Proventia Desktop firewall stymies malware
Newest version of host-based firewall proves capable with well-equipped feature set
Unfortunately, over 180 default exceptions are automatically allowed out even when Application Control is enabled. These include many programs that communicate out over network services, default Windows applications (such as explorer.exe and rdpclip.exe), and various antivirus vendor files.
Direct network connections to these excepted applications can be blocked, but if another process communicates on the network by using an API hook or call into one of them, the traffic goes out through the excepted application regardless of the Application Control setting. Malware can use this to bypass the firewall. (Users can examine the default exceptions, which are stored as a comma-delimited file in the Proventia home directory.) It would be nice if ISS listed the default exceptions in the GUI and also allowed them to be easily removed.
Seek and destroy
One of ISS' long-time strengths is intrusion detection and prevention. Proventia Desktop includes a ton of intrusion prevention signatures, including Ping sweep, NetBIOS share enumeration sweep, and TCP probe. Custom IDS signatures can be added through ISS' OpenSignature functionality. Exceptions to the intrusion detection list can also be defined, both for the local computer and for other IP addresses, specifying which events to ignore and which IP addresses to trust. This comes in handy for known legitimate computers that cause false positives.
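Detection logic of the ping-sweep kind, with the two exception types just described (trusted source addresses and ignored event types), as an added example that is not Proventia code or output: the log line format, the addresses, the window and the threshold are all constructed for illustration.

```python
"""Sliding-window ping-sweep detector with trusted-address and ignored-event
exceptions.  Added example, not ISS code; the log lines and their format are
constructed for illustration."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample log: "<epoch seconds> <event> <src> -> <dst>"
SAMPLE_LOG = [
    # 10.0.0.50 touches six hosts in six seconds: a ping sweep
    "1000 ICMP_ECHO_REQUEST 10.0.0.50 -> 10.0.0.1",
    "1001 ICMP_ECHO_REQUEST 10.0.0.50 -> 10.0.0.2",
    "1002 ICMP_ECHO_REQUEST 10.0.0.50 -> 10.0.0.3",
    "1003 ICMP_ECHO_REQUEST 10.0.0.50 -> 10.0.0.4",
    "1004 ICMP_ECHO_REQUEST 10.0.0.50 -> 10.0.0.5",
    "1005 ICMP_ECHO_REQUEST 10.0.0.50 -> 10.0.0.6",
    # 10.0.0.10, the monitoring server, does exactly the same thing
    "1000 ICMP_ECHO_REQUEST 10.0.0.10 -> 10.0.0.1",
    "1001 ICMP_ECHO_REQUEST 10.0.0.10 -> 10.0.0.2",
    "1002 ICMP_ECHO_REQUEST 10.0.0.10 -> 10.0.0.3",
    "1003 ICMP_ECHO_REQUEST 10.0.0.10 -> 10.0.0.4",
    "1004 ICMP_ECHO_REQUEST 10.0.0.10 -> 10.0.0.5",
    "1005 ICMP_ECHO_REQUEST 10.0.0.10 -> 10.0.0.6",
    # 10.0.0.77 pings one host repeatedly: noisy, but not a sweep
    "1000 ICMP_ECHO_REQUEST 10.0.0.77 -> 10.0.0.1",
    "1001 ICMP_ECHO_REQUEST 10.0.0.77 -> 10.0.0.1",
    "1002 ICMP_ECHO_REQUEST 10.0.0.77 -> 10.0.0.1",
    # 10.0.0.88 reaches six hosts, but 30 s apart: a slow sweep
    "1000 ICMP_ECHO_REQUEST 10.0.0.88 -> 10.0.0.1",
    "1030 ICMP_ECHO_REQUEST 10.0.0.88 -> 10.0.0.2",
    "1060 ICMP_ECHO_REQUEST 10.0.0.88 -> 10.0.0.3",
    "1090 ICMP_ECHO_REQUEST 10.0.0.88 -> 10.0.0.4",
    "1120 ICMP_ECHO_REQUEST 10.0.0.88 -> 10.0.0.5",
    "1150 ICMP_ECHO_REQUEST 10.0.0.88 -> 10.0.0.6",
    # an unrelated event type, which this signature does not look at
    "1003 TCP_SYN 10.0.0.50 -> 10.0.0.9",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, event, src, dst)."""
    ts, event, src, _arrow, dst = line.split()
    return int(ts), event, src, dst


def detect_ping_sweeps(lines, threshold=5, window=10, trusted=(), ignored_events=()):
    """Return PING_SWEEP alerts as (timestamp, source, distinct targets).

    A source that reaches `threshold` distinct destinations within `window`
    seconds fires one alert and re-arms only after dropping below the
    threshold again.  Sources inside any `trusted` network are never
    reported, and listing "PING_SWEEP" in `ignored_events` disables the
    signature entirely.
    """
    if "PING_SWEEP" in ignored_events:
        return []
    trusted_nets = [ip_network(t, strict=False) for t in trusted]
    recent = defaultdict(deque)     # src -> deque of (ts, dst) inside the window
    alerted = set()                 # sources whose alert has not yet re-armed
    alerts = []
    # Sorting by timestamp makes the sliding window correct even when the
    # sample interleaves several sources out of order.
    for ts, event, src, dst in sorted(parse_line(l) for l in lines):
        if event != "ICMP_ECHO_REQUEST":
            continue
        if any(ip_address(src) in net for net in trusted_nets):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()             # expire entries older than the window
        targets = {d for _, d in q}
        if len(targets) >= threshold:
            if src not in alerted:
                alerts.append((ts, src, len(targets)))
                alerted.add(src)
        else:
            alerted.discard(src)
    return alerts
```

Running it over the sample with the monitoring server trusted yields a single alert for 10.0.0.50; without the trust entry the monitoring server is reported too, which is the false positive the exception list exists to remove. The slow sweep from 10.0.0.88 only shows up when the window is widened, which is the usual trade-off between catching patient scanners and tolerating bursty but legitimate traffic.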
Proventia Desktop integrates BitDefender anti-virus and anti-spyware features, and scanning is performed on access or on demand. Rather than relying only on conventional signature-based analysis, Proventia complements it with behavioral inspection of executables, running suspicious code in a limited virtual environment.
By default, scanning is enabled only when files are being written to disk; ISS calls this Behavioral Virus Prevention. Proventia Desktop can also scan e-mail (Outlook, POP, SMTP, and IMAP clients) along with attachments in archives and self-extracting (packed) files, IE plug-in installs, and Microsoft Office documents when they are opened.
Although you cannot define which types of archive or packed files are scanned, you can define how "deep" the scanner looks: the number of files and the number of bytes per archive it examines, the amount of time to spend scanning each archive, and how many nesting levels it descends.
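The four scanner limits just described, as an added example that is not ISS code: a recursive archive scanner that stops on whichever of the member-count, byte, time or depth budgets runs out and reports which one. The MARKER string stands in for a real signature, the limit values are illustrative, and the nested archives are constructed in memory with the standard zipfile module.

```python
"""Recursive archive scanner bounded by member count, bytes examined,
wall-clock time and nesting depth.  Added example, not ISS code; MARKER is a
constructed stand-in for a signature and the limits are illustrative."""
import io
import time
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

MARKER = b"CONSTRUCTED-TEST-MALWARE-MARKER"   # stands in for a real signature


@dataclass
class Limits:
    max_depth: int = 3                  # archives-within-archives to open
    max_files: int = 100                # members examined per scan
    max_bytes: int = 10 * 1024 * 1024   # bytes examined per scan
    max_seconds: float = 2.0            # wall-clock budget per scan


@dataclass
class Result:
    scanned: int = 0
    bytes_seen: int = 0
    detections: List[str] = field(default_factory=list)
    limit_hit: Optional[str] = None     # "files", "bytes", "time" or "depth"


def _scan(data, name, depth, limits, result, deadline):
    if result.limit_hit is not None:
        return
    if time.monotonic() >= deadline:
        result.limit_hit = "time"
        return
    if result.scanned >= limits.max_files:
        result.limit_hit = "files"
        return
    result.scanned += 1
    result.bytes_seen += len(data)
    if result.bytes_seen > limits.max_bytes:
        result.limit_hit = "bytes"
        return
    if MARKER in data:
        result.detections.append(name)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return                          # ordinary file: nothing to descend into
    if depth >= limits.max_depth:
        result.limit_hit = "depth"      # an archive we are not allowed to open
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            budget = limits.max_bytes - result.bytes_seen
            # The declared size is a cheap first gate, but it comes from the
            # archive and can lie, so the inflate itself is capped as well.
            if info.file_size > budget:
                result.limit_hit = "bytes"
                return
            with zf.open(info) as member:
                content = member.read(budget + 1)
            if len(content) > budget:
                result.limit_hit = "bytes"
                return
            _scan(content, f"{name}/{info.filename}", depth + 1,
                  limits, result, deadline)
            if result.limit_hit is not None:
                return


def scan_archive(data, name="sample.zip", limits=None):
    """Scan one top-level blob and return the Result."""
    limits = limits or Limits()
    result = Result()
    _scan(data, name, 0, limits, result, time.monotonic() + limits.max_seconds)
    return result


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def nested_sample(levels):
    """payload.exe carrying MARKER, wrapped in `levels` nested zip archives."""
    data = make_zip({"payload.exe": b"MZ" + MARKER})
    for _ in range(levels - 1):
        data = make_zip({"inner.zip": data})
    return data
```

With the default depth of 3, the payload is found three archives down but not four; a scan that ends with limit_hit set has not cleared the file, and a production scanner should give that its own reaction (Prompt or Report, for instance) rather than treating it as clean. Capping the inflate at the remaining byte budget matters because the member size recorded in a zip header is attacker-controlled.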
When malware is detected, the system takes one of five actions (correctly called reactions in Proventia Desktop): Clean, Prompt, Delete, Quarantine, or Report. I especially like that different reactions can be defined for the various entry points.