Kaspersky anti-virus undermines firewall

I have KAV installed, with everything enabled including scanning of http traffic ("web anti-virus" as it terms it). The way it does this is to act as a proxy process, and thus the firewall (which I'm using to control outgoing connections) can't distinguish what app is making the request. And since I allow KAV free access to fetch its updates I'm essentially allowing any application outbound http.

I think my choices are:

1 - do nothing. On the basis that if the local application is a bad'un KAV will have caught it anyway!

2 - install Kaspersky's firewall product. I believe it's quite solid, but when I played with it I thought its UI was awful (inability to specify ORs in rule tuples (e.g. tuple={protocol, destination, (application1 or application2), ...}), combined with an inability to copy rules; I could see me spending forever configuring it). Actually bad UI seems to be quite a common feature amongst the firewall & av products I've played with (including KAV).

3 - disable KAV http scanning. I don't really have a clear view on what this is actually meant to be doing and why it has to happen here rather than by controlling the app that's receiving the http stream. I suppose a browser could receive a dodgy applet that takes advantage of an unpatched bug to retrieve user data or some such?

I think that ramble pretty clearly spells out why I'd like some expert opinion :)

[Ranting lunatics trying to pick fights need not apply].
graham
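A quick way to see the loss of per-application attribution graham describes, as an added example that is not part of the thread: it parses constructed `netstat -anob`-style output (the Windows form that lists the owning process under each connection) and reports whether every outbound web connection belongs to one process. The process names, addresses and the proxy port are made up; the anti-virus proxy is labelled `av-proxy.exe` as a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -anob` on Windows; not a
# capture from a real machine. "av-proxy.exe" stands in for the web
# anti-virus proxy, and 127.0.0.1:1110 for whatever port it listens on.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49152     203.0.113.10:80        ESTABLISHED     1204
 [av-proxy.exe]
  TCP    192.168.1.20:49153     203.0.113.11:443       ESTABLISHED     1204
 [av-proxy.exe]
  TCP    192.168.1.20:49154     198.51.100.5:80        ESTABLISHED     1204
 [av-proxy.exe]
  TCP    192.168.1.20:49160     198.51.100.25:25       ESTABLISHED     3320
 [mailclient.exe]
  TCP    127.0.0.1:49170        127.0.0.1:1110         ESTABLISHED     2210
 [browser.exe]
"""

WEB_PORTS = {80, 443}
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """Return (process, pid, remote_host, remote_port) for each TCP row
    that is followed by its `[owner.exe]` line; other lines are skipped."""
    rows, pending = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _local, remote, _state, pid = m.groups()
            host, _, port = remote.rpartition(":")
            pending = (host, int(port), int(pid))
            continue
        m = OWNER.match(line)
        if m and pending:
            host, port, pid = pending
            rows.append((m.group(1), pid, host, port))
            pending = None
    return rows

def web_owners(rows):
    """Map process name -> remote hosts it talks to on web ports (non-loopback)."""
    owners = defaultdict(set)
    for proc, _pid, host, port in rows:
        if port in WEB_PORTS and not host.startswith("127."):
            owners[proc].add(host)
    return dict(owners)

def attribution_lost(owners):
    """Heuristic: one process owns several distinct web destinations, so a
    per-application firewall rule can only ever name that process."""
    return len(owners) == 1 and sum(len(v) for v in owners.values()) > 1

def loopback_clients(rows):
    """The real originators: processes connected to a local port."""
    return {proc for proc, _pid, host, _port in rows if host.startswith("127.")}
```

On a live machine the loopback side is the only place the originating application is still visible, which is why a rule keyed on the proxy process grants outbound web access to everything behind it.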

Tony

That's bad.

Eh... so what?

Eh... where're the news?

Well, that's the only option.

Yeah, you wish...

No, this is nonsense.

Well, you should do so. But not for your flawed reasoning.

Sebastian Gottschalk

Why?

Eh.. so the "personal firewall" can't effectively be used to control outbound connections.

Whether it's news or not, it's something I wish to control.

It's the only option labeled "1".

Exactly.

Which bit exactly? And why?

Your responses suggest you have superior knowledge, which is encouraging as that's obviously what I was looking for by posting here. Unfortunately that's as far as they go. If you actually have constructive comments I'd very much like to hear them.

graham

It wastes resources, creates various problems, slows down the connection and is absolutely useless?

It can't anyway. Thus, it's no loss at all.

Reality doesn't care for your wishes. Such a control simply doesn't work, and you'd be better off not wasting resources on trying.

And I don't care. If the application is malicious, then there's nothing you can do.

So what? Wishes are exactly not what security is. And virus scanners can't protect against malicious applications; they can serve as an intrusion detection system at best. In most cases, you really have to assume that the malicious application doesn't get detected, because no signature is available and the creator for sure checked it against existing signatures.

First, matching for applications is superfluous nonsense. Second, it's no firewall. Third, it's not solid, but known to be very error-prone. And for the obvious, there are various well-working host-based packet filters for Windows, for example Wipfw, which, by using IPFW rule definitions preprocessed by your favorite command shell (yes, cmd.exe also does a good job), makes the power of the ruleset virtually unlimited. So you really shouldn't wonder why someone is laughing about these useless click-and-point UIs ...

Well, how should someone create something constructive with such an obviously flawed concept and even more flawed software? Your problem is none, since it's not the software which has defects, but you want it to do something impossible.

Heck, you even believe that the creators of exploits wouldn't obfuscate them to make them undetectable. Or that an application could be controlled. Or that a web browser with known security holes would be reasonably acceptable.

Sebastian Gottschalk

Why can't it? Are you saying that all personal firewall products are faking it? Or only detecting apps that "play nice" ?

As above - why doesn't it work? It certainly appears to - after all I set some rule in the personal firewall, and hey presto, when such and such an app tries to make an outbound connection the firewall detects it (and can potentially block it).

I guess there are degrees (some apps might not be considered malicious, more privacy infringing, and I'd still want to be able to prevent their constant dial-homes), but are you saying that if truly malicious then a firewall simply can't prevent itself from being subverted/bypassed/overcome in some way?

Yeah, that's what I meant (by the exclamation mark; not very obvious I guess): that one can't completely rely on the AV. So my reasoning is that in cases where the malicious app isn't detected by the AV, the firewall is a second level of protection.

(And in the case where it's not malicious as such, but possibly subjectively undesirable, like say a media player just playing the CD and not doing goodness knows what; or finding that a piece of software supposedly uninstalled has left a remnant behind which is phoning home in the background - McAfee did this and I wouldn't have known about it without a PFW.)

On the aside of intrusion detection - seems to me that ultimately this is what it comes down to - AVs, firewalls, etc all play a part in prevention, but since it's not guaranteed one has to have detection. Worst case is to "catch" something and not know - prevention is better; knowing early is good; not knowing at all is bad.

How so? Surely all security comes down to determining trust, at some level of granularity, in this case deciding which apps are to be trusted? E.g. if some app X tries to access the internet (or my ISP mail server or whatever) then the fact that I've configured only http access for Mozilla, and smtp for whatever, should assure its interception, shouldn't it?

For the second,

Very interesting - could you point me at details?

Agreed - such configuration is more flexible than the constraints often imposed by a UI. But as you say, ipfw doesn't take account of the source application - so the granularity of control is either all applications or none; if I want to allow, say, smtp from one particular application I have to allow it for all.

I don't see why what I'm trying to achieve is a flawed concept - I want to know, and be able to prevent, which application is making an outbound connection. How can the software both be flawed yet not have defects?

Of course they would try to do this - if they all waved little red flags we wouldn't need detection software at all! To what extent "undetectable" can be achieved I don't know. Undetectable to me sitting in front of the PC - very easy to achieve. Undetectable to the AV program - depends if one is unlucky enough to be one of the first to be hit with something and therefore no signature yet; or if the AV program can be subverted or brought down in some way; or if the AV is plain rubbish; etc. Undetectable to system intrusion detection? Depends - I guess hard to hide from something run off separate bootable read-only media, but this is hardly a practical early warning mechanism! Something like Osiris with the server elsewhere - dunno how effective this would be for a PC, as while it'll detect changes it's hard to determine which ones matter (and then there's the small matter of the registry...)

I'm under the impression that privileged processes can interpose themselves in appropriate places to control some of what an application might try to do - e.g. intercept and allow/prevent registry changes; intercept and allow/prevent network accesses, etc. Is this untrue? Because this seems to be the premise on which all the software we've been talking about (including ipfw) is based.

I don't think I said that. Anyway, I rather suspect that all web browsers have security holes; it's just a question of whether anyone has put the effort in to find them - a trust decision, and a problem for sure. Isn't this the standard tradeoff (i.e. if I don't run anything I'm really secure but can't do anything useful; if I run this thing then I can do more but I'm a bit less secure)? And the point of security software is to try and edge that balance to the more secure end of the spectrum?

graham

A mixture of both. The latter being the general reason.

After all, this is exactly why this stuff sells so well. Apparently it does work - and you won't recognize the cases where it fails. Well, such cases are so trivial to construct.

So what? They are malicious.

Yes, that's what I'm saying. Welcome to reality!

Very, very far away from the truth. Hey, virus scanners seem to have at least a little effect in reality, but "firewalls" fail so blatantly.

Then it's malicious. Or you're just too stupid to configure it correctly. After all, which media player does such a thing as you claim?

Then you're really a loser. Trying to achieve security through a host-based packet filter, but even too stupid for such simple commands as 'netstat'?

Quite the contrary. None of these can protect, they can at best detect.

Well, what about actually implementing prevention? You said you have some software spying on you? I wouldn't even have installed it in the first place. Software didn't uninstall properly? Dude, my software doesn't need either installation or deinstallation; uninstalling is just a matter of deleting the application folder and that's it. WTF are you doing to your system?

Definitely not. What stops malicious software from remote-controlling Mozilla to upload all your files to a certain software? Well, exactly nothing!

For the latter, just keep reading this NG or read some forums - the number of people who come up and say "dude, my personal firewall makes problems" is overwhelming. KIS has its part, too. The problem is usually solved by uninstalling it, whereas not even deactivating it worked - that's a typical eye-opener for those who think that such software is not a big piece of crap just because it sells so well.

And that's what it bogs down to anyway, since there's no chance that such an application control could even particularly work in any reliable way. And legitimate applications don't require such granularity, since they don't do such stuff by definition.

Then you have to cut out every interprocess communication. No more copy & paste, no drag & drop, no remote controlling, no OLE, no DDE, no local loopback NIC, and all application data have to be fully separated in filesystem and configuration data. And your system becomes unusable. Not to mention this would be impossible on Windows and pretty hard on Unix.

And this is why you're lacking a concept: your wishes are not even particularly fulfillable in reality.

And that's where you should take the consequences: These things don't work, thus you have to address the more fundamental issue - not running malicious applications in the first place. And getting a good concept of how to evaluate the trustworthiness of software.

I just said that your problem is not related to the flaws in the software. Thus, even if the software would be flawless and perfect and complete, your problem would be unsolvable.

eval(AES_decrypt("longAESencryptedexploit", document.location));

Until the software emulates an entire JavaScript engine and captures all relevant data, it won't work.

And actually you can encode every step of an exploit into pure side effects. And then it's even theoretically impossible to verify what's actually going on.

No. But it's trivially circumvented if you allow just one little legitimate application.

That's what the entire security concept of most OSes is based on. But they're making clear all-or-nothing decisions based on security contexts. And that's why most don't even care for controlling network access.

Known security holes == the public knows about the security hole, there has been an updated version of the browser, but the hole was not fixed. And I know only one where this applies: IE, where the oldest security hole now celebrates its third year, and currently more than 20 are known. Well, if you even call it a web browser, since it's officially documented to be unsuitable for being used on the WWW.

The point of serious security software is to provide tools for the competent administrator to help implement security strategies. Technology is not a panacea. Without any clue and without any concept, you'll just achieve the contrary, or at best nothing at all.

Sebastian Gottschalk

Look, folks, the bottom line is, leave computers to the experts. Throw out your home PC. Let's go back to the 60's. Us nerds were happy then in a world where there was no interference from that ignoramus Joe Public ;-)

Wilf
[uff, big long fullquote snipped]

No. Leave it to someone who is competent. Hence, if this is not you, you might pay someone for adequate service. At any rate, you can't deny responsibility.

Sebastian Gottschalk
