Using Private Firewall With No Virus Thanks ERP

Discussion in 'other anti-malware software' started by TerryWood, Dec 13, 2017.

  1. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    Hi All

    Grateful for your response to the following.

    Using Win 10 x64 Bitdefender Free, Private Firewall, No Virus Thanks ERP, Malwarebytes Anti Exploit.

    My questions are:

    1) Is using Private Firewall and No Virus Thanks together seen as overkill or complementary? I am not one who goes to the darkest edges of the internet.

    2) If using the two together is seen as overkill, which should go: either PF (and revert back to Windows Firewall) or No Virus Thanks?

    Thanks for your help

    Terry
     
  2. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    I see no reason for Private Firewall. Contrary to what some may want you to believe, Windows Firewall is a very capable and easy to use firewall (especially in W10).

    NoVirusThanks is a company, not a program. They make many products, none of which are named "NoVirusThanks". So exactly which NoVirusThanks product are you using?

    Frankly, since you said you don't venture out to the darkside, Windows Defender and Windows Firewall, along with Malwarebytes just for double-checking (needed regardless of primary scanner of choice) is all you need AS LONG AS you keep Windows updated and you are not "click-happy" on every unsolicited download, link, attachment and popup you see. That combination is what I use on all my systems with never a problem.
     
  3. guest

    guest Guest

    "No Virus Thanks ERP"
    = this product (Anti Executable): NoVirusThanks EXE Radar Pro (ERP)
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My bolding. That is true for everything except outbound. Most would say you don't really need that as if an untrusted program can't call home. The need for that was born out of the CCleaner fiasco. It was a trusted program. I went back and tested in my VM. And when the malware triggered, it called home, and Private Firewall caught it. It was all that caught it.
    Now in all fairness, at the time I might not have paid attention. I do now.
     
  5. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    @Bill_Bright

    In my post I wrote this: "No Virus Thanks ERP". I believe this shows which product I am referring to.

    Thank you

    @ Peter2150

    Thanks for the info, very useful, but it does not answer the questions I posed, i.e. do you use both together, and if not, which one?

    Thanks

    Terry
     
  6. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    Thanks for the ERP explanation.

    Not sure one exception (and an odd one at that) defines the rule. That "fiasco" caught just about every expert AND alternative security solution off-guard. And it should be noted that version of CCleaner was compromised during the development process in Piriform/Avast facilities, not after it was installed on users' computers.

    Now if CCleaner was already a known, installed and authorized program to Private Firewall and it caught the compromised version, then that is great. But the fact virtually every other security app in the world didn't, including those used by the high-tech companies that malware targeted, suggests Private Firewall simply had a lucky catch and not that the rest of the world is incompetent.
     
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Hi Terry Wood...
    ad 1) PFW and ERP are complementary - ERP is an anti-exe, so in general it blocks processes that don't have permission to work in the system. It means:
    - unknown apps are blocked in "lock-down mode" or alerted in "alert mode"
    - the rest, i.e. allowed apps/processes and their actions, can be detected by the HIPS/BB module of PFW, and this way we can make specific/needed rules (also for in/out connections).
    No conflicts or issues on my systems where PFW and ERP... or SS (Premium and FW) and ERP... were working in the not-so-distant past. In my opinion they are a light and efficient non-signature combo.

    This statement is close to being a curiosity... for those "high-tech companies" Piriform was a trusted producer, so in general they didn't control CCleaner's actions even if they were not obvious and normal. PFW... and perhaps every old-school HIPS/BB/monitor... could detect the unwanted action, and probably not by accident.
     
    Last edited: Dec 13, 2017
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Nope, not a lucky catch. Simply because CCleaner never made any other outbound connections, it was a new connection and it alerted on it.
     
  9. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    The Private Firewall that was discontinued four years ago?
    I'm not saying it's bad, but it may not be quite up-to-date, yes?
     
  10. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    Okay. That makes perfect sense. But that also is counter to your claim above where you noted using bold emphasis that Windows Defender was not a capable firewall for "outbound" requests. Sorry, Peter, but that was a misleading comment. Had Personal Firewall seen a CCleaner outbound request before, it is very likely it would have let it through too.
    Not curious at all. If you check out this PCWorld report on the CCleaner hack and scroll 1/2 way down you can see it targeted Intel, Samsung, HTC, VMWare, Cisco, and others.

    The fact CCleaner is a trusted producer is immaterial. History shows us over and over again even so-called trusted producers get hacked - either through incompetence or just really smart bad guys or both. Worse is the so-called trusted companies who then try to hide or cover up the hack (Equifax).

    Just because a program (or site) comes from a trusted company, that in no way means it should automatically and completely be trusted.

    That suggests there would be widespread detection by such products. That did not happen! It was detected by two, just two researchers. Not by programs you mentioned.

    CCleaner was a very unique case and should not be used as any sort of typical example one way or another. But it certainly should be used to learn a lesson.
     
    Last edited: Dec 13, 2017
  11. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,037
    @ichito
    Thank you for answering the questions posed.
    I appreciate your understanding.

    Terry
     
  12. guest

    guest Guest

    ERP + Binisoft WFC (or other similar GUI for Windows Firewall) is good enough.
     
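    The combination suggested above (an anti-executable plus a front-end over the built-in Windows Firewall) relies on Windows Firewall being able to do the outbound part that Peter2150 credits Private Firewall with earlier in the thread. The script below is an added example, not from this thread, Binisoft or NoVirusThanks, showing the same default-deny outbound setup done directly with the built-in NetSecurity cmdlets on Windows 10 (elevated PowerShell). The program paths are placeholders; the firewall log field order comes from the `#Fields:` header that Windows writes into pfirewall.log.

```powershell
# Added example: default-deny outbound with the built-in Windows Firewall.
# Assumes Windows 10, an elevated session and the NetSecurity module (present since Windows 8).
#Requires -RunAsAdministrator

# 1. Log dropped packets so you can see what tried to "call home" after the switch.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True -LogFileName $LogPath -LogMaxSizeKilobytes 16384

# 2. Flip the default outbound action to Block: nothing leaves unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Explicit per-program allow rules. Paths are placeholders; replace with your own.
#    Allowing svchost.exe broadly is the usual price of keeping Windows Update working.
$AllowedPrograms = [ordered]@{
    'Allow browser outbound'          = 'C:\Program Files\ExampleBrowser\browser.exe'   # placeholder
    'Allow svchost outbound (updates)' = "$env:SystemRoot\System32\svchost.exe"
}
foreach ($Name in $AllowedPrograms.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound `
            -Program $AllowedPrograms[$Name] -Action Allow -Profile Any | Out-Null
    }
}

# 4. Summarise dropped *outbound* connections from the log, grouped by destination.
#    Field order from the log header: date time action protocol src-ip dst-ip src-port
#    dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-DroppedOutbound {
    param([string]$Path = $LogPath)
    Get-Content -Path $Path -ErrorAction Stop |
        Where-Object { $_ -notmatch '^#' -and $_ -match '\bDROP\b' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 17 -and $f[16] -eq 'SEND') {
                [pscustomobject]@{
                    Time  = "$($f[0]) $($f[1])"
                    Proto = $f[3]
                    Dest  = $f[5]
                    Port  = $f[7]
                }
            }
        } |
        Group-Object -Property Dest, Port |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

Get-DroppedOutbound | Format-Table -AutoSize
```

    Two things this shows that the thread only alludes to: the built-in firewall can enforce "only listed programs may connect out", but its log records destination and port, not the sending program, so the per-application prompt that posters credit Private Firewall (or a GUI such as WFC) with is exactly the piece the raw firewall does not give you. Revert the default outbound action to `Allow` if the allow list turns out to be incomplete.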
  13. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    OK... sorry I'm late, but I wanted to prepare my answer:
    - no, it is... a very common feature/option in many security apps is to trust "digitally signed/installed in Program Files/whitelisted" or something like that, and this is the default option that the "paranoid user" can disable
    Only by two?... and why?... maybe because they trust too much in their intelligent technology and not their eyes... analysis... common sense? I mentioned "old-school HIPS/BB/monitor" and then I decided to try how it looks in such apps. Below is some info about that:
    - I obtained the installer of CCleaner v5.33.6162, which is already detected as malware
    - every test was made on Vista 32-bit, and the detection tools used were Online Armor Free 3.5.032 (VII 2009), ThreatFire (III 2011) and the newest build of SpyShelter FW 10.9.6.
    According to this explanation
    https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-27#post-2708123
    the main goal was to catch the ping connection before normal/correct installation... so - voila!
    The oldest app - OA (version developed by Tall Emu, already abandoned and not connected to the OASIS server; decisions are based only on internal/local HIPS detection)
    [attachment: OA Panorama.jpg]

    ThreatFire (set on detection level 5, without connection to dev servers and without advanced settings enabled - based only on its own heuristics)... in this case we should allow such action to see the next step of installation/detection
    [attachment: TF 171218181913_3.jpg]

    SpyShelter FW - still in development but made as an "old-school-manner HIPS", set on "ask user" level
    [attachment: SS Panorama.jpg]

    So... it can mean that even abandoned apps could detect and block the suspicious action of the prepared CCleaner installer.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    If PF is not monitoring process execution, then why not combine it with EXE Radar? PF is meant to alert about app behavior and ERP's only job is to block processes that are not white-listed from running. So they complement each other.
     
  15. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Are you referring to Win 10 or 7 or both?
    The OS firewalls, from what I have read, are a little different? For example, is the Win 10 firewall better compared to 7's, or is that just hype?
     
    Last edited: Dec 18, 2017
  16. guest

    guest Guest

    Originally about Win10.
    The Windows Firewall in Win10 is just a "bit" better than in Win7 but nothing really outstanding. So my advice can be applied to both OSes.
    However the one in WinXP is bad.
     
  17. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    74
    @Bill_Bright It's way more nuanced than that, and simply installing all Windows Updates willingly is one way to ensure you're owned by MS, bloated by a ton of junk from MS, and get your system slowed down. No need for OT, though, so sorry for that. Just my 2 cents.

    Windows Firewall is indeed a very capable firewall, but it is no more than that, i.e. no more than a firewall. So the clear reason why PrivateFirewall is needed is for its HIPS module. Try as you might but you won't get WinFirewall to act as a HIPS. Just with a firewall and without HIPS you are way less protected ...
     
    Last edited: Dec 19, 2017
  18. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    74
    Completely agree. PFW clearly does that as I pointed out here https://www.wilderssecurity.com/threads/ccleaner-connects-despite-being-blocked-in-fw.397846/

    But PFW IS monitoring process execution ... and always has been. Just up to the user as to how he/she sets up and uses PFW ...
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    So it is possible to set up PFW to ask user for each process execution to be allowed or not? And to create a whitelist of what is allowed to run?
     
  20. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    74
    Yes, this is what I've been able to set up and use without problem.

    Enable process detection, set process monitor to high and be VERY careful what and how you respond to each and every on-screen prompt. Most importantly - NEVER (and I mean Never) hit the 'Apply to all alerts' checkbox on any of the prompts. If you do so, then if you allow one process related to an exe, this will also allow other (potentially unwanted) processes related to that exe to run. Don't know why PFW is set up this way, but this is what I've noticed. It is sufficient and enough to only hit the 'Remember this setting' checkbox but never the 'Apply to all alerts' one. It's a bit of a pain in the ... but it's worth it after you've gone through the trillions of prompts you'll get.

    From there on go to:

    1. Settings, detected applications and under the processes tab you'll see what's allowed and what's not. Possibly adjust further from here on.
    2. Main menu / Process monitor and see how each and every single app is set up. Allow what you know must be allowed but at best keep things to Filter. Go ahead and customize each and every app and its (21, as I remember) rules. Make sure you know what each of the 21 rules means before you tweak it.

    Do that and see if anything will act contrary to your will.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Thanks for the explanation. I made a quick test and it indeed has a special control of process creation. As you said, the only drawback is that it creates the rule on the parent's side of process creation. This complicates the creation of a whitelist. It would be much better if the child side was monitored and could be whitelisted.
     
  22. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    Owned by MS? Got your tinfoil hat on? It is arguably the best way to ensure you are secure, not "owned" by MS. If anyone owns you, it is your ISP and cell carrier. If you think Microsoft owns you, why are you using their products? Anyone who is just a little clever and willing to take the time to adjust to the learning curve can install Linux and do just about anything they can do on a Windows system.

    :argh: You complain about bloat by Microsoft in one sentence then in the very next sentence praise the bloat in PFW. The HIPS module in a firewall package is just bloat!!!! Firewalls don't need extra features.

    PrivateFirewall is NOT needed for its HIPS module because a separate HIPS feature is no longer needed - just like we (the vast majority of users) no longer need separate anti-spyware or anti-trojan software. It is just added bloat. Normal modern anti-malware programs (yes, including Windows Defender) already monitor "behavior" and changes to our systems and will stop malicious or suspect behavior before anything bad happens!

    If you don't connect through a NAT router, if you don't keep your OS updated, if you are click-happy on unsolicited links, downloads, attachments and popups, you might need a separate HIPS feature.

    See What on earth has happened to viable HIPS software availability. See my #7 and note @FleischmannTV 's excellent reply in #13 and how many, including many in this thread, totally agreed with him.
     
  23. soewhaty

    soewhaty Registered Member

    Joined:
    Feb 28, 2014
    Posts:
    74
    That's indeed an interesting and funny paragraph. FYI, my work machine is on Windows (due to company policy), my private machine is on Ubuntu. Thanks for clarifying for us who's clever and who's not :)

    You correctly indicate the isp and cell carrier owning you, but you fail to see the bigger picture of MS owning you? Deyum, brother ... :) Refer back to that learning curve of yours.

    That is certainly your own opinion, but it doesn't have to be shared by all. It certainly appears you got it all wrong about HIPS modules. Wish you for xmas to actually enlighten yourself to their value. Will be your best present :) Take one example - show me how, without a hips module, you'll prevent one app opening a url in your default browser with a command line? Best of luck there.

    First thing I disable after I used to install Windows was Defender. Blessed be your trust in it. Wish you best of luck with that otherwise lofty wish for Christmas, i.e. trusting your 'normal modern anti-malware programs (including Windows Defender)'.

    Certainly saw your post #7 but failed to see the value in it. The REAL answer is in post #3 in the same thread from Peter2150. I saw a lot more value in it. U should prolly see it too. Post #13 in that thread is indeed nailing the point but I fail to see how it relates to your post. Yes, many incl. me agree with that post and still see no connection to your posts in that or this thread.

    Best of luck installing every single MS update, trusting their Defender and so on. Try a HIPS like PFW for 1 day and see how much of the built-in, supposedly-offline MS stuff tries to connect to the internet FOR NO APPARENT REASON. :) That might re-write some of your definition as to being so click-happy to trust them :)
     
    Last edited: Dec 19, 2017
  24. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,040
    Location:
    Nebraska, USA
    Peter's answer is certainly valid but it fails to point out the obvious which you fail to see too.

    IF HIPS software was needed yet the mass public didn't use because it was too complicated (as Peter correctly points out), the mass public would now be infected. But surprise, surprise! They aren't. Where are the 100s of millions of infected users you suggest must be out there because they don't use HIPS?

    Does PFW work? Sure. But if you don't need it, that does not mean other products are incapable of protecting you.

    You don't need to drive an Abrams Tank to get from A to B safely. You just need a properly maintained and updated, recent model basic car, and most importantly, you must drive defensively.

    You can follow the link in my sig to see who the newbie is around here.

    Ah! Your true colors come out. You are just biased against Microsoft. This discussion has nothing to do with Windows Update and other features. Thanks for clarifying. Have a good day.
     
  25. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    @Bill_Bright...
    no offense... you are just lazy, being a fan of fully automated AV/IS, and you try to build in your statement a worthless theory around HIPS. Fortunately, this is only your private opinion, so do you mind if we stay with ours and just stop such discussion? :cool:
     