PFWs are designed around the patently false assumptions that a firewall process can control the behavior of other processes running under the same OS kernel instance, and is somehow immune to being controlled by other processes.
I accept that your experience as a person making a living designing secure solutions leads you to believe PFWs are 100% effective, yet I somehow doubt you would recommend your clients run anything other than firewall processes on their firewalls. Same thing.
Can you cite an instance where a PFW provided protection which was not afforded by best practice - i.e. services minimised, least privilege, user vigilance?
Yes, taking my laptop into a government agency, where they were compromised by an exploit that was killing their network, infecting machines that a patch had not been issued for yet. My laptop running Tiny was set to block all INBOUND and ALL OUTBOUND (my normal starting point when I walk into a new client/wild). I was able to see the inbound traffic and keep my computer from being infected by the exploit.
A good example of the outbound protection was the 4 computers that were infected with an SMTP engine virus at a Sorority. While one machine had a PFW, it was set up to only allow SMTP access to the local outbound email server - this computer was "Trying" to spew more than 100 emails/sec to random addresses, but the PFW blocked it from reaching outbound via SMTP of its own engine (the virus didn't try and relay through the local server). The other three machines were not protected by a PFW and were spewing virus-containing emails all over the planet. At the same time, after being called in, I set my laptop to block all in/out, then set up an IP on the network, then watched the traffic hitting my laptop - determined the compromised machines and disconnected them until clean.
As a side note, we got a contract to set up their network and secure their systems - keep in mind that these are all different types of computers, various OSes, various AV/PFW products, etc... In the following periods this group has only had one infection (in three years) and it was an exploit in AOL IM that caused 5 machines to be compromised, but that was through a path that was normally open and easy to pass through - it was odd that the AV software didn't pick it up (it did a couple of days later)... Almost every system arriving for this year had quality AV software, all were running at least SP2 and had the Windows Firewall enabled, about 40% were running NIS or ZAP, and the ones running a PFW have had the least issues this year.
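The two things this post describes, an egress rule that allows SMTP only to the site's own mail relay and triage of block logs to find the machines fanning out to many remote SMTP servers, as an added example that is not from the thread or from Tiny or any other product named here; the log format, addresses and thresholds are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime

LOCAL_MAIL_SERVER = "192.168.1.10"  # assumed address of the site's own SMTP relay

def egress_allowed(dst_ip: str, dst_port: int) -> bool:
    """The rule from the post: outbound TCP/25 only to the local relay.
    Other ports are out of scope for this example and pass through."""
    if dst_port == 25:
        return dst_ip == LOCAL_MAIL_SERVER
    return True

# Constructed block-log lines (hypothetical format, not a real product's):
# "<ISO time> BLOCK TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-05-01T10:00:00 BLOCK TCP 192.168.1.57:3301 -> 64.12.138.1:25
2004-05-01T10:00:00 BLOCK TCP 192.168.1.57:3302 -> 216.239.37.1:25
2004-05-01T10:00:00 BLOCK TCP 192.168.1.57:3303 -> 205.188.146.1:25
2004-05-01T10:00:01 BLOCK TCP 192.168.1.57:3304 -> 66.94.234.1:25
2004-05-01T10:00:01 BLOCK TCP 192.168.1.57:3305 -> 207.46.197.1:25
2004-05-01T10:00:01 BLOCK TCP 192.168.1.57:3306 -> 64.12.138.1:25
2004-05-01T10:00:05 BLOCK TCP 192.168.1.23:1100 -> 192.168.1.200:445
2004-05-01T10:00:09 BLOCK TCP 192.168.1.88:2000 -> 66.94.234.1:25
"""

def parse_line(line: str):
    ts, _action, _proto, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src.rsplit(":", 1)[0], dst_ip, int(dst_port)

def suspicious_smtp_sources(log: str, min_distinct: int = 5, window_s: int = 10) -> dict:
    """Map src_ip -> number of distinct non-local SMTP servers it tried to reach
    within some window_s-second window, for sources at or above min_distinct.
    A mass-mailing virus fans out to many mail hosts; a real client talks to one relay."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log.splitlines():
        ts, src, dst, port = parse_line(line)
        if port == 25 and not egress_allowed(dst, port):
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window over each start time
            dests = {d for t, d in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(dests) >= min_distinct:
                flagged[src] = len(dests)
                break
    return flagged
```

The single blocked attempt from 192.168.1.88 is not flagged; only the host that hit five distinct remote mail servers within the window is reported.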
No. On-demand scanners allow you to scan files before you execute them. On-access scanners check whether a file you're about to access/execute is infected. Both will help you to avoid an infection.
You seriously need to get your terms straight. A firewall prevents unwanted traffic between two or more networks. That's what firewalls are made for. In case of a host-based firewall it prevents unwanted traffic *to* that host. It may thus protect a host from worms. Virii OTOH, though some of them may also show worm characteristics, are in general something completely different as they don't necessarily need to cause any kind of network traffic.
That's why personal firewalls can't (by design and definition) protect you from virii though they may protect you from worms. If a personal firewall detects traffic caused by a virus on your system, the virus is already active and has compromised your system.
On-demand scanners allow you to scan files you KNOW ABOUT before you act on them, but many programs act on more than just the file you are opening, which will not be scanned by an "on-demand" scanner.
On-demand, On-access -- I've no idea what you're talking about (and neither do I want to know).
When I scan with AVG7 it tells me if there are any viruses present (it has not happened yet) and I'm told that the infected file is placed in a secure 'virus vault' - so I can replace the original from my backup disks/tape, whatever.
A resident scanner, something that runs in the background all the time, like AVG7, will scan files in real time as they are accessed, and it will also check memory in real time. An On-Demand scanner is one that is not resident/running in the background, it only scans files/memory when you click the button to do it.
If you have the Resident Shield feature enabled, AVG scans 'infectable' files whenever the operating system attempts to open a file, and blocks access to the file if a virus is found.
If you have the E-mail Scanner feature enabled, AVG scans incoming and outgoing e-mail and attachments, and blocks the message if a virus is found.
These features prevent infections. Disabling them is just plain silly.
I can only read your words, not your intention. So if you want to be understood correctly: use the correct terms. Don't say 'blue' when you really mean 'red'.
*sigh*
Read my words and at least *try* to understand them this time:
THAT'S WHAT WORMS DO. THAT'S NOT WHAT VIRII DO.
Yes, the packet filter of a personal firewall can protect you from this kind of threat (at least as long as it itself isn't subject to the attack [1,2]). However, that protection can also be achieved by simply not providing any services to the outside world [3].
I'm genuinely interested in hearing about scenarios where a PFW provided protection which was not afforded by best practice, but I don't see one here.
I would boot the laptop from CD, and put the NIC in promiscuous mode (without an IP address) to sniff the exploit traffic. No risk of infection, not even if the exploit targeted a vulnerability in the sniffer code.
I cannot see how such a scenario could be possible even in theory. Perhaps if we find one in theory, we could search for a case where a "Personal Firewall" ever was useful, compared to best practice.
But if you want to, I can give you lists of scenarios where "Personal Firewalls" are counter-productive. And I can tell you about cases where this was the problem, why boxes were 0wned.