Re: Norton vs Zone Alarm firewalls



Poprivet` wrote:
Actually, what it does is sit and monitor what goes in/out
(sometimes only in), compare it against its rules, and send messages
appropriately to/from the system. It does not "integrate" into the
OS.
Exactly. It does not integrate. That's why it is so difficult to
uninstall that stuff afterwards???

No, not really. If your questions are serious, I'll go thru here and give you what I have experience and knowledge with, so maybe that'll help.
"Integrate" means to essentially become a part of. However, I do understand that the term is used very loosely by many people. AV sw looks

I don't always know the correct terms either that describe what I am trying to say exactly the way so that everybody understands it - in particular as English is not my first language.

into, and captures, system communications in order to monitor and function. Depending on what you've asked it to do, some of those can be more than just inserting itself in between your internet connection and your email client or browser, which is where most of the detection is done.

However, there is a big difference with security software which tries to block out the bad stuff. It cannot only use standard system hooks to monitor and possibly block a few things. Using standard hooks to tap into the IP stack to control IP traffic or to tap into the way windows loads files to scan them for viruses before they are executed. Standard hooks are there and you can easily tap into there but you can also as easily remove those taps again. Security software would not be security software if it was so easy for malware to deactivate it, in particular as many people still use Windows as user with administrative privileges. So what they do is to implement various ways how they can make sure that it is not possible to remove their hooks into the system. What they do there are definitively not standard windows settings anymore.

In the beginning, software firewalls simply set a proxy in internet options and redirected all internet traffic through that. They have reconfigured the e-mail client to use pop through their own local pop proxy. Obviously, any malware could quickly change that as those settings were local user settings and not system wide (protected settings if you were not Administrator).

Some other firewalls in the beginning replaced the whole IP stack. That of course did not go so well either, because implementing a fast, efficient and bug-free network protocol stack is rather difficult even if it looks so simple from the model perspective.

I am not up to date with the latest tricks they use to make themselves permanently "integrated" into the system so that not even a malware running as Administrator can simply knock them out. A few root-kit like tricks are usually the most effective ones. But the game Administrator malware against Administrator software firewall/antivirus is obviously useless to think about but still, due to the unfortunate fact that many users run as administrator user on their computer, they try it anyway.

Which leads me to one of the major reasons why I generally advise against those security packages: when installing a security software it could very well analyze the current system and set it up, if necessary, to offer the user a limited user account on XP for normal day-to-day work. That would be an effective way to prevent some more serious damage. If the user insists to work as Administrator anyway the security software should simply and clearly state "I can't really help you here because it is futile to fight against an enemy which was made unnecessarily powerful by using an administrator account all the time..."

Why don't they do something like that? "User convenience"? "Doesn't sell"? It's security software which is supposed to protect my computer! It should do something like that.

A software firewall wants to provide security. For that it must
establish itself somewhere deep in the OS to prevent evasion or the
ability to turn it off quickly.

In general, the only way to

get properly rid of an installed (single) software firewall on a
Windows system is to reinstall the system.
Blatantly untrue and misinformed information here. It occurs to me
that you
Why exactly do you need additional tools available from Symantec to
uninstall Norton completely from your computer?? Is that untrue?

No, it's definitely true! There are some silly reasons and some good reasons for it. The silly reason is that you might want to reinstall it in the future and that way it preserves all your settings and things should you reinstall it to "fix" a file corruption or whatever. But if your aim is to

I am not talking about simple settings left behind. I don't mind those. I am talking about people frequently reporting that their computer does not work properly anymore after they have uninstalled their software firewall. The system did not work like before the installation. There is a long history of that, often because of some of those "tricks" which I have mentioned before. Replacing system files and making those replacements permanent can cause trouble with standard windows updates. Either the windows update overwrites the replaced file or the firewall notices it and puts its own version back. Once you deinstall the firewall again, it restores an old version it backed up during installation. All of a sudden we have a buggy version of the file in place or it may be a version which does not work correctly together with other system files as Microsoft made a few modifications to the internal APIs...

I had a computer where I started with Norton 2000 I think and upgraded until 2003 where I wanted to get rid of it which was basically not possible. Windows showed all kinds of problems. I know this was a few years ago but I see too many posts of too many people who still have those kinds of issues with the latest versions.

Otherwise you may see all

kinds of issues after the uninstallation plus usually not everything
is gone after the standard deinstallation from the software wizard.
Not "everything" is "gone" after almost ANY uninstall of almost ANY
software. There are some good and some not so good reasons for that
but I'll not go into them because I can feel the hardness of your
skull from here.
O.K. What was exactly the good reasons why some uninstallers forgot to
remove the proxy setting in the internet options which prevented
people to use the internet after uninstallation?

As I've said above, I have no experience with that. My most recent removal of Norton was a few weeks ago in order to try out the free NIS my ISP was offering, but it also wanted me to remove ZoneAlarm before it'd install, so that says there IS some truth to what you're alleging. But if it's not Norton's proxy, I wouldn't expect it to fix anything that ZA did and vice versa. It does however, appear to be covered in the documentation. I read that I should uninstall ZA, but didn't, and NIS just refused to install until I did uninstall it. After the install, I reinstalled ZA and all was fine.

You should get VirtualPC or VMWare for those tests. Both are free except for the windows license of course...

I don't like to test bigger software products which may make many changes to my system and then hope it will properly uninstall afterwards. Before the test I make a snapshot with vmware and after the test I revert back to the snapshot. Thus even my xp installation in my vmware is always a nice clean installation despite any tests I have run on it.

Regarding your uninstallation of Norton: Uninstalling the software more or less directly after installation, in particular without any windows updates is the easiest part. That should always work. I would really worry if it would not.

Again though, I see the same things in other applications and not always explained or recognized. Norton at least controlled the situation with NIS 2007. I had no issues at all uninstalling it and reinstalling my SystemWorks 2006.
So, that's the extent of my experience there. Sorry.

Interesting. It seems NIS and others finally learn a few things from their errors in the past... I don't have direct hands-on experience with the latest version except for that on other people's computers which I don't want to count here as it does not give me the opportunity to do some more in-depth longer analysis.

I simply believe that inconsistencies and misinformation are bad, very bad, in a public place because too many newbies will hook onto the one they like the best and remember that instead of the more accurate assessments. I think I've said a LOT other than insults, and if you find them personal, you need a slightly thicker skin. I'm gentle by many standards but I do say what I think and mean what I say. If I'm wrong then so be it; I'm not afraid to say so, and if you're actually reading this, I guess I was wrong and apologize for that. I felt that the misinformation needed to be pointed out, in particular, and wanted it to stop.

I think the biggest misinformation is just to follow the mainstream and adverts of the major players in this game. Other approaches are possible. The crucial element in computer security is simply the person in front of the computer and what this person does.

The biggest misinformation in my opinion is:

* to tell newbies that they must install security software because otherwise they are lost.

* not to tell them that they are lost anyway if they mess up.

* not to tell them that they have to learn about the security of their computer

* to tell them that it is far too complicated to learn it as newbie.

* to confuse them with overly complicated warnings which just adds to the newbie's experience that it is too complicated.

* to confuse them with fully unnecessary warnings about "problems" which do not exist (e.g. port scan on closed ports or downloading a virus attachment from a POP server which the user would not ever open).

* not to tell them that a few fairly simple rules would be far more effective in the resulting overall security of the computer

* to tell them (or strongly make them believe) that they don't have to worry about those rules with security software installed

* to tell them that they don't have to learn about the security because it is too complicated and the security software does far better than that.

I repeat: the biggest misinformation is that the crucial element to computer security is the user itself.

If the vendors of security software wanted good and effective information for their users they would much more use a learning approach for the user: educate the user on the way with internet experience to avoid the real issues in which they may have run and which the security software may be able to prevent. The real informed way would be an approach to make themselves more or less superfluous in the end.

But that is not going to happen because any marketing department would not accept it as it looks as if they would cut into their own profits...

* A software is more intelligent than a human being?

No, but it's more reliable, consistent and usually much more dependable.

Malware cannot mess with my brain. It can mess with the computer system and the software running on that system including any security software.

An educated user is still the most effective way to prevent malware.

* It is more effective to use some security software than to learn
something about security and to be careful while in the internet?

* It is not possible to run a computer securely connected to the
internet without any antivirus and firewall?

Not really. Within minutes, the "noise" of the internet is likely to discover one or more of your open ports and start testing them. One can literally become infected with a virus or spyware within minutes of accessing the internet without some sort of protection in place, especially considering all of the "noise" looking for you are covert in nature and aren't going to announce themselves. You'll find very, very few

This is the standard statement there and it basically considers a fresh system installation. This is fully unrealistic. No one suggested to do that. I could as well just say you are not able to download the latest NIS, ZA, or whatever else software from the internet fast enough on a fresh XP to prevent it either.

If you want to compare the setups you have to compare it with a computer which is properly and securely configured for internet use. That would be a fair comparison.

Of course, one of the rules to follow for a user is:

* enable the XP firewall with no exceptions and then start windows update. Install all updates first before you do anything else. If you have XP SP2 or Vista preinstalled the firewall is enabled anyway I think.

and:

* don't use services which you don't need. If you don't need windows file sharing and you are directly connected to the internet with your computer there is no need to have the windows file sharing services running and have open ports on those.

recommendations to EVER connect to the 'net without some sort of protection installed. In fact, if you find such a site saying you can connect safely, get the hell away from them; they are likely already probing you. It can ruin a good afternoon of rebuilding a system.

I connect my windows laptop to a public hotspot without issues. It does not have any open ports listening on the internet. It is not so awfully difficult to achieve that even though Windows comes with a stack of open ports in a fresh installation. And if you are very nervous about the open port on IP address 127.0.0.1 you can still enable the XP SP2 firewall with no exceptions for the peace of mind. The XP SP2 firewall does not have the performance penalty which those other software firewalls have.

There's a little hype involved, but if you'd like to see what's happening on your machine and who can see what in and on it, visit grc.com and let them run a few tests on your ports. In my current configuration, I'm fully "stealthed", meaning no one on the 'net can see me in any way. That's the target to shoot for. It's a free service, and pretty good. There are others also but I like grc.

Among experts grc is always good for a laugh.

What do you think is "stealth"? Stealth generally is considered to be "as if I was not there". Correct? What you want is that it looks as if there was no computer on the IP address scanned? Correct? This is what people think would "stealth" be and this is what I think people believe if they read that grc.com certifies them "stealth".

However, make a network test. Take a network scanner. Scan an IP address with a "stealthed" computer in place. Now unplug the computer. Do the same scan again (and that's the mean thing with those security scanners like grc.com because you cannot do this revealing test). Now compare the results. Ooops. If a computer is not there the upstream router will return an ICMP message with an error destination not reachable or host is down or similar. (Obviously, an ICMP filtering firewall on the scanning computer will block this return message...)

So what is this "stealth" in reality? It is like a person who stands in the middle of the street and who does not answer to any of those people yelling at him to get out of the way thinking if I don't respond people don't know that I am there. ;-)

If you wanted to be stealthed the router of your ISP would have to return the correct ICMP message that the IP address is not used. Not responding is a clear sign that something is there and that someone is probably running some software firewall which may make a nice target to exploit the latest security vulnerability in the scanning engine of the firewall.

There is nothing like "stealth" on a computer, at least not with the help of your ISP.

I don't mind people scanning my router. They do it all the time. They do it whether I block the port closed ICMP messages or not. If I don't block it the scan is over quickly. If I block they do the usual 3 timeout/retry cycles on each port before they give up adding to the noise instead of reducing it. I don't block (certain) incoming ICMP because I find it helpful to see the reason why something does not work if I try to connect to a particular host in the internet instead of just running blindly in a timeout without having any idea whether some route on the path is down or the server is down or something else.

"You must install AV. You must install PFW."

That of course is not entertaining but boring.

Face reality. It is possible without AV and with PFW.

No idea where PFW came from; that's a product I don't use but is still a viable firewall.

Sorry. I used software firewall everywhere else:
PFW - Personal Firewall aka software firewall which includes your ZA

If you're really sans firewall and antivirus software, you're going to understand soon enough; that's about all I can say.

I am without firewall. There are no open ports to block. I am without antivirus. It is generally me who decides what I execute and what not. I connect behind my router. I connect at public hotspots. I have no malware. I know exactly what has changed lately if I simply boot from my linux cd and compare the current harddrive content with the content of the last full backup. No malware there.

It works fine. You just have to know what you do and how you do it. But it is not a big miracle. The big misinformation is to tell people that it is impossible otherwise. Because that makes them dependent on security software simply because they believe it is not possible otherwise.

People should learn how to secure their computer instead of thinking installing a security suite is the only thing they effectively can do.

Just to make that clear: I am not saying here that any newbie should buy some laptop in a shop and then first thing is to connect to the internet somewhere at the closest hotspot and start browsing.

People have to learn about security. It is possible to learn it and it does not require a phd in computer science. This is far more effective than some security software.

If security software really wanted to help and effectively prevent problems they should by far use a more educating approach helping the user to understand the problem he caused. This would help the user to understand and learn security and how to adjust in what he does to avoid it in the first place before the problem occurs.

Be honest: how many of the warnings of your AV or software firewall were effectively linked with a real problem? Something that really would have been a problem, i.e. actually causing malware infection. Blocked virus attachments during POP download do not count. Port scan warnings do not count. Exploits of some five year old security vulnerability which has long been patched do not count. A real issue which you could have not known before and where you could have not done anything against?

And please not those "home phoning" software! It is still the user who decides to install this software and I found that often people use their software firewall to block those which as often are simple update checks which they unfortunately miss causing potential risks. No one is forced to use a certain software or OS. If you don't like some software which you have installed to connect to the network, get informed before you install it and don't install it if you don't like the policy.

I do apologize if you felt attacked.

No problem.

I'm more than willing to discuss things amicably.
If you're just trolling though, I'm done.

How many trolls post lengthy posts?

Gerald
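
The distinction drawn in the post between ports open to the network and a port open only on 127.0.0.1 can be checked from `netstat -an` output. This is an added example, not part of the original post: it assumes English-language Windows `netstat -an` output, the sample text is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1055      203.0.113.10:80        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:1900         *:*
"""


def split_endpoint(endpoint):
    """Split '0.0.0.0:135' or '[::]:135' into (address, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(netstat_text):
    """Return (proto, address, port) for listening TCP and bound UDP sockets."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, peer = fields[0], fields[1], fields[2]
        state = fields[3] if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        if proto == "UDP" and peer != "*:*":
            continue  # UDP has no state column; '*:*' marks a bound socket
        try:
            listeners.append((proto, *split_endpoint(local)))
        except ValueError:
            continue  # unparseable local address, skip rather than guess
    return listeners


def exposure(address):
    """Classify a bind address by who can reach it."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop IPv6 zone id
    if ip.is_loopback:
        return "loopback-only"
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    return "specific-interface"


def audit(netstat_text):
    """Group listeners by exposure class."""
    report = {"loopback-only": [], "all-interfaces": [], "specific-interface": []}
    for proto, addr, port in parse_listeners(netstat_text):
        report[exposure(addr)].append((proto, addr, port))
    return report


def network_reachable(netstat_text):
    """Unique (proto, port) pairs reachable from the network unless filtered."""
    report = audit(netstat_text)
    hits = report["all-interfaces"] + report["specific-interface"]
    return sorted({(proto, port) for proto, _, port in hits})


if __name__ == "__main__":
    for proto, port in network_reachable(SAMPLE_NETSTAT):
        print(f"{proto} {port} is bound to a network-facing address")
```

An empty result from `network_reachable` corresponds to the "no open ports listening on the internet" state described in the post; entries under `loopback-only` are reachable only from the machine itself.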