'Leak' Test of 21 Personal Firewalls
mork writes "Matousec.com, as part of a larger analysis of personal firewalls on Windows, has conducted a thorough leak test of 21 pieces of firewall software. Leak tests imitate common methods used by trojans or spyware to send your information from your computer. Windows Firewall XP SP2 fails every test, so the fears that the days of third party firewall software were over seem groundless. Surprisingly, the two top programs are both freeware." From the article: "Some firewalls totally failed tests made against their default settings but their results on the highest security settings were much better. Kaspersky Internet Security 6.0.0.303 is the product with the biggest difference between the default settings score and the highest security settings score. Another such product is Safety.Net. Some products like BitDefender, F-Secure, McAfee, Panda, etc. include antivirus engines. The sad and funny thing at once is that lots of them mark leak-testing software as viruses or malware."
Windows Firewall XP SP2 fails every test, so the fears that the days of third party firewall software were over seem groundless.
The fears aren't because MS figured out how to build a good firewall; the fears are based on supposed "features" in Vista that would make it very hard/impossible for third party vendors to access parts of the OS needed to build good security software without first going through MS for some kind of certification. Not only that, but as MS integrates other security into Windows, like anti-virus, it may become very difficult to install third party AV and firewalls because the built-in AV wouldn't allow it.
Now, I'm not sure how much of these fears were grounded in reality, but I'm pretty sure they had nothing to do with some perceived accomplishment of the built-in Windows Firewall.
This may seem obvious to me... but the leak-testing software is imitating how a virus or trojan sends messages to the net, right? Wouldn't that of course mean that anti-virus software is going to mark it as malware?
I mean, the anti-viruses must be matching either the behavior of the program itself, or the signature of that data-sending bit. Of course they'll think it's a virus.
+++OUT OF CHEESE ERROR+++ REDO FROM START +++
Yes, but how many of these firewalls run on Linux?
I've really only seen Linux firewalls based on iptables/ipchains. I use one, called TuxGuardian (try Google/SourceForge if you want a link) that seems to work well.
What is "sad and funny" about catching a program that uses the same techniques as malware, techniques which are outside the range of normal software, and flagging it as potential malware?
It's also annoying to see a firewall listed as a failure because it's a firewall and not a host-based IDS.
I'd also argue that the host-based IDS programs are being sold for a purpose that is not their best use. Once a system has malicious software on it, expecting a process on the same machine to protect you and itself is, um, optimistic. Sure they try to defend themselves but that puts them on the wrong side of an arms race.
What they're best for is monitoring and control of "legitimate" software. I have Zone Alarm set to prompt me every time a program tries to run IE6, and to block media players from phoning home to whisper about what I'm watching.
What's important is a firewall stops incoming traffic, to prevent worm attacks.
Stopping outgoing traffic is for the obsessively insane.
[sarcasm] Ok, so let me get this straight. I am stupid enough to allow something to be installed on my system like a trojan or malware, but I'm supposed to be smart enough to secure my system to prevent them from getting back out? [/sarcasm]
I have used firewalls that let me control my outbound. I've found them to be a pain in the ass because I have lots of things that need to get out. And of course every time I update one of them I have to update my list. Try using a Firefox nightly and changing it at least once a week and you'll soon be tired of that. I protect my system by scanning things I download, running A/V, and occasionally verifying my system with an automated spybot check.
Leak tests imitate common methods used by trojans or spyware to send your information from your computer.
This is the least important piece of security I care about on my PC.
If there is a trojan already running on my PC, then I have already lost the war. It is irrelevant if it can communicate directly with an outside server or not. It could send data in a PLETHORA of undetectable ways aside from this (could send stealth emails from my default email program, could post data stealthily in a hidden frame it sets as my browser start page, etc., etc.).
The goal is to not get the spyware and virii on your PC in the first place. Once it's there, you're already screwed.
I notice that there was no column in there about how aggravating the installed firewall rendered your system. How many of those firewalls are going to try to pop up a dialog box on a game that just went full screen and freeze the game (so you can't even alt-tab out) until you click on a box you can't even see? I mean, I could have designed a firewall that would easily pass their tests with 100% reliability; it's called "unplug the network firewall", and it's very simple to install: just reach behind your computer, find the ethernet cable, and pull it out. Voila! Perfect Score!
One thing that struck me about Windows firewalls as compared to Unix firewalls is that Unix firewalls are focused on keeping malicious traffic out of your machine. Windows firewalls are designed to keep malicious traffic from getting out to the internet. In the end, it's no surprise that the results are a mixed bag; once your system is compromised you really can't expect these firewalls to save you. It's a lot like the antivirus market, where you have a constant arms race between the virus writers (do people write honest-to-goodness viruses anymore?) and the antivirus companies.
My final complaint is that programs like ZoneAlarm Pro are exceedingly resource hungry for what they do. ZoneAlarm takes over a minute to start on my fairly modern laptop, whereas everything else in the system takes about 30 seconds or so total. Why does a firewall need 24 MB of resident memory?
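The comment above contrasts the Unix stance (keep traffic out) with the Windows personal-firewall stance (keep compromised programs from getting out). As an added example that is not part of the thread or of Matousec's tests, here is an iptables ruleset that takes both stances at once: inbound is default-deny with only replies to connections the host opened, and outbound is limited to a short list of services with everything else logged and dropped, so a program that tries to phone home leaves a trace in the kernel log. It assumes a Linux host with the standard conntrack, limit and LOG iptables extensions; the port list and the EGRESS-DROP log prefix are choices made for this example. It runs as a dry run (printing the commands) unless IPT is set to the real iptables binary, which needs root.

```shell
#!/bin/sh
# Added example, not from the thread: ingress default-deny plus egress
# filtering with logging. Dry-run by default; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
# Outbound TCP services this host is allowed to open (assumed list).
EGRESS_TCP_PORTS="${EGRESS_TCP_PORTS:-22 80 443}"

fw_rules() {
    # Flush and set default policies: anything not explicitly allowed is dropped.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback is always allowed.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Inbound (the "Unix" stance): only packets belonging to connections
    # this host already opened; no unsolicited inbound connections at all.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound (the "personal firewall" stance): new connections only to
    # the listed TCP ports and to DNS; established flows keep working.
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $EGRESS_TCP_PORTS; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Everything else leaving the host is logged (rate-limited so a noisy
    # process cannot flood the log) and then dropped. Lines prefixed
    # EGRESS-DROP: in dmesg/syslog are the detection signal.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
    $IPT -A OUTPUT -j DROP
}

# Print the rules (dry run) or apply them when IPT=iptables.
fw_rules
```

Note the difference from ZoneAlarm-style tools and from TuxGuardian mentioned earlier in the thread: iptables decides by address, port and connection state, not by which program opened the socket. The closest it offers is the owner match (`-m owner --uid-owner`), which can confine a dedicated browser or media-player user account to its own egress rules, but it does not identify the executable.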
I read the internet for the articles.
Because moderation should not be based on whether you agree/disagree with the comment or with something it implies. Moderation should be based on whether the comment is valuable to the thread. In this case, it had some information in it (from Microsoft directly) which clarified something. Some people found that Informative.