Stateful Packet Inspection against Malware attacks!

On Wed, 11 Aug 2004 15:08:36 +0000 (UTC), beatnik spoketh

Why not? What possible reason can you have for not wanting to apply fixes to your computer?

That's what firewalls do. Even a cheap NAT router will block all incoming traffic except that which is responses to your outbound connections. Even the built-in firewall in XP does this, now even better with SP2 being officially released (at least here in the US).

A firewall does not do this type of inspection. That's what anti-virus software is for. Granted, some firewall appliances do look for viruses, but this is not usually a job for firewalls.

Bad idea.

There is no need to search for patches every day. Enable "Automatic updates" on your computer, and simply wait for the updates to come to you.

No, they intercept the virus before it's stored on your hard drive. Say you want to download a file to the c:/temp directory, and it contains a virus. As soon as your file is ready to be saved in this location, the anti-virus software will intercept it and remove the file from that location.

Yes, but very inefficient, as the data stream may be very long and slow, and your firewall software will have to piece together all the packets to make such a determination. That means it'll need a large amount of cache (either in memory or disk) to temporarily store this data while at the same time also handling other traffic in and out. And, if this is a software solution running on your desktop computer, then you already have the problem of the virus being stored on your computer (in the firewall's cache) before it's actually deleted.

Firewalls and anti-virus don't belong together.

Lars M. Hansen


Reply to
Lars M. Hansen
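An added illustration of the reassembly point Lars makes above (constructed example, not code from anyone in the thread): a matcher that looks at each TCP segment on its own misses a byte pattern that straddles a segment boundary, while matching on the reassembled stream finds it, at the cost of buffering the whole stream first. The signature database and the "download" bytes are made up.

```python
# Constructed example: why payload signature matching in a firewall needs
# TCP stream reassembly. The "signature" and "download" bytes are made up.

# Toy signature database: name -> byte pattern (not real malware signatures).
SIGNATURES = {
    "test-pattern": b"TESTSTRING-DO-NOT-RUN",
}


def build_segments(data, mss, start_seq=1000):
    """Split a byte string into (seq, payload) TCP-style segments of at most mss bytes."""
    return [(start_seq + i, data[i:i + mss]) for i in range(0, len(data), mss)]


def match_per_segment(segments):
    """Naive approach: look for each signature inside one segment payload at a time.
    A pattern longer than a segment, or split across two segments, is never seen."""
    return {name for _, payload in segments
            for name, pat in SIGNATURES.items() if pat in payload}


def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads.
    This is the buffering cost Lars describes: the whole stream is held until it
    can be scanned. A gap (missing segment) is reported rather than guessed over."""
    ordered = sorted(segments, key=lambda s: s[0])
    stream = b""
    expected = ordered[0][0] if ordered else 0
    for seq, payload in ordered:
        if seq != expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        stream += payload
        expected += len(payload)
    return stream


def match_stream(segments):
    """Scan the reassembled stream, so patterns crossing segment boundaries are found."""
    stream = reassemble(segments)
    return {name for name, pat in SIGNATURES.items() if pat in stream}


# Constructed "download" whose signature straddles segment boundaries at mss=16.
SAMPLE = b"HTTP-BODY-START-" + SIGNATURES["test-pattern"] + b"-END"

if __name__ == "__main__":
    segs = build_segments(SAMPLE, mss=16)
    print("per-segment:", match_per_segment(segs))      # set()
    print("reassembled:", match_stream(segs))           # {'test-pattern'}
    print("out of order:", match_stream(segs[::-1]))    # {'test-pattern'}
```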

Let's assume that I do not want to run critical security updates (patches) by Micro$oft.

a) I was wondering if just a firewall can save my ass without even using AV. Is there a WinXP firewall tool with stateful packet inspection that I can configure to accept inbound traffic only as a response to my previous outbound connection?

b) If there is one, then I would also like that firewall to inspect each incoming packet to my network interface, and if the data portion of the packet matches a virus/trojan/worm or any kind of malware packet then it will simply have to drop it.

That way even if I deliberately choose to open a virus infected link or a worm infected attachment my OS would still be in no danger at all even without running an AV or patches!

I think this is a logical demand and we don't have to search every day for patches to secure the holes in our OS; instead we will leave the firewall to update its database automatically.

Antivirus packages after all don't work as they should in my opinion! They wait for your machine to get infected with a virus which is stored in a hdd file and then, because they have a scannable object in their hands, only then can they delete the damn thing....

I believe Stateful Packet Inspection, by examining the contents of the IP packet's data portion against a malware (trojan/worm/virus) database that would update itself periodically, would be a far more secure approach. No?!?!

What do you guys think of it? Am I asking too much?

Reply to
beatnik

Let's see, if you want something that searches for bad things, but you don't want to update your list of bad things, but you want it to autodetect and remove the new bad things, without any updates... Get the point, it ain't going to happen on a single PC.

With a real firewall you can remove ActiveX, JavaScripts, JAVA Applets, cookies, removal of all downloads, etc... You can also filter email of all attachments... If you did all of this, you might stand a chance, but you would also find that your Internet experience would be very limited.

Try running IE in high security mode some time - disable everything in the custom config, make sure that you also disable the extras. Then only get your email via the web interface, not using OE or something else. If you can live with that method then you can secure your machine like you want, but I don't know of anything you can install on your PC that does it - most are appliances or $$$$$ firewall products (not the cheap kids ones).

Reply to
Leythos

Then I would assume that you're an idiot not worthy of consideration.

greg

Reply to
Greg Hennessy

On Wed, 11 Aug 2004 19:42:32 +0000 (UTC), beatnik spoketh

Depends on the method of download ... Some applications will store the file in a temporary location, and move it to its final location once the download is complete.

Even so, the anti-virus software should spot the file right away as it is saved as a whole, and quarantine it. If your AV software doesn't do that, then you simply don't have good AV software.

If you're always getting infected, you need to consider just what you are doing, and quit downloading crap from all over the place. I've worked with computers for over 10 years, and I've never had a computer infected with a virus. I've gotten them in e-mails just like everyone else, but they've all been weeded out before anything bad could happen even though I am using Microsoft Outlook...

And any files you've downloaded should be quarantined by your AV software as soon as the download is complete. Same thing, really. If your AV software doesn't do that, then you're using a bad product...

Lars M. Hansen


Reply to
Lars M. Hansen

Lars M. Hansen wrote in news: snipped-for-privacy@4ax.com:

What do you mean as soon as the file is ready to be saved on hdd? You are saying that it is saved to a cache (temporary disk space or memory) before it actually stores itself in the specific location we want on hdd? Will it intercept it from there before storing to hdd?

No. The file is saved on the hdd piece by piece until the whole file completes downloading. Then the AntiVirus software, which now has a scannable file object, checks the file and decides it's a virus after pattern matching the file's content against its virus database.

That's why I'm always getting infected and then the AV tells me: hey, dude, there's a virus on your desktop named "somename". You want me to delete it? I say yes and then, although it recognizes it, the AV still can't delete it.

How do you explain this?

So what? That cache will be the firewall's quarantine cache and the virus won't spread out until it actually gets deleted.....

Reply to
beatnik

Leythos wrote in news: snipped-for-privacy@news-server.columbus.rr.com:

But they do exist! That's nice to hear. Well, someone said that SPI and signature pattern matching against malware can be done by using just the software firewall iptables.

Reply to
beatnik

Not even close. While IPTables is nice, to do all that you want it will take MUCH more than IPTables. My firewall, the one I paid $4500 for, to protect our offices, will do all of what you want. So will the slower version for $1700, but I don't know of ANYTHING you can install on your computer that will do all of that.

Reply to
Leythos

Or a warez version.....

Reply to
optikl

Sure it can. Who told you it couldn't?

Reply to
Micheal Robert Zium

Leythos wrote in news: snipped-for-privacy@news-server.columbus.rr.com:

So you are saying that only a hardware solution can do the job? But why not a software one? (Well, OK, it would take a lot of hdd cache and memory and CPU cycles which would make the system slower, but why not possible?)

Reply to
beatnik

Lars M. Hansen wrote in news: snipped-for-privacy@4ax.com:

Kaspersky is not a bad AV pick. But as I said, the virus stores itself on the hdd and then it recognizes it as a virus, but worst of all it can't delete it although it finds it.

Not only Kaspersky but other viruses as well! I don't know what to do. I just want to open a virus infected attachment and not get infected....

Reply to
beatnik

If you read the entire list of what was asked I don't see where IPTables can handle all of it.

Reply to
Leythos

No, I was trying to meet the requirements posted by the OP. I don't know of anything, or combination of things that could be installed on the OP's personal computer that could do EVERYTHING he asked for, without updates, that would protect him as requested. I do know of appliance solutions that can handle it out of the box. Yes, I do know that it could also be done by installing a linux box and several packages, but, I think it would be beyond the OP to handle that.

Reply to
Leythos
