When will people realize the best (and FREE) personal firewall software is ZoneAlarm? I'm not affiliated with ZA in any way but I am a huge advocate of their product for home/small office use.
And not just because it is free either. It may be the better FREE one but still not be the best overall.
Is it really better than Norton Internet Security?
I found it not to be.
I use NIS and even Mr Gibson reports all ports tested to be in the "STEALTH" mode.
The following is a (very slightly OT) post which I copied from comp.security.firewalls which deals with Steve Gibson's assessment of ZAF/ZAP and BID. It's quite an interesting read:-
Quote:
There is a lot of misinformation about BlackICE, mostly caused by the
uninformed Steve Gibson.
1. BlackICE has a firewall - actually more true than Zone. What BlackICE is
not, is an application gate. BlackICE blocks traffic at the port/IP level
(or packet level). This is actually how most "true" firewalls work. An
Application Gate is a different kind of "firewall". It controls access to
the network interface based on which programs or programming interfaces
(called APIs) you have allowed to communicate with the network. Application
gates are generally something that can only be used on local machines,
although there are some network-based gates of this kind. But they work off
the different network protocols and not the actual application.
2. BlackICE does outbound blocking. The version that Mr. Gibson tested
(2.1) is rather old now. The current release (2.9 for Defender and 3.0 for
the corporate products) absolutely do outbound blocking.
3. BlackICE's core technology is an Intrusion Detection System (IDS). That
means BlackICE actually monitors the traffic entering and exiting your
computer for suspicious activity. It does not just block traffic en masse
like Zone and Tiny. BlackICE is more accurately described as a protocol
analyzer mated to a firewall with an analysis engine to detect suspect
traffic.
4. Traffic that poses no threat to the computer, like a simple outbound HTTP
request is not filtered because it does not threaten the computer. This is
why Gibson's Leaktest "cuts through" BlackICE. Only traffic that poses an
immediate threat to the computer (like transmission of outbound registry
information) is detected and stopped. You could say, BlackICE does not get
in the way of normal traffic, it only cares about the dangerous stuff.
5. ZoneAlarm and other "Application Gates" have one fatal flaw to them: they
do not actually monitor traffic. What that means is if a spyware application
proxies its outbound traffic through an "accepted" application such as
Internet Explorer or Netscape, Zone will not stop the traffic. In other
words, the spyware "piggybacks" its traffic on accepted applications which
Zone does not stop. Most advanced spyware now works in this manner. Don't
believe me, see http://archives.neohapsis.com/archiv...rent/0056.html
6. Both Zone and BlackICE have weaknesses. It just depends on your comfort
level. Zone provides "blunt level" blocking. That is, it will block things
en masse. This will stop most inexperienced hackers and poorly designed
spyware. BlackICE is a more sophisticated engine that can identify a lot of
what are called "Zero Day" exploits. That is hacks that have not been
discovered yet. BlackICE was actually one of the only Intrusion Detection
Systems able to detect the CodeRed worm, before people even knew what it was
called. BlackICE is actually more susceptible to simplistic spyware, but it
is very good against higher-end hacks and spyware. BlackICE will detect
outbound spyware traffic, even if it is encrypted or proxied.
Sygate, Tiny and all the others have their strengths and weaknesses as well.
What it all comes down to is what you want. I have used BlackICE for two
years. It has caught all sorts of things, including outbound spyware. I
have also used Zone. It was good but I found it more infuriating to use.
Mr. Gibson's opinions of BlackICE are very skewed. First off, there is ample
proof that Mr. Gibson did not install or use BlackICE properly. Secondly,
Mr. Gibson has a strong and rather suspicious relationship with ZoneLabs. He
is practically their Director of Sales. I am not saying Zone is a horrible
product, but realize that Mr. Gibson has a bias. Lastly, Mr. Gibson's
refusal to retest BlackICE and his pathetic Leaktest demonstrate that he
doesn't want to really analyze software based on how hackers might use it.
He wants to analyze software based on how ZoneAlarm works. In a sense,
Gibson sees Zone as "the perfect tool" and therefore evaluates all other
software based on how Zone works. That is like comparing the value of every car
to a Chevy Impala. Since a BMW 540i does not have a pushrod V6, it is
therefore not a good car, because the Chevy Impala does.
One of the things BlackICE does extremely well is intrusion detection.
BlackICE's corporate products are outstanding for this very reason. Their
distributed host-based IDS is one of the best next to Snort and RealSecure
(another ISS product).
The point is, no security solution is 100% effective. As a security
engineer, we use a layered approach to security. We have hardware-based
firewalls doing mass blocking of ports, probes, etc. Then we have intrusion
detection systems monitoring our network. We use both BlackICE and Snort
(an excellent combination I might add). Lastly, we perform regular
vulnerability analysis of our network using a combination of security tools
such as nmap, Nessus, and this great tool called STAT from Harris
Corporation. All our corporate workstations are running centrally managed
versions of BlackICE.
We had a few knuckleheads download some MP3s that had SubSeven on them. Our
BlackICE's lit up like Christmas trees when those SubSevens tried to
communicate with the outside world. It temporarily shut them down until we
went out and A) scolded the users B) cleaned their machines.
Now, this is probably a little too much for a home user. But the point of
all this is: don't think you're 100% safe just because you plunk down $40
for Zone, BlackICE, Sygate, Tiny or any firewall. Good security starts with
paying attention to details and being careful. You are just as hackable
using Zone as using Sygate.
Personally, this is why I like BlackICE. Its IDS engine tells me a lot more
information about network activity, it also arms me with trace files that
can be used as evidence for police. We have already helped the feds spot one
hacker, thanks to the trace files we got off our BlackICE systems.
Last edited by brett; 14th February 2002 at 01:32.
don't think you're 100% safe just because you plunk down $40 for Zone, BlackICE, Sygate, Tiny or any firewall.
Thank you Brett.
Like the SubSeven Brett mentioned, this **** will ride in on what is supposed to be clean software. ESPECIALLY DOWNLOADED stuff.
It is not blocked by the Firewall because it is not a direct attack.
The lines below also come from grc.com after testing my Shields:
Before You Break Out the Champagne...
***********
What I could NOT do today, I MIGHT be able to do tomorrow.
************
A FALSE sense of security is worse than being unsure.
------------------------------------------------------
It is of my own opinion that to keep our machines as clean as possible it takes:
Something such as Ad-Aware to clean out the SpyWare that may get in from the Net and STORE BOUGHT software.
An Anti-Virus program running constantly and one that can be set to check e-mail BEFORE it gets to the inbox. ( after may be too late ) A couple of days ago 3 out of 6 of my e-mails had a virus in them. Thank you NAV for catching them.
Some of the newer AV programs have the capability of checking e-mail before it goes out. ( great addition ) I know NAV 2002 does.
A firewall running at all times to close as many ports as possible ( hopefully all ) and block attacks.
Something such as Cleaner3 to find and clean up any Trojan that might sneak through on Store Bought or downloaded software.
If we are on a DSL or Cable Modem the above become more important.
And most important of all, the above MUST BE KEPT UP TO DATE.
I know that running AV & a Firewall does use up a few resources. ( 8 on this machine ) But the protection they provided is well worth it.
AV & Firewall software may cost ( if purchased ) $70. But if they block just one Virus or Trojan it can save 100s of $$$$$$ in lost time and/or data and aggravation in cleaning up the machine.
An Anti-Virus program running constantly and one that can be set to check e-mail BEFORE it gets to the inbox.
I simply scan on-demand using (the free) F-Prot for DOS which actually has a better detection rate than many "pay-for" products. I'm quite careful anyway about what I let onto my machine and for e-mail use The Bat! as it is somewhat more secure than the standard MS client.
I haven't had a mishap yet!
*fingers crossed*
Last edited by brett; 14th February 2002 at 14:58.
Awesome post, brett! I stand corrected on Steve Gibson's assessment. I think he has some valid points but I agree with the statement,
Quote:
Mr. Gibson has a strong and rather suspicious relationship with ZoneLabs. He
is practically their Director of Sales.
I think the real key to the best virus/firewall protection is how savvy the user is. No software can ever guarantee that your computer will never be infected or hacked because all it takes is someone not paying close enough attention to an alert or an attachment. I keep my software up to date but I'm also aware of everything coming and going from my PC.
I myself use Eudora which also seems to be somewhat more secure than Outlook Express or Outlook ( neither of which are even on any of my machines )
I simply scan on-demand using (the free) F-Prot for DOS
Would the version of Windows being used have any effect on whether you could run that or not?
I ask because Win95 through 98SE have good DOS capabilities. But I find that ME was not as good for running DOS.
I had ME for a while but went back to the original 98 because it seems to handle DOS software better.
Plus I was referring more to the average everyday user that just starts up the machine and goes.
I was in a Computer ( well known chain ) store a while back and overheard a customer mention DOS. The reply from the Salesperson was, DOS! What is that?
And I have stayed with 98 for the same reason. Not the actual software but for the DOS capabilities.
Hulka
I will 2nd, 3rd and 4th your paragraph regarding a great deal of the success ( or failure ) of AV/Firewall resting right at the tips of the fingers that operate the keyboard.
BillyBob
Last edited by BillyBob; 14th February 2002 at 17:30.
I think the real key to the best virus/firewall protection is how savvy the user is.
I'll "fifth"(?) BillyBob's comments in relation to the above!
My intention in posting that usenet article was not to knock Steve Gibson, but rather to highlight the fact that SG is simply an individual and his opinions as to how good a piece of software may (or may not) be are invariably going to be contradicted by others. I am satisfied that SG is one of the "good guys" and, if nothing else, has raised awareness as to security related matters. His advice is pretty solid and by following his suggestions a person will only enhance their security (that is not to say that his suggestions are always the best suggestions!). SG does, however, to my mind at least, tend to promote ZAF/ZAP rather more vigorously than is appropriate for a supposedly independent person and as he has a fairly high profile his views do tend to be noted and followed.
ZAF and ZAP are not bad products; neither are they necessarily "the best". What is "the best" will, as has already been pointed out above, depend on the user's needs, level of knowledge and what sits comfortably on his or her system.
In my opinion, both TPF and Outpost (linked to above) are better options for the average user than either ZAF or ZAP. I would explain the reasons for my making this assertion, but time presses!
Last edited by brett; 14th February 2002 at 23:17.