
Author Topic: Block Virus Country in Firewall?  (Read 3981 times)


Geek-9pm

Block Virus Country in Firewall?
« on: January 18, 2010, 08:50:42 PM »
Can you Block Virus Country in Firewall?
Here is a chart for September:

That is from www.kaspersky.com

But my question is:
How would you set up a firewall or router to block all traffic from outside your own country?   >:(
Or maybe allow two or three countries and no others? :-\

jkolak



    Re: Block Virus Country in Firewall?
    « Reply #1 on: January 19, 2010, 12:56:54 AM »
    Can the firewall black list include wildcards? Or more importantly, can a firewall use a white list instead of a black list? Nationally hosted ISPs have a two letter country identifier. You could then set your white list to only allow US-type sites like .com, .org, .edu, etc. Many foreigners do have web hosting in the US though. Plus the US is diversifying the type of domain names which would make it more difficult to white list. Someone savvy on decimal addressing may have a decimal solution.

    BC_Programmer


    Re: Block Virus Country in Firewall?
    « Reply #2 on: January 19, 2010, 02:53:09 AM »
    Quote
    Can the firewall black list include wildcards? Or more importantly, can a firewall use a white list instead of a black list? Nationally hosted ISPs have a two letter country identifier. You could then set your white list to only allow US-type sites like .com, .org, .edu, etc.

    There are two problems with the entire concept of blocking the country:

    First off, blocking by domain name suffix (which actually has nothing to do with ISPs and everything to do with domain registrars; you can easily register a .com anywhere in the world; I have a .com and I'm in Canada). Additionally, this precludes visiting any site with extensions like .ca, .uk, .co.uk, .bc.ca, and so on; even blocking only specific countries, like China, is to trust the representation of the statistics.

    First, it's only really exploring a single facet; where viruses come from. This has the additional difficulty that it really doesn't define what metric they use to define "where they come from"; chances are, they are in fact referring to the nation of authorship, in which case blocking these countries would do nothing anyway; most viruses are distributed through trojan horses, not through internet worms, and even if they were, worms can go from network to network, so they could easily transmit from one country's network to another country's network and suddenly become trusted in the eyes of your firewall.

    Personally, and I know this perception is certainly not a common one; I think Anti-virus and Firewalls and so forth are all a waste of time for the diligent computer user. Sure, they can keep ol' gran from getting viruses through their e-mail, but why not, you know, teach gran about these things?

    Personally, I operate with neither an AV nor a software firewall (my D-link router provides an adequate hardware firewall IMO). This is possible because I know what should, and shouldn't be running; I can use Process Explorer and Process Monitor, as well as specific registry key infection vectors, to determine the exact files infecting me, restart into a Linux live CD (or recovery console) and delete the files in question. Reboot. Good as new. Or, I could run an AV that will purport to prevent the infection in the first place (I might add that my last infection was acquired before the virus itself was even in any virus database, so by the time my AV (if I had one installed) would have found it I would have already been screwed). The problem with AVs used in this manner is this gives a false sense of security. You aren't really that much safer; sure, as long as an infectious virus meets certain heuristic requirements, it will be detected. But as low as their IQs get, virus writers are very persistent; it doesn't take a whole lot to get by the type of heuristic detection that is loose enough not to send out false alarms with nearly every file.

    A classic example of an AV casting their net too wide is versions of McAfee; they will in fact flag an EXE as a "trojan horse" if it contains the string "software\microsoft\windows\currentversion\run" simply under the assumption that only bad programs will access the key. This is almost sensible.

    But guess what the virus writers did? They reversed the string. Now the AV doesn't detect the virus, but still flags legitimate programs like Autoruns and so forth that are legitimately inspecting that key. It's a load of crap; blacklists are far too easy to work around.

    Sure, as I said, there is heuristic detection, and so forth, but it's still programmatic and it's still a blacklist, even if it is modified, just as a regular expression is still a method to match strings. It's flat out impossible to programmatically determine from analyzing a program's flow whether it's a virus or not, and it wouldn't be hard to obfuscate anyway, so it's really a waste of time.

    Now; this all really only applies to me; AV programs prevent a lot of problems and provide a security blanket for paranoid delusionals who believe that viruses can get onto their systems without user intervention. In a few cases, this has been true. However, from what I can tell, over 99% of all virus infections are acquired by running a trojan horse delivery.

    These are downloaded, voluntarily, by users. An AV can detect the trojan, of course, but is there not something wrong with a user simply trusting some random site to actually be giving them the installer? This brings me back to the topic: when did the country of origin suddenly become a metric by which to measure code trustworthiness? You can't judge a good program by the domain suffix of the download page any more than you can judge a wise man by the colour of his skin, but people insist on suggesting these off the wall ideas based entirely on skewed statistics that are ambiguous in both exactly what they measure (who, cool, a pretty graph with country names on it). What are they measuring? They never say. And even if they did, blocking an entire country is hardly the solution. It doesn't matter what country they come from; if you think these sorts of paranoid delusional preventative measures are somehow better than using common sense then allow me to illustrate a metaphor. Since there is a dogma around those of Middle-Eastern descent being "terrorists", should we exclusively deny (block) all such "threats" from entering our countries? No. Because first off, not all Middle-Eastern people are terrorists and not all terrorists are Middle-Eastern; all you'd be doing is increasing tension between two peoples. You don't just block an entire sect of people just as you don't block an entire sector of web traffic; instead you "get smart" and actually learn how to detect exactly what it is that you don't want. For example, it doesn't matter what their race is, a person with a bunch of TNT wrapped around them will more than likely be a security threat. This same thing goes for computers. It doesn't MATTER where that funpictures.jpg.exe file came from, it's NOT a legitimate program. You need to learn to detect and stop what you DON'T want from entering, not making hand-wavy generalizations and blocking entire sections of web traffic based on some flawed statistics that say less than half of the world's malware comes from them.

    I was trying to dereference Null Pointers before it was cool.
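
The false positive and false negative that the reply above describes for a fixed-string signature can be reproduced with a toy scanner. This is an added example, not part of the original thread and not any AV vendor's logic; the function names and every sample are constructed for illustration.

```python
# Added illustration; samples are constructed byte strings, not real programs,
# and the matching is a toy model, not any AV vendor's engine.
KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SIG = KEY.lower()


def naive_match(blob: bytes) -> bool:
    """Signature as described in the post: flag any file containing the key path."""
    return SIG.encode("ascii") in blob.lower()


def widened_match(blob: bytes) -> bool:
    """Also match the reversed string and the UTF-16LE form Windows binaries often use."""
    lowered = blob.lower()
    forms = [s.encode(enc) for s in (SIG, SIG[::-1]) for enc in ("ascii", "utf-16-le")]
    return any(form in lowered for form in forms)


# name -> (constructed file contents, ground truth: is it malicious?)
SAMPLES = {
    "startup_inspector": (b"MZ\x90\x00" + KEY.encode("ascii") + b"\x00list entries", False),
    "registry_viewer_utf16": (b"MZ\x90\x00" + KEY.encode("utf-16-le") + b"\x00\x00", False),
    "photo_viewer": (b"MZ\x90\x00decode jpeg\x00", False),
    "sample_plain": (b"MZ\x90\x00" + KEY.encode("ascii") + b"\x00", True),
    "sample_reversed": (b"MZ\x90\x00" + KEY[::-1].encode("ascii") + b"\x00", True),
}


def evaluate(matcher):
    """Return (false_positives, false_negatives) as sorted lists of sample names."""
    fp = sorted(n for n, (blob, bad) in SAMPLES.items() if matcher(blob) and not bad)
    fn = sorted(n for n, (blob, bad) in SAMPLES.items() if bad and not matcher(blob))
    return fp, fn


if __name__ == "__main__":
    for matcher in (naive_match, widened_match):
        fp, fn = evaluate(matcher)
        print(f"{matcher.__name__}: false positives={fp} false negatives={fn}")
```

Widening the signature catches the reversed sample but adds a second benign tool to the false positives, which is the blacklist trade-off the reply argues.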

    jkolak



      Re: Block Virus Country in Firewall?
      « Reply #3 on: January 19, 2010, 03:44:02 AM »
      Quote
      The problem with AVs used in this manner is this gives a false sense of security.

      I have an open thread in this forum too, which came upon me partly due to this factor. Administering the kid's computer, I got too casual about malware because it seemed hopeless to keep him from downloading things because every time I ran a scan, it picked up 3 or 4 viruses. Since these always cleaned up easily and never affected the system seriously, I got complacent. That being said about his computer, the infection I am here for is of the serious type on my own computer and is undergoing ComboFix Therapy among other things. I saw an article on another forum that said that gone are the days when you could clean up malware with a couple of scans by AV and anti-malware programs. That one hit me over the head like a brick!

      Quote
      A classic example of an AV casting their net too wide

      In the last post on my thread I also asked about the issue of false positives as there are 3 questionable programs on the 2 computers that I am trying to find out about.

      The rest of your comments remind me of a quote from Aleksandr Solzhenitsyn along the lines that the line between good and evil does not run between nations, because then you could say those countries are bad, and these countries are good. Nor does it lie between communities, because then you could put all the bad people on the other side of the tracks and keep all the good people on this side of the tracks. No, he said, the trouble is that the line between good and evil goes down the middle of each human heart, so that each individual person must choose between good and evil.
      « Last Edit: January 19, 2010, 04:30:01 AM by jkolak »

      harry 48



      Re: Block Virus Country in Firewall?
      « Reply #4 on: January 19, 2010, 02:38:46 PM »
      Should this question not be in or moved to Other?

      It does not need help in the Computer viruses and spyware section.

      jkolak



        Re: Block Virus Country in Firewall?
        « Reply #5 on: January 19, 2010, 11:47:44 PM »
        I was wondering about that myself, and hesitated to reply since only CH malware specialists are supposed to reply here. Since the thread was discussion only, I decided to go ahead and post.

        Perhaps the admin needs to set up 2 separate forums -

        1 - Computer viruses and spyware help

        and

        2 - Computer viruses and spyware discussion

        Of course, the link to the first would have to be the same as the current forum so that you don't have to globally fix all the threads pointing to this forum.

        I see you are quite swamped in this forum, by the way. I'd like to sign up for class so I can come in and help, but I still have an active case open. I had hoped things would lighten up after the holidays, but judging by the number of open cases waiting for help, and the number of cases that you are trying to help with yourself, the situation is not looking good.
        « Last Edit: January 20, 2010, 02:23:41 AM by jkolak »

        harry 48



        Re: Block Virus Country in Firewall?
        « Reply #6 on: January 20, 2010, 11:49:58 AM »
        Quote
        I was wondering about that myself, and hesitated to reply since only CH malware specialists are supposed to reply here. Since the thread was discussion only, I decided to go ahead and post.

        Perhaps the admin needs to set up 2 separate forums -

        1 - Computer viruses and spyware help

        and

        2 - Computer viruses and spyware discussion

        Of course, the link to the first would have to be the same as the current forum so that you don't have to globally fix all the threads pointing to this forum.

        I see you are quite swamped in this forum, by the way. I'd like to sign up for class so I can come in and help, but I still have an active case open. I had hoped things would lighten up after the holidays, but judging by the number of open cases waiting for help, and the number of cases that you are trying to help with yourself, the situation is not looking good.

        If you want to become a malware expert, try one of these: http://www.computerhope.com/forum/index.php/topic,57605.0.html

        There is another forum for discussion; it's called Other.

        jkolak



          Re: Block Virus Country in Firewall?
          « Reply #7 on: January 20, 2010, 12:20:34 PM »
          Right, but all the schools have a requirement that your open cases have to be certified clean before you can apply.