Sunbelt-Kerio issues / Need new desktop firewall advice

OK, I've had it with the Sunbelt-Kerio firewall! It has been a fine firewall,
but the latest versions have been quite disappointing.

The firewall configuration window has always frozen when using P2P programs.
Now the latest version shows more control on application-behavior blocking,
but for some reason it terminates the communication with my Outlook when
checking for email after a while. Even more, every new upgrade fails to
import the previous version's rules I exported just before updating. To make
things worse, now Firefox does not even register on the Network Security
Module window (yeah, but it allows the traffic anyway... oh please!). I do
not know if this last issue has to do with the Avast Web scanner module (part
of Avast Antivirus).

I think the product lost its magic after it was sold (so typical!).
Anyways... I've had it with Sunbelt-Kerio!

I'm using Windows XP SP2, and I always have my computer in Stealth mode. So
I repel unsolicited traffic and I have only allowed 6 applications that can
legitimately access the Internet: my Web-browser, antivirus, email client,
IM, P2P, RSS reader, and Newsgroup reader. I have even blocked the nasty
"svchost.exe" (who does who knows what). I just enable it for few minutes
once a month to do windows updates.

Does anyone know a desktop firewall with a well-designed engine? I have heard
about Outpost, WinRoute, and ZoneAlarm. About this last one I'm not sure,
because of the little I have read. Any objective opinion/advice will be
appreciated! Thanks!



Re: Sunbelt-Kerio issues / Need new desktop firewall advice

[quoted text omitted]

Svchost.exe does nothing on its own. It hosts other programs; that's its job,
and programs use svchost.exe on their behalf. Svchost.exe is the messenger
and only provides the means. Should you kill the messenger, or should you
find out what's using the messenger and kill that?

A personal packet filter or personal FW repels unsolicited inbound traffic by
design. It never needed the so-called *stealth* to do it. However, if you
want the computer to be stealthed, then put the computer behind a NAT
router, and the computer will be *stealthed* then, because unsolicited
inbound traffic will be blocked by the router. The traffic will never reach
the computer where the O/S and personal FW would have to react to it.

[quoted text omitted]

They all have trialware, I would suspect. Try them all and pick the one that
best fits your needs.

You might want to look at a cheap NAT router and use a PFW solution behind
the router that doesn't have a lot of snake-oil in them that will stop
applications from working.

http://www.homenethelp.com/web/explain/about-NAT.asp



Re: Sunbelt-Kerio issues / Need new desktop firewall advice
"Mr. Arnold" wrote:

[quoted text omitted]

Thanks! My earlier findings showed that "svchost.exe" was being used only by
the OS (Windows XP SP2). If anyone knows which parts of the OS or services
are using this program, I'd appreciate it, so I can disable them (hopefully
MS allowed that to be done). I tried to filter by ports, but this exe uses
hundreds (if not thousands) of ports.

I have identified some uses of svchost.exe, like trying to synchronize time
on my PC, do Windows Updates, etc. But some others I just cannot explain,
nor did I have the time. I just feel that Microsoft is just "calling home"
constantly, because I cannot understand why this exe is so persistent in
connecting to the Internet through such a wide range of ports (even on fresh
installs of Windows XP).

That's why I have been using software firewalls. Maybe, one day, after I
understand how to properly overwrite all these default-open connections on
my computer, I'll stop using them and just use a NAT router. But until then
I still have to fill so many holes in my understanding of these things.

[quoted text omitted]

I do not trust any application that connects to the Internet without first
knowing the motive. I believe these motives should be part of a very
limited list. Even software that you pay big $$$ bucks for, from Microsoft,
Sony, Adobe, Altera,... they all first connect to the Internet on startup
and/or constantly keep connecting. I will never understand/accept these bad
practices, but the "industry" is just adopting this as the "good behaviour."
The fact that an application starts and opens a channel to connect to another
network without your knowledge is just so wrong. Especially when this
network is untrusted like the Internet.

[quoted text omitted]

I tried the latest versions of Kerio, Outpost, and Comodo. Below is my
experience, in case it may be of help to anyone.

I tried Sunbelt Kerio Personal Firewall 4.5.916. I really liked the previous
version, but the new version just didn't work as well as before, as I
explained previously.

Then I installed Agnitum Outpost Firewall Pro 4.0.1025.7828 (700).
Installation was a breeze. I liked the interface and usage, but it was
lacking the application / network-monitoring console with columns for
permissions and to allow block/unblock. Of course you can do this, but it
just wasn't in a console; it didn't have this to-the-point feature I really
like. Outpost seemed pretty refined and has many options, but its UI needed
to be more time-efficient for users to do the basic allow-this-on-this.
There seemed to be some issues with my P2P and Avast program, but I did not
bother to investigate more on this.

Then I tried Comodo; the installer was less than half the size of Outpost's.
I did not like the installation though: too long, many steps, but it works
great once installed. No issues so far. It does have that application /
network-monitoring console that I like. The console does not freeze when
using P2P (unlike Sunbelt-Kerio).

[quoted text omitted]

Not sure what "snake-oil" means. Hopefully, these "techniques" have not
become a standard for software firewalls out there.



Re: Sunbelt-Kerio issues / Need new desktop firewall advice

[quoted text omitted]

Svchost.exe can be used by any program, including malware, on its behalf.
Again, svchost.exe does nothing on its own. Svchost hosts other programs, and
those programs are the ones that are opening ports, NOT Svchost.

[quoted text omitted]

You can use Process Explorer, go to the View menu/Show Lower Pane/Show all
Dll(s), and click on any given Svchost.exe and look at all the programs the
Svchost is hosting; the tool is explained in the link.

http://preview.tinyurl.com/klw1
http://www.microsoft.com/technet/sysinternals/default.mspx

I hate to say it, but someone who knows the O/S and knows what is happening
would not stop Svchost.exe from doing its thing. And if Svchost.exe is
providing the means for a dubious remote IP connection by a program (it's
the program that is making the connection, malware or not), then he or she
goes and finds that program.

He or she doesn't shoot the messenger. Svchost.exe is just the messenger;
don't shoot the messenger, find out what's using the messenger and shoot
that, if need be.

[quoted text omitted]

A personal FW or personal packet filter is not a firewall. What is a FW?
What does a FW do? That FW can be a FW router, FW appliance or a host based
network FW (we're not talking about a personal FW) running on a gateway
computer. A personal FW is not a FW. It's only a packet filter running at
the machine level.

http://www.vicomsoft.com/knowledge/reference/firewalls1.html

[quoted text omitted]

Sorry, I am not trying to be a smart ass here. But I don't know what you're
talking about. You're concerned about everything else under the Sun. In the
meantime, a serious piece of malware has compromised the machine, and you
missed that, because you're blinded by looking at all the pop-up messages
and clicking with a response.

[quoted text omitted]

<snipped>

The snake-oil is anything in the solution that's preventing the connection
from happening, and you don't know about it nor can you fix it, other than,
try to find a lesser solution that has less snake-oil.

And the "techniques" you're talking about are unfortunately the standard on
the MS platform with PFW(s) having an abundance of snake-oil in them trying
to protect you from you, and they cannot do it.

The solutions have lost their way in the job they were intended to do,
which is filter inbound and outbound traffic/packets to/from the machine at
the machine level and not all this other junk/snake-oil in them trying to
protect you from you.
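The Process Explorer advice above answers "which services live inside this svchost.exe?" interactively. The same question can be answered from the command line by joining the text output of two stock Windows XP tools, `tasklist /svc` (which services each PID hosts) and `netstat -ano` (which PID owns each socket). The Python below is an added example written for this thread, not code from any poster or product; the two command outputs embedded in it are constructed samples, and the service-to-PID assignments in them are illustrative rather than taken from a real machine.

```python
"""Which Windows services sit behind a given svchost.exe and its ports?

Added example for this thread (not code from any poster or product). It joins
the text output of two stock Windows XP commands:

    tasklist /svc   -> which services each process (PID) hosts
    netstat -ano    -> which PID owns each listening/connected socket

Both samples below are constructed for the example; on a real machine, paste
the two commands' output into the same functions.
"""
import re

# Constructed sample of `tasklist /svc` output (not captured from a real host).
# Long service lists wrap onto indented continuation lines, as the real tool does.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    960 RpcSs
svchost.exe                   1048 AudioSrv, Browser, CryptSvc, Dhcp, EventSystem,
                                   lanmanserver, Netman, W32Time, wuauserv
svchost.exe                   1204 Dnscache
firefox.exe                   2316 N/A
"""

# Constructed sample of `netstat -ano` output.
NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       960
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1054      203.0.113.5:80         ESTABLISHED     2316
  UDP    0.0.0.0:68             *:*                                    1048
  UDP    0.0.0.0:123            *:*                                    1048
  UDP    192.168.1.10:1027      *:*                                    1204
"""

_PROC_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")
_SOCK_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return {pid: {"image": name, "services": [...]}} from `tasklist /svc` output."""
    procs, last_pid, in_table = {}, None, False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=")  # skip the header; data starts after the rule
            continue
        if not line.strip():
            continue
        if line[0].isspace() and last_pid is not None:
            # Wrapped continuation of the previous process's service list.
            procs[last_pid]["services"].extend(_split_services(line))
            continue
        m = _PROC_RE.match(line)
        if not m:
            continue
        image, pid, services = m.group(1), int(m.group(2)), m.group(3)
        procs[pid] = {"image": image,
                      "services": [] if services == "N/A" else _split_services(services)}
        last_pid = pid
    return procs


def parse_netstat_ano(text):
    """Return a list of sockets {proto, local, foreign, state, pid} from `netstat -ano`."""
    sockets = []
    for line in text.splitlines():
        m = _SOCK_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            sockets.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state or "", "pid": int(pid)})
    return sockets


def who_owns(proto, port, tasklist_text=TASKLIST_SVC, netstat_text=NETSTAT_ANO):
    """Return (image, hosted_services) for the process bound to proto/port, else None.

    For svchost.exe this narrows the owner to the group of services sharing that
    process; Process Explorer (as suggested in the thread) or `netstat -b` can
    then pin down the individual service.
    """
    procs = parse_tasklist_svc(tasklist_text)
    for sock in parse_netstat_ano(netstat_text):
        if sock["proto"] == proto and sock["local"].rsplit(":", 1)[1] == str(port):
            proc = procs.get(sock["pid"], {"image": "<unknown pid>", "services": []})
            return proc["image"], proc["services"]
    return None


if __name__ == "__main__":
    for proto, port in [("TCP", 135), ("UDP", 123), ("UDP", 68), ("TCP", 445)]:
        print(proto, port, "->", who_owns(proto, port))
```

With the constructed sample, UDP 123 resolves to the svchost.exe group that includes W32Time (the time synchronisation the original poster noticed) and UDP 68 to the same group's Dhcp service, while TCP 135 resolves to the svchost.exe hosting only RpcSs. Blocking svchost.exe wholesale would cut every service in each of those groups at once, which is the point the reply above makes about shooting the messenger.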
 


Re: Sunbelt-Kerio issues / Need new desktop firewall advice
"Mr. Arnold" wrote:
[quoted text omitted]

Thanks, I'll find out using the Sysinternals Process Explorer you suggested,
but I can assure you that I have no spyware or malware :) I'm convinced it is
the OS and/or services; now I have the means to prove it. Great!

[quoted text omitted]

Hmm.. Seems I'm lost in the concept, I have to review that.

[quoted text omitted]

This may have nothing to do with security or intrusion detection by itself,
but I also care about privacy. There is no need, and I will always be
suspicious of any program that connects to the Internet without telling me
first. Because there is no need. They're supposed to run locally, that's it!
Taking into account what I have learned so far, the fact that it connects to
the Internet implies that it opens a port on my system that can be attacked
(can I say that?). Then I see it as a security matter.

Most of the freeware and shareware connect to the Internet to check for
updates, log the number of runs, collect and transmit users' system
information, etc. Some actually allow the users to change this behavior
during the setup or under menu\options. I try to avoid these applications.

But the truth is that most of those applications don't even make the users
aware of these events. Even worse, applications such as the ones I mentioned
above (Sony, Altera, Pinnacle and many others) do in fact abuse the
Internet. These legit, paid and costly applications violate the privacy of
individuals and connect. Without applications such as Kerio or Comodo I
wouldn't even know this was happening. No hijacking or popups. I have tested
this using a virtual machine on virgin copies of Windows. Nothing to do with
malware (unless I consider Windows to be one of them :)

"You have zero privacy anyway" -Scott McNealy (chairman, Sun Microsystems)



Re: Sunbelt-Kerio issues / Need new desktop firewall advice

<snipped>
[quoted text omitted]

Maybe, and maybe not, you have spyware. The only way to know for sure is
to start looking for yourself with other tools, because malware can, and
does, circumvent every last bit of software to detect it.

[quoted text omitted]

You do know that malware can circumvent all of it, set its own rules, punch
through the PFW, and you wouldn't even know it.

[quoted text omitted]

Yes, a program runs locally on the machine. The program is locally running on
the computer. But that doesn't mean that the program will not have a valid
reason to access the Internet.

[quoted text omitted]

No, you can't say that. There are two types of inbound traffic that a FW,
even a PFW/packet filter, deals with when opening ports to traffic.

1) Solicited inbound traffic -- is inbound traffic that has been solicited
due to a machine running a program that has sent outbound traffic to a WAN
(Wide Area Network)/Internet IP or to a LAN (Local Area Network) IP -- a
machine connected to the router using a local IP -- from behind a FW.

That FW can be a router or FW appliance, host based software solution
running on a gateway computer or PFW/packet filter, even if the PFW/packet
filter is being used and is in a WAN or LAN or using both situation. The FW
will open the inbound ports to let the traffic back to the machine and to
the program that is listening on the port.

2) Unsolicited inbound traffic -- is any inbound traffic that has not been
solicited, like up above, and is going to be blocked by the FW; the port is
not open.

There is a third condition that is there too where unsolicited inbound
traffic must reach a program that is listening that has not sent outbound
traffic.

That would be a case where a Web server behind a FW must allow your browser
to make contact with the Web Server. It's called port forwarding, whereby a
port is opened on the FW to let unsolicited inbound traffic past the FW.

http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp

[quoted text omitted]

I think that should be the least of your concerns.

[quoted text omitted]

In the meantime, the software has gone out and made contact with the site,
because it beat the PFW to the connection during the boot and login process
well before the PFW could get there and protect the connection, because the
O/S is not waiting on a non integrated solution like a 3rd party PFW before
the connection is made active.

[quoted text omitted]

So why worry about something that is trivial like that. It's much ado
about nothing.

What you should be concerned about is someone hacking the machine with
software that has compromised the machine and using the information against
you to do serious damage, like identity theft. And it circumvented and
defeated all the snake-oil solutions and snake-oil solutions in software
running on the machine that you and they never saw it coming, because you're
leaning on the snake-oil like a crutch. Sorry, I hate to be blunt but
sometimes it's needed.

Here is another link about FW solutions, and a PFW is not a FW solution.
It's only a machine level packet filter protecting the machine at the
machine level, which is doing way too much in trying to protect you from
*you* that it cannot do that well.

http://www.more.net/technical/netserv/tcpip/firewalls/
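The three inbound cases Mr. Arnold lists above (solicited traffic answering a flow the host opened, unsolicited traffic that finds no open port, and the port-forwarding exception for a server that must accept strangers) are the core of a stateful packet filter. The Python below is an added toy model written for this thread, not code from the thread or from any firewall product; the hosts, ports and addresses in it are constructed.

```python
"""Toy stateful packet filter for the three inbound cases Mr. Arnold lists.

Added example, not code from the thread or from any firewall product. It models
a host-level packet filter that:
  1. lets inbound traffic through when it answers a flow the host opened,
  2. drops unsolicited inbound traffic (the port is simply not open),
  3. admits unsolicited traffic only where an explicit port-forward rule says so.
Packets and addresses below are constructed for the example. Real filters also
expire idle flows and track TCP state; both are left out here for clarity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (leaving the host) or "in" (arriving at the host)
    proto: str       # "TCP" or "UDP"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

    def flow_key(self):
        # The 5-tuple that a reply must match to count as "solicited".
        return (self.proto, self.local_ip, self.local_port, self.remote_ip, self.remote_port)


class StatefulFilter:
    def __init__(self, forwards=()):
        self.flows = set()              # flows the host itself opened
        self.forwards = set(forwards)   # (proto, local_port) pairs exposed on purpose

    def handle(self, pkt):
        if pkt.direction == "out":
            # Case 1, first half: remember the outbound flow so its reply can return.
            self.flows.add(pkt.flow_key())
            return "allow (outbound)"
        if pkt.flow_key() in self.flows:
            # Case 1: inbound traffic that answers something we sent.
            return "allow (solicited)"
        if (pkt.proto, pkt.local_port) in self.forwards:
            # Case 3: a server behind the filter that must accept strangers.
            return "allow (port-forwarded)"
        # Case 2: nobody asked for this; there is no open port to reach.
        return "drop (unsolicited)"


def run_sample():
    """Feed a constructed packet sequence through the filter; return the decisions."""
    fw = StatefulFilter(forwards={("TCP", 80)})   # only a web server is exposed
    events = [
        Packet("out", "UDP", "192.168.1.10", 1030, "192.168.1.1", 53),    # DNS query out
        Packet("in",  "UDP", "192.168.1.10", 1030, "192.168.1.1", 53),    # its reply back
        Packet("in",  "UDP", "192.168.1.10", 1030, "198.51.100.9", 53),   # "reply" from a host we never asked
        Packet("in",  "TCP", "192.168.1.10", 135, "203.0.113.77", 4444),  # unsolicited probe of the RPC port
        Packet("in",  "TCP", "192.168.1.10", 80, "203.0.113.20", 51000),  # visitor to the forwarded web port
    ]
    return [fw.handle(p) for p in events]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

Note that the model never needs a "stealth" setting: whether a dropped packet is answered with a reset or with silence is a separate choice, and in both cases the probe reaches no listener. The third packet also shows why the full 5-tuple matters; a datagram aimed at the right local port but from a host the machine never contacted is still unsolicited.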






Re: Sunbelt-Kerio issues / Need new desktop firewall advice
"Mr. Arnold" wrote:

[quoted text omitted]

Thanks Mr. Arnold! It is going to take a while to read and exercise all the
valuable information. Thanks for your assistance. I think I'm on the right
track now. The links will also help a lot. This is dark but cool stuff.
Hopefully I'll eventually learn to protect myself correctly, and maybe (one
day) I can build firewall equipment.  :)


