Software FIREWALLS : inbound protection or just “leak test” protection ?

Discussion in 'other firewalls' started by Zyrtec, Mar 14, 2008.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    Just out of interest, what made you think NIS is excellent at blocking real malware from phoning home? How many real malware samples did you test it with?
     
  2. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Please, check the reviews from various PC Magazines.
    Sure, I'll bet you'll say that Norton is always the favorite there, but I don't think any tester would allow himself/herself to cheat on tests.
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Just to back up my opinion, here is what Sunbelt Kerio Personal Firewall vendor wrote in response to Matousec.com:

    Sunbelt Software is committed to providing the strongest possible security products to its customers, and we will be working to correct demonstrable issues in the Sunbelt Personal Firewall. Users can expect these and other continuing enhancements for the Sunbelt Personal Firewall in the near future.

    However, we have some reservations about personal firewall "leak testing" in general. While we appreciate and support the unique value of independent security testing, we are admittedly skeptical as to just how meaningful these leak tests really are, especially as they reflect real-world environments.

    The key assumption of "leak testing" -- namely, that it is somehow useful to measure the outbound protection provided by personal firewalls in cases where malware has already executed on the test box -- strikes us as a questionable basis on which to build a security assessment. Today's malware is so malicious and cleverly designed that it is often safest to regard PCs as so thoroughly compromised that nothing on the box can be trusted once the malware executes. In short, "leak testing" starts after the game is already lost, as the malware has already gotten past the inbound firewall protection.

    Moreover, "leak testing" is predicated on the further assumption that personal firewalls should warn users about outbound connections even when the involved code components are not demonstrably malicious or suspicious (as is the case with the simulator programs used for "leak testing"). In fact, this kind of program design risks pop-up fatigue in users, effectively lowering the overall security of the system -- the reason developers are increasingly shunning this design for security applications.

    Finally, leak testing typically relies on simulator programs, the use of which is widely discredited among respected anti-malware researchers -- and for good reason. Simulators simply cannot approximate the actual behavior of real malware in real world conditions. Furthermore, when simulators are used for anti-malware testing, the testing process is almost unavoidably tailored to fit the limitations of simulator instead of the complexity of real world conditions. What gets lost is a sense for how the tested products actually perform against live, kicking malware that exhibits behavior too complex to be captured in narrowly designed simulators.
     
  4. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I agree. Leak tests are POC and most malware doesn't bother to be so sophisticated. Why spend time going after the security conscious when there's so many other clueless people (the low hanging fruit)?
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    I do not trust PC magazines. Yup, they hardly cheat on selected tests, but the selection itself is more important. In case they select from the latest Norton virusbase, then the result is quite predictable. But it is more interesting to test it without the virusbase. I took the old cpilsuite and the latest NIS failed it (just purchased a new laptop with preinstalled NIS). Then I started old good PCAudit, which is completely harmless, and NIS removed it without a question, claiming it was very dangerous malware. This was enough for me to uninstall it. Such signature based security is not for me, and I hate it when I'm not asked whether I really wish the "malware" to be removed.

    Edit: To say nothing of the fact that the "C:\ProgramData\Symantec" directory takes 313 MB, which is completely beyond my understanding given such poor behaviour.
     
    Last edited: Jun 2, 2008
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Well, I don't trust PC Magazines too much either, simply because they have too small a number of malware samples they test firewalls against, about 20 of them.
    Because of this fact readers might get the wrong picture that the firewall is weak against malware. 20 malware samples is too small a number to be taken seriously. That's why I usually visit www.anti-malware-test.com
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    Interesting reading. But I have got a feeling anti-malware.com follows Matousec. I mean those endless wars "who pays whom". But in general I didn't notice that Symantec performed very well there. And in any case I do not trust signature-based security. This kind of security fails as a rule against zero-day threats.
     
  8. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    I guess you are referring to Threatfire and the likes :rolleyes:
     
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Heuristics go a long way though. Also, the risk of being caught in the window of vulnerability between a new virus (not detected by heuristics) being released and the signature updates tends to be low.
     
  10. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    Yep, "In HIPS I trust" :)
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    Heuristics might be OK if they reported what code they decided is dangerous and on what basis. But all I saw from heuristics is just a verdict without explanation. So the only choice I have is to trust the verdict. Then I have a feeling they treat me like an idiot :) On the opposite side, behaviour based security reports as a rule what action was taken and allows me to be more informed on what is happening. Though, I agree, this approach needs some technical basis.
     
  12. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Have a look at shadowserver.org. Most new viruses are variants of the same basic one. Most of them are detected by heuristics.

    I'm getting a little disillusioned with behavior based blocking though, both the smart behavior blockers such as Threatfire, Mamutu etc. and the classical ones such as D+, SSM. Smart blockers had too many FPs for me. Classical was too tiresome. Neither covers all your bases. Of course neither does AV, but it is less intrusive.
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    Tastes differ :)

    I have only OA AV+ and this pack covers everything I need (some advanced missing things are coming, though). I don't find it too intrusive, but I have a very safe feeling doing anything.
     
  14. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Registry and file protection are coming up?
    I use OA on my PC for daily use, surfing and gaming.

    But I would be surprised if you really mean OA covers all areas for malware testing.
    For example, you start a trojan and this drops a dll and writes a reg key to load this dll with the Windows Explorer.
    I had exactly this particular case.
    Does OA warn about the dll? Does OA warn about the new explorer component?
    If you really test malware with OA, you miss a lot.

    Cheers
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    Yes, it warns about the creation of new executable files (including dll, sys, cmd, bat, vbs etc.), it warns about dll injection and it warns about driver installation. I tested all the malware examples I could get and OA didn't fail even once. If you have one, please provide me with the example.
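As an added illustration (not OA's code and not from this thread), here is a minimal HIPS-style check of the kind the last two posts describe: it classifies newly written files using the extensions listed above plus the PE "MZ" header, and returns the reason alongside the verdict, which is the explanation alex_s asks for earlier. File names and bytes are constructed for the demo.

```python
"""Added example, not OA's code: a HIPS-style check for newly created
executable content, modelled on the thread's "trojan drops a DLL" case.
File names and bytes are constructed for the demo."""
import os
import tempfile

# Extensions alex_s lists as executable, plus a few common Windows types.
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".cmd", ".bat", ".vbs", ".scr", ".com"}
# A PE image (exe/dll/sys) starts with "MZ"; scripts have no magic bytes,
# so they are caught by extension only.
PE_MAGIC = b"MZ"


def classify_new_file(path):
    """Return (verdict, reason): the verdict and the basis for it, which is
    what the thread asks of a behaviour blocker instead of a bare verdict."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(2)
    if head == PE_MAGIC:
        if ext in EXEC_EXTENSIONS:
            return "alert", f"PE image written as {ext}"
        # A DLL renamed to .txt is still loadable later; flag it regardless.
        return "alert", f"PE image disguised with extension {ext or '(none)'}"
    if ext in EXEC_EXTENSIONS:
        return "alert", f"new script/executable by extension {ext}"
    return "allow", "no executable content detected"


def demo():
    """Constructed drop: PE-headed .dll, PE disguised as .txt, a .vbs script
    and a plain text file. Returns {name: (verdict, reason)}."""
    workdir = tempfile.mkdtemp()
    samples = {
        "helper.dll": b"MZ\x90\x00 constructed PE stub",
        "notes.txt": b"MZ\x90\x00 constructed PE stub",
        "run.vbs": b"WScript.Echo 1",
        "readme.txt": b"just text",
    }
    results = {}
    for name, data in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        results[name] = classify_new_file(path)
    return results


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{verdict:5} {name}: {reason}")
```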
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Personally, I don't care how good OA with HIPS is. What I prefer is the inbound protection. Sure, CFP 3.0 with Defense+ activated has blocked malware, but it can't delete it, and besides there are always going to be new ways for malware to spread through the computer undetected.
    NIPS, HIPS (for inbound protection) and full SPI, that's what any firewall should really have.
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?

    Could you clarify what you mean by "inbound protection"? There is such a variety of views and definitions that this definitely needs clarification in every particular case :)
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    This question was brought up on ZoneAlarm's forums; here is a copy of an answer.
    The AV will stop most of these (like 99%), and the extra HIPS/virtualization is not really needed for prevention of malware infection.
    Really the easiest method for security is to use the antivirus and a software firewall with a hardware firewall (router), and always use the PC in a limited user account (not the admin account).
    This way there are no attacks on the LAN seen by the PC as these are stopped by the router; viruses/trojans/worms are stopped by the antivirus; the software firewall is a second line of defense for the incoming and provides outgoing control; the limited user account stops malware infections (almost all spyware, adware, cws, some rootkits, etc.) and any changes to the operating system.

    What many people seem not to understand is that once malware is installed (and allowed by the user), the Windows kernel is no longer the same and does not resemble the previous system. The operating system is usually so radically changed/altered that the previous concepts and ideas of prevention do not always apply any longer. Once Windows has a new kernel from the malware, the previous rules have changed to a new area that is often unknown or unseen.
     
  19. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Re: Software FIREWALLS : inbound protection or just “leak test” protection ?


    Quote ! ;)
     
  20. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    With software firewalls (and AV's) there's always that chance that they can become corrupted by malware, or just not load properly at start-up for whatever reason. It's happened to me before. And a few seconds of being naked on a public IP can be more than enough to be compromised.

    That's a rare occurrence though. Another advantage is that the physical box itself takes care of its own load. No resource hit to your computer.

    Still I prefer to have both. As someone else pointed out it's easier and quicker to make rules via a software firewall. Most routers don't have the same fine detail options available and the ones that do are confusing to configure. I also like having total control of my computer and everything going both in and out, which means outbound control. I just like to know what's going on.

    I do agree totally though that inbound protection is by far the most important aspect of a firewall, and furthermore the fundamental purpose of having one in the first place. Everything else (HIPS) is just extra and optional.
     