Pleas Please Me
November 6, 2008 8:24 PM

I need security software that blocks specific programs from using the internet. ZoneAlarm does this well, but it does not do this completely. Help?

I've had good luck with ZoneAlarm over the past 5 years--it does pretty much what I want. No, Word, you don't get to use the internet. Sorry, Adobe Update, no phoning home. Unfortunately, there are some scraps remaining:

The other day I caught a program using some Windows Help .exe to grab its html help files from the web. It sounded pretty innocuous, but could be used to sinister ends. Then, there are the "Windows Generic Host processes" -- you can't really lock them down (with ZA) without paying a huge price, because nothing really works then.

So, I want software that runs programs inside a web-less sandbox. I may end up having to run a VM with file-only access, but I'd rather not--that's kinda slow, and not very seamless. If there were software that viciously scalpeled all web dlls from the offending program, that'd be okay too. But I need to know that this software isn't phoning home. I don't give IE permission to use the net until I have to use it, because I have a suspicion some programs show up as IE in ZA.

99% of the programs out there talk about "stopping spyware before it's even installed" or removing it once it's been identified. I don't want that--I'm paranoid, what are my options?
posted by gensubuser to Computers & Internet (15 answers total) 2 users marked this as a favorite
 
VM is the only way to go if you want to be close to 100% sure.

Windows Help .exe to grab its html help files from the web.

The HTML help application in windows is a browser in itself. This is a feature not a bug/hack, but yes, it can be exploited.

I don't want that--I'm paranoid, what are my options?

You should also learn how to run as a limited user and not as local admin.
posted by damn dirty ape at 8:39 PM on November 6, 2008


Best answer: What dda said. But if you're determined to do things the hard and expensive way, you might look into Sandboxie. It doesn't give you the web control you want, but it does claim to allow you to roll back any damage the drive-by nasties do to you.

I haven't used it myself, because I prefer not to do things the hard and expensive way.
posted by flabdablet at 8:52 PM on November 6, 2008


Why are you running Windows if you're paranoid? Why not 100% open source software like Linux, except occasional proprietaries under VM?
posted by jeffburdges at 8:53 PM on November 6, 2008


Response by poster: I'm concerned about things phoning home, not messing up my files. Sandboxie has been useful... but it doesn't really control the net. Running as limited doesn't help either--I don't expect programs to trash my MBR these days, just log my credit card number and send it home. Open source/non-windows would be a disaster--Linux users are still in the honeymoon phase where they expect software to be polite. For example, last time I checked, there was no equivalent to program-blocking in linux (!!). And they liked it that way!
posted by gensubuser at 9:28 PM on November 6, 2008


This won't help you because you're using a Windows machine, but I thought I'd add that OS X users can use Little Snitch, which does exactly what you want it to, in case they'll later search for keywords leading to this thread.
posted by krautland at 9:48 PM on November 6, 2008


For example, last time I checked, there was no equivalent to program-blocking in linux (!!). And they liked it that way!

Personally it's not so much the lack of program blocking I like - it's the lack of the need for program blocking.

The reason we can still have a reasonable expectation that software should and can be polite is because the software we run has no secrets.

All the stuff that runs on my machine is open source - that means that if I don't like the way it behaves, I can make it behave some other way. Even if I don't have programming skills (which, as it happens, I do have) there's a good chance that if I don't like the way a given package behaves, somebody else who does have programming skills will also have objected to that misbehaviour, patched it away, and described the change somewhere Google can find it.

You know what makes me sad? What makes me sad is contemplating the vast army of ordinary computer users who have had their expectations of how software is supposed to work bashed and squashed and beaten down by inscrutable commercial bastardware until they think that what they're suffering is normal.

I don't want to need to stop stuff on my machine from phoning home. I want to run stuff that I know and can prove just doesn't phone home unless I want it to. I want my computer to be a haven of software sanity. Living with security threats that come from Out In The Cloud is quite bad enough. I don't see why I need to inflict additional threats on myself by a poor choice of software.

Your mileage may, as ever, vary.
posted by flabdablet at 11:42 PM on November 6, 2008


Have a look at Sygate Personal Firewall - it's not being updated anymore but it's very thorough in restricting applications from Internet access.
posted by bigmusic at 1:00 AM on November 7, 2008


Also a freeware version for the mac: GlowWorm FW Lite.
posted by bigmusic at 1:15 AM on November 7, 2008


Netveda Safety.Net
This does what you need. This will stop any application from accessing the internet till you explicitly allow it.
posted by shr1n1 at 1:17 AM on November 7, 2008


Try Comodo. I haven't used it, but it's apparently a pretty popular up-and-coming firewall that's done a good job.

And yes, Little Snitch for the Mac is amazing for this. I know this doesn't help you because you're on Windows, but I thought I'd mention it.
posted by joshrholloway at 6:47 AM on November 7, 2008


Open source/non-windows would be a disaster--Linux users are still in the honeymoon phase where they expect software to be polite.

FreeBSD + ipfw will do this and more.

Another alternative is to not use software that is net-enabled. Or, if you must, then disable the startup applets or the feature that allows auto-updates. That along with ZoneAlarm is more than enough for casual computer use.

That said, there's no incentive for Adobe or Microsoft to sniff your credit card or your weight in kilograms. Perhaps a holistic approach is to decide what level of privacy you want. Usually you cannot have your cake and eat it too on the same machine, especially without encryption.

Running as limited doesn't help either

Sure it does. If these apps run with your credentials as a LU then they can't decide down the line to start installing things or making system changes. Any system change or update will need to be approved by an administrator.

Lastly, if I had your level of paranoia I would jettison all the client-side stuff and set my router's firewall to disallow all traffic unless explicitly allowed. I would also remove DNS from my machine. All the sites I frequent would be given exception on the router's firewall and I would use a hosts file to resolve the names. I would also encrypt my personal stuff.
posted by damn dirty ape at 7:16 AM on November 7, 2008


If you want to avoid getting a credit card number/important passwords logged, you can try this: make a live cd or no-persistence live usb with some linux distribution. When you need to do important stuff online, use that OS. Keep your regular OS for less important things.
posted by trig at 8:53 PM on November 7, 2008


Response by poster: I was giving Sandboxie another chance, and it turns out there is a setting to disallow all web access for programs running in a given sandbox. This is exactly the feature I needed. Sweet program!
posted by gensubuser at 9:19 PM on November 30, 2008


I stand corrected. Glad you got a result.
posted by flabdablet at 3:00 AM on December 1, 2008


Just web access? If so, that's probably only ports 80, 8080, 8000, and 443. Chatty apps try those ports first, then try some non-standard ports. Adobe updater uses some random port.
posted by damn dirty ape at 9:38 AM on December 1, 2008
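
An added example, not part of the thread or of any product mentioned in it: the last comment's point about non-standard ports is why per-program rules match on the executable rather than on a port list. The sketch below uses the built-in Windows Firewall cmdlets (NetSecurity module, Windows 8 / Server 2012 or later, elevated session); the executable paths and the `$DefaultDeny` switch are hypothetical placeholders.

```powershell
# Added example. Paths are hypothetical placeholders; replace with real ones.
$Blocked = @(
    'C:\Program Files\ExampleVendor\Updater\updater.exe',
    'C:\Program Files\ExampleVendor\Editor\editor.exe'
)
$Allowed     = @('C:\Program Files\ExampleBrowser\browser.exe')
$DefaultDeny = $false   # set to $true for "nothing talks unless allowed"

# Per-program outbound blocks: the rule matches the executable path, so it
# applies on every port and protocol, not only 80/443/8000/8080.
foreach ($path in $Blocked) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing executable: $path"
        continue
    }
    $name = "Block outbound - $(Split-Path -Leaf $path)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Program $path -Action Block -Profile Any | Out-Null
    }
}

if ($DefaultDeny) {
    # Default-deny posture: add explicit allow rules first, then flip the
    # default so that unlisted programs (including helpers launched by a
    # blocked program) get no outbound access.
    foreach ($path in $Allowed) {
        New-NetFirewallRule -DisplayName "Allow outbound - $(Split-Path -Leaf $path)" `
            -Direction Outbound -Program $path -Action Allow -Profile Any | Out-Null
    }
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

# Audit: list enabled outbound block rules and the program each applies to.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
```

A per-program block does not cover a second process that fetches content on the program's behalf, which is the Help viewer case raised in the question; only the default-deny branch closes that gap, at the cost of having to allow system services explicitly.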

