Sunbelt Kerio Firewall - Cautionary Information - Protect your Web Privacy!!!

SUNBELT KERIO FIREWALL - CAUTIONARY INFORMATION - PROTECT YOUR WEB PRIVACY!!!
One of the main reasons for having a firewall is to help keep your private information private. With that in mind, I consider it rather serious when a firewall does things that actually generate detailed files reports about your system configuration, intalled programs and surfing habits and offers to upload these files. It’s almost just as bad to find out after a month or to, that while you have no entries when you check your UI for logs, but when you go to the programs installation folder you find a log folder with 350 pages of the most detailed web records I have ever seen...just sitting there...in plain text, with no protection whatso ever! Anyone could see not just the sights, but what you searched, what you clicked on, what you downloaded, what you installed. Unbelieveable.

TO RECAP
- I intallation causes your settings in “startup and recovery”, “system failure” to write complete dump file. It does this silently asking no permission to do so. later should you experience a crash, you are told (while it is writing the file that it wants permision to sent the dump file which they caution could be quite larege - up to 1.2 GB (yeah! Thats Large!). I deleted the file.

-I also believe (but am not sure) that if you do experience a crash, the huge log will not be generated, but your settings will be modified so that the next time a dump file will be generated .

- Check your program files/sunbelt...../logs folder and see what’s there, and if you’d really like anyone to be able to see it. Like most people I do not save my browsing historys, I don’t even save them during the browings session. Why would anyone, much less a firewall producer, think I’d be okay with 350 pages of unprotected descriptions that are far more detailed that the history files that I have deleteted at browser shut down, if not sooner?

LEST YOU THINK I AM EXAGGERATING ABOUT THE LOGS....
I have just re-installed SKPFW. I have a licence, so I have access to all the settings.

I only have used the web once to query google about a service. here is the textfile generated:

[06/Jun/2006 17:30:40] "Web" method = 'GET', url = 'www.google.com/complete/search?hl=en', subj = 'referer', value = 'http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial', action = 'removed'
[06/Jun/2006 20:42:33] "Web" method = 'GET', url = 'www.google.com/complete/search?hl=en', subj = 'referer', value = 'http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial', action = 'removed'
[06/Jun/2006 20:43:16] "Web" method = 'GET', url = 'www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=does+sunbelt+kerio+personal+firewall+need+network+connections+service&btnG=Google+Search', subj = 'referer', value = 'http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial', action = 'removed'
[06/Jun/2006 20:43:18] "Web" method = 'GET', url = 'www.google.com/complete/search?hl=en', subj = 'referer', value = 'http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=does+sunbelt+kerio+personal+firewall+need+network+connections+service&btnG=Google+Search', action = 'removed'
[06/Jun/2006 20:43:28] "Web" method = 'GET', url = 'www.computergripes.com/keriofirewall.html', subj = 'referer', value = 'http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&hl=en&q=does+sunbelt+kerio+personal+firewall+need+network+connections+service&btnG=Google+Search', action = 'removed'
[06/Jun/2006 20:43:29] "Web" method = 'GET', url = 's93548071.onlinehome.us/gripefooter/grfooter.php', subj = 'referer', value = 'http://www.computergripes.com/keriofirewall.html', action = 'removed'

If you think that’s bad, it actually is much, much, worse...I just don’t see the need to go beyond this point. You either share my concerns, and takes whatever steps to protect your privacy or you don’t.


-HandsOff


P.S. - No, I haven't contacted Sunbelt yet, and yes I will, but I actually wanted to put the info out so that in the mean time others could do some damage control if it is import to them.

 

Why not just set you're log file size to 0? Or am I missing something?

 

Which log are you talking about. The only relevant one I can find it khips.log and that does not contain the same sort of info.

 

Well as I said, the problem is: when I looked in the log contents using the user interface they were all empty. More than that, in the interface only five separate catagories of logs are listed (Network, nips, hips, behavior, and web). When you look in the folder there are actually nine different catagories that are logged (debug, error, hips, ids, khips, network, system, warning, and web) that are logged. That just seems weak. How do they expect you to know the other four are there?

I will eventually do as you suggest, however know that I've found them, this is like a new resource to me, and since they are not empty they are of interest.

After re-installing, and running the program for a few ours, inspection of the log files has the following results: in the UI the first four items say that there are no items in this catagory to display, and the last one, "Web", does show 31 items and seems consistant with the one viewable in the folder. The most interesting deviation is "khips.log" which shows some puzzling entries that I need to figure out. for example:

6.6.2006 17:17:17 HookPatchMemory: Invalid memory pointers as arguments
6.6.2006 17:17:44 NtkOpenProcess: Unable to open process: pid: 0x0, status: 0xC000000D

All in all, this log thing might not be so bad. Questions remain. do you have any control of the logs that aren't listed? will their size be zero when you set the one's in the ui to zero....but definitely you might want to check just to make sure you want that data just sitting there. my former (much maligned) firewall encrypted the logs so it wasn't something you really had to watch like a hawk.

-----------------

No comments about S-K taking it upon itself to change my start up and recovery settings? Really, am I being unreasonable here? I don't even think Microsoft screws with these settings once the user has set them. and with good reason. the computer user should have a choice about sending reams of information about his computer to anyone on the internet. If Microsoft just stepped in and changed those settings then started sending huge files to themselves, I bet that would not go down so nicely.

BTW, did I mention the when I re-installed, SKPF changed the settings again? Also, in one other situation. Never asking at any time for permission to create these files. From a program that is supposed to protect your privacy?

Am I missing something


-HandsOff

 

hi djg05 -

that one is the web log. I was really sort of startled by the detail of the logs, and of course the fact that i did not know of their existance. Maybe its working now though. Maybe its just me, but I'd like to see the logs encrypted and accessed through the user interface (which can be password protected). Maybe it's just because that's what I am used to.


-HandsOff

 

I that log (khips.log) the following is typical of the contents and pretty meaningless to me

>4.11.2005 21:09:39 NtkOpenProcess: Unable to open process: pid: 0x888, status: 0xC000000D
4.11.2005 21:21:44 NtkOpenProcess: Unable to open process: pid: 0x924, status: 0xC000000D
4.11.2005 21:31:00 NtkOpenProcess: Unable to open process: pid: 0x970, status: 0xC000000D
4.11.2005 21:45:54 NtkOpenProcess: Unable to open process: pid: 0x520, status: 0xC000000D<

I have 4.2.2 and in free version status.

 

Just to give closure to anyone interested in the memory dumps setting issue, here is the response from Sunbelt:
***************************
No private emails posted on the forums please. - Ron

***********************************

Well, there you have it, and I guess its considered okay for
the software to change these settings and not let you know.

Persnonally, I don't agree. For all they know you may be screwed if you have a 1.2 G.B file written. You might not have it to spare, it might cause fragmentation, whatever. But I'll just let this one go. I am really starting to not like this firewall, for a variety of reasons. I'm looking to try something else!

-HandsOff

 

In other words, if you simply load and forget like the average user then SK will be able to collect a nice history file from your machine when it crashes. Sounds like rather thinly disguised data mining to me.

 

Hi Doug!

Always nice to meet another pragmatic soul, such as myself.

To all concerned, I'm sorry I slipped up. I didn't reallize it was against the rules, and I just did not want to misquote anyone. As to the issue of data mining, sort of...There's a good chance that they really need the information. S-K is earning a reputation as a crash prone program, and obviously they want to change that. It could in the end just be a case of sloppiness. And I don't hate the program, or anything....yet...

When you install Sunbelt Kerio personal firewall their is a check box right alongside "automatic updates" that is check to allow crash dumps, and yes, it is set for allow, by default. I'm actually not too bothered by that, the request is there, and I can uncheck it if I wish (assuming I notice).

The thing I want to be very clear about is this: You can uncheck that box, but you should understand that the setting has already been changed on your computer (go to start, right click my computer > properties > advanced > crash and burn (or whatever they call it). Unchecking the box in kerio will not revert this to no dump, or small dump, if those were your chosen settings. So guess what? next time your computer crashes, it's going to compose a record that could exceed 1 GB in size, and lord only knows, there is a very strong chance that information could end up communicated to someone not even related to the software that was the entity the caused it, and did so without the user's consent.

Just and example scenario: Kerio sets up dump. User sees box in Kerio and unchecks it and thinks its a dead issue. some windows component crashes. Kerio does not get the info, user has not authorized it, it is all sent to Microsoft! Nice, huh?


-HandsOff!

 

1 GB of dump- are u sure? Sorry to say, it seems insane, how can be crash dump so big.
BTW, this problem is there with the Kerio version also or only with Sunbelts, version.

 

This would depend on windows settings and size of installed memory (win setting: Full memory Dump)

 

I am repeating what sunbelt Kerio said. Up to 1.2 GB is what they actually said. And I sort of felt that sounded sort of rediculous.

Anyway, I have read that the latest version is having this problem. And actually there are a couple mitigating factors. I have more reservations with their way of putting their needs before the needs of the end user. I could be more forgiving if this was a pinball program or a word processor, but this is a security program. They are supposed to be protecting privacy, Right?

And then top it off by pretending you are too stupid to understand what I was trying to point out to them....For Their Benefit, Not Mine! I understand the issue, it is easily negated. I wanted let them know their policy is irresponsible. Maybe they are just trying too hard.

- HandsOff

 

Kerio was bashed without mercy when they came out with V4. They did manage to fix most of the bugs but by then it was too late - like a 67 Corvair. I think that is why Kerio dumped it.

One thing that has always irritated me about AV's and firewalls is the cryptic user interface and pathetic documentation. I've been using KPF V4.0.8 since it was released in 2003 and I still don't know how some things work.

Your experience with the crash dump issue is an example of what I mean. Security software is supposed to make you feel secure. Finding this kind of thing happening in the background is not reassuring. Plain English documentation that explains the process would go a long way toward inspiring some confidence.

 

I totally agree! It's as though they are describing the installation that would be the simplest, and result in the fewest emails to support.

I am thoroughly discusted by the the constant repetition that "Advance mode is not for beginners..." Screw them! How do they guess a beginner becomes a knowledgable, competent user? I'm guessing it is not through smug, self-serving paternalistic put-downs.

As soon as I figure something out, I think...Why didn't you just say so!

I also believe that .chm and .htm help files are basically bad signs. a pdf can be viewed as a whole, pages can be accessed directly by page number. Do these writers really think I want to spend my life searching for terms and guessing what index applies? It's a real shame that there is no correlation between worth of a product, and usefulness of its documentation.

A computer program itself, it the epidemy of structure and organization. You'd think that would allow for the same approach in documentation wouldn't you?!

P.S. - A confession: I re-installed because I wanted to compare (the stability of) the simple mode and advanced mode. Ha, ha, the jokes on me! you do NOT have to re-install to change modes. If you know why, (it is in the manual, somewhere) is makes the distinction between the two modes all the funnier!

-HandsOff

 

There was a time when all software documentation was horrible. It was bad because it was written by the same people that wrote the software. People that understand computers often don't understand people.

Good AV's and FW's mostly come from small companies that can't afford a tech pubs department.

I believe one reason for Microsoft's success is the effort they put into writing good manuals in the late 80's.

 

I will repeat my Q.

 

Sorry agaile - I cannot answer, since I only have this version.

Doug --- I am surprised by your assesment. Maybe it's just me, but considering the astronomical cost to develope code (where I once worked (not the most efficient place in the world) the director of software engineering said it cost about $200 per line of documented code to develope a program. Now, try to imagine all of time and expense to write a firewall program....How could you turn around and negate all that time and money by not hiring someone to put together a decent (not htm) manual? It seems like suicide to me!

BTW - I am not a big fan of microsoft manuals. Ironically the docs I like (like for User Profile Hive Cleanup) seem to be written by, you guessed it, the person working on the program).


-HandsOff

 

Thats one thing I never have liked about some of the firewalls. Is all the logging that is done anymore. Outpost Firewall does a lot of logging also.

I guess its supposed to be for our benefit, but I'd rather not have it. I tried setting Kerio to 0kb, but it still logs, although its much smaller. I'm not sure if its temporarily writing to the disk or not. But I think its just stupid to log web surfing.

 

If one does not like all the logging then one simply turns it off. Outpost Firewall has a simple check to disable the logging (tools menu). Version 3.5 added the capability to "do not log this activity" for individual rules and an option to log NetBIOS broadcasts for a local host or subnet.

 

I agree it is stupid! However, I have not determined that Kerio still logs when you set log size to zero. We have to make a distinction here between the display within the user interface and the actual text file of the log which is kept in a subfolder of Sunbelt in the Program Files folder.

My objection to those files (which doesn't seem to bother anyone else, I've noticed) is that they are not encrypted or protected in any way, and that seems reckless to me.

Since it is a new program I have been letting it (recklessly) log events so that I can check if it is doing what I think it should be doing. I am sort of a firewall newbie myself, however what does this mean (it is right beneath the box where you set the logfile size limit:

Log to syslog (checked by default)

I am just guessing, but some things will be logged (maybe in windows event viewer) though probably not network traffic, I would hope. Anyways, I just unchecked that, and set log size to zero and I guess I will see what happens...BTW...Thanks for reminding me it was still logging


-HandsOff

 

Penny-wise and pound-foolish is one way of looking at it. Small companies are run by the same engineers that do the programming. And engineers hate documenting their work.

I once worked on a team that had to reverse engineer our own company's designs. The customer refused to pay the last $2M until they received documentation for a project we delivered four years earlier.

 

I can guess what a nightmare that was. I only wrote programs and games for my own use, and still I remember being completely puzzled looking at my own programs a few weeks later. And I thought I was making it "self-documenting" with meaningful variable names and modular design.

All that aside, I have long believed that most large high volume commercial programs have a carefully designed learning curve and shelf life. There are a couple of big plusses to making programs "just hard enough" to learn. The most obvious is the demand it creates for training courses. Since I enjoy tales of largess, think about this one. Our company paid $300 per person for a training class that took one day off site (a few miles away). There were about 15 people per class, so...$4,500. Your going to love this: The instructor was paid half and her employer received half. If she worked anywhere near full time, she and her employer were each making over $500,000 per year. But I'm guessing that is not the main reason...


-HandsOff

 

This may be a new low...Quoting myself! anyway, to follow up, after I set my log size to zero it was surprised to see that it did indeed continue to write to the text file logs in its log folder. However, when I restarted the files were deleted.

The logs in the user interface continue to be written to, however there is a separate "clear" button to clear them. I guess that one would need to clear these logs coninually, though they probably have a small size limit...However...they do go back beyond the last reboot and so I think I would have to say that this has the potential for being a nuisance to someone who is not wanting to leave tracks (though less so than the text files. I have to guess again that you could password protect these if you password protect your settings with that option, Can users of the free version do this?

This is getting to be a lot of questions and actions to take in order be sure you are not leaking internet tracks like a sieve.

In my view it should be the other way around, but, this is the annoying trend with programs it seems. I mean what is so damn hard about, ...oh....say...a checkbox for "enable logging" and then not logging and also clearing the data in the UI logs based on that? So advanced its simple...and highly unlikely.


-HandsOff