Proventia Desktop firewall stymies malware
Newest version of host-based firewall proves capable with well-equipped feature set
By default, anti-virus and anti-spyware signatures are checked and updated every hour. Updates come from update servers on the local network or, if those are unavailable, from ISS's Internet-hosted update servers.
Mixed feelings about buffer overflow protection
Proventia Desktop's Buffer Overflow Exploit Protection feature is turned off by default, which I found unfortunate. Even when enabled, it initially protects only a limited set of common applications: AOL Instant Messenger and Yahoo Messenger; VPN clients; Netscape; and Microsoft Office, Internet Explorer, Exchange, ISA Server, and SQL Server. Thankfully, you can add applications by folder path or file name, or exclude others by file name.
The feature does exactly what its name says: exploit protection, not buffer overflow protection. Proventia Desktop does not try to stop a buffer overflow from occurring; it leaves that to Windows Data Execution Prevention (DEP) and CPUs with no-execute (NX) page protection. Instead, it intercepts potentially malicious system calls and checks where they originate: a call whose return address points into the stack or heap, rather than into the code of a loaded executable or DLL, is what a successful overflow produces, and that call is blocked.
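The origin check described above, written out as an added example for this review (it is not ISS code and does not reproduce Proventia's implementation): a sensitive operation is allowed only when its immediate caller's return address lies in executable memory backed by an image file on disk, and refused when it points into the stack, the heap, or any anonymous mapping. The classification reads `/proc/self/maps`, so the example assumes Linux; on Windows the equivalent is walking the loaded-module list and checking the page protection. The function and variable names are this example's own.

```c
/* Added example, not ISS code: classify the origin of a "system call"
 * the way a host exploit-protection layer does. Linux-only (assumption):
 * memory regions are read from /proc/self/maps. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if addr lies in an executable mapping backed by a file on disk
 * (the program image or a loaded shared object), else 0. Fails closed when
 * the mapping table cannot be read. */
int call_site_is_image_backed(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return 0;

    unsigned long target = (unsigned long)addr;
    char line[512];
    int verdict = 0;

    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[5] = {0};
        char path[256] = {0};
        /* Format: "lo-hi perms offset dev inode [path]"; the path field is
         * absent for anonymous mappings and bracketed for [stack]/[heap]. */
        int n = sscanf(line, "%lx-%lx %4s %*x %*s %*s %255s",
                       &lo, &hi, perms, path);
        if (n < 3 || target < lo || target >= hi)
            continue;
        /* Must be executable AND backed by a real file: "[stack]", "[heap]",
         * "[vdso]" and unnamed anonymous regions are all rejected. */
        verdict = (strchr(perms, 'x') != NULL) && n == 4 && path[0] == '/';
        break;
    }
    fclose(maps);
    return verdict;
}

/* Stand-in for a monitored system call. Returns 1 if the immediate caller's
 * return address is in image-backed code, 0 if the call was blocked. */
__attribute__((noinline))
int guarded_operation(void)
{
    const void *ret = __builtin_return_address(0);
    if (!call_site_is_image_backed(ret)) {
        fprintf(stderr, "blocked: call originates from %p (not image code)\n", ret);
        return 0;
    }
    return 1;
}

/* Where would a return address forged by an overflow point? Each helper
 * classifies one kind of origin and returns the gate's verdict. */
int image_origin_allowed(void)
{
    /* a real function's address sits inside the mapped executable image */
    return call_site_is_image_backed((const void *)&guarded_operation);
}

int stack_origin_allowed(void)
{
    char fake_shellcode[64];                 /* lives on this thread's stack */
    return call_site_is_image_backed((const void *)fake_shellcode);
}

int heap_origin_allowed(void)
{
    char *buf = malloc(64);                  /* lives on the heap */
    int r = buf ? call_site_is_image_backed(buf) : 0;
    free(buf);
    return r;
}

int main(void)
{
    printf("image origin allowed: %d\n", image_origin_allowed());  /* 1 */
    printf("stack origin allowed: %d\n", stack_origin_allowed());  /* 0 */
    printf("heap origin allowed:  %d\n", heap_origin_allowed());   /* 0 */
    printf("normal call allowed:  %d\n", guarded_operation());     /* 1 */
    return 0;
}
```

The same rule that catches an overflow's stack-resident payload also flags legitimate code that runs from anonymous memory, such as a JIT compiler or a self-unpacking executable, which is why a product built this way needs the per-application include and exclude lists described above.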
Proventia's limited buffer overflow protection is questionable in my book because it allows the overflow itself to occur and it doesn't cover all applications. But it did successfully stop many of the most widespread buffer overflow exploits from doing further damage, including Blaster and Slammer. I wouldn't buy Proventia Desktop for the buffer overflow
Logging is slightly above average. Events are listed by intrusion name or intruder IP address and are color coded by criticality; admins can customize both the criticality levels and the colors. Any event can be right-clicked to block or allow future traffic from the originating host (see Figure 2 at right).
Remote host IP addresses involved in an event can be resolved to their DNS or NetBIOS host names with a feature ISS calls Back Tracing. All connection information and packet data can be logged to a file, a great feature that many host-based firewalls lack. Management Console reporting can be integrated with ISS's SiteProtector, a central management and reporting console.
A capable firewall
I put Proventia Desktop through its paces in a small test lab and also out on the road, connecting my laptop to several public networks over a period of two weeks. It performed well: All attack types and unknown probes were logged as expected. Proventia Desktop also stopped most of the worms and viruses I tested, but a few new rootkits and programs packed with uncommon packers went unrecognized (other popular anti-virus programs missed them as well). I was pleasantly surprised by the minimal performance hit.
Overall, ISS offers a capable host-based firewall with some additional functionality not included in other stand-alone firewall products. I especially liked its simple, clean interface. Make sure that you understand what Proventia Desktop can and can't do, especially concerning the default outbound exceptions and its buffer overflow exploit protection limitations.