f-secure internet security 2004 beta


illukka
October 22nd, 2003, 07:24 AM
available at https://europe.f-secure.com/exclude/is2004/index.shtml

usual warnings about beta software:

do not do this if you're not experienced with beta testing software, it can seriously f**k up your computer.... do it at your own risk..

illukka
October 23rd, 2003, 12:52 AM
ok now i have it installed. looks like it's the firewall that has been modified the most in this edition, the av is like it has always been.

illukka
October 23rd, 2003, 01:40 AM
looks like f-secure now features the much asked but not really so useful e-mail scanning, both out/incoming..

illukka
October 23rd, 2003, 01:42 AM
e-mail scanning can be configured with this screen

illukka
October 23rd, 2003, 01:46 AM
another new feature is the ability to schedule scans directly from the gui

the gui looks a bit like mcafee.. doesn't it?

illukka
October 23rd, 2003, 01:50 AM
the firewall looks like this:

you can access this screen by clicking the advanced button in the main gui

illukka
October 23rd, 2003, 01:55 AM
rules can be added with a wizard

tahoma
October 23rd, 2003, 03:12 AM
thanks for the info

i recently tried f-sis 2003 and ran into some problems with the firewall. would be nice to know if the following features have been changed or added
-ability to see what's connected to where
-application rules (in 2003 there you could only choose allow/block and not create rules based on templates)
-i found no way of creating a custom rule that allows mirc ident
-component control/dll injection??
-activex filtering/blocking

thanks in advance

illukka
October 23rd, 2003, 04:43 AM
the irc problem should be solved at least, i'll check the rest when i have more time (lunch break now..)

illukka
October 23rd, 2003, 04:46 AM
one more screen

from the help files:

Verify
Application only: Only verify that the application is the one for which you allowed the outbound connection initially. If it is, allow the connection. Otherwise, perform the selected action.

i assume that this verification performs some kind of checksumming to see if the application has changed...

could not find anything related to dll injection though.. i'll contact f-secure

_anvil
October 23rd, 2003, 05:23 AM
@illukka

It is said, that FSIS 2004 doesn't use the F-Prot engine anymore, but instead a new (?) engine called "Libra"... :o
(you can see this by taking a look at the report after a scan.)

Do you know or can find out something about this (especially the new engine)?

illukka
October 23rd, 2003, 07:06 AM
thanks _anvil, i just noticed.. i must check this if i can find any info on it

backweb
October 23rd, 2003, 08:18 AM
Does FSIS 2004 still use backweb for their updates? I remember using it once and when i went to delete the trial version i had a hard time trying to get that backweb off of my computer.

I know that it should be safe--them using it for their updates---but companies like backweb made their money from secretly installing their spy software on people's computers----but that's another story

illukka
October 23rd, 2003, 09:12 AM
these are the components used in f-secure is 2004. new build of f-secure backweb is used. it can be disabled from the gui

VikingStorm
October 23rd, 2003, 04:51 PM
How's the performance? Any faster than previous versions?

illukka
October 24th, 2003, 12:40 AM
for me the past versions have been fast enough( with optimal settings of course) but it has a slight effect on performance... i'm not too keen on the firewall, think i'll uninstall it after the beta test and go back to zapro...

Bob
October 24th, 2003, 06:45 AM
illukka,
Can you uninstall the firewall or only disable it?
I have the 2003 version and had terrible problems with the firewall, as always after I bought it.
I only wanted to use the virusguard and not install the firewall. F-secure didn't help after many e-mails.
Bob

illukka
October 24th, 2003, 08:43 AM
when i installed it gave me the option to choose which components to install: av only or both.
looks like i'll have to uninstall the complete package if i want the firewall removed and then install av only

edit: just got an answer from mr m.sinkkonen @ f-secure about the libra engine "We do not have yet official documentation available on Libra scanning engine, but basically it is a new scanning engine which will replace F-Prot engine from Internet Security 2004 product. It will not compromise on the detection rate."

VikingStorm
October 25th, 2003, 07:49 AM
-{ Quote: "illukka:
when i installed it gave me the option to choose which components to install: av only or both.
looks like i'll have to uninstall the complete package if i want the firewall removed and then install av only

edit: just got an answer from mr m.sinkkonen @ f-secure about the libra engine "We do not have yet official documentation available on Libra scanning engine, but basically it is a new scanning engine which will replace F-Prot engine from Internet Security 2004 product. It will not compromise on the detection rate."
" }-

That's good, I have not so fond memories of the included firewall giving me a BSOD on every boot.

illukka
October 27th, 2003, 02:23 AM
hi

now after some days of use i can give some opinions on the av:
seems to use quite a lot of resources, this pc has 900mhz pentium with only 128mb ram.. and it slows...
don't know if it's only the beta, but the e-mail scan can't be disabled.. this is IMO the main culprit for the slowdowns.. seems to update daily 24/7 automatically.. THIS is a very important feature unlike e-mail scan..

i don't think that the firewall is something special.. it has the main features needed, that's it. been stealth in all tests i've run, i intend to test it soon with some leak tests..

so far the av has nailed anything(known nasties) i've tested on it, some even heuristically.. (backdoors) some brand new nasties have escaped..although some with warnings( unable to scan...)

seems that the av part is something f-secure can really be proud of, the e-mail scanning has been much sought after and asked in some magazine reviews, well now it's there.. IMO you can't go wrong if you buy it (the av) if your pc can handle it, on this pc an increase in ram would do marvels..

illukka
October 27th, 2003, 05:12 AM
hi
tested the firewall against some common leaktests, found 'em on this site: http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/test.html
security level was set to high

test: result (pass/fail)
leaktest: passed
tooleaky: failed
firehole: fails when ie is set to allow, passes when set to ask
yalta: passed
pcaudit: failed
awft: 0:10 failed
thermite: failed
copycat: failed
wallbreaker: failed both

check the site, no commercial fw available passed all of these...well tiny was not tested..
of course, before even posting here i sent the info to f-secure, after all this is a beta release, it can still be fixed..
BTW, the software updates itself(including exe's), i received a new software package today at 11.18.

cheers

illukka

controler
October 27th, 2003, 05:49 AM
Hi

I installed it yesterday and so far I have to unload it to get mail in Outlook.
From the screen shot posted here by another poster, you will see all the check boxes are grayed out and not adjustable. In this beta they are not changeable.

illukka
October 27th, 2003, 07:02 AM
outlook works fine with me, no problems

illukka
October 27th, 2003, 08:47 AM
hi

new test, changed the settings a bit after i got e-mail from f-secure
leaktest=passed
tooleaky= passed when ie set to ask
firehole=passed when ie set to ask
pcaudit=passed, but this test crashed fsis2004
yalta=passed
awft=passed 6-4
thermite=passed when ie set to ask
copycat=failed
wallbreaker=passed when ie set to ask

Karl_Menshy
October 27th, 2003, 11:58 AM
Thank you for publishing these interesting results, illukka! :)

One question about the firewall though: if set to ask the v2003 asks for every connection attempt, i.e. multiple times for accessing one web page. Has this been fixed in 2004?

_anvil
October 27th, 2003, 02:36 PM
@illukka

What do you mean with "passed when ie set to ask"? Does it mean, that there is no allow-rule set for IE (or another browser)?

Then, I wouldn't call it 'pass', but 'fail', because...:
All these leaktests rely on the fact, that there actually _is_ an "allow (almost) all"-rule for at least one process, which is normally the browser. They rely on the fact, that no user is paranoid enough to let the firewall ask for every connection of the browser... ;)

That's why these tests are quite pointless, if you have no allow-rule for your browser - it is impossible for these leaktests to bypass the firewall in this case (which makes me wonder, how FSIS could fail Copycat and partly AWFT under these test conditions... ::) )

So, the interesting question is: does the firewall have something like 'dll-authentication', 'application start control' or whatever to block the known leaks, or is it 'only' a simple packet filter without any sandbox components, which is quite easy to bypass?

illukka
October 28th, 2003, 12:41 AM
AFAIK no firewall seems to pass awft if the browser is not set to ask, if it is zapro wins awft 10-0.. on my home machine i have actually my browser prompted every time i start, and when a new component(dll) loads, i'm prompted about it. i use zapro and sygate on my home pc...

i'm going to test the f-secure firewall a little further, the leaktests are just that, tests. next i'll try some real life threats, like optix beast asassin etc, trojans with fw kill or fw bypass capabilities... i suppose that it is killable, at least copycat did crash it.. i have some brand new trojans which im eager to try on it...

and check the site where i d/lled those leaktests.. NO firewall passed all leaktests!!!!! ???

_anvil
October 28th, 2003, 06:26 AM
-{ Quote: "AFAIK no firewall seems to pass awft if the browser is not set to ask" }-

According to gkweb's test results, at least Outpost 2 and Look'n'Stop are able to do so in their "highest settings." This does _not_ mean, that the FW asks for every browser connection! But something like dll-authentication is surely active, cause this is a 'reasonable' (not too annoying) way to block dll-injecting leaktests.

-{ Quote: " if it is zapro wins awft 10-0" }-

Yes, of course. :)
All the 'advanced' leaktests make the browser connect instead of themselves. So, if there is no browser rule, the FW will always prompt and 'defeat' the leaktest... but it isn't considered as a 'practical' procedure for the 'average Joe'. ;)

-{ Quote: "next i'll try some real life threats, like optix beast asassin etc, trojans with fw kill or fw bypass capabilities..." }-

Yep, do it. :)
But since those FWB-trojans usually are based on the leaktest methods, the results will hopefully be the same. ;)

-{ Quote: " i suppose that it is killable, at least copycat did crash it.." }-

Well, and Copycat isn't even intended to kill anything! :o ;D

-{ Quote: "NO firewall passed all leaktests!!!!!" }-

Tiny would probably pass all of them, but with its full sandbox, it is quite another story... ::)

illukka
October 28th, 2003, 09:16 AM
got more mail from f-secure:
at present there is no activeX controls, but this will be there in the future..
the applications are hashed and the checksums are monitored but dll authentication feature as such is not there..
i hope that there will at the least be password protection for the firewall, to protect it against fw-killers..
am i right that sygate and zapro are the only unkillable fw's out there?

zapro actually stops all connections when it's *killed*, tried it last week(not password protected), and the only connection it allowed through was to zone labs help site..

still haven't found anything negative about the av.... it_will_be_a_contender...it has almost all features one would possibly want to have + superior detection abilities

f-secure fw is still a beta so hopefully the release version has all these extra security measures to protect its users..

tiny is a completely different thing, probably not for everyone... at least i had problems with avp updater when i trialed it...
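
An added sketch, not part of the thread and not F-Secure's code, of the difference discussed above between checksumming the application ("Application only" verification) and authenticating the modules loaded into it. The rule structure, function names and byte strings are constructed for illustration.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed byte strings standing in for files on disk (not real binaries).
BROWSER_EXE = b"constructed browser executable, build 1"
BROWSER_DLL = b"constructed library shipped with the browser"
UNKNOWN_DLL = b"constructed module that was not present when the rule was made"
PATCHED_EXE = b"constructed browser executable, modified on disk"

class AllowRule:
    """Hypothetical allow rule, recorded when the user first approved the program."""
    def __init__(self, exe, modules):
        self.exe_hash = digest(exe)
        self.module_hashes = {digest(m) for m in modules}

def decide(rule, exe, loaded_modules, authenticate_modules):
    """Return 'allow' or 'ask' for one outbound connection attempt."""
    # "Application only" verification: compare the executable's checksum.
    if digest(exe) != rule.exe_hash:
        return "ask"
    # Module ("dll") authentication: every loaded module must be known too.
    if authenticate_modules:
        for module in loaded_modules:
            if digest(module) not in rule.module_hashes:
                return "ask"
    return "allow"

def run_cases():
    rule = AllowRule(BROWSER_EXE, [BROWSER_DLL])
    with_unknown = [BROWSER_DLL, UNKNOWN_DLL]
    return {
        "patched exe, exe check only": decide(rule, PATCHED_EXE, [BROWSER_DLL], False),
        "unknown module, exe check only": decide(rule, BROWSER_EXE, with_unknown, False),
        "unknown module, module check": decide(rule, BROWSER_EXE, with_unknown, True),
        "clean browser, module check": decide(rule, BROWSER_EXE, [BROWSER_DLL], True),
    }

if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(f"{case}: {verdict}")
```

The second case is the gap the thread describes: the executable's checksum still matches, so a rule that only verifies the application allows the connection even though an unrecognised module is loaded.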

Chuck57
October 28th, 2003, 11:21 AM
Sygate Pro is a very good firewall. I've switched to LnS but still have my option to return to Sygate.

I've been tempted to try the f secure beta but the beta ends on November 30 and, I assume, after that time antivirus updates end. I'd prefer not to be online without current updates. Wish I'd looked at this thread earlier.

illukka
October 31st, 2003, 02:10 PM
you can't rely on the firewall of this beta protectionwise..
i remember something about 60 days of use license when i installed it.