The Incredible Lighthtness of Being, Jetico I Rediscovered

Several years ago I ran Jetico I. It was in beta at the time and back then I did not understand why anyone would develop a firewall that responded to non network related events. Then came the leak testing craze and now many firewalls respond to non network events.

I am not very enthusiastic about the way leak testing has become the dominant factor in firewall performance evaluation. None the less, Jetico I has decent, but not perfect leak test performance. One might observe that with LUA/SRP every leak test once downloaded by your browser will fail to run without elevating to administrative rights first. What about that zero day trojan game you just have to run? Well, you might have your firewall or HIPS turned off or install mode to install it. The reality is its not that hard to protect a computer against inadvertent program execution or drive by attacks, but there is really no automated way to protect the user against his own intentional actions.

How about light? The question of a light firewall AV or suite comes up on a weekly basis around here. I don't know if all these people have P III's or just like snappy performance. Constantly people post screen captures of the task manager with the "mem usage" circled and they are completely missing the point. All that proves is good memory management, not lightness. On XP where you really need to look is on the performance tab, physical memory, available. And this has to be done on a before and after basis. A change that frees up 20 MB of mem usage might result in 40 MB of available physical memory.

Matoused uses some test to measure the effect of a firewall on certain system tasks. Some of his published results ranged from a less than 20% slow down form ZA Pro to over 40% for Sunbelt. He must not be measuring the right thing because ZA Pro takes the cake for bloat with all sorts of non firewall features including a barely functional anti spyware scanner and record breaking mem usage.

Ever enable the CPU Time column in task manager? You might start to throw out some software after you do. Comodo 2.4 uses very few CPU cycles until a P2P application is running, and then it goes nuts. Most people just look for CPU spikes, but this measures cumulative work of the CPU. A firewall that uses 1% on a cumulative basis may not seem like much, but it kills battery life on a notebook. ZA Pro uses at least 1% at idle, more with P2P running. Jetico I, Look 'N Stop and PC Tools use almost nothing at all.

Its not just the line items in task manager for the firewall services you have to be looking at. Modern firewalls with HIPS change the CPU and memory utilization of other services as they run. Available physical memory magically shrinks. Seemingly unrelated services like touchpad drivers start to chew up CPU cycles in a big way. Sometimes it helps to give these trusted application status.

Anyway, Jetico I passed every category with flying colors. I must be smarter now than I was then, because it has quieted down after a few hours, and I can see how to make it quieter if necessary. It runs in LUA without any problems. If you are on the creative side it has a lot of flexibility as it is rules based. If you must have the ultimate in leak proof living, add a hips or LUA/SRP. Remember security is a process, not a program.

 

I run it with the Process Attack table disabled and couldn't be happier. Between Jetico and GeSWall, I can't see nor measure any slwodowns.
If it runs in LUA without issues, it makes LUA even more interesting to me.
EDIT: Why did you create this thread on the polls section?

 

An excellent post, Diver. I am particular picky about CPU Time. Especially since i do p2p, which makes most firewalls sweat.

P.S: You can add Kerio 2 to the list of the firewalls that stay at virtually zero CPU Time even with heavy p2p.

 

jetico is agood and light firewall
someday i installed it , but it made me crazy , it showed me hundreds of popups per minute
many many many pop ups which need the one to do nothing but click on these lots of alerts
i couldn't deal with this firewall neither i couldn't configure it
it needs very advanced experienced user
for example , when i open opera , every website i open in my browser it show me alers
i click yes , remember my answer , but invain , it continue its pop ups again and again , then i was turned to the lazy click syndrome
doing only this :
answering
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
yes
please remember my answer !!!!
it really made me crazy

 

I might try it but with so many other FREE choices I don't think I will keep it.

 

Firewalls that control inter-process operations are relatively new stuff, so the current focus on leak-tests is understandable. As is the case with all trends, this one will also diminish eventually.

I tend to agree. To me, the term 'light' has nothing to do with memory usage. I thought using RAM is a good thing, isn't it? Since it's incredibly fast, I certainly want my processes and all their running threads in it. An app that uses alot of RAM AND performs bad is simply a piece of bad code to me and I try (and succeed ) to steer clear from ZA and the likes.

Yes, I have ditched some CPU "grinders" over the past few years. Task Manager aside, Sysinternals has some damn fine tools for hunting down various CPU, HDD, network and all kinds of "grinders".

LOL. True. A good firewall must be able to mantain a few hundred connections without problems. I'm not gonna use it to filter browsing/mailing only.

Jetico will popup for protocol/port but also for every IP you're connecting to. If you click "allow" only, you create a rule for every damn IP you're onto and your ruleset quickly becomes a bloated mess. Jetico is simply not designed to be treated only with "allow" or "deny" clicks as many would expect.

v1 comes with preconfigured rulesets/tables for common apps and system services, instead of clicking "allow" you just need to point your popup to appropriate table. 2 clicks and you're set. You don't have to be an "advanced experienced user", that's a very loose term

Cheers,

 

I probably would have gone back to it myself, but it does not co-exist well with pg2 (peerguardian)

 

You were creating rules for every IP/site that you were browsing. Rule-based firewalls don't work this way. In Jetico, you should use a predefined table (Browsers), build your own table or make a rule.

 

A few more thoughts. @eagle creek, did I post this under polls, I did not mean to. Thanks for moving it to where it belongs.

Jetico's default rule making will result in a mess, especially if you start up a bittorrent app. Its one of those things where you sort of have to know what the rules will look like from experience. The browser table is a good one to start with. I also set up a table allowing TCP out on all ports to all destinations for applications that need more than 80 and 443.

There are a couple of long threads on Jetico on this board, and I found them informative, not that I followed all of the recommendations.

Short of disabling the process attack table completely, its possible to make rules for things like your printer driver that will allow it to be "attacked" by any application, rather than needing a separate set of rules for every possible application that prints. Just leave the name of the attacker blank. If you don't want to mess with global hooks, a rule with both applications blank would probably disable that one.

There is another little thought on this. Just because something is not the latest and greatest does not mean it is obsolete. Jetico I was finished two and a half years ago, but it works on my notebook that has a zillion nasty drivers and is compatible with WPA2. As for Kerio 2.15, that was my favorite for a long time. It is the gold standard for an easy to use rule based firewall. Its rule editor can not be beat.

True, there are other free firewalls, and everyone is encouraged to try all of them. There is more to this world than Comodo 3.

 

I completely agree Diver,

When i tried comodo 3 i was totally overwhelmed by defense+ and its overloaded gui.

these firewalls namely looknstop, pctools and jetico offer a light alternative. And like Diver said, add a HIPS like eqsecure if you're worried about leak-tests.

 

Perhaps an argument could be made for the importance of Private bytes, because excessive numbers here could indicate a memory leak, but in the end all that matters to me is I can use my pc without slowdowns, lagging, herky-jerkyness and slow browsing, which to me indicates a "light" resident program profile. All numbers in the Task manager or Process explorer mean very little - within reason of course - as long as the engine is purring along.

However, how about a show of hands from those who feel just a little bit better when they find a different firewall, av or whatever that they really like and it uses less working set, private bytes, cpu time, cpu cycles...etc to boot than their previous product. It makes me feel better

 

It's always nice to find light apps with good performance. For me on this older PC, that's what it's all about. Less is more...

 

I got infected by Diver's cry and dropped Comodo for Ghostwall. Ah, what a relief! You can really feel the difference in browsing and system speed.

 

So what sort of level of CPU time activity would be considered light, e.g. how many seconds/minutes of activity per hour of System Idle CPU time?

 

Lets see, 48 seconds for fwsrv and 80 seconds for System after 20 hours of CPU time (two processors @ 10 hours each). Thats with several hours of Bittorrent downolads. Guess what, firewall drivers use CPU cycles and do not show as separate services so the work ends up in system. Zone Alarm needs over 1% at idle (at least 12 minutes in 20 hours) and lots more for P2P. The firewall component in Symantec Endpoint Protection is similar. Some of the new HIPS equipped firewalls cause various services to consume unusual amounts of CPU cycles.

1% may not seem like a lot, but it has a noticeable effect on notebook battery life.

 

Just trying out PC Tools FW, massive difference in speed compared to my previous. My PC feels like it has been unleashed

 

You should see with Ghostwall... Anyway, i am running PC Tools firewall too right now. It does run very light, although browsing speed is decreased compared to Ghostwall. But on the bright side it has outboung protection and doesn't eat more CPU Time with p2p (GW doesn't either, but most firewalls do).

 

I switched two weeks ago to PC Tools firewall.
Before I tried Comodo for one month. I didn't feel that much slowdown, besides at windows startup, and generally I liked the design and the Defense+ feature.
However, I felt it is still to buggy and it was interfering with several of my must have tools, that I can't just live without (e.g. ultramon, and even firefox in my case).
I was posing like crazy about that in their forum, but I felt it became just worse with every new release. And now with the new anti virus scan, I feeling it is getting bigger and bigger, and the number of possible issues is growing proportionally.

So I switched to PC tool firewall. And I really like it. It is very light and also easy to use (probably more easy than the other light alternatives such as Jetico or LockNStop). It's simply a real firewall, without all that leak test stuff.

As HIPS, I am using Winpatrol free now; it's replacing Defense+. I guess it isn't a real HIPS and probably not that leek proof , but I guess there isn't any lighter
It is checking every two minutes for new startup entries and drivers --- and thats just fine for me.

 

I have always liked Jetico from the early beta of version1, even though this can be a little problematic now with its interceptions within the "attack table".

The latest version (2), is for me (IMHO) just a need from jetico to chase after the "Holy Grail" of leak prevention. Certainly on my own installations of Jetico2 over the last several months/builds I see a number of problems (either related to the indirect access (for leak prevention) or possibly due to attempts for better compatibility with Vista).

At this time, I just wait for further builds (V2) to see if it improves.

I would also at this time like to put forward the fact that this thread is about "Jetico". It is not a comparison thread or any other.

Please respect the original poster and the thread title.

Regards,

 

Off topic post removed.

See above post.

Regards,

 

I have a few thoughts to add. There is a very long (over 700 posts) thread dealing with Jetico I on this board. While the information is good the size of the thread makes it somewhat tedious.

Stem, in the thread mentions that he turns off the process attack table and recommends using SSM free instead. I have not used SSM free, so I don't know if that will produce fewer or more pop ups. It probably results in a more secure system as SSM free appears to cover more bases than Jetico. Alternatively one could just leave the process attack table unchecked to have less noise, or make a few rules that state the attacker but not the attacked program to in effect create a partially trusted program.

Another point that keeps coming up is the effect of allowing network access. I must have about 5 times as many applications that have asked for network access than applications that go the next step and ask for an outbound connection. Some have suggested making a rule with no application name that would allow network access to all applications to cut down on the pop ups. Granting network access will allow an application to use any rule that is not bound to an application. The best examples would be listening on ports and DNS. The closest thing that I could find to a definitive answer was in the Jetico support forum. They said with ordinary programs it does not matter, but with malware that is attempting a firewall bypass the network access pop up might be the only chance you get. In other words, you get a quieter firewall at the expense of reduced leak prevention.

I am going to see how it goes over the next few days before deciding to do any of these things, other than the partially unbound process attack rules.

 

Hello Diver,

If the thread is what I think, then I can agree that anyone could lose interest without seeing the info contained. I did think about editing the thread to only contain specific/good info, but it would/could cuase feedback of "why my post was removed from thread". I certainly know firewalls and Jetico, but for me to attempt to edit that thread is not possible.

From the point of Jetico1, then yes. I do know I have made posts to show that disabling the "attack table" within Jetico1 and to install a 3rd party HIPS is (IMHO) better. For the specific HIPS, well, the best to use depends not only on the HIPS, but olso on the user (to undertand).

Jetico intercepts access to create socket (winsock)) this is not the same as an application making any attempt of internet comms, but it is a possible bypass

 

@Stem,

I should have been a bit more precise in quoting you on the HIPS. I think your advice was more like SSM free would work, not that it was the one of choice. Some others have come along since then. There are a lot of alternatives, free and otherwise in the Other Anti-Malware forum of this board. Its not a good thing for me get into right now as I have no experience with any HIPS that is not part of a firewall.

If there is anything that is fundamental to using Jetico I it is dealing with the defaults of the rule editor that specify both the port and IP address thereby producing a large number of rules if one does not edit to allow all remote IP addresses, and in the case of P2P applications ports 1024-65535. The next enhancement is to create tables for applications that do not work with the web browser table so those are available. Another hint is when creating tables from existing application rules for an application that has multiple rules delete the application path in the rule after the table is set up. This both allows the table to be used for other applications and facilitates using the table for updates of the application it was created for.

The fastest way to get up and running is to check "handle as" and select web browser. That will get most applications other than P2P going.

 

Kerio 2.1.5 is one of the lightest firewalls you can get, and is very effective.

I haven't tried Jetico, so I can't directly compare them. The free version of SSM is very light, but will produce quite a few popups until its configuration is finished. The combination of SSM free and Kerio 2.1.5 is one of the most effective security packages you can run, and easily one of the lightest.

Taken on my 98SE testbox with both Kerio 2.1.5 and SSM free running:

At the moment, I'm monitoring CPU usage with Process Explorer while opening web pages. Kerio has stayed under 2%. SSM free is staying under 1%. Security software can't get much lighter than that.
Rick