Security Question

Discussion in 'other security issues & news' started by John Bull, Sep 7, 2010.

Thread Status:
Not open for further replies.
  1. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    With the PC just showing the Desktop, many programs have a direct Internet connection that is usually needed for automatic updates and in some rare cases to provide a constant connection for functional needs.

    Most of us have many such programs represented by icons on our Desktop.
    The only time we know they have made an Internet connection is when a panel is displayed to signify the action. This is optional.

    In the absence of a panel, we do not know a connection has been made and any bugs lurking in our system do exactly the same.

    Question: I have Comodo Firewall Pro and the tray icon is animated. It shows red for blocking and green for analysis when traffic activity is detected.

    If all legitimate programs are positively dormant and the FW shows red/green, does this mean that some bug is active?

    John B
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Your computer is bug free, surely. Comodo should show you, on the summary page, what is active, and usually there will always be some traffic.
     
  3. katio

    katio Guest

    Do you trust the software you install on your system?
    Yes.
    Then don't worry about outbound connections, inbound is already blocked if you have a router.

    No.
    Game over. Sandbox/virtualise them, then outbound doesn't matter either.

    If you are only worried about vulnerabilities in trusted software, install PSI from secunia.com.


    There are a lot of programs and services running on a Windows system, many by the operating system itself. Not all of them have Desktop or tray icons ;) It's only natural there's network activity as long as wifi is on or Ethernet is plugged in.
    If you *really* want to know what's going on, you need to plug in another system between your computer and the network which runs Wireshark or similar. You'll see that most network activity when you are not doing anything on the computer comes from stuff like DHCP and ARP, which is required for the basic functioning of a network, and from periodically broadcast packets essentially saying "Hi, I'm alive, you can find me at this IP".
     
  4. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Exactly. If you're on broadband and leave everything plugged in, the network activity won't ever stop. Your computer (if clean), is just being a computer.
     
  6. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    And when something has sent my account and log-in information from my bank's website 'outbound', exactly how is it that that "doesn't matter", and how is it that my 'sandboxed/virtualised' environment has made any difference?
     
  7. katio

    katio Guest

    Now that's easy. One doesn't run untrusted exes and do online banking in the same security context. Simply use the host for that, create a separate sandbox/VM or restore to a known clean snapshot between these activities.
     
  8. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
    I'll grant that point.

    I hear ya.
    The only point I was attempting to make is that once personally compromising information is in the hands of the bad guys it remains there, and restoring to a 'clean snapshot' or any other action won't magically remove that information from their possession.

    But true enough-- Doing sensitive things online only from a known clean environment will drastically reduce the odds of something like that happening.
     
  9. katio

    katio Guest

    Right. It's yet another layer of defense. But with outbound software firewalls I have the feeling people don't really know how to respond to those nagging dialogs. Either they get scared by false positives or set "allow all" after a while.
    If an attacker really knows what he's doing he'll obscure and hide traffic in legitimate and allowed network activity or use a rootkit/kernel level exploit to hide malicious activity from the firewall or simply disable all protections.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You might have grossly understated that and forgotten to include about every other security tool with the AV being the only possible exception. Oh, and we can't put UAC in that category because there are only two options: do it or don't do it. I think we could only use one button on UAC really, as there is only one that ever gets used.

    Sul.
     
  11. katio

    katio Guest

    Well, I think what makes firewalls stand out is that it's not only hard for the general population but also for moderately educated users (and up, I'd tend to include myself) to make the right guesses, erm, decisions. Of course this depends a lot on what software we are talking about: the coarser the control (e.g. application level as in OS X), the easier it gets, at the cost of security, the usual trade-offs really.
    Two-button binary choices are manageable if you know a bit about how all this computer wizardry works; firewalls usually give you several options and ask questions that sometimes require substantial networking knowledge.
    And finally, as stated above, they aren't really all that useful to begin with: running detection technology in the same ring/with the same privilege as attacker code is bound to end in pwnage, i.e. why bother?
    AVs and HIPS run in the same ring too, but they are in the prevention business, so if they do their job properly malware can't even execute to attack them.
     
  12. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I apologise if my question is unclear. I am well aware of how FWs function, but simply wanted to know the answer to this :-

    "If all legitimate programs are positively dormant and the FW shows red/green, does this mean that some bug is active?"

    All my programs show a panel when they connect with the Internet, including Windows - if not a panel, an icon.

    So if none of these programs are active and my FW shows traffic, what is it ?

    John B
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    There is no such thing as positively dormant on the machine. Download Sysinternals Procmon.exe from the Microsoft site, and watch. You will get an education. You also might get a port monitoring program, which I believe they have, and watch that.

    Pete
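    As an added illustration of what a port monitor does (this is example code, not something posted in the thread or shipped with Sysinternals): join the output of `netstat -ano` with `tasklist /fo csv`, both present on any Windows box, so that every socket with a remote peer is attributed to the image that owns it. The netstat and tasklist text below is constructed for the demo; the addresses are documentation ranges, and PID 4 is the System process, which owns kernel-side listeners such as SMB on 445 and NetBIOS on 137.

```python
"""Attribute sockets to the program that owns them, the way a port monitor
such as TCPView does.

Input is the text of `netstat -ano` and `tasklist /fo csv`. The two samples
below are constructed for this demo, not captured from a real machine.
"""
import csv
import io

NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:49203     203.0.113.10:80        ESTABLISHED     1892
  TCP    192.168.1.23:49210     198.51.100.77:4444     SYN_SENT        3020
  UDP    0.0.0.0:137            *:*                                    4
  UDP    192.168.1.23:1900      *:*                                    1204
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","1204","Services","0","9,876 K"
"firefox.exe","1892","Console","1","123,456 K"
"updater.exe","3020","Console","1","2,048 K"
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" else ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def remote_connections(netstat_text, tasklist_text):
    """Return (image, proto, local, foreign, state) for sockets that have a peer.

    Listeners and unbound UDP sockets are skipped: they are waiting for
    traffic, not generating it.
    """
    owners = parse_tasklist(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        host = row["foreign"].rsplit(":", 1)[0]
        if host in ("*", "0.0.0.0", "[::]"):
            continue
        # A PID missing from tasklist means the process exited between the
        # two snapshots; keep the socket visible rather than dropping it.
        image = owners.get(row["pid"], f"<pid {row['pid']} gone>")
        out.append((image, row["proto"], row["local"], row["foreign"], row["state"]))
    return out


if __name__ == "__main__":
    for image, proto, local, foreign, state in remote_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image:14s} {proto:4s} {local:24s} -> {foreign:24s} {state}")
```

    On a live machine, feed it the two commands' output (`netstat -ano > n.txt`, `tasklist /fo csv > t.txt`) taken within a second or two of each other; the join is the same thing TCPView shows interactively, and it is where you start when the firewall lights up while "nothing" is running.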
     
  14. katio

    katio Guest

    I thought I answered that already, but again: No.
    ARP (as an example) is sent across your local network no matter what programs you have running, that's just how IPv4 works.
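    As an added example of the point katio makes in posts 3 and 14 (example code, not something posted in the thread): a small triage script that takes a one-packet-per-line capture summary from a box that is "doing nothing" and separates the chatter every Windows host emits on its own (ARP, DHCP renewals, NetBIOS/LLMNR/mDNS name queries, SSDP discovery) from flows that actually leave the LAN. It assumes a tshark-style line layout of `time src dst protocol info` and a 192.168.1.0/24 LAN; the capture lines are constructed for the demo and use documentation address ranges.

```python
"""Triage an idle-desktop capture: separate link-local background chatter
from flows that leave the LAN and deserve a closer look.

Input is a tshark-style summary, one packet per line:
    <time> <src> <dst> <protocol> <info...>
"""
import ipaddress
from collections import Counter

# Assumed LAN for the demo; change to your own subnet.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Protocols a quiet Windows box sends on its own, with no user program open.
BACKGROUND_PROTOS = {
    "ARP", "DHCP", "BOOTP", "NBNS", "LLMNR", "MDNS", "SSDP", "IGMP", "ICMPV6",
}

# Constructed sample, not a real capture: five lines of normal background
# noise, one outbound web connection and one connection to an odd port.
SAMPLE_CAPTURE = """\
0.000 192.168.1.23 192.168.1.255 NBNS Name query NB WORKGROUP<1b>
0.512 00:1a:2b:3c:4d:5e ff:ff:ff:ff:ff:ff ARP Who has 192.168.1.1? Tell 192.168.1.23
1.003 192.168.1.23 224.0.0.252 LLMNR Standard query A wpad
2.250 192.168.1.23 239.255.255.250 SSDP M-SEARCH * HTTP/1.1
3.770 192.168.1.23 192.168.1.1 DHCP DHCP Request - Transaction ID 0x3d1d
4.100 192.168.1.23 203.0.113.10 TCP 49203 > 80 [SYN] Seq=0
5.941 192.168.1.23 198.51.100.77 TCP 49210 > 4444 [SYN] Seq=0
"""


def classify(line):
    """Return 'background', 'local', 'external' or 'unknown' for one packet line."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return "unknown"
    _time, _src, dst, proto = parts[:4]
    if proto.upper() in BACKGROUND_PROTOS:
        return "background"
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return "unknown"  # MAC address or hostname where an IP was expected
    # Broadcast, multicast and on-link unicast never leave the LAN.
    if dst_ip.is_multicast or dst_ip == LOCAL_NET.broadcast_address or dst_ip in LOCAL_NET:
        return "local"
    return "external"


def triage(capture_text):
    """Count packets per category and return the lines that left the LAN."""
    counts = Counter()
    external = []
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        category = classify(line)
        counts[category] += 1
        if category == "external":
            external.append(line)
    return counts, external


if __name__ == "__main__":
    counts, external = triage(SAMPLE_CAPTURE)
    for category in ("background", "local", "external", "unknown"):
        print(f"{category:10s} {counts[category]}")
    print("\nFlows to attribute to a process (netstat -ano, TCPView, Procmon):")
    for line in external:
        print("  " + line)
```

    Run against a real capture (`tshark -r idle.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info` gives roughly this shape), the "background" bucket is what makes the firewall tray icon blink on an idle desktop; the short "external" list is the only part worth chasing down to a process.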
     
  15. wat0114

    wat0114 Guest

    John, the attached .txt file (linked below the screenshot of System process) is ~ 1.5 mins network activity with all applications closed, with my desktop open. You can see just how busy the System process (4) is when I'm not even doing anything. My fw rules block most of these unnecessary (for me) attempts.
     

  16. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I sincerely thank every one of you, including a kind PM from PROROOTECT, for taking the time to answer what must seem a daft question at your level.
    You must have thought "Oh no, he's not trying to wind us all up again, is he?"

    Your explanations are more than enough for me. I now understand why the Firewall shows traffic when "I" think all programs are asleep.

    I will explore everything you said, especially the interesting activity monitoring programs proposed.

    Sorry to trouble you all, but it was a puzzle to me.
    OK! I'll try my best to come up with some other stupid questions - a skill at which I am becoming the World's greatest living expert.

    Kind regards to you all
    John

    PS - I know what you're thinking - "I bet he bought that Engineering Degree of his at some Far Eastern bazaar for a couple of bucks"
     
    Last edited: Sep 8, 2010
  17. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    When I used CIS 3.1 about a year ago, the tray icon animated RED for incoming and GREEN for outgoing traffic.

    Or vice versa, I don't remember exactly.
     