Re: BlackIce (with 3/2002 defs) / Sygate Pro does not detect Nimda

From: Alexander Delarge (alex@nowhere.com)
Date: 03/08/03

"Thunking" <thunking@hotmail.com> wrote in message
news:ssiaa.5449$aq6.4906794@news3.news.adelphia.net...
> I set a simple test to determine if BlackIce PC protection, which from
> what I hear on this board, is the premier IDS solution for consumer use, is
> capable of detecting and more importantly, blocking Nimda.
>
> I infected an IIS webserver with Nimda, and then from the machine running
> BlackIce I browsed the infected web page on that web server. Interestingly,
> BlackIce popped up a message "readme[1].exe is attempting to execute". If I
> chose "Terminate", the machine wouldn't get infected. If I chose
> "Continue", the machine got infected. I was expecting to see a message
> indicating an infection attempt by Nimda. Any ideas?
>
> I tried a similar test with the latest Sygate Firewall Pro. It fared even
> worse, with no alert at all.

No firewall, IDS, or computer can ever compensate for the stupidity of its
user. If you think installing software and clicking buttons will make your
systems secure, you are very misinformed.

In your tests, BI performed exactly as it should. If your machine was
actually infected you would have seen the RICHED32.DLL alert triggered.

For more entertaining tests, put BI on your IIS web server, then try to feed
it Code Red or some other worm. It will automatically respond and block your
IP address. It will also identify the attack, capture the packets in a trace
file, and if you were using the corporate version of BI (which is a totally
different product in many ways) it would alert the central console and could
email you that this attack had taken place.

Zone, Sygate - and NONE of the other "personal firewalls" can do that. For
example, NONE of them capture trace files. I don't mean pretty little text
log files, I mean Sniffer style trace logs that capture raw frames off the
wire.

Alex