Personal Firewalls/Intrusion Detection Systems

An Analysis of Mini-firewalls for Windows Users

By Seán Boran
www.boran.com/security/sp/pf/pf_main20001023.html

The complexity of Microsoft Windows and browsers/PC applications, and the pervasiveness of networking, have contributed to continual discovery of security weaknesses - which the typical user cannot be expected to follow or understand. Until now the standard tool for defending Windows was the antivirus scanner, but this is no longer enough. The personal firewall has made its debut and may become an essential tool for Windows users connected to hostile networks.

Recent updates: 16.Apr.02: Uzi Paz writes in with updates on Tiny/Kerio, Outpost and two testing tools: Outbound & Tooleaky. 5.Mar.02: NAI are no longer selling PGP. 12.Feb.02: Check out the eEye security alert ISS BlackICE Kernel Overflow Exploitable. Make sure you have it patched. It is a bad indication of software quality, perhaps more such bugs are lurking. Sep.01: Reader Comments, Change history, Fixed links after move from SP to boran.com (thanks Henry!) Aug.01: Minor fixes in Green Jun.01: ADSL analysis, Conclusions

1. Introduction
2. Product Tests
3. Comparison Charts
4. Summary and Conclusions
5. References
6. Appendix: Acknowledgements | Change history |
   Reader Comments | about the author

Each product is analyzed in a separate article, with the introduction, summary and conclusions in this document.

This report was awarded "Best Comparative Personal Firewall Review" [6] — thanks to those of you who voted. Help us keep it that way by continuing to provide us with detailed feedback/suggestions.

Introduction

Network firewalls are great for implementing a security policy between different networks, but are often expensive, complicated, inflexible, or do not progress quickly enough to keep up with new attacks. They may also be rendered useless by dialup access weaknesses, encryption, VPNs, teleworkers connecting directly to the Internet from home, etc.

An interesting new breed of "personal firewalls" have surfaced that are installed on Windows and allow both beginner and expert users to protect their PCs. The risk faced by the home user on the Internet is analyzed in [4]. Basically, there is a significant risk of information being stolen or destroyed; of your PC being misused to attack others, or used to access sensitive (e.g., banking) software; or simply of PC/network resources wasted; and it needs to be addressed.

Benefits

• Protect Windows from network attacks when connected to hostile networks (like the Internet), especially those connected for hours or even days at a time (DSL or cable users). The longer you're on the Net, the more likely you'll be attacked.
• If an infected email should install a back door (like BackOrifice), the personal firewall will still prevent network access to the backdoor.
• When trying out new applications, you can see exactly what communications are needed, when.
• Teleworkers who connect to the corporate LAN via Internet VPNs may be exposing the corporate intranet. If their PC is penetrated, it could be used as a bridge by attackers to penetrate the intranet. With a personal firewall installed, VPNs on the Internet do not pose as much of a risk.
• Education: Become aware of just how hostile your network environment is.
• Ensure that your PC is not used to attack others.
• In a corporate environment, laptop users/Internet VPN users/home workers, etc. could be mandated to use a preconfigured personal firewall that prevents their PCs from posing additional risks to the corporate intranet.

Precautionary Measures

There are a few measures that Windows users should take, whether they install a firewall or not:

• Never run any executable file or script received by email unless you are very sure of its original and are convinced the originator has excellent virus/Trojan protection in place.
  
• Disable file and printer sharing.
  
• Disable the SMB/Microsoft protocols on the interface used to access the Internet. For example, on NT with a dialup connection, select Control Panel -> Network -> Bindings -> NetBIOS Interface, select the Remote Access WAN Wrapper entries, right-click and select "disable."
  If you use dialup for both Internet and intranet access, though, disabling SMB/Microsoft protocols might disrupt your intranet access.
  
• Install Windows, Explorer and Office security fixes/service packs: This is a tricky one as it can be very time-consuming and cause major headaches. For instance, one Outlook98 security patch was so restrictive as to make it unusable on intranets (in my opinion).
  
• Antivirus/worm/Trojan measures
  • Install a good antivirus scanner and keep it up to date. Scan email attachments before opening them.
  • MS Office: Switch on Word/Excel 97 Macro virus protection (Tools/Options/General/Macro virus protection) or run Word/Excel 2000 with at least medium security settings. This will ensure the user is presented with a dialog box when documents containing macros are opened. If suspect Word documents are received by email, open them in Wordpad rather than Word, since macros won't be understood by Wordpad. Set the file-permissions of "normal.dot" to read only, to prevent viruses or Trojans from infecting your Word setup.
  • If possible, configure your browser to ignore ActiveX and prompt when Java or Jscript or VBscript is run.
    
• Scan your system remotely to see what ports are open to the Internet [8].
  
• Don't stay connected to the network unless you need to.
  
• Don't connect to the network before tools like personal firewalls are active.
  
• Back up your system regularly.

Key Criteria in Choosing a Personal Firewall

1. Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of service.
   
2. Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.
3. Effectiveness of reaction: discovering identity of attacker, blocking attacks, ease of use.
4. User interface: ease of use, instructiveness, simplicity, quality of online help. Can rules be easily added/removed/checked? Does the interface suit the way you use your PC? Do you understand the questions the software asks and what it is doing?
5. Price: how much are you willing to pay initially, and each year for support/updates?

How Did we Test Effectiveness?

1. Ping and accessing shares to and from the test host.
   
2. A powerful, well-known "remote-control" Trojan (Netbus Pro v2.1) [3] was installed on the system on a nonstandard port (to make detection more difficult), he Netbus server started and attempts made to connect from a remote system.
3. The telnet server was enabled on the Win2K test PC. It was then attempted to connect to this service remotely. It is not recommended that you enable telnet; we do this purely for testing purposes.
4. An nmap [2] scan was run against each product (see below), to check that incoming ports were effectively blocked.

Note on Trojans

• One reader pointed out that the SubSeven 2.1 Trojan has a "wait until reboot" feature that allows the program to be downloaded to a system, installed, but not activated until the next time the system is started. This allows the Trojan to start before the personal firewall, so the firewall might view the Trojan as a "regular Windows application" and not issue an alert, leaving the system vulnerable. ZoneLabs released an updated version of ZA (v2.1.44) to correct this problem, but this may be an exploitable vulnerability in other firewalls.
• We haven't tested these products with SubSeven. You should be aware of this risk; if you are a vendor, make sure your product covers this issue!
• In the same vein, some firewalls start as services (on NT), others from the Startup folder. Beware! If the firewall does not start as a service, it is not active until logon.
• Trojans can also "leak" information by sending it out via standard ports that the firewall probably allows by default (e.g., port 80). Defense: detecting and controlling accurately which application (for example by the use of one-way hashes such as SHA-1) connects out on what port. In the Norton report, detailed "leakage tests" were carried out — a procedure is documented that can be used on any product.
• Vendors: Ensure that the firewall is started as a service, rather than in the Startup folder. Verify existing network connections when the firewall is started. Control network connections even prior to logon. Use strong hashing algorithms to identify applications and allow the user to easily see/change which application is allowed on what port.
• If your Win95/98 system does get taken over by a Trojan, a set of programs suggested by one of our readers that may help recovering the system is Toy Box [5].
  

Product Tests

Each test report is in a separate document, so that we can continue testing new products and updating the existing results.

McAfee Firewall
pf_mcafee20001011.html  

PGP7 Firewall
pgp7firewall20001006.html
NAI are no longer selling PGP (see also www.pgp.com)
"Network Associates recently announced the closure of PGP Security business unit and the integration of some of its product into other business units. PGP encryption is retained and continues to be the encryption engine within McAfee E-Business Server product line. PGP's Desktop Firewall and VPN client products are continuing as McAfee products. The bundle called PGP Corporate Desktop will be put into maintenance mode. PGPmail, PGPdisk and file, PGPwireless, and PGP Keyserver are also being put into maintenance mode." 

VirusMD
pf_virusmd20001023.html  

BlackICE
pf_blackice20001023.html

ZoneAlarm
pf_zonealarm20001023.html  

Norton (equivalent to Symantec Personal Firewall)
pf_norton20001023.html  

eSafe
pf_esafe20001023.html

ZoneAlarm Pro
pf_zonealarmpro20001108.html
Trend Micro and Zone Labs are involved in a joint venture, joining ZoneAlarm and PC-cillin together. This good news was brought to us by one of our regular readers.

Sygate
pf_sygate20001112.html

Tiny (see also Uzi Paz's remarks)
pf_tiny20001114.html

Conseal
pf_conseal20001221.html

Privacyware Personal Firewall
pf_privatefirewall20010316.html

TermiNET
pf_terminet20010327.html

Personal Firewalls Not Tested, Or Tests Abandoned

AtGuard by WRQ was purchased by Symantec, changed and resold as Norton Firewall, but the original AtGuard has a loyal following on the Net (i.e., despite its being over a year old users are convinced it is a very good firewall and worth discussing in detail). It can block incoming and outgoing connections.

• WRQ http://www.wrq.com
• AtGuard new home page (unofficial) http://home.pages.at/atguard
• AtGuard user message board http://www.hostboard.com/cgi-bin/forumdisplay.cgi?action=topics&number=233&SUBMIT=Go

PC Viper Personal Firewall (http://pcviper.com)
This only seems to be available for Win95/98/ME. At the moment I have NT4 and Win2K test PCs available, so no tests can be made of this product for now. A review can be found on http://www.dslreports.com/security/sec014.htm  

McAfee Firewall
This product is based on Conseal's Private Desktop (www.signal9.com). We only tested the McAfee product, since it is presumed that the Conseal product will no longer evolve. Note that Conseal's "PC Firewall" is a different product - see previous section.

Internet Firewall 2000/IF2K (www.digitalrobotics.com)
Although it installed without error on the test NT4 SP5 system, it would not start, giving the error "Internet Firewall 2000 Failed. Make sure you have full system privileges and try again." I was logged in with Administrator privileges. No further testing was conducted with this product.

Biodata's Sphinxwall Firewall (http://www.sphinxwall.com/) V1.0 build 599 was tested briefly:

• On Win2K/SP1 it installs fine and the GUI works, but the firewall has no effect. In fact, the network driver was not installed.
• NT4/SP5: After installing and rebooting, Sphinx does not automatically start, but when manually started, it asks which adapter needs to be secured (LAN or modem). The modem was chosen. The NT Network Bindings dialog is then shown without an indication as to what has to be done. Looking around, we find a "Biodata transport Driver" now listed in the protocols tab. Clicking OK, a dialog opens asking us to assign an IP address to the "Biodata Virtual Adapter." An address was assigned and another reboot was necessary.

After reboot, the LAN adapter was dead! No local communications would work, all bindings to the local LAN were missing, and all TCP/IP settings were lost.

De-installation was very painful. It was hours before the computer was fully functional again. The procedure that works best was: In Control Panel -> Network settings, remove the Biodata protocol, reboot. Then try to remove any Biodata adapters left, reboot. Remove your LAN adapter, reboot. Deinstall SPHINX, reboot. Search the registry for SPHINX entries and reboot. Add your LAN adapter again and set the IP address or other TCP settings, reboot. Check that TCP/IP is not disabled under the network bindings.

• No further tests were conducted with this product.

HackerTracer (www.neoworx.com/download/download.asp?product=HackTracer)
The trial version does not work on NT or Win2k, so no tests were carried out. An NT version is coming soon and we hope to test it. 

CyberwallPLUS-WS  (www.network-1.com/WSeval/index.htm)
This heavy weight runs on NT and Win2k. Evaluations can only be downloaded from  http://www.network-1.com/download/index.html. V6.03 was downloaded and installed on an NT4 SP4 system, but the tests had to be abandoned:

• I could not get any TCP/IP communications working with my 3c905 LAN ethernet interface. (NetBEUI worked unhindered).
• Dial-up adapters are not supported and hence continue working correctly after the cyberwall installation.
• Exiting the tray icon does not stop the engine. Stopping the engine in the NT services applet works, but communications will still not work.
• Even though I created a rule to allow ping in/out to all hosts, the situation did not improve.
• No log entries were posted.
• Impressions: This product looks like a "real" firewall, tuned down for the desktop. The GUI, while extensive, would be difficult for the non-expert user. There is no "learning mode" or wizards to help the newcomer.
• After installing and rebooting, my LAN interface disappeared from Control Panel->Network->Protocol->TCP/IP and the IP address could be found nowhere! The command "ipconfig /all" showed no IP address either.
• On de-installation, the TCP properties windows pops-up confirming the IP address was set (obviously the original TCP/IP settings and bindings are being restored)
• Summary: This is a extensive firewall, that had problems with my configuration, but does have potential for the expert user. It cannot protect dialup connections however.

Smoothwall v0.9.6   (sourceforge.net/projects/smoothwall)
"SmoothWall is a Linux cut down to a complete minimal automated installation, providing out of the box security & functionality as a router and firewall, managed by platform independent web browsers. No prior Linux experience required."

• This is a free Linux based firewall, which allows you to turn a PC into a Firewall/gateway to the Internet for your local network. It is designed to have a LAN connection on one side and a dialup Interconnection on the other. Basically you download a CD image, burn a CD, boot the PC with it and answer the questions to setup your firewall. It is much less daunting that setting up your own Linux /IP chains firewall manually.
• Test: The CD images was downloaded and a Dell Precision 410 Workstation booted with it. Unfortunately it could not find any disks in the system (there were two IDE disks - NT, Solaris and Redhat installed fine on the system -- OpenBSD did not). So it was a question of drivers. A second host, a Compaq Deskpro Exm/P800 was booted and installed, but on the final reboot after removing the CD, the system boots and displayed just "LI" on the screen (LILO problem?). No further tests were carried out, as our purpose here is to find and recommend firewalls that can be set up by beginners. This product does have promise though; the concept is good, and it is after all still in beta.
• Summary: It might work on your hardware. Nice concept. One to keep an eye on for protecting a small LAN from the Internet.

Freedom 2.0 (www.freedom.net)
This free tool from Zero-Knowledge sounds interesting. It contains a personal firewall, form filler, cookie manager, ad manager and keyword alert. It has a few unusual requirements though: no NT support (Windows 95, 98, 2000 and ME are OK) and Freedom will not work behind a firewall if it is configured to deny access to certain data ports (51100 TCP/UDP, 51101 UDP, 51102 TCP, 51107 TCP, 51109 UDP). This means it won't work in my existing test setup, but hopefully I'll get a chance to try it in the future.

Internet Connection Sharing
Windows 98 SE (second edition) and Win2000 include the Internet Connection Sharing (ICS) tool, which can be configured on a gateway PC between a cable modem and a hub of internal PCs. Apparently it provides some measure of protection against external attack, but no firewall is included. It hasn't been tested as part of this review, but is mentioned for reference purposes.

Another report examines integrity checkers and Trojan detectors:

Complementary products to Personal Firewalls
pf_other20001023.html

ADSL and hardware firewalls are covered in separate papers:

ADSL: Security Risks and Countermeasures
pf_adsl20010614.html

ADSL Firewalls: Product Reviews
pf_adsl_tests_20010627.html  
 

Tests of more Products

I had planned to test the following products but sponsorship has dried up, and I mostly use ADSL hardware firewalls now myself.:

• PC Firewalls: F-Secure Distributed Firewall (a new NT/Win2K release has been received), CyberArmor, Jammer, new version of Norton firewall.
• Integrity checkers: Tripwire, SMART watch, Cybersight lite.
• Check out newer versions of: Sygate, Norton.
  

Comparisons

Feature Comparison

Note: None of these products restricts JScript, VBScript or JavaScript in Web browsers. ZoneAlarm Pro does restrict them in email attachments.

Price Comparison

Usability Comparison

Corporate Features

There was a request to cover more aspects that interest use of Personal Firewalls in a business environment. Some vendors offer special versions for the corporate environment; these are indicated in brackets.

Other issues that may interest the corporate user are:

• the ability to export/save configurations and re-import them onto other PC. We didn't do any general testes in this area, but Norton, McAfee, Sygate, ZoneLabs are all problematic. Norton can export to a text file only. To secure against specific threats, or put holes for particular programs requires setting up each computer individually.
• Ideally products would export their rulesets, trusted address lists, intruder alerts and logs in a format that would allow quick sharing among a groups of PCs and allow importing into a database.

Summary and Conclusions

Summary

Personal firewalls are useful and should be considered by any Windows user who directly connects to hostile networks, such as the Internet. They have a role to play in both the corporate and SOHO (Small Office/Home Office) markets. Although many products are immature, there have been major advances over recent months. All these products need to be subjected to more scrutiny and given time to prove their security effectiveness. None of these products is provided with source code.

• There is a tendency for antivirus and personal firewalls to be integrated into the one product, which is not necessarily a good thing. It may make sense for the home user, but the corporate user may find his antivirus already mandated by a central IT organization, or may want the choice of separate tools.
• Personal firewalls can't just be installed and forgotten about. The user has to learn how to use them and understand their interface/consequences, for them to be effective.
• The main difficulties are making such products easy to use, being flexible enough for power users, and reducing false positives (a common ailment among intrusion detection systems).
• Personal Firewalls cannot offer 100% protection. For instance, they can be badly configured, or switched off; can start too late (e.g., after Trojans are running or long after the TCP/IP stack is active); they might not recognize all hostile traffic; they may have bugs; may crash, etc. It's a good strategy to have several barriers to attackers, e.g., antivirus tools, file encryption, good passwords, a well-configured OS. The underlying operating system also plays a role: security-conscious Windows users are advised to use NT or Win2K and configure them restrictively.

Conclusions

Free firewalls:

• Tiny Firewall and Sygate are my favourite "Free for personal use" products.
• Sygate has improved significantly. I would have been reluctant to recommend v2, but the v4 is good. (However, one reader had written in to say that on Win98, Sygate can slow down the Internet performance considerably).
• Other users have indicated that they like the ZoneAlarm GUI, so give it a try before deciding.

SOHO (Small Office/Home Office) users willing to pay:

• Sygate v4 is good. 
• ZoneAlarm Pro is effective, powerful and can check and quarantine emails with dangerous attachments.
• Norton is effective, but it is expensive and requires quite a bit of configuration. It has additional privacy features that may be useful. It is not easy to set up for corporate use and is unstable when used with certain VPN software. Norton does not document the list of "Trusted Applications," nor can the list be edited. If you are very worried about Trojans and information leakage, consider disabling "automatic rule creation."
• McAfee is good. Some users may prefer it to Norton, but it is not as effective and NT installation/de-installation is buggy.
• Tiny Firewall is not as full featured as some of the others, but simple and effective.
• PGP7 is an interesting firewall for advanced users or servers.
• BlackICE had been my favourite for many months, and is probably the best "intrusion detection system." It is simple, stable, easy to use and doesn't interfere much with daily work. It does not block outgoing ports, however and has had some worrying software quality problem - notably BlackICE Kernel Overflow Exploit. It may well be a good choice for many users, due to its simplicity and regular updating.
• Privatefirewall is cheap, simple and may suit some home users.
• TermiNET is available in 11 languages and has multi-user configuration.
• Experts may enjoy the extensive control over rules provided by Conseal, if they don't mind the hefty price tag.

Windows 2000 users may prefer Sygate, Norton or Tiny, until ZoneAlarm Pro, BlackICE and McAfee have sorted their problems out.

Laptop users may not like Norton or McAfee, which won't allow powersaving modes to be used (Sygate and Tiny, for example, allow Win2k to hibernate).

Corporate users would probably be interested in ZoneAlarm Pro, PGP7, BlackICE or Sygate due to their support for centralized configuration and rollout. Tiny Personal Firewall allows remote administration.

References

1. [SecurityPortal is offline]
   
2. Nmap
   http://www.insecure.org/nmap
   
3. Netbus Pro: Remote-control program often used as an attack tool to control remote PCs.
   http://netbus.nu/
   
4. [SecurityPortal is offline]
   
5. Toy Box (a collection of tools that may help clean a system possessed by Trojans)
   http://home.earthlink.net/~rmbox/Reticulated/Toys.html
   
6. Best Comparative Personal Firewall Review
   http://www.firewallguide.com/freeware.htm
   
7. ADSL: Security Risks and Countermeasures - Sean Boran
   pf_adsl20010614.html
   ADSL Firewalls: Product Reviews - Sean Boran
   pf_adsl_tests_20010627.html  
   
8. Free remote testing of your open ports:
   Neoworx port probe: http://www.hackerwatch.org/probe/

Other articles that may provide a different perspective:

Personal Firewalls Under Fire - Gary Bahadur
http://www.infosecuritymag.com/articles/july01/cover.shtml

Appendix

Acknowledgements

Many readers provided feedback and useful inputs. Thanks to Interceptor, Tom Chmielarski, Larry Adams, Geoffrey Kidd, Thomas Rude, Paul Rarey, Bill Curnow, Lissi Paffrath, Peter Klammer, Réjane Forré, Michael Semling, Nathan Legg, Lindsay Macauley, Jammie Czaplewski, Henry Markus, Harry Choughcon, John Ceddie, Eagle10, Roderick Davies and the readers specifically noted below.

Comments from readers  

• 14.Apr.02/ Uzi Paz
  • Tiny's developers departed from Tiny software, and now offer an upgraded version of Tiny personal firewall 2.0, under the name of Kerio Personal firewall (v2.1.3) www.kerio.com . For an official information about the split, see the first question on section 7 ("Other") on http://www.tpffaq.com/cgi-bin/faqmanager.cgi
  • Some programs which try to bypass outgoing traffic restrictions of personal firewalls may be found on www.tpffaq.com/cgi-bin/faqmanager.cgi. You may wish to test them on your firewall to see how effective they are blocked in your environment. e.g.
    A) Tooleaky, bypasses personal firewalls by using Internet Explorer to communicate (without any visible window). Since firewalls usually allow browsers to initiate a session, the communication is considered legitimate.
    B) Outbound which bypasses the firewall by directly using the network device interface driver (NDIS) to communicate with the outside.
  • On comp.security.firewalls there are recommendations for a relatively new personal firewall called Outpost www.agnitum.com 
  • An important aspect of personal firewalls, not discussed on your comparative review is how much they load the PC, especially for older machines on a fast connection (like ADSL).
    Comment: Yes, this is true. Products vary quite a bit as regards system load. Tiny or BlackICE were light on the system the last time I tested them. If you want to buy a firewall for a very slow PC, try out a trial version first, if you can. Alternatively, buy a small Hardware firewall, which won't load your PC at all.
    
    
• 13.Dec.01/bhendricks@fastq.com
  Zone Alarm Pro (newest version) on my NT4 sp6a server: ZAP was install after finding someone was abusing our FTP server. After installing ZAP it stopped the problem for about one day. Then I found this person(s) had again hacked the system, ZAP was set to block all port from 1 - 65xxx (don't remember the high port number), not to allow IIS to access the internet and these persons were still able to access the system. I killed the Internet access for now and will be installing a SMC Router/Firewall.
  Comment: The attacker has probably installed a backdoor, the system probably needs to be cleanly installed. ZAP is probably not configured to block outgoing ports. A separate hardware firewall should of course be better, if you restrict traffic tightly in both directions.
  
• 05.Nov.01/mike@web.net
  The PGP7 Firewall uninstall was anything but clean - it totally hosed my network so that I couldn't use the system. I eventually had to reinstall from scratch... I also noticed that it disabled my Windows 2000 IPSec interface while it was there, so that my local IPSec policy wouldn't work anymore. This is probably not going to make people happy, especially those who want to manage IPSec through Group Policy..
  
• 27.Sep.01/Roderick Davies: 
  I'm an ADSL user ... I noticed that downloads generally had dropped from 70Kbps to about 20Kbps ... trying various Command Line PINGs and TRACERTs, I started looking at various utilities - namely NeoTrace from www.neoworx.com so I could examine any potential bottlenecks on the internet. I took advantage of the excellent value NeoTrace & NeoWatch special $40 bundle, expecting to use the former but not the latter, as I am VERY picky about anything other than SYSTRAY and EXPLORER running, to keep gaming performance as smooth as possible - I believed that a firewall would have a small but noticeable CPU performace impact. Well - I have just been converted ..... So what? Well the cool thing is that when notified, you can launch an automatic Trace using (NeoTrace) and identify the source and detailed information, including geographical and Registrant information. Oh yes - one final useful snippett... have your readers test their PCs on the following Probe Test:- www.hackerwatch.org/probe
  
• 22.Aug.01/Monty Phister: Your review of Private Firewall says it costs $14.95 and has a trial version available for download. The price actually seems to be $29.95, and I find no trial version.
  
• 22.Aug.01/Anders Giertz:  I use BlackIce defender without problems with Windows 2000. When I upgraded to SP2 there was a problem, solved by downloading the upgraded version of BlackIce. I have a dual processor computer, BlackIce is the only firewall I have seen that is specified to work with dual processors, ZoneAlarm Pro is (at least was) specified not to work with dual processors. I stopped using Norton IS 2.5 when they launched an upgrade that crashed the computer (for other users also according to what I could see on their tech support pages). They did not fix this but offered a version upgrade for nearly the same price I had paid for 2.5 some months ago.
  Your comparison charts would become more useful if you specify the version reviewed.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.