PrivateFirewall: Share Your Firewall (And Process Monitor) Settings (XP)

Over the past few years I've had the opportunity to use PrivateFirewall as my main FW/HIPS/Anti-Logger app with a few hiatuses to test out other highly recommended alternatives.
I always seem to come back due to its effectiveness, small (unbloated) size and low resource consumption.

Additionally, though some complain about its user interface being somewhat dated, I've always found the app to be more intuitive than most of its competitors.

Since I always ensure that I export and save my settings, I rarely have a problem with reinstalling and picking up where I left off...and any new apps or processes are easy enough to add to the mix.

One area where I'm not particularly savvy is in making changes to the firewall settings once the larger overall protection levels are set via the user interface.

The default firewall settings (for "System" and "System Services") can be seen (for XP) in the following post:

https://www.wilderssecurity.com/showpost.php?p=2044408&postcount=27

I was wondering if some of you might want to share your own tweaks to any of the settings to enhance security...and if so, please be specific as to why you made the change and how, specifically, to go about making the change. (Consider discussing changes to svchost and services.exe)

In addition, if you wish to share any customized tweaks to apps listed in the "Process Monitor" section, (internet facing apps, etc.) please feel free to share those with us as well. (Again, providing the reason for the change and the specific rules which were modified.)

Thanks in advance for taking the time to respond. Hopefully this thread can become a good resource for those using PrivateFirewall as one of the mainstays of their computer security.

 

137 reads and no replies (thus far)...okay, I concede...maybe not my best idea for a thread...

 

I think it's a great idea. Sadly I don't use it but I'm going to test it before moving to 64 bit when I'll need to replace MD. So, I'm also interested in any feedback from users using it.

 

Thanks, tomazyk...I just knew there was somebody out there who would think it was a good idea.

BTW, I'll be interested in seeing how you like PF when you test it. You can use it pretty much as a classic HIPS just by setting the Process Monitor to High, electing "Manual Control" (with disabled "auto-response"), "Alert to all new outbound connections" and "disable 'trusted publishers' list". (This is how I keep mine set, by the way.)

 

I played with PF briefly... I rather like it. It's quite user-friendly, and lighter than Online Armor or Comodo.

My tack was to run it with (almost) everything set to maximum, and use training mode when installing applications or starting them for the first time. Kind of like a low-powered budget version of AppArmor. I've tried several ways of using HIPS, and IMO this is the correct one.

Anyway my settings were:
Process monitor -> high
Alerts -> manual, no auto-response
Process detection -> enabled
Anomaly detection -> disabled

If I were to be really serious, I would probably enable anomaly detection, and also disable digital signature detection entirely - training mode should probably be able to take up the slack from that.

(Just make sure you don't have training mode enabled when you plug in someone else's USB stick...)

 

You don't seem at all like you deserve that moniker, "Gullible"...

As mentioned in the other PF thread, the following are the settings I use...
...(though I hope that other members will chime in with the more granular advanced settings they have found to be of use in both the firewall/process monitor venues).

As you see, mine are very similar to what you outlined:

Internet and Network Security sliders set to "High".

Local Network Site set to "Untrusted"

Process Monitor: High

Manual Control (auto-response disabled).

Alert to all new outbound connections.

Disable "Trusted Publisher" feature.

All "Advanced Settings" enabled.

All internet facing apps have been set to "Limited" in advanced application settings.

I have reviewed the "Parents" list in advanced application settings and denied access to various programs that I didn't want to connect out to the net via other trusted apps.

 

Right, I did that too (forgot to mention).

Hmm? Would that be the "notify on all outgoing packets" option? I didn't enable that because I figured it would be too chatty. OTOH training might take care of that too, dunno.

Probably a good idea at this point!

Not sure what you mean by this, since I don't have the UI in front of me right now

I hadn't even looked at that! Didn't know such presets existed. Sounds like PF has gotten a lot stronger over the past few years.

I would think this feature would also be valuable for preventing a compromised application from launching persistent nasties. (e.g. disallowing the browser from launching anything.)

What you describe is rather a lot of setup, though, and I don't really like doing that much configuration just for security.

 

I don't know when the last time you tried PrivateFirewall was but you are right, Greg Salvato and company have done a great job incorporating features that I and other users have been requesting over the past couple of years.

 

This one bothers me. If your not connected to router, this is the correct setting.

If your PC is connected via a router, Local Network setting in PF should be set to "Trusted" for your subnet only e.g. 192.168.1.1/255.255.255.0 if the address assignment for your router begins at 192.168.1.1.

 

What would be the downside/repercussions of it being left untrusted? (I don't require file/printer sharing.)