kerio 2.1.5 (last freeware version), strange behaviour, related to port logger and svchost.exe

I'm trying Kerio out; it seems to have a bad port logger, not picking up SMTP or POP. I wonder if Sygate would've seen it. (Ethereal sees it.) Why should Kerio miss that out? How is it deciding what to miss out?

Sometimes when browsing, pages weren't loading up, and a little red arrow flashed on the icon.

I disabled kerio and immediately the page loaded up.

I opened the port logger and then went to Logs > Firewall Log to see what it was blocking. (Unlike Sygate, it doesn't include blocked connections in the screen of the port logger; it's elsewhere.)

I saw it had blocked "SSDP" in particular. svchost.exe was listening on my machine at 192.168.14.4:1900, and it was blocking incoming connections from my "NAT router" 192.168.1.1:20xy to my machine.

I thought PFWs didn't block svchost.exe. Anyhow, even after adding a rule to allow my router to connect (from any port) to me at port 1900, I was still getting red arrows, inaccessible pages and a list of SSDP blocked. I haven't noticed a problem loading up pages, though. I then noticed that amongst all the ALLOWED rules, including allowed outgoing for svchost.exe, there was a deny for incoming to my port 1900 for svchost.exe.

Is it using a strict policy, a whitelist, or a blacklist? It looks like a whitelist, with many svchost.exe rules allowed. But I've just seen an explicit rule to *deny* SSDP incoming, from any IP and any port, onto my machine's port 1900. If it's a whitelist, why should it be necessary to say that? And isn't it a silly thing to deny anyway? It should be permitted in the whitelist! I have amended it to permit it from my router, any port, to my computer's port 1900.

If only Sygate were fixed. It kicks Kerio to Pluto. Is there any way to nullify whatever security problem Sygate has with the open windows?!

Actually, on trying to post this, Kerio gave two flashes of a red arrow pointing upwards, like giving me the finger, and it fails to post, listing nothing under blocked. Disabling Kerio lets me send this post!! I guess that problem is unique, but the rest probably are typical.

Reply to
q_q_anonymous
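The behaviour described in the post above (an explicit deny for incoming port 1900 sitting among allow rules, and a freshly added allow rule that changed nothing) is what you get from an ordered, first-match rule set rather than a pure whitelist. The following is an added example, not code from the original post or from Kerio; it assumes first-match semantics with a default action for unmatched traffic (the usual PFW model), and the rules, packets and the router source port 2012 (standing in for the elided "20xy") are constructed for the illustration. It also assumes, as one plausible reading of the post, that the new allow rule landed below the existing deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", from the host's point of view
    proto: str            # "udp" or "tcp"
    remote_ip: str
    remote_port: int
    local_port: int
    app: str              # process owning the local socket


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    direction: Optional[str] = None    # None means any
    proto: Optional[str] = None
    remote_net: Optional[str] = None   # CIDR; None means any address
    remote_port: Optional[int] = None
    local_port: Optional[int] = None
    app: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # Every field that is set on the rule must equal the packet's field.
        checks = [(self.direction, p.direction), (self.proto, p.proto),
                  (self.remote_port, p.remote_port), (self.local_port, p.local_port),
                  (self.app, p.app)]
        if any(want is not None and want != got for want, got in checks):
            return False
        if self.remote_net is not None:
            net = ipaddress.ip_network(self.remote_net, strict=False)
            if ipaddress.ip_address(p.remote_ip) not in net:
                return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; the default action applies if nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return default, "<default>"


# Constructed rules modelled on the ones the post mentions.
DENY_SSDP = Rule("deny SSDP in", "deny", direction="in", proto="udp",
                 local_port=1900, app="svchost.exe")
ALLOW_SVCHOST_OUT = Rule("allow svchost.exe out", "allow", direction="out", app="svchost.exe")
ALLOW_SVCHOST_ANY = Rule("allow svchost.exe any", "allow", app="svchost.exe")
ALLOW_ROUTER_1900 = Rule("allow router -> 1900", "allow", direction="in", proto="udp",
                         remote_net="192.168.1.1/32", local_port=1900)

# Constructed packet standing in for the blocked log entry: router to host:1900.
ROUTER_TO_SSDP = Packet("in", "udp", "192.168.1.1", 2012, 1900, "svchost.exe")


def as_posted() -> Tuple[str, str]:
    # The new allow rule sits *below* the deny, so the deny still wins.
    return evaluate([ALLOW_SVCHOST_OUT, DENY_SSDP, ALLOW_ROUTER_1900], ROUTER_TO_SSDP)


def reordered() -> Tuple[str, str]:
    # Moving the narrower allow above the deny (or editing the deny itself) fixes it.
    return evaluate([ALLOW_SVCHOST_OUT, ALLOW_ROUTER_1900, DENY_SSDP], ROUTER_TO_SSDP)


def unrelated_host() -> Tuple[str, str]:
    # Any other LAN host hitting port 1900 is still caught by the deny.
    other = Packet("in", "udp", "192.168.14.7", 2012, 1900, "svchost.exe")
    return evaluate([ALLOW_SVCHOST_OUT, ALLOW_ROUTER_1900, DENY_SSDP], other)


def why_the_deny_exists() -> Tuple[str, str, str]:
    # Pure whitelist (default deny, no broad allow): the explicit deny is redundant ...
    a = evaluate([ALLOW_SVCHOST_OUT], ROUTER_TO_SSDP)
    # ... but it does real work as soon as a broad allow for the process sits below it,
    b = evaluate([DENY_SSDP, ALLOW_SVCHOST_ANY], ROUTER_TO_SSDP)
    # because without it that broad allow would let the SSDP traffic in.
    c = evaluate([ALLOW_SVCHOST_ANY], ROUTER_TO_SSDP)
    return a[0], b[0], c[0]


if __name__ == "__main__":
    for fn in (as_posted, reordered, unrelated_host, why_the_deny_exists):
        print(f"{fn.__name__}: {fn()}")
```

The practical check when a rule you added has no visible effect is therefore not "is this a whitelist or a blacklist" but "which earlier rule matches this packet first"; the firewall log entry that names the matching rule tells you where the new rule has to go.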

How Kerio 2.1.5 works or doesn't work is totally dependent upon your rule set. If something's not working, then your rules are to blame. As a starting point, you might try BZ's rules. You can find them here:

formatting link
Read the thread and download the rule set and then modify them to suit your own personal needs. Kerio 2 is great if you know what you're doing, but if you don't, you can create a complete mess.

Reply to
Kerodo

I use Kerio 2.1.5 on my other Win98 machine but I remember reading somewhere that it has some type of security flaw. Is it still safe to use?

Reply to
Garrot

I used default rules; maybe something went wrong with Kerio's installation (I recall a problem installing). But even with everything else fine, Kerio is odd. Does the port logger pick up your SMTP and POP? Perhaps there are times when you can mix a deny with allows, if the deny rule denies a subset of what an allow rule allowed, or vice versa. But this wasn't the case here. I was just testing a free PFW that might rival Sygate. No contest. Back to the Windows firewall.

I am having NIC problems: each one I install soon suddenly fails. But with Kerio, when I disabled it the internet problems went. (The new NIC installed yesterday failed 10 min later ;-) so the NIC problem is not related to the Kerio problems.) I'll figure out what voodoo is going on against my NICs, but my point is that it's not related to Kerio. I do recall Kerio having a problem installing, though.

I'll install the latest version of Kerio. I hadn't realised it has a fairly functional free version.

formatting link
It says it "replaces Sygate" in the title ... of
formatting link
I skeptically hope it has Sygate's GUI/features without Sygate's security flaws.

Reply to
q_q_anonymous

In Windows 98 you don't need a "Personal Firewall". Just unbind any network services (besides "TCP/IP", of course) from your external interface. For that, right-click on the network interface and remove anything besides "TCP/IP".

Kerio is not the worst of all "Personal Firewalls". But it has its flaws, and you don't need it.

Yours, VB.

Reply to
Volker Birk

Is there any PFW that lets you filter HTTP or SMTP content?

The Windows firewall certainly doesn't let you.

Reply to
q_q_anonymous

Why do you want to do that?

Yours, VB.

Reply to
Volker Birk

To save a clumsy user from themselves.

Also, blocking certain HTTP content is relevant to the argument that blocking certain outgoing traffic can be useful.

I suppose the client application can be configured to do the equivalent. But no doubt FW appliances can do it; Leythos mentioned it as useful.

What if the client app doesn't have the capability to let only the administrator set that? Then a FW appliance would be useful. Also, it'd be useful merely as an extra precaution beyond setting the apps, so it'd deal with a user putting his own browser or email client on there. Users could transfer files between themselves through the network without administrative assistance. But files in email attachments are often suspect.

Reply to
q_q_anonymous

Could you please outline a scenario and make clear what you are seeing as a problem?

Yours, VB.

Reply to
Volker Birk

User downloads web content; it has some malicious ActiveX, or maybe JavaScript, or maybe Java.

User receives email with a malicious attachment, opens and runs the attachment. (Maybe a Windows XP limited / non-root account isn't enough protection.)

Reply to
q_q_anonymous

"Don't use Internet Exploder. You can use a Virus Scanner in a sensible way, filtering incoming traffic."

Yours, VB.

Reply to
Volker Birk

In a case of "end user" and administrator: the end user could use Mozilla with an ActiveX extension. It could still run Java. As Mozilla gains popularity it could be cracked. An end user could run whatever browser they wanted off offline file storage (CD, USB key) on a limited account, and could probably even put it on the drive itself.

And regarding email, would you be happy with end users opening any old EXEs just because a scanner OKs them? I've often heard of virus scanners not getting the latest viruses, and email is where the latest viruses may be circulated.

Of course, "end users and administrator" doesn't apply to my case at home. Currently, for my Windows computer, I like Internet Explorer because a) it's there when you install Windows, b) it's just there, and it's there on any system, c) unlike other browsers, I don't find myself tweaking anything in the GUI; the GUI is fine. And I haven't had any problem with it since 5 years ago when I first got some browser hijacker malware; I didn't know what it was at the time, but I did after removing it. On the rare occasion where I'll be viewing strange links, I'll use Mozilla. Internet Explorer has all the features I need, easily accessible, and it loads with a speed that is very satisfying. On the rare occasion that I'd use another browser, it'd be Opera, or if I need some Mozilla extension, then Mozilla. Or if I want to amuse myself, links or lynx; I guess I'd use them in a *nix CLI.

I use an administrative account, because I may be installing programs several times a day and I'm not going to keep logging off and on. I could do runas admin, but then there are other things I like the administrative account for. If I have an error and I have to view the log, all the options are just there. If I want to set up a server, and thus amend a firewall setting, too. So I'm administrating at any moment.

I use netstat often, and would probably spot a trojan. And if it slowed down the connection, that'd bother me a lot, and I'd notice it and take action. But I should notice it anyway.

I do backups, so i've got my data.

If I get compromised from time to time then good, it keeps me a bit up to date dealing with it!

Of course, if this were in a business then I wouldn't be so relaxed; I wouldn't use Internet Explorer, etc. I am interested in what to do to be more cautious and I'm interested in how things would be set up in an environment of end users and an administrator. So I wouldn't want you to think that my using IE here means I'm not taking in any advice!

Reply to
q_q_anonymous

Just noting here that I did recall that early version of Kerio giving an error on installing. Similarly the latest version gives an error, "KFE initialization failed driver not found". I've uninstalled it. Maybe I'll try in another few months; then some solutions to that may be better documented. I'm not experimenting with it now.

Reply to
q_q_anonymous

Using ActiveX is the problem.

Yes, of course. But what do you want to tell me?

Sorry. Using IE in the Internet means a high risk of infection. If you want to get advice, first please think about this fact.

Yours, VB.

Reply to
Volker Birk

What you are looking for is what is sometimes called an application level firewall. Or, more simply, a proxy with content filtering. For HTTP, there is a tool called Squid. Squid has "plug-ins" that will allow it to do some filtering. Typically you would run Squid on a dedicated box (so not a PFW). Something like Smoothwall is a firewall system (for a dedicated box) with Squid integrated in it.

For SMTP, I'm not sure what you are after. You'd only need an SMTP proxy if you are running an SMTP server. Many places that had to run an Exchange server would set up a small postfix or exim SMTP server facing the Internet to protect the Exchange server from direct attacks.

But I don't think this is what you mean, and it certainly isn't a PFW.

-j

Reply to
Jeffrey Goldberg
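As an added illustration of the kind of HTTP filtering the reply above refers to (this is not configuration from the post, from Squid's defaults or from Smoothwall), here is a squid.conf fragment that refuses executable downloads. It uses only standard Squid ACL types (urlpath_regex, rep_mime_type) and access lists (http_access, http_reply_access); the 192.168.0.0/16 client range is an assumption for the example.

```conf
# Clients allowed to use the proxy (assumed LAN range for this example).
acl localnet src 192.168.0.0/16

# 1. Refuse requests whose URL path ends in a Windows executable extension.
#    Cheap, but only catches what the URL admits to.
acl exe_url urlpath_regex -i \.(exe|com|scr|pif|bat|cmd|vbs|hta)$
http_access deny exe_url

# 2. Refuse responses the server itself labels as an executable, whatever the URL.
#    Checked on the reply, so it needs http_reply_access rather than http_access.
acl exe_mime rep_mime_type -i ^application/x-msdownload ^application/x-msdos-program
http_reply_access deny exe_mime

# Normal policy after the filters.
http_access allow localnet
http_access deny all
```

Both ACLs trust attacker-controlled strings (the URL and the server's Content-Type header), so a file served as application/octet-stream from a path without an extension passes. Catching that needs a scanner that looks at the response body, which in Squid is done through an external content adaptation hook rather than ACLs, and is the reason the reply above talks about "plug-ins" and dedicated boxes rather than a PFW.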

If you run your own SMTP server, you can tack on something like MIMEDefang, which will dispose of (quarantine, reject, or delete) things with dangerous file extensions. If you don't run your own SMTP server, then it's trickier.

I suppose that if you access your email by POP or IMAP, a virus checker and filetype scanner could be put into a POP or IMAP proxy. I don't know if there is a product out there to do it. But it sounds like a good idea. Anybody want to throw cash at me to start up a .com to produce such a thing?

-j

Reply to
Jeffrey Goldberg

That is exactly what I mean, thank you. I didn't think there would be a PFW that'd do it since it is fairly advanced for a PFW.

Perhaps a Watchguard FW appliance would do it too. I'm glad to know/see what software would, that is very interesting and useful.

Reply to
q_q_anonymous

Of course, you asked for a problem scenario.

I'm telling you that your idea of a virus checker won't solve that problem scenario.

But it's OK. JG said a PFW won't do app-layer filtering. But he mentioned a filter for HTTP and for SMTP.

It all depends what site you go to. Sensible browsing has kept me safe for years. And I'm not afraid of getting malware and removing it. I'll probably be reinstalling Windows once every few years anyway. And the first and almost the last malware I had was 5 years ago. I even learnt a little whilst removing it; the next time I got malware was more as a test. I removed it in 2 minutes thanks to what I had learnt. And those skills helped me fix a friend's computer in a few minutes over the telephone when he had malware. Also, if you look at any family that uses Internet Explorer, the computer goes down because of a site that a teenager went to. The middle-aged parent browses safely and so doesn't cause problems. So sensible browsing is safe, even with IE. And of course I back up my data. As mentioned, if I was in a business environment, I'd not use IE: a) to be extra safe, b) to set a good example and not a bad one.

Reply to
q_q_anonymous

So a suggestion is easy here: don't use ActiveX in the Internet.

Ah, you mean you want to filter out executables altogether. This is not as easy as it looks, though. Maybe you have to filter out any attachment completely, and even this is not enough: one can encode (e.g. with uuencode) anything into a plain-looking e-mail; tunneling again.

So IMHO a virus scanner can be sensible, while filtering out all executables cannot work and therefore is not a goal one should try to achieve.

Why is this my opinion?

While I don't like goals which cannot be achieved, I like goals which can be achieved, even if the goals are not perfectly what I'm really trying to reach.

"Filtering out any executable" is an impossible goal. I don't like it. "Using a virus scanner to detect already known viruses in already known encodings" is a goal which can be achieved.

You may call this sophisticated, but I think this is really important. If you're lying to yourself, then maybe one day you'll detect that you're insecure, because you're living in a lie.

No. Not at all.

"Being secure" does not mean "I'm not secure, but I'm only driving very smoothly and avoiding public roads". The latter means the opposite of the first.

;-)

No. (see above)

Yours, VB.

Reply to
Volker Birk
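The two replies on email filtering (Jeffrey Goldberg's MIMEDefang post, which disposes of attachments by dangerous file extension, and Volker Birk's objection above that anything can be uuencoded into a plain-looking mail) can be put side by side in code. What follows is an added example, not code from either poster, from MIMEDefang or from any product: a small filter over a MIME message that checks attachment extensions, then sniffs the leading bytes of every attachment so a renamed executable is still caught, and then scans text bodies for uuencoded blocks and sniffs their decoded content too. The message, addresses, the "executable" (a bare DOS header stub, not a real program) and the extension list are all constructed for the example.

```python
import binascii
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Extensions an attachment filter would typically quarantine (assumed list).
DANGEROUS_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Content sniffing by leading bytes, so a renamed executable is still caught.
EXEC_MAGIC = {b"MZ": "DOS/PE executable", b"\x7fELF": "ELF executable"}
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)$")

# Constructed stand-in for an executable: a DOS header stub, not a runnable program.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"


def looks_executable(data: bytes) -> Optional[str]:
    for magic, label in EXEC_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def find_uuencoded(text: str) -> List[Tuple[str, bytes]]:
    """Return (filename, first decoded chunk) for each uuencoded block in a text body."""
    found = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = UU_BEGIN.match(line)
        if m and i + 1 < len(lines):
            try:
                head = binascii.a2b_uu(lines[i + 1].encode("ascii"))
            except (binascii.Error, UnicodeEncodeError):
                head = b""
            found.append((m.group(1), head))
    return found


def scan_message(raw: bytes) -> List[str]:
    """Walk every MIME leaf and report what an executable-attachment filter should stop."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        name = part.get_filename()
        if name:
            ext = os.path.splitext(name)[1].lower()
            if ext in DANGEROUS_EXT:
                findings.append(f"{name}: dangerous extension {ext}")
            kind = looks_executable(data)
            if kind:   # catches a double extension or a renamed binary alike
                findings.append(f"{name}: content is a {kind}")
        if part.get_content_maintype() == "text":
            text = data.decode(part.get_content_charset() or "ascii", errors="replace")
            for uuname, head in find_uuencoded(text):
                findings.append(f"uuencoded {uuname} in text body: "
                                f"{looks_executable(head) or 'unknown content'}")
    return findings


def uuencode(name: str, data: bytes) -> str:
    lines = [f"begin 644 {name}"]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines)


def build_sample(malicious: bool = True) -> bytes:
    """Constructed test message; addresses and contents are made up for the example."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "invoice"
    body = "Please see attached.\n"
    if malicious:
        body += "\n" + uuencode("patch.exe", PE_STUB) + "\n"   # binary hidden in plain text
    msg.set_content(body)
    if malicious:
        msg.add_attachment(PE_STUB, maintype="application", subtype="octet-stream",
                           filename="invoice.pdf.exe")          # double extension
        msg.add_attachment(PE_STUB, maintype="text", subtype="plain",
                           filename="notes.txt")                # executable renamed .txt
    msg.add_attachment(b"%PDF-1.4\n%harmless\n", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The extension check alone lets notes.txt through; the magic-byte check catches it and the uuencoded copy in the body, but only because the example knows to look for "begin" lines. Split the block across two mails, base64 it inside a zip, or wrap it in an encoding the filter has never seen, and it passes again, which is the point Volker Birk makes above: a filter like this reduces what gets through, it does not guarantee that no executable does.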

Using Internet Explorer and only browsing safe sites is more akin to saying "I am secure, because I don't drive into minefields".

See, unlike public roads, which one shouldn't avoid since they are useful, I'm not interested in driving into minefields, and minefields don't make up the majority of the useful internet either!

Just as you don't open attachments you're unsure about.

But if I did for some reason want to drive into a minefield, then Internet Explorer is simply the wrong tool for the job; I wouldn't use it. I'd use Opera as my preference there. Ideally I'd use a VMware virtual machine/sandbox.

And the term minefield I'm using to make the argument is an exaggeration; you can bring a computer back from the worst malware attack, as good as before it or better.

It's true! Not necessarily because Windows or its software is buggy, but even because the HDD gets clogged up.

It's like you only running executable attachments you're sure about. It may be called "sensible email attachment opening" and it doesn't mean that's like avoiding public roads!

Reply to
q_q_anonymous
