# Solved: Need firewall with Microsoft Security Essentials?



## smithmdan (Nov 6, 2001)

Have just recently changed from Kaspersky Anti-Virus 2011 to Microsoft Security Essentials and was just wondering if I need more protection to cover what I lost when changing.

Do I need a firewall in addition to MSE ?

Kaspersky; I was happy with for years but it seemed to slow down my computers with each new year's upgrade.

Also, was just given a laptop that is running Comodo Internet Security. Is it a good product ?

Thanks,


----------



## 1002richards (Jan 29, 2006)

Hi,
I don't know how Comodo rates, but with Microsoft Security Essentials you need to activate the OS's built-in firewall (XP, Vista, or Windows 7).

Richard.


----------



## Tech-man (Sep 17, 2011)

Comodo is not good for protection. Instead you must install MSE in place of it. It installs all that useless stuff such as the Ask toolbar and Comodo GeekBuddy with it. Its protection is also not as good as MSE's.


----------



## golferbob (May 18, 2004)

I use Comodo Free Firewall with MSE and have no problems. You do need to watch when you install it for a toolbar and other items you don't need.

http://www.majorgeeks.com/Comodo_Personal_Firewall_d5033.html


----------



## lunarlander (Sep 22, 2007)

Comodo and MSE provide different kinds of protection. Comodo is a firewall and host intrusion detection system. MSE is a plain vanilla antivirus. You need both. Comodo's firewall provides both inbound and outbound protection. Inbound protection is for stopping hackers. Outbound protection is for stopping spyware and botnets from calling out to their master controller. According to Comodo, their HIDS (called Defense+) stops malware from installing, and that's a good thing. I just reinstalled free Comodo and it only comes bundled with GeekBuddy, which sounds like an online tech support chat/remote control thing. And you can unselect that during install. It used to also bundle the Ask Toolbar (which you can unselect), but that seems to be gone now.

If you are using Windows XP, then you should use Comodo, because the XP built-in firewall doesn't have outbound protection. And for laptop owners, Comodo also has different firewall profiles for when you are at a public WiFi hotspot, when it will block file sharing. Windows Vista and 7 users have a newer Windows Firewall which has outbound protection and profiles, but outbound protection is off by default and needs to be turned on.


----------



## smithmdan (Nov 6, 2001)

Thanks for all the replies and information.

Will probably try Comodo Firewall with MSE.

Also glad to know that the XP firewall is not sufficient.

Any cons to using comodo firewall? Heard it might have some bugs or block some programs. Any info on that?

Wish I could find a good program like Kaspersky that would stop changing every year and bog down the computer so much!

Seems "simple" would be best, but guess they need to keep creating new products to keep the cash flow going!

Anybody know of that dream product I'm hoping for?
Thanks


----------



## Snagglegaster (Sep 12, 2006)

Actually, the XP SP2 firewall or later is certainly sufficient. Granted, the XP firewall doesn't include outbound protection, but that was a conscious decision on the part of the MS security team. MS Senior Security Strategist Steven Riley has a good article on the topic here. You should read it before you decide that outbound protection is essential. Here's the deal, many (if not most) freeware security products function as advertisements to sell the full version of the product. Just because some 3rd party firewall like ZoneAlarm or Comodo generates lots of alerts, doesn't mean that they are delivering a higher level of protection.


----------



## lunarlander (Sep 22, 2007)

I disagree with Steven Riley's article on one point. He states that most users just blindly click 'allow' for any security prompt. Well, we security-conscious users don't do that because we have a healthy dose of paranoia. And so, the outbound protection does serve a purpose for those that want to stay secure.

He also states malware can hijack an allowed connection. I take it that it's possible, but we also want 'defence in depth' and throw roadblocks here and there to stop the attackers. Or maybe MS was just not capable of writing a leak-test-proof firewall at that stage. If I remember correctly, MS was late in introducing a native firewall to XP, because I remember I was already using ZoneAlarm or Kerio before SP2 came out and turned on the firewall.


----------



## Snagglegaster (Sep 12, 2006)

lunarlander said:


> I disagree with Steven Riley's article on one point. He states that most users just blindly click 'allow' for any security prompt. Well, we security-conscious users don't do that because we have a healthy dose of paranoia. And so, the outbound protection does serve a purpose for those that want to stay secure.
> 
> He also states malware can hijack an allowed connection. I take it that it's possible, but we also want 'defence in depth' and throw roadblocks here and there to stop the attackers. Or maybe MS was just not capable of writing a leak-test-proof firewall at that stage. If I remember correctly, MS was late in introducing a native firewall to XP, because I remember I was already using ZoneAlarm or Kerio before SP2 came out and turned on the firewall.


Actually, I think what happens in practice is that users either blindly click "allow" or "deny" with about the same frequency. Come on! How many user systems do you see with unpatched versions of Acrobat Reader, Flash, or Java just because the user kept clicking "Remind me later"? I also think that a significant point of Riley's thesis is that an infected system is likely to have its firewall (regardless of provider) disabled, and often any malware protection on the system is likely to be disabled as well. That's another way of saying that if your computer is compromised, you can't rely on your firewall after the fact. Personally, I agree.

Ed Bott has a good observation here on how systems get infected, and I would refer interested readers to his blog and the included links. Still, here's an observation from one study:

_"Users who were infected became victims because they were missing security updates, typically for third-party programs._

_On the basis of the total statistical data of this study it is documented that the following products frequently are abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and Microsoft Internet Explorer._

_The most striking part of all is the list of vulnerabilities used by these exploit kits. Of the 12 entries that made up the list, five had been patched a full year earlier, and half involved vulnerabilities that had been identified and fixed between 2004 and 2008._

_The authors conclude: "[A]s much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages."_

I encourage everyone to read the full article and links. And I still think these potential security holes trump any firewall software.


----------



## lunarlander (Sep 22, 2007)

Hi Snagglegaster,

Good link. Points out the importance of patching. 

However, I still feel vulnerable if I were to turn off my Vista's outbound protection. And I think/hope that the attacker needs admin rights to turn off my Vista's firewall, because I use a standard account daily.


----------



## jiml8 (Jul 3, 2005)

> Ed Bott has a good observation here on how systems get infected, and I would refer interested readers to his blog and the included links. Still, here's an observation from one study:


You should be careful about your quoting.

Further up in the article, it states:



> The test involved more than 640 hosts running Windows XP Professional with no third-party applications and with auto-updating disabled. With the Windows firewall turned off, the mean time before a host was compromised was just over 18 hours, with the Conficker worm doing more than its fair share of damage.
> 
> But once a firewall was turned on (the default configuration for every Windows system shipped in the past seven years), the numbers changed dramatically:
> 
> With the firewall enabled, the mean survival time of the Windows XP SP2 systems increased to 336 days. No system with this control enabled was compromised in less than 108 days.



Thus, the conclusion appears to be that systems which are protected by a firewall are much less vulnerable to vectors that would attack from the outside, therefore the remaining vectors (unpatched apps on the machine that might load files brought in from outside) are the remaining vulnerability.

This suggests that a firewall is an essential defense - THE front line defense - and after the firewall is in place, then it becomes necessary to deal with other possible vectors as those are identified.


----------



## Snagglegaster (Sep 12, 2006)

jiml8 said:


> You should be careful about your quoting.
> 
> Further up in the article, it states:
> 
> ...


I never said that a firewall wasn't important. What I said was I believe the Windows XP firewall is sufficient without resorting to a 3rd party solution. And, of course, it was the Windows firewall used in the tests to which Ed refers. So, I hope we're on the same page now.

Anyway, this is just an issue where lunarlander and I aren't ever likely to agree. But that's no more than a legitimate difference of opinion. Overall, I've found 3rd party firewalls to be more hassle than they are worth, both in terms of bugs and nuisance value. Just because I'm always right and never wrong doesn't mean I always expect everyone to agree with me.


----------



## lunarlander (Sep 22, 2007)

Hi Snagglegaster,

Maybe you'd be interested to know that Vista and Win7's outbound firewall protection generates no popups - any outbound traffic not covered by firewall rules is silently dropped.


----------



## Snagglegaster (Sep 12, 2006)

lunarlander said:


> Hi Snagglegaster,
> 
> Maybe you'd be interested to know that Vista and Win7's outbound firewall protection generates no popups - any outbound traffic not covered by firewall rules is silently dropped.


Well, yes, I'm aware of that. However, the same can't be said of some 3rd party software. Here's a case in point: last week I had to troubleshoot printer issues on a customer's computer, and during the process, I also updated their Acrobat Reader, Flash Player, Quicktime, etc. ("Remind me Later" in full bloom) and their AVG Internet Security 2011 kept dutifully reporting that it had automatically generated new firewall access rules for JRE, Adobe Updater, blah, blah, blah, so on and so forth. By the time I had the printers both working again, I had seen that doggone notification balloon so many times that if it had popped up a message that said it had automatically created a new access rule for the Zeus Trojan, I might not have noticed. Perfect example of security theatrics.


----------



## HalfwayHose (Jun 5, 2011)

Hi,

I just updated my free ZoneAlarm and in less than two days I am miffed at the barrage of adverts for Netflix etc. I am looking for a new free contender.



Snagglegaster said:


> What I said was I believe the Windows XP firewall is sufficient without resorting to a 3rd party solution.


I have Security Essentials running and Updates for all of my installed software are checked weekly.

So, being a newbie in the Firewall tech department, is the MSoft Firewall all that you are using as a Firewall?

You sound like you know what you are talking about and I read the two links quoted above. My eyes glazed over a bit so I am back to asking for advice rather than trying to struggle through the techno-tech.

I have no doubts that I am uninstalling ZoneAlarm, but I do know I need a Firewall.

Should I just reinstate the MSoft Firewalls on Win7 and Vista PCs?
OR
Is there a friendly free Firewall out there that works better?

Thanks


----------



## golferbob (May 18, 2004)

Like I said to you a month ago, try Comodo Free Firewall. It does a nice job. Just watch when you install about the Ask toolbar. I have used Comodo for many years and MSE only about a year. They play nice together. I also think you should update to SP3.


----------



## Snagglegaster (Sep 12, 2006)

Today, everyone using a broadband connection is already behind a decent hardware firewall, and the Windows firewall is as effective as any 3rd party solution.


----------



## HalfwayHose (Jun 5, 2011)

@Golfer
I did try Comodo and it is just too busy. I spent half my life approving or setting rules.

@Snaggle
You didn't answer my question. Are you using the windows Firewall?
As to my ADSL modem, it is set to "Low" as anything higher either ignores what I want to do or just blocks stuff without notifications. The settings are pretty coarse and not selective. It is a Siemens modem supplied by the ISP and the few other modems I have tried will not connect and the ISP is no help. I am stuck with the modem firewall on Low or nothing.


----------



## Snagglegaster (Sep 12, 2006)

HalfwayHose said:


> @Golfer
> I did try Comodo and it is just too busy. I spent half my life approving or setting rules.
> 
> @Snaggle
> ...


I do use the Windows firewall on all my computers; and I have 6 machines running XP, Vista, and Windows 7. I just haven't seen convincing evidence that any 3rd party firewall is more effective at keeping your computer secure than the Windows firewall. Though I do find 3rd party firewalls to be more generally buggy and intrusive. And, of course, anyone on a broadband connection is already behind a very effective hardware firewall. I expect that is most likely the case even with your Siemens modem. At any rate, you're already behind two levels of firewall protection.

I guess I might as well go ahead and bash on Matousec a bit. I think they're a third-rate company that spends much more time and effort trying to promote their business rather than doing anything genuinely useful from a security standpoint. Case in point, does anybody remember Matousec's 2010 "discovery" of Khobe, and how it bypassed all current AV software? Oh, yeah! The Apocalypse was imminent!

Well, if you don't remember all the publicity about Khobe and Earthquake, that's because, just as all AV vendors said at the time, it was an essentially bogus vulnerability. If you want to read more, simply fire up the search engine of your choice, or look at the archives of any AV vendor.

I think this is relevant because this is precisely the business model Matousec applies to their firewall tests. Right out of the gate, I should mention that Matousec collects money from the products they test, and no tester that does this can be considered even remotely impartial or legitimate. There is some disagreement on this point, but I'll get back to that in a bit.

The core issue is how Matousec tests firewalls; and the answer is basically that they have set up an arbitrary and statistically flawed system that artificially favors products designed to do well on their tests. Of course, since these products potentially pay Matousec to be tested, a cynic might speculate that the tests are designed to favor specific products. But, of course, that would just be speculation.

Just to clarify this a bit, Matousec has set their own standards for what a firewall should do, and products that don't meet their criteria are doomed to failure. An obvious example is when a particular firewall is part of a security suite and relies on other components in the suite to perform some of the functions Matousec tests for in the firewall. Since Matousec evaluates firewalls included in security suites as though they were a standalone product, you would expect them to be low rated. And, in fact this is generally what you see in Matousec's test results. And, of course, all of Matousec's criteria are put forward without demonstrating any real world relevance. With the non-event of Khobe, I think we've already seen the "value" of Matousec's research.

If you want to read a less biased and cynical interpretation of Matousec's tests (as well as a more thorough one) let me suggest Gizmo's Matousec Proactive Security Challenge Analyzed.

Edit: Gizmo's article presents the non-cynical (I'd say non-cynical and under-imaginative) viewpoint on why Matousec's "test for pay" model shouldn't be held suspect. Want to bet those easy links to obtaining the reviewed products don't get Matousec some sort of affiliate revenue?


----------



## Snagglegaster (Sep 12, 2006)

Well, I guess all this commentary on Matousec begs the question, "Gosh, why don't more organizations test firewall software?" My response would be that reputable testing organizations realize that testing firewalls is about as relevant as testing software that teaches users how to knap flint into tools.


----------



## DWreck (Dec 2, 2011)

Well I may be wrong but... Free anti-virus and anti-malware programs aren't bad because they are free; they aren't so bad in general, too. My point is the cheap Russians in a frozen little den getting $1 a day to download those free programs and study them so they can make a virus to get past them is why some, not all but most likely the popular ones, aren't too good. Now as for the paid anti-virus and anti-malware programs, they are better in some ways than others, but mostly they protect more because they have more funding and the cheap Russians can't or just don't bother to try because they won't get too far or might not have the money. That's how I like to think about it.


----------



## HalfwayHose (Jun 5, 2011)

Snagglegaster said:


> And, of course, anyone on a broadband connection is already behind a very effective hardware firewall. I expect that is most likely the case even with your Siemens modem. At any rate, you're already behind two levels of firewall protection.


Thanks for the details Snaggle, but I doubt the broadband modem firewall is of much use. I do like the warm-fuzzy-feeling I get when ZoneAlarm warns me that some software on my PC wants to call home which the Windows one does not. I have yet to block anything going out because they have been requests from legitimate apps checking for updates. BUT, I sure like to know anyway.

I have faith in MSoft's Security Essentials vetting what is on the PC, but I suspect that MSoft does not check outgoing requests with their Firewall as it is probably contrary to the interests of software publishers. I know several apps I have installed use third-party test-for-validity software that I have to grant access to the Internet or the parent software will not run. I guess MSoft have to walk a thin line between safety and pleasing fellow software vendors.

Anyway, magically, since posting that first gripe and moan about daily ads from ZoneAlarm, I have not had any since, so ZA is still my Firewall of choice.

Thanks to all who got involved, one can never have too much knowledge.


----------



## Snagglegaster (Sep 12, 2006)

DWreck said:


> Well I may be wrong but... Free anti-virus and anti-malware programs aren't bad because they are free; they aren't so bad in general, too. My point is the cheap Russians in a frozen little den getting $1 a day to download those free programs and study them so they can make a virus to get past them is why some, not all but most likely the popular ones, aren't too good. Now as for the paid anti-virus and anti-malware programs, they are better in some ways than others, but mostly they protect more because they have more funding and the cheap Russians can't or just don't bother to try because they won't get too far or might not have the money. That's how I like to think about it.


Some free AV software is excellent; Avira and Avast free versions for instance. But they are still more limited than the "for pay" versions of the same programs. In fact, almost all free AV software has a "for pay" version. I don't think you can say free AV programs "aren't so bad in general" any more than you could make the same statement about "for pay" software. There's a pretty big performance spread, and there are a pretty large number of "security solutions" that truly suck. These days, I think it's almost certainly true that there's more money to be made by writing malware than defending against it, so a lot of malware is created by some quality talent, and I'm sure they are compensated accordingly. Depressing, ain't it?


----------



## Snagglegaster (Sep 12, 2006)

HalfwayHose said:


> Thanks for the details Snaggle, but I doubt the broadband modem firewall is of much use. I do like the warm-fuzzy-feeling I get when ZoneAlarm warns me that some software on my PC wants to call home which the Windows one does not. I have yet to block anything going out because they have been requests from legitimate apps checking for updates. BUT, I sure like to know anyway.
> 
> I have faith in MSoft's Security Essentials vetting what is on the PC, but I suspect that MSoft does not check outgoing requests with their Firewall as it is probably contrary to the interests of software publishers. I know several apps I have installed use third-party test-for-validity software that I have to grant access to the Internet or the parent software will not run. I guess MSoft have to walk a thin line between safety and pleasing fellow software vendors.
> 
> ...


You can get an idea of how effectively your router blocks external threats by running Gibson Research's Shields Up. Of course you'll need to disable ZoneAlarm during the test. I'd be curious to read about your results, since I still think your router may be better than you believe. Of course, I could be wrong, especially since I'm just not familiar with your hardware. I've certainly seen some routers *cough* 2Wire *cough* that have poor firewalls.

MSE certainly isn't terrible, but I think it has settled into what I would consider the upper end of mediocrity. You can see how it performs on Virus Bulletin tests and also AV Comparatives tests.

Ah, the warm and fuzzy feeling one gets from notifications is how a lot of products find a permanent home on computers. But, bear with me a moment while I play Devil's Advocate. Imagine that I am the infamous Russian hacker Boris The Spider, and I have written a nasty bit of malware that logs everything you do on your computer and sends me a daily update. It sends passwords to every site you visit, your SSN, mother's maiden name, blah blah blah. It slips past MSE, and infects your system (hope you enjoyed those Khloe Kardashian pictures, BTW). So, your system is now infected with Boris The Spider's BOGUGA (bend over grease up grab ankles). Now, do you think I'd be such a twit as to let this daily data feed report itself to Windows as BOGUGA, or would I perhaps design it to report that "The Bonjour Printer Updater has found updates." Got iTunes? So, in a nutshell, that's my objection to firewall software; the outbound monitoring that they are all so proud of is a purely reactive technology that's easily defeated, and that may tend to make users too complacent.


----------



## jiml8 (Jul 3, 2005)

Snagglegaster said:


> You can get an idea of how effectively your router blocks external threats by running Gibson Research's Shields Up. Of course you'll need to disable ZoneAlarm during the test. I'd be curious to read about your results, since I still think your router may be better than you believe. Of course, I could be wrong, especially since I'm just not familiar with your hardware. I've certainly seen some routers *cough* 2Wire *cough* that have poor firewalls.
> 
> MSE certainly isn't terrible, but I think it has settled into what I would consider the upper end of mediocrity. You can see how it performs on Virus Bulletin tests and also AV Comparatives tests.
> 
> Ah, the warm and fuzzy feeling one gets from notifications is how a lot of products find a permanent home on computers. But, bear with me a moment while I play Devil's Advocate. Imagine that I am the infamous Russian hacker Boris The Spider, and I have written a nasty bit of malware that logs everything you do on your computer and sends me a daily update. It sends passwords to every site you visit, your SSN, mother's maiden name, blah blah blah. It slips past MSE, and infects your system (hope you enjoyed those Khloe Kardashian pictures, BTW). So, your system is now infected with Boris The Spider's BOGUGA (bend over grease up grab ankles). Now, do you think I'd be such a twit as to let this daily data feed report itself to Windows as BOGUGA, or would I perhaps design it to report that "The Bonjour Printer Updater has found updates." Got iTunes? So, in a nutshell, that's my objection to firewall software; the outbound monitoring that they are all so proud of is a purely reactive technology that's easily defeated, and that may tend to make users too complacent.


The software firewalls that do a proper job of outbound reporting begin upon installation by making an inspection of your installed executables and constructing a hash value using some algorithm based upon the executable. It might be as simple as a checksum.

Then, when your BOGUGA tries to access the internet referring to itself as something innocuous or well known, the firewall gets the process ID of the process making the request, then looks up the location of the binary that was loaded to create that process, computes the hash value of the disk file, and compares it to its internal database of known programs. If there's a match, then the rules are applied to the program and it is allowed out if it is allowed, not allowed out if it isn't allowed, and you are asked if there is no match or matching rule.

This puts the total kibosh on your rogue program identifying itself as something else. Unless, of course, the system is already infected when the firewall is installed.

IIRC, it was Zone Alarm that was the first Windows firewall to do this, back in the days when ZA was a good firewall. This, actually, was THE feature that set it above all others at the time. Now, all the good ones do it.

It's actually a pretty effective way to control outgoing connections, so long as the user employs just a modicum of sense.
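The check jiml8 describes above, as an added example that is not part of the thread or of any vendor's firewall: a rule table keyed on the SHA-256 digest of the process's on-disk image rather than on the name the process reports. The file contents, paths and rule entries are constructed for the demo; a real product would also need the process-to-image lookup that the operating system provides, which is out of scope here.

```python
"""
Toy model of hash-keyed outbound rules (constructed example, not from the thread).

A rule is learned for a binary while the system is assumed clean. Later decisions
look up the digest of the image behind the requesting process, so an imposter
with the same file name, or a tampered copy of the genuine file, never inherits
the genuine binary's rule: it falls through to ASK, just as the post describes.
"""
import hashlib
import tempfile
from pathlib import Path

ALLOW, DENY, ASK = "allow", "deny", "ask"


def file_digest(path):
    """SHA-256 of the on-disk image, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class OutboundPolicy:
    """Rule table keyed on the image digest, never on a self-reported name."""

    def __init__(self):
        self.rules = {}  # digest -> ALLOW | DENY

    def learn(self, exe_path, verdict):
        """Install-time inspection: record a rule for the binary as it exists now."""
        self.rules[file_digest(exe_path)] = verdict

    def decide(self, exe_path, claimed_name):
        """Return (verdict, reason) for the process whose image is exe_path.

        claimed_name is what the process says it is; it is logged but ignored
        for the decision, which is the whole point of the scheme.
        """
        digest = file_digest(exe_path)
        verdict = self.rules.get(digest)
        if verdict is None:
            return ASK, (f"no rule for {Path(exe_path).name} "
                         f"[{digest[:12]}...] claiming to be '{claimed_name}'")
        return verdict, f"rule matched by digest {digest[:12]}..."


def demo():
    """Learn a rule on a clean system, then test genuine, imposter and tampered images.

    Returns {"genuine": ..., "imposter": ..., "tampered": ...} verdicts.
    """
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "vendor" / "updater.exe"
        imposter = Path(tmp) / "downloads" / "updater.exe"   # same name, other content
        genuine.parent.mkdir()
        imposter.parent.mkdir()
        genuine.write_bytes(b"MZ genuine updater image (constructed bytes)")
        imposter.write_bytes(b"MZ unrelated program pretending to be the updater")

        policy = OutboundPolicy()
        policy.learn(genuine, ALLOW)  # the system is assumed clean at this moment

        result = {}
        result["genuine"], _ = policy.decide(genuine, claimed_name="Updater")
        result["imposter"], _ = policy.decide(imposter, claimed_name="Updater")

        # A binary modified after the rule was learned no longer matches either.
        genuine.write_bytes(b"MZ genuine updater image (constructed bytes) + injected code")
        result["tampered"], _ = policy.decide(genuine, claimed_name="Updater")
        return result


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:9s} -> {verdict}")
```

Note what the model does and does not give you: the imposter and the tampered file both land on ASK, so the decision is handed back to the user, which is exactly the point Snagglegaster raises later in the thread. The digest check prevents name spoofing; it does not decide for the user, and it is only as good as the system's state when the rules were learned.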


----------



## DWreck (Dec 2, 2011)

Snagglegaster said:


> Some free AV software is excellent; Avira and Avast free versions for instance. But they are still more limited than the "for pay" versions of the same programs. In fact, almost all free AV software has a "for pay" version. I don't think you can say free AV programs "aren't so bad in general" anymore than you could make the same statement about "for pay" software. There's a pretty big performance spread, and there are a pretty large number of "security solutions" that truly suck. These days, I think it's almost certainly true that there's more money to made by writing malware than defending against it, so a lot of malware is created by some quality talent, and I'm sure they are compensated accordingly. Depressing, ain't it?


Yes indeed it is... I did, I guess, have Avast on my PC but I switched to ESET Smart Security, not because Avast is bad but because I just prefer ESET.


----------



## Snagglegaster (Sep 12, 2006)

jiml8 said:


> The software firewalls that do a proper job of outbound reporting begin upon installation by making an inspection of your installed executables and constructing a hash value using some algorithm based upon the executable. It might be as simple as a checksum.
> 
> Then, when your BOGUGA tries to access the internet referring to itself as something innocuous or well known, the firewall gets the process ID of the process making the request, then looks up the location of the binary that was loaded to create that process, computes the hash value of the disk file, and compares it to its internal database of known programs. If there's a match, then the rules are applied to the program and it is allowed out if it is allowed, not allowed out if it isn't allowed, and you are asked if there is no match or matching rule.
> 
> ...


Yes, but... let's count the fallacies here. "unless the system is infected when the firewall is installed" is what I would consider a serious gotcha.

But the big problem you miss is that the user *is* asked to make a decision to allow or deny access for unknown software. That's precisely the reason I used Bonjour Printer Updater as an example of a way for malware to pass itself off as legit. Lots of folks running Windows use iTunes, and I'm sure that many of them know that Bonjour is a component of iTunes. So, when presented with the question of whether to allow or deny access to some bit of software that claims to be the Bonjour Printer Updater, there is a pretty high probability that it will be approved even if the user doesn't know what a Bonjour-compatible printer is and may not have a clue as to whether or not they have one. That's just the same kind of social engineering that's responsible for so many malware infections in the first place. Expecting a user to react to this kind of message with "a modicum of sense" is about like saying "Clap your hands if you believe in Fairies!" And that's just the simplest way to compromise firewall software.

On a more sophisticated level, one of the first things many malware infections do is disable the infected system's antimalware protection, including firewalls, and that generally includes disabling notifications of problems. Just in case you're curious, the Bonjour Printer Updater isn't a made up example. It's a legitimate bit of software, but I'm also working on a malware removal where a rogue imitation was serving as a vector to download additional malware to the infected computer.


----------



## Snagglegaster (Sep 12, 2006)

DWreck said:


> Yes indeed it is... I did, I guess, have Avast on my PC but I switched to ESET Smart Security, not because Avast is bad but because I just prefer ESET.


I'm a serious NOD32 partisan, but I stick with the basic program and don't run Smart Security. I think this thread has made my opinion on 3rd party firewalls pretty clear, and between my ISP's email filtering, Thunderbird's mail filtering, etc., I'm just not motivated to do the Smart Security package. Well, we all know what opinions are like, and I may be wrong, but I am consistent.


----------



## jiml8 (Jul 3, 2005)

Snagglegaster said:


> Yes, but... let's count the fallacies here. "unless the system is infected when the firewall is installed" is what I would consider a serious gotcha.


Install the firewall when the system is known clean, and there's your solution.



> But the big problem you miss is that the user *is* asked to make a decision to allow or deny access for unknown software. That's precisely the reason I used Bonjour Printer Updater as an example of a way for malware to pass itself off as legit. Lots of folks running Windows use iTunes, and I'm sure that many of them know that Bonjour is a component of iTunes. So, when presented with the question of whether to allow or deny access to some bit of software that claims to be the Bonjour Printer Updater, there is a pretty high probability that it will be approved even if the user doesn't know what a Bonjour-compatible printer is and may not have a clue as to whether or not they have one.


This is where the "modicum of sense" comes in.



> That's just the same kind of social engineering that's responsible for so many malware infections in the first place. Expecting a user to react to this kind of message with "a modicum of sense" is about like saying "Clap your hands if you believe in Fairies!" And that's just the simplest way to compromise firewall software.
> 
> On a more sophisticated level, one of the first things many malware infections do is disable the infected system's antimalware protection, including firewalls, and that generally includes disabling notifications of problems. Just in case you're curious, the Bonjour Printer Updater isn't a made up example. It's a legitimate bit of software, but I'm also working on a malware removal where a rogue imitation was serving as a vector to download additional malware to the infected computer.


You cannot protect people from themselves. Regardless of that unfortunate fact, a firewall is an essential piece of software on any modern computer. It is certainly not a sufficient piece of software by itself, but it is a necessary one.

A firewall is not an anti-malware device; even if the user is totally aware and clued in, the clever piece of malware will be written to talk on the net using an allowed channel, such as the web browser. What any firewall does is protect the computer from external attack. Any firewall that monitors outgoing connections allows the user to take control of his computer, and block or allow the software that HE wants to have talking on the net, rather than the software that vendors or malware writers want to have talking on the net. It won't be perfect, but it is far better than the alternative, which is no control over that since you don't even know who is talking. A firewall can provide considerable assistance in dealing with malware, but that isn't its primary purpose.

As far as that goes, I can offer complaints about shortcomings in literally any anti-malware package or program you care to name. That every product is deficient is no reason to not use them. It is a reason to employ defense in depth, using multiple products by multiple vendors that perform complementary functions - and the reason for use of multiple vendors rather than this or that super anti-malware suite is that by avoiding monoculture products you make the malware writer's job harder and greatly increase the odds that the malware won't correctly function on the targeted machine.

This, actually, is why I don't use the Microsoft firewall on my Windows virtual machines. I have no objection to it and nothing negative to say about it. I don't use it because it is provided with Windows and therefore is a primary and easy target for anything that does manage to slip past my defenses. I have found the Online Armor firewall to be trustworthy (and rest assured; I have tested it extensively) and it is one step out of the monoculture. I use it on my Windows 7 virtual machines. On my XP and Win2K VMs, I use an early version of ZoneAlarm. I stopped upgrading it when they stopped providing just a firewall and started trying to be a super anti-malware product.

Since I'm running VMs, there is a host, which is Linux. I do some brute-force control of what the VMs are allowed to do regardless using iptables, and I routinely monitor traffic from my VMs to and from the internet using scripts based on tcpdump. So I know to considerable detail what my Windows machines are doing, and I can say that Online Armor works fine and can easily be trained to be quiet except when it has something legitimate to say.

I have firewalls everyplace. My systems come under external attack all the time. Nothing ever gets in. Firewalling is part of that. Only part, but a very important part. I use firewalls to control what talks from the Windows VMs, to control positively what ports are visible where, both on the LAN and on the internet, and proactively to actively stop attacks when they start - which they do on a daily basis as someone starts hammering on the ports I have open to the internet.

Anti-malware is only one aspect of computer security, and I would suggest that the Firefox plugin NoScript is a far more important tool in that battle than a firewall is. Computer security encompasses far, far more than just malware, and a firewall is an essential tool.

Security is not a destination. It is a journey.


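jiml8 describes watching his guests from the Linux host with tcpdump-based scripts and constraining them with iptables. As an added illustration of that host-side monitoring (example code written for this page, not jiml8's scripts), the following Python audits tcpdump output for new outbound TCP connections from the VMs and flags any destination port outside a small allow list. The guest subnet 192.168.122.0/24 (libvirt's default NAT network), the allow list, and the capture lines are all constructed assumptions.

```python
"""Audit tcpdump output for new outbound TCP connections from VM guests.

Added example, not jiml8's scripts. Assumes libvirt's default guest subnet
and a hypothetical per-port allow list; the capture lines are constructed.
"""
import ipaddress
import re
import sys
from collections import Counter

# Assumption: the guests live on libvirt's default NAT network.
VM_NET = ipaddress.ip_network("192.168.122.0/24")
# Assumption: only web traffic and DNS-over-TCP are expected to leave the guests.
ALLOWED_DST_PORTS = {53, 80, 443}

# Matches the TCP lines of `tcpdump -n` output (UDP lines carry no Flags field
# and are deliberately ignored by this regex).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: one allowed web connection with its handshake, one guest
# DNS query to the host gateway, one unexpected IRC-port connection, one web hit.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.122.10.49152 > 93.184.216.34.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000090 IP 93.184.216.34.443 > 192.168.122.10.49152: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:01.000150 IP 192.168.122.10.49152 > 93.184.216.34.443: Flags [.], ack 201, win 64240, length 0
12:00:02.000001 IP 192.168.122.11.49300 > 192.168.122.1.53: Flags [S], seq 300, win 64240, length 0
12:00:03.000001 IP 192.168.122.10.49153 > 198.51.100.7.6667: Flags [S], seq 400, win 64240, length 0
12:00:04.000001 IP 192.168.122.11.49301 > 203.0.113.5.80: Flags [S], seq 500, win 64240, length 0
"""


def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def is_new_outbound(rec):
    """A bare SYN from a guest to an address outside the guest subnet.

    Guest-to-gateway traffic (e.g. DNS to the host) stays inside VM_NET and is
    not counted; SYN-ACKs and data segments are not new connections.
    """
    return rec["src"] in VM_NET and rec["dst"] not in VM_NET and rec["flags"] == "S"


def audit(capture_text):
    """Count new outbound connections per guest and list the unexpected ones."""
    per_vm = Counter()
    unexpected = []
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_new_outbound(rec):
            continue
        per_vm[str(rec["src"])] += 1
        if rec["dport"] not in ALLOWED_DST_PORTS:
            unexpected.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return per_vm, unexpected


if __name__ == "__main__":
    # Read a live or saved capture from stdin, else fall back to the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    counts, findings = audit(data)
    for vm, n in sorted(counts.items()):
        print(f"{vm}: {n} new outbound TCP connection(s)")
    for ts, src, dst, port in findings:
        print(f"UNEXPECTED {ts} {src} -> {dst}:{port}")
```

Fed with `tcpdump -n -i virbr0 tcp | python3 audit.py`, the script reports each guest's connection count and prints the IRC-port connection from 192.168.122.10 as unexpected, while the handshake replies and the DNS query to the gateway are left out of the count. It only sees what tcpdump sees, so it complements rather than replaces the iptables rules that actually enforce the policy.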
----------



## HalfwayHose (Jun 5, 2011)

Snagglegaster said:


> You can get an idea of how effectively your router blocks external threats by running Gibson Research's Shields Up.
> ...snip...
> Boris The Spider's BOGUGA (bend over grease up grab ankles)



Thanks for the belly laugh, but back to the issue. I have been a ZoneAlarm user since they first began the Free version for personal use. Can't recall what v-Number that was but I am guessing around 2 or so. ZoneAlarm has been the first thing I install on a new computer so I am pretty confident Boris is not listening and I can put the grease to better use on another, more pleasant occasion.

I occasionally use Shields Up and like ZoneAlarm, have been a fan of it since Gibson started posting his Research.

I accepted your challenge and turned off ZA and ran Shields Up and to my surprise it came back as Stealth for all but some specific Port probing. I ran a Port exerciser I wrote and the Probe momentarily interfered with the processing but still returned "Stealth" status.

So, the modem may well be stronger at this than I give it credit, but I still like to know if something wants to call home and I get the option to approve or disapprove.


----------



## DWreck (Dec 2, 2011)

Snagglegaster said:


> I'm a serious NOD32 partisan, but I stick with the basic program and don't run Smart Security. I think this thread has made my opinion on 3rd party firewalls pretty clear, and between my ISP's email filtering, Thunderbird's mail filtering, etc. I'm just not motivated to do the Smart Security package. Well, we all know what opinions are like and I may be wrong, but I am consistent.


Well, it looks like I'll have to change that good opinion of yours on the "Smart Security package" from "not motivated" to motivated. But of course you would have to be willing, am I wrong? Or could I somehow get through your brain and trick you into my ultimate plan to convert everyone into ESET Smart Security believers! Just kidding.

Or am I muahahaha!


----------



## hogndog (Jan 22, 2007)

smithmdan said:


> Have just recently changed from Kaspersky Anti virus 2011 to Microsoft security essentials and was just wondering if I need more protection than I lost when changing.
> 
> Do I need a firewall in addition to MSE ?
> 
> ...


Go here to configure your Comodo firewall.. you'll be glad you did. Both of these applications work together like peas and carrots.. :up:

Hogndog

At least they do for me..


----------



## Snagglegaster (Sep 12, 2006)

jiml8 said:


> Security is not a destination. It is a journey.


Agreed. Unfortunately many folks can't read a map and even have problems with GPS. I agree that a firewall isn't exactly antimalware per se, but when you have to deal with outbound traffic alerts and give them a go/no go decision, aren't you implicitly using it as a malware detector?

In a perfect world, all antimalware software, firewalls, etc. would always be installed on machines that are known to be clean. In the real world, when do most users start to be concerned about security software? Usually after they are infected. Anyway, I'm not trying to say that 3rd party firewalls are evil. What I do believe is that I have never seen clear evidence that they perform better than recent versions of the Windows Firewall at blocking external intrusion, and that they aren't worth the hassle most of them create.

If anyone can demonstrate that ZoneAlarm or whatever is actually better at preventing intrusion than the Windows firewall, feel free to post the data. And, I'm talking about real world tests, not some synthetic measurements like Matousec's junk.

I realize that some people like the various alerts from 3rd party firewalls, and that's OK. I just regard most of it as "sound and fury signifying nothing." But, then, I'm not the one using your computer. Maybe that's why they are called Personal Computers?


----------

