About to ditch Vista Windows Defender for a 3rd-party firewall. Suggestions?

Locut0s

Lifer
Nov 28, 2001
When I used XP I always ran the free version of Kerio's personal firewall. Great firewall! Since upgrading to Vista some months back I've only been relying on Vista's Windows Defender. I think it's time I ditched it for something better. Sunbelt has yet to release a version of "Kerio" Personal Firewall compatible with Vista, so I'll be going with something else. I'm thinking of installing Comodo Personal Firewall 3.x instead. Anyone with experience with it, good or bad, or other recommendations? I don't want Zone Alarm: a resource hog and not enough configurability.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Windows Defender isn't a firewall, it's primarily an antispyware program. So you can use Windows Defender and a firewall together if you want.
 

nsafreak

Diamond Member
Oct 16, 2001
Frankly I've never been a huge fan of software firewalls and I much prefer hardware level firewalls instead. Routers have pretty good firewalls built in nowadays or you can even flash the firmware with even better firewall setups.
 

Oakenfold

Diamond Member
Feb 8, 2001
Originally posted by: nsafreak
Frankly I've never been a huge fan of software firewalls and I much prefer hardware level firewalls instead. Routers have pretty good firewalls built in nowadays or you can even flash the firmware with even better firewall setups.

I agree with you that a router with a firewall is a minimum for being on the net but you are much more secure as a home user using a software firewall in addition to the router.

This is my logic, let me know if it is not correct. A user somehow manages to download a trojan, the trojan dials home, your firewall in your router is not going to block that outbound connection.

Now if you have a software firewall and it's configured correctly it should detect and stop the connection until you choose to allow or deny it.
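Added example (PowerShell, not code from the thread): Vista's built-in Windows Firewall already supports outbound rules; it simply defaults to allowing everything out. The behaviour described above, a router for inbound plus host-level control of what may leave, can therefore be had from the stock firewall by flipping the default outbound action to block and allow-listing programs. Run it from an elevated prompt. The program paths and the allow-list are assumptions for a stock Vista install; the numeric constants are those of the Windows Firewall with Advanced Security COM interfaces (INetFwPolicy2 / INetFwRule).

```powershell
# Added example (not code from the thread): make Vista's Windows Firewall default-deny for
# outbound traffic and allow only named programs/services, via the HNetCfg COM API.
# Run from an elevated PowerShell prompt. Paths and the allow-list are assumptions.

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# Constants from the INetFwPolicy2 / INetFwRule interfaces.
$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4
$NET_FW_PROFILE2_ALL     = 7    # bitmask of the three profiles above
$NET_FW_RULE_DIR_OUT     = 2
$NET_FW_ACTION_BLOCK     = 0
$NET_FW_ACTION_ALLOW     = 1
$NET_FW_IP_PROTOCOL_TCP  = 6
$NET_FW_IP_PROTOCOL_UDP  = 17

$profiles = @($NET_FW_PROFILE2_DOMAIN, $NET_FW_PROFILE2_PRIVATE, $NET_FW_PROFILE2_PUBLIC)

# 1. The weak default. Outbound is allowed unless some rule blocks it, so a router plus an
#    untouched Windows Firewall lets a trojan's "dial home" connection straight through.
foreach ($p in $profiles) {
    $state = if ($fw.DefaultOutboundAction($p) -eq $NET_FW_ACTION_BLOCK) { 'BLOCK' } else { 'ALLOW' }
    Write-Host ("Profile {0}: default outbound action is {1}" -f $p, $state)
}

# 2. The corrected setting: anything outbound that no rule allows is dropped.
foreach ($p in $profiles) {
    $fw.DefaultOutboundAction($p) = $NET_FW_ACTION_BLOCK
}

# 3. Allow rules. Scope each one to a program and, for svchost.exe, also to a service name:
#    every Windows service (DNS client, Windows Update, BITS, ...) runs inside svchost.exe,
#    so a program-only rule for it would allow all of them at once.
function Add-OutboundAllowRule {
    param(
        [string]$Name,
        [string]$Program,
        [string]$Service     = $null,
        [int]   $Protocol    = 6,       # TCP; pass 17 for UDP
        [string]$RemotePorts = $null    # e.g. '80,443'; omit for any port
    )
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = 'Outbound allow-list entry'
    $rule.ApplicationName = $Program
    if ($Service)     { $rule.ServiceName = $Service }
    $rule.Protocol        = $Protocol           # must be set before RemotePorts
    if ($RemotePorts) { $rule.RemotePorts = $RemotePorts }
    $rule.Direction       = $NET_FW_RULE_DIR_OUT
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.Profiles        = $NET_FW_PROFILE2_ALL
    $rule.Enabled         = $true
    $fw.Rules.Add($rule)
}

$svchost = "$env:SystemRoot\System32\svchost.exe"
Add-OutboundAllowRule -Name 'Allow IE (HTTP/HTTPS)' -Program "$env:ProgramFiles\Internet Explorer\iexplore.exe" -RemotePorts '80,443'
Add-OutboundAllowRule -Name 'Allow DNS client'      -Program $svchost -Service 'Dnscache' -Protocol $NET_FW_IP_PROTOCOL_UDP -RemotePorts '53'
Add-OutboundAllowRule -Name 'Allow Windows Update'  -Program $svchost -Service 'wuauserv' -RemotePorts '80,443'

# 4. Review what is now allowed out.
$fw.Rules |
    Where-Object { $_.Direction -eq $NET_FW_RULE_DIR_OUT -and $_.Enabled -and $_.Action -eq $NET_FW_ACTION_ALLOW } |
    Select-Object Name, ApplicationName, ServiceName, Protocol, RemotePorts |
    Format-Table -AutoSize
```

Three things to know before relying on this. The built-in firewall drops silently rather than prompting, so to see what is being blocked enable drop logging (`netsh advfirewall set allprofiles logging droppedconnections enable`) and read `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log`. A program-scoped rule trusts whatever runs under that path, so the browser rule is only as good as the browser's integrity. And Windows Update downloads through BITS, so an allow-list that leaves the BITS service out will stall updates; allowing `-Service 'BITS'` on 80/443 fixes that at the price of letting any queued BITS job out, including ones malware creates.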
 

Locut0s

Lifer
Nov 28, 2001
Originally posted by: Oakenfold
Originally posted by: nsafreak
Frankly I've never been a huge fan of software firewalls and I much prefer hardware level firewalls instead. Routers have pretty good firewalls built in nowadays or you can even flash the firmware with even better firewall setups.

I agree with you that a router with a firewall is a minimum for being on the net but you are much more secure as a home user using a software firewall in addition to the router.

This is my logic, let me know if it is not correct. A user somehow manages to download a trojan, the trojan dials home, your firewall in your router is not going to block that outbound connection.

Now if you have a software firewall and it's configured correctly it should detect and stop the connection until you choose to allow or deny it.

Your logic is correct. I do have a router with a good firewall already.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Now if you have a software firewall and it's configured correctly it should detect and stop the connection until you choose to allow or deny it.

That has its limitations. If malware gains a toehold and sends your web browser someplace, the software firewall's outbound filtering may not stop it, because after all, your Web browser is undoubtedly cleared to access the Internet. (example from today's crop at Symantec Threat Explorer)

When the Trojan is executed, it creates the following file in order to hide its presence on the computer:
%System%\drivers\uuid.sys (Hacktool.Rootkit)

Next, the Trojan checks the following registry subkey in order to determine the default browser:
HKEY_CLASSES_ROOT\htmlfile\shell\open\command

The Trojan then launches a hidden instance of the default browser to download a file from the following location:
[http://]ads.adslooks.info/ads/web[REMOVED]

The above file is downloaded to the following location:
%Temp%\update.exe (W32.Almanahe.B)

Once the above file has been downloaded and executed, the Trojan deletes itself by creating and running the following batch file:
%Temp%\UNIS.bat

Malware may also attempt to bypass, terminate, or subvert the firewall... for example, a rapidly-growing branch of the Zlob family uses the Windows BITS to fetch malware. For those reasons, I wouldn't bet the farm on a software firewall's outbound filtering, particularly if the user is operating as an Admin. An ounce of prevention... ;) yeah.
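Added example (PowerShell, not code from the thread or from the Symantec write-up): a quick triage script for the three evasion paths the post describes, a hijacked HTML handler, a browser instance with no window that the user did not start, and BITS used as the downloader. Everything it looks at is a heuristic that the kernel driver the write-up mentions could hide from, so a clean result means "nothing found", not "nothing there". It assumes PowerShell 2.0 (for `Get-BitsTransfer`) and an elevated prompt; the list of browser process names, the "Program Files" check and the Microsoft-host pattern are my assumptions for a stock install.

```powershell
# Added example (not code from the thread): triage for hijacked HTML handler, hidden browser
# instances and BITS jobs. Heuristics only; run elevated so -AllUsers and the file checks work.

# 1. The registry value the trojan reads to find a browser the firewall already trusts.
$cmdKey  = 'Registry::HKEY_CLASSES_ROOT\htmlfile\shell\open\command'
$handler = (Get-ItemProperty -Path $cmdKey).'(default)'
Write-Host "htmlfile open handler: $handler"
# Stock value is the browser under Program Files; anything under %Temp%, %AppData% or
# System32 means the handler itself has been replaced.
if ($handler -notmatch '^"?[A-Za-z]:\\Program Files') {
    Write-Warning "HTML handler does not point into Program Files: $handler"
}

# 2. Browser processes with no top-level window. The sample starts its download in a hidden
#    browser instance; a browser the user started has a window. IE's per-tab/low-integrity
#    processes on Vista also have none, so check the parent before drawing conclusions.
$browserNames = @('iexplore', 'firefox', 'opera')   # assumption: the browsers on this box
$hidden = Get-Process | Where-Object { ($browserNames -contains $_.ProcessName) -and ($_.MainWindowHandle -eq 0) }
foreach ($proc in $hidden) {
    $wmi    = Get-WmiObject Win32_Process -Filter "ProcessId=$($proc.Id)"
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($wmi.ParentProcessId)"
    Write-Warning ("Windowless {0} (PID {1}), parent {2} (PID {3}), command line: {4}" -f $proc.ProcessName, $proc.Id, $parent.Name, $wmi.ParentProcessId, $wmi.CommandLine)
}

# 3. BITS jobs. BITS runs inside svchost.exe, which a Windows Update allow rule already lets
#    out, so a queued job fetches a file without tripping a program-level firewall.
#    Get-BitsTransfer ships with PowerShell 2.0; on 1.0 use: bitsadmin /list /allusers /verbose
Import-Module BitsTransfer
foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        # Windows Update jobs are owned by SYSTEM and pull from Microsoft hosts; a job that
        # drops an executable from anywhere else deserves a look.
        $suspect = ($file.LocalName -match '\.(exe|dll|scr|bat)$') -and ($file.RemoteName -notmatch '\.(microsoft|windowsupdate)\.com/')
        $tag = if ($suspect) { 'SUSPECT' } else { 'info' }
        Write-Host ("[{0}] '{1}' owner={2} state={3}: {4} -> {5}" -f $tag, $job.DisplayName, $job.OwnerAccount, $job.JobState, $file.RemoteName, $file.LocalName)
    }
}

# 4. File artefacts from the quoted write-up (%System% is System32). Test-Path goes through
#    the same filesystem calls a rootkit driver hooks, so absence here proves nothing.
foreach ($path in @("$env:SystemRoot\System32\drivers\uuid.sys", "$env:TEMP\update.exe", "$env:TEMP\UNIS.bat")) {
    if (Test-Path -LiteralPath $path) { Write-Warning "Present: $path" }
}
```

The windowless-browser check is the one most worth keeping around: a browser started by `explorer.exe` with a window is normal, a browser started by something in `%Temp%` with no window and a URL on its command line is the pattern in the write-up, and the parent's name and PID are what you need to find the thing that spawned it.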
 

Oakenfold

Diamond Member
Feb 8, 2001
Originally posted by: Locut0s
Your logic is correct. I do have a router with a good firewall already.

We got a little OT, sorry about that. ;)
I wish I could offer some input on other firewalls, I've only used Zone Alarm for what seems like an eternity.


Originally posted by: mechBgon
Now if you have a software firewall and it's configured correctly it should detect and stop the connection until you choose to allow or deny it.

That has its limitations. If malware gains a toehold and sends your web browser someplace, the software firewall's outbound filtering may not stop it, because after all, your Web browser is undoubtedly cleared to access the Internet. (example from today's crop at Symantec Threat Explorer)

When the Trojan is executed, it creates the following file in order to hide its presence on the computer:
%System%\drivers\uuid.sys (Hacktool.Rootkit)

Next, the Trojan checks the following registry subkey in order to determine the default browser:
HKEY_CLASSES_ROOT\htmlfile\shell\open\command

The Trojan then launches a hidden instance of the default browser to download a file from the following location:
[http://]ads.adslooks.info/ads/web[REMOVED]

The above file is downloaded to the following location:
%Temp%\update.exe (W32.Almanahe.B)

Once the above file has been downloaded and executed, the Trojan deletes itself by creating and running the following batch file:
%Temp%\UNIS.bat

Malware may also attempt to bypass, terminate, or subvert the firewall... for example, a rapidly-growing branch of the Zlob family uses the Windows BITS to fetch malware. For those reasons, I wouldn't bet the farm on a software firewall's outbound filtering, particularly if the user is operating as an Admin. An ounce of prevention... ;) yeah.

As always, very nice example Mech. :thumbsup:

 

John

Moderator Emeritus, Elite Member
Oct 9, 1999
I'd recommend disabling Windows Defender by opening the program and looking under 'Options'. Afterwards you can disable the Windows Defender service (Windows key + R > services.msc). Now you can install SUPERAntiSpyware, which has virtually zero impact on system performance and arguably the best spyware/adware/trojan detection in the industry. If you want real-time protection, step up to the Pro version w/ lifetime updates for $19.95.
 

nsafreak

Diamond Member
Oct 16, 2001
Originally posted by: Oakenfold
Originally posted by: nsafreak
Frankly I've never been a huge fan of software firewalls and I much prefer hardware level firewalls instead. Routers have pretty good firewalls built in nowadays or you can even flash the firmware with even better firewall setups.

I agree with you that a router with a firewall is a minimum for being on the net but you are much more secure as a home user using a software firewall in addition to the router.

This is my logic, let me know if it is not correct. A user somehow manages to download a trojan, the trojan dials home, your firewall in your router is not going to block that outbound connection.

Now if you have a software firewall and it's configured correctly it should detect and stop the connection until you choose to allow or deny it.

The thing is, if a piece of malware/virus gets on your system, one of the first things it's likely going to try and do is disable the Windows firewall or get around it in some way. If you ask me, I would recommend watching your own behavior more than anything else. Don't log on as an administrator. Don't open attachments in emails. Don't visit sites you aren't sure are safe. Really just common-sense stuff.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Also, don't assume "safe" sites are really safe all the time, either.


All great reasons to avoid running a Web browser as an Admin, IMO.

Also be wary of malware which travels by infecting USB devices (HDDs, flash drives, cameras, iPod/MP3 players, digital picture frames, memory cards). Some of these have been found to be pre-infected at the factory :frown: Malware can also infect burned CDs and DVDs. For these categories of threats, consider disabling AutoPlay using Microsoft's TweakUI on WinXP/2000 systems and/or disabling AutoPlay in Group Policy Editor if your version of Windows has it (Start > Run > gpedit.msc > User Configuration > Administrative Templates > Windows Components > AutoPlay Policies). This comes at the cost of functionality, of course :eek:

Update: regarding the above paragraph, check THIS out:

Just today we received an email from someone who has witnessed and has evidence of an infection at a photo Kiosk at a retail store. His email had this to say:

"Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it. Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe. The exe would place itself in the recycler\recycler folder and the .inf would place itself on the root of the removable drive as a hidden file. At first I thought this virus came in on one of our employee's pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us. Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus."
--from SANS

Great. :roll:
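Added example (PowerShell, not code from the thread): first, the registry value that the Group Policy setting named above writes, for Vista editions that ship without gpedit.msc; second, a small autorun.inf parser run over a constructed sample shaped like the kiosk report and then over any removable or optical drive that is present. The sample file, the heuristics and the function names are mine, not from the SANS report. One caveat worth knowing on Vista as shipped: NoDriveTypeAutoRun stops the automatic launch, but Explorer still honours the `shell\<verb>\command` lines when you double-click or right-click the drive, which is why the scanner reports those verbs too and why the kiosk malware wired them.

```powershell
# Added example (not code from the thread): the registry value behind "Turn off AutoPlay",
# plus a scanner that reads autorun.inf from removable media and reports what it would launch.
# The autorun.inf sample below is constructed; it is not a real sample.

# --- Part 1: what "Turn off AutoPlay: All drives" writes ----------------------------------
# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is disabled; 0xFF is all of
# them. Under HKLM (elevated prompt) it applies to every user; the same value under
# HKCU:\...\Policies\Explorer applies to the current user only. Explorer rereads it at logon.
$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# --- Part 2: what would autorun.inf have run? ---------------------------------------------
function Get-AutorunTargets {
    # Returns the [autorun] directives that launch code: open=, shellexecute=, shell\<verb>\command=
    param([string]$Text)
    $hits = @()
    $section = ''
    foreach ($rawLine in ($Text -split "`r?`n")) {
        $line = $rawLine.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        if ($line -match '^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$') {
            $hits += New-Object PSObject -Property @{ Directive = $matches[1]; Target = $matches[2] }
        }
    }
    return $hits
}

function Get-TargetFile {
    # The executable part of a directive value: a quoted path, or else the first token.
    param([string]$Value)
    if ($Value -match '^"([^"]+)"') { return $matches[1] }
    return ($Value -split '\s+')[0]
}

# Constructed sample shaped like the kiosk report: a launcher under a RECYCLER folder wired
# to the AutoRun "open" line and to the Explorer double-click and "Explore" verbs.
$sampleInf = @'
[autorun]
open=recycler\recycler\autorun.exe
shell\open\command=recycler\recycler\autorun.exe
shell\explore\command=recycler\recycler\autorun.exe
icon=%SystemRoot%\system32\shell32.dll,7
'@
Write-Host 'Sample autorun.inf would launch:'
Get-AutorunTargets -Text $sampleInf | Format-Table Directive, Target -AutoSize

# Live scan of removable (DriveType 2) and optical (DriveType 5) drives.
foreach ($disk in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5') {
    $inf = Join-Path $disk.DeviceID 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $infText = Get-Content -LiteralPath $inf -Force | Out-String
    Write-Host "$inf is present (attributes: $((Get-Item -LiteralPath $inf -Force).Attributes))"
    foreach ($hit in Get-AutorunTargets -Text $infText) {
        $target  = Join-Path $disk.DeviceID (Get-TargetFile $hit.Target)
        $notes   = @()
        $suspect = $false
        if ($hit.Target -match 'recycler|\$recycle\.bin') { $notes += 'launcher kept in a recycle-bin folder'; $suspect = $true }
        if (Test-Path -LiteralPath $target) {
            $attrs = (Get-Item -LiteralPath $target -Force).Attributes
            if ($attrs -band [IO.FileAttributes]::Hidden) { $notes += 'target file is hidden'; $suspect = $true }
        } else {
            $notes += 'target not found on the drive'
        }
        $tag = if ($suspect) { 'SUSPECT' } else { 'info' }
        Write-Host ("  [{0}] {1} -> {2} {3}" -f $tag, $hit.Directive, $hit.Target, ($notes -join '; '))
    }
}
```

The scanner deliberately reads hidden files (`-Force`) and checks the hidden attribute on the launch target, because both the .inf and the executable in the kiosk report were hidden; a plain `dir` would not have shown either. Run it against a stick before the first double-click, not after.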
 

Entropism

Senior member
Sep 2, 2002
I'm using Comodo on Vista x64, nice program, can be a BIT flakey at times, but overall works well.
 

Entropism

Senior member
Sep 2, 2002
Comodo is pretty damn good for me on Vista x64, but it can be a bit noisy at times. Your best bet is to make ABSOLUTELY certain your PC is clean (reformat, whatever) and then run Defense+ in clean PC mode, and the firewall in Train with safe mode. The clean PC mode basically trusts whatever you had originally installed on your computer, and distrusts anything new you put on it until you tell it to be trusted. Installs take a few clicks, but otherwise it's quite smooth and quiet.
 

spikespiegal

Golden Member
Oct 10, 2005
If malware gains a toehold and sends your web browser someplace, the software firewall's outbound filtering may not stop it, because after all, your Web browser is undoubtedly cleared to access the Internet.

Which is why you shouldn't surf with admin rights. However, reading this forum and others convinces me that getting maximum frame rates in video games is of far more importance than understanding the security differences between Windows 98 and XP.
 

blackangst1

Lifer
Feb 23, 2005
Originally posted by: mechBgon
Also, don't assume "safe" sites are really safe all the time, either.


All great reasons to avoid running a Web browser as an Admin, IMO.

Also be wary of malware which travels by infecting USB devices (HDDs, flash drives, cameras, iPod/MP3 players, digital picture frames, memory cards). Some of these have been found to be pre-infected at the factory :frown: Malware can also infect burned CDs and DVDs. For these categories of threats, consider disabling AutoPlay using Microsoft's TweakUI on WinXP/2000 systems and/or disabling AutoPlay in Group Policy Editor if your version of Windows has it (Start > Run > gpedit.msc > User Configuration > Administrative Templates > Windows Components > AutoPlay Policies). This comes at the cost of functionality, of course :eek:

Update: regarding the above paragraph, check THIS out:

Just today we received an email from someone who has witnessed and has evidence of an infection at a photo Kiosk at a retail store. His email had this to say:

"Recently I found a virus on it called Troj_Agent.SAO, which is what Trend Micro named it. Anytime you plug a removable device into it, it would create two files Autorun.inf and autorun.exe. The exe would place itself in the recycler\recycler folder and the .inf would place itself on the root of the removable drive as a hidden file. At first I thought this virus came in on one of our employee's pen drive but after further investigation I discovered that the files that the virus uses were created on the kiosk the day it was shipped out to us. Also our vendor is using this kiosk in some of their stores at the moment and there have been reports that the kiosks have given their customers a virus."
--from SANS

Great. :roll:

UAC FTW :)