A CiscoPIX 501 and a Dream...

You can't stop them externally. You can't stop them on the host. The only solution is to not install those malware. The hardware to enforce this policy is called 'Brain 1.0' and can't be ordered seperatly.

That's always a good idea. But this do not stop malware from harming your system.

deny ip any any

access-list deny_outbound line 1 perm tcp any host proxy eq 3128

So your spyware is allowed to transfer data to outside and your malware can update themself. Futhermore your worms can infect other systems out there.

The "line x" option does help.

Yes.

Clean your system and do not click on every icon which does not disappear instantanously from the desktop.

No, it's the only solution.

Which universe do you come from? Is there a way to get into?

It would be enough to read the documentation. But maybe you can't reach

Short answer is you can't stop it with a Pix. Even if you were to block everything except for a few ports such as dns, pop, www, daily used stuff etc the viruses/keyloggers would simply use those ports you have open. While a lot of viruses these days have a "signature" they use random ports and will scan until they find something open. To stop them you would need some type of inline anti-virus/malware scanner, symantec etc.

Hiya Lutz!

What a fine example of your kind you are. The kind who supposedly know more about something than someone and enjoy trying to bust balls! What kind of name is "Lutz" anyway, lol. "Lutz" - LOL, it sounds like slang for an ass affliction. Oh, and thanks for the cisco.com tip, I wouldn't have thought of that. What a great resource for a newbie like myself with nothing but time on my hands! I'll just drop everything and immerse myself so I can be an expert overnight! Wait, it's more complicated than I thought, maybe I'll try posting some questions to a newsgroup? Wait, "Lutz" is there and he's an asshole. You are the type that believes it's an instructors right to try and humiliate the student as he instructs. Much can be gleaned from your stupid reply - about you, where you are from, your social status, your love life, lol. Oh well, I guess I'll just weed out the dime a dozen internet "Lutz's" and learn from the rest, lol.

Well I'm at a loss then.. I bought the Cisco to improve my security, I see that it is highly configurable yet I can not seem to figure out a SINGLE thing I can do beyond the default configuration to improve my security. I do have Ad Aware, Ad Watch, Spy Sweeper and Zone Alarm. And !avast antivirus. There does not seem to be a simplistic "how to" around for absolute Cisco beginners like myself. The idiot above, Luzt, suggests cisco.com as if I have not been ther 50 times or done 50 "Cisco PIX 501 beginner etc" searches. Well thanks for your answer Brian V, I won't spend any more time on that concept, lol. Thanks again.

Peace

Thank you. Beside you deleted all the useful tips, here a FAQ on this subject. It even mentions "Zone Alarm".

Configure your PIX to block all outgoing traffic except that going to sites and ports that you are willing to trust. It is a trade-off between convenience and security: every time you decide you want to see a new site, you would have to add it to the permitted list.

Consider that by the time that a packet makes it on to the network, there is no way for an outside device to know whether the packet was originated by a "good" program or a "bad" program: the best the outside device can do is to check to see whether you've decided to trust the destination (even if only by default, if you haven't blocked it.)

Unfortunately, although software that runs right on your machine might have a chance of determining whether the source was a "good" program or a "bad" program, that software is subject to being subverted by the "bad" programs, whether that's by the "bad" program altering the data files for the checking program, or by the "bad" program altering the checking program itself, or by the "bad" program altering the operating system (or by more subtle means like the program altering the alternate data stream for a file.) In particular, "Windows Firewall" is not to be trusted by itself: there are too many programs around that know how to tell Windows Firewall that they are trusted programs... or to just bypass the entire firewall layer.

You mentioned a PIX 501, which implies PIX 6.x operating system. The PIX 515, 515E, 525, and 535, and the Cisco ASA 55x0 series, can run 7.x software, which is able to monitor data flows to see whether the kind of data being sent through matches the kind of data to be expected for that port. This would catch programs that used port 80 (because it is often open) but did not talk http over the port. Unfortunately, there are lots of ways to embed pretty much any information transfer you want into http and the inspection agents would not be able to tell whether it is "good" data or "bad" data.

Computing theory tells us that there is no *reliable* way to be able to exchange general purpose information such that the exchange cannot be used to covertly communicate unwanted data (e.g., your passwords).

Even humans have trouble determining whether any given program is a "good" program or a "bad" program -- and the same data, transfered to the same place, might be used for beneficial or harmful purposes. Furthermore, what one person sincerely considers beneficial can be what a different person sincerely considers harmful.

Thanks Walter, I have learned more from you than anyone by far and I truly appreciate your answers.