
Mcafee Personal Firewall Plus


6 replies to this topic

#1 Lille


Posted 05 October 2006 - 03:33 AM

I am looking for more detailed information on how to determine which applications should be allowed which type of access and how to understand the events and what to do to determine which incoming events should require action on my part. I have googled and searched sites, but find little useable info. The flashing icon for new events detected seems to go continually. Reporting to Hacker Watch does not provide useable information to one who doesn't understand the significance of the items.

I'm looking to hopefully find more details about the use and logic of the way the firewall operates on the above levels. The firewall tutorial here is good, but very basic and obtaining details to put everything together for yourself from info available in my searches seems impossible. Thanks to anyone who can cite a site which may put this in more perspective.



#2 SNC-Zach


Posted 06 October 2006 - 10:19 AM

LOL at effectively using McAfee.

I would advise learning TCP/IP, and do a google search on a few of the terms below:

SYN/ACK
ICMP
NAT
SPI Firewall
Common TCP/UDP Ports

#3 Lille


Posted 06 October 2006 - 10:52 AM

Thanks for your advice on the terms, Zach. I will check them out. I think I have a ways to go before I understand what I even read.


McAfee came packaged as a subscription when I bought the computer and still has a year or more to go. I take it that you are not impressed with them.

#4 Grinler

Grinler

    Lawrence Abrams



Posted 06 October 2006 - 11:39 AM

Unfortunately, for every computer it's a different situation. Basically, software firewalls work in two ways.

Packet Level (Hardware firewalls typically only use packet level filtering)
Application Level

In packet level, a firewall is supposed to deny all inbound access to your computer from a remote computer. This effectively protects you from all vulnerabilities in Windows that can be exploited by a remote user. If, on the other hand, you need to provide access to certain servers on your computer (web server, FTP server, etc.) then you can specifically tell the firewall to allow these ports to be opened.

When I say ports, I mean either TCP or UDP ports. When a program that allows remote connections, which makes it a server, starts, it connects to a TCP or UDP port on your computer and listens on that port for connections. By default a packet level firewall should block inbound access to all ports on your computer. If you need remote users to be able to connect to these ports remotely, then you would need to open these ports on the firewall. More info on TCP/UDP ports can be found here:

http://www.bleepingcomputer.com/tutorials/tcp-and-udp-ports-explained/

For the majority of home users you will never need to adjust the packet level filters of a firewall. Just let it deny everything inbound.

Now when you see event alerts, that typically just means that the firewall blocked access to your computer as it is supposed to be doing. The Internet is a big place and there are constantly programs, worms, malware, hackers, and scripts attempting to exploit vulnerabilities in your operating system or other programs running on your computer. So these attempts are being blocked by your firewall, which is letting you know.

Now application level works a bit differently. With application level firewalling, when a program attempts to access the Internet, your computer will ask you if it should be allowed. For the most part you should be able to tell what program should be allowed. For example:

  • Internet Explorer needs to connect to remote web sites so it should be allowed to connect.
  • Windows Update (C:\Windows\System32\wuauclt.exe) should be allowed to connect.
  • Antivirus programs that need to update definitions should be allowed to connect.
  • iTunes should be allowed to connect.

Etc., etc., etc... If a program utilizes the Internet in some manner, then it needs to be allowed through the firewall in order to function correctly. Now the application level firewalling also helps identify malware. For example, if one day you are using your computer and a strange program is trying to access the Internet, then you can deny that access and scan that file at a site like www.virustotal.com to see if it's malware.

Also remember, any block or allow decision you make when it asks is not permanent. If you block an application from using the Internet, and decide in the future that you need to allow it, you can always go into the McAfee firewall console and change the permissions on the app. I am not sure exactly where you do that, but all software firewalls support this.

So, use your judgement when allowing programs access. If you are confused you can always ask us here.

Hope this helps.

#5 Lille


Posted 10 October 2006 - 02:18 PM

Thanks Lawrence! That certainly does help. I can see that I was becoming jittery about nothing, for which I am glad.

However, I seem to have a lot of hits on ports 1026, 1027, 1433 and 5900. I know that Hacker Watch has a warning on port 5900. I wonder if I need to do anything more than report them to Hacker Watch (it is 360 hits blocked in the last 30 days)? The hits are from various IPs and reporting them doesn't give me a response. I have not found a site at McAfee that seems to go into detail and the help file is difficult to understand. Anyway, I thank you very much for the time and information.

I will check the other link you provided and I think I can begin to understand this from your explanation. Thanks again!

#6 Grinler


Posted 10 October 2006 - 02:26 PM

What you are seeing are people scanning for open VNC and Microsoft SQL servers. They could be worms, scripts, or hackers. Nothing much you can do but report them.

If you are not running these (VNC and MSSQL) then you do not need to worry about it.
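
Added example (not part of the original posts): one way to apply the check described above, grouping blocked inbound events by destination port and testing whether anything on the local machine is actually listening there. The event list is constructed sample data using documentation-only addresses, all events are assumed to be TCP, and the function names are illustrative.

```python
import socket
from collections import defaultdict

# Services the thread names for two of the ports; other ports stay unlabelled.
KNOWN_SERVICES = {1433: "Microsoft SQL Server", 5900: "VNC"}

# Constructed sample of blocked inbound events: (source IP, destination TCP port).
# Addresses come from the documentation-only ranges (RFC 5737).
SAMPLE_EVENTS = [
    ("192.0.2.10", 5900), ("192.0.2.10", 5900), ("198.51.100.7", 5900),
    ("203.0.113.44", 1433), ("198.51.100.7", 1433),
    ("203.0.113.9", 1026), ("203.0.113.9", 1027),
]


def local_tcp_listener(port, host="127.0.0.1", timeout=0.5):
    """Return True if something on this machine accepts TCP connections on port.

    Only probes the loopback address, so a service bound solely to another
    local interface would be missed.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def triage(events, is_listening=local_tcp_listener):
    """Summarise blocked events per destination port, busiest port first."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for src, port in events:
        hits[port] += 1
        sources[port].add(src)
    report = []
    for port in sorted(hits, key=lambda p: (-hits[p], p)):
        exposed = is_listening(port)
        report.append({
            "port": port,
            "service": KNOWN_SERVICES.get(port, "unlabelled"),
            "hits": hits[port],
            "distinct_sources": len(sources[port]),
            # A probe only matters if a matching service actually runs here.
            "verdict": "review: service running locally" if exposed
                       else "no listener: blocked probe, nothing exposed",
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

A port that comes back as "review" is one where the firewall rule is the only thing between the scanner and a running service, so that is where to confirm the service is needed and the inbound block is in place.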

#7 Lille


Posted 11 October 2006 - 06:19 AM

Thank you, Grinler. I am not running either one, so I will stop worrying about it. Thanks again for your time and helpful information.



