[ Jump to bottom ]

index -- intro -- rules1 -- principles1 -- tweaks -- hints1 -- articles1 -- software1 -- security -- links1 -- config1 -- glossary -- projects -- diverse -- events16 -- about -- sitemap

Security 1

Web tadej-ivan.50webs.com

sponsored links

Updated: 01.12.2016

View My Stats

The contents of this site's pages are protected with a Copyscape.  Copyscape Website Content Copyright Protection
Copyscape site's mission is to offer a website plagiarism search and content copyright protection.

As far as I am concerned in case of privacy and security issues and how to protect yourself (when connected to the Internet of course), a good firewall software is the only and trully important thing to run, also see the "software.html" page. Though on the other hand I must say that I already made Internet Explorer pretty safe with disabling many dangerous features (see below), with various security-related modifications with gpedit.msc, and additionally with various registry hacks (policies restrictions and others), but especially with disabling many options under Control Panel - Internet Options, the Advanced tab, and with setting the right settings (to some racional level) under other Internet Options applet's tabs, like Security and Privacy. Note that I do not recommend others to not to use Microsoft's patches (like me, hehe) or not to update/patch Windows at all (again like me), I am just saying that you just need to use some good anti-virus software (not like me, currently running without any anti-virus program), and especially I certainly do recommend to use some well-known, trusted and good configured firewall software (and as the most important), but rather see the rest of the page for details. Also see my posts in these three threads, first here on Winforums: Winforums 12 x 12 pixels icon Do we really need software updates?, then here on Wilderssecurity forums: What is really sensible in terms of PC security?, and finally on "Ars Technica" forums: Ars Technica 12 x 12 pixels icon Let's Talk Security, and here: Ars Technica 12 x 12 pixels icon Is there a Good, Free anti-virus with small footprint. Of course, I can play with security, because of my great computing knowledge. I know well, what I am doing and what is going on in the background (processes running, software installed, libraries used etc.), and also because of my particular situation, i.e. single-user PC, dial-up modem connection etc. So I hope, you can imagine that I can afford all this, hopefully you also understand why is it so. Please don't try to take advantage of my un-patched system, and hack me only to "punish" me for not using updates, and to prove my I am wrong. I know well, I can be hacked, but I am also convinced, it's not worth all the bandwidth and reboots, if I would like to keep my sistem "up-to-date".

NAVIGATE:  next --> security2.html


Well, as you might guess (because of numerous references) I use various monitoring tools from Sysinternals site, written by the author Mark Russinovich, and all of them are "non-setups", i.e. just an .exe file, the "form" I prefer. I have a lot of respect for Mark (and we've exchanged many e-mails so far, so he knows me and my various "theoretical" questions and discoveries quite well), in fact, it was the Sysinternals website and the utilities available there that are the reason for me starting to explore how the Windows opearting system works on a bit "lower levels". And also I was one of the most regular "bug discoverers" (I'm referring here to bugs in Mark's tools), for example, I found many Process Explorer's bugs and glitches (in an early stage of its developement), like that tooltips and priority-column glitches, the "UserObjects" consumption bug in Autoruns utility, Tokenmon's "Stand-By" and "filtering non-working" bugs, and finally the Regmon's 6.1 "bad pointer passed into a registry call" bug, which was quite a serious bug actually causing a BSOD. Anyway, as first, here is the definitely most important one (in my opinion of course) from all the utilities from Sysinternals, i.e. I am talking about the Windows Taskmanager replacement Process Explorer: http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx program. Well, there is another programs called Autoruns: http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx which displays several auto-starting locations and what programs are configured to run during system bootup or login including the ones in a startup folder and various registry keys. It is also totally crucial security related program, however, it's not a monitoring programs in standard meaning. And finally with TCPview program: http://www.microsoft.com/technet/sysinternals/utilities/Tcpview.mspx I monitor established and non-established active TCP/UDP connections, their endpoints (IP or hostname) and optionally close process which established a connection or only close a separate connection to some server with a line/entry TCPview's UI. Each process usually has many opened/established connections at a same time; for you to imagine what I mean. Regarding other Internet related monitoring programs I also used (but not anymore), there are also programs like TDImon: http://www.microsoft.com/technet/sysinternals/utilities/TdiMon.html which monitors activity at the "Transport Driver Interface" level of networking operations in the operating system kernel, and Portmon: http://www.microsoft.com/technet/sysinternals/utilities/Portmon.html which monitors and displays all serial and parallel port activity on a system. While regarding non-Internet related monitoring programs I used (but I also don't use them anymore), there are programs like Tokenmon: http://www.microsoft.com/technet/sysinternals/utilities/Tokenmon.html which monitors Logon/logoff, Enabling/disabling privileges, Impersonation, Process creation/exit, then DebugView: http://www.microsoft.com/technet/sysinternals/utilities/DebugView.html which monitors a debug output on a system, but especially useful ones are Regmon: http://www.microsoft.com/technet/sysinternals/utilities/Regmon.html which monitors and displays registry activity on a system and Filemon: http://www.microsoft.com/technet/sysinternals/utilities/Filemon.html which monitors and displays file system activity. Not to mention Mark's commandline programs (see the "cmdline.html" page here on my website) although they are not so security related, rather related to system maintenance in general.

And as a related news: in 2007 (at least if I recall correctly) the Sysinternals as a whole was aquired by Microsoft, see "New! Sysinternals TechCenter": http://blogs.technet.com/sysinternals/archive/2006/11/06/new-sysinternals-techcenter.aspx (the announcement-page) while here at this link: http://www.microsoft.com/technet/sysinternals/default.mspx to what is now the main Sysinternals site's location; by the way, I have already updated most of the links here on my website. Oh and yes, don't forget to check out a totally new Process Monitor: http://www.microsoft.com/technet/sysinternals/utilities/ProcessMonitor.mspx program, which is a "Process Explorer", "FileMon", and "RegMon" applications combined together. Oh and yeah, if you want to check out the ** FAQ: Common ProcessExplorer Issues ** thread: http://www.sysinternals.com/Forum/forum_posts.asp?TID=4469&PN=1 that actually mentions me; it's below under instructions for Dependency Walker application, while my username is "Ivan" on Sysinternals forums. While not a Sysinternals application, I would like to mention the Asviewer: http://www.diamondcs.com.au/downloads/asviewer.zip, which is yet another "startup programs manager" (very similar to "AutoRuns" from mentioned/linked above), an there is also the APT program (APT means "Advanced Process Termination"): http://www.diamondcs.com.au/downloads/apt.zip on the same website that enables you to terminate a running process with no less than 9 different methods; both programs are from DiamondCS site: http://www.diamondcs.com.au (the authors of famous programs like TDS, Port Explorer, Wormguard etc), also see here for other freeware programs: http://www.diamondcs.com.au/index.php?page=products.


In this section, I first need to mention the xp-Antispy program, a small "non-setup" application which eliminates many security risks, useless features built-in to Windows etc. If you prefer the "other" way, there is also a commandline version available, currently it is version 3.93, and you can get it here: http://www.xp-antispy.org and also I use two other security/performance settings "tweaking" programs, namely SafeXP: http://www.theorica.net/safexp.htm and GameXP: http://www.theorica.net/gamexp.htm from Theorica site: http://www.theorica.net site. Further there are various Merijin's security-related applications like the famous HijackThis, a crucial BugOff, then CWSShredder, StartupList etc. Here is Merijin's homesite: http://www.spywareinfo.com/~merijn/downloads.html, and if this link above is offline, then try here:

I also use a bunch of small, compact "non-setup" applications from Gibson Research Corporation, shortly GRC. They "patch" various security holes, things that can be easily exploited, disable various potentially dangerous OS features and similar, like one disables DCOM, another one disables UnPnP, another one "open" NetBIOS over TCP, then another raw sockets etc. They are mostly 10-30 kB in file-lenght "non-setups", coded in assembler/assembly, the most important are XPdite, UnPnP, DCOMbob, NoShare, Socketlock, ShoottheMessenger etc., here are few GRC's links. First GRC's main/intro site: http://grc.com, then GRC's main/default page: http://grc.com/default.htm, and GRC's site's page with free popular applications listed: http://grc.com/freepopular.htm. And the best thing is that you only need to apply it once, and it's done till next Windows installation (or till someone change this setting, burried deep inside registry) I do recommend them to everybody, ehm, even if there are folks out there, that don't like Steve Gibson and his work. There is actually some sort of "community" out there, see here: http://grcsucks.com, where people are complaning about Steve's position on RAW packets ion Windows XP etc. The rest of the page describes other important applications I use, mainly they are listed and described separately, but there are also others, that I don't describe at all, nor with basic descriptions like Merijn's and GRC's applications.

Further, it is important to mention that I do use famous JavaCool software application called SpywareBlaster, and I am 100% you should use it too. The programs is "spyware preventer" and not "spyware cleaner", meaning that it keeps the dangerous stuff away from your computer. So you see, it doesn't scan and fix problems when malicious stuff (a file or data in registry) is already existing on one's computer like with mentioned spyware cleaners (for instance the well-known Ad-aware and Spybot S&D), but rather see few paragraphs below on what I think about them. Instead it simply adds various dangerous sites to the Blocked Zone in Internet Options, and prevents the dangeruos cookies to become resident files on your hard-disk. Additionally it blocks ActiveX controls known for exploits with the so-called "kill-bits" (a character 0 - zero added into the ActiveX's registry value) etc. It works with Internet Explorer, Mozilla 1.7 and higher, and Firefox 0.9, 1.0, and higher. Here is its homepage with other programs too: http://www.javacoolsoftware.com,however this one requires an installation-procedure.

I also started using Mozilla Firefox as my default browser (and Mozilla Thunderbird as my default e-mail client); one of the reasons for downloading it in the first place was that back then it was still available also in "non-setup" form at that time (zipped archive, no installation routine); however, that unfortunately changed and personally I certainly don't like (actually I kind of hate it) that Mozilla Foundation has discontinued .zip files as a major releases. Optionally see for yourself the banal reason why they did it on chase's blog: http://weblogs.mozillazine.org/chase/archives/2005/03/wondering_why_t.html, then also check the related From the 1.0.2 release on, Thunderbird will NOT be available in zip package anymore thread I've opened on "Ars Technica" forums: Ars Technica 12 x 12 pixels icon http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=99609816&m=742005342731&r=742005342731 and the other one titled Will be Thunderbird 1.0.2 available in .zip package ?? (also opened by me): http://forums.mozillazine.org/viewtopic.php?t=239047 on MozillaZine forums. Anyways, basically Firefox is much safer than Internet Explorer, because it doesn't use ActiveX controls (also called COM/DCOM components), OCXs, but in addition it even contains a popup-blocker, has powerful Java/JavaScript management etc. Here are Mozilla's main links: http://www.mozilla.org, and http://update.mozilla.org, then particularly Mozilla - Firefox's link: http://www.mozilla.org/products/firefox, and finally Mozilla - Thunderbird's link: http://www.mozilla.org/products/thunderbird, although it is true - personally I don't like (actually I kind of hate it) that Mozilla Foundation has discontinued .zip files as a major releases because of a pretty banal reason, for details please see my events page, the date of related entry/article is 23.3.2005.

And as almost the most important thing (at the time of writing this), I am using the ZoneAlarm Pro as my firewall. Check the main ZoneLabs website here: http://zonelabs.com, and also see the Release History of ZoneAlarm here: http://download.zonelabs.com/bin/free/information/zap/releaseHistory.html. For me, this is the best release/version ever released, and surely one of the last non-bloated, and "resources friendly" ones. Check the Why ZoneAlarm sucks vs. why ZoneAlarm doesn't suck ?? thread here: Ars Technica 12 x 12 pixels icon http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=99609816&m=946004849631&r=946004849631, I opened about Pros and Cons on ZoneAlarm being a personal home-user firewall solution, compare to other firewalls. It is pretty simple, ZoneAlarm firewall's Java/ActiveX protection, cookie, mobilecode, MIME, adds control, and other protection, prevents all undesired things that can happen. Note that I wrote "at the time of writing this" at the beginning of this paragraph; this is because lately I don't use any third-party firewall programs anymore. I get use to stick to Windows XP SP2's in-built one; it's simply enough for my dial-up connection and outbound filtering is just plain stupid.

My humble opinion on Ad-aware 6, Spybot S&D programs and similar spyware "cleaning" programs (with all the respect to their authors), I used both mentioned (and huh, installed previously) in the line above for occasional scanning on my previous Windows installations, and it is true they are both good and trust-worthy programs, but I actually do not use them anymore (at least I haven't installed it yet, on this Windows installation) , simply BECAUSE IN THE END, THEY DIDN'T FIND ANYTHING for almost A YEAR, except few "spyware cookies, and I can simply manually delete those. You see, I certainly got bored of scanning the machine, and nothing being discovered ever. Also I do not like all this "paranoia" that's around hijackers, spyware, scumware, crapware, or whatever paraniods want to call them. And about all those anti-spyware, not "cleaning-oriented" programs, like already mentioned Ad-aware, or Spybot S&D, but those "real-time" oriented (monitoring programs execution, and other file-access actions), like for instance Spysweeper, or SpywareGuard, that I used both and run them for some period in past - they are completely useless, at least in my case. As mentioned, I ran Spysweeper in past (cause of its real-time monitoring thing), also SpywareGuard and all, but in the end (running for more than few months), I noticed - in all that time, they didn't prevent ANYTHING AT ALL, but why?? Because Spysweeper is not needed at all, because of both, my firewall (cookies filtering) and my anti-virus (worm/trojan execution) has already in-built that kind of protection, while the other program, SpywareGuard, is also not needed, because of anti-virus protection (worm/trojan execution)


Further, not so far ago I discovered this amazing Naoko Proxomitron software-proxy application; you can download the .exe installer or .zip package here: http://www.proxomitron.info, or http://www.proxomitron.info/files/index.shtml, or http://www.geocities.com/srl_list/index.html (guess what, it's a FREEWARE "non-setup" program), as I was suggested to do on some forum. The last 4.5-j release is just something completely "revolutionary" for me from various reasons. It actually looks like more "low-level oriented" software, but it doesn't even use drivers or something, just one zlib.dll library as a part of program, of course beside those two for SSL. I can already say that Proxomitron programs in particular, and "proxy principle" in general just ROCKS. Sadly enough, the author of this amazing programs passed away this year (May, 2004), and therefore software developement is finished. Though filters (the "core" of proxy) are still updated regularly. Like in case of alternative shells, I just can't understand what I was missing all this time, it is whole new world for me. To put it into the inperspective, Naoko Proxomitron is FREE, non-setup (no installation required, all required files are in one .zip file, you just extract to somewhere, set proxy settings under: Control Panel -- Internet Options -- Connections, and yeah, all this time I thought that proxy is something you need to purchase (software, or maybe even to buy some special "proxy hardware", like in case of router), make some agreement with some domain to be connected through their IP etc. But as the most important - I thought it is only available for cable, LAN, or whatever high-speed connections (with stacionary IP), and not for analog telephone dial-up modem connections, as with my 56K Win Lucent Modem adapter, but NONE of this is true.

I don't know for you, but as a dial-up user myself, for a better security I use DNSKong program: http://www.pyrenean.com/?page_value=-1, a personal caching/filtering psuedo-DNS server application. It's about those few potentially dangerous sites that I *might* visit, and also for faster web experience (i.e. to avoid all the load of also potentially dangerous banner-ads and other similar "threats"). See the "events1.html" page (the event on 30.3.2005). Further, click on this link to read the article (it's a kind of review) that I wrote for Wikipedia regarding DNSKong program: http://en.wikipedia.org/wiki/DNSKong, then click over DNSKong's homesite and look there for a link to pre-set filters packed to file "taygas.zip"; the link is somewhere on the main-site, and also see this website for a good information and introduction into the DNSKong program: http://accs-net.com/hosts/DNSKong.html. Anyway it is quite similar to hosts-file blocking with few awesome advantages. The main principle is pretty simple - you have two basic configuraton files named.txt and pass.txt, while the named.txt file contains all the bad stuff, I think pass.txt has a self-explanatory name. There is also another file called presets.txt, and this one is the same as common hosts file, i.e. it contains the right/resolved IPs for the respective host-names. To be able to use DNSKong to resolve DNS requests, you need to have Windows "DNS Client" service disabled and set the the "Default and Alternate DNS Server" settings in Internet Options under Control Panel. DNSKong in fact offers to do this automatically in its IP Info configuration dialog (options/checkboxes to "Set DNSKong Server IP on Start" and/or "Unset DNSKong Server IP on Stop"), compare to manually setting it in Internet Options as mentioned above. Further, DNSKong's name requests serving can be conveniently started/stopped with the options in its tray menu. The Stop option prevents DNSKong from serving any name requests and releases the storage used for Named.txt and Pass.txt filter entries (however, this option does not close the DNSKong program and is useful if you want to temporarily stop using DNSKong), while applications may continue to obtain domain names from other DNS IPs configured for your network properties or through a DHCP server. It is possible to configure your system to prevent any other DNS server from being active unless it is a DNSKong proxy. If you do use hosts file already, then you might try the mentioned eDexter program and its "Auto Pac" feature. Oh and yes, DNSKong also supports filtering by the string only (only a part of full host-names), so for instance to block all the doubleclick servers, full host-names are not needed - you can enter only the word doubleclick, or to block all the servers containing the words ad or ads, you would enter them in the named.txt, and pass.txt works in the same manner.

Finally yet two more things; as first DNSKong uses an internal memory structure for the cache and filters (the presets are also stored in the same list), and the cache is cleared each time you stop and start DNSKong. As the author wrote in of his friendly responses to my questions: "think of the memory structure as a list of domain names along with the IP, Dnskong looks up the name in the list and then uses the stored value for resolution although it is a bit more complicated than that."; and as second thing, DNSKong also supports the so-called Proxy DNS feature - you can choose up to five preferred DNS servers (ISP's Name Server IPs), and DNSKong will send each proxied IP your domain requests and will use the first successful response. Also, there are two "modes" or "ways of usage" that are the most commonly used. One mode is to "block-all" the traffic (with adding .com, .net, .org etc. into the named.txt file), except for those few sites that you visit on day-to-day basis, and you've added them to pass.txt file. And another mode is to "pass-all", except for those malicious strings/host-names that you've added to the named.txt file. As the DNSKong's author wrote in an e-mail: "the program uses a fast lookup method (a data structure being a completely balanced AVL tree) along with a dynamic cache in the computer heap storage to maintain the filter data. DNSKong uses an internal memory structure for the cache and filters. The cache is cleared each time you stop and start dnskong. Think of the memory structure as a list of domain names along with the IP although it is a bit more complicated than that. Dnskong looks up the name in the list and then uses the stored value for resolution. Presets are also stored in the same list. Essentially the idea is to minimize the number of lookups needed to find an IP for a domain. The time to lookup a name is proportional to the order of log base 10 of the total number of entries in "presets.txt" and "named.txt"files combined (i.e. "O(log(N))"); basically, we can compare performance using this. Since "log(1000) = 3" and "log(1000000) = 6" we would expect lookups to take twice as long for a million entries as they do for 1000 entries. If need be, I can increase or decrease the granularity for lookups to either conserve memory or to increase the lookup speed". Oh and optionally also look for eDexter from the same author, which is used to replace the empty boxes, that occur if you use the "hosts" file to block host-names of well-known advertisement serving servers. Or a bit longer expplanation: eDexter acts as a local-only HTTP server on your computer and it is used to replace the empty boxes that occur when you use the hosts file to block ads by puttin one of its own images into the box that would have been occupied by the advertisement. This way, you will not have large, empty boxes in your browser and will instead have an image where the box used to be. For its page, check this link: http://www.pyrenean.com/?page_value=-2, and same as above - for the introduction this one: http://accs-net.com/hosts/eDexter.html, they are both security-related programs both running as a local-only HTTP servers, both are available also in the "no-setup" form.

/UPDATE: Recently I started to use the OpenDNS service: http://www.opendns.com in a cooperation with the DNSKong application that I am using for quite some time now; please see the "events-entry" on date "26.9.2006" on the "events9.html" page, and also page "diverse.html" for more information about it.


As first, please visit the Why ZoneAlarm sucks vs. why ZoneAlarm doesn't suck ??Ars Technica 12 x 12 pixels icon http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/946004849631 thread that I created on Ars OpenForum quite a while ago. Basically, it was because I've read a lot of posts (on "Ars Technica" website's forums, and on other forums), stating that ZoneAlarm sucks as a personal firewall solution, must admit, I've never seen clever/acceptable argument or explanation/reason why. The thing is that I am just through a period of testing more or less all currently popular available firewall software. And back then I ended again installing IMO the best version of ZoneAlarm Pro ever released, compare to versions above it, with bloat of useless or at least not-needed features. So it's the version:, and I tried and one version before (few crucials missing, and serious bug not fixed), and one version after (hogging "OpenProcess()" control monitoring, "My Vault" and other bloat added), and that was simply because each of the other software firewalls I've tried has one or more things that bothered me, or in worst cases, preventing me to use the program. And I did register to Sygate and Outpost forums, asked all the questions about my issues there. But still, beside many "official" issues (described in Readme.txt, in "sticky threads" on forums), there are some that are not generic, but are specific to a single user (or few users) and its hardware/software setup, like for example in Sygate's case, the errors on installation, the error after installation, when "drwatson.exe" is hogging "smc.exe" process and overall system-performance, etc., and these were the ones that made me changed my mind. Therefore I tried also other firewall programs, even if they were already almost acceptable.

Here are the short conclusions shortly describing the three other popular firewalls that I've tested so far:

1. The "Kerio" firewall, which I quite liked, but I didn't like few things on how it process the rules, and I also didn't like its GUI-style, then it requires three process to run (i.e., runs with three processes, this is my personal opinion, I don't expect any of you to agree), as a matter of knowing that all is OK, i.e., all the processes running as they should. Also I don't like the "Trialing" principle, meaning that it becomes "mutilated" (features dimmed and locked I suppose), after that trial period is over. Also with Kerio running as a firewall, I still had problems with my shell at that particular time (as with ZoneAlarm,so it is possible, now I wouldn't have them anymore), for details see My shell's uncommonly high CPU usageArs Technica 12 x 12 pixels icon http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=99609816&m=322003488631 thread. Well, to be more precise, it was a problem with BBSystemBar, a particular plugin of Blackbox, as I discovered later.

2. The "Sygate" firewall, which I also liked since runs with only one process, etc., but it was running at 20 % of CPU all the f**king time, when I wasconnected to internet (4-8 % when not connected), therefor slowing process creation/closing, windows opening/closing, and general performance and stability. Also there sould be an option to set a refresh time for the traffic-graph on GUI. And a major problem is that since I do not run Explorer.exe as my default OS-shell, the option to exit firewall from tray (or from GUI) is greyed-out. Sure, it is a protection "feature", but if you intentionally do not run Explorer, it is annoying, since you can't exit it. Btw., the Sygate service also cannot be stopped (a security-feature also), and there are other issues also, related to specific configuration options. In FREE version, it has disabled options from PRO version by default. I guess unlock key unlocks them.

3. The "Outpost" firewall that was the best for my taste/needs from all listed. Runs with only one process, has nice rule-presets, and overall rule-processing is thought-through. And the best thing is: you download small FREE version package, which is only 2.7 MB in lenght, no need to download huge PRO package with most its features disabled as in Sygate's case, or wait till the trial is over like in Kerio's case. The only thing whatsover I didn't like is that each plugin firewall uses is a kernel-mode driver itself. So the program installs at least 5 or 6 kernel drivers, even if you don't plan to use them. But as I said, the overall feeling about Outpost was good, so maybe I will actually use it in future.

For download-size comparision of installation packages (and few other things), see my post in the Software firewall solutionArs Technica 12 x 12 pixels icon http://episteme.arstechnica.com/eve/ubb.x/a/tpc/f/99609816/m/360000939631 thread.

And finally there is "ZoneAlarm" firewall, which I've btw., used most of the time in the past, I can say that it is light on resources (main filtering process "vsmon.exe", running at 0-1 % of CPU average), the best-rated on all the "leak" tests sites, it's popular (therefor potential "bugs" discovered soon, and program itself maintained/updated regularly), and also it runs just as I want it to run - one process being GUI, and the other being filtering/protection service. And well, I've never experienced any serious problems with it. Except occassional database-corruption, but you solve that simply by deleting files in "%SYSTEMROOT%\Internet Logs\" directory and rebooting. And I just love the feature, when vsmon exits (for whatever reason), ZoneAlarm block all the access to internet for a certain period of time, or till next reboot. I think we can all agree (those who had tried at least two of those listed above), all these firewalls work on a pretty same principle. And ZoneAlarm PRO is not missing any of the crucial features.


As far as anti-virus software, rather see the Pros and Cons of anti-virus software thread: Ars Technica 12 x 12 pixels icon http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/936004638631 on "Ars Technica" website's forums, while for other related threads, see here: /script/collection.html, although the link might be outdated so rather take a look at "OPEN or GET" drop-down menu on "diverse.html" page. Here below is a bit modified post from one of such threads that I created (I did that ony more than one forum), but important thing is that it contains all the important facts/stuff. Note that somewhere in between I changed various my articles to be obviously visible as forum-posts (i.e. with the use of "<blockquote>" element), however, later I decided to revert them back as they originally were.

While any of the three well-known and trusted anti-virus programs, beginning with the letter "A": AntiVir, Avast! or AVG, however, for my needs and computing principles, the AntiVir is far best from these three. It's a FREEWARE and more and more popular and trusted anti-virus programs from H+BEDV company, located somewhere in Germany, Europe; to download the installation package and to get more information, you may check this website here (the main/official program's site): http://www.free-av.com, which turned in the end to be the best for my personal needs. My story with anti-virus programs goes like this. First I used EZ eTrust a SHAREWARE anti-virus programs from Computer Associates for quite some time, but later I discovered that this particular version of EZ eTrust anti-virus program, and probably its driver-level protection was causing an annoying FILE_SYSTEM BSOD on every shutdown/reboot/logon/logoff (see paragraph below for details). Of course, I first blamed other software and it has driven me to countless installations/un-installations, modifications, tests, reboots, etc., before I realised it was EZ eTrust's fault. So I first switched to FREEWARE version of AVG 6, but it was just at the time of upgrading the programs to version 7, and then I somehow didn't like this new AVG 7 version's interface. Therefore I switched once more and started using a Personal Edition of AntiVir program.

Now I just couldn't live without its three crucial features listed below (again, at least crucial for me personally):

1. The "Filters" feature, which enables you to exclude up-to 12 processes from real-time scanning/protection. I think that this one doesn't require further explanation on why it is useful.

2. The "Write / Read only", i.e. an option for its real-time scanning that enables you to monitor only file-write or only file-read file-system operations (of course; or both)

3. The "Activate/Deactivate" feature through the system-tray icon; compare to for instance first invogking the GUI and then un-checking all the real-time scanning options in AVG. Generally I disable the real-time protection when I am offline (quite often as a dial-up user), before defragmenting hard-disk, before software installations, driver-updates and all the similar "low-level" procedures.

4. The "Scheduler" feature, another awesome AntiVir's feature that is not only an "internal one" (updating its virus-definitions), but it actually works as a "full Windows scheduler", i.e. it's capable to execute arbitrary programs.

In regard to which programs to exclude from the on-access/real-time protection (i.e. to exclude them from an on-access scanner driver's filtering of the file-system operations); I exclude processes from those programs, for which I know that under normal circumstances are not "affected" by viruses; for instance DNSKong programs (a caching, filtering and blocking "local-only" DNS server, for details see the pages "software.html" and "security.html"), Folding@Home programs related processes, AntiVir's updating-feature related process are few programs/processes of this "type". And further, programs for which the above is true (i.e. they're not "affected" by viruses), and additionaly for which I know that they write to files a lot (so to put some stress of the AntiVir's kernel-mode filtering driver); for instance again the DNSKong program, which constantly writes to its "dnskong.log.txt" log-file and to its "presets.txt" config file (IPs resolved to host-names), then similarly Folding@Home "core" processes etc.

Here is a complete list from my "Avwin.ini" file (I splitted it because of the width so that it wouldn't ruin the page's outlook):



While for my p2p application Soulseek ("slsk.exe" process) with which I only download very huge multimedia files, i.e. .mp3s, .avis and .mpgs, then for WackGet programs ("WGET.EXE", it's a WackGet's sub-process, beside the main WackGet.exe one), with which I download only setup files from known programs (my favorite ones) and occasionally .pdfs, and for other programs too; I could simply scan those files with an on-demand scanner (I wrote "could" because I don't), and also I am not as paraniod as I was, and that is of a great significance here.

So now I use it for more than half a year, and I have no complaints at all. Infact I've never got any BSOD since running it and there were various "stressful" situations where I might have expected it. While its VDF files (virus definitions/signature patterns) are updated on almost daily-basis and the best thing is that other programs files (like scan-engine library, shell-extension libraries and main-program files) are also updated/patched by this online procedure, so you don't need to download full package too often. AntiVir is simply the best anti-virus programs for my personal needs. If anyone is interested; I wrote more "extended" review about AntiVir titled "AntiVir PE Review" for the CastleCops website (a shorter one): CastleCops 12 x 12 pixels icon http://castlecops.com/reviews-241.html, and the second one for The Geek Culture forums titled "Review: H+BEDV AntiVir program" (a longer one): http://www.geekculture.com/cgi-bin/ultimatebb/ultimatebb.cgi?ubb=get_topic&f=8&t=000635.


This second part was just predicated as "/UPDATE:" (a part of the above one) for a long time, but later I realised that it's so long that I rather made a separate section/article out of it. Anyway, as I wrote in the Top Antiviirus Start Of 2006 thread: Ars Technica 12 x 12 pixels icon http://episteme.arstechnica.com/groupee/forums/a/tpc/f/99609816/m/614003567731 on Ars Technica where I linked the A note on why I don't use AntiVir anymore thread: CastleCops 12 x 12 pixels icon http://castlecops.com/t146389-A_note_on_why_I_dont_use_AntiVir_anymore.html thread that I've opened on CastleCops forums, I started using an Avast anti-virus program instead of AntiVir one. However, I can already say that it's definitely MUCH more resources unfriendly (of course, this applies only to "On-Access Protection") than AntiVir that I've used before for quite some time. For example opening my most used files like various .doc and .html documents (even .txt ones), takes-up up to two seconds more than previously with AntiVir running as a resident anti-virus software. It's of course the same when launcing .exes, and there are many other similar cases; for example opening a "Process Properties" sub-window in Sysinternals Process Explorer causes various Windows system files to be checked by the Avast's main service "ashServ.exe" process (I assume this is its "Standard Shield" provider's fault), while additionally, I also noticed that Avast is also MUCH more unfriendly to the hard-disk, i.e. again, compare to AntiVir program it writes and reads stuff into/from various files, namely into/from its own configuration and various database files, as well as Windows system files.

Secondly, I also later discovered that it causes that "svchost.exe" process (the one hosting RPC service) writes constantly *smething" into the files (namely "OBJECTS.DATA", "OBJECTS.MAP", "INDEX.MAP", "INDEX.BTR", "MAPPING2.MAP" etc.) located under the "D:\WINDOWS\system32\wbem\Repository\FS" directory. I clearly see all this hard-disk related stuff with the Filemon program from Sysinternals; also see these two posts (i.e. the link points directly to the post); one in the Best NON-OBTRUSIVE antivirus software. thread: Ars Technica 12 x 12 pixels icon http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/720006558731/r/942005858731#942005858731, and the other in best antivirus for XP? thread: Ars Technica 12 x 12 pixels icon http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/698009867731/r/881009377731#881009377731 both on "Ars Technica" forum. And also, as I wrote in the Avast and excluding processes/paths thread: http://forum.avast.com/index.php?topic=19808.0 on Avast's official forum, I am also thinking about something for a long time. The thing is that I've started using the free variant of Avast anti-virus program instead of also free AntiVir PE; however, AntiVir had a feature that was crucial to me, i.e. an "Exclude processes" option (called "Filters"), which is used in a way that you exclude and so any files that this program read from/writes into are not scanned by real-time/on-access protection engine. You see, that way I was able to exclude a Buzzsaw program that I use to "on-the-fly" defragment my D:\ partition, excluding a set of paths doesn't help in this case, since this program monitors/defragments the whole D:\ partition, and so it's almost imposible to predict which separate paths to exclude under Standard Shield's settings; and even if I would, then those directories would be vunerable to viruses. So my "mission" is to achive at least similar results with Avast; of course, if it is possible at all.

But why switching in the first place?? As mentioned, I previously used SHAREWARE Computer Associates EZ eTrust anti-virus, see this website here: http://www.my-etrust.com, the one that suited me the best for a long time. It basically offers scanning with "on-access", or also called "real-time" protection (opening, closing, even only browsing through directory, which contains a worm), and includes also normal scanning, called also "on-demand" scanning, i.e. scanning of drives, like Ad-aware or Spybot S & D, not real-time kind, it includes boot-sector scanning, heuristic scanning etc. It was all because I found-out that this particular version of EZ eTrust anti-virus (that has driven me to so many modifications, tests, reboots etc.) was causing that damn FILE_SYSTEM BSOD, on every shutdown/reboot (and usually not when logging-off, but sometimes also...), after the "Saving your settings", and also few seconds after the "Windows is shuting down" popup window appears at least on my computer, which is set to "classical logon". First I thought it is hard-disk, IDE or some other device causing the error. And I especially speculated at that time, it is probably a hard-disk related problem causing it in the end, particularly the bad clusters on my D:\ partition. Then I also thought, it is some software conflicting or interfering with it, and I actually "blamed" (and un-installed) so many other "low-level" applications that were using/installing drivers, and similar (apparently non-problematic in the end), but as mentioned, I was wrong. It didn't stop appearing. But then, after I un-installed Computer Associates EZ eTrust anti-virus, it stopped appearing imediately, and I haven't seen them ever more since then.after un-installing it. But it was a really big mistery anyway all that time. Though it is true, CA EZ eTrust anti-virus, I was using for the past few years, is pretty strong anti-virus software. It's actually enough to browse through some directory that contains a virus, trojan or worm, and it catches it (alerts me, cause I've always set it to deny access, and not to clean/desifect, or delete it automatically), so you see, no need for actual execution of that particular malicious file. And in the end, I must mention that I am actually seriously considering not to use any anti-virus software at all, since "great" developement of my knowledge. It is because, I haven't got any virus, trojan or worm (except those, I saved from e-mail attachments to encrypted directory for "personal archive"), or whatever malware thing in all the time using my computer. And seriously, who would want and dare to attack me a dial-up home user?

NAVIGATE:  previous --> security1.html

Copyright © Tadej Persic. Some Rights Reserved.

Disclaimer: The opinions expressed on my website and in my files are mine, or belong to other individuals/entities where so specified. Each product or service is a trademark of their respective company. All the registered copyrights and trademarks ( and ) referred in this site retain the property of their respective owners. All information is provided as opinions only. Please, also see the more complete version of it on "disclaimer.html" and "policy.html" pages.

All the pages on this website are labeled with the ICRA label.  ICRA label
The website is maintained solely by its author and is best viewed with a standards-compliant browser.

The Internet Traffic Report monitors the flow of data around the world. It then displays a value between zero and 100. Higher values indicate faster and more reliable connections.