Re: Tips on blocking 'difficult' services..
- From: "Bogwitch" <Bogwitch@xxxxxxxxxxxxxxxxxxx>
- Date: Tue, 05 Dec 2006 17:26:34 GMT
"Sebastian Gottschalk" <seppi@xxxxxxxxx> wrote in message
news:4tlfs4F14le1iU2@xxxxxxxxxxxxxxxx
> arja wrote:
>> "Sebastian Gottschalk" <seppi@xxxxxxxxx> wrote in message
>> news:4tk7bhF13sddtU1@xxxxxxxxxxxxxxxx
>>> arja wrote:
>>> And worse, you always forget ports.
>>> And even worse, you can run all of these protocols over any port you want.
>>> Now when will people stop following this "outbound filtering" nonsense?
>> Never, because it often provides useful information in case of an
>> infection.
> OK, at first you may provide me with a "personal firewall" that provides
> useful information. At next, you may present one that provides information
> in case of an infection.
> And then we might discuss how serious Intrusion Detection Systems are
> implemented.
I hesitated to reply to this, but since you're in the business of
providing good information I thought I might share.
Now, please be aware that I'm now talking about a home Internet
connected PC, not sat behind a firewall, as I used to have set up.
I use the system regularly, I use MS apps, and I go to 'dodgy' sites in
order to collect infectious material. Not a standard user.
I used AtGuard, a reasonably good firewall (and, dare I say, IDS). It
provides useful information in so far as I could see the purported IP
address of intrusion attempts. It provided useful information if a piece
of malware infected my system, as I could (using outbound port blocking)
see what connections the malware was trying to make, therefore
providing useful information in the case of infection.
One particular piece of malware infected explorer.exe and attempted to
spew spam out on port 25.
Now, I'll have to admit at this point that I did not allow ANY software
to freely spew on port 25, but AtGuard would have picked it up anyway, as
explorer.exe should not be communicating over the Internet, let alone
on port 25. Hence an infection detection.
Sure, it took further research to identify the culprit DLL, which was
then submitted to my AV companies of choice as it was not detected by
them.
OK, so as I said before, it is not a standard user setup, but it is a
case that required an outbound port blocking firewall and it worked as
required.
Incidentally, I still use AtGuard when users where I work bring in software
they have a genuine business requirement to use, to check what
connections the software attempts to make.
I would be interested to hear how you would perform the task described.
I am happy with the results I have achieved, but I'm sure there would be
alternative and better ways to get there.
Bogwitch
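The detection Bogwitch describes, a default-deny outbound policy keyed on the originating process so that explorer.exe talking to port 25 stands out, can be written down as a small policy check over a per-process connection log. The block below is an added example and is not code from the post or from AtGuard; the log line format, the process allowlist and the sample log lines are constructed for illustration and do not reflect AtGuard's real log format.

```python
"""Per-process outbound policy check over a constructed connection log.

Added example, not code from the post or from AtGuard. The log format,
the process allowlist and the sample lines are assumptions made for
illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical log format (constructed; AtGuard's real format is not on the page):
# "<date> <time> OUT <proto> <image> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT (?P<proto>TCP|UDP) (?P<image>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Default-deny allowlist: image -> destination ports it may use. Any process
# not listed gets no outbound access at all, which is exactly what makes an
# infected explorer.exe visible the moment it tries to talk to the Internet.
ALLOW: Dict[str, Set[int]] = {
    "iexplore.exe": {80, 443},
    "outlook.exe": {25, 110, 143},
    "svchost.exe": {53, 123},
}

# Ports that almost never belong to a non-mail process. A hit here from an
# unexpected image is a strong infection signal on its own (spam relaying).
MAIL_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Finding:
    image: str
    dst: str
    dport: int
    reason: str
    severity: str


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; raise on anything that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the default-deny policy to one parsed event; None means allowed."""
    image, dst, dport = event["image"], event["dst"], event["dport"]
    allowed = ALLOW.get(image)
    mail = dport in MAIL_PORTS
    if allowed is None:
        # Unknown process: blocked outright. Escalate if it is reaching for SMTP.
        return Finding(image, dst, dport, "process has no outbound permission",
                       "high" if mail else "medium")
    if dport not in allowed:
        return Finding(image, dst, dport, "port not permitted for this process",
                       "high" if mail else "low")
    return None


def audit(log_text: str) -> List[Finding]:
    """Run every non-empty line of a log through the policy; keep the blocks."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            f = evaluate(parse_line(line))
            if f is not None:
                findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[Tuple[str, int], int]:
    """Count blocked attempts per (image, port): repeats are what prompt a DLL hunt."""
    counts: Dict[Tuple[str, int], int] = {}
    for f in findings:
        key = (f.image, f.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log: two legitimate connections, a DNS lookup, a browser
# reaching an IRC port, and explorer.exe trying to reach two SMTP servers.
SAMPLE_LOG = """\
2006-12-05 17:01:02 OUT TCP iexplore.exe 192.168.1.10:1043 -> 203.0.113.5:80
2006-12-05 17:01:03 OUT TCP outlook.exe 192.168.1.10:1044 -> 203.0.113.9:25
2006-12-05 17:01:05 OUT TCP explorer.exe 192.168.1.10:1045 -> 198.51.100.7:25
2006-12-05 17:01:05 OUT TCP explorer.exe 192.168.1.10:1046 -> 198.51.100.8:25
2006-12-05 17:01:06 OUT UDP svchost.exe 192.168.1.10:1047 -> 192.168.1.1:53
2006-12-05 17:01:08 OUT TCP iexplore.exe 192.168.1.10:1048 -> 203.0.113.5:6667
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity}] {f.image} -> {f.dst}:{f.dport}: {f.reason}")
    print(summarize(audit(SAMPLE_LOG)))
```

The allowlist is per image name only, so a process that injects into an allowed image (the post's explorer.exe case is one such host, an infected iexplore.exe would be another) is only caught when it uses a port that image is not permitted; that is the limit of port-based outbound filtering and the reason the post still needed "further research" to find the DLL.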