Why ESS does not monitor such activity as process launching? so this firewall can be easily passed for example with writing some data to html file in the form and sending it via JS. That seems to me very strange - maybe i couldn't find such an option?
The firewall controls inbound and outbound network connections. It is the role of the real-time scanner to check if files perform malicious actions or not.
OK. What do you think about such option in real-time scanner? By the way, "The firewall controls inbound and outbound network connections": a creation of an htm file with a content like ... <body onload="f.submit();"> <form id="f"> <input type=text value="private gathered information"> </form> ... is a way to bypass a firewall with use of browser launch. So, such detection must be the work of firewall too.
If the html file was malicious it would/could be detected by the real-time scanner and other protection modules (ie. on-demand/startup/web/email scanners). It's not a role of firewall to detect suspicious html files.
Firewall inspects packets at NDIS layer. Basically its role is to control communication at the lowest level.