Anything that OC's FW can actually defend against?

  • Question

  • Do you know something that OC's FW can actually defend against? The only thing the FW does right now is know which programs are set to access the internet, or it doesn't even know about them. It's like having no FireWall at all - except that you get asked from time to time because there's no rule for a program, and it may cost speed (and it surely uses resources). Either it allows it or it doesn't know a **** about it. It doesn't defend against anything, which is the main purpose of a (freakin') FireWall. You'd almost be better off without it.

     

    Not only that, but it has also been under fire, for example because it blindly allows Java applications - one of the big vulnerabilities in the Windows OS, which remains in XP doing nothing but leaving you insecure if you don't uninstall it.

     

    I don't know if there can be any block alerts anyway, so why don't we change the notification option to only allow notifications? I mean, it has allowed 180Solutions before.

    Sunday, July 15, 2007 12:24 PM

Answers

  • Mr. Murphy,

     

    Unfortunately, though the ideas used by the OneCare firewall are actually quite simple, the methods used by both the OneCare and Windows firewalls to actually perform these operations are really beyond the average user. This and the confusion caused by all the 'noise' created by most firewalls when detecting outbound connections is exactly why the OneCare firewall was designed differently than earlier generations whether by Microsoft or other vendors.

     

    First, let me clarify that the Windows XP SP2 firewall was never designed to block outbound connections, only inbound which were and still are the biggest concern, since allowing these without filtering would leave you open to any new vulnerability found in a network facing service or application. The Windows Vista firewall is completely capable of being a two way firewall, however, it's not designed to do this in a 'friendly' way, but rather requires that you manually configure it. The recommended method is to configure it to block all outbound traffic by default and then manually configure only the applications, ports and protocols that are required to support your needs. Obviously this wasn't designed for the average user, but rather for skilled Network Administrators of larger networks with centralized Group Policy administration via Active Directory. There is absolutely nothing wrong with either of these firewalls, just with those that don't understand their design criteria and claim they are somehow lacking, since the Windows development group has always left more user friendly firewall design to third parties including the entirely independent Windows Live OneCare development group.

     

    As for the OneCare firewall, it was designed from the ground up in an entirely different way than earlier firewalls by other vendors, precisely to avoid the 'noisy' and confusing pop-ups whenever possible. This was accomplished by first allowing all digitally signed applications (with certificates) by default, since this identifies the application developer. Then there is a 'Firewall Policy' list similar to the antivirus signatures, but these are a list of 'good' or 'known' applications instead and are updated as frequently as possible to include new versions of major applications once they're released. Additionally, if the application is known to be 'bad' via a malware signature it will be blocked by default. Finally, if an application isn't covered by any of these the firewall will generate a pop-up to ask the user, since there's really no other way for it to make a good/bad determination. This is the simplest explanation I can give that's basically complete, without being too technical.

     

    Now within the above there are additional issues that aren't covered such as how does a 'bad' (malware) application get blocked, if it's either digitally signed (yes, it happens) or something like JavaScript, which the firewall doesn't directly handle. It's really quite simple, that's the job of the AntiVirus/AntiSpyware component of OneCare. Since OneCare isn't a stand alone monolithic application, but rather a set of supporting applications operating in parallel, it doesn't have to try to do the entire job within one application. This means that if one piece of the system doesn't detect and block some specific malware another part might. This is termed a 'layered' defense approach and is actually a much better design than trying to do everything in one layer like a firewall. That's because for a firewall to defend fully it would have to add a malware signature ability, which really isn't what it's best at doing, so the vendor has to go outside their area of expertise to make this happen.

     

    This is what is meant by Windows Live OneCare Protection Plus, a complete set of protection applications that work together, which is why you can't break up the parts and use them separately. They are designed and intended to work together to give you complete protection, since matching individual applications from different vendors to make this happen is nearly impossible, especially for non-technical users.

     

    So your issue with how the OneCare firewall works comes from the fact that you are attempting to look at it as a stand alone item, which it isn't. It's part of the OneCare suite of protection that works together as a team to protect your PC. This way if something new and unknown attacks your PC at least one portion of the protection may have a chance at catching the attack and notifying you, such as when the firewall notifies you of an unknown application attempting to make outbound contact. If you choose badly when this happens, there's really nothing that any product can do, which is why the OneCare firewall blocks by default, to give you one last chance to make a good decision.

     

    OneCareBear

    Monday, July 16, 2007 10:05 PM
    Moderator
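The "block all outbound by default and then allow only the applications, ports and protocols you need" configuration described in the answer above, as an added example that is not part of the thread and not Microsoft's own documentation. It uses the Vista-era netsh advfirewall context from an elevated PowerShell window (the same commands work in cmd.exe). The rule names, program paths, service name and port lists are illustrative assumptions; substitute the binaries your machine actually needs.

```powershell
# Added example, not code from the thread or from Microsoft: turn the Windows Vista
# firewall into the two-way, default-deny-outbound firewall the answer describes.
# Run in an elevated PowerShell (or cmd.exe) window. Rule names, paths and port
# lists below are assumptions for illustration only.

# 1. Record the current per-profile defaults (Domain, Private, Public) so the change can be verified.
netsh advfirewall show allprofiles

# 2. Default action: keep blocking unsolicited inbound AND block all outbound on every profile.
#    From here on, only traffic matching an explicit outbound allow rule leaves the machine.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Explicit outbound allow rules, scoped as tightly as each application permits.
#    Name resolution and DHCP must be allowed or the box looks "offline" after step 2.
netsh advfirewall firewall add rule name="Out DNS" dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name="Out DHCP" dir=out action=allow protocol=UDP localport=68 remoteport=67

#    A browser: program + protocol + ports, not a blanket "this program may talk to anything".
netsh advfirewall firewall add rule name="Out IE web" dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" protocol=TCP remoteport=80,443

#    Windows Update runs inside svchost.exe. Scope the rule to the wuauserv service rather than to
#    svchost.exe as a whole, which would silently re-open outbound for every service it hosts.
netsh advfirewall firewall add rule name="Out Windows Update" dir=out action=allow program="%SystemRoot%\system32\svchost.exe" service=wuauserv protocol=TCP remoteport=80,443

# 4. Outbound blocks produce no pop-up, so log dropped connections to see what hit the default deny.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

# 5. Verify: every profile should now read "BlockInbound,BlockOutbound", and any program
#    that does not appear in the outbound rule list below is blocked from leaving the machine.
netsh advfirewall show allprofiles | findstr /c:"Profile Settings" /c:"Firewall Policy"
netsh advfirewall firewall show rule name=all dir=out verbose | findstr /b /c:"Rule Name" /c:"Action" /c:"Program" /c:"Service"
```

Two caveats a practitioner should keep in mind when copying this: a "program" rule trusts a path, not code, so anything that can write to that path (or inject into that process) inherits its outbound allowance; and the dropped-connection log in step 4 is the only evidence of a silent block, so check it before concluding that "nothing is being blocked".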

All replies

  • I'm not sure what you mean, Mr. Murphy.

    The OneCare firewall does indeed restrict access inbound and outbound based on built in rules and settings that you can configure manually or by responding to prompts. 

    I am aware of the Java applications issue, but I'm not sure that it is as big an issue as some say it is.

    -steve

     

    Sunday, July 15, 2007 6:04 PM
    Moderator
  • I mean things like known malware, leaks - things that shouldn't come in or go out of your system. That's only an example. I can come up with more as they cross my mind.

     

    As you say "restrict access inbound and outbound" - could you describe that more thoroughly? I'm well aware of the two location settings - Home or Work and Public - which is a good start, but I'm sure there must be something else than that you mean.

     

    Have you seen block notifications yourself for things that you haven't chosen yourself - in other words, automatic defense done by the FW to protect you? Because, just to mention, that's exactly what your target group - the basic users - will need, and I can almost promise you that they'll click on allow all the time, since that's what they've learnt to do to get internet access for their applications unknown to the FW.

    Sunday, July 15, 2007 7:43 PM
  • Yes Mr. Murphy

    I have seen several malwares that have been stopped by OneCare without being given the choice of allowing or not, if that is what you want.

     

    chuck

    Sunday, July 15, 2007 9:46 PM
  • Thanks a lot for the answers. I'd still like more information if you can come up with it, like how it defends you against leaks, and screenshots for example.

     

    And Steph, do you mean anything else than the restrictions for Public Networks?

    Sunday, July 15, 2007 10:00 PM
  • OneCare doesn't throw up any messages when blocking inbound traffic - it is blocked without notice unless you have specifically allowed it. Outbound traffic - yes, I get prompted to allow applications and there are some that will be blocked without any ability to allow - some P2P applications for example.

    Public locks down the settings tighter and Home lets you do File and Printer Sharing, etc.

    -steve

    Monday, July 16, 2007 12:05 AM
    Moderator
  • Was that about leaks too?

     

    I don't know if you can post screenshots, but it would be really helpful. Otherwise, could you at least link some of the FW in action defending you?

     

    Sadly I haven't seen any great tests of OneCare's FW. I've only seen under-fire articles, and about WinXP SP2's FW which doesn't catch ANYTHING at all. It just makes me curious how this FW would be so much better according to the devs. If it's based on Vista's FW, I'm really worried, since it's only a big lie that it handles Outbound blocking. All there is are allow rules for specific things in the OS - no blocking whatsoever.

    Monday, July 16, 2007 11:55 AM
  • This forum doesn't support posting screenshots.

    OneCare *does* block outbound traffic unless the traffic is from an application in the trusted and known list updated to OneCare with the "rules" updates, or if you have modified the firewall to allow the specific application.

    -steve

    Monday, July 16, 2007 5:09 PM
    Moderator
  • First of all, I appreciate your firm reply, which should explain a lot. Second, I NEVER thought or said the FW was supposed to work alone. That's why it's always one component of three in a simple protection combo: AV, AS and FW. What I was talking about is that it should DO its job. For example, I explained one of its jobs in another topic. That was that it must block malware - best would be automatically, of course - BEFORE it even comes in a single inch, for this reason: dangerous malware, and malware in general, can compromise your security once it's come in. It can disable AV/AM software completely, leaving you helpless. It can even destroy software, like what happened to OneCare in testing. OneCare could not be accessed (or Windows Defender) in one test - it was destroyed - and in another you couldn't access the GUI anymore. This happened in the testing of OneCare 1.0 by PCMag, and I'm not sure it has improved its self-protection in the newer versions. Windows Defender practically didn't have any self-protection at all, so why would OneCare be so much better in that aspect after it has been proven it isn't?

     

    The part about noise produced by FWs has been a top-priority issue. This shows in other FWs like Kaspersky's and all the others, since they do exactly the same thing as you - recognizing the software because of the demands from the users - and I wouldn't say your contribution is better than the others. Lots and lots of software on my PC has only been a big question for OneCare's FW, while all the other vendors are improving their program recognition while keeping it extremely effective in terms of security at the same time.

     

    The most important thing wasn't that SP2's FW didn't have any Outbound Protection - it was that it didn't protect you from anything. All it did was ask if software could access the internet, and I'm not sure it would warn about malware trying to access. - Maybe they would use Outbound to send back info to the makers. Saying that it's more user-friendly than 3rd parties isn't really true. 3rd parties would actually recognize software like OneCare's does for some, and the built-in didn't for any. IT'S lacking. I'm not saying that because I think it's fun. All tests are pointing out that the built-in FW isn't protecting you - maybe not at all - and now we don't know how good the OneCare component actually is, only that it *should* protect you.

     

     

    Tuesday, July 17, 2007 12:53 PM
  • I think in Windows XP SP2 security software can easily be compromised by malware disabling it, but in Windows Vista it's much better at handling that problem, since Windows Live OneCare works alongside the UAC.

    Nothing has changed in the OneCare firewall; it has always been the same since version 1. The OneCare Firewall needs improvement, since they have not paid much attention to it or even talked about it that much. The Windows Live OneCare Firewall is almost similar to Windows Firewall protection, except that they added outbound and of course made it easier for the user. Windows Live OneCare is known to use Windows built-in applications. Are they using the Windows Vista inbound/outbound Firewall in OneCare?
    Tuesday, July 17, 2007 4:50 PM
  • Mr Murphy,

     

    First, this is not 'My' firewall, I'm just a volunteer Moderator, not part of the Microsoft development team or even an employee. Other than facts, these discussions are my opinion, based on both experience in the world of network security and more specifically spyware. Since I also use this knowledge to support friends and family I've seen both OneCare and other products at work in the 'real world' and have seen how badly many of these products really perform when non-technical users are involved. This is where OneCare has made the biggest strides, though as with any product in this field, it must be making constant improvement to keep up with changes in the security landscape. Discussing tests done by PCMag a year ago has little relevance today, especially since I have no faith in their abilities to properly test security products in the first place, but again that's my own opinion so you believe what you want.

     

    I find it interesting that you've experienced a lot of software that isn't recognized by the OneCare firewall, since to date I've had none. However, I also limit the number of ancillary programs installed on my PC since these are now the area of largest growth with respect to new vulnerabilities as the last few weeks have shown. Almost every major application such as Acrobat Reader, Apple QuickTime, Sun Java Runtime, and others have had updates released within the last month to cover newly discovered vulnerabilities. Patching these is now considered nearly as important as the OS itself, so the more software installed the higher the risk. Lack of updates from an application vendor also doesn't mean it's 'safe', it may just mean that no one is bothering to keep that application up to date. Since most major applications are known to OneCare, large numbers of unknown applications would cause me to be concerned about the obscurity and thus security of the applications themselves.

     

    The firewall in Windows XP SP2 was designed only to block inbound connections, so it had no ability to block outbound. There was also a Microsoft provided API set that allowed the addition of port exceptions to the firewall without any warning to the user. At the time that firewall was released that was considered sufficient protection since most of the hackers at the time were just 'script kiddies' using simple malware 'kits' to do nothing more than show off. Those who were producing major malware were using the Internet as a transport for Worms that attacked large numbers of hosts, so inbound protection was the primary goal. There was nothing wrong with this at that point in time and in fact this is still sufficient for most users who are careful about where they browse and have a good antivirus installed to protect from malware entering via email or other means. This design doesn't make that firewall 'bad', just obsolete for the current realities of the Internet and how some people use it.

     

    A firewall is designed to block and protect ports from being accessed by anything, not specifically malware, based on a configuration profile of some sort. In the case of OneCare, it automatically varies this based on a choice made by the user of either 'Public' or 'Home or Work' network which determines whether sharing is enabled or disabled. In the outbound direction it operates as I described above and will block anything that doesn't fit one of those rules unless you choose to override and allow it. I don't know what else you expect a firewall to do, but OneCare does that as designed from everything I've seen to this point.

     

    OneCareBear

    Tuesday, July 17, 2007 7:16 PM
    Moderator
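The API set mentioned above is the Windows Firewall COM interface (HNetCfg.FwMgr, INetFwProfile and friends) that installers on XP SP2 used to register port and program exceptions without a prompt. The check a practitioner wants is to see what has been added behind their back. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows XP SP2 or Vista with PowerShell installed, uses only documented properties of that API, and is read-only. Nothing about the entries it will find is assumed; the exception lists are whatever the machine actually holds.

```powershell
# Added example, not code from the thread: audit the Windows Firewall exception lists
# (XP SP2 / Vista) through the same COM API, HNetCfg.FwMgr / INetFwProfile, that
# installers used to add exceptions without warning the user. Read-only.
$mgr     = New-Object -ComObject HNetCfg.FwMgr
$profile = $mgr.LocalPolicy.CurrentProfile     # the profile currently in effect

"Firewall enabled        : $($profile.FirewallEnabled)"
"Exceptions not allowed  : $($profile.ExceptionsNotAllowed)"   # True = 'Don't allow exceptions'
"Notifications disabled  : $($profile.NotificationsDisabled)"  # True = no prompt when a program listens

# Ports opened for every application by the 'globally open port' exception API.
"`n== Globally open ports =="
foreach ($p in $profile.GloballyOpenPorts) {
    # NET_FW_IP_PROTOCOL: 6 = TCP, 17 = UDP
    $proto = if ($p.Protocol -eq 6) { "TCP" } elseif ($p.Protocol -eq 17) { "UDP" } else { $p.Protocol }
    "{0,-40} {1,-4} {2,-6} enabled={3} scope={4}" -f $p.Name, $proto, $p.Port, $p.Enabled, $p.Scope
}

# Program exceptions: any port this binary listens on is reachable inbound while enabled.
# An unfamiliar path or an entry you never approved is what to investigate.
"`n== Authorized applications =="
foreach ($a in $profile.AuthorizedApplications) {
    "{0,-40} enabled={1} {2}" -f $a.Name, $a.Enabled, $a.ProcessImageFileName
}

# Built-in service exceptions (File and Printer Sharing, Remote Desktop, UPnP framework).
"`n== Services =="
foreach ($s in $profile.Services) {
    "{0,-40} enabled={1}" -f $s.Name, $s.Enabled
}
```

Because the same API that adds an exception can also disable the firewall or turn off notifications, the three flags printed first are worth checking alongside the lists: a firewall that reports enabled=True with NotificationsDisabled=True has stopped telling the user about new listeners even though it is still "on".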
  • Okay, thanks for your further explanation. So, just out of curiosity, wasn't SP2's firewall (or Vista's) designed to defend you against leakage of information, like personal information? Because that's what's being tested today as one of the most important things when it comes to firewalls, and that's where SP2's firewall doesn't protect you even a bit. I'd really like to see how much it stealths you and protects you in other ways, but most of all I would like to see a test of OneCare's FW - not just under-fire articles (which on the other hand mean something, but..), but tests together with other top FW software. I've tried to search, but haven't found any results really.. Do you have any tests of OneCare's alternative that you could provide?
    Tuesday, July 17, 2007 8:58 PM
  • The XP SP2 firewall does not block *any* outbound access and only blocks all uninvited inbound. That *is* protection, though it is limited.

     

    The OneCare firewall blocks outbound that is not on the allow list or allowed by you and blocks all inbound uninvited traffic. That *is* a higher level of protection.

     

    Yes, if malware is downloaded and not detected by the antimalware protection in OneCare, you are correct - the threat can take action - up to and including disabling the critical services so that OneCare (or any other protection) becomes useless. I do believe that the antimalware team is continually striving to meet those kinds of threats head on. Is it perfect? No. Does it do a good job as an application? I believe that it does. We'll have to see how the team has progressed when 2.0 is put through the rigors of 3rd party testing. Hopefully, it will do well.

     

    -steve


    Wednesday, July 18, 2007 1:15 AM
    Moderator
  •  Mr. Murphy wrote:
    Okay, thanks for your further explanation. So, just out of curiosity, wasn't SP2's firewall (or Vista's) designed to defend you against leakage of information, like personal information? Because that's what's being tested today as one of the most important things when it comes to firewalls, and that's where SP2's firewall doesn't protect you even a bit. I'd really like to see how much it stealths you and protects you in other ways, but most of all I would like to see a test of OneCare's FW - not just under-fire articles (which on the other hand mean something, but..), but tests together with other top FW software. I've tried to search, but haven't found any results really.. Do you have any tests of OneCare's alternative that you could provide?

     

    Firewalls don't protect against "leakage" of personal information. They protect against traffic coming into a computer uninvited, and protect against an unknown program or process gaining outbound access to open the pipeline for return traffic or to transfer data outbound that may include your personal data collected by the unknown program.

     

    Nor do they protect against malware getting in, as malware comes in riding on an approved application's process - the user downloads it and activates it. This may be because they clicked a link in a web page or loaded a web page in their browser that has a nasty payload. The payload then uses a known vulnerability of that application - say the web browser - to do its work. Or a user clicks an attachment in an email or executes a downloaded file.

     

    These examples are what the real time protection of antispyware and antivirus are supposed to prevent - if the code exhibits malware like tendencies, it should be stopped. If it matches a known signature it *is* stopped.

     

    -steve

    Wednesday, July 18, 2007 1:26 AM
    Moderator
  • I respect and appreciate your replies - I really do - but let me just show two of the most respected tests, just to show *it's* supposed to block leakage of different information; #1 http://firewallleaktester.com/ or directly to the test: http://firewallleaktester.com/tests.php and #2 http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php.

     

    There it is. These are two of the user guidelines for choosing FW software. Another very important site: http://www.pcflank.com/. There you can test your FW's ability to stealth you, among other things in terms of FW security.

    Wednesday, July 18, 2007 12:02 PM
  • Mr.Murphy,

    With all respect, If you are not happy with OC then DITCH IT!!!  GET YOUR MONEY BACK!!!  Your arguing and complaining is Really annoying!!

     

    Have a nice day!

    Thursday, July 26, 2007 9:27 AM
  •  irishgirllucky wrote:

    Mr.Murphy,

    With all respect, If you are not happy with OC then DITCH IT!!!  GET YOUR MONEY BACK!!!  Your arguing and complaining is Really annoying!!

     

    Have a nice day!

    I do believe that Mr. Murphy likes OneCare. There is value in questioning the claims made about the product and the test results from 3rd parties. Some of the discussions can get heated, but I wouldn't want Mr. Murphy or anyone else to feel that they can't ask these kinds of questions.

    -steve

    Thursday, July 26, 2007 2:09 PM
    Moderator
  • I've been trying to find positive articles and/or reviews on google, searching with different terms - but all I get is big let-downs and criticism. I can't seem to find anything really good no matter what term I search.

     

    For example, the widely known and respected company Agnitum - provider of the high-performing FireWall OutPost - tested OneCare's FW to see what it provides and protects against. The review at a glance can be found here: http://www.agnitum.com/news/onecare.php  and the full version here: http://www.agnitum.com/news/securityinsight/issues/june2006

     

    As mentioned before, I've only seen many under-fire articles criticising its approach, for example allowing Java applications - a very vulnerable component of the OS, outdated and still included in XP doing nothing. The argument that signed apps. are safe isn't enough - not even a bit - it feels like a totally empty argument; neither is the argument that 'then the AM component will take care of it if it's found as malware'. Dangerous malware being let in disables and destroys AM components. That has already been shown to the security expert reviewing OneCare at PCMag, Neil J. Rubenking.

     

    Other things that were supposed to be something to be proud of - that the FW is just a shell for Vista's FW or something - are making me sick with worry. All you see as OutBound rules are allow rules - there's no protection to it, and that's the first (freakin') point of a FW to consider. We didn't install it to have it say "we recognize that program". We installed it because it should protect us. Now it feels like an empty hole with some questions.

     

     

    Now, if the devs. of the software are active here in the forum - and I really appreciate that - could you respond and explain what the FW really does to protect us and what you do for the things of the review, or is it only a choice of different zones as news?

    Sunday, July 29, 2007 12:09 PM
  • I merged your post into your original thread.

    -steve

    Monday, July 30, 2007 1:53 AM
    Moderator
  • Okay - thx Steve.

     

    Is it okay that I change the topic to 'unanswered', just to make sense and make the ones in charge notice?

     

    Tuesday, July 31, 2007 5:52 PM
  • You can mark it unanswered if you wish, but it has been answered multiple times. I'm not sure what else you would like regarding how the firewall works.

    The OneCare reviews have been mixed, I'll grant you that, but the firewall does work as advertised and the virus protection has been certified independently. It would seem to me that you will only consider the thread answered if a 3rd party review came out that was very favorable towards OneCare.

     

    -steve

     

    Tuesday, July 31, 2007 6:06 PM
    Moderator
  •  Mr. Murphy wrote:

    I've been trying to find positive articles and/or reviews on google, searching with different terms - but all I get is big let-downs and criticism. I can't seem to find anything really good no matter what term I search.

     

    For example, the widely known and respected company Agnitum - provider of the high-performing FireWall OutPost - tested OneCare's FW to see what it provides and protects against. The review at a glance can be found here: http://www.agnitum.com/news/onecare.php  and the full version here: http://www.agnitum.com/news/securityinsight/issues/june2006

    If you will accept an afternoon of playing by a Product Marketing Manager of a [partially] competing product as a valid test, then you'll never recognize a real test if you see it. If you read closely you'll notice the references to 'predatory pricing', which implies that the writer is concerned what OneCare might do to his company's bottom line, which is exactly what I'd expect a Marketing person to be concerned about and the only thing he's competent to discuss.

     

    Personally, as a customer I'm quite happy that OneCare is reasonably priced complete protection. Individual specialty products like those Agnitum produces are expected to excel in their product area. If they didn't why would anyone ever choose them over the much more cost effective product suites in the first place, no matter who produces them?

     

     Mr. Murphy wrote:

    As mentioned before, I've only seen many under-fire articles criticising its approach, for example allowing Java applications - a very vulnerable component of the OS, outdated and still included in XP doing nothing. The argument that signed apps. are safe isn't enough - not even a bit - it feels like a totally empty argument; neither is the argument that 'then the AM component will take care of it if it's found as malware'. Dangerous malware being let in disables and destroys AM components. That has already been shown to the security expert reviewing OneCare at PCMag, Neil J. Rubenking.

    Though much noise was made about this around the time OneCare first released, it's died out completely since then. Likely this is because it really wasn't the proper concern in the first place; the larger issue was with the inadequate security of the third-party Sun JRE and its update strategy. However, that's a separate issue, so to address your specific concern about Java code, it's again the job of the AntiVirus to deal with this malicious code. See the Windows Live OneCare Team Blog: Firewall and Windows OneCare – a multi-layered defense, which discussed the issue at that time.

     

    Since anything entering the file system is always handed to the AntiVirus first, before being passed to any other application, it will be detected before it can become operational, which means it can't disable the AntiMalware components. The entire assumption here is a fallacy anyway, because the same issue would affect any AntiMalware application, firewall or otherwise. This is why outbound firewall leak tests have little true value, since the malware would simply disable the anti-leak software before sending out the information anyway.

     Mr. Murphy wrote:

    Another thing that was supposed to be something to be proud of, that the FW is just a shell for Vista's FW or something, is making me sick with worry. All you see as OutBound rules are allow rules - there's no protection to it, and that's the first (freakin') point with a FW to consider. We didn't install it to have it say "we recognize that program". We installed it because it should protect us. Now it feels like an empty hole with some questions.

    All Vista firewalls simply use the provided Windows Filtering Platform API set, which is the same base that the Windows Vista firewall itself was built on. They may make different decisions relating to how to allow configuration or limit initial access to applications, but they're all really the same underneath. This is why the other vendors are so concerned: the only things that differentiate them are configuration and GUI differences, so what kind of story do they really have to tell?

     Mr. Murphy wrote:

    Now, if the devs. of the software are active here in the forum - and I really appreciate that - could you respond and explain what the FW really does to protect us and what you do for the things of the review, or is it only a choice of different zones as news?

    Not sure what they could tell you that we already haven't, since most of what we've stated has come from them originally. I'd suggest reading the firewall article link above and any others you find there, since those are the official postings made by the development team members while OneCare was being built.

    OneCare does things differently than most individual standalone products. It combines and layers several types of protection together in a complete package. This means that isolating an individual component to test or discuss has no real meaning, which other security vendors understand yet still attempt to exploit. Over time, as more and more users try OneCare, it will become clear that its cooperative approach is stronger than most and leads to a better overall protection of the PC, despite what competitors might want you to believe.

    OneCareBear
    Tuesday, July 31, 2007 7:45 PM
    Moderator
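The exchange above turns on the fact that the Vista-era firewalls share the Windows Filtering Platform underneath and differ mainly in how outbound access is configured. As an added illustration, not code from this thread, from OneCare or from Microsoft, here is the default-deny outbound configuration for the built-in Windows Firewall with Advanced Security, written with the `netsh advfirewall` syntax that exists from Windows Vista onward. The program path under `C:\Program Files\Example\` is a placeholder; the `svchost.exe` path, the `wuauserv` service name and the log file location are real Windows defaults.

```powershell
# Added example (not from this thread or from OneCare): a default-deny
# outbound policy on the built-in Windows Firewall with Advanced Security.
# Run from an elevated PowerShell or cmd prompt on Vista or later.

# 1. Block everything by default, inbound AND outbound, on every profile.
#    After this, any program without an explicit allow rule is silently
#    dropped; there is no prompt, which is the trade-off discussed above.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Allow only the programs that genuinely need the network, one rule each.
#    The path below is a placeholder for whatever application you trust.
netsh advfirewall firewall add rule name="Allow browser (out)" dir=out action=allow program="C:\Program Files\Example\browser.exe" enable=yes

# 3. Keep the OS patchable: the Windows Update service runs inside svchost.exe,
#    so scope the rule to that service and to HTTP/HTTPS rather than to all of svchost.
netsh advfirewall firewall add rule name="Allow Windows Update (out)" dir=out action=allow program="%SystemRoot%\System32\svchost.exe" service=wuauserv protocol=TCP remoteport=80,443 enable=yes

# 4. Name resolution is needed by everything above.
netsh advfirewall firewall add rule name="Allow DNS (out)" dir=out action=allow protocol=UDP remoteport=53 enable=yes

# 5. Log what gets dropped, so an unexpected outbound attempt by an unknown
#    program shows up in %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
#    instead of disappearing silently.
netsh advfirewall set allprofiles logging droppedconnections enable

# 6. Verify the policy and the outbound rule set.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out
```

This is the "block all outbound by default, then allow named applications" model: the firewall itself decides nothing about unknown programs, they are simply denied, and the dropped-connection log is where a defender would notice a process trying to reach the network that has no business doing so. Whether that is better than prompting the user is exactly the usability question the thread argues about.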
  • Okay, I think that's very thorough and probably as long as I get. I'll leave the topic answered, only noting that the review should be read thoroughly. Of course I'm very aware that you should be critical of a company reviewing another company's alternative, and I am, but it's not like they're only advertising their own product - they're explaining important things for a FW to defend the users, not just a bunch of leak-tests and the like.

    Take this for example: "Amazingly, OneCare lacks the accepted industry standard of Intrusion Detection and Protection systems used by most third-party firewalls (Outpost Firewall Pro, Norton Personal Firewall). This is a serious omission, as there are many hacker tools available today which can generate automated, wide-scale intrusion attempts on thousands of PCs in the hope of finding inadequately-protected PCs that can be exploited in the future. These tools are being constantly improved and expanded, and it is very quite disturbing that Microsoft does not provide any kind of protection against such attacks for their OneCare customers.

    OneCare’s packet filtering is on a par with its competition, and the ability to select a port range for any chosen protocol is a useful feature."

    They're not only criticizing the software - they're explaining why, and giving credit for good things they see in their testing - even if it looks to me like they snap up everything negative they can find, which you might suspect.

    An example with leak-tests. Read it, and you get what's supposed to be important.

    "it treated leaktests as if they were normal Windows Explorer (explore.exe), Internet Explorer and other credible applications widely used on a Windows-based computer, failing to detect the tests’ tendency to imitate, implant its code in, or hijack a credible application on which behalf it subsequently gained access credentials.

    The implications of this poor performance are far-reaching: any competent piece of malware would have no problem stealing data from a PC ‘protected’ by OneCare, and the firewall uttered not a single peep to prevent this from happening. This is a pretty serious shortcoming, since one of the primary functions of a firewall is to protect against unauthorized program connections – both incoming and outgoing; OneCare on this basis does not even meet the minimum requirements for an effective firewall."

    Most of the positive comments are for the program's nice-looking and organized interface:

    "The OneCare interface looks sophisticated and well-organized; it has a colorful information window from which all program settings and commands can be accessed. The program is based on Microsoft’s proprietary .Net technology and requires users to install the .Net package before using it.

    As we were primarily interested in the firewall component, we went first for the Firewall tab - available from the Settings menu. The remainder of this article is a description of our experience and the impressions we garnered while using the OneCare firewall."

    There's much more written, but with a very negative attitude. This at least gives you the most important details, I think, of the article/review.

    Tuesday, July 31, 2007 10:38 PM
  • Mr Murphy,

    I did read it completely and I wasn't impressed. It's exactly what I stated above, a Product Manager talking about someone else's product, which he really has no knowledge of, in terms of what he knows about his own product. In other words, it's pointless drivel.

    The problem is that unknowledgeable people tend to believe such 'articles' because they don't know any better, so anything sounds good. This is how the 'Security Community' has been leading the public (and the press) around by the nose for the last several years. If you'll think about it, they really haven't solved any of the problems, just lined their pockets by convincing everyone that all these neat sounding things like 'Leak-Tests' are what matter.

    OneCare started from a different point of view: that most users aren't technical, don't understand all of the technical gibberish and shouldn't really have to. Instead, they focused on the most important issues that exist: good basic protection (AV, AS, FW), keeping the OS and the protection itself updated and, most important, user apathy. These are the real problems, since most infected systems occur due to a simple lack of current OS, application or protection updates or user mistakes, not high tech attacks.

    The most successful automatic hacking toolkit that currently exists, called MPack, is using several well known exploits going back to at least early 2006. What this means is that a properly patched Windows XP system, with just the Windows XP SP2 Firewall and all current patches, along with current versions of WinZip and QuickTime if they're installed, should be immune to this set of exploits. So why does it succeed? Because many systems aren't current with their patches or application updates. This is why AntiVirus and AntiSpyware are important, to catch the malware code that might otherwise succeed if the updates aren't current or a new 'zero-day' exploit is released.

    A PC that is protected by OneCare isn't totally immune, nothing is, but it's many times better than the average PC on the Internet if the OneCare Icon is green. Since OneCare makes these updates easy to maintain with little user interaction required, it also helps solve the user apathy problem, at least to some extent.

    Real PC Security isn't all that high tech, it's actually very simple, boring and can be time consuming. OneCare takes this all on for the user at a very reasonable cost, and makes the complex portions as simple as possible for a non-technical user.

    OneCareBear

    Thursday, August 2, 2007 3:40 AM
    Moderator
  •  OneCareBear wrote:

    Mr Murphy,

    The problem is that unknowledgeable people tend to believe such 'articles' because they don't know any better, so anything sounds good. This is how the 'Security Community' has been leading the public (and the press) around by the nose for the last several years. If you'll think about it, they really haven't solved any of the problems, just lined their pockets by convincing everyone that all these neat sounding things like 'Leak-Tests' are what matter.

    Now, I'll not assume that was aimed at me. In any case - I'm not interested in that freakin' name and all the names they come up with, I'm interested in what it is. I don't give a **** about the name, and you should know that. All I do is sum it up with that name, because that's what it's called. If you actually read what it was about, you should write how OneCare counters that and not hang up on the name. What does OneCare do against these important attacks? I haven't seen you say anything about what it does about the content of the names in your previous post (except for the automatic attack, which isn't - according to you - even directly a FW matter), only what they're called.

    Thursday, August 2, 2007 1:38 PM
  • Leaks can only occur if there is already malware operating on your PC. Since that malware can just as easily disable the software that would normally block those leaks, be it a firewall, IDS/IPS or whatever, this isn't really as valuable as it may sound.

    The best way to avoid leaks is to block the entry of the malware in the first place. OneCare does this by keeping the Operating System, Office Applications and its own protection software as up to date as possible. It also attempts to inform the user in as easy to understand terms as possible when something unknown tries to access the Internet, allowing the user to make an informed decision. This is only necessary when the item is completely unknown, since any known malware would have been stopped automatically when it was recognized by either the AntiVirus or AntiSpyware, the other parts of the OneCare Defense in Depth layered protection software.

    You keep focusing on something that is a symptom of malware already operating on your system. This is sometimes found with firewall-only protection software, since they don't include AV or AS software, so they must attempt to attack the problem entirely via packet monitoring techniques. These techniques are problematic, since they generally require user interaction and a high level of technical understanding by the user to succeed. OneCare purposefully avoids such techniques since they will generally fail with non-technical users, especially children.

    If you are stuck on the idea that firewall leak protection is the only measure of good protection, you are looking at the wrong product. OneCare is concentrating on a suite of protection that avoids complexity and simplifies the operation for the non-technical user. Leak protection software is intended to appeal to 'techies', since they tend to believe that highly technical solutions will work best. However, over time it's been proven that exactly the opposite is true: simple, solid ideas like keeping the OS, applications and protection software up to date provide better protection in the long run.

    Allowing an organization with specific product goals to define the requirements for all protection products would be foolish. Some highly technical users might find highly technical software to be of value. However, the largest group of users is non-technical or just doesn't want to be bothered, so they are better off with software that does the job quietly in the background, only alerting and involving them when it's absolutely necessary. This is OneCare's main strength, which tends to bother 'techies' since they like to be over-informed. No product will be perfect for everyone.

    If you're interested in leak-tests and other such 'techie' results, you'd probably be better off with products that concentrate on such things. This is unlikely to ever be a primary focus of OneCare since they're more interested in avoiding the need for such overly intrusive techniques.

    OneCareBear

    Thursday, August 2, 2007 2:32 PM
    Moderator
  • Good. That's the answer I needed - thank you... All I wanted was an answer to what I asked, not to be told that I'm hung up on some technique. I only needed to know what it was and how OneCare takes care of it. I hope the FW of OneCare can do its role/job - meet what the users need and the requirements of a FW to protect them (with the help of other parts of the program, if that's all that's needed to stop the attack in question).

    Thursday, August 2, 2007 7:58 PM