Since Norton Security Suite has such good reviews this year, I'm thinking of buying it. However, I'm wondering if there is a better firewall available. Any and all suggestions are welcome. Also, comments on the Norton Suite.
There are several free firewall options that are consistently rated in the top group. There's no reason for you to pay for Norton if you can get something else (rated higher, no less) for free.
I've recently switched to Kaspersky because I got it for free (after rebates) from Fry's. It has done very well. Previously, I was using Comodo, which also did very well.
I don't know how the current Norton suite is, but they have a bad reputation in recent years, mainly having to do with the effort it takes to get rid of it. Whatever you choose to do, make sure you backup your system before installing the security product to make sure you can easily roll things back if you don't like it.
What do you think of these firewalls in their ability to control programs' access to the Internet? Can they do a fine-grain control of which programs (including OS programs) can contact which remote addresses?
Comodo seems to do this well. Does Kaspersky also do this job well? Are there others that are particularly good at this? Thanks for your thoughts.
BTW, is there any difference between Comodo PRO and FREE, other than the added help and handholding services? Thanks again.
I can't really answer that question. I only use it to allow or block internet access for each program and process. I don't limit it to specific addresses. I don't know exactly what you're trying to do. But if you just want specific IP addresses allowed to those on your network, then it would probably be better accomplished through your router settings.
I chose Comodo. It does what ZoneAlarm used to do but does it even better. Other firewalls did the general job well enough but didn't have the fine-grain control desired.
To G and Volker Birk: There's good reason to control apps. Example: My newsreader is permitted to access my ISP's DNS server and my news service's servers. That's all. No longer do I find it trying to access various applications' servers to report who-knows-what to their publishers, because those apps (even though blocked from access) have used other apps (such as my newsreader) to access the Internet.
In an experiment with the current ZoneAlarm Pro (yes, purchased), it still tries to access the Internet and reach ZA servers even when all of the access-related options are turned off. Also, ZA refuses to allow its firewall or program-control settings to prevent Internet access by its own programs or components. Further, when effectively blocked by a hardware (router) firewall from reaching its home servers' IP addresses, ZA enlists various other apps including operating system components to silently try to reach its home servers. And they call this a security program???
Comodo may or may not be the only firewall that's really good at this aspect. If you know of others, do tell.
Yes, people who have actually monitored what their software is doing come away very disturbed about this. On the other hand, those who buy security software and look no further, assuming that their security software is protecting them, can be blissfully (if ignorantly) happy.
The single worst offender is the MS Windows operating system. Again and again, Windows components that perform a local task and have no reason whatsoever to access the Internet are busy doing just that. Further, if blocked, they try multiple IP targets and try to hijack other apps on your computer and connect through them. They keep trying repeatedly, filling up your log with thousands of rapid-fire attempts and slowing down your system while doing so. Ugh!
BTDT. After configuring the chatty programs appropriately, only update routines are connecting outbound. I fail to see why one would be disturbed about that.
"ignorant" being the operative word. Particularly about personal firewalls creating additional security holes.
Name one that can't be configured to not do that.
Besides, if the manufacturer of your operating system decided to have the operating system phone home, no software running on top of said operating system could actually prevent it from doing so. You do realize that, don't you?
It may not disturb you (and probably many others), and that's fine. But it does bother me (and at least a few others) when software establishes communications with remote servers without my knowledge or consent.
People can have various good reasons for not wanting such communications. Some have sensitive financial, technical, or personal information that might be compromised. Some may not want inventories of the software on their drives reported because they haven't paid for it all. Some may have signed nondisclosure contracts which cannot be fulfilled if outflow of information from their computers is no longer within their control.
And some (including me) find it in principle objectionable. How would you react if you hired someone to do some work in your home only to find them rummaging through your file cabinet and faxing copies of your information to confederates unknown to you?
Sure. See below. Also, if you do block their external access, they go nuts trying to get around the block, and some desired tasks may not work. And it's hard to spot such activity if they go through svchost.exe or other apps.
Sure. Here are three (all in WinXP-SP2 and SP3):
userinit.exe wininit.exe winlogon.exe
These are multipurpose apps, but they sometimes can be found initiating external communications when none should occur.
That's why we have hardware routers with built-in firewalls. By blocking the target IP addresses of the persistent offenders within the router's firewall, you can indeed stop it.
A suggested strategy is to permit the legitimate communications for your tasks (including your own ISP's DNS server IP addresses rather than permitting all traffic on port 53) and blocking other target IPs in the router's firewall.
Disable the update routines as well. Problem solved. Still nothing to be disturbed about.
Ummm... what makes you believe that some program's update routine would transmit any other information than its own software version (and perhaps the operating system's version)?
You find keeping your software up-to-date objectionable in principle? Then why are you wasting any thought at all on computer security?
I would most certainly *not* lock him into my office and try to somehow prevent him from communicating. Instead I would do what I do with any software behaving that way: remove the culprit from my premises.
- What kind of connections did those processes supposedly try to establish for no good reason?
- What's the path of those executables?
- Did you verify that they're in fact the system files supplied by Microsoft and not some malware disguising itself as a system file?
Besides, userinit.exe for one has (among other things) the purpose to establish network connections, so it actually does have business accessing the network.
True. What does that have to do with personal firewalls?
Yes, these OS components are the right ones and in the right paths.
Of course the update options in Windows and in apps were turned off. And still they try to reach their publisher's servers. Sometimes, disabling a Windows service can stop it, but sometimes the services cannot be stopped or they cannot be stopped without losing needed functions.
Various apps collect and report lots of data about your hardware and software, often extensive, often of little apparent relevance. Look at the dumps that are sent or attempted to be sent.
Sure, userinit has legitimate functions, but my point that it initiates external communications with MS servers when none should occur stands. Look at the firewall logs, which will show lots of such entries if you either track all Internet access or block access to MS servers.
"What does that have to do with personal firewalls?" The router (hardware) firewalls are needed because, as you said, firewalls that sit on top of the OS cannot fully control OS communications. So an effective firewall system for outbound data requires both.
My exploration of this topic was prompted not by any great secrets but by curiosity about unknown access entries appearing in firewall logs. I find the results of that exploration disturbing. You don't. I did something about it (selectively blocking external access using firewalls). Everyone here will individually decide how much of this fits their needs and preferences.
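Editor's note: the log-reading habit described in this thread (the "thousands of rapid-fire attempts" filling the log, the "permit your ISP's DNS server addresses rather than all of port 53" strategy, and "look at the firewall logs" above) can be turned into a small triage script. The following is an added example, not code from any poster or product; the log line format and every IP address in it are constructed for the demo (RFC 5737 documentation ranges), and 203.0.113.53 plays the role of "your ISP's DNS server".

```python
"""Triage of outbound personal-firewall log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample log. The format "date time ACTION process ip:port" is hypothetical,
# not the format of any real firewall product.
SAMPLE_LOG = """\
2008-03-01 09:00:00 ALLOW newsreader.exe 203.0.113.53:53
2008-03-01 09:00:01 ALLOW newsreader.exe 198.51.100.10:119
2008-03-01 09:00:05 BLOCK winlogon.exe 192.0.2.20:80
2008-03-01 09:00:05 BLOCK winlogon.exe 192.0.2.20:80
2008-03-01 09:00:06 BLOCK winlogon.exe 192.0.2.20:80
2008-03-01 09:00:06 BLOCK winlogon.exe 192.0.2.20:80
2008-03-01 09:00:07 BLOCK winlogon.exe 192.0.2.20:80
2008-03-01 09:00:07 BLOCK winlogon.exe 192.0.2.20:80
2008-03-01 09:00:08 BLOCK winlogon.exe 192.0.2.21:443
2008-03-01 09:01:00 ALLOW svchost.exe 192.0.2.99:53
2008-03-01 09:01:01 ALLOW svchost.exe 203.0.113.53:53
2008-03-01 09:02:00 BLOCK updater.exe 198.51.100.77:443
2008-03-01 09:30:00 BLOCK updater.exe 198.51.100.77:443
"""

ISP_RESOLVERS = {"203.0.113.53"}  # constructed: the only DNS server traffic should go to


class Record(NamedTuple):
    when: datetime
    action: str       # "ALLOW" or "BLOCK"
    process: str
    dest_ip: str
    dest_port: int

    @property
    def dest(self) -> str:
        return f"{self.dest_ip}:{self.dest_port}"


def parse_log(text: str) -> List[Record]:
    """Parse the constructed line format; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, time, action, process, target = line.split()
        ip, port = target.rsplit(":", 1)
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append(Record(when, action.upper(), process, ip, int(port)))
    return records


def rapid_fire(records: List[Record], min_attempts: int = 5,
               window: timedelta = timedelta(seconds=10)) -> List[Tuple[str, str, int]]:
    """Blocked flows that retry at least min_attempts times inside any sliding window.

    Returns (process, destination, peak attempts in one window), sorted by flow."""
    by_flow: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        if r.action == "BLOCK":
            by_flow[(r.process, r.dest)].append(r.when)
    flagged = []
    for (process, dest), times in sorted(by_flow.items()):
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_attempts:
            flagged.append((process, dest, peak))
    return flagged


def dns_to_unexpected_resolver(records: List[Record],
                               allowed: Set[str]) -> Set[Tuple[str, str]]:
    """Port-53 traffic to anything other than the resolvers you chose to permit."""
    return {(r.process, r.dest_ip) for r in records
            if r.dest_port == 53 and r.dest_ip not in allowed}


def destinations_by_process(records: List[Record]) -> Dict[str, List[str]]:
    """Inventory of which process talked (or tried to talk) to which destinations."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        seen[r.process].add(r.dest)
    return {proc: sorted(dests) for proc, dests in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rapid-fire blocked flows:", rapid_fire(recs))
    print("DNS to unexpected resolvers:", dns_to_unexpected_resolver(recs, ISP_RESOLVERS))
    for proc, dests in sorted(destinations_by_process(recs).items()):
        print(f"{proc}: {', '.join(dests)}")
```

On the constructed sample the script flags the winlogon.exe retry storm (six blocked attempts to one destination within two seconds), the svchost.exe lookup that went to a resolver other than the ISP's, and leaves the two updater.exe attempts half an hour apart alone. The thresholds are arguments, so a user can tune "rapid-fire" to what their own log volume looks like.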
Information is transferred by encoding¹. Encoding means that someone is transmitting data which is seen as a message by sender and receiver and which contains that information as the meaning of the message.
If there is connectivity between sender and receiver, they can transmit any information they want, if they have a common code. Connectivity means that they have the possibility to send at least as many different messages as they need to describe the words of the formal language they want to transmit, which is used to describe the information they want to transmit.
For example, if someone wants to transmit your Bank account PIN, and this PIN has four digits, which can be from 0 to 9, then they need to be able to transmit at least 10'000 different words.
For that case, it does not matter at all, *which* words they're able to transmit, and it does not matter at all, *how* they're transmitting.
For example, the first digit 1 can be transmitted by not transmitting anything at 12:00 o'clock, while transmitting the second digit as 2 can be done by requesting the software update on an odd hour of the day.
The code is at will. It just has to be known by sender and receiver.
So if a "Personal Firewall" enables connectivity in *any* way, it is possible to transmit *any* information. Because "Personal Firewalls" are filtering, they're preventing many codes from working.
Others do work. So an attacker just will switch codes.
The worst design flaw in a "Personal Firewall" I saw yet, was in Norton InSecurity: They were filtering your bank PIN out of any transmitted data.
This way they're publicizing your bank PIN to anybody who wants to have it, and whose web server you're browsing; one just has to have the de Bruijn sequence for four digits² in a hidden field of an HTML form, and the digit combination which is filtered out is your bank PIN - filtering is used as code to transmit this data here.
The only way to stop transmitting arbitrary information is to prevent connectivity. Just cut your cable with a knife ;-) And don't use WLAN...
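Editor's note: the de Bruijn argument in the post above is worth seeing in working code, because it shows exactly why "strip the secret out of outbound data" is a design flaw and not a protection: the filter's own behaviour becomes the code that carries the secret. The following is an added example, not code from the poster or from any Norton product; the filter is a simulation of the flaw as the post describes it (a four-digit PIN, a probe string holding every PIN once), and the two-round recovery on the receiving side is the editor's own construction.

```python
"""Why a filter that strips a secret from outbound data is an oracle (added example)."""
from typing import Callable, Dict, List

DIGITS, PIN_LEN = 10, 4  # four-digit PIN over the digits 0-9, as in the post


def de_bruijn(k: int, n: int) -> str:
    """Cyclic de Bruijn sequence B(k, n): every length-n string over k symbols appears once."""
    a = [0] * (k * n)
    out: List[int] = []

    def db(t: int, p: int) -> None:  # standard Lyndon-word construction
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return "".join(map(str, out))


def probe_text() -> str:
    """Linearised sequence: 10003 characters containing each of the 10000 PINs exactly once."""
    cyc = de_bruijn(DIGITS, PIN_LEN)
    return cyc + cyc[:PIN_LEN - 1]


def covers_all_pins() -> bool:
    """Check the probe really holds all 10000 four-digit windows, each once."""
    s = probe_text()
    windows = [s[i:i + PIN_LEN] for i in range(len(s) - PIN_LEN + 1)]
    return len(windows) == DIGITS ** PIN_LEN and len(set(windows)) == len(windows)


def strip_secret(data: str, secret: str) -> str:
    """Simulated 'protective' filter: remove the secret wherever it appears in outbound data."""
    return data.replace(secret, "")


def candidate_pins(sent: str, received: str) -> List[str]:
    """Receiver side, round 1: which four-digit window was removed from the known probe?"""
    if len(received) != len(sent) - PIN_LEN:
        return []  # nothing (or something other than one PIN) was filtered
    p = 0
    while p < len(received) and sent[p] == received[p]:
        p += 1
    # The deletion started at some i <= p. Because every window of the probe is unique,
    # sent[k] == sent[k+4] holds for at most 3 consecutive k, so i >= p - 3; the list
    # below therefore has between 1 and 4 overlapping candidates.
    return [sent[i:i + PIN_LEN] for i in range(max(0, p - PIN_LEN), p + 1)
            if sent[i + PIN_LEN:] == received[i:]]


def disambiguate(cands: List[str], outbound: Callable[[str], str]) -> str:
    """Round 2: send each candidate in its own field; the field that comes back empty is it."""
    fields: Dict[str, str] = {c: outbound(c) for c in cands}
    hits = [c for c, value in fields.items() if value == ""]
    return hits[0] if len(hits) == 1 else ""


def recover_pin(true_pin: str) -> str:
    """Whole simulated exchange against a filter that knows true_pin; returns what the receiver learns."""
    outbound = lambda data: strip_secret(data, true_pin)  # the 'protective' filter in the path
    sent = probe_text()
    cands = candidate_pins(sent, outbound(sent))
    return cands[0] if len(cands) == 1 else disambiguate(cands, outbound)


if __name__ == "__main__":
    print("probe length:", len(probe_text()), "covers all PINs:", covers_all_pins())
    for pin in ("0001", "4711", "9999"):
        print(pin, "->", recover_pin(pin))
```

The point for defenders is the contrapositive of the last sentence in the post: a filter that is allowed to look for the secret in outbound data cannot keep it from a party that can observe what came out, because presence or absence of a substring is itself a message. The only filter that does not leak the PIN is one that never matches against it.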