By Seán Boran
This article is part of a series of tests on Personal Firewalls / Intrusion Detection Systems. Refer to [1] for an introduction to Personal Firewalls, risks, tips on 'hardening' your Windows even without a firewall, a feature comparison and a summary of analyses.
This report focuses on VirusMD.
Key criteria in choosing a Personal Firewall are:
How did we test firewall/intrusion detection effectiveness?
a) Ping and accessing shares to and from the test host.
b) A powerful, well-known 'remote control' trojan (Netbus Pro v2.1) [3] was installed on the system on a non-standard port (to make detection more difficult), the Netbus server was started, and attempts were made to connect from a remote system.
c) The telnet server was enabled on the Win2k test PC, and we then attempted to connect to this service remotely. Enabling telnet is not recommended; we do this purely for testing purposes.
d) An nmap [2] scan was run against each product (see below), to check that incoming ports were effectively blocked. With no firewall installed, the test PC (Win2k SP1) presented nmap (nmap -sT -P0 -O IP_ADDR) with the following ports:
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
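The comparison behind test (d) can be scripted. The following is an added example, not part of the original article: it parses nmap-style port listings and reports which baseline ports a firewall left open, which it blocked, and any listener that was not in the baseline (such as a service placed on a non-standard port). BASELINE is the listing above; AFTER and port 40000 are constructed sample data, and the function names are this example's own.

```python
import re

# One result row of an nmap listing: "<port>/<proto> <state> <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)

# Baseline from the article: Win2k SP1 with no firewall installed.
BASELINE = """Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
"""

# Constructed sample of a rescan with a firewall active (not from the article).
AFTER = """23/tcp filtered telnet
135/tcp open loc-srv
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
40000/tcp open unknown
"""

def open_ports(listing):
    """Return {(port, proto): service} for rows whose state is exactly 'open'."""
    return {(int(port), proto): service
            for port, proto, state, service in PORT_LINE.findall(listing)
            if state == "open"}

def compare(baseline, after):
    """Classify ports by comparing the unprotected scan with the protected one."""
    before, now = open_ports(baseline), open_ports(after)
    return {
        "still_open": sorted(before.keys() & now.keys()),  # firewall did not block
        "blocked": sorted(before.keys() - now.keys()),     # no longer reachable
        "new_open": sorted(now.keys() - before.keys()),    # unexpected listener
    }

if __name__ == "__main__":
    for verdict, ports in compare(BASELINE, AFTER).items():
        print(verdict, ports)
```

Ports that are absent from the second listing count as blocked, since nmap lists only the ports it found in a notable state.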
VirusMD Firewall [4] v1.1 tested on Win2k SP1.
Cost is not listed on the website, but it is available for download.
None of our tests were blocked or logged.
Perhaps useful to the advanced user who just wants to protect a small number of ports.
Difficult to recommend.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, Seán Boran, All Rights Reserved. Last Update: 10 October, 2001