and this thread for a little more on pcinternet patrol. personally i trialed it but didn't really feel i needed it. if hollywoodpc was on, i'm sure he'd have something to say about it! :D
     
  9. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    microsoft did some research? while there may be some truth in that, it sounds more like an excuse they made to defend the reason as to why their firewall has no outbound protection! :D
     
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    just wondering-

    I don't miss any points, I just don't agree. I actually believe that for behavioral reasons rather than technological reasons your 50/50 argument does not work. It would be better than 50/50 if you only had to deal with a few warnings. As the number of warnings goes up, the percentages drop to where it is less than 50/50 due to user fatigue, and for some users the answer is permit every time. Why don't you register already?


    Intoxsickated-

    I just love your style "this and this and this". Well, actually for several years I only used a NAT because I got tired of tweaking various software firewalls. But, if you like to tinker, be my guest. I don't care if anyone changes brands, so to speak. All I want to point out is there are some important limitations to the whole app filtering/leak test thing.
     
    Last edited: Apr 3, 2005
  11. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    maybe i should use some that's. ;)

    that's why i like what blue said earlier. if you do have someone to run through all the applications that would need Internet access immediately after the install to create all the needed application based rules for the machine, you would get a lot fewer pop-ups. of course the key here being the 'someone to run through all the applications' part. i know not everybody has access to a person to help, but that's what forums like this are for.
     
  12. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Oh Brother! Why would ANYONE make a statement like not needing outbound because.....? It is easy folks. There is always someone who is "out of the loop" and must stir the pot. Bottom line: Use it if you have it. It is nice to have. If you do not want it, don't use it. Pretty simple. There ya go. Time to move on I think. I will go cajole with my outbound filtering now.
     
  13. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    i think you accomplished that. i don't totally agree with you, but i think you made your point. ;)

    hollywood, i was wondering when you were going to show up! :D
     
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    We all need to go out and get a drink together sometime.
     
    Last edited: Apr 3, 2005
  15. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Where you go, I TRY to go. It is more fun that way. And I hear you are heading up the new ZoneLabs fan club. What does it cost to join?
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'll throw in my 2 cents here also.. I generally don't worry much about app control, but I do like to have it so that I am alerted when something wants to connect out to the internet, not because I'm worried about trojans or malware, but just because I prefer to know. I don't live that kind of computer lifestyle, so I don't worry about trojans and that kind of stuff. I've been at this for 3-4 years now and have NEVER had 1 trojan or malware on my machine. Never. But I have had respectable apps that want to connect out, and when that happens, I do like to know about it, just for my info, and so I can allow or deny it. So that's about it for me.

    Actually, I should modify that a little. I have had a couple of viruses hit me, but they were caught by my AV in time, and they were extremely few and far between.
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Check out my new signature. I found this on a site that deals with firewalls from the enterprise perspective. However, it describes my philosophy exactly, and not just within the context of this aspect of computer security.

    Well, I am off to see the Emperor's new clothes. Loops go in circles, don't you know.
     
  18. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Creature Diver,
    You are tech savvy. Your posts prove this out. And I mean no disrespect. I just can not agree with your outbound opinion. Please allow me some of your time to consider this real life example. Your above post made me remember this. It may not have been malware like a trojan, but I do believe it was attempting to serve up an unhealthy dose of adware. My log book indicates that back in August of 2002. I was running ME OS then. I load up a program all know it here I am sure. REALONE NETWORK Free version. Within one day Zone Alarm went crazy constantly asking for outbound connection. Viewing what wanted out I constantly denied it. I dug a little deeper I realized that REALONE was a real pain.

    I uninstalled it and almost broke my system. Got this TKBELLEXE problem. (Kevin creator of BoClean sent me a link to address this problem nothing to do with BoClean, took time to help me on nonBoClean issue just another reason I am such a fan).

    When REALONE was gone Zone Alarm went back to normal. Sure it was not about a major malware, virus or trojan. But what it was about was ADS, spyware crap. IT WAS ABOUT WHOSE MACHINE IS IT. MINE. I CONTROL WHAT COMES IN AND GOES OUT NOT REALONE. THIS WAS A REAL LIFE EXAMPLE OF ONE USER WHO WAS ALERTED BY OUTBOUND CONTROL OF HIS FIREWALL "YOU HAVE A PROGRAM ON YOUR SYSTEM THAT YOU HAVE LOADED RECENTLY THAT WANTS OUT FOR SOME REASON AND YOU ARE NOT EVEN AT THE COMPUTER MUCH LESS USING ANYTHING. YOU MAY WANT TO INVESTIGATE." HMMM WHAT HAVE I DONE RECENTLY TO CAUSE A CHANGE. REALONE THAT'S WHAT!! :mad:

    THE ARGUMENT THAT CREATURES DO NOT WANT TO BE BOTHERED, IS LIKE TELLING A DRIVER OF A CAR IGNORE THAT CHECK ENGINE LIGHT. DO NOT BOTHER ME WITH THE BLINKING OIL CAN ON THE DASH. I guess it is just me always wanting to make sure my stuff is working and I am in control.

    Thanks for your point of view Diver. ;)
     
    Last edited: Apr 3, 2005
  19. TrBot

    TrBot Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    139
    Diver's sig seems to sound better when he says it than when I did.
     
  20. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Mercurie-

    Real Player is known for being badly behaved. I don't use it around here. There are several other ways its behavior could be detected including start up entries, task monitor and firewall logs. Besides it is not a trojan, just an annoying program.

    If the oil light in my car came on every day, and after about a week of checking the oil I found it to be full, I would correctly deduce that the sensor was broken and ignore it until I could get it fixed. Unfortunately, most advanced application controls are as broken as that oil warning light since they mostly warn about normal events and there is no fix other than to look at the problem in a different way.

    By the way, I don't have a big problem with simple application control like what is found in Kerio 2.15, so long as the user does not regard it as a sure fire trojan catcher. However, for some users even that quantity of interaction is too much.

    I have been asking quite a few computer users about their security practices, one on one, as a reality check against what I see in this and other forums. Generally, if they have a NAT, that is it.
     
  21. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    At the moment I'm running ICF and sometimes I miss application control.

    In my opinion, for my usage, the greatest need for outbound application control is to deal with situations like mercurie mentioned. That is:
    "To stop outbound traffic from so-called "legitimate" applications with abusive phone-home policies, known bad privacy policies or completely unknown privacy policies."

    What is the difference between a trojan which decides to connect outbound and a "legitimate" application which tries to connect outbound without explicit permission?
    <<insert joke here>>

    Don't laugh. Even firewall companies can have abusive policies. (For those that don't know a specific older ZA release did not obey the user-set settings to not send periodic data to Zone Labs - a programming bug or a deliberate action. This (I think) has been fixed in the newest versions).

    The whole outbound application control thing probably began from Steve Gibson's Leaktest but it probably was a logical consequence of mainstream new user concepts. "Do you want ApplicationX to access the Internet?" is probably the easiest way to get input from a clueless user.

    Regardless of application control or not, the most dangerous time of using the firewall is in the very early learning stages when the rulebase is empty and the user is clueless.

    Do you want SVCHOST.EXE created by Microsoft Corp. to access the Internet? (Allow connections outbound) - since this particular request is needed for a DHCP Broadcast to get DNS server addresses the internet connection fails if they do not allow it. The user also sees Microsoft Corp. and that's a legitimate application so why not?

    The next prompt is:

    Do you want to allow SVCHOST.EXE to act as server?
    Well it's a legitimate application - it says Microsoft after all. And if my connection fails if I did not allow it before why should I not allow it now?
    Never mind the fact that this is most likely the Blaster/Sasser worm, not something as innocent as updating the time through Windows Time Service.

    I have to say I more or less agree with Diver's opinion all the way. That sig is spot on; I'm almost tempted to steal it. I thought the purpose of early security products was to let the user have definite control over their machine, not malware or malicious users. Now this has shifted so much that I would say that it is usually the security product that has complete control over the computer with little input from the user. With this shift is it any wonder that spyware producers are appearing as computer security related, or that security vendors are increasingly turning to unethical practices, maybe using collected data improperly? Computer security products are almost in a class of their own - no-one asks questions about their capabilities, they are always trusted without blinking and giving these companies' AI-like logic full control over machines is the norm. This is unheard of for absolutely any type of product in the software or physical world.

    So who has ultimate control over your PC - you or your computer product?
    Often it's impossible to tell because the internal operations are poorly documented or not clearly documented at all.

    What's the difference between a remote administered trojan and a program which makes great changes to your PC from decisions determined by a security company, with little user input or full information about what is about to be performed?
    <<insert joke here>>

    Something to think about....
    /rant
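    The post above describes the trap of an empty rulebase: a new user is asked whether SVCHOST.EXE may go out (it must, for DHCP and DNS) and then whether it may act as a server, and answers yes to both because "it says Microsoft". The following is an added example, not code from the thread or from any firewall product: a first-match, default-deny application rulebase seeded so that both of those prompts are answered by policy rather than by guesswork. The Rule fields, the paths and the evaluator are constructed for this example and do not reproduce any real product's rule format.

```python
"""Added example, not from the thread: a minimal first-match, default-deny
application rulebase. Seeding it with what svchost.exe genuinely needs, and
an explicit DENY for svchost server rights, removes the two prompts a new
user is otherwise asked to guess at. Rule format is constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    program: str                 # executable path, lower-cased for matching
    direction: str               # "OUT" = connect out, "IN" = accept (server rights)
    proto: Optional[str]         # "TCP", "UDP", or None for any protocol
    ports: Optional[Tuple[int, int]]  # inclusive remote port range, or None for any
    action: str                  # "ALLOW" or "DENY"


SVCHOST = r"c:\windows\system32\svchost.exe"   # constructed path for the example
BROWSER = r"c:\program files\firefox\firefox.exe"

RULES = [
    # DHCP (UDP 67/68) and DNS (53) are what svchost.exe needs to get you online.
    Rule(SVCHOST, "OUT", "UDP", (67, 68), "ALLOW"),
    Rule(SVCHOST, "OUT", "UDP", (53, 53), "ALLOW"),
    Rule(SVCHOST, "OUT", "TCP", (53, 53), "ALLOW"),
    # Windows Time is also svchost: allow just NTP, not everything.
    Rule(SVCHOST, "OUT", "UDP", (123, 123), "ALLOW"),
    # Server rights for svchost are denied explicitly, so that prompt never appears.
    Rule(SVCHOST, "IN", None, None, "DENY"),
    # Browser: outbound web only.
    Rule(BROWSER, "OUT", "TCP", (80, 80), "ALLOW"),
    Rule(BROWSER, "OUT", "TCP", (443, 443), "ALLOW"),
]


def evaluate(rules, program, direction, proto, port):
    """Return (action, matching_rule). First match wins; no match is a DENY
    with rule None, which is the case a learning-mode firewall would prompt on."""
    prog = program.lower()
    for r in rules:
        if r.program != prog or r.direction != direction:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.ports is not None and not (r.ports[0] <= port <= r.ports[1]):
            continue
        return r.action, r
    return "DENY", None


# The requests behind the prompts described in the post, as (program,
# direction, proto, remote port).
PROMPTS = [
    (SVCHOST, "OUT", "UDP", 67),    # DHCP broadcast
    (SVCHOST, "OUT", "UDP", 53),    # DNS lookup
    (SVCHOST, "IN", "TCP", 135),    # "act as server"
]


def unmatched(rules, requests):
    """Requests no rule covers: exactly what a user would still be prompted about."""
    return [req for req in requests if evaluate(rules, *req)[1] is None]


if __name__ == "__main__":
    for req in PROMPTS:
        action, rule = evaluate(RULES, *req)
        print(f"{req[0]} {req[1]} {req[2]}/{req[3]} -> {action}"
              f" ({'explicit rule' if rule else 'default deny'})")
    print("still prompting with empty rulebase:", len(unmatched([], PROMPTS)))
    print("still prompting with seeded rulebase:", len(unmatched(RULES, PROMPTS)))
```

    With an empty rulebase every request in PROMPTS is unmatched, which is the clueless-user scenario; with the seeded one none is, and anything svchost.exe tries beyond DHCP, DNS and NTP (an outbound TCP 80 connection, say) falls through to the default deny without a rule being consulted.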
     
  22. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    In the grand scheme of things I can understand this. Given an option to have either a software firewall or a NAT/SPI router, I'd direct the person to go with the router for a number of reasons, the main one being that it's an independent piece of hardware and load balances against anything subsequently installed on a PC. All one needs to do is examine the load on a software firewall with and without a NAT router to understand that for most people a router should come first. Why? Once it's plugged in and set-up, there is nothing else for a user to do. No popups. No decisions. Unsolicited inbound communications are dealt with cleanly and completely. This is the route to follow even for users with a single PC, a fact which escapes many.

    Whether it is wise for a user to take things to the next level is a debatable point. Each of us makes these decisions in every facet of our PC configuration. For example, I own current licenses for NOD32 and KAV WS. The bulk of my surfing is performed with NOD32 as my AV since I've made the choice that the resource drain of KAV WS is a little dear for my tastes most of the time. Objectively reading any AV/AT performance test, in some respects I have incurred a minor increase in potential malware exposed by doing this. I know that, but I've weighed the pragmatic consequences and, in my estimation, they are operationally nil.

    The same type of analysis can be applied to the question of this thread. While I believe the incremental exposure is greater than I view the NOD32/KAV WS trade-off, it is not a whole lot greater. In a coherently constructed layered defensive scheme, there is a hierarchical priority in the components. Outbound communication control is at the lower end of that priority schedule. Like many here, I do prefer to have that level of control.

    If a user were to ask me if they need this feature in their set-up, I'd probably advise them that it is in the nice-to-have category, but also try to assess whether they had the experience, and wished to acquire the knowledge, to intelligently deal with the configuration and use of this component. As someone who uses a software firewall purely as a measure of application based outbound communication control, I've already made a significant decision regarding the level to which I want to learn PC communication protocols. I made the active decision that I really do not wish to learn what is required to effectively configure and use a rules based firewall. My choice has been to use Outpost Pro in a purely application based mode. Naturally, the next step back would be to skip this activity altogether. My experience is that the incremental impact on the total risk of malware exposure is small if one decides to skip outbound control via application filtering.

    Readers of this thread should carefully assess Diver's points. They do have merit. Informed usage is what it is all about.

    Blue
     
  23. TrBot

    TrBot Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    139
    I have said it before and will again. YOU, the USER does. It is up to what YOU install, what YOU run, what you download etc etc. Not only does that count,
    but also knowing HOW to use what you download/install/run.

    Outbound APP filtering should be made easier for those "teen users" that I always go on about. THEY are the ones that need it the most, that and porn surfers.

    Don't mind me I talk out my butt.
     
  24. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Ghost's and BlueZannetti's posts are two good ones and make an interesting contrast, side by side.

    What caused me to make such a strong statement on this topic was that I have been seeing a lot of knee jerk recommendations to beginners regarding the use of firewalls with advanced application control when I thought the obvious answer was either a NAT or the Windows built in ICF. People have a way of not understanding the problems of other users when they give advice.

    One member of this forum has on occasion in PM's to me wondered how some of the members can keep their machines running with so many security applications installed at once.

    I found the sig here: http://www.wilyhacker.com/1e/

    Down near the bottom in appendix A.
     
  25. Diver ....You still haven't addressed this part of my argument

    Now what are all these alerts you seem to think I, and a lot of other people
    have....I've run behind FW's for years when I was on dial-up...ZA the old tiny
    and kerio....and rarely had an alert...maybe an occasional port scan.
    I'm now on DSL with an ISP Firewall ..with PG...prevx....and software FW.
    The only time I get all those "Alerts" is when I first try out something...
    to learn what's connected to what.....and learn what to expect.
    About the only pop up I get is from PG because I have rundll set up to run once.
    Other than that.....it is very very quiet here "On the western front."
    Because I have learned what to expect from my security apps. I feel that if
    one does alert me.....best deny it.....BECAUSE IT IS SURE NOT THE NORM.

    Where and what ....are all these alerts.

    p.s. I forgot to add....at home G/Fs PC still on a dial-up...she mainly
    uses it along with her son....she says she has no alerts.
     