GhostWall

Anyone have knowledge of this freeware and very small footprint firewall? I just noticed it listed on one of the new software web pages I check from time to time.

Larry


Here's the url:

formatting link
I just took a quick look at it out of curiosity. Odd that no Help is available yet since at version 1.0.0 it's not Alpha or Beta.

As always, before you try it, make sure to back up the registry. I had a Blue screen shortly after trying it on Win 2K.

Art


I'm trying it on XP, ver 1.150, and it's working really smooth....it sure doesn't use much in the way of resources....seems decent to me for a 'personal firewall'

rm

Ricardo Morte

As far as I know or remember, this one does not have any outbound app control, but rather, is just a vanilla packet filter. If that's what you want, you will be infinitely better off using CHX, which is the (IMO) best of the packet filters, and free to boot. Try it and you will see. There are sample rule sets on the site as well as online documentation, which you should read thru before installing.

formatting link

Kerodo

There are outbound settings, but I haven't had a chance to play around with them. Thanks for the suggestion.

rm

Ricardo Morte

This is true, but any "outbound app control" can be ignored in a very easy way; you can read POC code here:

formatting link
A precompiled binary to test with your "Personal Firewall" you'll find here:

formatting link
To test it, start Internet Explorer first.

So "outbound app control" does not work at all; only applications which allow themselves to be controlled can be controlled. This is not what I would call security.

Yours, VB.

Volker Birk

Volker, I personally don't put much stock in app control and prefer to rely on my common sense rather than the software, using just a router and a good AV here.

But, here is what I think. I think that your exploit above is perhaps used by say 5% of malware at best. So that still leaves 95% of malware that doesn't use it and uses some other type of technique, which CAN be caught by the average firewall using "outbound app control". If that is indeed the case, then wouldn't you say that it is still worth it for the average user to use a "personal firewall", knowing that it will protect him/her from 95% of the nonsense that tries to dial out to the net?

Just because malware CAN use your technique, doesn't mean that it WILL use it. No? :-)

Kerodo

Besides the fact that this is _not_ an exploit (I'm using Windows messages as intended and documented), it does not matter how many malware programs are using this technique.

It even does not matter, that this only is one single way to do this out of many ways. Zonelabs already have documented another way.

"Security" does not mean to _hope_ that everything will work. Security means, that you can be sure, that everything will work.

So "outbound control" is not secure at all.

Yes. They could use one of the many other ways, too.

Counter-question: what do you think, have the malware authors already realized, that many people are using "Personal Firewalls"? How likely will it be in the near future that most of them will react?

Yours, VB.

Volker Birk

Well, I seriously doubt that most people (average users) will be able to be "sure" that everything will work and be secure. The average user is clueless. He/she has no idea how to harden a system or close ports and so on. So for the average user, it is still wiser to use some form of "personal firewall" in order to at least limit the chances of having problems with malware dialing out. The average user is likely to visit unsavory sites and download and install malware. So, all I am saying is, I believe that something is better than a black and white all or nothing approach where you use nothing for protection.

Kerodo

I think, this is a misunderstanding.

What I meant is, that if you can avoid a type of attack, avoid it. If you can't avoid it, then it depends on the type of attack, what will be sensible.

If you cannot avoid any serious attack of a specific type, then claiming that you can is just wrong. If people know that, they're lying.

Just telling people, that they have to hope that the malware author is so dumb, that he never heard of "Personal Firewalls" and their "application control" is not what I would call security.

Yes. Let's help to improve that a little bit!

If this would be true, that a "Personal Firewall" is limiting the chances of damage with malware already running on the PC of the user, then I would agree. For the reasons I showed, this unfortunately is not true at all.

Quite the opposite is true: even if the user does not work as Administrator, some "Personal Firewalls", like Sygate and Outpost for example, are helping running malware with privilege elevation because of their b0rken design.

Other "Personal Firewalls" like Zonealarm and Symantec Norton are working counter-productively with their "PIN protection" nonsense, which results in publicizing the secrets they should hide.

What I'm missing is one single "Personal Firewall" which is _better_, not even worse than a simple packet filter.

Yes. And this must be fought.

Again, hoping that all or at least most of the malware authors are completely dumb does not help at all.

Yours, VB.

Volker Birk
