notachance
With Vista and Defender, and a good antivirus (Avast), do I need
another layer of complexity and protection?
Wayne L. said: Windows Defender tells you not to have more than one Firewall running at
the same time, for example, so if you fall for the hype, you must disable
Windows Defender, which came free with Vista, and use another product that
someone will tell you is the "best". If you have a good free anti-virus (such
as the highly-praised Avast, which you have) and MS's own Windows Defender,
you're protected.
Read "Security Center" help in Control Panel to answer your concerns.
Wayne
Mike Hall - MVP said:Run the Windows Firewall alongside them.. people will tell you that a 3rd
party firewall is the best solution, but the problem with those is that
they ask the users questions regarding allowing access for which the users
do not have an educated answer.. so, do you want ICQ to act as a server
(you have five seconds to respond or quit the program)? What are the
implications? Most do not know, so they answer YES.. now ICQ will let
anything through, and the firewall has been told it is ok to do that..
OOPS..
In actual fact, ICQ is useless if not allowed to act as a server, but
other programs that ask for access may not be so forgiving, especially
when the reference is to some obscure internal executable..
Jon said: If that's an attempt to justify the inexcusable lack of prompts in the
outbound Vista firewall, then it doesn't wash.
Most people are computer savvy enough to realize that when dkfljdf.exe is
trying to connect to collectcreditcardinfo.com then something ain't quite
right. The prompts act as an invaluable warning sign.
I suspect the real reason for the lack of outbound prompts is that MS
don't want the average user being made aware of every outbound connection
that their own operating system is making.
Mr. Arnold said:The average joe blow computer user is not savvy enough to know this. And
there are too many questions asked by such solutions that the user becomes
oblivious to them, much like I would suspect is happening with UAC. It's
to the point with these type of solutions for most users, solutions that
ask too many questions, that they basically start blowing them off.
A FW's main job is to stop unsolicited inbound traffic and to protect
services like HTTP, SMTP, POP etc and etc. Its job is not to be asking
the user to be making decisions as to what they should and what they
should not allow to access the Internet with something like Application
Control in personal FW(s).
Personal FW's are not FW(s) and are only machine level packet filters with
a bunch of snake oil in them trying to protect one from his or her self
that it cannot do.
In no way does it justify lack of prompts by a Windows firewall.. people
griping about an MS monopoly is what causes the lack of prompts by a
Windows firewall..
Jon said:I'll refrain from quibbling about how widely computing knowledge is
disseminated, or on what the limits to the role of a firewall should be -
since both of those are fairly subjective.
What I will say is this. Anyone who has ever used a third party firewall,
such as Zone Alarm, Sygate etc - of which the numbers are many - is
already familiar with being told, on a fairly informative level, which
applications are connecting and to where.
If you quizzed Vista users who have downloaded another firewall (such as
Zone Alarm, Vista firewall) in preference to the Vista one, on why they
made the switch, then I suspect you'd also discover that the number one
reason for the switch (however trivial it may seem to some), is that they
WANT the prompts. They want to know which applications are connecting from
their computer and to where.
Yes, in older versions of Windows it WAS a bit of a snake oil - any other
running program could (and did) easily toggle off the firewall to suit its
evil purposes. With the introduction of UAC this is no longer the case -
the potential is there for a fairly robust outbound firewall + UAC
combination. So it's kind of ironic that an otherwise highly security
conscious operating system, should have such a major area of weakness.
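A point the thread circles around without showing: the Vista firewall (Windows Firewall with Advanced Security) does filter outbound traffic, it simply never prompts. The script below is an added example, not something posted in this thread, that turns the firewall into a default-deny outbound filter with explicit per-program allow rules, which is the non-interactive equivalent of answering "No" to every prompt for an unknown program. It uses only the netsh advfirewall commands that ship with Vista. The program paths and the choice of which programs to allow are assumptions; adjust them to the machine. It must be run from an elevated prompt, which is the UAC tie-in Jon mentions: a standard-user process cannot rewrite these rules.

```powershell
# Added example (not from the thread): silent default-deny outbound on Vista's
# built-in firewall, with a whitelist instead of prompts. Run elevated (UAC);
# netsh advfirewall refuses rule and policy changes from a non-elevated shell.
# Program paths below are assumptions for illustration.

# 1. Snapshot the current policy so it can be restored if something breaks.
netsh advfirewall export "$env:USERPROFILE\fw-before.wfw"

# 2. Block anything outbound that has no matching allow rule, on all three
#    profiles (domain, private, public). Inbound stays blocked by default.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Allow only the programs that are supposed to talk to the network.
#    Name resolution runs inside svchost (Dnscache), so allow UDP/53 explicitly
#    or nothing will resolve once outbound is blocked.
netsh advfirewall firewall add rule name="Out: DNS" dir=out action=allow protocol=udp remoteport=53 enable=yes
# Assumed browser path.
netsh advfirewall firewall add rule name="Out: Firefox" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes
# Windows Update: scope the svchost rule to the single service rather than
# allowing every svchost-hosted service out.
netsh advfirewall firewall add rule name="Out: Windows Update" dir=out action=allow program="%SystemRoot%\system32\svchost.exe" service=wuauserv enable=yes

# 4. Since there is no popup, log dropped connections so the silent blocks
#    are at least visible after the fact.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

# 5. Verify the policy and the outbound rule set.
netsh advfirewall show allprofiles | findstr /i /c:"Firewall Policy"
netsh advfirewall firewall show rule name=all dir=out | findstr /i /c:"Rule Name"

# Roll back with:  netsh advfirewall import "$env:USERPROFILE\fw-before.wfw"
```

What this shows relative to the argument above: the thing an outbound prompt gives you, a decision per program, is expressible as a static rule set, and the decision is then made once by someone who can read a path rather than under a five-second timeout. It also shows the limit Mr. Arnold raises: a process that is already running elevated can issue the same `netsh advfirewall firewall add rule` call and whitelist itself, so the rule set is only as strong as the boundary (UAC, or better a non-admin day-to-day account) that keeps malware from reaching an elevated token.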
Mr. Arnold said: It's not subjective. A FW separates two networks: the network it's
protecting from, usually the Internet, and the network it's protecting,
the LAN. A FW sits at the junction point between the networks. A FW has two
interfaces: one interface faces the WAN/Internet, the untrusted zone, and
the other interface faces the LAN, the trusted zone.
If it's a host-based software FW on a gateway computer, then it's going to
be controlling traffic between two or more NIC(s): the NIC facing the WAN
and the NIC(s) facing the LAN. If it's a packet-filtering FW router, then
it has the two interfaces, the WAN port and the LAN ports, with it
controlling the traffic between the two interfaces. The same holds true
for a FW appliance; it has the two interfaces as well.
All a PFW is --- is a machine level packet filter that doesn't fit the
bill of being a FW solution. It doesn't meet the definition of being a FW.
And I am telling you that is not the case. I have seen users on the job
and off, particularly off-the-job home users, that don't have a *clue* about
it, with them sitting there using the 3rd party solution right there in
his or her and in my face.
I think that's speculation on your part. The number one reason IMHO, is
that they don't know any better to challenge it, and it's monkey see as
monkey do.
Malware can circumvent every last bit of it and even punch through a PFW
3rd party or not and set its own rules as to not be detected, and they do
just that.
If the right malware can get there and can be executed on the machine,
which is not a problem for the user that has the happy fingers that will
click on everything under the Sun, then it can, does, and will happen. A
compromise doesn't happen by itself. The user must contribute to the
compromise in someway, and they do just that and don't know it.
It doesn't matter what security protection is there on any O/S. If the
conditions are right and the user contributes to it in someway, then the
malware can circumvent every last bit of it.
Anything that runs with the O/S, which can be fooled, circumvented and
defeated, itself, can have it happen to it as well, because it *runs* with
the O/S.
UAC is no stops all and ends all solution. And if you think it is, then
you're fooling yourself, just like those that depend upon the snake-oil
solutions in 3rd party PFW(s) leaning on them like a crutch and thinking
that they have things that are stops all and ends all solutions in them.
It's not the case.
http://blogs.zdnet.com/security/?p=203&tag=nl.e550
It doesn't take much to get a user to *click*, *click* and *click* until the
compromise happens.
http://www.eweek.com/article2/0,1895,2132447,00.asp
Jon said:You're clearly keen to expound the virtues of a hardware based firewall
over a software one, and to retain a traditional usage of the term - which
is all very well, and you are entitled to do so- but it isn't the issue in
this thread.
The issue in this thread is whether a software based firewall is better off
with the option of an outbound popup, or not.
In my mind there is no argument on this issue.
Someone who is being informed that their computer is connecting to
downloadtrojan.net, and clicks to prevent that happening has an inherently
more secure system than someone who doesn't.
And no, I said the UAC+firewall combination was 'fairly robust' not fully
comprehensive. Other measures are necessary as well, and having
UAC+software firewall enabled doesn't prohibit someone from implementing
them.
It's an interesting workaround for UAC, but again having other measures in
place - scanners of start menu entries etc, could pick up such an
attempted exploit. I don't regard that as the main weakness of UAC, since
it still requires a program to get onto the system (which an antivirus /
spyware scanner could pick up) to set up the bogus entries in the first
place.
Its main weakness is that if you run any elevated process once eg an
installer, then that program has the potential to make system wide
changes, including future programs running elevated without UAC prompts.
But again having other measures in place alongside the firewall + UAC
could mitigate that threat.
The 'click happy' user is admittedly a harder threat to deal with ;-)
Mr. Arnold said: I don't think you get the picture: a network host-based software FW solution
is just as powerful as any hardware-based solution, whether that be a FW
router or FW appliance.
And it IS the issue, because PFW(s) are not FW(s), and on top of that, they
have absolute snake-oil crap in them trying to protect one from his or
herself that it cannot do.
There are plenty of arguments about the issue. And if you were to post
what you're talking about to a FW and Security NG, they would absolutely
cut you down about this, don't take it the wrong way. But they would do
just that.
Are you kidding about that above, that malware detection is going to pick
up anything when not only can the O/S be fooled, but the detection software
that runs with the O/S can be fooled too?
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
I have seen posts and have helped seasoned professionals where malware has
hit a Web server, as an example, with them saying "I have scanned and hit it
with everything but the kitchen sink and nothing is detected, but I know
something is there."
You may not have heard of zero-day exploits.
.....
You see, detection tools that do scanning are mainly dependent upon a
signature file to detect something. If it's not in the signature file,
then it's going to be missed.
Mike Hall - MVP said: If a user clicks on NO to any firewall question, and subsequently loses
access to either a messenger program or chat, trust me in that they will
never click NO again, regardless of what is asking for access.. they very
quickly learn to associate NO with not being able to talk to their
'friends'.. try teaching them drag 'n' drop so fast..