Firewalls That Fight
While the line between antivirus and antispyware protection has blurred recently, software firewalls are still distinct animals, monitoring inbound and outbound network traffic and flagging suspicious behavior. The firewalls of the ten suites we tried all let you set some sort of general security level, whitelist and blacklist individual applications, and enable specific ports and network protocols.
Great firewalls can differentiate between good and bad traffic, alert you to serious trouble, and provide enough detail about detected activity for you to make an educated decision about whether to allow it. Subpar firewalls pipe up so frequently with undecipherable information that you may end up blocking traffic you need--or worse, turning the firewall off.
We tested the suites' firewalls for their ability at default settings to block attacks from outside sources, as well as from malware apps already on the PC. The CA, Microsoft, Symantec, and Zone Labs products each scored 100 percent in our inside-attack tests: Malware was unable to deactivate the firewall in memory, delete it from the hard drive, or steal the rights of legitimate programs (some malware, for example, will be dressed up to look like Internet Explorer and will try to grab all the rights that you have granted IE). And back-door applications placed on our test computers both before and after we installed each of these four suites weren't able to access the Internet.
At its default settings Aluria's firewall failed all of our inside-attack tests, but at its high setting it passed both the stolen-application-rights test and the back-door test. Aluria says that the suite's default security level, which leaves open network ports 80 and 443, is purposely set to minimize the number of initial firewall alerts a user will receive. "We want our customers to be able to configure the product the way they want to," says Jack Dunston, product manager for Aluria Software.
We also tested the firewalls to see whether they could spot malware attempting to smuggle data out of the PC. Zone Labs' firewall was again 100 percent successful, passing all 17 leak tests, with Microsoft's in second place, passing 7 tests. The other products earned very low scores, and Panda's passed none of the leak tests. Keep in mind that AV-Test.org runs standardized leak-test utilities available to security vendors. Zone Labs, for one, builds its products to pass all leak tests; Panda, on the other hand, says that it doesn't optimize its software for leak tests, instead relying on its TruPrevent behavior-based technology to decide whether a piece of code is malicious.
In our tests to evaluate the products' response to outside attacks, the packages from CA, F-Secure, McAfee, Panda, Symantec, and Zone Labs received scores of 100 percent. These suites blocked all standard and stealth port scans. They halted Internet traffic trying to enter the PC through ports opened for SMB-based file sharing, which suggests that they can differentiate between good and bad traffic on your home network. They also did not reveal data about our test PCs' operating systems. Once again, however, Aluria's firewall failed two of the four tests at default settings, though it would have scored 100 percent at its high setting. Both Trend Micro's and BitDefender's firewalls did not block open SMB shares--and neither did the Microsoft firewall, which also rendered the OS guessable to port sniffers.