A recent BlackICE purchaser was understandably concerned over my negative evaluation and recent experiences with BlackICE Defender. So he wrote to BlackICE Technical Support about his concerns and reportedly received the following reply:
Dear Customer, BlackICE Defender is not just a firewall. Its primary function is that of an intrusion detection system. BlackICE Defender is, in reality, a "hybrid" between intrusion detection and firewall protection. As such, it uses several entirely different methods to secure your system than the methods used by other "firewall only" products. The underlying technology of any "firewall only" product is the same. No matter which product you are using, the method used to protect the system is identical: block the traffic at the port level. BlackICE Defender combines firewall technology with intrusion detection technology. This means that BlackICE uses more than one method to protect your system. BlackICE monitors/inspects the actual traffic, as well as employing port blocking, in order to detect malicious traffic and provide more complete security for your system.
BlackICE does not currently prevent outgoing connections or traffic except in cases where these connections are caused by unsolicited incoming traffic, or are otherwise deemed "dangerous/suspicious" traffic by the BlackICE program. When the user (you) initiates an Internet connection, BlackICE assumes that you are aware of the exchange of information, and approve of it. In most cases, this assumption is correct (when you ask for information from a particular website for example).
The leaktest is a specific program designed to test the "User-Initiated Outbound Blocking" feature of certain personal firewalls. It is not a generic hacker test, nor is it a test of your computer's security. In fact, leaktest does not do anything malicious. If it was a hacker program, we would add it to the list of detected Trojans, just like we detect Back Orifice and SubSeven.
Because the user initiates the connection with the GRC site, BlackICE will not prevent information from being exchanged between your system and GRC, any more than it would prevent information exchanges between your system and any other website. (To do so would drastically interfere with your ability to "surf" the Internet freely.) What happens is this:
1) You contact the GRC site and ask it to perform the "leaktest".
2) The site asks you for certain information. This is the same information that any other website asks for when you ask it for information (when you do a search on Yahoo, when you download something from a friend's website, when you ask for a price from a travel site, etc.).
3) Your system sends the information it was asked for. (This information is rather like confirming your "return address". It is needed to allow the exchange to proceed smoothly.)
Under normal circumstances, you would then receive the information you asked for, and think nothing further about what just happened. With leaktest however, what you receive is this "dire warning" about how your system has been "compromised", when it was really just doing what it was designed to do!
Firewalls with outbound blocking only protect against Trojan horse programs, and then they only work if the user knows enough to recognize the program as a dangerous program. Standard personal firewalls without intrusion detection cannot stop hundreds of other hacker attacks that do not use Trojan horses.
BlackICE looks at the actual incoming TRAFFIC (not just the name of the program) to determine whether that traffic is dangerous/suspicious.
BlackICE monitors incoming and outgoing traffic on your system, and analyzes that traffic looking for anything malicious that could compromise your system. This is the primary task of an Intrusion Detection System, and is something that simple firewalls cannot provide.
We have been considering adding "User-Initiated Outbound Blocking" (which is what leaktest is meant to check for) to BlackICE for some time. However, no date has been set for this addition. Part of the problem is that we want to be able to give our customers as much information about the outgoing transmission as possible (to keep novice users from having to "guess" about what to allow and what to block). This requires creating a user interface that is somewhat more sophisticated than the simple interface that most firewalls provide for this feature.
You should know that the "threat" that the leaktest program supposedly exposes can be GREATLY reduced by using "safe computing practices". These include not running any program sent to you by an unknown or unfamiliar source; not running programs sent to you by friends and acquaintances that you did not specifically request; exercising caution when downloading shareware or freeware programs, particularly from "catch-all" or "warez" sites; using passwords on all shared resources; and installing and regularly updating a good virus-protection program. Most (if not all) of these programs gain access to a system by "conning" the USER into downloading them onto the system. Informing and educating yourself about these programs is still the first (and best) line of defence.
The "Shields Up" test that is available on the same GRC website is a much more comprehensive test of your system's security. Other excellent scan sites are http://www.dslreports.com/ and http://www.hackerwhacker.com:4000/startdemo.dyn?answer=firewall. Please let us know if you have further questions.
Regards,
Trish M.
BlackICE Technical Support
Support-L1@networkice.com
Knowledge Base: http://advice.networkice.com/Advice/Support/KB/
FAQ: http://www.networkice.com/html/faqs.html