PC Tools Firewall

Discussion in 'other firewalls' started by 337, May 10, 2008.

Thread Status:
Not open for further replies.
  1. Artur

    Artur Registered Member

    Joined:
    Mar 11, 2008
    Posts:
    6
    I am very impressed with PC Tools Firewall Plus. It is a great, fast and light program.

    PC Tools Firewall Plus + ThreatFire is an excellent combination.

    Greetings
     
  2. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    Unplug your network cable and it will still claim to leak, so there appears to be a problem with the program itself. Are you using Vista?
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can anyone tell me how I can get pop-up alerts for System process outbound? Or is it just hard coded ALLOW?

    Thanks
     

  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I tried this firewall and it looked very promising, but it didn't shut down (End Program popup) while I rebooted my computer, and yes, I have UPHclean running under "Processes", but that didn't make any difference. What else can you expect from M$.

    Sygate Personal Firewall Pro didn't have that shutdown problem, so I installed this firewall and everything was back to normal.
     
  5. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    This firewall is the only one that on my PC is on par in performance with Kerio 2. Everything seems very light, even browsing while doing heavy p2p. Unfortunately, it seems that it is a cause of random reboots on my PC. Otherwise, it's a great lightweight firewall. :thumb:
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    U missed the 'h'.
     
  7. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Thanks Aigle. :thumb:
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi aigle,

    I installed about an hour ago,

    I do not think the system is hard coded as I currently have it blocked with no record (in the firewall) of data sent (I enabled netbios to see if that would bypass) but have not had time to fully check/test.

    Have you unchecked the "automatically allow known applications", and checked the access rights for "services and controller app" in the applications?

    I will have a little time tomorrow to check further, as I also want to check the SPI.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Hoodied,
    The results are quite strange.
    I know there was a problem some builds ago, where there was no correct checking of applications already given access (by checksum verification, which is the main point of the test), but that was fixed.
    I did run the test, and did get a failed result, although the outbound attempt was blocked and logged.
    I did rename the test file (renamed to firefox, and replaced firefox with the test file). I was surprised to see a popup asking me if I wanted to allow the connection, as I would normally expect a popup warning of a changed application.

    PC firewall has always been quite minimal in its packet filtering ability, so I don't know why you would say it is "extremely good". But I will look at this tomorrow to see if there is any improvement on what I have seen in the past.
     
    Last edited: Jun 7, 2008
  10. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    I just installed this not too long ago, and like it a lot.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Stem! Thanks for the reply. Yes, I unchecked "automatically allow known applications". Not sure whether access rights for "services and controller app" is checked or not. I will check and then post back.

    Thanks
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I am curious about your findings/opinion on the SPI capability of PC Tools FW.

    Regards Kees
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Here are my settings. System still connected without alerts. Automatic allow is not checked.

    2008-06-10_052136.jpg
    a (1).jpg
    a.jpg
     
    Last edited: Jun 9, 2008
  14. wat0114

    wat0114 Guest

    @aigle,

    "System" shows as connecting to 192.168.1.255, which is a broadcast address only. As long as that's the only ip address it connects to, I don't see a problem. Maybe you have NetBIOS enabled? If you don't need it, try disabling it to see if System stops connecting to 192.168.1.255. Still, there should be no problems with this; it's not connecting to the Internet.
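
An added example, not part of the thread or any poster's words: a small triage script that sorts logged "System" destinations into broadcast, multicast, local-subnet and external, so only traffic leaving the LAN is flagged for review. The log tuple layout, the function names and the local interface `192.168.1.10/24` are assumptions; the log entries are constructed.

```python
import ipaddress

# RFC 1918 ranges: private addresses that are not routed on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample entries (process, destination IP, destination port);
# the tuple layout is an assumption, not PC Tools Firewall's log format.
SAMPLE_LOG = [
    ("System", "192.168.1.255", 137),    # NetBIOS name service broadcast
    ("System", "192.168.1.255", 138),    # NetBIOS datagram broadcast
    ("System", "255.255.255.255", 67),   # DHCP limited broadcast
    ("System", "192.168.1.1", 445),      # unicast to a LAN host
    ("System", "224.0.0.252", 5355),     # link-local multicast
    ("System", "203.0.113.45", 80),      # documentation address standing in for an Internet host
    ("firefox.exe", "203.0.113.45", 443),
]

def classify(dst, local_if):
    """Scope of dst as seen from the local interface (address/prefix)."""
    net = ipaddress.ip_interface(local_if).network
    ip = ipaddress.ip_address(dst)
    # The subnet broadcast depends on the mask, so it is derived, not hard-coded.
    if ip == net.broadcast_address or ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if ip.is_multicast:
        return "multicast"
    if ip in net:
        return "local-subnet"
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918):
        return "private-other"
    return "external"

def external_system_traffic(log, local_if, process="System"):
    """Return (ip, port) pairs where the given process reached beyond the LAN."""
    return [(ip, port) for proc, ip, port in log
            if proc == process and classify(ip, local_if) == "external"]

if __name__ == "__main__":
    for proc, ip, port in SAMPLE_LOG:
        print(f"{proc:12} {ip:16} {port:5} {classify(ip, '192.168.1.10/24')}")
    print("needs review:", external_system_traffic(SAMPLE_LOG, "192.168.1.10/24"))
```

With a /22 mask the same 192.168.1.255 is an ordinary host address rather than a broadcast, which is why the check takes the interface prefix as input.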
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, thanks for explaining all this. I have no knowledge of FWs n Networking. But I can understand that the alert is benign and is the only alert for System I get, but I was just wondering if PC Tools FW should also give an alert like this or not.
     
    Last edited: Jun 10, 2008
  16. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    Aigle's question is a very good one I think, and I was hoping for an answer as well. Even though the connected IPs are "only" broadcast and deemed harmless, what if "system" by virtue of an infection is trying to call home? Will there be any alerts? o_O

    In Aigle's setup with Generic Host, LSA and Windows NT Logon having full access, if these were used to call home, there would be no alerts because they are allowed to do so.

    What I don't get is what "system" is as far as an exact process executable that some rules can be applied to, to make sure an alert is given when a bug is trying to go where it shouldn't.

    So, how do you ensure the firewall will alert with a popup requiring user intervention, if "system" tries to access the internet?
     
  17. wat0114

    wat0114 Guest

    I'm hoping Stem or someone can jump in and elaborate because I'll admit I'm not completely sure what goes on with that broadcast address, but I think it relates to ff:ff:ff:ff:ff:ff and is all part of the "question asking" process of "what MAC address belongs to 192.168.1.1?" (ARP), so in aigle's case, who looks to be behind a router, this broadcast is looking for the ip address belonging to the router. So the pc NIC interface will ask: "who has 192.168.1.1, tell 192.168.1.10" (for example), the router will then reply 192.168.1.1 is at a5:41:b6:7d:01:a3 (for example).

    Again, hopefully someone can explain and correct me if I'm wrong on this. And I agree it is a good question by aigle, because even if it's harmless, as it looks to be, why can't the user have some control over it?

    I'm curious too about what exactly "system" is. Maybe it's the NIC?? That's my guess, anyways :)
     
  18. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    "System" (or PID 4) is NT kernel. It is not a single process but a set of drivers (network ones too) communicating with windoze TCP/IP driver on kernel level. That is why a user cannot have control over it.

    On data link layer, broadcast will do that. On network layer, it is also used by DHCP. I don't know if PCTools works on data link.

    A NIC driver?
     
  19. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    Thanks Seer,

    That nails it as the answer :thumb:

    So it seems it depends on the firewall whether it will alert you to any external outbound attempts by "system" then.

    Referring to this post by fcukdat (man, you have to be careful when typing out that name eh?) https://www.wilderssecurity.com/showpost.php?p=1256584&postcount=243
    Kerio (old 2.x version I think) did alert to "system" phoning home by Rustock C.

    Wonder if PCTFW would do the same? Anyone willing to sacrifice a computer to Rustock C to test PCTools Firewall?? :D
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That was exactly the reason I asked. CFP alerts about this benign System activity so I assume it will alert in case of Rustock as well.
     
  21. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    IIRC- I believe PC Tools lets you set a specific IP. I am trying to decide whether to go back to PC Tools or try Comodo again.
     
  22. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    Yes, the PC Tools FW does seem to have excellent application advanced rule making capability. I'm trying it out on an old laptop. Comparing to Kerio 2.15, it does seem to be lacking the ability to set local ports on outgoing connection rules though, but still can control protocol, direction, IP (single or ranges), and ports.

    As far as Comodo, no idea.
     
  23. nhamilton

    nhamilton Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    61
    Why do you want to set the local port on outgoing? This is a port chosen by the operating system. I cannot see any benefit in being able to control the local port on outgoing. I only see that it would cause the end users more problems in trying to set it.
     
  24. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    Just a finer level of control. It's something I picked up in researching rules for Kerio. The system apparently should be functioning locally on the 1024 - 5000 range, and this is the range I set up for most apps and services in the Kerio rules. Exceptions are DHCP and netbios.

    If an alert is raised for some app using a different local port, it could be cause for further investigation I guess. I've never had it happen, but at the same time have suffered no ill effects from doing it.

    I suppose the merits of doing this could be expanded on by those more knowledgeable than myself. On the other hand, my comment was just an observation in a difference in the two firewalls. The old-time Kerio folks put the capability in for some reason :)
     
  25. nhamilton

    nhamilton Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    61
    Before PC Tools firewall had automatic NDIS rules, there were rules that allowed that range on the local port (the range is also different on Vista). The one problem that did occur was that if you used P2P you could burn through the port ranges, and then the OS would allocate beyond that; based on the rules, all your traffic would then become blocked.
     