TinyWall Firewall

Discussion in 'other firewalls' started by ultim, Oct 12, 2011.

  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I linked to the thread, because the responses are as important as the article. Sandboxie really isn't necessary for Chrome, only sometimes for what you download and manually execute.

    Like I said, it needs exact path rules of existing files. Those files can be any EXE, doesn't matter if changed or temporarily non-existent. When you update Chrome, it creates new files which are sandboxed instead of overwriting your old installation. That is how Sandboxie works unless you create File Access exceptions. Now that those files are in a different path, TinyWall doesn't have rules for them.
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I have an extra need to run also Chrome SBIEd since I don't have those proxy shields running in Avast and its real time protection is based very much on them, on that feature in AvastSvc.exe. It is running, just not those shields in it. Makes also my connections window more clean for active connections.

    Chrome might be safe against viruses and stopping spreading them cause of its own sandbox. But better safe than sorry :)

    Was there in that too technical thread for me any that it is less protective running Chrome inside Sandboxie than without? Or it is just sort of redundant.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I don't see what Avast shields have to do with browser sandboxing? Avast's protection isn't based on its Web Shield, which actually is mostly redundant if you have the File System Shield, Network Shield, and Script Shield. It might find infected HTML pages (if URL not blocked by Network Shield) that almost always target outdated versions of Internet Explorer, but those need an executable payload that will be monitored by the other shields. Of course the usual downloads are always scanned by File System Shield.

    Note that this will change in Avast 2014 when they combine all shields to only three: File System, Web, and Mail. I'd recommend "Scan Traffic from well-known browser processes only" instead of disabling Web Shield altogether, because I'm not sure how integrated it will be with the less redundant Network and Script Shield.

    As for using Sandboxie on Chrome, it's redundant and potentially provides more attack surface for browsing. When downloading, you could just run it in Sandboxie anyways, or sandbox Windows Explorer if you think there might be exploits on file previews or something (probably more likely winning the lottery unless you don't update Windows). Sandboxie is useful at preventing Chrome or its extensions from making changes to your profile/system and hardening with Restrictions. You could make it point to a RAM Disk for privacy. In the end, although Sandboxie is a great software, the need to run everything virtualized is overblown.
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Yes of course I have other shields except the proxy ones running. Anyways Sandboxie does not slow down my surfing in anyways, so even if redundant and possibly more "attack surface", it stays also for Chrome. Thank you for the reply.
     
  5. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    About Hosts-file.

    You can check it by this path in your resource explorer or what that right click thing from left down start button is called in English (my Win 7 is in Finnish language):

    %SystemRoot%\system32\drivers\etc\hosts

    Last time I checked it was still in July state, that MVPS.org file. We have got to know ultim's absence a few times and laziness in updating it.
    So I disabled 'Enable blocklists' and also unchecked it in Manage first tab in TinyWall.

    After rebooting my computer later I saw TW give a popup asking to make changes running my limited normal user account. And as I guessed it was to that Hosts file, it was returned to my original nothing doing except comments containing Hosts file.

    I like this behavior and I guess this was saved from before enabling TW downloading Hosts file. And I guess TW still keeps guarding that Host file from changes. :)

    So no bugs found this time.

    I guess as a wishlist wish since I sometimes check the traffic speed clicking repeatedly TW icon that the gui controller 'Quit' option was behind an OK confirmation.
    Also the speed monitoring doesn't work on my USB stick connection only in my cable modem one. Might be because USB connection has another program running that has that feature too.
     
    Last edited: Sep 25, 2013
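
Added example, not part of any post in this thread: a Python sketch of the hosts file check described in the post above. It sorts the active lines of a hosts file into blocklist entries, redirects to other addresses and malformed lines, so a comments-only file, a blocklist such as MVPS HOSTS and an unexpected change can be told apart. The function names and sample text are constructed for illustration.

```python
import ipaddress

# Addresses that blocklists such as MVPS HOSTS point unwanted domains at.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Sort the active (non-comment) lines of a hosts file into three lists."""
    result = {"blocked": [], "redirects": [], "malformed": []}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            address = None
        if address is None or len(fields) < 2:
            result["malformed"].append(line)
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in LOCAL_NAMES and address.is_loopback:
                continue                          # normal loopback mapping
            if str(address) in SINK_ADDRESSES:
                result["blocked"].append(name)    # blocklist-style entry
            else:
                result["redirects"].append((name, str(address)))
    return result


def hosts_state(result):
    """Summarise the audit: what kind of hosts file is this?"""
    if result["redirects"] or result["malformed"]:
        return "review"          # names resolve somewhere unexpected
    return "blocklist" if result["blocked"] else "comments-only"


# Constructed samples, not taken from any real machine.
SAMPLE_DEFAULT = "# comments only\n#   127.0.0.1   localhost\n"
SAMPLE_CHANGED = """\
127.0.0.1   localhost
0.0.0.0     ads.example.com      # blocklist entry
127.0.0.1   tracker.example.net
203.0.113.7 update.example.org   # points at a non-sink address
not-an-ip   something.example
"""

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("changed", SAMPLE_CHANGED)):
        audit = audit_hosts(sample)
        print(label, hosts_state(audit), audit)
```

To check a real machine, read the text of %SystemRoot%\system32\drivers\etc\hosts and pass it to `audit_hosts`.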
  6. Seven64

    Seven64 Guest

    The way I update the host file, without TW changing it back is:
    Uncheck "Automatically check for updates", "Domain-based malware and ad blocklist", and in Special Exceptions tab uncheck "TinyWall". I left "Prevent modification to host file" checked.
     
    Last edited by a moderator: Sep 25, 2013
  7. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I have never used hosts file as my security. TinyWall is not a HIPS so it makes me wonder where is the hosts file protection if you can manually update it? And have that option checked.

    Valuable information given by you for those that use other sources for updating it I must say :)
     
  8. Seven64

    Seven64 Guest

    Host file protection must be having "Domain-based malware and ad blocklist" checked, because it reverts back to the older host file when checked.
    Doesn't make sense to me. o_O Hopefully Ultim will get back to us with the facts.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The HOSTS file provided by TinyWall is MVPS HOSTS. Although they claim to keep it updated, that is not the case within a reasonable time frame from my experience. You're better off doing it manually. I still use port-based malware blocklist though.
     
  10. DeerDance

    DeerDance Registered Member

    Joined:
    Apr 19, 2013
    Posts:
    6
    For people using Avast! and TinyWall.
    There's an option in the web shield settings that makes it all work again, without you needing to turn off the web shield:
    Scan traffic from well-known browser processes only

    http://i.imgur.com/m8K07sx.png
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    It works fine with avast, it is only that checking it does still allow some other things besides browsers imo.

    About host file protection, I had that check mark on for it 'prevent modifications to hosts file' and I could not copy manually a new file to there and was told that some other program is using it, under my Windows 7 user account. So I guess it works as intended.

    Regarding Avast and its Software Updater. Some Flash update I think. I asked Avast to Fix what was "critical". Some google updater showed being blocked and I unblocked it on Connections window. Next thing was TinyWall went gray and I suppose the TW service went corrupted. No error log in the TinyWall folder was found to send to ultim. And I had it put to folder exclusions in Avast. So it might have been that Chrome sandbox.

    Rebooted, TW did not come back alive not also in admin account. I needed to reinstall TW. Glad I was behind a cable modem router/firewall when that happened since I think I was without any Windows firewall protection.
     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    TinyWall rules

    Continuing my studies starting with https://www.wilderssecurity.com/showpost.php?p=2282195&postcount=768
    post I finally grouped all the ultim's 'Recommended Special Exceptions' into a spreadsheet for the latest 2.1.4 version of the firewall controller. Those rules can be seen in this picture:

    http://www.saunalahti.fi/~jarmos3/TinyWall_rules.jpg

    It is for me to start study them and what they mean. Notice the rightmost column that has the Exception names as they appear in TW. The first column shows the rule names as they appear in Windows firewall.
    Asterisk * means all ports, IP addresses, programs or services.

    It was a bit tedious job, so forgive me if I made some mistakes.
    ICMP rules are not shown completely for the protocol types, them you have to check yourself.

    EDIT: Click the picture to make it display larger.
     

    Last edited: Oct 4, 2013
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I am having really some problems with Avast Software Updater module and maybe some other programs too.

    It showed Google Chrome as needing an update. TinyWall's Connections window shows that blocked is C:\Users\useraccountname\AppData\Local\Update\GoogleUpdate.exe.

    If I unblock it from Connections window, either Avast or Chrome corrupts TW install! And I have to uninstall and reinstall TinyWall :(

    'Whitelisting by Window' does not work.

    From Manage/add application it is not practical since Appdata folder is hidden and I want to keep it that way and also I have to write the whole path down to remember if I followed that route.

    'Autolearn' firewall controller state is not safe, except in my case since I am behind a router, but not in general.

    What would be good is remove the 'Unblock' option from Connections window since it seems unstable and add instead an option to copy the filename to Clipboard from where it could be added to Manage/add application IF that is more stable.

    Now as it is the best option for that kind of update program path seems to me to just 'Allow outgoing' firewall state.

    I think also straight updating from Chrome did not work with 'Whitelisting by Window'. Don't know if that is because my Windows 7 is in Finnish language.

    EDIT: The normal update path in my admin account would have been: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe But Avast's Software Updater asked to update Chrome in all user accounts and I tried that first in my normal user account. Where it did not work was then in admin account Chrome had somehow adopted that alternate path. Just to make it clear.
     
    Last edited: Oct 4, 2013
  14. younameit

    younameit Registered Member

    Joined:
    Aug 19, 2013
    Posts:
    33
    Location:
    UK
    TinyWall problem with mapping a network drive

    I have added a network drive to my computer. I had to switch TinyWall to autolearn in order to be able to do that. The network drive works fine when TinyWall is in autolearn mode. However, I cannot access the network drive when I switch TinyWall back to normal mode.

    Thanks for your help with this.
     
  15. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    ultim is away and I have no LAN network. So just a few lines.

    Try check 'File and Printer Sharing' in the Special Exceptions. If that does not help you could use the option 'unblock LAN traffic' you have pressing the GUI icon. It should disable the firewall for the local network and allow it to filter only internet traffic.

    If you are skilled, you could make your own rules too that would allow what the default or added Special Exception rules don't do. You can make rules for say svchost.exe limiting it to needed Windows service and restricting that to only local network. But let's hope the above ready made solutions work in your case. :)

    Remember Autolearn means no firewall is on, so naturally all would work. That is no permanent solution in anyways.
     
    Last edited: Nov 2, 2013
  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
  17. ad67

    ad67 Registered Member

    Joined:
    Dec 16, 2006
    Posts:
    31
    I used TinyWall for about 11 months with Windows 8 and I don't recall a single problem, but since I have installed Windows 8.1, I have experienced TinyWall becoming disabled on a few occasions. One time rebooting solved the issue, but 2 or 3 other occasions, I have had to uninstall and re-install. Anyone else experienced this?
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Do you remember the situation(s) when that happened? I am not using W8.1, so I have no experiences of that system with TinyWall unfortunately.

    The only times I have experienced TinyWall service getting corrupted have been when trying to unblock a blocked program from Connections window. The programs have been legitimate programs, Java update and Google Chrome with Avast software updater.

    Results were that like you told TinyWall had to be uninstalled and reinstalled. The other bug I know is related to password protecting the settings and then losing the GUI, but not the service.
     
  19. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    I like this firewall concept but it has a problem.
    Usually after Windows updates arrive the software breaks, stops starting randomly and so on. Seen this at various times with various versions and in 3 W7 installations on 3 different machines.
    Not very robust front end for long term usage.
     
  20. ad67

    ad67 Registered Member

    Joined:
    Dec 16, 2006
    Posts:
    31
    I only recall the specifics for the last occurrence. I recently installed Chrome and had opened the "About Google Chrome" window and saw the message that Chrome was unable to update. I then went to TinyWall and changed the mode to "Autolearn". It was at this point that TinyWall became unresponsive and locked in Autolearn mode.
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    To me it seems TinyWall is not very stable with its GUI options. They seem to leave the service vulnerable. For me I have learned to like it a lot. I used it first time in some more early version and was not able to accept that no popup concept.

    Now I have accepted and learned to appreciate it. I think the firewall rules are quite well made (for a basic user), I don't know any about LAN since I don't have one.

    The unblock from Connections window problem in my case and in your case the Autolearn change, might be because of some other software. I know I had only Avast antivirus with its behavior monitor option running. TW has no driver.

    Anyways if you want to keep it, I would suggest unblocking what is blocked in Connections window using 'Whitelist by window' or 'Whitelist by process'. I think updating Chrome works fine with the window option, but the process option is quite easy too.

    Still I have not experienced any problems with Windows updates. I think us who use TinyWall need to be behind some router protection like my cable modem has. Just for those cases it might fail. It is not for everyone.

    I like too much its packet filtering service to change to other options :)
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Well, I've gotten sick of the bugs and removed TinyWall a month ago.

    The bugs included outdated MVPS HOSTS, can't unlock locked configuration without exit, incomplete Avast Special Exceptions that required a dummy file to add avast.setup (and other recurring temporary files), cannot uninstall properly without running installer in elevated command prompt, difficult if not impossible creating rules for VPN like CyberGhost (reroutes connection for all internet-facing executables), inability to unblock iTunes WiFi Sync and Home Sharing even with no restrictions and learning mode (HOPOUT always blocked), and messes up Windows Explorer thumbnail viewing (loading loops until eventually unresponsive).

    It all adds up, even if specific to my system. So TinyWall is gone, I never really had any benefits with using outbound firewalls throughout the years anyways.
     
  23. ad67

    ad67 Registered Member

    Joined:
    Dec 16, 2006
    Posts:
    31
    I like TinyWall for its simple approach to block everything unless I allow it and to use the Windows firewall without adding additional software and potential conflicts. When I had the last issue with TinyWall, I completely uninstalled and removed all references in the registry and rebooted and installed PrivateFirewall (which I have used successfully for years on another computer running XP). When I rebooted to Windows, my computer froze and repeated attempts had the same result (had a difficult time getting back to normal).

    The only issues I have had with TinyWall have been since I installed Windows 8.1 and I still have to change to Autolearn mode in order to update Windows, which updates fine in Autolearn, but when I change back to "Normal", I cannot update - tried allow processes, whitelisting by window, etc. There is something about Windows 8.1 updating that is different - never had the problem with 8.0.
     
  24. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    As I told, TinyWall is not for everyone. I could not care any about MVPS Hosts file not updated. I am not using it.

    You J_L I think are better off with default Windows firewall settings allowing all outbound or maybe some Comodo for you lol to mess up with all your tweaks if you have not messed up your system already?

    Avast 2014 I think now does not anymore need that file you mentioned.
     
  25. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I have Windows updates set to check for updates but not to install. You never get that with W8.1 Any message that updates are available? And what to install? You are sure that the rule for updating them is not working anymore for W8.1? There might always be a few days delay.

    In that case we are really missing ultim back here.

    EDIT: You should be able to make your own rule in that case, if it really uses some new windows service.
     
    Last edited: Nov 19, 2013