Discussion in 'other anti-malware software' started by merlot_1, Nov 14, 2006.
Hi, I just downloaded the 30 day trial of SSM. Do I still need a firewall?
It depends on how much control you want. I would say yes because the SSM firewall doesn't give me the complete control I am looking for ATM. But that's just me.
The SSM firewall might be enough for you. Like I said, it all comes down to the amount of control you want over incoming/outgoing connections.
You should also run an internet firewall. Having control over the traffic entering and exiting your PC is a major part of securing it. Although the newest versions of SSM have a firewall component, you can gain much more control over internet traffic with an actual firewall. A rule based firewall complements SSM very well since SSM itself is rule based. I use Kerio 2.1.5 with SSM on my system and have installed these 2 on several others. Your firewall doesn't need to include any form of HIPS, process control, registry monitoring, etc as SSM will take care of these tasks.
You do need a firewall (or at least a router) because SSM only controls outbound connections, IIRC.
OK. Thanks for the info, everyone. I had been leaving my firewall disabled, because I know you should never run two firewalls, and I wasn't quite sure if SSM was considered a firewall or a HIPS. Now, question two: after the 30 day trial should I purchase SSM, or maybe try DefenseWall? Which is better? Or can I run both?
In fact, you may try both together; there are no compatibility issues there.
Hi, Ilya Rabinovich. Do you prefer one over the other? I'm not sure I want to run both. I think in their learning mode it might drive me crazy with all the popup questions coming from both of them. I am not a normal PC user. I am a download junkie and like to try about 5-10 software products a day, especially beta releases. So I am looking for the best protection.
It's up to you, in fact. Also, if you love the process of testing new software, I would advise you to use VMware/VirtualPC for this purpose.
I haven't been using VMware, but I do have my hard disk partitioned, and have been doing all the testing on my "F" drive. So my "C" drive is safe (I think) if I screw up.
Well, is your registry saved on the F: drive too? Some programs leave their tracks in the file system and registry because their uninstallers are not complete.
As for HIPS systems, their ability to stop malware inside installation packages is a little bit limited. Classical ones will flood you with tons of popup windows, sandbox ones may have some compatibility issues because of restrictions, expert ones may give you false positives and false negatives.
That is why, if you really need to try tons of software on your computer, I would advise you to use virtual machines. It's safe, reliable, made for software testing. VirtualPC is free, VMware too.
I've been lurking for some time and I'm impressed with your knowledge about SSM. I found you while googling for Kerio 2.1.5 and the fragmented packet vulnerability.
I've been using Kerio 2.* since 2003 and love the control, speed and light footprint of this application.
I'm wondering if it is possible to use SSM Free 2.0.* to stop an application from phoning home at the level of the communication between applications, by not allowing the interaction with net-aware applications. If it is possible, could you please show how to do it for Acrobat Reader version seven, which phones home?
I know that kerio 2.* handles this easily, but would kerio notice the communication if malware used fragmented packets to phone home?
I hope Rick answers you in time. But I think he runs SSM free version same as me.
My comments: those fragmented packets passing through are for incoming connections as far as I know, and it has also been said that it is some sort of theoretical thing they can do. Myself, I have no router, and I thus trust my security against inbound attacks to Kerio 2.1.5.
I do doubt if Rick or anyone else can give you an answer, because your question is kind of a deep one.
My answer is that SSM should take care of any unknown app/exe, parent/child permissions etc. phoning home without your permission; asking you, I mean.
But running a HIPS is not so easy. Most of the time I just run my browser inside Sandboxie to take care of not installing malware on my system, and SSM is not running, so excuse my post in here. I keep SSM only for diagnostic purposes.
One can get a little paranoid in reading these forums. Most people are just fine with win XP SP2 firewall.
I got paranoid when watching Mark Russinovich's video for Process Explorer, verifying my running processes, when almost none of them could actually be verified on my system.
The free version of SSM doesn't directly control internet traffic. If the app tries to send data by hooking or injecting data into another app that does have internet access, SSM will detect the hook. Many apps "call home" with a separate updater component. SSM will alert to the attempt to start the updater.
I can't directly address version 7 of Acrobat Reader. I don't have an XP unit to install it on. Looking at version 8 on a friend's XP unit, the updater component wants to connect out looking for updates. You could prevent the updater from connecting out with Kerio. You can also use SSM to prevent Acrord32.exe (the main executable of Adobe Reader) from starting AdobeUpdater.exe. Here you have choices. You can:
1. Block AdobeUpdater.exe completely, which will prevent any updating of Acrobat Reader.
2. Block Acrord32.exe from being a parent process of AdobeUpdater.exe. This will stop Adobe from updating itself while still allowing you to run the updater manually.
I can't say for sure if other components of Adobe Reader try to connect out. So far, they haven't on this PC (a friend's) but it's rarely used.
It's extremely unlikely that you'll find malware that tries to call home using fragmented packets. Malware isn't generally sophisticated enough to make them. Most firewalls don't have a problem handling fragmented packets, which would make it pointless to try to connect out using them. You're basically describing custom-made malware designed to try to exploit a theoretical vulnerability in the wrong direction. It would be hard to do, and wouldn't work on any other firewall but Kerio 2.1.5, if it worked at all. No one will go through that to try to exploit a single older version of one firewall.
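The posts above talk about fragmented packets "getting through" a firewall without saying why fragmentation matters to a packet filter. The following is an added illustration, not code from the thread and not a description of Kerio 2.1.5's actual behaviour: it models a generic stateless filter that judges each fragment on its own, shows that a TCP SYN split into 8-byte fragments slips past a "block SYN to port 23" rule (the first fragment ends before the TCP flags byte, and later fragments carry no port fields at all), and shows that a filter which reassembles by IP identification before matching closes the gap. The addresses, ports and packets are constructed inline; nothing is sent on the network.

```python
"""Tiny-fragment evasion of a stateless packet filter, and the reassembling fix.

Added example for the thread; not Kerio code. All packets are constructed here.
"""
import struct

IP_PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src, dst, payload, frag_offset=0, more_fragments=False, ident=0x1234):
    """Minimal 20-byte IPv4 header (checksum left 0). frag_offset is in 8-byte units."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), ident,
                      flags_frag, 64, IP_PROTO_TCP, 0, _ip(src), _ip(dst))
    return hdr + payload


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"ident": f[3], "mf": bool(f[4] & 0x2000), "offset": (f[4] & 0x1FFF) * 8,
            "proto": f[6], "payload": pkt[ihl:f[2]]}


def build_tcp(sport, dport, flags, seq=0):
    """Minimal 20-byte TCP header, no options, checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def fragment(src, dst, payload, chunk):
    """Split a transport payload into IPv4 fragments of `chunk` bytes (multiple of 8)."""
    assert chunk % 8 == 0
    return [build_ipv4(src, dst, payload[off:off + chunk], off // 8, off + chunk < len(payload))
            for off in range(0, len(payload), chunk)]


def rule_fires(seg, blocked_dport):
    """The filter rule: a bare SYN (SYN set, ACK clear) to blocked_dport.
    Needs at least 14 bytes of TCP header to see the flags byte."""
    if len(seg) < 14:
        return False
    _sport, dport = struct.unpack("!HH", seg[:4])
    return dport == blocked_dport and (seg[13] & (TCP_SYN | TCP_ACK)) == TCP_SYN


def stateless_filter(pkts, blocked_dport):
    """Judges each fragment alone. Non-first fragments carry no TCP header, and a
    first fragment shorter than 14 bytes has no flags byte, so both pass unexamined.
    Returns True if the connection attempt gets through."""
    for p in pkts:
        ip = parse_ipv4(p)
        if ip["proto"] == IP_PROTO_TCP and ip["offset"] == 0 and rule_fires(ip["payload"], blocked_dport):
            return False
    return True


def reassembling_filter(pkts, blocked_dport):
    """Reassembles by IP ident before matching. Incomplete or overlapping sets are
    dropped (fail closed). Returns True if the connection attempt gets through."""
    buckets = {}
    for p in pkts:
        ip = parse_ipv4(p)
        if ip["proto"] != IP_PROTO_TCP:
            continue
        b = buckets.setdefault(ip["ident"], {"parts": {}, "total": None})
        b["parts"][ip["offset"]] = ip["payload"]
        if not ip["mf"]:
            b["total"] = ip["offset"] + len(ip["payload"])
    for b in buckets.values():
        if b["total"] is None:
            return False
        data, covered = bytearray(b["total"]), 0
        for off, piece in sorted(b["parts"].items()):
            data[off:off + len(piece)] = piece
            covered += len(piece)
        if covered != b["total"] or rule_fires(bytes(data), blocked_dport):
            return False
    return True


def demo():
    """Blocked SYN to port 23, sent whole and in 8-byte fragments, through both filters."""
    src, dst = "198.51.100.7", "192.0.2.10"      # constructed documentation addresses
    syn = build_tcp(40000, 23, TCP_SYN)
    whole = [build_ipv4(src, dst, syn)]
    tiny = fragment(src, dst, syn, 8)             # fragments at offsets 0, 8, 16
    allowed = fragment(src, dst, build_tcp(40000, 80, TCP_SYN), 8)
    return {
        "whole_stateless": stateless_filter(whole, 23),       # False: blocked
        "tiny_stateless": stateless_filter(tiny, 23),         # True: evaded
        "tiny_reassembling": reassembling_filter(tiny, 23),   # False: blocked
        "allowed_tiny": reassembling_filter(allowed, 23),     # True: port 80 is fine
    }


if __name__ == "__main__":
    print(demo())
```

The point for the thread is the asymmetry the posters circle around: evasion by fragmentation is a property of how the filter looks at packets, not of the direction of traffic, and a filter that reassembles before matching does not care which way the fragments are flowing.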
On the suggestion and reviews, courtesy of herbalist, now years ago, I dropped Zone Alarm for K.2.15 and don't regret it for one moment. That was when all I had was 98SE. I use nothing else on my XP Pro and it continues to serve VERY well. Excellent firewall IMHO. Always will be as far as I am concerned.
As concerns Acrobat, I have only used the Acrobat 5.0 version and I read all the PDFs I want, always did. No need for all that ridiculous bloat from so-called newer updated versions; they change nothing except to slow down loading, and who needs to wait chewing their nails just to read a PDF.
Indeed, it is.
You might like Foxit even better.
Thank you for the alternative choice. Reviewed that site and read up on it. Looks OK to me and I'm sure it is.
Merlot: You probably know this by now: IR is the author of DefenseWall. Very even-handed, yes?
Thanks for your answer.
I know. I thought that right-clicking on the Application Rules window > Add rule for file > Application... (Ins) for all of the system's exes and dlls that communicate with the web would do the trick, but I know neither the names of those executables nor where they are located. Using parent control on those executables, I thought it would cover the *** of Kerio 2.1.5.
Your suggestions make sense, but at least in version 7, according to Kerio, it is acrord32.exe that tries to connect to the web. On the other hand, SSM doesn't give any popup for AcroRd32.exe's rule:
Advanced Properties AcroRd32.exe > Applications > Default actions > Child: Ask user / Parent: Ask user (4 Parents allowed: explorer.exe, firefox.exe, opera.exe, 7zFM.exe) Everything else ask.
Advanced Properties AcroRd32.exe > Libraries > Default actions > Child: Ask user (ask everything).
Advanced Properties AcroRd32.exe > Drivers > Default actions > Child: Ask user (ask everything).
Special permissions: all default.
when Acrobat tries to phone home. Does this mean that AcroRd32.exe can phone home and SSM can't do anything apart from blocking AcroRd32.exe completely? (I know that there are alternatives to Acrobat; that's not the point.)
I beg to differ: in this case the malware would be targeting those who do not have a firewall (for this attack, Kerio 2.* users are included in this category) and firewalls that do not filter outbound connections by application, such as Windows Firewall, CHX, etc. I think that this large user base makes malware writers salivate.
We run Antivir free + SSM free + DefenseWall paid on the stable machine of my wife, and on the PC of my son we use CyberHawk free instead of SSM free (because he tries out software too, like you).
I agree with Ilya: OS + file virtualisation (e.g. VMware) is the strongest defense when trying out a lot of software.
Both setups have proven their strength in the last 9 months (I have not changed the security setup; both are behind an inbound hardware firewall, with no outbound software firewall and no anti-spyware apps).
With the SSM free + DW combo I have tried the nastiest sites and did not have to recover from backup. I even won some bets with colleagues who said that when you visit that specific site your PC will get infected. The SSM free + DW paid combo could handle even those sites.
I don't know how much difference there is between versions 7 and 8 of Acrobat Reader, and at the moment I don't have access to the XP unit I used yesterday. If Acrord32.exe is the component that is connecting out, SSM free will not prevent it. Kerio should handle this task with no problems. You don't have to block all internet access for Acrord32.exe. If you deny each connection attempt without actually creating a rule, it will probably try to use several IPs, usually all part of a specific IP range owned by the company. Take the IP(s) it's trying to connect to and run them through a whois. It will identify who the IP belongs to and should return the IP range they use. Sam Spade is an excellent tool for this type of work. Once you know the IP range, make a blocking rule for Acrord32.exe for this IP range. Put this rule above the one that permits Acrord32.exe internet access. This way, it'll be usable on the net anywhere except the range it's trying to call home on.
Malware that targets users with either XP's firewall or no firewall would have no need to use fragmented packets. Standard packets would work fine. Conventional trojans and most adware fit this description. Kerio 2 controls these with no problem.
The only reason someone would code malware to use fragmented packets would be to try to bypass a firewall that doesn't control them properly. Under certain conditions, fragmented packets from the internet will get through Kerio. This does not mean that it works in both directions. Even if Kerio will pass outbound fragmented packets in a manner consistent enough to send data, it would be much more difficult than trying to assemble fragmented inbound packets into a usable exploit. To my knowledge, this "vulnerability" hasn't been successfully exploited in either direction outside of a test lab. Even if it were possible, how would an attacker get this onto the desired target system, and make sure that it didn't get used with any other firewall that does detect and alert to fragmented packets?
I seriously doubt that anyone is going to assemble a piece of malware to try to exploit a theoretical vulnerability that exists in one specific, older firewall, one that is no longer supported by its vendor and is primarily used by people who prefer rule based security software and separate security programs. That is a very small group of users to target and they run well secured systems. Anyone who would go thru this much effort would have to be obsessed with hacking a specific person and be an expert.
Even if such malware existed, SSM would detect it trying to start. If it used an installer, that would be detected as well. Kerio 2.1.5 and SSM free are an excellent combination. Each complements and defends the other. SSM controls processes, dll injection, drivers, etc. Kerio controls internet traffic. There's no overlap in function. For users who understand how to configure them, these 2 apps together are some of the best security software you can get.
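The procedure in the post above (deny the attempts, collect the destination IPs, look up the range, then put a deny rule for that range above the permit rule) depends on first-match rule evaluation, which is how a rule-based firewall like Kerio 2 reads its list. The following is an added example, not code from the thread and not Kerio's own rule format: it summarises observed destination addresses into one covering CIDR (a stand-in for the range a whois lookup returns), evaluates a rule list with first-match semantics, and flags a deny rule that is shadowed by an earlier, broader permit for the same application. The application name, addresses and rule comments are constructed for the example.

```python
"""First-match firewall rules: block a vendor's range above a general permit.

Added example; the rule model and addresses are constructed, not Kerio's own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    app: str                        # executable the rule applies to
    action: str                     # "permit" or "deny"
    remote: ipaddress.IPv4Network   # remote addresses the rule covers
    comment: str = ""


def covering_network(ips):
    """Smallest single CIDR containing every observed address. Stand-in for the
    allocation a whois lookup would report for those addresses."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def first_match(rules, app, dst):
    """Walk the list top to bottom; the first rule covering (app, dst) decides.
    No rule at all is modelled as "ask", i.e. the firewall would prompt."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.app == app and addr in r.remote:
            return r.action
    return "ask"


def shadowed_denies(rules):
    """Deny rules that can never fire because an earlier permit for the same app
    already covers their whole range. This is the misordering the post warns about."""
    out = []
    for i, r in enumerate(rules):
        if r.action != "deny":
            continue
        for earlier in rules[:i]:
            if earlier.app == r.app and earlier.action == "permit" and r.remote.subnet_of(earlier.remote):
                out.append(r.comment)
                break
    return out


def demo():
    app = "Acrord32.exe"
    # Constructed stand-ins for the addresses the reader was seen trying (documentation range).
    observed = ["192.0.2.17", "192.0.2.44"]
    vendor = covering_network(observed)          # 192.0.2.0/26
    anywhere = ipaddress.ip_network("0.0.0.0/0")

    deny_vendor = Rule(app, "deny", vendor, "block call-home range")
    permit_all = Rule(app, "permit", anywhere, "general internet access")

    wrong_order = [permit_all, deny_vendor]      # deny shadowed: never reached
    right_order = [deny_vendor, permit_all]      # deny above permit, as the post says

    return {
        "vendor_range": str(vendor),
        "wrong_order_vendor": first_match(wrong_order, app, "192.0.2.17"),   # permit
        "right_order_vendor": first_match(right_order, app, "192.0.2.17"),   # deny
        "right_order_other": first_match(right_order, app, "203.0.113.5"),   # permit
        "other_app": first_match(right_order, "firefox.exe", "192.0.2.17"),  # ask
        "shadowed_in_wrong": shadowed_denies(wrong_order),
        "shadowed_in_right": shadowed_denies(right_order),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats the post implies but does not spell out: the covering CIDR computed from two observations can be wider or narrower than the real allocation, so the whois result should be what goes into the rule, and a range block only helps if the application keeps using the same allocation; an updater that moves to a CDN will need the rule revisited.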
Doesn't Comodo Firewall cover some of the same areas? Processes, DLL injection, etc.
In fact, VMware and VPC are hardware emulation tools, not OS+file ones. The reason I suggest them is simple: some software won't install properly under sandbox restrictions (it is impossible to install a driver, for instance).
Yes, but in a strange way (according to the last time I tried it), like:
1. It does prevent changed processes from connecting to the internet.
2. It does not prevent the modification (or DLL injection) of the process.
What I am asking myself: when an application is able to notice that processes are being modified, why doesn't it give users an option to prevent the modification from happening?
I tested this about three months ago, so this 'experience' could be solved in a new version. Comodo users can check this by downloading Zapass and seeing whether it prevents the DLL injection (in the current version).
Re. Adobe's Reader software and AdobeUpdater.exe and blocking: you could always just remove Updater.api from the Adobe Acrobat Reader plugins folder.