
Firewalls with on-demand anti-spyware scanning option


9 replies to this topic

#1 spc3rd

spc3rd

  • Members
  • 292 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Mid-Atlantic region (USA)
  • Local time:04:43 AM

Posted 13 September 2011 - 01:08 PM

Good afternoon everyone,

I know a number of 3rd-party firewall applications have within them an option to run an on-demand anti-spyware scan and even a scheduled one.

My question is this: Since I already have Malwarebytes Pro (real-time scanning enabled, as well as, performing regular quick/full scans); Avast! Antivirus (free); and SuperAntispyware (free version - which I will perform periodic quick & full scans with)...is there any reason to perform an on-demand anti-spyware scan with the FIREWALL product as well?

Thank you in advance for your time and any enlightenment!

spc3rd

Dell Optiplex 755 Desktop | Win 7 Pro, SP 1, 64-bit | Intel Core 2 Duo, 3.00 gHz CPU | 8 GB RAM | 400 GB Seagate SATA HDD | Outpost Security Suite Pro | MBAM Premium 2.0 | Spywareblaster | SAS (on-demand) | Blocklist Pro | IE 11 & FF w/ NoScript | Disconnect | Adblock Plus | Flagfox




#2 ichito

ichito

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 AM

Posted 15 September 2011 - 03:10 AM

I think it makes no sense to have a third anti-malware app/module even in firewall. You already have in real-time Avast Free and MBAM Pro and it's enough.

Edited by ichito, 15 September 2011 - 03:10 AM.

Vista: SpyShelter Firewall + Shadow Defender + Keriver 1-Click Free

XP SP3: Kerio 2.1.5 + SpyShelter Premium + NVT ExeRadar Pro + Shadow Defender + Keriver 1-Click Free


#3 spc3rd


Posted 15 September 2011 - 07:44 AM

Thank you for your time and response, ichito.

spc3rd

Dell Optiplex 755 Desktop | Win 7 Pro, SP 1, 64-bit | Intel Core 2 Duo, 3.00 gHz CPU | 8 GB RAM | 400 GB Seagate SATA HDD | Outpost Security Suite Pro | MBAM Premium 2.0 | Spywareblaster | SAS (on-demand) | Blocklist Pro | IE 11 & FF w/ NoScript | Disconnect | Adblock Plus | Flagfox


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,954 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:43 AM

Posted 15 September 2011 - 07:53 AM

As a general rule, using more than one anti-spyware program like Malwarebytes Anti-Malware, SuperAntispyware, Windows Defender, Spybot S&D, Ad-Aware, Spyware Terminator, etc. will not conflict with each other or your anti-virus if using only one of them for real-time protection and others as stand-alone scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. The overlap of protection from using different signature databases will aid in detection and removal of more threats when scanning your system for malware. However, competing tools may provide redundant alerts which can be annoying and/or confusing as a result of the overlap in protection.

If using multiple real-time resident shields (TeaTimer, Ad-Watch, MBAM Protection Module, Spyware Terminator Shields, etc.) together at the same time, there can be conflicts when each application tries to compete for resources and exclusive rights to perform an action. They may identify the activity of each other as suspicious and produce alerts. Further, your anti-virus may detect suspicious activity while these programs are scanning (reading) files, especially if it uses a heuristic scanning engine, regardless if they are running in real-time or on demand. The anti-virus may even detect as threats, any malware removed by these programs and placed into quarantined areas. This can lead to a repetitive cycle of endless alerts or false alarms that continually warn a threat has been found if the contents of the quarantine folder are not removed before beginning a new security scan. Generally these conflicts are more of an annoyance rather than the significant conflicts which occur when running two anti-virus programs in real time.

Keep in mind that you can overkill a system with resource heavy security programs that will slow down performance. Sometimes you just have to experiment to get the right combination for your particular system as there is no universal "one size fits all" solution that works for everyone.

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. Just because one anti-virus detected threats that another missed, does not mean it's more effective. The security community is in a constant state of change as new infections appear and it takes time for them to be reported, samples collected, analyzed, and tested by anti-vendors. Security vendors use different scanning engines and different detection methods such as heuristic analysis or behavioral analysis which can account for discrepancies in scanning outcomes. Depending on how often the anti-virus database is updated can also account for differences in threat detections.

Further, each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 spc3rd


Posted 15 September 2011 - 09:07 AM

Hi quietman7!

I really appreciate the detailed info you provided! I've not run an anti-spyware scan with my firewall program as I wanted to ascertain first, if there was any benefit in doing so. As mentioned before, my Avast! and MBAM Pro run in real-time, as does the Outpost Firewall. The SuperAntispyware program I only use for on-demand scans. (I've noted it tends to pick up a lot of cookies).

The overlapping coverage benefit you mentioned makes logical sense to me. In my observations thus far, I've noted the Outpost Firewall seems to be the one program intercepting Intrusion Attack attempts from one specific IP address in China. (I did place that IP on the automatic Blocklist, but I will usually get a brief popup alert from Outpost FW stating it has blocked the IP [and subnet] from sending what's termed suspicious packets (TCP protocol)).

I almost never get alerts now from MBAM, since installing the Outpost Firewall Pro (paid version).
Avast! will often show at least one suspicious event every day or every other day in the Behavior Shield graph. (These events only seem to occur after I have been on the Internet. I've not noticed one occurring if I have remained offline the entire day).

In closing, thanks very much again for taking the time to provide the detailed information! :busy:

spc3rd

Dell Optiplex 755 Desktop | Win 7 Pro, SP 1, 64-bit | Intel Core 2 Duo, 3.00 gHz CPU | 8 GB RAM | 400 GB Seagate SATA HDD | Outpost Security Suite Pro | MBAM Premium 2.0 | Spywareblaster | SAS (on-demand) | Blocklist Pro | IE 11 & FF w/ NoScript | Disconnect | Adblock Plus | Flagfox


#6 quietman7


Posted 15 September 2011 - 09:32 AM

You're welcome. Here's some more information pertaining to some of the issues you addressed.

I've noted the Outpost Firewall seems to be the one program intercepting Intrusion Attack attempts from one specific IP address in China. (I did place that IP on the automatic Blocklist, but I will usually get a brief popup alert from Outpost FW stating it has blocked the IP [and subnet] from sending what's termed suspicious packets (TCP protocol))

A firewall controls network traffic and serves two basic purposes:
  • Prevent incoming communications that you did not request from entering your computer;
  • Monitor what programs on your computer are allowed to communicate out.
The firewall does this by enforcing an access control policy to permit or block (allow or deny) inbound and outbound traffic. Thus, the firewall acts as a central gateway for such traffic by denying illegitimate transfers and facilitating access which is deemed legitimate. The goal of the firewall is to prevent remote computers from accessing yours and provide notification of any unrequested traffic that was blocked along with the IP address. Keep in mind however, that a firewall is not a panacea to solve all of your security problems. If you will open ports through your firewall to allow access to an infected machine, then the firewall is no longer relevant.

If your firewall provides an alert which indicates it has blocked access to a port or detected an intrusion attempt that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from remote computers (an external host) to access a port on your computer.
Alerts are often classified by the network port they arrive on, and they allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer. Even if the port is open, the alert message indicates that your firewall has blocked the attempt to access it.
  • What are TCP and UDP ports
  • TCP/UDP Ports Explained
It is not unusual for a firewall and some anti-virus programs to provide numerous alerts regarding probing and intrusion attempts to access your computer. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Your firewall is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion. If your computer is sending out large amounts of data, that can indicate that your system may have a Trojan. For more information about Port Scanning, please refer to Port Scanning Basic Techniques.

If the alerts become too annoying, you should be able to go into your firewall/anti-virus settings and lower them or turn them off (Hide notification messages).


I almost never get alerts now from MBAM

IP Protection (malicious website blocking) is part of the Protection Module and works after it is enabled. When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert. Some legitimate programs on your computer have access to the Internet and that action can also trigger an IP alert. These events are stored in the "protection-log". Your firewall should be able to give you a list of such programs so you can confirm if they are legitimate. IP Protection is also designed to block incoming connections it determines to be malicious but from what you describe, the firewall is doing that.


The SuperAntispyware program I only use for on-demand scans. (I've noted it tends to pick up a lot of cookies).

SUPERAntiSpyware will scan for cookies if you have it configured to do so. There is no need to do this as cookies are not a threat.

Cookies are text string messages given to a Web browser by a Web server. Whenever you visit a web page or navigate different pages with your browser, the web site generates a unique ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server. Cookies allow third-party providers such as ad serving networks, spyware or adware providers to track personal information. The main purpose of cookies is to identify users and prepare customized Web pages for them.

  • Persistent cookies have expiration dates set by the Web server when it passes the cookie and are stored on a user's hard drive until they expire or are deleted. These types of cookies are used to store information between visits to a site and collect identifying information about the user such as surfing behavior or preferences for a specific web site.
  • Session (transient) cookies are not saved to the hard drive, do not collect any information and have no set expiration date. They are used to temporarily hold information in the form of a session identification stored in memory as you browse web pages. These types of cookies are cached only while a user is visiting the Web server issuing the session cookie and are deleted from the cache when the user closes the session.
Cookies can be categorized as:
  • Trusted cookies are from sites you trust, use often, and want to be able to identify and personalize content for you.
  • Nuisance cookies are from those sites you do not recognize or often use but somehow it's put a cookie on your machine.
  • Bad cookies (i.e. persistent cookies, long term and third party tracking cookies) are those that can be linked to an ad company or something that tracks your movements across the web.
The type of persistent cookie that is a cause for some concern are "tracking cookies" because they can be considered a privacy risk. These types of cookies are used to track your Web browsing habits (your movement from site to site). Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads that you have clicked on. Cookies are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banners.

Cookies are NOT a "threat". As text files they cannot be executed to cause any damage. Cookies do not cause any pop ups or install malware and they cannot erase or read information from a computer.

Cookies cannot be used to run code (run programs) or to deliver viruses to your computer.

Microsoft's Description of Cookies

To learn more about Cookies, please refer to:

Flash cookies (or Local Shared Objects) and Evercookies are a newer way of tracking user behavior and surfing habits but they too are not a threat, nor can they harm your computer.

An Evercookie is a Javascript API created and managed persistent cookie which can be used to identify a user even after they have removed standard and Flash cookies. This is accomplished by creating a new cookie and storing the data in as many storage locations (currently eight) as it can find on the local browser. Storage mechanisms range from Standard HTTP and Flash cookies to HTML5's new storage methods. When evercookie finds that other types of cookies have been removed, it recreates them so they can be reused over and over.

Flash cookies are cookie-like data stored on a computer and used by all versions of Adobe Flash Player and similar applications. They can store much more information than traditional browser cookies and they are typically stored within each user’s Application Data directory with a ".SOL" extension, under the Macromedia\FlashPlayer\#SharedObjects folder. Unlike traditional cookies, Flash cookies cannot be managed through browser controls so they are more difficult to find and remove. However, they can be viewed, managed and deleted using the Website Storage Settings panel at Macromedia's Support Site. From this panel, you can change storage settings for a website, delete a specific website or delete all sites which erases any information that may have been stored on the computer. To prevent any Flash Cookies from being stored on your computer, go to the Global Storage Settings panel and uncheck the option “Allow third-party Flash content to store data on your computer”. For more information, please refer to:

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. However, you can minimize the number of them which are stored on your computer by referring to:

Third party utilities to Manage (view & delete) Cookies:
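The session / persistent / third-party distinctions described in the post above can be read directly off the `Set-Cookie` headers a browser receives. The following is an added example, not part of any post in this thread; the host names and cookie values are constructed, and comparing the last two DNS labels is a simplifying assumption (browsers use the Public Suffix List).

```python
from collections import defaultdict

# Constructed observations: (page the user visited, host that sent the header,
# Set-Cookie value). All names and values are made up for illustration.
OBSERVED = [
    ("news.example.com", "news.example.com", "sid=abc123; Path=/; HttpOnly"),
    ("news.example.com", "news.example.com", "prefs=dark; Max-Age=31536000; Path=/"),
    ("news.example.com", "ads.tracker.example.net",
     "uid=7f3a9c; Expires=Thu, 15 Sep 2016 12:00:00 GMT; Domain=.tracker.example.net"),
    ("shop.example.org", "ads.tracker.example.net",
     "uid=7f3a9c; Expires=Thu, 15 Sep 2016 12:00:00 GMT; Domain=.tracker.example.net"),
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def site_of(host):
    """Simplified 'site': the last two DNS labels (assumption, see lead-in)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(page_host, setter_host, header):
    """Label one cookie as session/persistent and first/third party."""
    name, value, attrs = parse_set_cookie(header)
    # No Expires and no Max-Age means the cookie lives only for the browser session.
    persistent = "expires" in attrs or "max-age" in attrs
    cookie_host = attrs.get("domain", setter_host)
    third_party = site_of(cookie_host) != site_of(page_host)
    return {
        "name": name, "value": value, "site": site_of(cookie_host),
        "lifetime": "persistent" if persistent else "session",
        "party": "third" if third_party else "first",
        # Heuristic only: persistent + third-party is the privacy-relevant combination.
        "tracking_candidate": persistent and third_party,
    }

def cross_site_ids(observed):
    """Persistent third-party cookies whose same value was seen on 2+ visited sites."""
    seen = defaultdict(set)
    for page_host, setter_host, header in observed:
        c = classify(page_host, setter_host, header)
        if c["tracking_candidate"]:
            seen[(c["site"], c["name"], c["value"])].add(site_of(page_host))
    return {key: sorted(pages) for key, pages in seen.items() if len(pages) >= 2}

if __name__ == "__main__":
    for obs in OBSERVED:
        print(classify(*obs))
    print(cross_site_ids(OBSERVED))
```
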

#7 spc3rd


Posted 15 September 2011 - 09:52 AM

WOW quietman7!!!

I can see it will take me a while to read through and digest all this additional cookie info you've provided! When I read the portion describing the Evercookies, it almost sounds like they are talking about those "Borg nanoprobes" from the Star Trek (The Next Generation series)!

One other note here about those intrusion attempts from that China-based IP address I mentioned...when reviewing the event log, it always lists the event type as "Scanning", and the log shows the intruder is attempting to access various different ports on each intrusion attempt. (It even lists the port numbers)

Once again...my sincerest thanks for the additional information! :thumbsup:

Edited by spc3rd, 15 September 2011 - 10:04 AM.

spc3rd

Dell Optiplex 755 Desktop | Win 7 Pro, SP 1, 64-bit | Intel Core 2 Duo, 3.00 gHz CPU | 8 GB RAM | 400 GB Seagate SATA HDD | Outpost Security Suite Pro | MBAM Premium 2.0 | Spywareblaster | SAS (on-demand) | Blocklist Pro | IE 11 & FF w/ NoScript | Disconnect | Adblock Plus | Flagfox
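The pattern described in the posts above (one remote address trying many different ports, logged as "Scanning") can be told apart from repeated contact on a single port by counting distinct destination ports per source inside a short time window. This is an added example, not part of any post; the log line format and addresses are constructed and are not Outpost's own log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, documentation-range addresses).
SAMPLE_LOG = """\
2011-09-15 09:01:02 BLOCK TCP 203.0.113.7:40112 -> 192.0.2.10:21
2011-09-15 09:01:03 BLOCK TCP 203.0.113.7:40113 -> 192.0.2.10:22
2011-09-15 09:01:03 BLOCK TCP 203.0.113.7:40114 -> 192.0.2.10:23
2011-09-15 09:01:05 BLOCK TCP 203.0.113.7:40115 -> 192.0.2.10:135
2011-09-15 09:01:06 BLOCK TCP 203.0.113.7:40116 -> 192.0.2.10:445
2011-09-15 09:01:08 BLOCK TCP 203.0.113.7:40117 -> 192.0.2.10:3389
2011-09-15 09:05:00 BLOCK TCP 198.51.100.20:51000 -> 192.0.2.10:443
2011-09-15 09:05:01 BLOCK TCP 198.51.100.20:51001 -> 192.0.2.10:443
2011-09-15 09:05:02 BLOCK TCP 198.51.100.20:51002 -> 192.0.2.10:443
2011-09-15 09:05:03 BLOCK TCP 198.51.100.20:51003 -> 192.0.2.10:443
2011-09-15 09:05:04 BLOCK TCP 198.51.100.20:51004 -> 192.0.2.10:443
2011-09-15 10:00:00 ALLOW TCP 192.0.2.10:49200 -> 198.51.100.80:80
this line is malformed
"""

def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for a blocked-connection line, else None."""
    parts = line.split()
    if len(parts) != 7 or parts[2] != "BLOCK" or parts[5] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        src_ip = parts[4].rsplit(":", 1)[0]
        dst_port = int(parts[6].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return ts, src_ip, dst_port

def find_scanners(log_text, min_ports=5, window=timedelta(minutes=1)):
    """Map src_ip -> all ports it probed, for sources that hit at least
    min_ports distinct ports inside one sliding time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, port = parsed
            events[ip].append((ts, port))
    scanners = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                scanners[ip] = sorted({p for _, p in hits})
                break
    return scanners

if __name__ == "__main__":
    for ip, ports in find_scanners(SAMPLE_LOG).items():
        print(ip, "probed ports", ports)
```

A source that retries one port many times (198.51.100.20 in the sample) is not reported, because only distinct ports are counted.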


#8 quietman7


Posted 15 September 2011 - 10:01 AM

I always heard that "cookies" were especially appetizing to the Borg. Resistance is futile.


#9 spc3rd


Posted 15 September 2011 - 12:08 PM

That was a one-of-a-kind post, quietman7!

One thing I see in the information you provided on cookies, says that cookies are not a threat, and in the paragraph right above that statement, it says tracking cookies are a cause for concern.

I'm wondering how it's possible to discern the difference between just a persistent cookie and a tracking cookie. In a quick scan I just did with SAS, it displayed something like 6 items, all listed under the heading "Adware.tracking cookie."

* Haven't yet finished reading through all the info you provided, so maybe there are some tips on how to do this.

Thanks for the UNIQUE post! You WON'T be assimilated!

Edited by spc3rd, 15 September 2011 - 12:11 PM.

spc3rd

Dell Optiplex 755 Desktop | Win 7 Pro, SP 1, 64-bit | Intel Core 2 Duo, 3.00 gHz CPU | 8 GB RAM | 400 GB Seagate SATA HDD | Outpost Security Suite Pro | MBAM Premium 2.0 | Spywareblaster | SAS (on-demand) | Blocklist Pro | IE 11 & FF w/ NoScript | Disconnect | Adblock Plus | Flagfox


#10 quietman7


Posted 15 September 2011 - 12:21 PM

A tracking cookie is just a type of persistent cookie and there are privacy concerns with them (not threats). The links I provided you explain things in detail.