From: Poprivet` on 27 Nov 2007 12:08

raylopez99 wrote:
> On Nov 24, 9:50 am, "Poprivet" <popri...(a)devnull.spamcop.net> wrote:
>> Hi Luis, ....
>
> I keep hearing this 'fact' about outgoing messages having to be
> checked by a firewall, but, though I see the logic behind it, I'm not
> entirely convinced. After all, if a virus is smart enough to
> penetrate the incoming firewall, don't you think it will be smart
> enough to penetrate the outgoing firewall? Say by pretending it is a
> legitimate windows process (like MSFT Update) and then tricking the
> user into approving of it? I think so.

An entirely possible set of events, yes. But there are other avenues onto a system than always in-bound and alone through the 'net ports.

One example is being invited in: there's a program or 5 out there that will let you use smilies wherever you want to use them; Word, IE, Wordpad, most any application. Yahoo carries it as a link. Lots of newbies think Yahoo is pretty danged neat and go ahead and download it. I forget what it's called and it is pretty neat at first, but then the machine starts to slow down and you keep noticing lots of downloads coming into your machine. If the firewall sees it, they allow it because it's a familiar name and has to do with the app they just downloaded, claiming to be its updates. Only the "updates" never stop. It's the GAIN spyware though it goes by several different names. It's a PIA to remove and even their remove instructions, of course, don't fully work. I found it on the client's machine quickly with a malware scan.

Another possibility is a disk from a friend or acquaintance. It may or may not get scanned by a newbie. If it's only spyware it covertly contains, AV won't catch a problem. Not all spyware detectors will find it right away so if all you use is say Windows Defender, there's a good chance you're not going to catch it, if you did bother to scan it. So, it starts calling home and guess what? You have spyware being downloaded into your machine, small pieces at a time until ... .

There's another side of this discussion too I'd like to mention. It seems a lot of the posts have begun to concentrate on the really miserable malware out there that's actually seldom seen by the normal user. Rather than discuss the generally relevant information in addition to the tough ones, they are concentrating on the tough ones as though they are all that exist. It appears to me to be more an attempt to display inflated egos than to impart any useful information to the masses and is dangerously close to being trolling in more than one of the posters; the others are just being sucked into endless discussions, the signature responses trolls hope for.

>
>> You're also correct in that having two software firewalls working at
>> the same time is a no-no. They will step on each other's resources
>> even if they seem to work together. Many firewalls won't even
>> install until you disable any other one you have working. Some even
>> make you actually Remove the other firewall before they'll install
>> and XP also has a firewall monitor that'll complain to you.
>
> Two software firewalls may be a no-no, but I have three antivirus and
> spyware programs (AVG AntiSpyware, Kaspersky Antivirus, and Webroot)
> and they all happily play nicely together, with the most obnoxious of
> the three programs being Kaspersky (the "heuristics" is a pain),
> followed by Webroot (has given false positives in the past, though the
> company is good at correcting these mistakes) and AVG (works so nice,
> with no problems, that I sometimes wonder if it's doing anything at
> all, since I've seen ads saying that of all the vendors AVG products
> miss the most viruses, but when scanning your system AVG finds
> tracking cookies that the other two programs miss). Also Blacklight's
> free online Windows Explorer ActiveX product has found tracking
> cookies that all three of the above programs have missed.

That's a reasonable arsenal you have, IMO with the exception of possibly Webroot, which I've only read about but don't have any actual experience with. Heuristics, for what it's worth, IS good, but by its nature very prone to false positives; better a false positive than a false negative. The user should be fairly savvy and understand what is causing the hits with heuristics or it can create a sense of worry that's totally unnecessary. Heuristics is simply watching for virus-like activity, unable to know whether it's legitimate accesses due to a user's programs or viral activity, so it notifies the user each time.

Cookies, IMO I don't worry too much about. I only keep a few of them on my machine that I need for certain web site passwords, fast signons etc and delete everything else. I use WinPatrol for that but for a lot of other things unrelated, too.

Regards,
Pop`

>
> RL
From: Gerald Vogt on 27 Nov 2007 18:53

RalfG wrote:
> It doesn't need to be a virus. I did encounter that one time when accessing
> a web page unexpectedly triggered OE and the firewall blocked it. A

Which means again you went to that web page to start with. It was your action which brought you there.

> firewall may have the ability to block -any- application from sending email
> without explicit approval. Monitoring outbound traffic also entails

Still, any application can send email without explicit approval if it really wants to. That's the point which is usually not mentioned.

> differentiating the legitimate processes from suspicious ones or spoofs. All
> firewalls are not equal, but if the firewall is doing the job well it's not
> enough for a process to pretend to be "iexplore.exe" in order to pass the
> firewall, it has to be c:\program files\internet explorer\iexplore.exe, with
> additional identifying information, be it a specific version number, CRC
> etc. etc..

And what keeps the malware from using the original IE to send out its data?

> Viruses aren't smart, they're all constrained to operating within specific
> program parameters. Some are more cleverly written than others but the vast
> majority have already been beaten.

Yes. But that's all. A single little bit cleverer malware sends out your credit card number through DNS. Your firewall does not help. It does not recognize it. You still need more effective means to protect your data which no security suite can provide.

> Anyway this thread seems to be missing the point. It's analogous to saying
> that we shouldn't bother using crosswalks or crossing at the lights because
> it is always possible that some idiot driver might ignore the signals and
> run us down anyway. One side (anti-security) says avoid the problem by never
> crossing a street, the other side (pro-security) says use due caution and

No. That is the wrong analogy. No one ever said you can never cross the street.

You say you have to install security firewall, i.e. you have to cross the street with the security installed, i.e. at the lights. You must not cross the street at any other place (i.e. without security) because you will be killed, i.e. it is impossible to cross the street at any other place except at the lights.

Others say, this is not true. You don't need the security software. You can cross the street wherever you want. The traffic lights won't prevent you from being killed if all you do is to cross the street at the lights and never look to the right or left. If you just start to walk when it's green you'll eventually be killed. There are a lot of nice drivers who stop at their red light but eventually you'll meet the one who does not.

The alternative is not to rely on the lights. Don't trust the lights. The effective security is to switch on your brain and protect yourself, looking to the left and right and making sure yourself it is safe to cross the street at this time and at this place. This effectively protects you far better than relying on some software which tries to make the decision for you when it is safe to cross and when not.

And once you have learned how to cross the streets safely at any place you'll figure that you don't really need the lights as they only slow down your computer. Then you'll see that there is no MUST to use a security software as there are other far more efficient means to protect you. Then you'll see that all those people you think they MUST cross at the lights tend to turn off their brains because everybody else does the same and they'll never think about what they could do to protect themselves as it is "too complicated" or because everybody says "it is not possible otherwise".

That's the correct analogy if you want to use the "lights". No one ever said you cannot cross the street. On the contrary. (I already know how you will now adjust your analogy but...)

> cross with the lights. I use a firewall mainly to keep unauthorised -people-
> out of my PC, AV and AS software to keep out or kill malicious software.

Anything that comes on to your computer first of all got there because of your action, i.e. your "invitation". But none of the security suites really deals with this fact nor

Gerald
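Gerald's DNS point has a defensive side: an application-aware firewall checks which process is talking, not what the query names carry, so the place to notice data leaving over DNS is the resolver's query log. The following is an added example, not code from any poster in this thread; it runs a small detector over a constructed query log (the log format, thresholds and the exfil-demo.invalid names are assumptions) and flags oversized or high-entropy labels and a burst of distinct names under one domain.

```python
import math
import re
from collections import defaultdict

# Constructed sample query log (assumed format "time client qname qtype");
# the hex labels under exfil-demo.invalid are made-up stand-ins for a tunnel.
SAMPLE_LOG = """\
12:00:01 192.168.1.20 www.example.com A
12:00:02 192.168.1.20 update.microsoft.com A
12:00:03 192.168.1.20 3f9a1c7e5b2d8a4c6e1f0b9d7a3c5e2f.t.exfil-demo.invalid TXT
12:00:04 192.168.1.20 8e2b7d4a1c6f3e9b5d0a7c2e4f1b8d3a.t.exfil-demo.invalid TXT
12:00:05 192.168.1.20 c4d1e8a3b7f2c9e6d5a0b3f8e1c7d2a4.t.exfil-demo.invalid TXT
12:00:06 192.168.1.20 mail.example.com MX
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character: about 4.0 for random hex, 0.0 for 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"client": m[2], "qname": m[3].rstrip(".").lower()})
    return rows

def registered_domain(qname):
    # Last two labels; a real tool would consult a public-suffix list.
    return ".".join(qname.split(".")[-2:])

def query_reasons(qname, max_label=30, min_entropy=3.5):
    """Per-query heuristics: an oversized or a high-entropy label."""
    longest = max(qname.split("."), key=len)
    reasons = []
    if len(longest) > max_label:
        reasons.append("label of %d chars" % len(longest))
    if len(longest) >= 16 and shannon_entropy(longest) > min_entropy:
        reasons.append("label entropy %.2f bits" % shannon_entropy(longest))
    return reasons

def find_suspicious(rows, min_unique=3):
    """Return {qname: [reasons]} from per-query and per-domain signals."""
    flagged = defaultdict(list)
    per_domain = defaultdict(set)
    for r in rows:
        per_domain[registered_domain(r["qname"])].add(r["qname"])
        flagged[r["qname"]].extend(query_reasons(r["qname"]))
    for dom, names in per_domain.items():
        if len(names) >= min_unique:  # many distinct names: a chunked channel
            for name in names:
                flagged[name].append("%d unique names under %s" % (len(names), dom))
    return {k: v for k, v in flagged.items() if v}
```

The thresholds are deliberately loose; in practice they are tuned per network against a baseline of ordinary CDN and update-service names, which also use long labels.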
From: Kayman on 27 Nov 2007 19:35

On Tue, 27 Nov 2007 14:24:21 +0100 (CET), Ansgar -59cobalt- Wiechers wrote:
> In comp.security.firewalls Kayman <kaymanNoSpam(a)operamail.com> wrote:
>> On Tue, 27 Nov 2007 06:43:39 GMT, HEMI-Powered wrote:
>>> Kayman added these comments in the current discussion du jour
>>>> "People think that putting one AV engine after another is somehow
>>>> defense in depth. They think that if one engine doesn't catch the
>>>> worm, the other will catch it," he said. "You haven't decreased your
>>>> attack surface; you've increased it because every AV engine has
>>>> bugs"
>>>
>>> I don't think anyone thinks that having more than one true AV utility
>>> running at a time is a good idea. But, what I listed running all the
>>> time, eTrust Pest Patrol, commercial Zone Alarm, and NAV 2006 are all
>>> intended to do different things in different ways. And, running
>>> Ad-Aware and Spy Bot Search & Destroy as separate utilities
>>> periodically do yet another security-related purpose. So, I see no
>>> conflicts here.
>>
>> Conflict(s) is/are not the issue; The OS may appear working smoothly.
>> But installing anti-whatever applications has made your OS more
>> vulnerable to attacks.
>
> Not true. Conflicts between two on-access scanners are a very real issue
> and are indeed the main argument against installing concurring scanners.

Yes of course! Utilizing more than one (1) real-time anti-virus scanning engine most likely will cause conflicts; I didn't mean to suggest otherwise. I was trying to emphasise that additional software such as on-demand av/a-s and other anti-whatever apps. are not causing noticeable conflicts per se. Sorry for confusion.

> Also, installing applications does not necessarily make an OS more
> vulnerable. The OS only becomes more vulnerable if some application has
> an exploitable bug. Of course installing additional software does
> increase the chance of that happening, but it doesn't automagically make
> the OS (more) vulnerable.
>
> For example: you can easily run two or more on-demand virus scanners
> without a single problem, because they're running as simple userspace
> applications (and thus won't affect each other), and only run with the
> privileges of the user initiating the scan.
>
> However, that doesn't mean that it'd be okay to install arbitrary AV
> software, because several of them have issues aside from what I
> mentioned above.
>
> cu
> 59cobalt
From: Ansgar -59cobalt- Wiechers on 27 Nov 2007 19:59

Unknown <unknown(a)unknown.kom> wrote:
> "Ansgar -59cobalt- Wiechers" <usenet-2007(a)planetcobalt.net> wrote:
>> In comp.security.firewalls Kayman <kaymanNoSpam(a)operamail.com> wrote:
>>> Conflict(s) is/are not the issue; The OS may appear working
>>> smoothly. But installing anti-whatever applications has made your OS
>>> more vulnerable to attacks.
>>
>> Not true. Conflicts between two on-access scanners are a very real
>> issue and are indeed the main argument against installing concurring
>> scanners. Also, installing applications does not necessarily make an
>> OS more vulnerable. The OS only becomes more vulnerable if some
>> application has an exploitable bug. Of course installing additional
>> software does increase the chance of that happening, but it doesn't
>> automagically make the OS (more) vulnerable.
>>
>> For example: you can easily run two or more on-demand virus scanners
>> without a single problem, because they're running as simple userspace
>> applications (and thus won't affect each other), and only run with
>> the privileges of the user initiating the scan.
>>
>> However, that doesn't mean that it'd be okay to install arbitrary AV
>> software, because several of them have issues aside from what I
>> mentioned above.
>
> I use absolutely no virus programs whatsoever, have never had a virus
> or malware. Can you tell me why?

You may want to explain how exactly that is supposed to relate to what I wrote.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich
From: RalfG on 28 Nov 2007 10:16
"Gerald Vogt" <vogt(a)spamcop.net> wrote in message news:ex5$zCVMIHA.1164(a)TK2MSFTNGP02.phx.gbl...
> RalfG wrote:
>> It doesn't need to be a virus. I did encounter that one time when
>> accessing a web page unexpectedly triggered OE and the firewall blocked
>> it. A
>
> Which means again you went to that web page to start with. It was your
> action which brought you there.

Normal usage of the computer for browsing, yes. Staying off of the internet is almost certainly the best way to avoid trouble but that's just a tad self defeating.

>> firewall may have the ability to block -any- application from sending
>> email without explicit approval. Monitoring outbound traffic also entails
>
> Still, any application can send email without explicit approval if it
> really wants to. That's the point which is usually not mentioned.

In your preferred setup nothing prevents emails from being sent. With an appropriate firewall the firewall can block emails from being sent without user intervention.

>> differentiating the legitimate processes from suspicious ones or spoofs.
>> All firewalls are not equal, but if the firewall is doing the job well
>> it's not enough for a process to pretend to be "iexplore.exe" in order to
>> pass the firewall, it has to be c:\program files\internet
>> explorer\iexplore.exe, with additional identifying information, be it a
>> specific version number, CRC etc. etc..
>
> And what keeps the malware from using the original IE to send out its data?

In your setup nothing, with many firewalls nothing as well, however there are firewalls which do monitor all processes that try to start other processes.

>> Viruses aren't smart, they're all constrained to operating within
>> specific program parameters. Some are more cleverly written than others
>> but the vast majority have already been beaten.
>
> Yes. But that's all. A single little bit cleverer malware sends out your
> credit card number through DNS. Your firewall does not help. It does not
> recognize it. You still need more effective means to protect your data
> which no security suite can provide.

You're basing your argument on a hypothetical malware and deficient AV and firewall apps. Sorry, that strawman logic doesn't work. One of the reasons for monitoring outbound traffic is precisely to stop unrecognized processes from making connections, either to the internet or to other nodes on a LAN. Firewall X might do this better than Firewall Y, Firewall Z might not do it at all. Y may not be as good a firewall as X but it is still better than Z, and even Z is better than nothing at all.

>> Anyway this thread seems to be missing the point. It's analogous to
>> saying that we shouldn't bother using crosswalks or crossing at the
>> lights because it is always possible that some idiot driver might ignore
>> the signals and run us down anyway. One side (anti-security) says avoid
>> the problem by never crossing a street, the other side (pro-security)
>> says use due caution and
>
> No. That is the wrong analogy. No one ever said you can never cross the
> street.
>
> You say you have to install security firewall, i.e. you have to cross the
> street with the security installed, i.e. at the lights. You must not cross
> the street at any other place (i.e. without security) because you will be
> killed, i.e. it is impossible to cross the street at any other place
> except at the lights.

I never suggested certainty. The whole computer security issue is about probabilities. There is a greater probability of being hit by traffic if you don't use the crosswalks just as there is a greater probability of falling victim to malware if you don't use security software.

> Others say, this is not true. You don't need the security software. You
> can cross the street wherever you want. The traffic lights won't prevent

Drivers do so love aggressive jaywalkers... so many bonus points. <rofl>

> you from being killed if all you do is to cross the street at the lights
> and never look to the right or left. If you just start to walk when
> it's green you'll eventually be killed. There are a lot of nice drivers
> who stop at their red light but eventually you'll meet the one who does
> not.
>
> The alternative is not to rely on the lights. Don't trust the lights. The
> effective security is to switch on your brain and protect yourself, looking
> to the left and right and making sure yourself it is safe to cross the
> street at this time and at this place. This effectively

You just described using due caution.

> protects you far better than relying on some software which tries to make
> the decision for you when it is safe to cross and when not.
>
> And once you have learned how to cross the streets safely at any place
> you'll figure that you don't really need the lights as they only slow
> down your computer. Then you'll see that there is no MUST to use a
> security software as there are other far more efficient means to protect
> you. Then you'll see that all those people you think they MUST cross at
> the lights tend to turn off their brains because everybody else does the
> same and they'll never think about what they could do to protect
> themselves as it is "too complicated" or because everybody says "it is not
> possible otherwise".
>
> That's the correct analogy if you want to use the "lights". No one ever
> said you cannot cross the street. On the contrary. (I already know how you
> will now adjust your analogy but...)

There's no need to adjust my analogy. You haven't yet made a compelling argument in favour of your position.. and I doubt that accident statistics will support your contentions either. :)

>> cross with the lights. I use a firewall mainly to keep
>> unauthorised -people- out of my PC, AV and AS software to keep out or
>> kill malicious software.
>
> Anything that comes on to your computer first of all got there because of
> your action, i.e. your "invitation". But none of the security suites
> really deals with this fact nor

Blaming the victim?

>
> Gerald