I've changed firewalls.

[YK]

How many users would use kerio with sponge's list AND wouldnt have
used spybot S&D and/or spywareblaster? I submit this number is very
very small, almost zero.

By the volume of posts in the MS newsgroups, your facts are true. They
are totally unaware of firewalls and Windows Update.

If we are talking about casual users and spyware, i would recommend
spybot and spywareblaster rather then recommending sponge's list with
kerio which at best is a overly complicated way and not too reliable
way of fighting spyware and at worse leads to additonal
complications. Asking a casual user to start with a rule based
firewall like kerio is asking for trouble.

Very true.

Spybot s&D, adaware at least works like a AV which most people are
familar with. Using a rule based firewall with a long list of blocked
ips is not what most casual users would be ready for at first.

Reading the MS newsgroups, many users are not using AV software or it is
hopelessly out of date.

My argument is as follows

1) Casual users wont benfit much from Sponge's list since there are
more direct and easier ways of handling spyware.

Recommending turning on the built in XP firewall or the use of ZoneAlarm is
a start. Then recommending Ad-Aware and SpyBot S&D with emphasis on
keeping the reference files up to date is a good next step.

I dumped Sponge's list as it was poping up alerts so many times. This
would totally confuse the casuall user as this would get them thinking they
are being attacked.

2) An "expert user" who is loaded up with the usual protective gear,
wouldnt be troubled at all by websites that tried to peddle such
wares. So any gain from using Sponge's list is minimal.

The paranoid of course could and would use sponge's list.


Relevance? A firewall without Sponge's list would have informed you
something is amiss as well.

IMHO, sponge's list might be useful in that if any spyware tries to
phone home, the rules could trigger telling you specifically where it
was going to. But of course you could do a reverse dns lookup anyway
yourself.

But when sponge's list blocks websites from displaying that are
essentially harmless when you are well protected, it's value is much
less.

I agree.

 

[donut]

Any online firewall tests I have run say ZA is blocking what it should.
I know others prefer a more hands on approach but ZA suits my needs for
now.

Since you cannot specify ports to block with ZA, it is especially helpless
where the LOvsan worm is concerned.

 

[donut]

How many users would use kerio with sponge's list AND wouldnt have used
spybot S&D and/or spywareblaster? I submit this number is very very
small, almost zero.

What the hell sense does this make? We are talking about apples and
oranges. I'm talking about know nothing users, and you're talking about
something else entirely.

 

[donut]

But when sponge's list blocks websites from displaying that are
essentially harmless when you are well protected, it's value is much
less.

Here's where you are showing that you are uninformed. A popup box that
alerts to the presence of Gator or some such other on a site is not the
same as blocking a site. The site is not blocked.

You try to say that Spybot - Search and Destroy is all you need, and why
confuse a newbie with the vagarities of firewalls? Spybot - S&D is merely
one tool in an arsenal of SUPPORT tools. Such tools would also include Ad-
Aware. These are fine, but the real point is to make sure you never need
them. That's why I included my experience with the games disk - because I
thought I was well protected, and ended up being vulnerable because I did
not recognize the source of the problem. As it was, I found Alexa
immediately, because it was time to run Ad-aware anyway. I ran it right
after installing the games, and found it immediately.

What could any of these tools have done to protect against the LovSan worm,
for instance? Absolutely nothing. The only thing that would have protected
anybody (aside from a properly patched OS) would have been a properly
configured firewall that is blocking port 135, among others.

You have a problem with Sponge's ruleset? Go take it up with him. I used to
debate with him over this very issue. My point was - why have dozens of
deny rules, when only one is necessary?

Block All - all services, all ports, all endpoints, both directions, at
the very bottom. It works, and that rule is still there.

And that really is all that is needed. I tried his ruleset basically to see
what all the fuss was about. My ruleset was fine, but I did like the fact
that I could be alerted if a site was using Gator or something similar.

THEN I COULD WARN OTHERS WHO ARE NOT USING A FIREWALL ABOUT SUCH SITES. Now
do you get it?

People need to know that they can get spyware, or worse, from malicious
HTML on a website. They need to know that they can get it from game CDs. I
don't see why my saying that is such a threat to you, but it seems to be,
for some reason.

 

[George]

Since you cannot specify ports to block with ZA, it is especially helpless
where the LOvsan worm is concerned.

AFAIK LOvscan utilises port 135 which ZA blocks. Plus it "seems" to be
NT, 2000 and XP specific. I'm still using 98SE.

 

[Aaron]

Why? Firewall usually work on the principle that unless you explictly
allow them they wont be allowed in or out.



Aaron

 

[=?ISO-8859-1?Q?=BBQ=AB?=]

Why? Firewall usually work on the principle that unless you
explictly allow them they wont be allowed in or out.

It's been a long time since I used ZAF, but several years ago it did
keep ports 135-139 closed by default. I can't imagine that ZoneLabs
would have changed that behaviour.

 

[Gord McFee]

In

It's been a long time since I used ZAF, but several years ago it did
keep ports 135-139 closed by default. I can't imagine that ZoneLabs
would have changed that behaviour.

It still keeps them closed by default.