Which personal firewalls would you like to see tested ?


gkweb
February 16th, 2006, 04:07 PM
Hello,

as I am in the process of updating my "Firewall leak tester"'s tests, I am requesting you which software personal firewall (with application filtering) would you like to see tested in addition to the popular ones ?
I cannot assure you that every requested firewall will be tested, but I'll do my best to test as much as possible.

To the moderators, I hope this post is ok regarding forum rules, I was not sure at first.

Regards,
gkweb.

Alphalutra1
February 16th, 2006, 04:14 PM
I would like to see all of the firewalls tested previously, with perhaps the beta version of KIS? Maybe Prevx1 in expert or pro mode since it does have an outbound control. Filseclab and Netveda.net would be good additions, because you might be able to make those companies get their act in gear :P

Thanks for the time you put into testing, many appreciate your effort.

Alphalutra1

Paul Wilders
February 16th, 2006, 04:49 PM
{QUOTE-> To the moderators, I hope this post is ok regarding forum rules, I was not sure at first. <-QUOTE}

Be our guest, Guillaume ;)

regards,

paul

sukarof
February 16th, 2006, 05:23 PM
I would like to see CoreForce, Netveda and Tiny Firewall in that test.

rdsu
February 16th, 2006, 05:48 PM
NetVeda, Filseclab, and know the info about the free versions of Kerio and ZoneAlarm... ;)

WSFuser
February 16th, 2006, 08:32 PM
mcafee personal firewall
mcafee desktop firewall
black ice pc protection
webroot desktop firewall

nicM
February 16th, 2006, 08:39 PM
Hi gkweb,

That would be great to have different tests - or a comment on their different results - for Free/Full FW versions (ZA and Kerio), and maybe BlackIce and FireBall could be tested too?

Cheers,
nicM

hollywoodpc
February 16th, 2006, 08:59 PM
There are other things to consider than passing a leaktest. Fireball is a big letdown. Do not know if it will pass all the leaktests as I never got that far. It looked good but, nope. Not to be. Just remember. Passing leaktests is only part of the puzzle. It will be great for gk to do this. Certainly helpful. But, do not choose based solely on this.

Mrkvonic
February 17th, 2006, 03:51 AM
Hi,
All firewalls you can come up with.
Mrk

sweater
February 17th, 2006, 04:09 AM
Filseclab Pro....and possibly all the firewalls that you can grab on the net. Please kindly include free firewalls coz I think some of them work fine like the paid ones. :D ;) 8)

Slovak
February 17th, 2006, 05:55 AM
Netveda, Filseclab.

Mem
February 17th, 2006, 08:25 AM
Sunbelt Kerio 4.2.3 free and paid (with advanced, not simple settings)
ZA free and Pro
Outpost 3.5
KIS 6 beta release candidate (most recent version at the time of testing)


Good luck with this. A lot of work but it has been helpful to many so thank you ahead of time.

timcan
February 17th, 2006, 09:22 AM
Please test Comodo personal fw.

khazars
February 17th, 2006, 10:10 AM
Can you test Jetico as now it's out of Beta and you had it as a beta in your last tests!?

se7engreen
February 17th, 2006, 10:42 AM
gkweb-
That's very cool, looking forward to a good read. I have more of a question than a request. Do programs like AppDefend, Safe 'n' Sec, and Prevx1 have a place in your testing since they are not traditional firewalls?

gkweb
February 17th, 2006, 11:18 AM
Se7engreen,

I am testing personal firewalls, which are more and more adding "sandbox like" features to overcome their weaknesses. Because of this new trend(?), I am now taking this into account in my next tests.
A perfect example is for instance Outpost, which is a personal firewall, but which has added a generic memory modification protection to block leaktests such as Copycat.

However, a product which is above all a system sandbox/pure application monitoring, such as the mentioned AppDefend/PrevX/ProcessGuard etc... will not be tested in the scoreboard, even if there is a part of the product dealing with network (as with AppDefend and basic outbound requests).
These kinds of products are evaluated differently and rewarded in the "4 - Rewards" page (that I will also update).

There is a difference between a firewall warning you about a network access, and a product asking you if you wish to allow a global hook using a "mysterious" DLL. The gap is becoming thinner every day, so the rules may change in the future.

I hope it answers your question :)

@All
Filseclab and Netveda will be tested

JRCATES
February 17th, 2006, 12:06 PM
Tiny Firewall
McAfee Personal Firewall Plus
Netveda
Filseclab
Webroot Desktop Firewall

gkweb
February 17th, 2006, 06:07 PM
I am unable to find a trial version of "McAfee Personal Firewall Plus", it seems that you can only buy it.

WSFuser
February 17th, 2006, 06:13 PM
{QUOTE-> I am unable to find a trial version of "McAfee Personal Firewall Plus", it seems that you can only buy it. <-QUOTE}
check here (http://download.mcafee.com/us/eval/evaluate2.asp) for the trial download. and here's the trial for mcafee desktop firewall (http://www.mcafee.com/us/downloads/evals/default.asp)

gkweb
February 17th, 2006, 06:25 PM
Thank you very much ;)
Do you know the difference between both versions ?

WSFuser
February 17th, 2006, 07:03 PM
nope, i never used mcafee personal firewall plus tho i did try desktop firewall once.

metallicakid15
February 17th, 2006, 10:59 PM
antihacker from kaspersky?

rockray
February 17th, 2006, 11:59 PM
Kerio Personal Firewall 4.23

I really like it.;D

Joliet Jake
February 18th, 2006, 05:21 AM
Coreforce and Filseclab. Thanks.

tepe2
February 18th, 2006, 03:37 PM
Za
Outpost
Kerio
Kaspersky
Trend Micro

Free and Full

Thanks for your good work !

Webby
February 18th, 2006, 03:54 PM
Well I think you will have to throw in the very popular Windows XP ;D just to show me what it's doing.... or not doing.

Cheers Webby

SwordOfSecurity
February 18th, 2006, 05:56 PM
{QUOTE-> Sunbelt Kerio 4.2.3 free and paid (with advanced, not simple settings)
ZA free and Pro
Outpost 3.5 <-QUOTE}

i'd really like to see those! good nominations :P also..adding onto the list: Windows Firewall (set on its best settings) so that the public and users of Windows Firewall can get a good sense on just how well protected they are when using it. note: we all know windows firewall is pretty bad, but let's see a few facts that will prove its effectiveness--like test results!! [besides shields up].

aigle
February 19th, 2006, 06:29 AM
{QUOTE-> Hello,

as I am in the process of updating my "Firewall leak tester"'s tests, I am requesting you which software personal firewall (with application filtering) would you like to see tested in addition to the popular ones ?
I cannot assure you that every requested firewall will be tested, but I'll do my best to test as much as possible.

To the moderators, I hope this post is ok regarding forum rules, I was not sure at first.

Regards,
gkweb. <-QUOTE}

When you are going to complete it.

aigle
February 19th, 2006, 06:30 AM
{QUOTE-> Hello,

as I am in the process of updating my "Firewall leak tester"'s tests, I am requesting you which software personal firewall (with application filtering) would you like to see tested in addition to the popular ones ?
I cannot assure you that every requested firewall will be tested, but I'll do my best to test as much as possible.

To the moderators, I hope this post is ok regarding forum rules, I was not sure at first.

Regards,
gkweb. <-QUOTE}

When you are going to complete it. I am interested to see about

Jetico
ZA free
ZA pro
Kerio free
Kerio pro
Norton firewall
Outpost

Mrkvonic
February 19th, 2006, 07:03 AM
Hello,

I'll give my full list:

Zonealarm, Sygate, Kerio 2.1.5, Kerio 4.2.3, Jetico, Netveda, Filseclab, Kerodo, Outpost, LnS, Tiny, Norton, Webroot, Lavasoft, TDI (open source), Ghostwall, CHX-I.

Mrk

aigle
February 19th, 2006, 11:03 AM
{QUOTE-> Hello,

I'll give my full list:

Zonealarm, Sygate, Kerio 2.1.5, Kerio 4.2.3, Jetico, Netveda, Filseclab, Kerodo, Outpost, LnS, Tiny, Norton, Webroot, Lavasoft, TDI (open source), Ghostwall, CHX-I.

Mrk <-QUOTE}

just a small edit, free and pro versions should be tested separately, like ZA free and pro, Kerio free and pro...etc. It will give us an idea of where the place is for free versions of commercial products.

kareldjag
February 19th, 2006, 11:52 AM
Hi,

Salut Guillaume,

As a consumer, I always defend the largest choice.
If Outpost and LnS are among the best firewalls, there are also other interesting and very effective firewalls.

-Injoy firewall, one of the most efficient for filtering incoming packets: http://www.fx.dk/firewall/

-Deerfield: http://www.deerfield.com/products/visnetic-firewall/

-Protoport, a recent firewall by a russian programmer, seems like a little outpost (but is affected by some bugs) http://www.protoport.com/index.firewall

-TermiNet: http://www.infotecs.biz/Soft/terminet.htm

-NetOP: http://www.crossteccorp.com/netopfirewall/index.html
Effective firewall, specially if we consider this demo;D : http://film.netop.com/

-NetFirewall: http://www.ntkernel.com/w&p.php?id=18

-The GreenBow (a good choice for beginners): http://www.thegreenbow.com/fwp.html

-BitGuard: http://www.tryus.dk/bitguard.asp

Regards

WSFuser
February 19th, 2006, 11:58 AM
maybe gkweb can answer this, but would packet filters be worth having in this test? could they actually pass leaktests?

gerardwil
February 19th, 2006, 01:10 PM
Smoothwall
IPCop

gkweb
February 19th, 2006, 06:01 PM
{QUOTE-> maybe gkweb can answer this, but would packet filters be worth having in this test? could they actually pass leaktests? <-QUOTE}

Currently not. Packet filters only firewalls (such as CHX) have no outbound application filtering, and thus cannot be tested.

I am taking a look at this very long list, it should be, I hope, at least 15 firewalls, more if other firewalls I haven't looked at yet fit the test criteria ("firewall" is a term used to define very different products).

Thank you for the answers so far.

JRCATES
February 19th, 2006, 06:59 PM
{QUOTE-> Hello,

as I am in the process of updating my "Firewall leak tester"'s tests, I am requesting you which software personal firewall (with application filtering) would you like to see tested in addition to the popular ones ?

Regards,
gkweb. <-QUOTE}
Judging from some of the responses, I think the above portion that is highlighted is being missed. Checking the site to see which ones ALREADY are being tested would probably be a good idea....

metallicakid15
February 20th, 2006, 04:40 PM
bitdefender?

gkweb
February 20th, 2006, 08:37 PM
There will be very good surprises in the next update... Do not miss it :)
It should take time anyway to complete most of the tests, I have no ETA for now, still too many things to do.

I will bump this thread when the update is out (do not expect it soon anyway).

sweater
February 21st, 2006, 04:27 AM
I hope that you also include some more details on how and why the firewalls passed or failed the test. Maybe it would be better if the detailed "highest" settings that you've used on the firewalls could also be understood even by ordinary surfers. Coz how can we use that firewall to pass the same test like yours if we don't even know how it should be done? ::) ??? I mean, it's okay even if we just copy your settings... or at least we have some kind of "default gkweb" settings on the firewall so that ordinary surfers like me have something to start with to make them right for what it really does to be. ;)

I am glad that someone like you has put in the time to make these things really possible. :D

ned kelly
February 21st, 2006, 11:31 PM
{QUOTE-> I hope that you also include some more details on how and why the firewalls passed or failed the test. Maybe it would be better if the detailed "highest" settings that you've used on the firewalls could also be understood even by ordinary surfers. Coz how can we use that firewall to pass the same test like yours if we don't even know how it should be done? ::) ??? I mean, it's okay even if we just copy your settings... or at least we have some kind of "default gkweb" settings on the firewall so that ordinary surfers like me have something to start with to make them right for what it really does to be. ;)

I am glad that someone like you has put in the time to make these things really possible. :D <-QUOTE}


Sweater makes a valid point, as with a major brand firewall in the last firewall leak tester. The firewall failed a number of tests but by putting a single check in a box, the firewall passed almost all tests. Sure I know it's up to us to read the firewall manual but with some simple instructions it can make all the difference...

Graystoke
February 22nd, 2006, 02:52 AM
Since I'm using the paid version, I also would like to see a test of Sunbelt Kerio 4.2.3.

ugly
February 22nd, 2006, 02:32 PM
LnS
ZA
Outpost
Norton
McAfee
;D
Kaspersky 2006

brjoon1021
February 22nd, 2006, 03:52 PM
Filseclab pro. (it is free despite sounding $$)

Jetico

Netveda

Filseclab

Sunbelt/Kerio 4.2.3 both Pro/$$$ version and the freebie that you are left with after the trial.

Please consider importing the rules set that is commonly referred to as the "BZ rules set" : http://www.dslreports.com/forum/remark,8023708~mode=flat

I imported those and basically left it alone except for adding some apps that I wanted to give specific rights to. I pass pretty much everything at the test site except for pcaudit and another one. I think that the freebie version of Kerio 4.2.3 with this rules set in place is pretty secure... Whatever the firewall didn't alert me to first, Norton shot down or the MSAS antispyware took care of.

sosaiso
February 23rd, 2006, 02:11 PM
How about the firewall on Online Armor?

EASTER.2010
February 23rd, 2006, 02:29 PM
Dunno if this one qualifies or not and is still in early beta actually but it is another all-in-one suite type of program. Maybe on the order of a System Safety Monitor but its claim is it's a firewall plus registry/applications permissions firewall.
CoreForce (beta) (http://force.coresecurity.com/index.php?module=base&page=main)

btw kareldjag, hit 'em hard and heavy pls ;D Everyone here can benefit greatly from these type findings and especially the vendors. We need for them to close up any soft spots.

tansu
February 23rd, 2006, 05:26 PM
I'd like to see iSafer Winsock (http://winsockfirewall.sourceforge.net/), which is an open source firewall.

Velnias
February 24th, 2006, 10:10 AM
How about Blink?
http://www.eeye.com/html/products/blink/index.html

lotuseclat79
February 24th, 2006, 06:46 PM
{QUOTE-> Hello,
as I am in the process of updating my "Firewall leak tester"'s tests, I am requesting you which software personal firewall (with application filtering) would you like to see tested in addition to the popular ones ?
I cannot assure you that every requested firewall will be tested, but I'll do my best to test as much as possible.
To the moderators, I hope this post is ok regarding forum rules, I was not sure at first.
Regards,
gkweb. <-QUOTE}
Hi gkweb,

I happen to run both ZA Free and PC-Cillin Internet Security which although primarily an AV comes with its own personal Firewall that is tightly coupled into network virus and worm detection - i.e. if you disable it, you lose that part of its protection. ZA Free stealths all of the ports and adds the outbound notification - and I'm sure it lacks any other of the advanced capabilities that you have documented on your website. Since I'm a bit unclear on the line between so-called advanced firewall capabilities and a HIPS capability, I also run Prevx1R to help fill any gaps. I could use some advice in this area because I'm not sure where I'm vulnerable.

It would be instructive (at least for me) to see how the two together compare to others.

I don't suppose you'll be able to do any combo testing such as this, but I'll look forward to the test results you get.

I was not able to download Copycat because it was not zipped, and in order to download it I would have to disable my AV that now quarantines it. If it were zipped, I could at least configure the AV to ignore it, and be able to test it on my system and perhaps be able to complete some of the other tests from your website as well. Just a constructive suggestion if you have the time.

-- Tom

zapjb
February 24th, 2006, 07:08 PM
As well as other firewalls mentioned. I'd like to see these freeware firewalls tested.

Comodo Personal Firewall
Sonar
GhostWall
Filseclab Personal Firewall Professional Edition
SensiveGuard
Wyvern Firewall
SoftPerfect Personal Firewall

StevieO
February 25th, 2006, 05:59 PM
The Injoy firewall looks interesting !

http://www.fx.dk/firewall


StevieO

FatalChaos
February 26th, 2006, 02:20 PM
Ges wall
Core force
sensive guard
Jetico

controler
February 27th, 2006, 06:39 PM
kareldjag suggests BitGuard. I second that but if I remember, GK did look it over some time ago and decided it was more a sandbox rather than a firewall.

You would have to do a search here for BitGuard.

controler

JRCATES
February 27th, 2006, 07:07 PM
Supposedly, Kaspersky ISS 6.0 has a vastly improved firewall. I think including it in the testing (if possible) would be beneficial to Kaspersky users.....

benton4
February 27th, 2006, 10:32 PM
I'd be interested in Prisma firewall. Seems pretty good.

gkweb
February 28th, 2006, 01:13 PM
Bitguard is no more available for buying/downloading (see their website).

Tests are mostly done, I will not add more firewalls for the moment.
I'm sorry in advance for not including every firewall people asked for, I have tested more than finally included, most were simply packet filters only, and do not check for application activity.

The update will come in March.

Thank you very much for your feedback :)

Regards,
gkweb.

Hipgnosis
March 10th, 2006, 12:55 PM
CoreForce
Comodo

gkweb
March 10th, 2006, 09:18 PM
Website finally updated :
http://www.firewallleaktester.com/news.htm

Regards,
gkweb.

WSFuser
March 10th, 2006, 09:26 PM
thanx for taking time and doing the tests. jetico did very well maybe i'll try it when the next version comes out. as with the last test both outpost and looknstop did very well, however now they're tied. lastly i find it weird how the two mcafee firewalls performed so differently.

Brandon
March 10th, 2006, 09:47 PM
Thank you gkweb for putting in your time and effort into this new test :)

I'm using Jetico right now and from these tests I am happy that it is the top rated firewall out of those other 14 :)

I'm disappointed in Sunbelt Kerio, thought it would do much better, but oh well ;D

Kerodo
March 10th, 2006, 10:32 PM
Interesting... thanks for the testing gkweb...

flyrfan111
March 10th, 2006, 10:50 PM
Thanks for taking the time to test these products.

Creekside Rogue
March 11th, 2006, 02:31 AM
I'd like to see you test some of the HIPS programs such as Prevx1, Cyberhawk, Anti-hook. I've personally downloaded and tried to run all of the leaktests on a system with only Prevx1 Pro active. Only one program was able to launch without getting blocked (Firehole).

Creekside Rogue

nicM
March 11th, 2006, 12:38 PM
Thanks for these tests, gkweb :) .

But I think the new testing criteria are penalizing a lot Kerio, compared to others. With this methodology, several leaktests, although passed with flying colours by Kerio, give it only 1/2 point each :ouch: (it seems the same goes for PrivateFirewall, but I didn't test this one ever, because I got BSOD on BSOD as soon as it was installed on my computer).

I understand the reason for these new criteria, you prefer to see a connection attempt blocked than a code injection detected; but as you say on your Leaktest scoreboard explanation, it can be seen as a safer blocking method, since it does block the "threat" sooner during execution.

And the fact that this method can require more knowledge can be discussed too, I think : Between a firewall that does alert about DLL injection, and another clearly alerting about a "blocked code injection", I'm not sure the first one is easier to interpret :-\ .

Furthermore, the same could be stated about connection attempts vs code injection : I've never got any false positive by Kerio's HIPS ???

Cheers,
nicM

gkweb
March 11th, 2006, 02:03 PM
Hello,

Between asking the user about a global low level mouse hook, and asking about a network access, I think it's clear that the latter is easier.

Moreover, using such features (API hooking) will ask the user about application having no network code at all, and which consequently will not access the network.

That is the difference between the block (generic hook), and the pass (network access warning)

But don't get me wrong, I am not against HIPS, I advise them. This is just that in the context of a leaktest (being a concept), to claim "passing" the network test, by "cutting" an unrelated network API, is the same as claiming to secure a computer by cutting the wire :)
It works, but it's not the spirit of the test.

Finally, people have of course the right to have their own opinion and point of view, and that's why the leaktests are available for download, for you can check your setup, based on your personal criteria.

And thank you to the people for their support, these tests take a lot of time, and require some hours and coffee (don't ask me my coffee bill :-X)
I will try to update the results more often.

Regards,
gkweb.

aigle
March 11th, 2006, 06:11 PM
{QUOTE-> lastly i find it weird how the two mcafee firewalls performed so differently. <-QUOTE}

Sorry I don't find McAfee firewall in results. Is the name different?

WSFuser
March 11th, 2006, 08:23 PM
gkweb included both the consumer (personal firewall plus) and corporate (desktop firewall) mcafee firewalls.

http://img90.imageshack.us/img90/7056/firewalls8tz.jpg

khazars
March 11th, 2006, 08:25 PM
Thank you for doing the tests gkweb, hopefully you'll do them again next year!

JRCATES
March 11th, 2006, 09:02 PM
Yes, as others have said....thanks as well for conducting these tests as well, gkweb. Your hard work, time and effort to provide these results are very much appreciated. :)

Just one question regarding the outcome and results: Did you properly configure and/or tweak each and every firewall to the manufacturer's "suggested" settings or tightest level of security? Or did you perform them on the individual firewalls primarily as they are presented to the customer "out of the box"?

ekerazha
March 12th, 2006, 09:56 AM
@gkweb

IMHO you have an obsolete conception.

{QUOTE->
Between asking the user about a global low level mouse hook, and asking about a network access, I think it's clear that the latter is easier.
<-QUOTE}
I don't know what could make you think this. We can easily lead this to a specific choice: trust or not trust an application.

{QUOTE->
Moreover, using such features (API hooking) will ask the user about application having no network code at all, and which consequently will not access the network.

That is the difference between the block (generic hook), and the pass (network access warning)
<-QUOTE}
Of course, but that's not the point.
If we want to be precise, a firewall should open/close ports for incoming/outgoing tcp/udp(/igmp) traffic from/to another host. That's all. Only this.

If you admit "application firewalling" capabilities then you cannot separate them from "proactive actions" capabilities: if something injects something into another process, we are already at a network-unrelated level. We are at "system-level", so an "application firewalling" application should also work at "system-level".

{QUOTE->
But don't get me wrong, I am not against HIPS, I advise them. This is just that in the context of a leaktest (being a concept), to claim "passing" the network test, by "cutting" an unrelated network API, is the same as claiming to secure a computer by cutting the wire :)
It works, but it's not the spirit of the test.
<-QUOTE}
The fact is that most (not all) of these leaktests work at "system-level". They don't access the network: they "inject something" making *other applications* access the network. So they are not "network API" tests because they work at another level so, as I've already said, an "application firewalling" application should also work at another level.

Just my 2 cents :) (and excuse me for my bad English :p )

sosaiso
March 12th, 2006, 02:05 PM
Very good test, appreciate the hard work you have put into this. I found this to be very informative. Thanks.

gkweb
March 12th, 2006, 03:02 PM
@ekerazha

Just check out the results for Jetico firewall, or best, try it yourself.
Disable completely its "process attack table", so it won't warn you about any injection/DLL whatsoever, but still warns you about the network access.
As you can see, this "obsolete" point of view seems rather effective :)

Of course you need to check at system level what is happening to link the activities to the network activity.

But at the end, as I often say it, you can disagree and test yourself your setup the way you want, what matters is that you are secured.

Regards,
gkweb.

JRCATES
March 12th, 2006, 03:58 PM
{QUOTE-> @ekerazha

Just check out the results for Jetico firewall, or best, try it yourself.
Disable completely its "process attack table", so it won't warn you about any injection/DLL whatsoever, but still warns you about the network access.
As you can see, this "obsolete" point of view seems rather effective :)

Of course you need to check at system level what is happening to link the activities to the network activity.

But at the end, as I often say it, you can disagree and test yourself your setup the way you want, what matters is that you are secured.

Regards,
gkweb. <-QUOTE}

Where's @JRCATES???

{QUOTE-> Yes, as others have said....thanks as well for conducting these tests as well, gkweb. Your hard work, time and effort to provide these results are very much appreciated. :)

Just one question regarding the outcome and results: Did you properly configure and/or tweak each and every firewall to the manufacturer's "suggested" settings or tightest level of security? Or did you perform them on the individual firewalls primarily as they are presented to the customer "out of the box"? <-QUOTE}

ekerazha
March 12th, 2006, 04:24 PM
{QUOTE-> @ekerazha

Just check out the results for Jetico firewall, or best, try it yourself.
Disable completely its "process attack table", so it won't warn you about any injection/DLL whatsoever, but still warns you about the network access.
As you can see, this "obsolete" point of view seems rather effective :)

Of course you need to check at system level what is happening to link the activities to the network activity.

But at the end, as I often say it, you can disagree and test yourself your setup the way you want, what matters is that you are secured.

Regards,
gkweb. <-QUOTE}
This is not the point.
The point is that you are confusing "firewalls" and "application firewalls" (look at this other reply: http://www.wilderssecurity.com/showpost.php?p=703549&postcount=67 ).

;)

gkweb
March 12th, 2006, 04:28 PM
I am for sure not confusing both, maybe I am not clear instead.

But make yourself your own opinion ;)

Regards,
gkweb.

ekerazha
March 12th, 2006, 04:37 PM
{QUOTE-> I am for sure not confusing both, maybe I am not clear instead.
<-QUOTE}
So you should not make differences between things detected by "proactive modules" and "not proactive" modules ;) That "0.5 points instead of 1.0" is not very logical... but this is only my opinion ;)

gkweb
March 12th, 2006, 05:06 PM
That's not because it's not your opinion that it's not logical.
I cease this endless discussion, and let other people to continue.

Have a nice day.

Regards,
gkweb.

ekerazha
March 12th, 2006, 05:35 PM
{QUOTE-> That's not because it's not your opinion that it's not logical.
I cease this endless discussion, and let other people to continue.

Have a nice day.

Regards,
gkweb. <-QUOTE}
Ohh... but this isn't only my opinion... this is the opinion of most people :)

rdsu
March 12th, 2006, 05:50 PM
gkweb,

do you know if Jetico will remain free?

Thanks

khazars
March 12th, 2006, 06:13 PM
No, but they are discussing a lite version. see here below!


http://www.wilderssecurity.com/showthread.php?t=122810

rdsu
March 12th, 2006, 06:17 PM
Do you know if we can disable the inbound protection on Jetico?

Alphalutra1
March 12th, 2006, 06:31 PM
Supposedly if you rename bc_filter.sys in the system32 folder to change the filename(preferably the extension so it doesn't load), it disables packet filtering. I had weird results with this though and Jetico wasn't doing anything, Steve Gibson's leaktest even got through? It was on a new install too, so I don't exactly trust this disabling method. There may be a better way, and if there is I am game :thumb:

Just a warning, the configuration is a little weird at first but you get used to it. Wonder if anyone else has found a better way at disabling the Inbound filtering for us CHX-I users ???

Alphalutra1

nicM
March 12th, 2006, 06:34 PM
{QUOTE-> Hello,

Between asking the user about a global low level mouse hook, and asking about a network access, I think it's clear that the latter is easier.

<-QUOTE}

Hi gkweb,

I'm not sure this example is pertinent in the case of Kerio, since all code injections blocked by Kerio simply show a popup about the event, without any allow/deny choice ;) ...Then there's no question about the easy nature or not of this user choice : there's simply no choice at all.

That's why I did talk about DLL injection popup vs Kerio's "code injection blocked" popups : other firewalls will prompt the user for a decision (which can be difficult, as you stated), but Kerio only notifies about it. The same goes for connection prompts, which can be sometimes hard to deal with.

One more time, I understand why you've made this choice in your testing criteria, if we take ie Jetico, it can let the process run (I mean the process injecting code in another) but can block its connections... when Kerio can't block it once the process is allowed to run (if we disable HIPS). Thus a better note in the tests. I can stand that ;D

However I think the "hard way", which consists in blocking processes before their connections, is finally safer, or at least the same, for the user, isn't it?

Cheers,
nicM

WSFuser
March 12th, 2006, 09:07 PM
{QUOTE-> Just one question regarding the outcome and results: Did you properly configure and/or tweak each and every firewall to the manufacturer's "suggested" settings or tightest level of security? Or did you perform them on the individual firewalls primarily as they are presented to the customer "out of the box"? <-QUOTE}
i most certainly doubt that gkweb would use default settings but i can't find any specific details on the website.

JRCATES
March 12th, 2006, 09:16 PM
{QUOTE-> i most certainly doubt that gkweb would use default settings but i can't find any specific details on the website. <-QUOTE}
Yeah, I believe he got a little sidetracked from my question, due to his ongoing debate with ekerazha....but I PM'd him, and he replied with the following:

"Yes I have tweaked the firewalls to their highest settings, every feature was enabled, everything maxed out. Global filtering rules removed if any, to be sure to be asked about any network activity.

Out of the box settings, generally and depending of the firewall, are weaker. Out of the box settings are generally purposefully not set to high to not ask too much popups to the user."

Thanks for bringing that up, though, Fuser...because others may have wanted to know the answer to that one as well. ;)