Is Firewall Working Correctly?

Discussion in 'Prevx Releases' started by pegas, Sep 29, 2012.

Thread Status:
Not open for further replies.
  1. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,966
    OK very clear TH, thanks. Can you try something? Please delete a few entries but do not run these applications. Then run another scan. I am curious whether these entries will be back after scan. Thanks for your patience with me :D
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    The test passed!

    TH

    Blocked

    Allowed


    And what you ask me to do and still Blocked after scan!
     
    Last edited: Sep 30, 2012
  3. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,966
    Thx TH but probably due to my illness, I caught flu, I don't understand :D

    I meant, for instance delete entry of Firefox and Opera which are on default Allowed (do not run these applications then). Run a scan and check whether the Firefox and Opera entries are back in the list of processes with action Allowed.
     
  4. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    OK they didn't come back after scan, only when I wanted to Open them then it asked my permission. :thumb:

    TH

    My Setting and removed Opera, IE9x64 & IE9x86 and did a scan they didn't return.


    Until.

     
    Last edited: Sep 30, 2012
  5. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,966
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Anytime. ;)

    TH
     
  7. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,966
    Thanks to your guidance I am now using the option "Warn if any process connects to the internet unless explicitly allowed" with a few entries removed to my liking and waiting for the access prompts :D I am really enjoying the firewall entries now, I am blocking, deleting, then again allowing ... everything just for fun and testing WSA firewall efficiency ... ;)
     
  8. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    That's how we get to know how the whole program works :cool: The only thing that needs to be done is remove the Timer to Allow and let the user make the decision!

    TH
     
  9. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,966
    Exactly, I have seconded your idea at the Webroot community.
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The settings on the front screen are what I'm referring to, rather than the configuration of individual processes "below".
     
  11. guest

    guest Guest

    "We have told you to continue to use LNS with WSA as I do because they work together very well with no issues."

    That means running two firewalls "bloatware"
    I believe in keeping my system lean & mean
    That's the reason I bought an AV only
     
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    IYO it's Bloatware :blink: IMO for me it's not and love it! ;)

    TH

     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    He's not referring to bloatware in relation to memory usage though. Software bloat means different things to different people.
     
  14. guest

    guest Guest

    "Software bloat means different things to different people."

    CORRECT!!!

    What does IYO stand for?
     
  15. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,444
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    IYO - In Your Opinion
     
  16. guest

    guest Guest

    Well, since I was a paying customer I think my opinion
    should count for something, thanks for telling me what
    the company thinks of its customers

    I'll remember IYO when it comes time to buy new software
     
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I don't work for the company; I'm a long-time user of Prevx and now WSA and try my best to help users. And yes, I said In Your Opinion. I didn't shut you down and tell you you're dead wrong; we all have our own opinions and I respect that. I'm sorry you took it the wrong way!

    TH
     
    Last edited: Sep 30, 2012
  18. guest

    guest Guest

    Sure, but most of your posts are about complaining about WSA.


    Maybe you should do right now, I feel you are not "happy" with WSA actually, try to get a refund and move to another product.
     
  19. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Wait, wait...

    How does enabling a code path through existing code to add security count as bloatware?

    Did I miss something here?

    This thread is honestly more than confusing. The WSA firewall is not meant to be a full firewall. It's a firewall extender. It's not meant for access controls and if you can get it to work for that, then more power to you, but that's not its primary purpose or even its intended purpose.

    So run a true network firewall and WSA AV. There is zero good reason not to, and you are supposed to anyway.

    The firewall in WSA is there to specifically kill traffic from threats that are connected. If a downloader is grabbing more junk to load up your system with and triggers a network endpoint detection because of that, its network lines get chopped. That's a thing that doesn't happen if the firewall isn't enabled. Since the code base is there to begin with, it's adding zilch to the system to bog it down or anything else. It's just another valve on the pipeline to the network that can be closed if the program sees the need.

    Don't treat the WSA firewall as a firewall.
    Pretend it's not there as a firewall at all, just treat it as AV network awareness.

    Or feel free to give me a logical reason that it's a bad thing and bloat, as opposed to an opinion. :/
     
  20. guest

    guest Guest

    "Sure, but most of your posts are about complaining about WSA"

    I bought an AV only, and now I don't have it


    "Maybe you should do right now, I feel you are not "happy" with WSA actually, try to get a refund and move to another product"

    Not a bad idea, but I will not hold my breath about getting a refund
     
  21. guest

    guest Guest

    You can still disable the unwanted features, anyway they don't add more resource usage.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The difference with WSA is that even if you don't have the firewall component visible (like in the 2012 release), it is still active and monitoring exactly the same way as it is now in the 2013 release. We just didn't offer the user-facing configuration previously - the behavior monitoring and network event correlation has always been active.

    So, there is zero additional "bloat" from the monitoring - you're still using the same software with the same functionality. You can use it alongside any other firewall or by itself if you prefer; you won't experience any conflicts if you didn't experience any with the 2012 release as the drivers are the same.
     
  23. guest

    guest Guest

    "bloatware" or not I'm not going to run what "seems"
    to be two firewalls

    Actually I didn't call WRSA by itself "bloatware" but running two
    firewalls or two firewall UIs or whatever you want to call it
    is something I am not going to do
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    As explained, it's not about having two firewalls. It's about application control options in WSA. Before, this feature was built into WSA without any specific control from the user. Now it is visible in the GUI and can be manipulated. No more, no less. :)
     
  25. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,966
    OK, after a very extensive testing of WSA firewall with the setting "Warn if any process connects to the internet unless explicitly allowed" and fiddling with setting Allow/Block under Network Applications, here's my conclusion.

    First of all, if you apply the said firewall option WSA loads all allowed processes/applications which are allowed by the cloud heuristics and are present on your particular system. The list of these processes can be seen in Network Applications.

    I changed a lot of applications from Allow to Block and tried every one to test if they can get out on the internet. The result was half-successful.

    Some processes which were set to Block couldn't pass on the internet (for instance IE9, Revo, Picasa etc.). That's fine and what I had hoped.

    On the other hand, some of the blocked processes could connect on the internet. Just to name a few ... Opera, Outlook, Webcam, VLC etc. I have to admit I am quite concerned especially for Opera and Outlook! Strange as IE wasn't able to connect.

    Joe explained a few posts above that such applications (which went on the net even if being blocked) probably use another process for the outbound connection. If that is right and not just a firewall failure there has to be another prompt or whatever else that will warn a user about this fact and will let him/her act accordingly (Block or Allow).

    So my result is that if a process is alone connecting to the internet, i.e. doesn't use another one to do that, and you block this process it shouldn't be able to get on the net. However that is not the case for a process that uses another one to connect out. In such a case you end up surprised that the process is able to connect out even if set as Blocked.

    So all in all, I don't think WSA firewall is bad but it needs to be more polished to ensure 100% success in blocking the outbound traffic.

    Thanks & regards,
    pegas
     
    Last edited: Oct 1, 2012
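The explanation discussed in the post above, that a blocked application may connect out through another process, can be checked by attributing each outbound connection to its process ancestry instead of only to the owning process. This is an added example, not part of the thread and not WSA's own logic; the process table, the helper name `net_helper.exe`, and the endpoints are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

# Constructed sample data (not captured from WSA): a process table and a
# snapshot of outbound connections as (owning pid, remote endpoint).
PROCS = {p.pid: p for p in [
    Proc(100, 4, "explorer.exe"),
    Proc(200, 100, "opera.exe"),
    Proc(210, 200, "net_helper.exe"),   # hypothetical helper spawned by opera.exe
    Proc(300, 100, "iexplore.exe"),
    Proc(400, 100, "firefox.exe"),
]}
CONNS = [(210, "203.0.113.10:443"), (300, "203.0.113.20:80"),
         (400, "198.51.100.5:443")]
BLOCKED = {"opera.exe", "iexplore.exe"}  # per-process rules set to Block

def blocked_ancestor(pid, procs, blocked):
    """Walk pid -> parent -> ... and return the first blocked process name."""
    seen = set()
    while pid in procs and pid not in seen:   # 'seen' guards against ppid loops
        seen.add(pid)
        proc = procs[pid]
        if proc.name.lower() in blocked:
            return proc.name
        pid = proc.ppid
    return None

def audit(conns, procs, blocked):
    """Report connections owned by a blocked process or one of its descendants."""
    findings = []
    for pid, remote in conns:
        owner = procs.get(pid)
        root = blocked_ancestor(pid, procs, blocked) if owner else None
        if root is None:
            continue
        kind = "direct" if owner.name == root else "via-helper"
        findings.append((owner.name, root, remote, kind))
    return findings

if __name__ == "__main__":
    for row in audit(CONNS, PROCS, BLOCKED):
        print(row)
```

A `via-helper` row is a connection that a rule matching only the owning process name would let through. On Windows a recorded parent PID can be reused after the parent exits, so real tooling should also compare process start times.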