Internal Defense
Many homes and businesses use routers to share a broadband connection. Routers provide a basic firewall as a by-product of the way they handle Internet traffic and do a good job of defending against outside attacks.
But some types of malware--such as worms, Trojan horses, and spyware--work from within. You need a PC-based software firewall to stop them.
Earlier this year, PC World partnered with German security firm AV-Test to test several software firewalls. Here's what we learned.
Who Goes There?
A purely permissions-based firewall, the most popular type, alerts you when any application tries to communicate over the network and enables you to block it. This draws your attention to potential malware before you grant a program permission to access the Internet.
As a convenience, the firewalls in Panda Software's Platinum Internet Security ($90) and in Symantec's Norton Internet Security 2005 ($70) automatically grant permission to many Windows applications to access the Internet. This saves you some alerts, but it can also compromise protection if you don't review which permissions have been granted to make sure the firewall didn't overlook some malware program.
In testing, Sygate's Personal Firewall Pro ($40) and Zone Labs' ZoneAlarm Pro ($40) did not grant carte blanche to other applications. Consequently, they give you great power to monitor your system. Some may say too much power. If you don't have the patience to ponder a security alert before clicking OK, you may put yourself at greater risk.
Consider the Bagle worm, which hides its identity by injecting itself into the Windows Explorer application. When AV-Test infected a system with this worm, the Norton, Sygate, and ZoneAlarm firewalls asked if Windows Explorer could access the Internet. So did the McAfee Internet Security Suite ($80). Attentive users might wonder why the application was spontaneously trying to access the Internet and investigate a little further. Others might simply click the OK button without considering the implications.
Worms, Worms, Worms
Normally, you won't need a firewall to catch a worm or backdoor program; that's the job of an antivirus utility. But new threats usually go undetected until antivirus companies can update their databases to detect the latest viruses. Therefore firewalls are important in fighting worms.
AV-Test challenged the firewalls with common worm attacks. For example, testers installed a program that attempts to mass-mail several hundred copies of itself as an executable attachment. Both the McAfee and ZoneAlarm firewalls stopped the action by using a throttling feature that warns of attempts to send messages to many recipients at once or to send a single message repeatedly. Panda thwarted the worm with a feature that blocks outgoing e-mail containing executable attachments.
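The two outbound e-mail checks described above can be sketched in a few lines of Python. This is an added example, not code from any of the tested products; the class name, thresholds, and extension list are assumptions chosen for illustration, and the events replayed are constructed.

```python
import hashlib
from collections import defaultdict, deque

# Assumed thresholds; the article does not give the products' real limits.
MAX_RECIPIENTS = 20       # recipients allowed on a single message
MAX_REPEATS = 5           # identical messages allowed per window
WINDOW_SECONDS = 60
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat")


class OutboundMailMonitor:
    """Flags outgoing messages that look like mass-mailing worm activity."""

    def __init__(self):
        # sending process -> deque of (timestamp, body digest) in the window
        self.recent = defaultdict(deque)

    def check(self, ts, process, recipients, body, attachments=()):
        """Return the list of alerts raised by one outgoing message."""
        alerts = []
        if len(recipients) > MAX_RECIPIENTS:
            alerts.append("many-recipients")
        # endswith() on the lowered name also catches "photo.jpg.scr".
        if any(a.lower().endswith(EXECUTABLE_EXTS) for a in attachments):
            alerts.append("executable-attachment")

        digest = hashlib.sha256(body).hexdigest()
        window = self.recent[process]
        window.append((ts, digest))
        # Drop events that have aged out of the sliding window.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if sum(1 for _, d in window if d == digest) > MAX_REPEATS:
            alerts.append("repeated-message")
        return alerts


def run_constructed_sample():
    """Replay constructed events: one normal mail, then a worm-like burst."""
    mon = OutboundMailMonitor()
    results = [mon.check(0, "mailclient.exe", ["a@example.com"], b"lunch?")]
    for i in range(8):  # same body and attachment, one message per second
        results.append(mon.check(100 + i, "unknown.exe",
                                 [f"user{i}@example.com"], b"see attached",
                                 ["photo.jpg.scr"]))
    return results


if __name__ == "__main__":
    for alerts in run_constructed_sample():
        print(alerts)
```

Keying the window on the sending process means a quiet mail client is not penalized for a burst coming from another program on the same PC.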
In addition to launching mass spam attacks from your PC, malware may try to expose a PC to outside threats by disabling security software. Panda, Sygate, and ZoneAlarm Pro resisted such attacks. But invading code shut down the McAfee and Norton suites and deleted their program files.
In the end, we liked Sygate's performance and granular configuration options but found the program confusing. ZoneAlarm Pro's usability and performance earned it a PC World Best Buy.
Mary Landesman is an antivirus researcher and consultant, and serves as the antivirus guide for About.com. Andreas Marx of AV-Test directed all firewall and antivirus lab testing.