'Leak' Test of 21 Personal Firewalls 104
mork writes "Matousec.com, as part of a larger analysis of personal firewalls on Windows, has conducted a thorough leak test of 21 pieces of firewall software. Leak tests imitate common methods used by trojans or spyware to send your information from your computer. Windows Firewall XP SP2 fails every test, so the fears that the days of third party firewall software were over seem groundless. Surprisingly the two top programs are both freeware." From the article: "Some firewalls totally failed tests made against their default settings but their results on the highest security settings were much better. Kaspersky Internet Security 6.0.0.303 is the product with the biggest difference between the default settings score and the highest security settings score. Another such product is Safety.Net. Some products like BitDefender, F-Secure, McAfee, Panda, etc. include antivirus engines. The sad and funny thing at once is that lots of them mark leak-testing software as viruses or malware."
Re: (Score:2, Offtopic)
Outbound filters do tell the user "You've been PWN3D!!!" Just a little too little, a little too late.
Anybody who has tried to clean the latest set of nasties off an OS will agree with the conclusion that it is almost impossible. Even simple adware is using rootkit-style techniques to embed itself, and regenerates
Re: (Score:2)
I allow some people shell accounts. As long as they are not abusive. Outbound traffic monitoring is as important to me as inbound.
1 - It's bandwidth. Which is a resource
2 - I don't want to be found administering a spam factory
3 - I need to control P2P content (also see point 1). (I just had to cut someone off for sharing the movie "Click"). I do get those "take-down notices"! And I have to be brutal about it.
None of those things has anything
Re: (Score:2)
When I referred to SYN, I wasn't talking about flooding. I meant INITIATING outbound, any non-whitelist TCP traffic. Most perimeter firewalls are set up to block non-whitelist incoming, and that's a comfort.
I don't want an admin deciding to touch unknown web or FTP destinations from a trusted host, etc. Outbound firewalls are good here. I have some other cases, but with Windows servers, it's good not to let the Admins get into a habit of readi
That's not the point. (Score:4, Insightful)
Windows Firewall XP SP2 fails every test, so the fears that the days of third party firewall software were over seem groundless.
The fears aren't because MS figured out how to build a good firewall; the fears are based on supposed "features" in Vista that would make it very hard/impossible for third party vendors to access parts of the OS needed to build good security software without first going through MS for some kind of certification. Not only that, but as MS integrates other security into Windows, like anti-virus, it may become very difficult to install third party AV and firewalls because the built-in AV wouldn't allow it.
Now, I'm not sure how much of these fears were grounded in reality, but I'm pretty sure they had nothing to do with some perceived accomplishment of the built-in Windows Firewall.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
It's more like in Joe SixPack's mind (assuming Joe gives any thought to security at all) "this thing has a built-in firewall thingie, so I don't need to get one o' those from somewhere else".
Same argument goes for web browsers, e-mail clients, IM, multi-media player, etc.
The more that's hanging off the periphery of the OS, the less likely third party software is looked at.
Obvious.... (Score:3, Insightful)
This may seem obvious to me.... but the leak-testing software's imitating how a virus or trojan sends messages to the net, right? Wouldn't that of course mean that anti-virus software is going to mark it as malware?
I mean, the anti-viruses must be matching either the behavior of the program itself, or the signature of that data-sending bit. Of course they'll think it's a virus.
Re: (Score:2, Funny)
Re:Obvious.... (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
an empty gun is as dangerous as a stapler.
Re: (Score:1)
Re: (Score:2)
So you're right, an empty gun is as dangerous as a stapler.
Re: (Score:2)
If you don't threaten to hit/punch someone with your fists, they're not weapons.
Re: (Score:2)
Re: (Score:2)
Comodo (Score:2, Informative)
Re: (Score:2)
I like the look of the Comodo, and based on your recommendation I will install it tonight.
Thanks!
At minimum, this is VERY weird. What's happening? (Score:2)
Matousec's review covered "personal firewalls", an artificial category which may eliminate products of interest. For example, Comodo doesn't recommend its own firewall, it recommends the Trustix Enterprise Firewall [trustix.com], which is free, also.
At minimum, this is VERY weird. I'm
Thanks. (Score:2)
Now, we still need to address why we have never heard of these companies before today, and now they are the best?
Comodo installer may be unsafe (Score:1)
Why can't the instal
Firewalls for Linux (Score:2, Insightful)
I've really only seen Linux firewalls based on iptables/ipchains. I use one, called TuxGuardian (try Google/SourceForge if you want a link) that seems to work well.
Re: (Score:2, Informative)
Re: (Score:2)
I've really only seen Linux firewalls based on iptables/ipchains.
Re: (Score:3, Insightful)
Re:Firewalls for Linux (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
From the Steve Gibson school of thought (Score:5, Insightful)
It's also annoying to see a firewall listed as a failure because it's a firewall and not a host-based IDS.
I'd also argue that the host-based IDS programs are being sold for a purpose that is not their best use. Once a system has malicious software on it, expecting a process on the same machine to protect you and itself is, um, optimistic. Sure they try to defend themselves but that puts them on the wrong side of an arms race.
What they're best for is monitoring and control of "legitimate" software. I have Zone Alarm set to prompt me every time a program tries to run IE6, and to block media players from phoning home to whisper about what I'm watching.
Other test to perform. (Score:1, Funny)
Another test to perform: just browse some adult oriented sites. That's the so-called "lick test". If your firewall licks, then it sucks !
ZoneAlarm (Score:1)
PS- I use AntiVir for virus protection and have been happy with it as well.
Re:ZoneAlarm cracker pro (Score:1)
Re: (Score:2)
But Zonealarm was good, easy to use. I imagine the 'Pro' version would be just as good.
XP SP2 firewall is inbound only (Score:5, Informative)
So of course it failed every test.
Yet it tries to anyway, and poorly (Score:1)
Re: (Score:3, Informative)
They include "protection" when an app opens a port to receive data on. That would "protect" against apps that are trying to allow your computer to be controlled remotely. However, nothing gets filtered when an app decides to send data somewhere.
disclaimer: These arguments are 100% based on truthiness.
Re: (Score:2)
Did MagicM not say just that? The Windows firewall does not have any outbound protection at all, as Microsoft themselves make clear.
fwiw, my Linux firewall is set up in exactly the same way: block all incoming traffic but permit all outgoing. I am a bit hazy on the DNS firewall requirements.
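The "block all incoming, permit all outgoing" host policy the comment above describes, and the stricter "only whitelisted outbound" variant argued for earlier in the thread, as an added example that is not part of the original thread or of any product it reviews. It assumes a modern Linux host with nftables (`nft`) installed; mode names, the `host` table name and the short egress allowlist are this example's own choices. On the DNS question the poster is hazy about: with the stateful rule below, the UDP answer to an outbound port 53 query is matched as `established` by conntrack, so an outbound-only policy needs no inbound DNS rule unless the host itself runs a resolver.

```shell
#!/bin/sh
# Added example, not code from the thread or from any firewall it discusses.
# Emits an nftables ruleset for a single host in one of two modes:
#   inbound-only : drop unsolicited inbound, allow all outbound
#   egress       : additionally default-deny outbound and allow only a
#                  short allowlist of services this host may initiate
# Apply (as root) with:  gen_host_policy egress | nft -f -

gen_host_policy() {
    mode="${1:-inbound-only}"
    case "$mode" in
        inbound-only) out_policy="accept" ;;
        egress)       out_policy="drop" ;;
        *) echo "usage: gen_host_policy inbound-only|egress" >&2; return 2 ;;
    esac

    # Unquoted heredoc so ${out_policy} expands; '#' lines are nft comments.
    cat <<EOF
flush ruleset
table inet host {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        # replies to anything we initiated, including UDP DNS answers:
        # conntrack tracks the UDP 53 exchange, so no inbound DNS rule is needed
        ct state established,related accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        log prefix "host-in-drop " counter
    }
    chain output {
        type filter hook output priority 0; policy ${out_policy};
EOF
    if [ "$mode" = egress ]; then
        cat <<'EOF'
        oif "lo" accept
        ct state established,related accept
        # allowlist of what this host may initiate (assumed set: DNS, NTP, web);
        # everything else falls through to the log rule and the drop policy
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        tcp dport { 80, 443 } accept
        log prefix "host-out-drop " counter
EOF
    fi
    cat <<'EOF'
    }
}
EOF
}

# Stand-alone run: print the permissive-outbound ruleset for review.
gen_host_policy inbound-only
```

In egress mode the final `log ... counter` line is what turns the firewall into the alerting tool the thread keeps asking for: a process that tries to phone home shows up in the kernel log with the destination port, which is the cheapest possible "you've been owned" signal before anything more elaborate is bought.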
Mod parent comment DOWN, not up! (Score:1, Flamebait)
Why did people moderate that comment up? Microsoft never claimed it made good software, so the quality of its software should be ignored?
George W. Bush [futurepower.org] never advertised himself as a moral person, so he shouldn't be impeached? The U.S. government never advertised itself as non-violent, so the fact that it has killed 650,000 Iraqis [jhsph.edu] should be ignored?
Re: (Score:3, Insightful)
What about Zone Alarm FREE? (Score:2)
Re: (Score:2, Informative)
ZoneAlarm works for us. (Score:2)
ZoneAlarm sometimes gives false positives, but that is a small problem compared to worrying about networks being infected.
Re: (Score:1)
IANADriverProgrammer, but as far as I can see, any Personal Firewall would surely install driver-hooks that would measure as part of the process that uses the networking API, not as part of the ZoneAlarm process. Last time I used ZoneAlarm it bogged down my computer considerably.
That said - and using some other wise man's aphorism:
If personal firewalls are the answer, you are most certainly asking the wr
"ZoneLabs programmers lack important knowledge..." (Score:2)
Quote: ZoneLabs "programmers lack important knowledge needed for writing security products for Windows NT operating systems."
This fits with our experience. ZoneLabs was sold to CheckPoint Software. After that, ZoneAlarm seemed to have many, many problems.
Hardly critical (Score:2, Insightful)
Stopping outgoing traffic is for the obsessively insane.
Re:Hardly critical (Score:4, Informative)
Re: (Score:2)
Re: (Score:3, Informative)
Keep up with the updates, use FireFox for web, use a webmail client or Thunderbird, don't download anything from an untrustworthy site, don't run executables from Usenet or P2P networks, stick yourself on a private network, isolated from the 'net. In short, be smart about where you go, how you get there, wha
Re: (Score:2)
Re: (Score:2)
While these programs are noted as "personal", most sys admins make sure their networks are crunchy on the outside and on the inside both, so firewalls at the borders and on the clients are useful. Messy egress traffic is often best stopped at the client level through access privileges set by these programs or within Windows. With limited bandwidth (it's always limited no matter your connection) you don't want people with peer-to-peer programs, itunes
Re:Hardly critical (Score:4, Insightful)
Not for people who:
- run Windows
- don't update their OS
- don't use a router/firewall
- use IE or Outlook Express
- run as admin
- install anything and everything from warez sites/P2P
- visit shady pr0n sites
- open random email attachments
- don't understand why every website they go to suddenly has popups and why the intarweb is so slow
aka your average computer user.
Once infected.... (Score:2)
Software firewalls are to keep you from being attacked in the first place, or possibly for privacy. They won't protect you once you're infected.
Re: (Score:2)
Re: (Score:2)
An outbound firewall is going to stop popups, spyware and trojans.
Exactly how. I really would love to hear your explanation.
Re: (Score:2)
A while back, I used to run as admin, like most Windows users. I used ZoneAlarm and had it prompt me every time IE tried to connect. I used Firefox, but all the spyware apps that I came across popped up their ads in IE. So I basically knew if ZoneAlarm prompted me about IE, anytime, it was just about guaranteed to be adware.
I've also caught SaveNow, which was bundled with Bearshare. And a few others. I don't bother running it anymore, and spyw
Erh... no (Score:2)
Outgoing is, given the amount of problem programs that come piggybacked on other software today, at least as problematic. All it takes f
Re: (Score:2)
Re: (Score:2)
So MS would be the very last company I'd trust in the consumer area when it comes to security.
Re: (Score:2)
Depends. (Score:2)
Under your control (Score:4, Insightful)
I have used firewalls that let me control my outbound. I've found them to be a pain in the ass because I have lots of things that need to get out. And of course every time I update one of them I have to update my list. Try using a Firefox nightly and changing it at least once a week and you'll soon be tired of that. I protect my system by scanning things I download, running A/V, and occasionally verifying my system with an automated spybot check.
Re: (Score:3, Insightful)
Ever install any software you got off the Internet? Well, you trusted somebody then, didn't you? Unless you only install software you compile yourself after doing a thorough code inspection, you are vulnerable to some degree. It may be that your choice of things to install (e.g. web servers, scripting languages) are seldom if ever vehicles for mal-ware. Also, you may tend to get these from well known sources, especially if you
Re: (Score:1)
The good news is that nobody is doing anything like that in a way that large groups of people find harmful, or we would hear about it.
Re: (Score:1)
Re: (Score:2)
I had DSL service from PacBell. The software that they gave me to create PPPoE connections had a cute little feature that they neglected to tell me about. It created outbound connections to some site that was monitoring every web page that I went to. Very nice. Would I have caught such improper behavior from "legit" software if I had not had an
CoreForce (Score:2)
Not what I care about (Score:4, Insightful)
Leak tests imitate common methods used by trojans or spyware to send your information from your computer.
This is the least important piece of security I care about on my PC.
If there is a trojan already running on my PC, then I have already lost the war. It is irrelevant if it can communicate directly with an outside server or not. It could send data in a PLETHORA of undetectable ways aside from this (could send stealth emails from my default email program, could post data stealthily in a hidden frame it sets as my browser start page, etc etc).
The goal is to not get the spyware and virii on your PC in the first place. Once it's there, you're already screwed.
Re: (Score:3, Insightful)
The whole idea of a trojan is that the user doesn't know that it's running. Having something that might alert you to it can be quite helpful. And yes, SOME trojans install enough of a rootkit that they will be undetectable, but much malware just creates a "Happy bunnies.exe" process that sends your information out. I'd like to have some opportun
Re: (Score:2)
It's not the only feature on which a firewall should be judged, but it is useful to know which ones do it properly.
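The "opportunity to notice" that the reply two posts up asks for, without a personal firewall at all, comes down to one question: which processes currently hold outbound connections, and are they the ones I expect? The script below is an added example, not code from the thread or from any reviewed product. It reads `ss -tnp`-style lines (Linux; `netstat -b` gives the Windows equivalent) and prints every established connection owned by a process not on an allowlist. The sample output and the allowlist are constructed for the demo; the process name `happy_bunnies` is the thread's own joke, not a real malware name.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal egress review step.
# Reads `ss -tnp` output on stdin and prints every ESTABLISHED connection
# whose owning process is not on the allowlist passed as $1.

# Constructed sample of what `ss -Htnp` prints (no header); not a real capture.
SAMPLE_SS='ESTAB 0 0 192.168.1.10:51234 93.184.216.34:443 users:(("firefox",pid=2210,fd=87))
ESTAB 0 0 192.168.1.10:51240 198.51.100.7:6667 users:(("happy_bunnies",pid=4410,fd=5))
ESTAB 0 0 192.168.1.10:51301 203.0.113.9:443 users:(("thunderbird",pid=2301,fd=44))'

# Constructed allowlist: one process name per line.
SAMPLE_ALLOW='firefox
thunderbird'

# flag_unknown_egress ALLOWLIST_TEXT   (ss lines on stdin)
# Prints "<process> <pid> <peer>" for each connection from a non-allowed process.
# Connections ss cannot attribute to a process (no users:(...) field, which
# happens when run without privileges) are reported as UNKNOWN-OWNER rather
# than silently skipped: an unattributable socket is exactly what to look at.
flag_unknown_egress() {
    allow="$1"
    while IFS= read -r line; do
        case "$line" in ESTAB*) ;; *) continue ;; esac
        peer=$(printf '%s\n' "$line" | awk '{print $5}')
        proc=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\),.*/\1 \2/p')
        if [ -z "$proc" ]; then
            printf 'UNKNOWN-OWNER ? %s\n' "$peer"
            continue
        fi
        name=${proc%% *}
        if ! printf '%s\n' "$allow" | grep -qx -- "$name"; then
            printf '%s %s\n' "$proc" "$peer"
        fi
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | flag_unknown_egress "$SAMPLE_ALLOW"
```

Live use on a Linux host is `ss -Htnp | flag_unknown_egress "$(cat allow.txt)"` run as root (unprivileged users do not see other users' process names). It does not stop anything, and like every host-based check it runs on the same machine the malware does, so it is a cheap first look rather than a defence; but it is exactly the per-process visibility the "Happy bunnies.exe" argument above wants, and the IRC-port connection from an unfamiliar process is the kind of thing it surfaces.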
Re: (Score:2)
Typical Security Guys (Score:5, Insightful)
One thing that struck me about Windows Firewalls as compared to Unix firewalls is that Unix firewalls are focused on keeping malicious traffic out of your machine. Windows firewalls are designed to keep malicious traffic from getting out to the internet. In the end, it's no surprise that the results are a mixed bag, once your system is compromised you really can't expect these firewalls to save you. It's a lot like the antivirus market, where you have a constant arms race between the virus writers (do people write honest to goodness viruses anymore?) and the antivirus companies.
My final complaint is that programs like ZoneAlarm Pro are exceedingly resource hungry for what they do. ZoneAlarm takes over a minute to start on my fairly modern laptop, whereas everything else in the system takes about 30 seconds or so total. Why does a firewall need 24 MB of resident memory?
Re: (Score:1)
Re: (Score:1)
It also gives each process a rating based on how Microsoft rate the program - Permitted, Unknown etc, etc.
Re: (Score:1)
Re: (Score:2, Informative)
Re: (Score:1)
Re: (Score:3, Informative)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
So, your laptop doesn't have wifi? How do you unplug a network that has no plug?
Not quite so easy, eh?
Router (Score:3, Interesting)
Re:Router - How would THAT help? (Score:2)
Ok, let's put a non-NAT router in there. If THAT isn't transparent by default, it would definitely be returned as defective.
So how DOES a router compare at all?
Now, if you obtained your router from your broadband supplier, port 25 outbound may be blocked (I've never seen this, but it IS possible). That may be acceptable. But try block
Re: (Score:2)
Forget trojans here's the real threat to society (Score:1)
Nothing but the best (Score:1)
The Basic flaw in this testing method... (Score:1)
Le
Matousec's business model (Score:2)
On the surface, it looks like blackmail. "Nice firewall you got here, sure would hate to expose a hole in it..." But when you consider how much work is involved, it's more like being forced to hire these people for their results. Kind
detecting "test" programs (Score:1)
--
http://www.moosoft.com/ [moosoft.com]
Virus from the ZIP (Score:1, Interesting)