N
notachance
With Vista and Defender, and a good antiVirus (Avast), do I need
another layer of complexity and protection?
another layer of complexity and protection?
G
Guest
-- Windows Defender tells you not to have more than one Firewall running at
the same time, for example, so if you fall for the hype, you must disable
Windows Defender, which came free with Vista, and use another product that
someone will tell you is the "best". If you have a good free anti-virus (such
as the highly-praised Avast, which you have) and MS own Windows Defender
you're protected.
Read "Security Center" help in Control Panel to answer your concerns.
Wayne
the same time, for example, so if you fall for the hype, you must disable
Windows Defender, which came free with Vista, and use another product that
someone will tell you is the "best". If you have a good free anti-virus (such
as the highly-praised Avast, which you have) and MS own Windows Defender
you're protected.
Read "Security Center" help in Control Panel to answer your concerns.
Wayne
G
Guest
Further to what I said is the "rule of thumb" that you only have one of any
protection running at one time. This is specially true of antivirus programs.
I use only Avast and Windows Defender, and cancelled my Internet Provider's
free
protection, because it comes free with Vista, and it would have lessened my
protection. One of each is the rule, and more is not better.
Go into Control Panel> Security Center, Windows Firewall, Windows Defender,
and all will be explained. Make sure everything is on, and set to your
liking. Wayne
protection running at one time. This is specially true of antivirus programs.
I use only Avast and Windows Defender, and cancelled my Internet Provider's
free
protection, because it comes free with Vista, and it would have lessened my
protection. One of each is the rule, and more is not better.
Go into Control Panel> Security Center, Windows Firewall, Windows Defender,
and all will be explained. Make sure everything is on, and set to your
liking. Wayne
M
Mike Hall - MVP
Wayne
You do NOT have to disable Windows Defender in order to use a firewall.. WD
is an anti-spyware utility, not a firewall..
--
Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/
You do NOT have to disable Windows Defender in order to use a firewall.. WD
is an anti-spyware utility, not a firewall..
Wayne L. said:
--
Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/
M
Mike Hall - MVP
Run the Windows Firewall alongside them.. people will tell you that a 3rd
party firewall is the best solution, but the problem with those is that they
ask the users questions regarding allowing access for which the users do not
have an educated answer.. so, do you want ICQ to act as a server (you have
five seconds to respond or quit the program)? What are the implications?
Most do not know, so they answer YES.. now ICQ will let anything through,
and the firewall has been told it is ok to do that.. OOPS..
In actual fact, ICQ is useless if not allowed to act as a server, but other
programs that ask for access may not be so forgiving, especially when the
reference is to some obscure internal executable..
--
Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/
party firewall is the best solution, but the problem with those is that they
ask the users questions regarding allowing access for which the users do not
have an educated answer.. so, do you want ICQ to act as a server (you have
five seconds to respond or quit the program)? What are the implications?
Most do not know, so they answer YES.. now ICQ will let anything through,
and the firewall has been told it is ok to do that.. OOPS..
In actual fact, ICQ is useless if not allowed to act as a server, but other
programs that ask for access may not be so forgiving, especially when the
reference is to some obscure internal executable..
notachance said:
--
Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/
J
Jon
Mike Hall - MVP said:
If that's an attempt to justify the inexcusable lack of prompts in the
outbound Vista firewall, then it doesn't wash.
Most people are computer savvy enough to realize that when dkfljdf.exe is
trying to connect to collectcreditcardinfo.com then something aint quite
right. The prompts act an invaluable warning sign.
I suspect the real reason for the lack of outbound prompts is that MS don't
want the average user being made aware of every outbound connection that
their own operating system is making.
M
Mr. Arnold
Jon said:
The average joe blow computer user is not savvy enough to know this. And
there are too many questions asked by such solutions that the user becomes
oblivious to them, much like I would suspect is happening with UAC. It's to
the point with these type of solutions for most users, solutions that ask
too many questions, that they basically start blowing them off.
A FW's main job is to stop unsolicted inbound traffic and to protect
services like HTTP, SMTP, POP etc and etc. Its job is not to be asking the
user to be making decisions as to what they should and what they should not
allow to access the Internet with something like Application Control in
personal FW(s).
Personal FW's are not FW(s) and are only machine level packet filters with a
bunch of snake oil in them trying to protect one from his or her self that
it cannot do.
M
Mr. Arnold
notachance said:
No you don't need another level of complexity. You should be enabling the
Vista FW/personal packet filter. There is another element on the O/S that I
like to use to supplement the Vista FW, when the machine has a direction
connection with the modem and is a direct connection to the Internet.
It's called IPsec, which can be used to stop inbound or outbound traffic by
port, protocol, IP or subnet. I use IPsec to stop outbound traffic behind
the Vista FW if I ever need to stop outbound. I never had a need to stop
outbound traffic using XP's FW and IPsec as well, when I was using XP.
http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
I implemented the AnalogX IPsec polices and made my adjustments to the
policies as to what I was letting through and what I was not letting through
for services like HTTP, POP3, SMTP. On the client side I let the traffic
through for those services needed. On the server side of the polices,
traffic is not let through for the services, because I have no need for
those services to be active.
http://www.analogx.com/CONTENTS/articles/ipsec.htm
I have never had to use this part of IPsec, but it's there.
http://support.microsoft.com/kb/813878
M
Mike Hall - MVP
In no way does it justify lack of prompts by a Windows firewall.. people
griping about an MS monopoly is what causes the lack of prompts by a Windows
firewall..
And you are wrong about most being computer savvy.. if only I had a cent for
everytime a user said to me "but I have a firewall".. the majority ask how
to turn the prompts off because they get in the way.. or worse still,
disable the firewall..
--
Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/
griping about an MS monopoly is what causes the lack of prompts by a Windows
firewall..
And you are wrong about most being computer savvy.. if only I had a cent for
everytime a user said to me "but I have a firewall".. the majority ask how
to turn the prompts off because they get in the way.. or worse still,
disable the firewall..
Jon said:
--
Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/
J
Jon
Mr. Arnold said:
I'll refrain from quibbling about how widely computing knowledge is
disseminated, or on what the limits to the role of a firewall should be -
since both of those are fairly subjective.
What I will say is this. Anyone who has ever used a third party firewall,
such as Zone Alarm, Sygate etc - of which the numbers are many - is already
familiar with being told, on a fairly informative level, which applications
are connecting and to where.
If you quizzed Vista users who have downloaded another firewall (such as
Zone Alarm, Vista firewall) in preference to the Vista one, on why they made
the switch, then I suspect you'd also discover that the number one reason
for the switch (however trivial it may seem to some), is that they WANT the
prompts. They want to know which applications are connecting from their
computer and to where.
Yes, in older versions of Windows it WAS a bit of a snake oil - any other
running program could (and did )easily toggle off the firewall to suit its
evil purposes. With the introduction of UAC this is no longer the case - the
potential is there for a fairly robust outbound firewall + UAC combination.
So it's kind of ironic that an otherwise highly security conscious operating
system, should have such a major area of weakness.
J
Jon
This is a good point and undoubtedly was a major factor.
M
Mr. Arnold
Jon said:
It's not subjective. A FW seperates two networks. The network it's
protecting from usually the Internet and the network it's protecting the
LAN. A FW sits at the junction point between the networks. A FW has two
interfaces, one interface faces the WAN/Internet the untrusted zone and the
other interface faces the LAN the trusted zone.
If it's a host based software FW on a gateway computer, then it's going to
be controlling traffic between two or more NIC(s). The NIC facing the WAN
and the NIC(s) facing the LAN. If it's a packet filtering FW router, the it
has the two interfaces the WAN port and the LAN ports with it controlling
the traffic between the two interfaces. The same holds true for a FW
appliance and it has the two interfaces as well.
All a PFW is --- is a machine level packet filter that doesn't fit the bill
of being a FW solution. It doesn't meet the definition of being a FW.
And I am telling you that is not the case. I have seen users on the job and
off, particualy off the job home users that don't have a *clue* about it,
with them sitting there using the 3rd party solution right there in his or
her and in my face.
I think that's speculation on your part. The number one reason IMHO, is that
they don't know any better to challenge it, and it's monkey see as monkey
do.
Malware can circumvent every last bit of it and even punch through a PFW 3rd
party or not and set its own rules as to not be detected, and they do just
that.
If the right malware can get there and can be executed on the machine, which
is not a problem for the user that has the happy fingers that will click on
everything under the Sun, then it can, does, and will happen. A compromise
doesn't happen by itself. The user must contribute to the compromise in
someway, and they do just that and don't know it.
It doesn't matter what security protection is there on any O/S. If the
conditions are right and the user contributes to it in someway, then the
malware can circumvent every last bit of it.
Anything that runs with the O/S, which can be fooled, circumvented and
defeated, itself, can have it happen to it as well, because it *runs* with
the O/S.
UAC is no stops all and ends all solution. And if you think it is, then
you're fooling yourself, just like those that depend upon the snake-oil
solutions in 3rd party PFW(s) leaning on them like a crutch and thinking
that they have things that are stops all and ends all solutions in them.
It's not the case.
http://blogs.zdnet.com/security/?p=203&tag=nl.e550
It don't take much to get a user to *click*, *click* and *click* until the
compromise happens.
http://www.eweek.com/article2/0,1895,2132447,00.asp
J
Jon
Mr. Arnold said:
You're clearly keen to expound the virtues of a hardware based firewall over
a software one, and to retain a traditional usage of the term - which is all
very well, and you are entitled to do so- but it isn't the issue in this
thread. The issue in this thread is whether a software based firewall is
better off with the option of an outbound popup, or not. In my mind there is
no argument on this issue. Someone who is being informed that their computer
is connecting to downloadtrojan.net, and clicks to prevent that happening
has an inherently more secure system than someone who doesn't.
And no, I said the UAC+firewall combination was 'fairly robust' not fully
comprehensive. Other measures are necessary as well, and having UAC+software
firewall enabled doesn't prohibit someone from implementing them.
It's an interesting workaround for UAC, but again having other measures in
place - scanners of start menu entries etc, could pick up such an attempted
exploit. I don't regard that as the main weakness of UAC, since it still
requires a program to get onto the system (which an antivirus / spyware
scanner could pick up) to set up the bogus entries in the first place. Its
main weakness is that if you run any elevated process once eg an installer,
then that program has the potential to make system wide changes, including
future programs running elevated without UAC prompts. But again having other
measures in place alongside the firewall + UAC could mitigate that threat.
The 'click happy' user is admittedly a harder threat to deal with ;-)
M
Mr. Arnold
Jon said:
I don't think you get the picture a network host base software FW solution
is just as powerful as any hardware based solution, whether that be a FW
router or FW appliance.
And it IS the issue, because PFW(s) are not FW(s), and on top that, they
have absolute snake-oil crap in them trying to protect one from his or
herself that it cannot do.
It's a packet filter running at the machine level. It's not a FW solution.
There are plenty of arguments about the issue. And if you were to post what
you're talking about to a FW and Security NG, they would absolutely cut you
down about this, don't take it the wrong way. But they would do just that.
I disagree with you, because I don't use such snake-oil solutions. You see
it all depends on who is behind the wheel and doing the driving. And when I
was using solutions that had that kind of snake-oil in them, I disabled it.
I don't need to be asked a bunch of questions.
Well, we agree on something.
Are you kidding about that above that malware detection is going to pick up
anything when not only can the O/S be fooled but the detction software as
well that runs with the O/S can be fooled too?
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
I have seen posts and have helped seasoned professionals where malware has
hit a Web server as an example with them saying "I have scan and hit it
with everything but the kitichen sink and nothing is detected, but I know
something is there."
You may not have heard of a zero-day exploits.
I don't think so, and with me being a programmer by profession being able to
produce and present the Vista UAC manifest to Vista programming wise, would
circumvent everything, if I can get the user to click and install it.
But one would say hey but wait, if this is a .NET solution then the .NET
Framework can stop the code that has malicious intent code running. But I
can say I can always turn that feature off through code.
And the there are the programs that can be written that are not .Net
dependent that can hit the machine as well with malicious intent.
You see, detection tools that do scaning are mainly dependent upon a
signature file to detect something. If it's not in the signature file, then
it's going to be missed.
Again we agree on something.
I myself don't depend upon snake-oil solutions. I would much rather use the
proper tools and go look for myself from time to time to see what's
happening with the machine.
http://preview.tinyurl.com/klw1
Vista has got some more bells and whistles on it, but nevertheless, it's
just another NT based O/S that can be attacked just like its predecessors
with it being in the wrong hands.
Sorry, but you're looking through rose colored glass, when the reality is
something else.
M
Mike Hall - MVP
If a user clicks on NO to any firewall question, and subsequently loses
access to either a messenger program or chat, trust me in that they will
never click NO again, regardless of what is asking for access.. they very
quickly learn to associate NO with not being able to talk to their
'friends'.. try teaching them drag n drop so fast..
--
Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/
access to either a messenger program or chat, trust me in that they will
never click NO again, regardless of what is asking for access.. they very
quickly learn to associate NO with not being able to talk to their
'friends'.. try teaching them drag n drop so fast..
Jon said:
--
Mike Hall
MS MVP Windows Shell/User
http://msmvps.com/blogs/mikehall/
C
cquirke (MVP Windows shell/user)
This is always contentuous.
"Free" users are the only person with the right, and therefore
responsibility, to make that call - unless they subcontract that out
to some other entity. No-one should usurp that role.
"Serf" users are expected to delegate that right and responsability to
the tech overseer designated by the boss, who owns both the computing
resources used and the serf's time spend using them.
More to the point, there are mechanisms whereby malware can act as the
fist within some other app that is used as the "glove puppet":
- ADS are assumed to be the files they are attached to
- BHOs, toolbars and plugins act within the browser
- RunDLL and SVCHost can shell malware too
IOW...
- prompts help savvy users
- no prompts help no users
....so why not at least help those who can be bothered to learn?
That, too, is true. In a way, UAC does what some 3rd-party add-ons
like All-Seeing-Eye and PrevX do, i.e. prompt on internal activities
in much the same way that firewalls do for networking.
I've used such tools, but they are too noisy to live with outside test
environments - much as folks are saying about UAC, in fact. I
typically use them on suspect PCs after clean-up, if I have some
doubts as to how clean they may be.
Assuming they don't just pass those through unreported? More likely a
deference to "business partners", such as DRM etc.
More to the point; does MS really want to enter a field that requires
constant revision and imposes a significant support load?
A firewall should be a fairly static defense, i.e. not something that
needs to be updated all the time, as an av does.
Once it starts identifying things and asking users about them, those
users may call MS or their OEM to ask what to do. If such calls are
to be handled as effectively as the user hopes, the staff that take
the calls will have to be up to speed with all the entities they are
asked about. I wouldn't want that load, and I'm pretty sure MS, Acer,
HP, Dell, Toshiba, FSN et al don't want it either.
Since XP debuted MS's first bundled consumer firewall, MS has indeed
entered those waters, first with Defender, and lately with arms-length
value-added "Live" products and services.
Aside from Defender, these new facilities make sense, postioned as
they are as a separate division that can pay its way, or be amputated
if it becomes a sink-hole for expense.
C
cquirke (MVP Windows shell/user)
Yep; please, let's put this one to bed.
I (and I suspect other posters) are not suggesting a desktop software
firewall is a replacement for a NAT router, for example.
Else it's like trying to debate which type of fencing works best AS a
fence, and having someone butting in with "neither of them is a wall".
Who is General Failure and
why is he reading my disk?
J
Jon
Mr. Arnold said:
No it doesn't simply protect a user from themselves. I personally use many
useful pieces of software which I find useful....but I don't let them dial
home to daddy (which is their only fault). This can be implemented easily
and efficiently using a software firewall.
A 'network host based software' firewall more secure than a software one?
Nope it isn't.
Ask yourself this question - 'Why should the software running on that
'firewall machine' be any more secure than that running on the main machine
with the operating system?' and you'll see why.
I'm happy to be humbled. It's good for my soul ;-)
This was actually my point there. Installing programs is UAC's Achilles
heel, since the UAC prompt is expected at that particular point. Run a
suitably written malicious program once elevated, and yes, you can forget
about UAC.
This is a limited view of the capabilities of detections tools and anyway,
you are not forced to rely on their 'signatures' alone. As a programmer you
should be capable of writing your own programs to monitor your own system ..
programs of which malware has no knowledge. For example I have programs
running here that check the status of the firewall, check for any newly
created scheduled tasks etc etc. No malware is aware of these, and could not
possibly be, since they are not in the public domain.
And this is in fact is what many people forget. Malware has no inherent
knowledge of your system, other than the way it comes out of the box. Any
variation from that and it's at a loss.
J
Jon
Mike Hall - MVP said:If a user clicks on NO to any firewall question, and subsequently loses
access to either a messenger program or chat, trust me in that they will
never click NO again, regardless of what is asking for access.. they very
quickly learn to associate NO with not being able to talk to their
'friends'.. try teaching them drag n drop so fast..
Sounds like you have a particular user in mind there ;-)
J
Jon
You make some great posts cquirke. Keep 'em coming.