Kaspersky anti-virus undermines firewall - Firewalls


  1. Kaspersky anti-virus undermines firewall


    I have KAV installed, with everything enabled including scanning of http
    traffic ("web anti-virus" as it terms it). The way it does this is to
    act as a proxy process, and thus the firewall (which I'm using to
    control outgoing connections) can't distinguish what app is making the
    request. And since I allow KAV free access to fetch its updates I'm
    essentially allowing any application outbound http.

    I think my choices are:

    1 - do nothing
    On the basis that if the local application is a bad'un KAV will have
    caught it anyway!

    2 - install Kaspersky's firewall product
    I believe it's quite solid, but when I played with it I thought its UI
    was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
    destination, (application1 or application2),...}, combined with an
    inability to copy rules. I could see me spending forever configuring
    it). Actually bad UI seems to be quite a common feature amongst the
    firewall & av products I've played with (including kav).

    3 - disable KAV http scanning
    I don't really have a clear view on what this is actually meant to be
    doing and why it has to happen here rather than by controlling the app
    that's receiving the http stream. I suppose a browser could receive a
    dodgy applet that takes advantage of an unpatched bug to retrieve user
    data or some such?


    I think that ramble pretty clearly spells out why I'd like some expert
    opinion

    [Ranting lunatics trying to pick fights need not apply].

  2. Re: Kaspersky anti-virus undermines firewall

    Are you going to "keep looking over your shoulder" the rest of your life?
    Don't you know running an antivirus will slow down your computer? Sometimes
    it's fun to access the internet with those zombie computers anyways. You see
    if you can react quicker than the computer can you know like closing down
    sites before they pop up. Like i said before why use something that always
    tells you your serial number is blacklisted?

    graham wrote:

    > I have KAV installed, with everything enabled including scanning of http
    > traffic ("web anti-virus" as it terms it). The way it does this is to
    > act as a proxy process, and thus the firewall (which I'm using to
    > control outgoing connections) can't distinguish what app is making the
    > request. And since I allow KAV free access to fetch its updates I'm
    > essentially allowing any application outbound http.
    >
    > I think my choices are:
    >
    > 1 - do nothing
    > On the basis that if the local application is a bad'un KAV will have
    > caught it anyway!
    >
    > 2 - install Kaspersky's firewall product
    > I believe it's quite solid, but when I played with it I thought its UI
    > was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
    > destination, (application1 or application2),...}, combined with an
    > inability to copy rules. I could see me spending forever configuring
    > it). Actually bad UI seems to be quite a common feature amongst the
    > firewall & av products I've played with (including kav).
    >
    > 3 - disable KAV http scanning
    > I don't really have a clear view on what this is actually meant to be
    > doing and why it has to happen here rather than by controlling the app
    > that's receiving the http stream. I suppose a browser could receive a
    > dodgy applet that takes advantage of an unpatched bug to retrieve user
    > data or some such?
    >
    > I think that ramble pretty clearly spells out why I'd like some expert
    > opinion
    >
    > [Ranting lunatics trying to pick fights need not apply].



  3. Re: Kaspersky anti-virus undermines firewall

    graham wrote:

    > I have KAV installed, with everything enabled including scanning of http
    > traffic ("web anti-virus" as it terms it).


    That's bad.

    > The way it does this is to
    > act as a proxy process, and thus the firewall (which I'm using to
    > control outgoing connections) can't distinguish what app is making the
    > request.


    Eh... so what?

    > And since I allow KAV free access to fetch its updates I'm
    > essentially allowing any application outbound http.


    Eh... where're the news?

    > I think my choices are:
    >
    > 1 - do nothing
    > On the basis that if the local application is a bad


    Well, that's the only option.

    >'un KAV will have caught it anyway!


    Yeah, you wish...

    > 2 - install Kaspersky's firewall product
    > I believe it's quite solid, but when I played with it I thought its UI
    > was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
    > destination, (application1 or application2),...}, combined with an
    > inability to copy rules. I could see me spending forever configuring
    > it). Actually bad UI seems to be quite a common feature amongst the
    > firewall & av products I've played with (including kav).


    No, this is nonsense.

    > 3 - disable KAV http scanning
    > I don't really have a clear view on what this is actually meant to be
    > doing and why it has to happen here rather than by controlling the app
    > that's receiving the http stream. I suppose a browser could receive a
    > dodgy applet that takes advantage of an unpatched bug to retrieve user
    > data or some such?


    Well, you should do so. But not for your flawed reasoning.

  4. Re: Kaspersky anti-virus undermines firewall

    Sebastian Gottschalk wrote:
    > graham wrote:
    >
    >> I have KAV installed, with everything enabled including scanning of http
    >> traffic ("web anti-virus" as it terms it).

    >
    > That's bad.


    why?


    >
    >> The way it does this is to
    >> act as a proxy process, and thus the firewall (which I'm using to
    >> control outgoing connections) can't distinguish what app is making the
    >> request.

    >
    > Eh... so what?


    eh.. so the "personal firewall" can't effectively be used to control
    outbound connections.

    >
    >> And since I allow KAV free access to fetch its updates I'm
    >> essentially allowing any application outbound http.

    >
    > Eh... where're the news?


    whether it's news or not, it's something I wish to control.

    >
    >> I think my choices are:
    >>
    >> 1 - do nothing
    >> On the basis that if the local application is a bad

    >
    > Well, that's the only option.

    It's the only option labeled "1".

    >
    >> 'un KAV will have caught it anyway!

    >
    > Yeah, you wish...


    exactly.

    >
    >> 2 - install Kaspersky's firewall product
    >> I believe it's quite solid, but when I played with it I thought its UI
    >> was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
    >> destination, (application1 or application2),...}, combined with an
    >> inability to copy rules. I could see me spending forever configuring
    >> it). Actually bad UI seems to be quite a common feature amongst the
    >> firewall & av products I've played with (including kav).

    >
    > No, this is nonsense.


    which bit exactly? and why?


    >
    >> 3 - disable KAV http scanning
    >> I don't really have a clear view on what this is actually meant to be
    >> doing and why it has to happen here rather than by controlling the app
    >> that's receiving the http stream. I suppose a browser could receive a
    >> dodgy applet that takes advantage of an unpatched bug to retrieve user
    >> data or some such?

    >
    > Well, you should do so. But not for your flawed reasoning.


    Your responses suggest you have superior knowledge, which is encouraging
    as that's obviously what I was looking for by posting here.
    Unfortunately that's as far as they go. If you actually have
    constructive comments I'd very much like to hear them.

  5. Re: Kaspersky anti-virus undermines firewall

    graham wrote:

    >>> I have KAV installed, with everything enabled including scanning of http
    >>> traffic ("web anti-virus" as it terms it).

    >>
    >> That's bad.

    >
    > why?


    It wastes resources, creates various problems, slows down the connection
    and is absolutely useless?

    > eh.. so the "personal firewall" can't effectively be used to control
    > outbound connections.


    It can't anyway. Thus, it's no loss at all.

    >>> And since I allow KAV free access to fetch its updates I'm
    >>> essentially allowing any application outbound http.

    >>
    >> Eh... where're the news?

    >
    > whether it's news or not, it's something I wish to control.


    Reality doesn't care for your wishes. Such a control simply doesn't work,
    and you'd be better off not wasting resources on trying.

    >>> 1 - do nothing
    >>> On the basis that if the local application is a bad

    >>
    >> Well, that's the only option.

    > It's the only option labeled "1".


    And I don't care. If the application is malicious, then there's nothing you
    can do.

    >>> 'un KAV will have caught it anyway!

    >>
    >> Yeah, you wish...

    >
    > exactly.


    So what? Wishes are exactly not what security is. And virus scanners can't
    protect against malicious applications, they can serve as intrusion
    detection system at best. In most cases, you really have to assume that the
    malicious application doesn't get detected, because no signature is
    available and the creator for sure checked it against existing signatures.

    >>> 2 - install Kaspersky's firewall product
    >>> I believe it's quite solid, but when I played with it I thought its UI
    >>> was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
    >>> destination, (application1 or application2),...}, combined with an
    >>> inability to copy rules. I could see me spending forever configuring
    >>> it). Actually bad UI seems to be quite a common feature amongst the
    >>> firewall & av products I've played with (including kav).

    >>
    >> No, this is nonsense.

    >
    > which bit exactly? and why?


    At first, matching for applications is superfluous nonsense. For the second,
    it's no firewall. At third, it's not solid, but known to be very
    error-prone.
    And for the obvious, there are various well-working host-based packet
    filters for Windows like for example Wipfw, which by using the IPFW1 rule
    definitions preprocessed by your favorite command shell (yes, cmd.exe also
    does a good job), the power of the ruleset is virtually unlimited. So you
    really shouldn't wonder why someone is laughing about these useless
    click-and-point UIs ...

    >>> 3 - disable KAV http scanning
    >>> I don't really have a clear view on what this is actually meant to be
    >>> doing and why it has to happen here rather than by controlling the app
    >>> that's receiving the http stream. I suppose a browser could receive a
    >>> dodgy applet that takes advantage of an unpatched bug to retrieve user
    >>> data or some such?

    >>
    >> Well, you should do so. But not for your flawed reasoning.

    >
    > Your responses suggest you have superior knowledge, which is encouraging
    > as that's obviously what I was looking for by posting here.
    > Unfortunately that's as far as they go. If you actually have
    > constructive comments I'd very much like to hear them.


    Well, how should someone create something constructive with such an
    obviously flawed concept and even more flawed software? Your problem is
    none, since it's not the software which has defects, but you want it to do
    something impossible.

    Heck, you even believe that the creators of exploits wouldn't obfuscate
    them to make them undetectable. Or that an application could be controlled.
    Or that a webbrowser with known security holes would be reasonably
    acceptable.
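As an added illustration of the "ruleset preprocessed by a script" approach Sebastian mentions above (this is not code from the thread, from Kaspersky or from the Wipfw project), the following Python function expands a short outbound policy into numbered ipfw rules. The services, destinations and rule numbers are constructed for the example; the rule syntax is that of the original ipfw, which Wipfw implements, and nothing here loads rules into a kernel. It also makes visible the limitation that comes up later in the thread: every match field is protocol, address or port, and no rule has an application field.

```python
"""Expand a compact outbound policy into numbered ipfw rules.

Added example, not from the thread. The policy, hosts and rule numbers are
constructed; the rule syntax is that of the original ipfw, which Wipfw
implements. Nothing here loads the rules into a kernel; the function only
returns the lines a preprocessing step would hand to the ipfw command."""

# Service name -> (protocol, port). Constructed for the example.
SERVICE_PORTS = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "smtp": ("tcp", 25),
    "dns": ("udp", 53),
}

# Constructed policy: (service, permitted destination). "any" means no restriction.
POLICY = [
    ("http", "any"),
    ("https", "any"),
    ("smtp", "198.51.100.5"),   # only the ISP's mail relay
    ("dns", "192.0.2.53"),      # only the configured resolver
]


def build_ruleset(policy, step=100):
    """Return the ipfw rule lines, in evaluation order, for an outbound policy.

    Every match field is protocol, address or port: a host packet filter has
    no field for the process that opened the socket, so any local program
    that talks to an allowed destination and port matches the same rule.
    """
    rules = []
    num = step

    def emit(body):
        nonlocal num
        rules.append(f"add {num} {body}")
        num += step

    # Loopback stays open: local proxies and other IPC over 127.0.0.1 depend on it.
    emit("allow ip from 127.0.0.0/8 to 127.0.0.0/8")
    # Packets belonging to flows already admitted by a keep-state rule below.
    emit("check-state")
    for service, dest in policy:
        if service not in SERVICE_PORTS:
            raise ValueError(f"unknown service in policy: {service!r}")
        proto, port = SERVICE_PORTS[service]
        # 'setup' restricts a TCP rule to the connection-opening SYN; the
        # dynamic rule created by keep-state then carries the rest of the flow.
        setup = " setup" if proto == "tcp" else ""
        emit(f"allow {proto} from me to {dest} {port} out{setup} keep-state")
    # Default deny, logged, so anything outside the policy shows up in the log.
    emit("deny log ip from any to any")
    return rules


if __name__ == "__main__":
    print("\n".join(build_ruleset(POLICY)))
```

Run stand-alone, the script prints one rule per line, which is what a loader script would feed to the ipfw command in order; the logged default deny at the end is the part that tells you about traffic the policy did not anticipate.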

  6. Re: Kaspersky anti-virus undermines firewall

    Sebastian Gottschalk wrote:
    > graham wrote:
    >
    >>>> I have KAV installed, with everything enabled including scanning of http
    >>>> traffic ("web anti-virus" as it terms it).
    >>> That's bad.

    >> why?

    >
    > It wastes resources, creates various problems, slows down the connection
    > and is absolutely useless?



    >
    >> eh.. so the "personal firewall" can't effectively be used to control
    >> outbound connections.

    >
    > It can't anyway. Thus, it's no loss at all.


    Why can't it? Are you saying that all personal firewall products are
    faking it? Or only detecting apps that "play nice" ?

    >
    >>>> And since I allow KAV free access to fetch its updates I'm
    >>>> essentially allowing any application outbound http.
    >>> Eh... where're the news?

    >> whether it's news or not, it's something I wish to control.

    >
    > Reality doesn't care for your wishes. Such a control simply doesn't work,
    > and you'd be better of not wasting resources on trying.


    as above - why doesn't it work? It certainly appears to - after all I set
    some rule in the personal firewall, and hey presto, when such and such
    an app tries to make an outbound connection the firewall detects it (and
    can potentially block it).

    >
    >>>> 1 - do nothing
    >>>> On the basis that if the local application is a bad
    >>> Well, that's the only option.

    >> It's the only option labeled "1".

    >
    > And I don't care. If the application is malicious, then there's nothing you
    > can do.


    I guess there are degrees (some apps might not be considered malicious,
    more privacy infringing, and I'd still want to be able to prevent their
    constant dial-homes), but are you saying that if truly malicious then a
    firewall simply can't prevent itself from being
    subverted/bypassed/overcome in some way?

    >
    >>>> 'un KAV will have caught it anyway!
    >>> Yeah, you wish...

    >> exactly.

    >
    > So what? Wishes are exactly not what security is. And virusscanners can't
    > protect against malicious applications, they can serve as intrusion
    > detection system at best. In most cases, you really have to assume that the
    > malicious application doesn't get detected, because no signature is
    > available and the creator for sure checked it against existing signatures.


    Yeah, that's what I meant (by the exclamation mark; not very obvious I
    guess): that one can't completely rely on the AV. So my reasoning is
    that in cases where the malicious app isn't detected by the AV, the
    firewall is a second level of protection.

    (And in case where it's not malicious as such, but possibly subjectively
    undesirable, like say media player just playing the cd and not doing
    goodness knows what; Or finding that a piece of software supposedly
    uninstalled has left a remnant behind which is phoning home in the
    background - McAfee did this and I wouldn't have known about it without
    a pfw).

    On the aside of intrusion detection - seems to me that ultimately this
    is what it comes down to - AVs, firewalls, etc all play a part in
    prevention, but since it's not guaranteed one has to have detection.
    Worst case is to "catch" something and not know - prevention is better;
    knowing early is good; not knowing at all is bad.

    >
    >>>> 2 - install Kaspersky's firewall product
    >>>> I believe it's quite solid, but when I played with it I thought its UI
    >>>> was awful (inability to specify ORs in rule tuples (eg tuple={protocol,
    >>>> destination, (application1 or application2),...}, combined with an
    >>>> inability to copy rules. I could see me spending forever configuring
    >>>> it). Actually bad UI seems to be quite a common feature amongst the
    >>>> firewall & av products I've played with (including kav).
    >>> No, this is nonsense.

    >> which bit exactly? and why?

    >
    > At first, matching for applications is superfluous nonsense.


    how so? Surely all security comes down to determining trust, at some
    level of granularity, in this case deciding which apps are to be
    trusted? eg. If some app X tries to access the internet (or my ISP mail
    server or whatever) then the fact that I've configured only http access
    for mozilla, and smtp for whatever should assure its interception,
    shouldn't it?


    For the second,
    > it's no firewall. At third, it's not solid, but known to be very
    > error-prone.


    Very interesting - could you point me at details?

    > And for the obvious, there are various well-working host-based packet
    > filters for Windows like for example Wipfw, which by using the IPFW1 rule
    > definitions preprocessed by your favorite command shell (yes, cmd.exe also
    > does a good job), the power of the ruleset is virtually unlimited. So you
    > really shouldn't wonder why someone is laughing about these useless
    > click-and-point UIs ...


    agreed - such configuration is more flexible than the constraints often
    imposed by a UI.
    But as you say, ipfw doesn't take account of the source application - so
    the granularity of control is either all applications or none; if I want
    to allow, say, smtp from one particular application I have to allow it
    for all.


    >
    >>>> 3 - disable KAV http scanning
    >>>> I don't really have a clear view on what this is actually meant to be
    >>>> doing and why it has to happen here rather than by controlling the app
    >>>> that's receiving the http stream. I suppose a browser could receive a
    >>>> dodgy applet that takes advantage of an unpatched bug to retrieve user
    >>>> data or some such?
    >>> Well, you should do so. But not for your flawed reasoning.

    >> Your responses suggest you have superior knowledge, which is encouraging
    >> as that's obviously what I was looking for by posting here.
    >> Unfortunately that's as far as they go. If you actually have
    >> constructive comments I'd very much like to hear them.

    >
    > Well, how should someone create something constructive with such an
    > obviously flawed concept and even more flawed software? Your problem is
    > none, since it's not the software which has defects, but you want it to do
    > something impossible.


    I don't see why what I'm trying to achieve is a flawed concept - I want
    to know, and be able to prevent, which application is making outbound
    connection. How can the software both be flawed yet not have defects?

    >
    > Heck, you even believe that the creators of exploits wouldn't obfuscate
    > them to make them undetectable.


    of course they would try to do this - if they all waved little red flags
    we wouldn't need detection software at all! To what extent
    "undetectable" can be achieved I don't know.
    Undetectable to me sitting in front of the PC - very easy to achieve.
    Undetectable to the AV program - depends if one is unlucky to be one of
    the first to be hit with something and therefore no signature yet; or if
    the AV program can be subverted or brought down in some way; or if the
    AV is plain rubbish; etc.
    Undetectable to system intrusion detection? Depends - I guess hard to
    hide from something run off separate bootable ro media, but this is
    hardly a practical early warning mechanism! Something like osiris with
    the server elsewhere - dunno how effective this would be for a pc, as
    while it'll detect changes it's hard to determine which ones matter (and
    then there's the small matter of the registry...)


    > Or that an application could be controlled.


    I'm under the impression that privileged processes can interpose
    themselves in appropriate places to control some of what an application
    might try to do - eg. intercept and allow/prevent registry changes;
    intercept and allow/prevent network accesses, etc.
    Is this untrue?
    Because this seems to be the premise on which all the software we've
    been talking about (including ipfw) is based.

    > Or that a webbrowser with known security holes would be reasonably
    > acceptable.


    I don't think I said that. Anyway, I rather suspect that all web
    browsers have security holes, it's just a question of whether anyone has
    put the effort in to find them - a trust decision, and a problem for sure.
    Isn't this the standard tradeoff (ie. if i don't run anything I'm really
    secure but can't do anything useful; if I run this thing then I can do
    more but I'm a bit less secure. And the point of security software is to
    try and edge that balance to the more secure end of the spectrum?



  7. Re: Kaspersky anti-virus undermines firewall

    graham wrote:

    >>> eh.. so the "personal firewall" can't effectively be used to control
    >>> outbound connections.

    >>
    >> It can't anyway. Thus, it's no loss at all.

    >
    > Why can't it? Are you saying that all personal firewall products are
    > faking it? Or only detecting apps that "play nice" ?


    A mixture of both. The latter being the general reason.

    > as above - y doesn't it work? It certainly appears to - after all I set
    > some rule in the personal firewall, and hey presto, when such and such
    > an app tries to make an outbound connection the firewall detects it (and
    > can potentially block it).


    After all, this is exactly why this stuff sells so well. Apparently it does
    work - and you won't recognize the cases where it fails. Well, such cases
    are so trivial to construct.

    >> And I don't care. If the application is malicious, then there's nothing you
    >> can do.

    >
    > I guess there are degrees (some apps might not be considered malicious,
    > more privacy infringing, and I'd still want to be able to prevent their
    > constant dial-homes),


    So what? They are malicious.

    > but are you saying that if truly malicious then a firewall simply can't
    > prevent itself from being subverted/bypassed/overcome in some way?


    Yes, that's what I'm saying. Welcome to reality!

    >> So what? Wishes are exactly not what security is. And virus scanners can't
    >> protect against malicious applications, they can serve as intrusion
    >> detection system at best. In most cases, you really have to assume that the
    >> malicious application doesn't get detected, because no signature is
    >> available and the creator for sure checked it against existing signatures.

    >
    > Yeah, that's what I meant (by the exclamation mark; not very obvious I
    > guess): that one can't completely rely on the AV. So my reasoning is
    > that in cases where the malicious app isn't detected by the AV, the
    > firewall is a second level of protection.


    Very very far away from the truth. Hey, virus scanners seem to have at least
    a little effect in reality, but "firewalls" fail so blatantly.

    > (And in case where it's not malicious as such, but possibly subjectively
    > undesirable, like say media player just playing the cd and not doing
    > goodness knows what;


    Then it's malicious. Or you're just too stupid to configure it correctly.
    After all, which media player does such a thing as you claim?

    > Or finding that a piece of software supposedly
    > uninstalled has left a remnant behind which is phoning home in the
    > background - McAfee did this and I wouldn't have known about it without
    > a pfw).


    Then you're really a loser. Trying to achieve security through a host-based
    packet filter, but even too stupid for such simple commands as 'netstat'?

    > On the aside of intrusion detection - seems to me that ultimately this
    > is what it comes down to - AVs, firewalls, etc all play a part in
    > prevention, but since it's not guaranteed one has to have detection.


    Quite the contrary. None of these can protect, they can at best detect.

    > Worst case is to "catch" something and not know - prevention is better;
    > knowing early is good; not knowing at all is bad.


    Well, what about actually implementing prevention? You said you have some
    software spying on you? I wouldn't even have installed it in first place.
    Software didn't uninstall properly? Dude, my software doesn't need either
    installation or deinstallation, uninstalling is just a matter of deleting
    the application folder and that's it. WTF are you doing to your system?

    >> At first, matching for applications is superfluous nonsense.

    >
    > how so? Surely all security comes down to determining trust, at some
    > level of granularity, in this case deciding which apps are to be
    > trusted? eg. If some app X tries to access the internet (or my ISP mail
    > server or whatever) then the fact that I've configured only http access
    > for mozilla, and smtp for whatever should assure its interception,
    > shouldn't it?


    Definitely not. What stops malicious software to remote control Mozilla to
    upload all your files to a certain software? Well, exactly nothing!

    >> For the second, it's no firewall. At third, it's not solid, but known
    >> to be very error-prone.

    >
    > Very interesting - could you point me at details?




    For the latter, just keep reading this NG or read some forums - the number
    of people which come up and say "dude, my personal firewall makes problems"
    is overwhelming. KIS has its part, too. The problem is usually solved with
    uninstalling it, whereas not even deactivating it worked - that's a typical
    eye-opener for those who think that such software is not a big piece of
    crap just because it sells so well.

    > But as you say, ipfw doesn't take account of the source application - so
    > the granularity of control is either all applications or none; if I want
    > to allow, say, smtp from one particular application I have to allow it
    > for all.


    And that's what it bogs down to anyway, since there's no chance that such
    an application control could even particularly work in any reliable way.
    And legitimate applications don't require such granularity, since they
    don't do such stuff by definition.

    > I don't see why what I'm trying to achieve is a flawed concept - I want
    > to know, and be able to prevent, which application is making outbound
    > connection.


    Then you have to cut out every interprocess communication. No more copy &
    paste, no drag & drop, no remote controlling, no OLE, no DDE, no local
    loopback NIC, and all application data have to be fully separated in
    filesystem and configuration data. And your system becomes unusable. Not to
    mention this would be impossible on Windows and pretty hard on Unix.

    And this is why you're lacking a concept: your wishes are not even
    particularly fulfillable in reality.

    And that's where you should take the consequences: These things don't work,
    thus you have to address the more fundamental issue - not running malicious
    applications in first place. And getting a good concept how to evaluate the
    trustworthiness of software.

    > How can the software both be flawed yet not have defects?


    I just said that your problem is not related to the flaws in the software.
    Thus, even if the software would be flawless and perfect and complete, your
    problem would be unsolvable.

    >> Heck, you even believe that the creators of exploits wouldn't obfuscate
    >> them to make them undetectable.

    >
    > of course they would try to do this - if they all waved little red flags
    > we wouldn't need detection software at all! To what extent
    > "undetectable" can be achieved I don't know.


    eval(AES_decrypt("longAESencryptedexploit", document.location));

    Until the software emulates an entire JavaScript engine and captures all
    relevant data, it won't work.

    And actually you can encode the every step of an exploit into pure side
    effects. And then it's even theoretically impossible to verify what's
    actually going on.

    >> Or that an application could be controlled.

    >
    > I'm under the impression that privileged processes can interpose
    > themselves in appropriate places to control some of what an application
    > might try to do - eg. intercept and allow/prevent registry changes;
    > intercept and allow/prevent network accesses, etc.
    > Is this untrue?


    No. But it's trivially circumvented if you allow just one little legitimate
    application.

    > Because this seems to be the premise on which all the software we've
    > been talking about (including ipfw) is based.


    That's what the entire security concept of most OSes is based on. But
    they're making clear all-or-nothing decisions based on security contexts.
    And that's why most don't even care for controlling network access.

    >> Or that a webbrowser with known security holes would be reasonably
    >> acceptable.

    >
    > I don't think I said that. Anyway, I rather suspect that all web
    > browsers have security holes, it's just a question of whether anyone has
    > put the effort in to find them - a trust decision, and a problem for sure.


    Known security holes == the public knows about the security hole, there has
    been an updated version of the browser, but the hole was not fixed. And I
    know only one where this applies: IE, where the oldest security hole now
    celebrates its third year, and currently more than 20 are known. Well, if
    you even call it a webbrowser, since it's officially documented to be
    unsuitable for being used on the WWW.

    > And the point of security software is to try and edge that balance to the
    > more secure end of the spectrum?


    The point of serious security software is to provide tools for the
    competent administrator to help implementing security strategies.
    Technology is not a panacea. Without any clue and without any concept,
    you'll just achieve the contrary or at best nothing at all.
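Graham's point in the opening post (the scanning proxy collapses every HTTP request into one process, so the firewall cannot tell which program asked for it) and Sebastian's `netstat` remark above can both be checked against a connection table. The following is an added example, not code from the thread, from Kaspersky or from any firewall product: it parses constructed `netstat -ano`-style rows together with a constructed PID-to-image map (on a real machine `tasklist` would supply it), separates connections that leave the host directly from those owned by the proxy, and lists the local processes that handed requests to the proxy. The process names, ports and addresses are made up for the example; the proxy image name `kavproxy.exe` in particular is a placeholder.

```python
"""Group outbound TCP connections by owning process from `netstat -ano`-style
output, and show how a local scanning proxy hides the real originator.

Added example; not from the thread. The netstat rows and the PID-to-image map
are constructed sample data (a real session would take them from
`netstat -ano` and `tasklist` on Windows). 'kavproxy.exe' is a placeholder
name for the scanning proxy, not a real image name."""
import ipaddress
from collections import defaultdict

# Constructed sample: Windows `netstat -ano` style rows (Proto, Local, Foreign, State, PID).
# PID 1200 is the scanning proxy: it listens on 127.0.0.1:1110 and owns the
# connections that actually leave the machine on port 80.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1110         0.0.0.0:0              LISTENING       1200
  TCP    127.0.0.1:3011         127.0.0.1:1110         ESTABLISHED     2044
  TCP    127.0.0.1:3012         127.0.0.1:1110         ESTABLISHED     3390
  TCP    192.168.1.20:3013      203.0.113.10:80        ESTABLISHED     1200
  TCP    192.168.1.20:3014      203.0.113.77:80        ESTABLISHED     1200
  TCP    192.168.1.20:3015      198.51.100.5:25        ESTABLISHED     3390
"""

# Constructed sample: PID -> image name, as `tasklist` would report it.
PID_TO_IMAGE = {1200: "kavproxy.exe", 2044: "firefox.exe", 3390: "leftover.exe"}


def split_endpoint(s):
    """'192.168.1.20:3013' -> ('192.168.1.20', 3013)."""
    host, _, port = s.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return one dict per TCP row; the header and non-TCP rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, remote, state, pid = parts
        conns.append({"proto": proto, "local": split_endpoint(local),
                      "remote": split_endpoint(remote), "state": state,
                      "pid": int(pid)})
    return conns


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def listening_ports(conns, pid):
    return {c["local"][1] for c in conns if c["pid"] == pid and c["state"] == "LISTENING"}


def attribute_outbound(conns, pid_to_image, proxy_pid):
    """Split established connections into three views.

    direct:      image name -> external endpoints it opened itself
    via_proxy:   external endpoints opened by the proxy process
    originators: images connected into the proxy's listening port; the table
                 cannot say which of them caused which via_proxy connection,
                 which is exactly the attribution a per-application firewall loses.
    """
    direct = defaultdict(list)
    via_proxy = []
    originators = set()
    proxy_ports = listening_ports(conns, proxy_pid)
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        rhost, rport = c["remote"]
        name = pid_to_image.get(c["pid"], f"pid {c['pid']}")
        if is_loopback(rhost):
            # A local client handing its request to the proxy; the firewall sees only this hop.
            if rport in proxy_ports and c["pid"] != proxy_pid:
                originators.add(name)
            continue
        if c["pid"] == proxy_pid:
            via_proxy.append(f"{rhost}:{rport}")
        else:
            direct[name].append(f"{rhost}:{rport}")
    return dict(direct), via_proxy, originators


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    direct, via_proxy, originators = attribute_outbound(conns, PID_TO_IMAGE, 1200)
    print("direct:", direct)
    print("via proxy:", via_proxy)
    print("could be behind the proxy:", sorted(originators))
```

In the sample, the SMTP connection from `leftover.exe` is attributed cleanly because it bypasses the proxy, which is the kind of remnant graham describes finding; the two port-80 connections, by contrast, belong to the proxy, and the most the table can say is that either `firefox.exe` or `leftover.exe` is behind them.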

  8. Re: Kaspersky anti-virus undermines firewall

    Sebastian Gottschalk wrote:
    > graham wrote:
    >
    >>>> eh.. so the "personal firewall" can't effectively be used to control
    >>>> outbound connections.
    >>> It can't anyway. Thus, it's no loss at all.

    >> Why can't it? Are you saying that all personal firewall products are
    >> faking it? Or only detecting apps that "play nice" ?

    >
    > A mixture of both. The latter being the general reason.
    >
    >> as above - why doesn't it work? It certainly appears to - after all I set
    >> some rule in the personal firewall, and hey presto, when such and such
    >> an app tries to make an outbound connection the firewall detects it (and
    >> can potentially block it).

    >
    > After all, this is exactly why this stuff sells so well. Apparently it does
    > work - and you won't recognize the cases where it fails. Well, such cases
    > are so trivial to construct.
    >
    >>> And I don't care. If the application is malicious, then there's nothing you
    >>> can do.

    >> I guess there are degrees (some apps might not be considered malicious,
    >> more privacy infringing, and I'd still want to be able to prevent their
    >> constant dial-homes),

    >
    > So what? They are malicious.
    >
    >> but are you saying that if truly malicious then a firewall simply can't
    >> prevent itself from being subverted/bypassed/overcome in some way?

    >
    > Yes, that's what I'm saying. Welcome to reality!
    >
    >>> So what? Wishes are exactly not what security is. And virusscanners can't
    >>> protect against malicious applications, they can serve as intrusion
    >>> detection system at best. In most cases, you really have to assume that the
    >>> malicious application doesn't get detected, because no signature is
    >>> available and the creator for sure checked it against existing signatures.

    >> Yeah, that's what I meant (by the exclamation mark; not very obvious i
    >> guess): that one can't completely rely on the AV. So my reasoning is
    >> that in cases where the malicious app isn't detected by the AV, the
    >> firewall is a second level of protection.

    >
    > Very very far away from the truth. Hey, virusscanner seem to have at least
    > a little effect in reality, but "firewalls" fail so blatantly.
    >
    >> (And in case where it's not malicious as such, but possibly subjectively
    >> undesirable, like say media player just playing the cd and not doing
    >> goodness knows what;

    >
    > Then it's malicious. Or you're just too stupid to configure it correctly.
    > After all, which media player does such a thing as you claim?
    >
    >> Or finding that a piece of software supposedly
    >> uninstalled has left a remnant behind which is phoning home in the
    >> background - mcaffee did this and I wouldn't have known about it without
    >> a pfw).

    >
    > Then you're really a loser. Trying to achieve security through a host-based
    > packet filter, but even too stupid for such simple commands as 'netstat'?
    >
    >> On the aside of intrusion detection - seems to me that ultimately this
    >> is what it comes down to - AVs, firewalls, etc all play a part in
    >> prevention, but since it's not guaranteed one has to have detection.

    >
    > Quite the contrary. None of these can protect, they can at best detect.
    >
    >> Worst case is to "catch" something and not know - prevention is better;
    >> knowing early is good; not knowing at all is bad.

    >
    > Well, what about actually implementing prevention? You said you have some
    > software spying on you? I wouldn't even have installed it in first place.
    > Software didn't uninstall properly? Dude, my software doesn't need either
    > installation or deinstallation, uninstalling is just a matter of deleting
    > the application folder and that's it. WTF are you doing to your system?
    >
    >>> At first, matching for applications is superfluous nonsense.

    >> how so? Surely all security comes down to determining trust, at some
    >> level of granularity, in this case deciding which apps are to be
    >> trusted? eg. If some app X tries to access the internet (or my ISP mail
    >> server or whatever) then the fact that I've configured only http access
    >> for mozilla, and smtp for whatever should assure its interception,
    >> shouldn't it?

    >
    > Definitely not. What stops malicious software to remote control Mozilla to
    > upload all your files to a certain software? Well, exactly nothing!
    >
    >>> For the second, it's no firewall. At third, it's not solid, but known
    >>> to be very error-prone.

    >> Very interesting - could you point me at details?

    >
    >
    >
    > For the latter, just keep reading this NG or read some forums - the number
    > of people which come up and say "dude, my personal firewall makes problems"
    > is overwhelming. KIS has its part, too. The problem is usually solved with
    > uninstalling it, whereas not even deactivating it worked - that's a typical
    > eye-opener for those who think that such software is not a big piece of
    > crap just because it sells so well.
    >
    >> But as you say, ipfw doesn't take account of the source application - so
    >> the granularity of control is either all applications or none; if I want
    >> to allow, say, smtp from one particular application I have to allow it
    >> for all.

    >
    > And that's what it bogs down to anyway, since there's no chance that such
    > an application control could even particularly work in any reliable way.
    > And legitimate applications don't require such granularity, since they
    > don't do such stuff by definition.
    >
    >> I don't see why what I'm trying to achieve is a flawed concept - I want
    >> to know, and be able to prevent, which application is making outbound
    >> connection.

    >
    > Then you have to cut out every interprocess communication. No more copy &
    > paste, no drag & drop, no remote controlling, no OLE, no DDE, no local
    > loopback NIC, and all application data have to be fully separated in
    > filesystem and configuration data. And your system becomes unusable. Not to
    > mention this would be impossible on Windows and pretty hard on Unix.
    >
    > And this is why you're lacking a concept: your wishes are not even
    > particularly fulfillable in reality.
    >
    > And that's where you should take the consequences: These things don't work,
    > thus you have to address the more fundamental issue - not running malicious
    > applications in first place. And getting a good concept how to evaluate the
    > trustworthiness of software.
    >
    >> How can the software both be flawed yet not have defects?

    >
    > I just said that your problem is not related to the flaws in the software.
    > Thus, even if the software would be flawless and perfect and complete, your
    > problem would be unsolvable.
    >
    >>> Heck, you even believe that the creators of exploits wouldn't obfuscate
    >>> them to make them undetectable.

    >> of course they would try to do this - if they all waved little red flags
    >> we wouldn't need detection software at all! To what extent
    >> "undetectable" can be achieved I don't know.

    >
    > eval(AES_decrypt("longAESencryptedexploit", document.location));
    >
    > Until the software emulates an entire JavaScript engine and captures all
    > relevant data, it won't work.
    >
    > And actually you can encode every step of an exploit into pure side
    > effects. And then it's even theoretically impossible to verify what's
    > actually going on.
    >
    >>> Or that an application could be controlled.

    >> I'm under the impression that privileged processes can interpose
    >> themselves in appropriate places to control some of what an application
    >> might try to do - eg. intercept and allow/prevent registry changes;
    >> intercept and allow/prevent network accesses, etc.
    >> Is this untrue?

    >
    > No. But it's trivially circumvented if you allow just one little legitimate
    > application.
    >
    >> Because this seems to be the premise on which all the software we've
    >> been talking about (including ipfw) is based.

    >
    > That's what the entire security concept of most OSes is based on. But
    > they're making clear all-or-nothing decisions based on security contexts.
    > And that's why most don't even care for controlling network access.
    >
    >>> Or that a webbrowser with known security holes would be reasonably
    >>> acceptable.

    >> I don't think I said that. Anyway, I rather suspect that all web
    >> browsers have security holes, it's just a question of whether anyone has
    >> put the effort in to find them - a trust decision, and a problem for sure.

    >
    > Known security holes == the public knows about the security hole, there has
    > been an updated version of the browser, but the hole was not fixed. And I
    > know only one where this applies: IE, where the oldest security now
    > celebrates the third year, and currently more than 20 being known. Well, if
    > you even call it a webbrowser, since it's officially documented to be
    > unsuitable for being used on the WWW.
    >
    >> And the point of security software is to try and edge that balance to the
    >> more secure end of the spectrum?

    >
    > The point of serious security software is to provide tools for the
    > competent administrator to help implementing security strategies.
    > Technology is not a panacea. Without any clue and without any concept,
    > you'll just achieve the contrary or at best nothing at all.


    Look, folks, the bottom line is, leave computers to the experts. Throw
    out your home PC. Let's go back to the 60's. Us nerds were happy then
    in a world where there was no interference from that ignoramus Joe
    Public ;-)

    --
    Wilf
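A concrete version of two points raised in the quoted exchange above, added here as an example and not taken from the thread or from any of the products it names: the original poster's complaint that a scanning proxy makes every outbound HTTP request look like it comes from the AV process, and the reply that plain `netstat` already shows which process owns which connection. The script parses constructed Windows `netstat -ano` and `tasklist /fo csv` output (sample text, process names, PIDs, addresses and the proxy port 1110 are all made up), attributes outbound connections to their owning process, and then recovers the real originators hidden behind the proxy by looking at the loopback side: whoever is connected to the proxy's listening port is the application whose traffic the proxy is relaying. That is the per-application view the personal firewall loses once the proxy sits in the path.

```python
"""Attribute outbound connections to processes and recover the originator
behind a local scanning proxy.

Added example, not from the thread. The netstat/tasklist text below is
constructed to look like Windows output; process names, PIDs, addresses
and the proxy port are hypothetical."""
import csv
import io
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto laddr lport faddr fport state pid")

PROXY_PORT = 1110                       # hypothetical local proxy port
ALLOWED = {"av_proxy.exe", "browser.exe"}   # processes expected to talk out

# Constructed sample of `netstat -ano`: the proxy (PID 1234) listens on
# 127.0.0.1:1110, two local processes talk to it, and the proxy alone
# holds the real outbound HTTP connections.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:1110         0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:1110         127.0.0.1:49321        ESTABLISHED     1234
  TCP    127.0.0.1:1110         127.0.0.1:49322        ESTABLISHED     1234
  TCP    127.0.0.1:49321        127.0.0.1:1110         ESTABLISHED     2210
  TCP    127.0.0.1:49322        127.0.0.1:1110         ESTABLISHED     3350
  TCP    192.168.1.10:49330     93.184.216.34:80       ESTABLISHED     1234
  TCP    192.168.1.10:49331     198.51.100.7:80        ESTABLISHED     1234
  TCP    192.168.1.10:49340     203.0.113.5:443        ESTABLISHED     2210
  UDP    0.0.0.0:500            *:*                                    1016
"""

# Constructed sample of `tasklist /fo csv`, mapping PIDs to image names.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","880","Services","0","8,120 K"
"av_proxy.exe","1234","Console","1","41,000 K"
"browser.exe","2210","Console","1","180,512 K"
"leftover_updater.exe","3350","Console","1","6,004 K"
"""

# proto, local addr:port, foreign addr:port, optional state (UDP has none), PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one Conn per connection line; banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        conns.append(Conn(proto, laddr, int(lport), faddr,
                          int(fport) if fport.isdigit() else None,
                          state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def outbound_by_process(conns, procs):
    """Established TCP connections to non-loopback peers, grouped by owning process.
    With a scanning proxy in place, all HTTP shows up under the proxy's name here."""
    out = defaultdict(list)
    for c in conns:
        if c.proto == "TCP" and c.state == "ESTABLISHED" and not is_loopback(c.faddr):
            out[procs.get(c.pid, f"pid:{c.pid}")].append((c.faddr, c.fport))
    return dict(out)


def proxy_clients(conns, procs, proxy_port):
    """Processes connected to the proxy's loopback listener: the real originators
    of whatever the proxy fetches on their behalf."""
    return {procs.get(c.pid, f"pid:{c.pid}") for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED"
            and is_loopback(c.faddr) and c.fport == proxy_port}


def unexpected_talkers(conns, procs, proxy_port, allowed):
    """Processes with outbound traffic (direct or via the proxy) not on the allow-list."""
    direct = set(outbound_by_process(conns, procs))
    via_proxy = proxy_clients(conns, procs, proxy_port)
    return sorted((direct | via_proxy) - set(allowed))


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for name, peers in outbound_by_process(conns, procs).items():
        print(f"{name} -> {peers}")
    print("behind proxy:", sorted(proxy_clients(conns, procs, PROXY_PORT)))
    print("unexpected:", unexpected_talkers(conns, procs, PROXY_PORT, ALLOWED))
```

On the constructed sample, the direct view attributes both port-80 connections to `av_proxy.exe` and only the HTTPS connection to `browser.exe`, which is exactly the blind spot described in the thread; the loopback view then names `browser.exe` and `leftover_updater.exe` as the processes behind the proxy, and the leftover updater is the one not on the allow-list. Against a live machine you would feed the functions the real command output instead of the samples; the correlation logic is the same.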

  9. Re: Kaspersky anti-virus undermines firewall

    Wilf wrote:

    [uff, big long fullquote snipped]

    > Look, folks, the bottom line is, leave computers to the experts.


    No. Leave it to someone who is competent. Hence, if this is not you, you
    might pay someone for adequate service. At any rate, you can't deny
    responsibility.
