This section allows you to define how the Firewall engine manages traffic on your computer when connected to a network. It also provides advanced module customization options which allow you to set the module to match your own security needs or your network configuration.
It can be accessed through BullGuard’s main window, by clicking on the menu button (…) from the Firewall section and selecting Settings.
The information present in the Security tab is directly related to the network attack protection offered by the BullGuard Firewall. The options in this tab will provide you with means to customize the Firewall attack detector to your network’s specifications.
Continue to apply Firewall rules when BullGuard is closed: This will enable the Firewall to function when the main application is closed. Note that this can cause issues with applications which are not in the Application list trying to access the network.
Because BullGuard is shut down and only the Firewall engine is running in the background, there will be no user interface loaded and no visible Firewall pop-up questions.
As you only have a limited period of time to answer the pop-ups and you won’t be able to see them on account of the interface not being loaded, the Firewall will take the default action and block the programs that don’t appear in the Application list. Of course, if you have a well-defined application list, then the Firewall will not block necessary applications.
Enable attack detection: Will enable or prevent the BullGuard Firewall from blocking network attacks. We recommend you to keep this option enabled at all times.
Detect when programs get modified: This feature will enable BullGuard to see when a program from the Application list has been modified. Therefore, it will ask you whether to keep allowing or to block the application.
This option is extremely useful as it will prevent hijacked applications from connecting to the internet without your consent. It works best in conjunction with the real-time scanning module from the Antivirus, by creating security layers that maximize the computer’s safety.
Also, the Firewall will detect when an application is trying to modify a program connecting to the internet and will ask you whether to allow it or not. You should be aware that software updates can modify executable files (such as the periodic Windows updates) and in such cases, you should keep allowing the modified files.
The attack detection system is the heart of the Firewall.
Attack detection settings
BullGuard will block a wide variety of network attacks. However, due to specific network requirements and equipment configurations, some information received from the internet might trigger a 'false positive’ attack warning. This is why you can edit the Firewall attack parameters to match your network’s characteristics.
Configure button for Detect Port Scans, Single Port Scans and Denial-of-Service attacks: allows you to edit the sensitivity level of the Firewall for these types of attacks.
Configure advanced ARP protection settings: allows you to edit the sensitivity level of the attack detector for ARP scans.
Exclude trusted hosts from attack detection: all IP addresses listed in the trusted hosts list will be exempted from the attack detector checks.
Ban intruders for (seconds): for each detected attack, you can set the Firewall to ban the source IP for a specified amount of time.
Detect Port Scans: allows the Firewall to detect port scans, which are not actually attacks, but a common action preceding an attack - an attempt to see what ports are open on your computer.
Single Port Scan attack: A type of attack that tries to see what ports are open on the target computer. Not an attack by itself, but a common action preceding an attack.
Detect Denial of Service (DoS) attacks: allows the Firewall to detect and prevent an attack that will render network services and resources unavailable to their intended users. There are various means through which DoS or DDoS (Distributed Denial of Service attack) occur: Teardrop attacks, ICMP attacks, Nuke attacks, distributed attacks. And there are some tell-tale signs of these attacks: low network performance, inability to access network resources (servers, printers, shared files, network tools/applications), low computer performance. In some cases, DoS attacks cause high CPU activity, making the operating system crash.
Detect IP Address Spoofing: Will detect and block any network packets from attackers trying to impersonate legitimate computers by forging the network packets’ source IP address.
Detect IP Address Stealing: Will protect your computer from attackers who could duplicate IP addresses from the network in order to cause operating system hangs or crashes. They could also deny the victim computer access to the network resources or services by sending false ARP packets by which they would actually steal “the identity” of the attacked computer.
Detect ARP Scans: allows the Firewall to detect ARP scans, by which an attacker posing as another computer/server tries to trick the target into sending it information. This type of attack generates delays in data transmission or a denial of service on the affected equipment because of the ARP spoofing. Important and sensitive data (chat sessions, e-mails) can be intercepted this way.
Fragmented-ICMP Attack: the Firewall will detect any attacker trying to send ICMP packets that are fragmented in an attempt to bypass security measures.
Fragmented-IGMP Attack: the Firewall will detect any attacker trying to send IGMP packets that are fragmented in an attempt to bypass security measures.
Short-Fragments Attack: makes sure the Firewall detects the types of packets used in DoS attacks. The packets are intentionally modified to have a smaller size than regular packets so that they will go undetected by security systems (hardware or software Firewalls).
1234 Attack: allows the Firewall to detect ICMP-type attacks based on sending faulty ICMP time-stamps.
Overlapped-fragments Attack: the Firewall will prevent attackers from sending fragmented packets that have information overlapping each other in hope to weaken the system and make it vulnerable to an attack. Usually, this kind of procedure is used in Teardrop attacks.
WinNuke Attack: this option will protect your computer against an attack sending an OOB (Out of Band) packet which would result in a computer lockdown and a BSOD (Blue Screen of Death). This attack would not damage any data from the computer disk, but it would cause the loss of any unsaved data prior to the attack. This kind of attack was specific to early Windows versions (Windows 95, old NT versions and Windows 3.11).
Teardrop Attack: enables the Firewall to prevent attackers from sending custom resized fragments that overlap each other. An exploitable bug in the TCP protocol generated a bad handling of such packets. It is an attack specific to Windows 3.11, 95 and old version of Windows NT and Linux.
Nestea Attack: protects your computer from a Linux specific network attack similar to Teardrop attack. This type of attack would exploit the network packets defragmentation bug from older version of Linux.
Ice Ping Attack: this option allows the Firewall to detect if Windows mishandles ICMP packets split into a large number of small fragments. Usually the computer crashes when assembling the smaller packets.
OpenTear Attack: the Firewall will keep your computer safe from a type of attack using random spoofed IPs to flood random ports from the target computer with random fragmented UDP packets that will cause operating system crashes on Windows 95, 98, NT 2000.
IGMPSYN Attack: enables the Firewall to handle this common denial-of-service technique.
Malformed IP Options: the Firewall prevents attackers from sending a packet with a large IP Options field that generates a buffer overrun in the TCP/IP stack. This results in the possibility to run malicious codes on the target computer and increased network activity slowing the network traffic to a crawl.
Moyari13 Attack: protects your computer from ICMP-type attacks through which the attacker sends an illegal ICMP time-stamp. Upon receiving this packet the computer crashes (the network stops responding). It is used against Windows 95/98.
FAWX Attack: enables the Firewall to prevent a type of IGMP denial of service attack that would freeze operating systems like Windows 95, 98 or NT.
FAWX2 Attack: the Firewall protects your system from a type of attack that sends random junk packets flooding port 139 causing blue screens under Windows 95, 98 or 2000.
KOX Attack: this option allows the Firewall to detect a type of IGMP denial of service attack that would freeze operating systems like Windows 95, 98 or NT.
Attack detection parameters
This section allows you to fine-tune the sensitivity of the Firewall regarding the attack warning triggers for Port Scans, Single Port Scans and Denial-of-Service. This works as follows:
The more sensitive the Firewall, the faster an attack warning will pop up and the attacker IP will be banned for the default ban period (300 second), although this may increase the chances of 'false positive' attack detection.
The less sensitive the Firewall, the longer it takes for an attack warning to be triggered and the 'false positive' rate is close to zero. However, a too lax security can jeopardize the computer integrity.
The default setting of the Firewall will provide a balance between a tight security system and a low rate of false positive detection and almost no network traffic hampering. Due to the continuous network traffic filtering, you can expect the connection speed to be a little slower. However, in case of major speed differences, we advise you to contact the BullGuard Support Team.
The port scan attack warnings are triggered based on scores. The ports are designated a specific weight (importance) that will determine their sensitivity. A port scan attack will be triggered when a specific scoring (the default or the user set value) is reached.
This method presents advantages as it will make the Firewall customizable so that you can set it up in order to avoid false positive attack detections.
By default, the ports have specified values in the attack detector. An open port has 0 weight (importance) as no one can be accused of illegal port scanning when this is targeting such ports (even some websites can do fast port scan on the user computer’s for data transfer for example). A closed port (the Firewall will keep sensitive ports closed or in stealth mode) has 1 for weight (importance), or more. Usually, all unused ports are kept closed by the Firewall.
The attack warning is triggered based on a time limit and on the total score over the specific time limit.
Time limit: If the conditions are satisfied over a predetermined period of time, the warning message is triggered. The default is 600 ms, but you can chamge it.
Scoring: When a computer/server scans 6 closed ports in less than 600 ms, the action is considered to be malicious and the port scan warning is issued. When port scans occur from a computer/server, the Firewall will check whether the ports are open or closed and make a sum of the added weight of the scanned ports. If the grand total will exceed the default weight (6), the port scan warning is triggered.
When configuring the attack detection parameters, you will have the opportunity to set custom values for sensitive ports to which BullGuard will pay more attention. Basically, this means that if an attack targets any of the designated sensitive port, the warning is triggered sooner and the attacker is blocked faster.
To edit the sensitive ports list, simply click on the Configure button from the attack parameters editing window.
To add a new port to the list, click on the + button, select the protocol type, enter the port number and assign it a weight (importance) value.
Configure advanced ARP protection settings
This feature allows BullGuard to detect attacks by compromised computers or servers and further enhances the computer security level.
Block unsolicited ARP packets: This is another security feature that will block all potentially dangerous ARP traffic packets that have not been previously requested by any application from your computer. Usually, unsolicited ARP packets are sent by infected computers or by attackers who are impersonating servers or other computers from your network and are trying to trick the computer into opening communication ports.
Protect against hijacked gateways: Will protect you against compromised Gateway servers.
Protect against IP address duplication: When a new IP address is set for a computer in a network, the computer will broadcast this information on the network. BullGuard will read such traffic and if the IP address is exactly the same with the IP on your computer it will block the information packets. Some operating systems will ‘hang’ when trying to read those traffic packets and BullGuard will prevent the information to reach the operating system to be decoded.
Detect when applications are modified
This feature will enable BullGuard to see when a program from the Application list has been modified and will ask you whether to keep allowing or blocking the application. This option is extremely useful as it will prevent hijacked applications from connecting to the internet without your consent. It works best with the real-time scanning module from the Antivirus engine, creating security layers maximizing the computer’s safety.
Also, the Firewall will detect when an application tries to modify a program connecting to the internet and will ask you whether to continue to allow it. You should be aware that software updates can modify executable files (such as the periodic Windows updates) and, in such cases, you should keep allowing the modified files.
Manage firewall rules
This section allows you to review, modify, create and delete Firewall rules. You can read more about this section in the Application Rules, Advanced and Low Level Rules and ICMP rules guides. (links)