Do they know if the SMTP server uses any ports outgoing, or does it always use the SMTP port?

Why not have a system that blocks outgoing mail by protocol (and port), and only except it when/if you happen to use that protocol to do any mailings; then you can still accept incoming SMTP or any other mail types.

My favourite firewall ever was Conseal back in the Win98 days, it was excellent!

If something has gotten in already and installed itself, then it’s possible it will be able to hide even from process scans - but if the system is being properly monitored to begin with then the initial attempt by the trojan rootkit etc to install itself will be noticed, because it will need to either just install, or it begins to alter the core kernal settings so it is not monitored once it’s installed.

Another thing that could be useful is to have a system resources display, that shows percentages of resources used per process - then you can compare those in total to the overall respurces used. If it’s significantly higher use for overall than the known processes total, then you have hidden processes running.
Again - if these are in packaged app’s then it’s up to the coders and interface designers to be specific about the basic settings and configurations, if their target customers are folks that aren’t interested in having to read a whole book just to secure their system.

I don’t know that a firewall can’t tell the difference between unwarranted downloads or not? That’s not very difficult to spot. In general, if it’s not from the same url (and its IP) you’re visiting then it shouldn’t allow it (that should include ad’s and links on the page!), also even if it is from that url it should flag it prior to download.

Rogue packets can be spotted that way too, because they won’t cohere with the legit websites packet numbering;
related to that would be more of what I’d meant about how cookies can be a way in - some of them are pretty large, and even ones that aren’t can combine in various ways (depending on what they are written to do) once they are in.

I’m not too up on how an individual machine can be hijacked to mail out spam, without invoking a mailer client of some kind (which means a bg or obvious process has to run). Other than using bandwith from it, in which case the mail isn’t actually coming from the IP or the machine itself, it’s that the machine has become part of a zombie botnet that is sharing its bandwidth with the spammers mail servers.
But with this kracken one it’s saying the networks IPs are being used to mail the spam out - isn’t the point there that it needs to use IPs that are recognised as legit, that’s how its spam gets through the filters.

I use Linux as a client for surfing to the more dangerous areas. Like I said, AtGuard was the best of breed software firewall for me. I have yet to find a software firewall that matches it for functionality OR smallness of memory footprint.

The software firewalls for windows (XP/Vista) have never been my favored options, mainly due to software incompatibility or stupid little network troubles (they simply block the most basic stuff and will send you on a wild goose chase to solve the problem).
Like Bogwitch I employ a dedicated linux firewall, you could argue it’s just another ’software’ firewall but it definitely works better than the likes of ZA.

I have played with software firewalls, I was particularly keen on AtGuard and was sad to see it being sold to Norton. Now, I have no software firewall. Ont he off chance that my Windows machine picks something up, I have a bandwith meter to give me an immediate indication that something bad is happening but I don’t do dangerous things with my Windows box, that’s what Linux is for.