Application Control

Hi Guys 'n' Girls,
Great Software by the way Jason,keep up the good work!!

On regards to the firewall,i am very tempted to ditch ZA and replace with jason's,but i'm a bit worried about app control.

Just how important is app cotrol

I ask coz with the trojans/viruses/rootkits we have these days,i know a lot of them can quite easily bypass most firewalls,and it just seems as though,in order to protect ourselves from trojans etc. we are forced to control legit appz too much,which in turn causes more trouble/work than good.

Anyway,just thought i'd get peoples opinion before i jump in.

 

Nothing Againt Ghostwall but why Don't you give Look'n'Stop a try? I Dumped ZA and Steady as she goes with LNS!! And one more thing NO yearly Fee!!

You also can trial it for a month!!

HTH

Cheers,

 

Hi Tony,

Some people, like myself, prefer other security applications to do "application control" rather than the firewall. The main reason for this is it's a waste of resources to dedicate one application to such a single task, when security applications allow you to do it globally.

So application control to someone like me isn't important in a firewall. Some people however, cannot live without application control in their firewall and they have valid reasons also for wanting it. If Look n Stop works on your system, it is the firewall I recommend for application control since it impacts the system the least of those type firewalls.

 

Jason,

You've done a great job with this, and I see a bright future for this firewall... so don't sleep on it.

I'd like to see this firewall progress into a basic firewall that most people can use.

What I mean is, well, I installed ghostwall and I quickly had to get rid of it. I can't live with the fact that every application on my PC has complete access to the internet. There needs to be some sort of application control/filtering. Even if it is very basic (allow/deny/prompt) that is still better than giving total access to every application.

I hope you take this advice, i'd really like to use this firewall in the future.

 

Same here. I tried it and since I am running a router with NAT, the new firewall without some sort of outbound control (maybe just a simple allow/disallow) is of not much value. I am currently running Outpost. Can't complain about the cost, but if it had a few more features such as application control and was very lite on resources would consider it. Just my 2 cents.

 

Another suggestion I have is the ability to password protect the program, or even have some sort of hot key that hides/shows the systemtray icon. I don't need my idiot friends/family screwing with my firewall settings

Also, when you press the "X" button to close the firewall there needs to be some confirmation that asks the user if they are sure they want to shut it down. I pressed "X" a couple of times because of habit and thought it would minimize to the tray... about an hour later I realized it wasn't even loaded

 

Hi Jason,

What do you use for app control? do you mean 'ProcessGuard'? I use PG (amongst other appz),is that enough?

 

now i'm getting confused here.

you can use processguard to control the execution of an app. but once you allow it to execute, processguard will not stop it from accessing the internet. right? so what does that have to do with anything?

and even further, ghostwall itself will not stop that app from accessing the internet either...

If you allow say HTTP connections and FTP connection with ghostwall, you are allowing those connection for every single application. So this means that if you get infected with some keylogger, this keylogger can send your password through ftp/http or any other connection you allow because there is no application filtering.

maybe i am just confused but if so, somebody please clear this up for me.

 

Well the thing is, you don't want to have trojans,viruses,worms, etc running on your system in the first place. So in my opinion its more valuable having applications which protect you from nasties in general rather than "is it accessing the network" type firewall protection. However I think some limited application control might be beneficial to GhostWall, even if it was only to the extent of "this application can have network access", etc.

The problem I see with most existing firewall vendors is that after quickly building the actual "firewall" they start spreading their wings into other areas because there is no where else to go with their product, all whilst affecting the speed of the network and system.

Are you really interested in the AV, AT, FIREWALL, etc all wasting resources only protecting small areas, with large amounts of overlap? It seems there are some people out there who think their computers main job is to run security software. When really, security software should do its job and not be noticed, allowing people to use their computers for productive things.

 

You're right about people not wanting trojan/viruses on their PCs in the first place, that's why we have AV, AT etc.. but that still doesn't mean something can't slip through your security right?

I was just using the keylogger as an example. But there are tons of software that I use that make internet connections for no reason. Wether it be phoning home, checking for updates, or doing some other things that I don't want it to do. For example, my disk defragger thinks its cool to send info back to the company about how my defragmenting is going along... I dont want this application to access the internet. All I want it to do is defragment my hard drive. Again, this is just an example, there are tons of programs which I am sure you know what I am talking about when I say I don't want them accessing the net.

Anyways, I have downgraded my security in the past month from all sorts of security apps to just the bare minimum. AV, FW and common sense. I don't need all the other crap.

The reason I like GhostWall is because it seems like it uses amazingly low resources and it does exactly what I need it to do. If you do decide to add in a basic application filtering then I will have to say I am sorry I purchased a 2 year license for outpost .

 

I am with all you guys on the app control feature. I think every firewall needs some sort of effective app control in order to be useful. I the app control feature couldbe added the firewall would be so much better and I could ditch ZA but until then I don't trust Ghostwall without app controls. The rule stuff is just a bunch of headaches and it took me forever to get the basics down to even get the firewall to work. It would also make the firewall a bigger success so please add these features that me and the rest of the members have suggested. Thanks

 

There are some applications that you may want to run that are perfectly legitimate but you may not want it to have network access, so I think a simple ask/allow filter would suffice, I do agree though that malicious applications should not be able to start to begin with (thats what programs like ProcessGuard and AntiHook are for.) but it'd still be nice to have, sometimes things do slip through no matter how good your security system is, and sometimes you may plain out just want to block an application from internet access (like internet explorer for example.)

 

Friends, I understand that the first reaction to rulebased firewalls is that it seems confusing and that one can be afraid of not being protected after you have created the rules... And you should be! Because if you by mistake create a rule where you allow every protocoll, or allow all traffic to all ports, inbound or outbound e t c, then you sitting in a "castle of air" (false security is the worst type I´m afraid...) But If you give it a try to learn and cope with SPI firewalls, I can almost guarantee that in most cases it is more secure than application based firewalls. As Jason himself said, that nowdays most of the firewalls have functions that is "redundant" since most of you already have software that are watching for malware. It only overlapps (=>conflicts) and wasting resources from your system. I personally have not tested GhostWall yet, but I have been using Visnetic firewall that also is a rulebased, SPI firewall, and its working perfectly with total controll over what type of traffic is passing threw which port etc. If you want some sort of manual how these type of firewalls works, you can download the pdf manual to Visnetic firewall from deerfield.com, different software but same working principals...

 

This is certainly not true, as most of commercial application based firewalls include also stateful packet inspection. The question here is just that: do you want to treat net access and application control using separate, specialized programs, or rather prefere "all in one" approach. As for redundancy with other security apps, watching for malware execution and behavour is one thing, watching it's outbound connection while it's already there, is another. There's no redundancy if it's just a basic application filter combined with rule based firewall.

 

What do you think is going on when you allow an application access in most warm-and-fuzzy super-easy-to-use GUI firewalls? The implicit rule is usually allow outbound TCP/UDP from any port to any port to any address. And with so-called 'server' access the same is allowed inbound, but perhaps with the condition that outbound traffic must have occured within a set time frame previously. Now, can you honestly say that the risk of producing a particularly 'bad' rule is that high, compared to non-explicit-rule-based firewalls?

 

I agree with the others here that GhostWall should have basic app control - ie. Allow Once/Allow Always/Deny Once/Deny Always. It would be handy if it could also stop apps from starting other apps which connect to the Internet (much like LnS can do).

 

I like the above with the ability to also detect any change in the executable since the last time the allow/deny policy was set (for that particular exec...).

 

That is a nice refeshing statement. Can I ask what a good minimal lite setup would possibly be Jason if one believed in what you say.

ie. ghostwall and reg defence . With maybe an online scan etc. I ask this in all seriousness for the average safe surfer . who doesnt stray to many unfamiliar sites etc . a safe surfer .

 

You can use software restriction policy to block/restrict apps in XP Pro instead of using third party app control program.
You can also use group policy to control apps. There is a setting in group policy which allow you to specify allowed apps or restricted apps. But when specifying allowed apps dont forget to specify group policy (gpedit.msc).

 

I tried Ghostwall,and liked it a lot,very light,easy to make rules,nice touch showing the country origin in the log (helps noticing easier persisting IPs) but another vote in favour of an application control,even if a simple one.This would become the worthy heir of Kerio 2

 

"Default Re: Ghostwall: final word - App. control in future releases or no ?
Quote:
Originally Posted by Jason_R0
need is app control what allows to go in and out. Which surprisingly enough there is Zero product on the market like that at the moment."

Just wanted to mention that there does exist such a product at the moment: System Safety Monitor 2.0.0 beta 1 it is located at http://syssafety.com/product.html

I have just installed it, so I can't really say how effective it really is overall. It does appear to really lock things down though. The only problem I see with it right off the bat is that it uses alot more RAM than I would like. It runs 2 processes; 1) SysSafe.exe which was using 6188K of ram (now increased to 8788K of ram after 20 minutes only =/, and also SSMService.exe using about 1240K RAM. The program is free. If there was something like this that used half the ram or less and didn't increase ram use over time, it would be a win.

 

This is starting to sound like the app control in syagte..which is exactly what im looking for now that sygate is gone...i hope this gets implemented into this firewall...

 

Hey Jason,

Are you considering incorporating some sort of APP control into GhostWall?

I know the newly released AppDefend, handles that department. But what about the people who don't want to use AppDefend?

I love ghostwall, but I feel naked when using it becuase of this small issue.

Do you have anything planned at the moment?

 

My opinion, which of course no one asked for, is this: GhostWall is freeware, and is designed to be an efficient, basic firewall. AppDefend isn't free, but it has a nice, simple, effective means of allowing/disallowing applications from accessing the network (though it does seem to lack "component control").

So maybe it makes me a selfish twat, but I hope Jason doesn't add app control to GhostWall. I'd much rather see him devote the time to enhancing his for-pay software, even if it means adding a new for-pay "ComponentDefend" portion to GSS.

I could explain further, but I'm sure no one wants my dissertation on the matter.

 

Actually I agree with you.. the firewall itself is more than adequate, the app control is going to take more constant fine-tuning, so better belongs in the paid app that pays the bills, which means is going to have more dedicated attention. Only so many things one programmer can do at a time, so he'll have to prioritize.. I would rather see that priority go towards the app control as needed. I don't think the deal between the two is unfair at all