Firewall Protection How To
Identifying/Blocking Spyware/Adbots?
The term "spyware" is slang and is not well defined. It is commonly used
mainly for various adware (adware being a program that is supported by
presenting advertisements to the user) which, during its installation
process, installs an independent program which we shall call an "adbot". The
adbot runs independently even if the hosting adware is not running; it
maintains the advertisements, downloads them from the remote server, and
provides information to the remote server. The adbot is usually hidden. There
are many companies that offer adbots and advertisement services to
adware. The information that the adbots deliver to their servers from the
computer where the adbot is installed is how much time each advertisement
is shown, which was the hosting adware, and whether the user clicked on the
advertisement. This is important so that the advertisement server will be
able to know how much money to get from each of the advertised companies,
and how much of it to deliver to each of the adware maintainers. Some of
the adbots also collect other information in order to better choose the
advertisements for the users. The term "spyware" is more generic, but most
spyware falls into this category. Many types of adbots can be identified
and blocked by personal firewalls.
Blocking Advertisements?
Some of the better personal firewalls can be set to block communication with
specific sites. This can be used in order to prevent downloading of
advertisements in web pages, and thus to accelerate the download process of
the web sites. This is not a very common use of a personal firewall, though.
Blocking Advertisements?
Leaving aside the moral aspect of blocking advertisements, a personal
firewall is not the best tool for that anyway. This is not the main purpose of a
firewall, nor is it its main strength. Some of them can block some of the
advertisements from being downloaded, if you know how to configure them
for that. Yet there are better tools for that, such as Proxomitron
(http://www.proxomitron.org), CookieCop 2 (search for the word cookiecop
on http://www.pcmag.com), or Naviscope (http://www.naviscope.com), and
there are many other programs as well. You may check for other alternatives,
e.g. in Tucows (http://www.tucows.com/adkiller95.html).
One of the main problems with personal firewalls is that you cannot simply
install them and forget them, counting on them to do their job. They can deny
or permit various types of communications according to some criteria, but
what are these criteria, and who decides what the criteria are for whether they
should permit or deny some communication?
The answer is that it is the computer user's job to define the exact criteria
for when the firewall should allow a communication and when it should block it.
The firewall may make it easier for you, but it should not make the decisions.
There are too many programs and too many versions, and it is not possible for
the firewall to decide accurately when a communication is legitimate and
when it is not. One person might think that it is legitimate for some program
to deliver some information to the outside in order to get some service, while
another will think that it is not. One version of a program might communicate
with its home server in order to check whether there is an upgrade, and
another version might also install the upgrade even if you do not wish it to. Some
firewalls will try to identify communication efforts which are largely
considered legitimate, and will give you that information so that it will be
easier for you to decide whether they should be allowed. Others will make do
with more basic information, making no suggestions (and thus - no incorrect
recommendations). One way or another, once you have installed a firewall, you will
have better means to understand what types of communications are running
on your computer, but you will also have to understand them in order to be
able to configure your firewall so that it will correctly know which
communications to allow and which to block.
As we've already learned here, a firewall is limited in its ability to secure your
computer. Yet many people believe that if they install a personal firewall
they will be secured against the various security threats. I was even surprised
to find out that there are people who give much higher priority to
installing a personal firewall than to installing an antivirus program. An
always updated antivirus program plays a much more important role in the
security of a personal home computer than installing and maintaining a
personal firewall. A personal firewall should not come at the expense of any other
security measure that you use.
When you install a firewall and you look at all the communication efforts
through it, you might be surprised at the amount of communication efforts
from the Internet to your computer. Most of them are blocked by a typically
configured firewall. There are efforts all the time to communicate with
various backdoor Trojans on your computer. If you are not infected, there
will be nothing listening and responding to those communication efforts, and
they are thus practically harmless. There are efforts to communicate with
your NBT driver, to see if your computer by mistake allows file sharing. There
are other types of probes to see if your computer exists, or various efforts of
servers to probe your computer in order to find the best path for legitimate
communication to it. There are sometimes remnants of communications that
were supposed to go to other computers, but made their way to yours (for
advanced readers: because the IP number that your computer uses was
used by some other computer earlier). Those communication efforts are
blocked even without a firewall. If your computer is not infected with a RAT,
and if your computer does not have NetBIOS over TCP/IP enabled, or does
not even have file and print sharing enabled (and on most computers this is
disabled by default), then none of these pose any security threat. If your
computer is not infected with a SubSeven Trojan, then no matter how often
there are efforts to communicate with it, they are all doomed to fail.
Yet some personal firewalls (such as Norton Personal Firewall or ZoneAlarm)
by default proudly announce that they have just blocked an effort to crack
into your computer. Norton may even define those efforts that were blocked
as "high security threats", while they would not have been a threat at all even if your
computer didn't have a personal firewall. Such firewalls give you the
false impression that they save your computer again and again from
extremely dangerous threats on the Internet, so that you wonder how
you survived so much time without noticing any intrusion before you installed
the firewall. I usually say that those personal firewalls have their "report
level" set to "promotional mode". Namely, the personal firewall is set to give you
the false impression that it is much more important than it really is.
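The argument above can be checked against a firewall log directly. The following is an added example, not part of the original document: it classifies blocked inbound attempts by whether anything on the host actually listens on the targeted port. The log format, the addresses and the `listening` set are constructed assumptions; 27374 is the well-known SubSeven default port and 137/139 are the NetBIOS ports.

```python
# Added example: triage blocked-inbound firewall log entries by checking
# whether anything on the host actually listens on the targeted port.
# The log format and all addresses below are constructed for illustration.
SAMPLE_LOG = """\
2002-03-01 10:02:11 BLOCK TCP 198.51.100.7:4021 -> 192.0.2.10:27374
2002-03-01 10:02:15 BLOCK UDP 203.0.113.9:137 -> 192.0.2.10:137
2002-03-01 10:03:40 BLOCK TCP 198.51.100.23:3310 -> 192.0.2.10:139
2002-03-01 10:05:02 BLOCK ICMP 203.0.113.50 -> 192.0.2.10
2002-03-01 10:06:30 BLOCK TCP 198.51.100.77:1045 -> 192.0.2.10:80
"""

# Ports matching the services named in the text (well-known defaults).
KNOWN_PORTS = {
    27374: "SubSeven backdoor default",
    137: "NetBIOS name service",
    139: "NetBIOS session (file sharing)",
}

def parse(line):
    """Split one constructed-format log line into (proto, source IP, dest port)."""
    _date, _time, _action, proto, src, _arrow, dst = line.split()
    _host, sep, port = dst.rpartition(":")
    return proto, src.split(":")[0], int(port) if sep else None

def triage(log_text, listening):
    """Classify each blocked attempt; `listening` is a set of (proto, port)
    pairs the host accepts traffic on (e.g. collected from `netstat -an`)."""
    results = []
    for line in filter(str.strip, log_text.splitlines()):
        proto, src, port = parse(line)
        if port is None:
            verdict = "probe"      # existence check, no service targeted
        elif (proto, port) in listening:
            verdict = "review"     # a real local service was the target
        else:
            verdict = "noise"      # nothing listens: fails even unfiltered
        results.append((src, proto, port, KNOWN_PORTS.get(port, "-"), verdict))
    return results

def summary(results):
    """Count verdicts per category."""
    counts = {}
    for *_rest, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for listening in (set(), {("TCP", 139)}):
        print(sorted(listening), summary(triage(SAMPLE_LOG, listening)))
```

On a host with no listeners every entry is noise or a probe; only when file sharing is enabled (TCP 139 listening) does one blocked attempt become worth reviewing.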
1. They do not take resources from the computer. This should be clear. This is
especially useful when the firewall blocks flooding attacks.
2. It is harder (although in principle still possible) for a Trojan horse to
disable it, because it does not reside in the same computer that the Trojan
has infected. It is not possible to use the specific communication while totally
bypassing the firewall.
3. They can be used without any dependence on the operating system on the
computer(s) they defend.
4. No instability problems.