New firewall user question

I have been testing out a few firewalls recently. I didn’t bother with Zone Alarm because last time I used it (years ago) it just bogged down the system more than it helped. Please correct me if you think I should consider it.

So far, when a bad file (.exe for example) is detected with the firewalls, I get a notice and am able to remove these files in safe mode. I also run a virus program (AVG) at this time. However, it doesn’t remove all the .exe files, even the ones the firewalls pick up aren’t removed. I have also done online virus checking, but I get almost the same results. One file I see was removed.

From this, I ask, ??? why do I need a firewall besides the fact it will alert me when a bad file is trying to launch? ??? What’s happening is the virus gets downloaded through what appears to be ad related when I use a specific program, and this is only related with the IE browser. In Firefox, since it’s not the default, I assume the files aren’t getting loaded. So, as long as I have IE disabled, I can use this program without getting any notices from a firewall and use Firefox to browse.

The issue is not so much the program, but the use of a firewall. I appreciate the alerts, but it doesn’t make me feel any safer as a potential internet customer by having a firewall. I enjoy the firewall programs as a learning experience, and I would like to find out how to use the firewall more effectively so I can be more certain files detected by a firewall can be instantly removed and how to backtrack some way to find out if other files are hibernating in the background waiting to be triggered.

To clarify a possible solution, why isn’t there a scan of the “system32” folder that compares it to a default installation? This way you could just delete everything else that isn’t related to the OS needs. Yes, maybe this would affect other programs on the computer, but in that case there could be a “locked” feature which allows a user to lock a file so it cannot be deleted.

I would much rather keep track of the files I want to launch than guess which files I don’t want launching. Does this make sense?
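The “compare system32 to a known-good baseline, and let the user lock files they vouch for” idea in the post above is essentially file-integrity monitoring. The following is an added example (not code from this thread, from Comodo, or from any AV vendor) that builds a SHA-256 manifest of a folder, stores it as JSON, and later reports files that were added, changed or removed while skipping an allow-list of locked paths. The folder, file names and contents are constructed for the demonstration; the baseline you would use in practice must come from the same OS version and patch level as the machine being checked.

```python
"""Baseline comparison of a system folder, as the original poster suggests.

Added example, not code from the forum thread or from any firewall vendor.
It hashes every file under a directory, saves a JSON manifest, and later
reports files that were added, changed or removed, skipping a "locked"
allow-list of files the user has vouched for. All paths and sample files
here are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large DLLs do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_to_baseline(baseline, current, locked=()):
    """Return added/modified/removed files. Paths in 'locked' are never reported
    as suspicious, mirroring the poster's 'lock a file' idea."""
    locked = set(locked)
    added = sorted(p for p in current if p not in baseline and p not in locked)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p] and p not in locked)
    return {"added": added, "modified": modified, "removed": removed}


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: a clean 'system32' baseline, then an unknown binary
    appears, a core DLL is altered, and a user-locked third-party file changes."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = os.path.join(tmp, "system32")
        os.makedirs(os.path.join(sysdir, "drivers"))
        for rel, data in {"kernel32.dll": b"clean kernel32",
                          "drivers/disk.sys": b"clean disk driver",
                          "vendor_helper.dll": b"third-party v1"}.items():
            with open(os.path.join(sysdir, rel), "wb") as f:
                f.write(data)
        manifest_path = os.path.join(tmp, "baseline.json")
        save_manifest(build_manifest(sysdir), manifest_path)

        # Simulated changes after browsing: an unknown executable dropped (name taken
        # from the thread), a core DLL tampered with, and the locked vendor file
        # legitimately updated by its own installer.
        with open(os.path.join(sysdir, "kernels88.exe"), "wb") as f:
            f.write(b"unknown dropped binary")
        with open(os.path.join(sysdir, "kernel32.dll"), "wb") as f:
            f.write(b"tampered kernel32")
        with open(os.path.join(sysdir, "vendor_helper.dll"), "wb") as f:
            f.write(b"third-party v2")

        return compare_to_baseline(load_manifest(manifest_path),
                                   build_manifest(sysdir),
                                   locked=["vendor_helper.dll"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports `kernels88.exe` as added and `kernel32.dll` as modified, while the locked `vendor_helper.dll` is not flagged even though it changed. The caveat is the one the poster anticipates: a locked file is trusted blindly, so the lock list itself needs to be protected, and a baseline taken after infection simply enshrines the bad files.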

Hiya!
This is a difficult question to answer quickly. If you don’t use a firewall, your computer is vulnerable to all sorts of attacks and it can be happening each time you connect to the internet. According to some statistics somewhere, someone tries to hack into any unprotected computer within minutes of it connecting to the internet. Effectively, the hacker can connect through a number of your ports without your knowledge whatsoever, seize your connection and can use a program to see everything you type and every page you visit and automatically retrieve any information that your computer sends out. Firewalls do prevent a large amount of viruses etc. from getting into your computer by closing and stealthing any unused port and only allowing user-initiated traffic to come in and out of your computer. In essence the firewall is the first line of defence against viruses and hackers. The leak test and outbound protection are there so that, in the event a virus or malware / spyware etc. gets onto your computer having disguised itself as a friendly file, it is stopped from sending the information it’s gathered from your computer (like your credit card number if you do internet shopping, or passwords, home address, and any other vital personal information). Viruses and malware and spyware connect and send this data using invisible or hidden connections by opening and accessing a port on your computer, and this can be going on the whole time without your knowledge whatsoever.

It’s hard for me to explain everything about it but you need a firewall as a first line of defense against the baddies, a decent antivirus as a second line of defense and anti-spyware as a third line of defense. If you go here:

http://www.microsoft.com/athome/security/default.mspx

That should explain at least the basics. YOU NEED A FIREWALL SWITCHED ON. If you’re using the internet a Firewall is a must! Currently, Comodo is proving to be THE most effective at keeping baddies away.

I give up… someone else’s turn…

Hi and welcome to the forums.

If you want to know why you need a firewall, let me ask you the same question in a different context - why do you have a lock on your front door? It’s probably because you don’t want to let people in you don’t know, right? :wink: Well, a firewall works in exactly the same way, BUT it can also stop things from going out as well (unlike a front door). ;D

You mention a virus problem with IE but not FireFox. The reason FF is not affected is because it doesn’t use the same rendering engine as IE, so exploits specific to IE will not affect FF. In fact most browser exploits which work in IE won’t in FF.

Not sure what you mean by that. Are you talking about virus scans? If so, when you initiate a full scan (all) anti-virus apps scan the sys32 folder.

“If so, when you initiate a full scan (all) anti-virus apps scan the sys32 folder.”

However, it’s not removing the bad files from that folder. I was using AVG and it didn’t remove kernels88.exe.

It seems regardless of the firewall, when I get a virus I have to go into safe mode and remove files manually. If I disable IE, I don’t get any problems. Firewalls are not a factor in this case.

I tried to make my point as simply as I could. I don’t know how to make it any simpler.

SITUATIONS AS IT STANDS IN DIAGRAM FORM:

  1. Virus infects computer —> Firewall detects file trying to run —> I reboot in safe mode and remove virus files manually while scanning using AVG

  2. Virus infects computer —> No firewall running —> I reboot in safe mode and remove virus files manually while scanning using AVG

  3. Disable IE explorer —> No firewall running —> The same viruses cannot be found, so for those there is no need to reboot in safe mode

A firewall, at least in this instance, isn’t doing anything besides amplifying the fact the computer has a virus. So, is it really necessary here?

I think it may help to understand exactly what a software firewall is supposed to do.

A software firewall’s only purpose is to stop unauthorized outbound traffic. When you say that “Firewall detects file trying to run”, what is happening is that the firewall has detected the file trying to access the internet. It’s not detecting malware per se; it’s simply doing its job in that it warns you of unauthorized outbound traffic.

Software firewalls typically provide a measure of protection against unauthorized inbound traffic (i.e., a hacker), but this is not the primary purpose; inbound protection is where a hardware firewall is used.

Very few antivirus applications actually remove infections; most of them just detect and quarantine. Typically what happens is that separate “stingers” are created by the AV companies to remove specific infections, as trying to write all that into the AV program is too code-intensive.

If your concern is that your firewall is not stopping you from getting a virus, you are correct. Your software firewall will not prevent you from getting a virus; that is not its job. An AV will not prevent you from getting a virus; it will only detect it (and possibly remove it). Most modern viruses are designed in such a way as to avoid detection and removal by AV programs; they attempt to move themselves, change their names, etc. to try to avoid the AV program.

If you want to have protection against getting a virus in the first place, you probably need a HIPS, which will monitor and alert you to things happening in real time, to prevent a virus from getting its claws into your system. Be aware, however, that this is not actually preventing you from downloading the virus - it just lets you know the instant the virus tries to do something, so you can block it. Once it has been blocked, it is basically ineffective. It is, however, still present on your machine until you remove it with an appropriate removal tool/application. The point of a HIPS is that the virus/malware cannot grab CPU time. If it can’t get CPU time, it can’t run. If it can’t run, it cannot “infect” your system.

Probably the best measure of prevention against downloading viruses is safe surfing habits, and a browser that has protection against running scripts (such as Firefox, Opera, etc) as well as an application not filled with as many security holes as Internet Explorer.

Insofar as your question about whether a firewall is necessary, I would say yes. No hesitation. Especially given that it seems your system is prone to getting viruses (and may well have some on it of which you are not aware, that your AV cannot detect). In this instance, a firewall should stop these from getting back out.

I hope that helps,

LM
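LM’s point above is that an application firewall keys its decision on *which program* is making the outbound connection, not on whether the file is malware, and that the user’s answer to a popup (“Remember”) becomes a rule. The following is an added example, not code from this thread or from Comodo, that models that behaviour: programs are identified by the hash of their executable image so a renamed or moved copy of a known binary (the evasion LM mentions) still matches its rule, and the “alert frequency” setting controls whether an allowed program is asked again about each new destination. Rule layout, program names, byte strings standing in for executables, and hosts are constructed assumptions.

```python
"""Model of application-rule ("Application Monitor") egress filtering.

Added example, not code from the forum thread or from Comodo. It shows why
the firewall popup is not a malware verdict: decisions come from a rule table
keyed on the executable's hash, and the user's answer to an alert is what
creates the rule. All program names, image bytes and hosts are constructed.
"""
import hashlib

ALLOW, BLOCK, ASK = "allow", "block", "ask"


def fingerprint(image_bytes):
    """Identify a program by the SHA-256 of its executable image, so a renamed
    or moved copy of the same binary still matches the same rule."""
    return hashlib.sha256(image_bytes).hexdigest()


class ApplicationMonitor:
    def __init__(self, alert_frequency="medium"):
        # rules: fingerprint -> {"action": ALLOW|BLOCK, "remote": set of (host, port)}
        self.rules = {}
        self.alert_frequency = alert_frequency   # "low", "medium" or "high"
        self.alerts = []                          # what the user would have been shown

    def decide(self, process_name, image_bytes, remote_host, remote_port):
        """Return (decision, reason) for one outbound connection attempt."""
        fp = fingerprint(image_bytes)
        rule = self.rules.get(fp)
        if rule is None:
            return self._alert(process_name, fp, remote_host, remote_port,
                               "no rule for this program")
        if rule["action"] == BLOCK:
            return BLOCK, "blocked by rule"
        # At "high" alert frequency an allowed program is still asked about
        # every destination it has not been allowed to reach before.
        if self.alert_frequency == "high" and (remote_host, remote_port) not in rule["remote"]:
            return self._alert(process_name, fp, remote_host, remote_port, "new destination")
        return ALLOW, "allowed by rule"

    def _alert(self, process_name, fp, host, port, why):
        self.alerts.append((process_name, fp[:12], host, port, why))
        return ASK, why

    def remember(self, image_bytes, action, remote_host=None, remote_port=None):
        """The 'Remember' checkbox: persist the user's answer as a rule."""
        fp = fingerprint(image_bytes)
        rule = self.rules.setdefault(fp, {"action": action, "remote": set()})
        rule["action"] = action
        if remote_host is not None:
            rule["remote"].add((remote_host, remote_port))


def demo():
    """Constructed scenario mirroring the thread: an updater with no rule yet,
    an unknown binary dropped by the browser, and that binary renamed."""
    updater_v1 = b"updater-image-v1"        # stand-in for a legitimate updater EXE
    updater_v2 = b"updater-image-v2"        # the same program after it updated itself
    dropped = b"unknown-dropped-binary"     # stand-in for the dropped malware
    fw = ApplicationMonitor(alert_frequency="medium")
    out = {}
    out["updater_first_run"] = fw.decide("updater.exe", updater_v1, "update.example", 80)[0]
    fw.remember(updater_v1, ALLOW, "update.example", 80)   # user clicked Allow + Remember
    out["updater_second_run"] = fw.decide("updater.exe", updater_v1, "update.example", 80)[0]
    out["dropped_first_run"] = fw.decide("kernels88.exe", dropped, "203.0.113.5", 6667)[0]
    fw.remember(dropped, BLOCK)                             # user clicked Block + Remember
    # Same bytes under a system-looking name: the hash, not the name, is matched.
    out["dropped_renamed"] = fw.decide("svchost.exe", dropped, "203.0.113.5", 6667)[0]
    # The updater replaced itself on disk, so its old rule no longer matches.
    out["updater_after_update"] = fw.decide("updater.exe", updater_v2, "update.example", 80)[0]
    fw.alert_frequency = "high"
    out["updater_new_destination_high"] = fw.decide("updater.exe", updater_v1, "cdn.example", 443)[0]
    return out


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:32} -> {decision}")
```

Two things the run makes visible: the dropped binary is blocked even after it is renamed, because the rule follows the hash; and the legitimate updater is asked about again as soon as its own image changes, which is the popup the firewall shows after any program updates itself. Neither outcome says anything about whether a file is malicious; that judgement is still the user’s or the AV’s.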

HI,

OK, I see what you are saying now. I apologise for not duplicating your initial question. :slight_smile:

Your issue is with a virus / malware. This is not a problem or a bug with CPF, which is, like you say, simply informing you of the fact you have a problem. And if you didn’t know you actually had this problem, that would be a good thing ??? Now, I googled kernels88.exe and it came up with a few decent links which address this particular file. I can tell you now that kernels88.exe is not a system file, and that the reason you cannot remove it whilst in a normal Windows session is because the file is loaded into memory. You can remove it via safe mode because it’s obviously not loaded during safe mode, which only permits basic drivers to load. I found the information here: http://fileinfo.prevx.com/adware/QQ7caf55829015-KERN28875420/KERNELS88.EXE.html to be useful, and they even provide a removal tool. Of course I cannot verify if the tool works because (thankfully) I’m not infected with kernels88.exe. ;D

Viruses and malware can enter your system through email, but I know AVG has a mail scanner (I used to use it before switching to Avast), so as long as that’s working you’re safe there. And YES, it is important that you use a firewall as well. There are many sites out there which contain scripts that automatically download stuff to your hard drive without you knowing. A firewall can help to prevent this because it will warn you of potential nasties. But the most important thing you can do is stay vigilant, keep away from porn sites, keygen sites, serial code sites etc.

If all else fails, and the previously mentioned removal tool does not work then you’ll have to re-install your OS and make sure you install security before connecting to the internet.

BTW, you’ve chosen the best firewall there is, so you’ll be fine once you have gotten rid of this malware.

EDIT:
What LM says as well… ;D

Little Mac,

I downloaded the free version of System Safety Monitor at http://www.syssafety.com/

However, Comodo wouldn’t allow me to update it.

“If you want to have protection against getting a virus in the first place, you probably need a HIPS, which will monitor and alert you to things happening in real time, to prevent a virus from getting its claws into your system.”

I don’t understand how a HIPS is going to help out if the firewall I am using, in this case Comodo, won’t even allow me to update the program. It would have to be weaker than the virus that did invade without Comodo stopping it. So either the SSM program is not the best of choices, or I don’t need a HIPS running.

If I need a HIPS, can you recommend one?

The second question is, is this the normal way of doing things when using the internet, firewall, and virus program together? (1 get infected, 2 get notice of infection from both the firewall and virus program, 3 reboot in safe mode, 4 remove bad files, 5 scan, 6 modify system settings back to normal)

If not, what is the prescribed method to deal with these viruses on the internet?

AFAIK, SSM is a very good HIPS. A lot of people use it, and there are no known compatibility issues with CPF (that I’m aware of). What you’re seeing is not a compatibility issue; you need to create an application rule (Application Monitor) for SSM’s update executable, to allow it to update.

In the event that you’re not sure what that executable is, I’ll give you some steps to take within CPF, to create the rule you need.

  1. Go to Security/Advanced/Miscellaneous.
  2. Move the Alert Frequency slider to High.
  3. Press OK.
  4. Reboot your computer (this clears out the old memory, and sets the changes). You may see alerts for svchost.exe, and for your default browser to be allowed to act like a server; you will need to allow these (they’re internal communications only, you don’t need to worry about them; you’re seeing it only because of the High alert setting).
  5. After logging back in, open the SSM application. Activate the updater.
  6. When you get the popup for it, check “Remember” and click Allow. Wait for the update to finish.
  7. Open CPF’s application window; click the Application Monitor link on the main page.
  8. Confirm that there is a rule to Allow SSM’s update module/executable.
  9. Go to Security/Advanced/Miscellaneous
  10. Move Alert Frequency slider to Medium (or low, which is the default).
  11. Press OK, reboot.

SSM may be kind of “busy” for you; I’m not sure, as I don’t use it. By “busy” I mean it may generate a lot of popups at first, with warnings about your applications. It’s establishing a pattern of behavior for your system. If you don’t like that, or you’re uncertain about exactly what it’s telling you, you might like CyberHawk (which is what I use).

On your second question from the last post, in a “perfect” scenario, you would expect the AV to notify you of an infection before the firewall does. However, AVs are working off of DAT files (virus definitions), and they are usually running behind the viruses. In other words, the viruses are being changed/updated faster than the AV companies are getting the new DAT files updated and out to the users. As far as the removal in safe mode, that will depend on the virus; by booting into safe mode a lot of applications (and perhaps some viruses) are not active, and thus the virus is easier to remove. Most AV sites have free removal tools (commonly called “stingers”); once you have identified the virus(es) you have, you can download the tool and follow their instructions to get rid of them.

It’s probably a good idea to read about the different types of malware, and what they do (i.e., trojan, worm, virus, backdoor, dialer, etc.). Again, most AV sites have info on these things as well.

Your current AV, AVG, has active scanning (on-access) and email, as well as on-demand scanning (scheduled). In addition to keeping that updated, I would also recommend using something like aSquared Free, which (in its free version) has only on-demand scanning. You can update and run this on a regular basis, to help ensure you are catching everything.

Hope this helps,

LM

Thank you very much for the help. I am going to try that cyberhawk program and see how all this works.

No problem, glad to help.

https://forums.comodo.com/index.php/topic,4883.msg36148.html#msg36148 This is a link to a post of mine discussing HIPS and computer security. It gives a pretty good overview of my views on computer security, and security programs.

You might enjoy it, and Melih’s comments a couple posts later, about the HIPS that is planned for a future version of CPF.

LM