Automatic mode in ESS
MasterTB
November 3rd, 2007, 07:52 AM
Hi, I just downloaded the brand new ESS final after beta testing all the previous releases, but to my surprise, when running in automatic mode I was able to obtain a HighID with eMule, which means ESS is allowing incoming connections in this mode. Is that possible, or is there a bug there??
MasterTB
November 4th, 2007, 08:19 PM
131 views and no one can tell me if there is something wrong??
bluesprite
November 4th, 2007, 08:51 PM
Check the port that you use for emule here: http://www.grc.com/x/ne.dll?rh1dkyd2
If it's open with emule running, then yes, there positively is something wrong. :)
ace11
November 5th, 2007, 02:37 AM
Don't you understand that 90% of participants here care and complain about GUI glitches? When it comes to "real" questions (like the one you asked), none care :lurking:
Marcos
November 5th, 2007, 03:40 AM
A quote from the help file:
Automatic mode
The Personal firewall will automatically evaluate all network communications. This will allow all standard outgoing connections and block all non-initiated incoming connections. This mode is suitable for most users.
apm
November 5th, 2007, 04:40 AM
{QUOTE-> A quote from the help file:
Automatic mode
The Personal firewall will automatically evaluate all network communications. This will allow all standard outgoing connections and block all non-initiated incoming connections. This mode is suitable for most users. <-QUOTE}
Actually, how does Automatic mode work?
Is it like Windows Firewall, which will allow all outgoing connections and prompt for opening ports? Or will ports even be opened automatically for applications? What does "non-initiated incoming connections" mean? In Automatic mode I see no options to add manual rules for applications.
galloot
November 5th, 2007, 06:22 AM
Yeah - I want to know if the firewall can be configured to stop programs 'phoning home'?
bluesprite
November 5th, 2007, 06:30 AM
{QUOTE-> A quote from the help file:
Automatic mode
The Personal firewall will automatically evaluate all network communications. This will allow all standard outgoing connections and block all non-initiated incoming connections. This mode is suitable for most users. <-QUOTE}
That is the problem, exactly. It doesn't do what the help file says. With the automatic mode enabled, the port which uTorrent uses is open for incoming connections when the client is running. At the same time, another p2p client, Shareaza, can't accept incoming connections with the firewall in automatic mode. Does ESS enforce a whitelist of some sort in automatic mode?
@galloot - it can, in interactive mode.
Marcos
November 5th, 2007, 06:55 AM
In automatic mode, all incoming communication is blocked. If an application connects to a remote computer, the incoming communication from that computer will be allowed. Given that the firewall acts differently, I assume the p2p clients work differently as well. Otherwise the firewall wouldn't block the incoming communication and allow it for the other client in automatic mode.
MasterTB
November 5th, 2007, 06:57 AM
{QUOTE-> A quote from the help file:
Automatic mode
The Personal firewall will automatically evaluate all network communications. This will allow all standard outgoing connections and block all non-initiated incoming connections. This mode is suitable for most users. <-QUOTE}
How is this mode suitable for most users ... in Automatic mode this thing is actually worse than the Windows XP firewall .... Before granting in/out access to an app, does ESS perform some kind of check to determine which application to grant access to (trusted - untrusted, I mean), or does it just grant access to whatever asks for it? ....
BTW, in automatic mode there is no rules editor. Does this mean that the rules created for certain apps in Automode are temporary rules that are only enforced while the app is running and then are deleted??
bluesprite
November 5th, 2007, 07:48 AM
{QUOTE-> In automatic mode, all incoming communication is blocked. If an application connects to a remote computer, the incoming communication from that computer will be allowed. Given that the firewall acts differently, I assume the p2p clients work differently as well. Otherwise the firewall wouldn't block the incoming communication and allow it for the other client in automatic mode. <-QUOTE}
That's what I'm saying - a port checker shows that the port is open in automatic mode. This is not a connection requested by the client, it's an unsolicited port probe: http://www.utorrent.com/testport.php?port=12345 (replace the numbers with the actual port.). The firewall must not act differently depending on the application in automatic mode. What's the guarantee that it won't decide to act differently if a trojan slips through the antivirus and wants to listen to a port?
@MasterTB - there are no prompts in automatic mode, are there? You can't create rules for apps in Automode. The rules are - allow outgoing, block unsolicited incoming, regardless of the application or the port. At least the help file says so.
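The rule stated in the help-file quote and in Marcos's reply above (allow outgoing, allow incoming only when the local machine initiated the exchange) can be modelled and compared with what a port checker observes. The following Python is an added example, not part of the thread and not ESET's code; the class and function names, the documentation IP addresses and the two matching granularities ("flow" and "host", two possible readings of "from that computer") are assumptions, and the thread does not say which one ESS uses.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str    # "out" = sent by the local machine, "in" = received
    local_port: int
    remote_ip: str
    remote_port: int

class AutoModeModel:
    """Hypothetical model: allow all outgoing, allow incoming only if initiated locally.

    granularity="flow": incoming must match (local port, remote ip, remote port).
    granularity="host": incoming is accepted from any remote ip already contacted.
    """
    def __init__(self, granularity="flow"):
        if granularity not in ("flow", "host"):
            raise ValueError(granularity)
        self.granularity = granularity
        self.seen = set()

    def _key(self, p):
        if self.granularity == "host":
            return p.remote_ip
        return (p.local_port, p.remote_ip, p.remote_port)

    def decide(self, p):
        if p.direction == "out":
            self.seen.add(self._key(p))   # remember what the machine initiated
            return "allow"
        return "allow" if self._key(p) in self.seen else "block"

def replay(packets, granularity):
    """Verdicts the model gives for a packet sequence."""
    model = AutoModeModel(granularity)
    return [model.decide(p) for p in packets]

# Constructed sample traffic (documentation addresses); 12345 is the listening port.
SAMPLE = [
    Packet("out", 50001, "198.51.100.10", 80),     # browser opens the port-checker page
    Packet("in",  50001, "198.51.100.10", 80),     # reply on the same flow
    Packet("in",  12345, "198.51.100.10", 40000),  # probe from the host just contacted
    Packet("in",  12345, "203.0.113.5",   40001),  # probe from a host never contacted
]

def unexpected_opens(observed, packets=SAMPLE, granularity="flow"):
    """Packets the firewall was seen to allow although the model blocks them."""
    expected = replay(packets, granularity)
    return [p for p, exp, obs in zip(packets, expected, observed)
            if exp == "block" and obs == "allow"]
```

Under the per-flow reading both probes to port 12345 are blocked; under the per-host reading the probe from the site the browser has just contacted is allowed, so it matters which host sent the probe when interpreting a port-check result.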
MasterTB
November 5th, 2007, 08:17 AM
{QUOTE-> What's the guarantee that it won't decide to act differently if a trojan slips through the antivirus and wants to listen to a port?
@MasterTB - there are no prompts in automatic mode, are there? You can't create rules for apps in Automode. The rules are - allow outgoing, block unsolicited incoming, regardless of the application or the port. At least the help file says so. <-QUOTE}
You are right, there is no guarantee. There are no prompts at all. And unless Marcos tells us that ESS checks the application to see if it is Trusted or Untrusted, Automatic mode is not an option in terms of security and IMHO should not exist at all.
When I read Automatic mode I assume that the firewall will not allow incoming connections. I mean, you can relatively allow outgoing, but incoming should never be allowed without the user's consent, or at least a warning that it is being allowed so that the user can decide whether to allow it or not, and that option is not there yet.
zfactor
November 6th, 2007, 03:11 AM
Fully agreed. This is what I thought about it when I tested it; I could not use automatic mode at all. It did me no good and allowed many incoming connections. I had to run in manual mode at all times.
Marcos
November 6th, 2007, 03:15 AM
So what is your suggestion for automatic mode? How should it ideally work for you?
zfactor
November 6th, 2007, 03:39 AM
I would myself like to see maybe what Outpost does or used to do (not sure if they still do): it set up a list of known apps on the system it was installed on and then simply added them to the list. After this, that list could be adjusted to suit my needs, while still applying rules if I wanted to. But maybe this is just me. But def still allow rules to be applied while in auto mode for the items that need them. Or maybe offer a few different types of "settings" with different rule sets to pick from, like a p2p setting or "stealth" etc... For the people that don't want to mess with rules I think this would be very helpful to get them started. Again, maybe this will end up just my opinion though. But this way I am not bombarded with pop-ups upon starting the firewall, and on the other hand at least it still shows me what's going on, unlike the auto mode in ESS.
MasterTB
November 6th, 2007, 09:34 AM
{QUOTE-> So what is your suggestion for automatic mode? How should it ideally work for you? <-QUOTE}
Well, if it was up to me, automatic mode would allow all outgoing connections since there should be no risk there. As for incoming connections, I would allow them only for certified (Trusted) applications and deny all others unless told otherwise by the user.
It would also be nice if all the rules created by the firewall under Automatic Mode were recorded so that if the user would change to Interactive or Policy Based, the firewall would already be configured.
Bottom line I would never allow incoming traffic unsolicited or otherwise unless allowed by the user or by Trusted software certified by ESS.
capatt
November 6th, 2007, 10:12 AM
MasterTB, you are incorrect by saying automatic mode should allow all outgoing connections since there should be no risk there. What if a bot landed on your computer, was undetected (unlikely) by NOD32, and phoned home to the botmaster? And sent tons of spam? Or a Trojan employs your computer for a DDoS attack? Or captures banking info and sends it home? One could go on.....
One should have complete visibility of what establishes outbound connections and be able to have it screened by a whitelist, or logged for your inspection and rule creation.
Can anyone say if automatic mode has this capability? Does it exist in manual mode?
crummock
November 6th, 2007, 10:16 AM
{QUOTE-> MasterTB, you are incorrect by saying automatic mode should allow all outgoing connections since there should be no risk there. What if a bot landed on your computer, was undetected (unlikely) by NOD32, and phoned home to the botmaster? And sent tons of spam? Or a Trojan employs your computer for a DDoS attack? Or captures banking info and sends it home? One could go on.....
One should have complete visibility of what establishes outbound connections and be able to have it screened by a whitelist, or logged for your inspection and rule creation.
Can anyone say if automatic mode has this capability? Does it exist in manual mode? <-QUOTE}
Surely what you are asking for is already in interactive mode, where all inbound and outbound activity has to be allowed by the user?
larryb52
November 6th, 2007, 10:33 AM
{QUOTE-> MasterTB, you are incorrect by saying automatic mode should allow all outgoing connections since there should be no risk there. What if a bot landed on your computer, was undetected (unlikely) by NOD32, and phoned home to the botmaster? And sent tons of spam? Or a Trojan employs your computer for a DDoS attack? Or captures banking info and sends it home? One could go on.....
One should have complete visibility of what establishes outbound connections and be able to have it screened by a whitelist, or logged for your inspection and rule creation.
Can anyone say if automatic mode has this capability? Does it exist in manual mode? <-QUOTE}
I don't see where it does. I was hoping the firewall would have a soft rule set like Look n stop; I don't want something calling out from my computer without me knowing. Trojans come to mind & phone home ie-apps like ZA...auto is well too auto. Should have a soft set of ok's for apps & added to rules. At least where you would be able to chg or reconfigure...
bluesprite
November 6th, 2007, 01:07 PM
Guys, at least install the program and see what it does before you discuss what would have been nice. It's already there in interactive mode. We're discussing the automatic mode here and application control is not among its functions.
On Marcos' question - it's good the way the help file says it is - the problem is that it doesn't do that. On the other hand, that would be no different than the Windows firewall, which makes it useless. It could be done so that it allows all outgoing and asks for the incoming, thus creating rules for the incoming connections only. But to me, the outgoing control is crucial, so I'd always go for the interactive mode anyway.
Pfipps
November 6th, 2007, 10:07 PM
I do not run auto mode because it seems to be the same as Windows firewall. However, there are IDS options and Application modification options. If these apply during Auto mode, then it is certainly better than Windows firewall. However, Interactive mode is still more secure, since you have an idea of what's connecting.
NOD32 user
November 7th, 2007, 12:28 AM
{QUOTE-> So what is your suggestion for automatic mode? How should it ideally work for you? <-QUOTE}
IMHO Automatic mode should work just as you have already described.
For those that wish to have an approval process before allowing communication, they should make use of interactive mode as that is what it is for.
Cheers :)
MasterTB
November 7th, 2007, 04:37 AM
{QUOTE-> MasterTB, you are incorrect by saying automatic mode should allow all outgoing connections since there should be no risk there. What if a bot landed on your computer, was undetected (unlikely) by NOD32, and phoned home to the botmaster? And sent tons of spam? Or a Trojan employs your computer for a DDoS attack? Or captures banking info and sends it home? One could go on.....
One should have complete visibility of what establishes outbound connections and be able to have it screened by a whitelist, or logged for your inspection and rule creation.
Can anyone say if automatic mode has this capability? Does it exist in manual mode? <-QUOTE}
Well, first of all, if a bot landed on your PC and phoned home, since I request that rules created should be recorded, the user would have an option to override the rule. In any case, even in today's automatic mode, you have the option to disable a connection even from the connections window, so there should be no harm there.
Second, as I said, you DO have complete visibility over established connections even today, so I don't see the problem there.
@larryb52 ZA's auto records the rules created, and that is the difference with ESS, because with ZA you can edit them at will, and that is what I suggested for ESS automatic mode, which would be a great improvement and would make automatic mode more trustworthy.
Ade 1
November 7th, 2007, 04:45 AM
I've been using Automatic mode since Beta 2, but now with the final build I have decided to switch to Interactive Mode, which is no hardship as I don't have that many apps which require access. So once I've allowed and created rules for them there's no problem. I actually feel more secure now using Interactive mode, as at least when anything attempts to phone out or in I get to know about it first so I can choose to allow or deny.
Perhaps what the firewall needs is an autolearn mode like other firewalls have. What I mean is if it is initially set to automatic when you first install, then for about a week any rules which are created automatically will be saved. Then after switching back to interactive mode you will only be alerted about any new connections. I guess this is what other posters are saying.
MasterTB
November 7th, 2007, 08:28 AM
{QUOTE->
Perhaps what the firewall needs is an autolearn mode like other firewalls have. What I mean is if it is initially set to automatic when you first install, then for about a week any rules which are created automatically will be saved. Then after switching back to interactive mode you will only be alerted about any new connections. I guess this is what other posters are saying. <-QUOTE}
That is more or less what I meant. Thanks for putting it so easy;)
bluesprite
November 7th, 2007, 10:59 AM
Rules cannot be created automatically unless there's a whitelist.