
stupid adware is doing crap to my comp !!!

Page 2

mechBgon
Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: ForumMaster
Originally posted by: spikespiegal
For the nth frikken time, Firewalls won't stop Spyware and Malware from infecting your machine. God people, get a damn clue.
Incorrect. Get a clue yourself. ZoneAlarm blocks the initial install of most spyware. I have the security suite and consequently I haven't had a single problem since I bought it.
If your ZoneAlarm firewall gets nuked by the malware, then it can still do what it wants to. It might also piggyback onto an OK'ed process to download what it wants to download. Also, remember that the ZoneAlarm suite isn't just a firewall, it includes antivirus software, so citing the results of that protection as an example of a firewall stopping spyware is not completely accurate.

Read a few hundred detailed malware descriptions and you'll see both tactics mentioned. Great reasons to use common sense and a Limited account as a couple of your layers of protection. If the malware is getting far enough that the firewall has to deal with it, that's just scary.

 

Markbnj
Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
Originally posted by: mechBgon
If the malware is getting far enough that the firewall has to deal with it, that's just scary.

Well it does, for millions of people every day. I don't get malware on my system because I don't browse the kinds of sites that host it, and I don't go looking for free screensavers and IM buddy icons, either. But millions of people do. There is a great article in Business Week about the operation of malware company Direct Revenue. No technical details, but the breadth of the effect they had is well-detailed.

All the tactics you guys mention are valid ones, but they don't constitute a reason not to use what protection is available.
 

Solema
Golden Member
Jul 30, 2002
Sadly, most of the problems can be solved by smart browsing. Don't go to sites that look bootleg, and don't click on the garbage in your email, and have a hardware firewall at the router.

Anything more and you're just protecting yourself from... yourself.

I work on my computer 10+ hours a day between my job and browsing/gaming, and all I have is Symantec Antivirus and a WRT54G firewall. I haven't had a single spyware instance in 3 years with my current XP installation.

Software firewalls that provide outbound blocking are nothing more than a pain in the ass, having to approve every single thing going out. Not to mention, most are too complex for the end-user.

When you have to approve three or more outbound communications for something like HP camera software updates or whatever, and the firewalls say something to the effect of "Outbound TCP port xxxx hpoevst.exe process ID 3387, Accept?", how the hell is the end-user supposed to know if he should allow it or not?
 

Lemon law
Lifer
Nov 6, 2005
To clear up any misconceptions about firewalls: they are a FIRST line of defense only. They prevent any Tom, Dick and Harry from just pinging any open port on your computer and having your computer swing its doors wide open to any garbage they want to dump into your PC. That is basically all a firewall does, and without one you will fall victim to the first port scan that comes along. Although I should point out that a good two-way firewall can also prevent any installed spyware from reporting information about your computer to outside sources.

But as others have pointed out, there are lots of other ways for malware to get in that a firewall won't protect you from. And once the malware gets in, it becomes the job of your other defenses to make the malware's lifespan on your computer nasty, brutish, and short. Process controls and active AV or anti-spyware programs can prevent it from even registering, sort of like an abortion: killed before even being born. And passive AV and anti-spyware apps can usually find the miscreant at first scan and also give it the old heave-ho.

Markbnj is correct on both points: use the protections available. And anyone who thinks that one single protection will do is fooling only themselves. But the greatest danger to your PC is the operator, who often downloads freebie software crammed chock full of malware.

Lots of people are writing malware for fun and profit. If you want to use the internet, you had better learn to steer clear of this stuff or you too will get infested. And if you are infested, learn how to get it removed. Only in rare cases are the infestations so bad that only a clean install will effect a cure.

Malware's greatest ally is ignorant people.
 

Markbnj
Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
Originally posted by: Solema
Software firewalls that provide outbound blocking are nothing more than a pain in the ass, having to approve every single thing going out. Not to mention, most are too complex for the end-user.

I run Windows Firewall on my system, and on my kids' systems. Its overhead is minimal, its configuration was simple enough for the braindead, and it only pops a dialog on the first installation of software that it doesn't recognize. The dialog pops, you click "unblock" if you recognize the app, and that's it.

Now I admit that even knowing whether to click "unblock" might be too much for many users, but what is the alternative? Turn it off? If you have any understanding of how malware works you would agree that is not a good alternative on general-purpose systems whose users are average, mostly computer-illiterate consumers.

Originally posted by: Lemon law
To clear up any misconceptions about firewalls: they are a FIRST line of defense only. They prevent any Tom, Dick and Harry from just pinging any open port on your computer and having your computer swing its doors wide open to any garbage they want to dump into your PC. That is basically all a firewall does.

Part of the problem is the terminology in use here. We're using "firewall" to refer to both perimeter devices that block inbound connection attempts, and software that runs on the systems within the perimeter and blocks outbound connection attempts. You are referring to the operation of a perimeter device, and to the operation of a local firewall when no perimeter device is present. Most home networks should have both types of devices. It's a common error to think that a perimeter device protects against malware, because it blocks incoming connections. Those home devices are all configured to allow unlimited outbound connections out of the box. So you get a chunk of malware on your system and it connects outbound to download its package, and nothing stops it. That's what local firewall software such as Windows firewall will do, and it will prevent most of the worst kind of malware from downloading its payload, despite the caveats from others on this thread.
 

RebateMonger
Elite Member
Dec 24, 2005
Originally posted by: Markbnj
Software firewalls that provide outbound blocking are nothing more than a pain in the ass, having to approve every single thing going out. Not to mention, most are too complex for the end-user.
.......Those home devices are all configured to allow unlimited outbound connections out of the box. So you get a chunk of malware on your system and it connects outbound to download its package, and nothing stops it. That's what local firewall software such as Windows firewall will do, and it will prevent most of the worst kind of malware from downloading its payload, despite the caveats from others on this thread.
Uh, Windows Firewall in XP SP2 is inbound-only. It doesn't watch outbound traffic at all.

Personally, I agree that an inbound-only firewall is probably best for most users. It helps keep them from getting contaminated if another PC in the office or house gets infected. And, as noted, outbound-monitoring firewalls like ZoneAlarm are, in my opinion, a bit complex for most users.
 

Lemon law
Lifer
Nov 6, 2005
Being somewhat complex is a sin? And sorry, I think the one-way SP2 firewall is another case of Microsoft sending a boy to do a man's job, as if somehow the golden M emblazoned across the Microsoft superhero pajamas makes the SP2 firewall anything but better than nothing. Sorry, a decent two-way firewall is better, every time. Nor are they always annoying once they learn what outbound software you trust. It's the stuff you don't know about that should worry you.

But either the user spends some time in self-education, or they can repent at leisure when something really bites them. The internet is getting to be a dangerous place. You either have to invest some personal time learning how to protect yourself (try Spyware Warrior or CastleCops, to mention but two), or it's almost certain that user ignorance will be no protection.

But why is this thread wasting so much time debating firewalls? They stand between you and the internet, but are just one of the four layers of protection you should have.
 

Markbnj
Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
Originally posted by: RebateMonger
Uh, Windows Firewall in XP SP2 is inbound-only. It doesn't watch outbound traffic at all.

That's true. When I thought it was blocking outbound connections it was blocking inbound attempts to connect to an application that was listening, i.e. Call of Duty 2. So I guess if you want to block outbound you need some third party tool like Norton worm protection. In any event, I still think having something that blocks outbound connection attempts is worthwhile.
 

John
Moderator Emeritus, Elite Member
Oct 9, 1999
Originally posted by: Markbnj
Uh, Windows Firewall in XP SP2 is inbound-only. It doesn't watch outbound traffic at all.

That's true. When I thought it was blocking outbound connections it was blocking inbound attempts to connect to an application that was listening, i.e. Call of Duty 2. So I guess if you want to block outbound you need some third party tool like Norton worm protection. In any event, I still think having something that blocks outbound connection attempts is worthwhile.

Norton = crap

To block outbound traffic you can use a 3rd party firewall like Comodo, Kerio, Zone Alarm, etc.
 

mechBgon
Super Moderator, Elite Member
Oct 31, 1999
Here's an example of some malware that piggybacks itself onto applications that are probably allowed through the firewall:

http://www.symantec.com/avcenter/venc/data/downloader.sumina.html

Injects itself into the following processes:
  • iexplore.exe
  • mozilla.exe
  • msn.exe
  • myie.exe
  • opera.exe
  • outlook.exe
  • reget.exe
  • thebat.exe
so that the Trojan constantly attempts to download other files.
Fun. An ounce of prevention is... yeah. ;)
 

John
Moderator Emeritus, Elite Member
Oct 9, 1999
Mech, the nice thing is that supposedly Comodo personal firewall (and others) is supposed to prevent that from happening.

The trouble starts when malicious applications deliberately circumvent normal program control by masquerading as authorized programs. Comodo's Application Monitor watches for this sort of trickery, aided by its Application Behavior Monitor and Component Monitor. Like the Component Control feature in ZoneAlarm Pro, Component Monitor starts off in learning mode. That means when you authorize a program for Internet access, you're also authorizing all its components. After a while, you switch Component Control all the way on. After that, any application component accessing the Internet for the first time generates its own confirmation pop-up.

I turned Component Control on and tested the firewall with a dozen leak tests, programs that exercise specific malware-inspired techniques. Comodo blocked every single one, an impressive performance. The ZoneAlarm free firewall doesn't provide this level of protection (though the Pro version does a fantastic job), nor does Agnitum's Outpost Firewall. Kerio did better in testing, but it still missed a third of the test programs and blocked other legitimate events. In most cases, Comodo provided a very clear message about the problem, for example: "copycat.exe has modified iexplore.exe in memory. This is typical of Virus, Trojan, and Spyware behavior" or "iexplore.exe is a safe application. Wallbreaker.exe may be using iexplore.exe to connect to the Internet." I noticed in the detailed activity log that most leak-test protection was credited to the Application Monitor, with a few trapped by the Application Behavior Monitor.
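As an added example (not from the thread, the review quoted above, or any of the products named), here is a small Python model of the difference between a per-application rule keyed on the process name alone, which the process-injection behaviour mechBgon quoted defeats, and the component-learning control the review describes; the process names, module hashes and connection events are constructed.

```python
"""Toy model of per-application outbound control on a host firewall (added example).
A rule keyed on the process name alone is defeated once malware injects itself into an
already-authorised process. The component-aware control described in the review learns
every module loaded by an authorised process; a connection made while an unknown module,
or one whose hash changed, is present is held for confirmation instead of inheriting the
parent's permission. All names, hashes and events below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

Component = Tuple[str, str]  # (module file name, hash of the module as loaded)
Baseline = Dict[str, FrozenSet[Component]]


@dataclass(frozen=True)
class OutboundEvent:
    process: str                      # image name of the process opening the socket
    components: FrozenSet[Component]  # modules mapped into that process at the time
    dest: str                         # destination host:port


def name_only_decision(ev: OutboundEvent, trusted: FrozenSet[str]) -> str:
    """Classic per-application rule: the image name alone decides."""
    return "allow" if ev.process in trusted else "prompt"


def learn_baseline(events: Iterable[OutboundEvent]) -> Baseline:
    """Learning mode: authorising a process also authorises every component seen in it."""
    seen: Dict[str, set] = {}
    for ev in events:
        seen.setdefault(ev.process, set()).update(ev.components)
    return {proc: frozenset(mods) for proc, mods in seen.items()}


def component_aware_decision(ev: OutboundEvent, baseline: Baseline) -> Tuple[str, FrozenSet[Component]]:
    """Enforcing mode: a known process carrying only known components is allowed; anything
    else is held, and the offending components are returned so the prompt can name them."""
    known = baseline.get(ev.process)
    if known is None:
        return "prompt", ev.components  # process never authorised at all
    unknown = ev.components - known     # new module, or a known name with a new hash
    return ("prompt", unknown) if unknown else ("allow", frozenset())


# Constructed sample data: a clean browser, recorded while in learning mode.
BROWSER_OK: FrozenSet[Component] = frozenset(
    {("iexplore.exe", "a1a1"), ("wininet.dll", "b2b2"), ("urlmon.dll", "c3c3")})
TRUSTED = frozenset({"iexplore.exe"})
BASELINE = learn_baseline([OutboundEvent("iexplore.exe", BROWSER_OK, "update.example:443")])

NORMAL = OutboundEvent("iexplore.exe", BROWSER_OK, "news.example:443")
# Constructed: a foreign module injected into the trusted browser phones home through it.
INJECTED = OutboundEvent("iexplore.exe", BROWSER_OK | {("injected_stub.dll", "ff99")}, "c2.example:80")
# Constructed: the browser image patched in memory, so its hash no longer matches the baseline.
PATCHED = OutboundEvent("iexplore.exe", frozenset(
    {("iexplore.exe", "dead"), ("wininet.dll", "b2b2"), ("urlmon.dll", "c3c3")}), "c2.example:80")

if __name__ == "__main__":
    for ev in (NORMAL, INJECTED, PATCHED):
        print(ev.dest, "name-only:", name_only_decision(ev, TRUSTED),
              "component-aware:", component_aware_decision(ev, BASELINE))
```

The name-only rule lets both the injected and the patched browser connect, while the component-aware check holds each and names the module that was new or altered.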
 

Lemon law
Lifer
Nov 6, 2005
Still looking for that perfect firewall myself. BTW, Comodo has gotten some impressive reviews, but won't work for me because it won't play nice with my two-computer network.

So I am still using Sygate 5.5, which stealths my ports just fine.

When push comes to shove, the hacker will go after someone with no protection rather than someone with decent protection. But there is no such thing as perfect safety on the internet.
 

brainwrinkle
Member
Jul 26, 2005
I've found safe mode to help the most in conjunction with antivirus and spyware scanners.

In other news, an ounce of prevention jumped to a record high today, settling at 3.5 pounds of cure.
 

mechBgon
Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: John
Mech, the nice thing is that supposedly Comodo personal firewall (and others) is supposed to prevent that from happening.

The trouble starts when malicious applications deliberately circumvent normal program control by masquerading as authorized programs. Comodo's Application Monitor watches for this sort of trickery, aided by its Application Behavior Monitor and Component Monitor. Like the Component Control feature in ZoneAlarm Pro, Component Monitor starts off in learning mode. That means when you authorize a program for Internet access, you're also authorizing all its components. After a while, you switch Component Control all the way on. After that, any application component accessing the Internet for the first time generates its own confirmation pop-up.

I turned Component Control on and tested the firewall with a dozen leak tests, programs that exercise specific malware-inspired techniques. Comodo blocked every single one, an impressive performance. The ZoneAlarm free firewall doesn't provide this level of protection (though the Pro version does a fantastic job), nor does Agnitum's Outpost Firewall. Kerio did better in testing, but it still missed a third of the test programs and blocked other legitimate events. In most cases, Comodo provided a very clear message about the problem, for example: "copycat.exe has modified iexplore.exe in memory. This is typical of Virus, Trojan, and Spyware behavior" or "iexplore.exe is a safe application. Wallbreaker.exe may be using iexplore.exe to connect to the Internet." I noticed in the detailed activity log that most leak-test protection was credited to the Application Monitor, with a few trapped by the Application Behavior Monitor.
I wonder if that works against what McAfee brackets as the LowZone attack... where the malware adds specific sites to the Trusted Sites zone and then sends a browser there, where it inhales a nice selection of malware.

On my home system, I just use the Windows Firewall plus a router. But that's in addition to a Limited account, a disallowed-by-default Software Restriction Policy, antivirus, patching, basic common sense, hardware DEP, and it's the only computer on the network too. So I hope not to need outbound monitoring on the basis of there being nothing malicious to monitor. If whatever-it-is can get past all those other countermeasures, I'm in big trouble :D
 

Markbnj
Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
www.markbetz.net
Originally posted by: brainwrinkle
I've found safe mode to help the most in conjunction with antivirus and spyware scanners.

Agreed, because you might be able to keep those processes from getting loaded and the files locked.

Comodo sounds cool. I will give that a try.
 

chango
Member
Jul 10, 2006
I always turn off System Restore and boot into safe mode when immunizing customers' computers.
 

RebateMonger
Elite Member
Dec 24, 2005
Originally posted by: Lemon law
Sorry, a decent two-way firewall is better, every time. Nor are they always annoying once they learn what outbound software you trust. It's the stuff you don't know about that should worry you.
The issue with two-way firewalls is that you are expecting the SAME person who installed "bad" software on his/her computer to now make a technical judgement about whether to allow outgoing traffic through the firewall. Why do you think the PC owner will make a better decision about firewall traffic than he/she made about installing Spyware in the first place?

I agree that a two-way firewall is desirable, but I haven't seen any that aren't a nuisance and beyond the technical capability of most home users, especially the users who are having problems with spyware already.
 

Lemon law
Lifer
Nov 6, 2005
To Rebate Monger,

So the solution is a firewall that does the user's thinking for them? Which the user will dump the first time their firewall won't let them do what they want.

The few, the dumb, and the brave without protection will soon have a system so infested with spyware that they will be shunted into the slow lane of the internet. I recall reading some stats lately that an unprotected Windows computer has an average lifespan of 15 minutes on the internet before it's compromised in some way. Some of those dummies will actually pay someone to clean the spyware off their computer; after being hit with those high service charges a few times they may finally be motivated to, gasp, actually learn about computer security.

But what disturbs me about this thread is the implication that a firewall is a magic bullet that will stop ALL malware dead, when the truth is that it only filters some of it away, and what then does get in must be stopped by other means.
 

RebateMonger
Elite Member
Dec 24, 2005
Supposedly Vista has a two-way firewall. I haven't installed Vista yet, so I can't comment about how good it is or how user-friendly it is. Hopefully it'll be usable by the average computer user. Supposedly, Microsoft was going to put a two-way firewall in XP SP2, but backed off after usability testing.

My experience is that firewalls don't help those who are determined to contaminate their own PC. They mostly protect you from others who are already contaminated.

As Lemon Law notes, the BEST protection is for users to spend some time reading about computer security, along with limiting user rights, and installing any REPUTABLE firewall, active anti-spyware, and antivirus software.