So many (techie) product questions...

  • 17 October 2014
  • 38 replies
  • 144 views

Userlevel 1
Please pardon all of my techie questions but I want to ask them before I spend more cash on yet another product that may or may not really fit my needs.
 
Are there "basic" versions that do NOT want to manage my passwords and/or credit card information? (like so many other products want to point to as some wonderful "feature" aka: wonderfully packaged and sold security risk IMHO when there is no way to actually stop the underlying processes from still gathering and storing your passwords etc...)
 
I am very particular about system resource use, running process, and communication ports being held open. (as another product  wanted to hold 24 ports open at times - in port matched loop-back pairs... totally wasted resources, running process, services, threads, and handles.)
 
Will these products potentially cause any unsolicited inbound packets to show up at my router? (I had issues with other products that were not using TCP/IP communication correctly causing hundreds a week at times)
 
All that I want and need is coverage for 3 PCs with:
  1. Basic Anti-virus that is lightweight and reliable.
  2. Basic Internet Security (without any account, identity, or credit card information storage)
  3. Basic Firewall management functionality (able to block and report attempts at intrusion)
I DO NOT want or need an on-line backup system, password manager, credit card information cache, or auto fill in for passwords and or credit cards. (I will manage all of that on my own thank you!)
 
 
Which product would fill my needs if any?
 
Thank you very much for any clear and honest information!
 

38 replies

Userlevel 7
Hi practicality! 
 
Good to see you again!  Admittedly we can't always fix everything, but we do always do our best to try to help.  Sometimes the best we can do is figure out who or where to refer someone to :(
 
I have been on here a while obviously, but I still learn every day.  No one ever knows everything, but I learn a lot just by trying to help others out!
Userlevel 4
Badge +10
Creating a support ticket makes sense to find how to streamline WSA scans---or to put in a feature request for it. IDK what table or index the scan refers to and how it varies on other boxes but hope to hear more about this. No "bait and switch" tactics here. In this community, I found other inquisitive folks who care to help and are wise enough to know where to refer questions to. Like you, I wrote to potential internet security providers. For whatever reason, I did not get an answer from this community at the time. But in fairness, did not check for one--once I realized that WSA is the best thing available for Mac. Health permitting, I follow this community and learn. For most folks here it is probably time permitting. I appreciate the attitude and spirit of this community.
Userlevel 7
Hi RussH
 
Apologies if we have not been as responsive as you would like but most of us here are volunteers and therefore have day job too...and so our time available to come into the Community and help is can be irregular and sometimes limited (I knoe that my time recently has been more than I would like).
 
In terms of what yo are seeing the first thing that I would do is to review the Scan Log for each system and see if there are any significant difference in terms of the number of Good [g] and Unknown [u] files found on each...more [u]s wcan mean a longer scan time for reasons that are...well, obvious really.
 
IMHO the only option that you have is a Support Ticket so that the Support Team can investigate the make up of each system & the installation of WSA to determine is there is some conflict there.  They will most likely send you some system investigation tools and as you to gather logs and configuration details for analysis back at the ranch.
 
That is what I would do.
 
Hope that helps?
 
Regards, Baldrick
Userlevel 1
So I guess here is my rub...
Not to mention I feel like this has turned into some bait and switch with the community responses (or lack there of) here... Remember the knowledgeable community here was one of my major reasons for purchasing this software in the first place...
 
Box #1 running an i7 with 12GB memory, dual SATA3 240GB SSD, single SATA3 1.5TB 10K RPM data drive, using 3 separate USB 3.0 external drives on occasion (but have not reconnected any of them since the original manual scan done on them)
Scans continue to look for files on these now removed (removable) drives and it is also till looking for a now deleted file that had flagged as a threat...
27,430 files scanned took 3:13...
 
 
Box #2 running an i3 with 8 GB memory single 1.5 TB 7200 RPM SATA3 drive...
54,640 files scanned took 1:19...
 
Both systems running Windows 7x64 Ultimate
 
Almost TWICE the files scanned in less than half the time on a SLOWER system???
 
WHY??? 
My SSD system is MUCH faster (other than the obvious issues with WSA attempting to access non-existent drives/files wasting a HUGE amount of time)...
 
HOW CAN I FIX THIS?...
How can I stop WSA from looking for non-existant devices/files??? (seems rather silly for it to continue looking after they are not found even once)
 
Userlevel 1
Last scan: 4 Minutes and 3 Seconds...(yes I know still not "that" slow but on my SSDs?)
 
As I said it is slowly getting longer... and it is still looking for those external drives even when they are not connected (and none have been connected in 4+ days now)
 
Why are the removable/external drives even cached for future scans?
 
I mean really if I where to keep inserting USB sticks for instance?I can't even imagine how many now non-existent "drives" it would be trying to scan each time it runs... what gives?
 
And it is also still looking for that one local data drive file that flagged as a threat which has been deleted (and wiped)... it also no longer exists and yet each scan now keeps looking for it...
 
I have actually not even been on this box much this week busy with a new job etc...
 
Userlevel 1
Now I have more questions...
 
Seems that since I have done manual scans on my external drives and even cleaned a couple of threats off of them it seems the system scan continually attempts to access these drives, even when they are no longer attached...
 
I also had one detection on my local data drive which I resorted to simply deleting the file but now the system scans are also looking for that specific file even though it has been deleted and the free space on the drive wiped...
 
My original 14 second system scan has now become 3 Minutes and 27 seconds and it seems to keep getting longer... even with no external drives attached...
 
I could see where if I had added a bunch of new files or something but in the last scan it decided it needed to scan 27+K files when the original scan only wanted to scan 16+K... 10K more files = 3 minutes 13 seconds?
 
I am wondering if there is any way to purge the files/locations that WSA has decided it wants to scan in order to avoid these un-needed scan attempts? Or do these flagged scan locations fall away over time automatically? (if so how long does it take?)
 
Oh and another minor thing... There is now a "Personalized Security Report" pop up on every reboot?
 
Edit: The "Personalized Security Report" pop up has stopped...
 
Userlevel 7
@ wrote:
Well here are my thoughts on WSA.
 
Very nice and light weight, nothing extra running, but still very reactive to threats.
 
A minor issue with application version changes: IE: I am a programmer and when my software builds the version number is incremented to denote the new version, WSA then reverts to blocking the same application (all be it with a newer version) in the same location it has been told to allow prior.
I again have to tell WSA that it is okay to allow it to access the network... and then again also tell it that it is OK to access the copy buffer... (for instance I manually copy my router log to the copy buffer (ctrl+c) to then process in my application and then output the results based on type of entry and/or source IP)
Not a huge thing but a slight annoyance when you are a programmer.
 
Note: This does not seem to happen when you update a web browser like FireFox for instance (which is open source)
 
Beyond that I have had no problems with the functionality and it has passed all the tests I have put it through!
 
Thank you for doing what is needed and not forcing me to have "features" I would never use.
Yes, when you manually allow a file, once the file is changed it reverts to blocked.  This is because each file has a unique "MD5" number.  This is basically a hash number, and again is unique.  The Allow/Block files works from the MD5, not the file name.  This is so that if a good file is altered by malware it of course will be detected and blocked.
 
As you say... a bit annoying for a developer, but very effective at the same time.
 
The major browsers are of course already set 'internally' in the Cloud to be allowed globally, as is much commercial software, so you do not need to change permissions when updating.  
 
I am glad you gave us your input, and I hope you are happy with it!  Any quetions or problems, come on back and we will be glad to try to help 🙂
Userlevel 1
Well here are my thoughts on WSA.
 
Very nice and light weight, nothing extra running, but still very reactive to threats.
 
A minor issue with application version changes: IE: I am a programmer and when my software builds the version number is incremented to denote the new version, WSA then reverts to blocking the same application (all be it with a newer version) in the same location it has been told to allow prior.
I again have to tell WSA that it is okay to allow it to access the network... and then again also tell it that it is OK to access the copy buffer... (for instance I manually copy my router log to the copy buffer (ctrl+c) to then process in my application and then output the results based on type of entry and/or source IP)
Not a huge thing but a slight annoyance when you are a programmer.
 
Note: This does not seem to happen when you update a web browser like FireFox for instance (which is open source)
 
Beyond that I have had no problems with the functionality and it has passed all the tests I have put it through!
 
Thank you for doing what is needed and not forcing me to have "features" I would never use.
Userlevel 7
@ wrote:
@ 
 
.........
 
 
I feel I am likely much safer than many of the corporate/government networks that have outsourced their IT support... *cough* *cough* that's real safe...
LOL!!!  Very good point 🙂
Userlevel 1
@ 
 
Yes I have only had these Port 0 attacks show up twice as I mentioned so it has not been a big issue if they persist I will obviously speak with my ISP. (I still find it odd that it only ever happened shortly after installing BitDefender and then again shortly after removing BitDefrender)
 
As to configuration my IP is configured as DHCP at the cable modem BUT... The cable modem is controlled by the ISP (including firmware version) and is serial number matched and locked with its physical MAC address to what is basically an externally static IP.
 
My router is configured to use the Modems provided local IP as DHCP so if I lose connection with my ISP(Internet) my local network (Intranet) is still functional and reverts back once the ISP is re-connected.
 
This seems to be a pretty safe configuration as the connection to the ISP is physically secured using the serial number and hardware MAC. Pretty hard to spoof something like that without having the actual Serial number and Physical MAC of the modem.
 
Even if something does get through the modem my router is then the second line of defense as I have Ping, FTP, uPNP, remote admin, wireless,  all turned off,  as well as having other specific address/site blocks set up on it.
 
Then if all of that fails each connected device still has its own firewall and anti-virus/anti-malware system installed and configured.
 
I feel I am likely much safer than many of the corporate/government networks that have outsourced their IT support... *cough* *cough* that's real safe...
Userlevel 7
Hi RussH
 
Interesting but they have been stopped and if your router did not stop them then I strongly suspect that the Windows Firewall (assuming that you have not replaced that with a 3rd Party one) would do re. that sort of attack.
 
I have checked what I am seeing in terms of the context of your investigation and would ask as to whether you have a static IP Address from your ISP or more like the rest of us you get a random one from a range, attributed to that ISP, on a first connect first give basis?  Reason that I ask is that in my humble opinion you should congtact your ISP  with the informagtion and get them to see if they can do something about it...especially if it is a static address you have.  IF randomly allocated from a pool it coul;d be that you have been allocated an address that has in the past been used by another subscriber in a way that has gotten it to the attention of hackers, etc.
 
This happened to nme a few years back and I reported it to my ISP who was happy for the info and took steps accordingly.
 
Just a thought for you .
 
Regards, Baldrick
Userlevel 1
@ 
 
In response to your questions...
 
Started with: [DoS Attack: WinNuke Attack] from source: 188.165.236.154, port 0, Monday, October 20,2014 22:07:56
Last attack: [DoS Attack: WinNuke Attack] from source: 77.37.7.105, port 0, Tuesday, October 21,2014 00:52:30
 
167 individual attacks from 92 unique ips (there are a few within their own same sub-net range)
 
They were shown as several "types" by my router:
[DoS Attack: WinNuke Attack]
[DoS Attack: FIN Scan]
[DoS Attack: SYN/RST Scan]
[DoS Attack: ACK Scan]
[DoS Attack: NULL Scan]
[DoS Attack: Xmas Tress Scan]
[DoS Attack: IMAP Scan]
 
All to port 0 which: “Generally speaking port zero traffic can be indicative of a possible reconnaissance attack, and may be a precursor to more serious penetration attempts”
 
Attackers can use such abnormal traffic to fingerprint operating systems and network security devices, because different OSes and network equipment can respond differently to port zero traffic, the researcher said. “This can enable the attacker to make a more precise attempt to compromise a network.”
 
 
 
Userlevel 6
Hi@RussH,

I'm glad that everything worked as you've expected.
Regarding your port 0 attacks; does your router give you any more information on those packets?
How many packets did you receive in that time? And do they all come from the same IP? Perhaps you can also see why the packets end up at Port 0; as Port 0 isn't a valid port.
Userlevel 1
Pardon my delay in getting back again...
 
I had about a 3 hour Port 0 attack again last night starting at about 10:07PM and lasting till about 1:00AM that was stopped by my router again...
 
This is only the second time I have had these port 0 attacks happen and not to point fingers but it seems odd that the first time (which lasted just short of 24 hours) was shortly after installing BitDeffender...
And then last night almost 14 days later exactly (and 2 days after removing BitDefender) it happens again...
 
Not that it affected anything on my machines as in both instances the router stopped/dropped all of the packets.
 
Beyond that everything seems to be running smoothly, though I have noticed some streaming content will buffer a bit at the start but it then smooths back out after several seconds.
 
Even my DiabloSport inTune updates worked fine (after allowing it through the firewall)
Yes I am a performance car buff too... :S
 
Userlevel 7
Hi RussH
 
How are you doing? Many thanks for coming back and providing an update. This helps us to checked that the advice, assistance, guidance, etc. provided is appropriate and correct.
 
Glad to hear that not one but two pf your systems have WSA covering their backs now...looking forward to whenyou advise that you have the full set moved over/sorted.
 
Please do come back and hang out/contribute what you can and when...this is the big part of what this Community is about...not just issues...but so much more.:D
 
Regards, Baldrick
Userlevel 4
Badge +10
Enjoyed this entire post! Paranoia vs Caution...I remember what it felt like to hang out, unprotected while removing old security---keeping offline till new security refused to go further without phoning home to validate my purchase and update definitions. All the while, holding my breath and hoping there was no breach of ports. (I was glad when RussH suggested that security may want to look at that weak link.) The others did a good job of addressing every point--explaining how WSA works well with most other security--so LAYERED security is the way around some vulnerabilities. And I learned more about how WSA works in the process. I can also identify with RussH when it comes to who controls the running processes. With a PC it was often me in charge but Mac has a different idea. I do think that computers are a lot better at handling resources today. And I can say that WSA is not a resource hog. I avoid frivolous or risky apps. The Webroot features mentioned are optional when it comes to Mac and would seem to be so for PCs too. Best wishes y'all!
Userlevel 1
Back again!
 
Well 24+ hours and no router issues with packet traffic, the second system has it installed now as well.
 
Firewall port testing came back good as well.
 
So far so good!
 
Userlevel 7
Hi RussH
 
Thanks for coming back and posting on progress.  I am not surprised at anything that you report, not even the "slight knee jerk reaction on my part was the 14 second initial scan".  A lot of people using WSA for the first time do that...the reason for this is the way that WSA works...the philosophy is that malware is only dangerous as and when it is active so WSA monitors for malware activity both using Cloud-based whitelisting, and heuristics both does nothing with any file  or app that is not active.
 
So you may have the largest repository of malware packages residing on your system but if they are all inactive/dormant then it will pay no attention to them...BUT...the merest sniff of activitty and WSA will pounce, analyse and block...in otherwords WSA does not waste time or resources on things that cannot cause damage etc., but rather focusses on those that can.  Particularly clever and effective is what it does if it cannot determine whether an active file is malicious or not...in that case it monitors/journals the file's activities (which it also limits as well) and if eventually determined to be good it then stops the monitoring/restriction, etc., but if bad it it rollsback back any journalled activity so to negate the impact of the 'now determined to be malicious' file. :D
 
I hope I have described the philosphy properly.  I am sure that with your background you have probably researched this but for more information please take a look at this previous post, especially the three vidoes, for more information on the unique way that WSA works to protect the system it is installed on.
 
Of course, post back if you have any more questions.
 
All that I will say more at this oint is sit back, relax...you are well protected.
 
Regards, Baldrick
Userlevel 1
Alrighty...
Well it took me a few to get BitDefender beat into submission but I finally won. The uninstaller is not very good and it left several things behind that I had to go manually remove. (surprise!)
 
Installing WSA took maybe 15 seconds for the authentication and download to complete as I have a pretty fast Internet connection (50Mbps)
 
I was very surprised by the light weight footprint of this product...
 
One thing that caused a slight knee jerk reaction on my part was the 14 second initial scan... Granted it decided that it only needed to scan 16k or so files...
 
I would think doing an initial system scan you would want to do a "complete" system scan. IE: scan all files to ensure there is nothing currently hidden anywhere but I guess the constant process monitoring should flag any threats and stop them before they get far enough to do any damage.
 
I am still wondering about the potential for TCP/IP communication issues causing my router to flag as unsolicited inbound packets but that remains to be seen and of course time will tell there...
 
So far so good a simple basic product that seems to only do what I really need.
 
So now I am off to go get my trusty Spy-Bot back...
Userlevel 7
Hi RussH
 
Well, that is a shame...and just our luck...so we cannot close the 'window of opportunity' as you are quite right that with what you are currently using you must uninstall and cleanse your system just to be on the safe side.  What a shame.
 
Still, given the specs of your system I can say without feasr of contradication that WSA will fly and that you will see quite a difference when compared to your current security solution.
 
Look forward to hearing how you get on and of course, we are here should you have any further questions or need further assistance.
 
Regards, Baldrick
Userlevel 1
@ 
 
Yes oddly you mention BitDefender...
It is the current "offender" I didn't want to give a specific product name but there you have it.
and no It does not play well with hardly anything else (it even forced me to uninstall Spy-Bot before it would allow the install to run)
 
My system...
3.4Ghz i7 (real quad core hyper-threaded to 8 cores)
12GB of DDR3 1600
240 GB SATAIII  SSDx2
1.5 TB 10K RPM SATAIII data drive
3 x USB 3.0 externals (2x500GB and a 4TB)  of course my externals are never connected other than when in actual use
Nvidia (EVGA) GTX 660 Ti OC 3GB PCIe
Creative Labs X-Fi titanium PCIe
RAIDMAX 850 Watt quad rail
A UPS for each PC as well as the Modem/Router having their own shared UPS.
Hardwire only GB speed network.
 
So I am expecting this product will run pretty well in this environment.
 
Anyway off to Best Buy it shows they have the 3 PC product in stock...
 
Again thanks to everyone and I will pop back and give you my thoughts once I get it installed
 
Userlevel 7
Hi RussH
 
You are most welcome...that is what we are here for in part (as well as having some fun, learning lots, and of course, making new friends).
 
I follow what you are saying, but would provide the following snippet.  Are you aware that WSA is designed to be compatibile/play well with all other major AV/IS products around...and it is 99% successful as far as I am aware.  I have run it successfully in tandem with KIS, and there are other members who have do ne the same with NIS and some other of the major players, all with no ill effects...but of course more drain on one's system (usually due to the other AV/IS used).  The only one that I am aware of that WSA does not play well with is BitDefender.
 
I am not aware of what yo are currently running but unless it is BitDefender I do not see why you cannot install WSA with your current security apps installed & running and then, once WSA is installed, uninstall your curent app.
 
Worth considering I would suggest and if you go with that then the 'window of opportunity' we were discussing is reduced to zero.  If you are tempted to try then let us know what you currently use/what WSA will be replacing and we can poll around the Community to see if anyone has any experience; positive or negative re. using both at the same time.
 
Regards, Baldrick
Userlevel 1
@
 
Well as far as the install you are correct but I do still need to un-install my current product and get it cleaned off in entirety prior to installing the new product and thus it would require a reboot (if not 2) to ensure all remnants of the prior product is gone for good...
 
During the un-install processes and reboot(s) prior to starting the new products install I do not want to have an open Internet connection.
 
I feel pretty confident that staying disconnected up to the point of the install complaining about the lack of connection will reduce the risk to bare minimum.
 
I guess I wish security software vendors would at least lock down connectivity and only allow traffic for their proprietary software to access the Internet during these "less than secure" windows during install/authentication processes... (I also do some MSI packaging)
 
Regardless I guess the proof will be forthcoming as I intend to give this product a shot. (thanks in a big part to the helpful and knowledgeable community here)
 
Userlevel 7
Hi RussH
 
I do completely understand the reasons for your caution and I think that you are exceptionally wise to have that sort of precious and sensitive data/source held on extrenal drives that are hopefully disconnected from the internet unless they need to be.
 
I also think that your approach of "run the install from CD off-line until it complains about no connection" does reduce the 'window of opportunity' but sadly by very little as when I trialled the disconnected install (prior to one of my posts) it was a matter of seconds, from clicking to run the installer, to the installer advising that it could not authenticate, and offerring to abort the install....but on the positive side...it will reduce the window by a few seconds more than if connected.
 
I do hope that you do take the plunge and do finally join our Community.  Please let us know what you decide either way.
 
Regards, Baldrick
Userlevel 1
"and by the way I have been in IT since 1982, and for many years a programmer and more recently a consultant"
 
Glad to hear there are knowledgeable folks helping users here!
 
1985 for myself working with both hardware and software development...
 
One of my major concerns is my huge source code repository I have built over the years though I do keep it on external drives.
 
Not to mention current client source and data that I do not want to have potentially exposed or infected...
 
Well from my perspective I suppose I can run the install from CD off-line until it complains about no connection for authenticating and then connect at that point to reduce that window of opportunity even further.
 
Thank you again for all of your insight and assistance!

Reply