SS's FW compatibility list and email scanning issues

My search for a good no hidden phone home FW continues. ZA Pro was eliminated in favour of CFW 2.4. I pulled CFW off my PC because it keeps fouling up my rules so I have temporarity put PC Tools FW Plus v25 in to ensure I have a FW. It is being developed in the "lab" so we can view it as a beta. I just found this list from Webroot so lets start with this one. Note PC Tools not on the list no doubt beta's are excluded as they should be. (IMHO). It's interesting the Webroot's own desktop FW is not mentioned. I tried it and it made my system unstable so I got a refund!

The following Firewall products have been tested by Webroot Software Inc. for compatibility:

Norton Internet Security 2007 rejected ( bloated)
McAfee Total Protection 2007 rejected ( bloated)
Windows Firewall (XP version rejected as a IN only 1 way FW)
Zone Alarm (rejected, due to hidden phone homes)
Trend Micro's PC-cillin
Panda AV + Firewall 2007
Sygate
Kerio Sunbelt
Armor2Net (omitted by technology or my error!)
Tiny (CA)
Commodo (testing of 2.4 deferred till V3 released)
AVG Internet Security

This produces my (mine, not yours ) shorter list:

1. Trend Micro's PC-cillin
2. Panda AV + Firewall 2007
3. Sygate
4. Kerio Sunbelt
5. Tiny (CA)
6. Armor2Net
7. AVG Internet Security

So, here is my question now to Stem and other open minded posters, which of these 7 meet the following criteria:

1) No hidden phone homes to the mother ship even if OFF options on auto updates are applied.
2) Solid 2 way FW for outgoing and incoming packets.
3) Stable and actively supported by vendor
4) Can easily backup rules and settings without reverting to a special script
5) Placed the router/modem in the "internet zone"
6) Allows user to apply universal blocked sites by table list that applies to ALL applications
7) Can allow disallow application access BY application browsing or scanning
Other, that I have forgotten


WEBROOT EMAIL SCANNING, FIREWALL WORKAROUNDS

The following email scanning work arounds were provided by Webroot. They are off interest to me since my BD assumes euro standard ports for email in out that differ from my ISP and I have to use SS to check outgoing email for me

"Some personal firewall applications may block Spy Sweeper connections, and one may not be able to send/receive E-mail messages. In this case, the user can try the following to troubleshoot the issue:

If the personal firewall provides whitelisting capability (the addition of Trusted programs), SpySweeper.exe and SpySweeperUI.exe should be whitelisted (Trusted and granted bidirectional access).
Uninstall the firewall product and then re-install it after the installation of Spy Sweeper (the order in which the products are installed may cause conflicts).
Disable the personal firewall (this may be a component of a larger suite). Only perform this task if a different firewall will be turned ON in place of the one that was turned off (such as enabling Windows Firewall if disabling a third party firewall, or if your computer is behind a router capable of providing firewall protection).
Disable Spy Sweeper's E-mail Attachment Shield if necessary. This can be done in two different ways, the first approach will literally turn the shield off while the second approach will render it incapable of accessing the commonly used e-mail ports:
To completely disable the E-mail Attachment Shield, follow the directions below which will result in a "X of X Recommended Shields OFF" message:
Open up Spy Sweeper and go to the E-mail Attachment Shield tab.
Remove check box from shield to disable.
To prevent Spy Sweeper from accessing the commonly used E-mail communication ports (25 and 110) for POP3 and SMTP traffic, follow the directions below. This will prevent access to these ports and render the shield inoperable (unless using AVG). Please be cautious when performing this change since no warning message will be presented that this shield is essentially OFF:
Open up Spy Sweeper and go to the E-mail Attachment Shield Options.
Change to the POP3 port from 110 to 10110, and SMTP port 25 to port 10025.
Modify the POP3 and SMTP ports used in Spy Sweeper's E-mail Attachment Shield to redirect communication to allow the shield to scan e-mail communication that may not be on the common ports of 25 and 110 (for example AVG redirects traffic from POP3 port 110 to 10110, and SMTP port 25 to port 10025, and the E-mail Attachment shield in Spy Sweeper will need to be modified to use these new ports). "

 

hi Escalader,
have you tryed online armour firewall?
http://www.tallemu.com/powerful_windows_firewall.html
lodore

 

Hi Escalader,

I have just installed Webroot Spy Sweeper with Jetico1, no compatibility problems.

Are you aware that Spy Sweeper, with default installation, will send back sweep reports to Webroot?

 

Hi Lodore!

No not yet but Shep suggested it as well! (i think) and if it is the same Stem had a thread on his work which I have yet to review! I'm trying to reduce my short list by exception getting rid of FW options if they are INCOMPATIBLE with SS 5.5 and BD 10! Can you confirm that? This is NOT a challenge just a tech question.

Is online armour firewall = Armor2Net on SS list? Is that the same as item 6 on my post? Sorry to be picky, but I like to know before throwing myself off the dock if there is water in the lake!

 

You could take a look at Outpost Pro.

And no, Online Armor is not the same as Armor2Net.

 

Hi Escalader,

Compatibilty between SS and OnlineArmor would need to be checked, as SS injects its own code into all running processes, and the last time I installed OA, this did the same.

No

 

Hi Stem:

Good, I will add Jetico to my short list. I posted my FW list question over on BD forum if you are posting there you may see that.

BTW just to be sure are you using SS 5.5 with AV option?

I have SS auto update turned off! Will that "stop" the sweep reports?

I was aware from other sources as well that SS might phone home how do you prevent that? I posted a series of questions on their technical support asking for the minumun set of hosts to allow for updating. All I have back is the list off SS applications to allow. I have allowed 2 of 3 so far not the third but they failed to answer or miss read my ticket. I attach the jpg I gave them for comment form you and the posters here ( it is from CFW 2.4 connections list)

 

No, I installed without AV

No, the "send reports" is an option within the custom installation, which I disabled. I did not look for this option within SS after installation. I have removed SS as it was making constant DNS lookups for site ref

 

Whoa... thanks Stem at a minimum I will uninstall SS, reinstall custom without the AV and the send reports feature.

What would be some possible reasons for SS to make site references? That flys just over my head, it sounds bad from an outbound control pov or is it just stupid programing and inefficiency?

 

I will re-check, but it is either lookups for its known "bad sites" (site blocker), or a check on the IP`s for the hosts file. (I will setup on a VM to re-check).

 

That's great Stem, there is no substitute for doing the actual tests as you do!

While waiting, I'll proceed with the custom reinstall of SS.

More later.

 

Stem:

Here is the answer to my question about BD 10's compatibility with other FW's

"Hello Escaladar

There isn't a list available. Till now there aren't any conflicts reported with other firewalls. Only that they weren't configured to let BitDefender update. That is only for BitDefender Antivirus 10."

 

Why does SS inject "dll's?" into every running process? Do other ASW's do this?

What is OA? a FW and a HIPS combo?
Rats! I think I'll revert to the revised current short list:

This produces a revised shorter list: all reported or tested compatible with SS.

1. Trend Micro's PC-cillin
2. Panda AV + Firewall 2007
3. Sygate
4. Kerio Sunbelt
5. Tiny (CA)
6. Armor2Net
7. AVG Internet Security
8. Jetico1

 

It does not inject a dll, it makes direct memory access and writes to other process memory with own code (it is normally decribed as "inject own code"). I see this with quite a few programs like SS.

Yes. I think having OA and SS installed would be overkill, and there may be underlying conflicts.
___________________

As for the DNS lookups, I can confirm this is checking the IP`s of the site entries in the hosts file.

As for outbound attempts by SS. This checks for updates on installation (72.5.172.201(products.webroot.com)). On reboot, there is attempt to connect to "verisign" (12.158.80.10 / 199.7.51.190 (crl.verisign.net, crl.verisign.com), this is just for signature verification. There was then another attempt to check for updates (64.78.182.201(products.webroot.com). After I disabled auto updates, these update attempts have stopped.

 

Here is my unordered "longer" short list. With the exception of #1 which I don't know yet, they all are indicated compatible with SS 5.5 and BD 10.

1. Outpost Pro ( does it play well with SS?)
2. Trend Micro's PC-cillin
3. Panda AV + Firewall 2007
4. Sygate
5. Kerio Sunbelt
6. Tiny (CA)
7. Armor2Net
8. AVG Internet Security
9. Jetico1

Stem et al: Which of these would you drop from this list given my boring and repeated concerns

1) No hidden phone homes to the mother ship even if OFF options on auto updates are applied.
2) Solid 2 way FW for outgoing and incoming packets.
3) Stable and actively supported by vendor
4) Can easily backup rules and settings without reverting to a special script
5) Placed the router/modem in the "internet zone"
6) Allows user to apply universal blocked sites by table list that applies to ALL applications
7) Can allow disallow application access BY application browsing or scanning
Can place rules on it's own application! ( recent Stem point)

 

As you have posted, there are no known (reported by vendor) conflicts with BD and firewalls (I would not really expect to see such problems unless a local proxy (and/or network driver) was installed by the AV,.. such as we have seen with KAV)

Needed, I, and others should expect rules by user to be enforced at all times

Most do now have an SPI and/or filter. Filtering of packets is needed, and personally expected.

Stable yes, but actively supported? We can look at Jetico1 or kerio 2, both no longer updated, but both with good filtering. I agree both have some shortfalls, but the user can add HIPS to these without much(or even any) conflict

This is a "must have"

There should be no problem if you do this. If a need to place routers/networks/servers into a trusted zone is needed just to enable internet connection, then this shows problems.

A "block" zone, yes, there is need for this (IMHO)

I am not 100% sure what you mean,... is this whitelists/blacklists?

Yes, certainly,.. I know of no firewall that actually requires direct internet access to function. (apart from such as KISS, and as hard_coded rules,... another suite I would not use)

 

Stem, Right, my number 7 was poorly phrased, it was so simple I screwed it up! All I wanted to say was when selecting applications to allow/block the FW tool lets me browse the program list to find them!

If I now accept the revised criteria, removing the actively supported point for reasons you gave, NOW here it comes:

Which FW's from my list survive after applying these criteria? or if it is easier which do not survive? I will try out the surviver(s) and report back to the forum on results good or bad as always.

 

IMHO, out of your list, 1 / 4 / 9 (but I would have to check compatibility with 1 / 4) add kerio 2

 

Hi Stem:

Thank you AGAIN.

A couple of clarifications please

These are the survivors in your opinion after all MY criteria are applied?

I only say MY to avoid posters assuming they are general purpose criteria unless in your view this "MY" is not required! In my way of thinking they should be general purpose but I have no desire to put you into that spot.
Your call of course.

Some posts back, 4, sygate was listed (by me) as tested okay for compatibility with SS, or are you in verification mode on that? 1 and 9 were not on their list.

Is kerio 2 not the same as 5 kerio sunbelt? just the latest version?

Given all that I seem to be left with:

1. Outpost Pro ( does it play well with SS?) survivor
2. Trend Micro's PC-cillin
3. Panda AV + Firewall 2007
4. Sygate survivor
5. Kerio Sunbelt
6. Tiny (CA)
7. Armor2Net
8. AVG Internet Security
9. Jetico1 survivor
10. kerio 2 survivor

With only compatibility with SS to be verified for 1 /4 / 10?

 

Hi Escalader,
I am going of your setup. With SS and BD installed (and behind a router/Alpha shield) I really dont see a need for a firewall with too much added on top of application/packet filtering. I havent done much testing with SS/BD but my thinking is just to just add a packet filter and you should be OK (less chance of problems/conflicts with SS).
Kerio2 is an application/ packet filter, I thought to add this as I cannot see this conflicting with anything on your setup. There is a need to set rules, but there are quite a few still using this, so if you where to use this, then you would find quite a few members replying to any question you have. It does not fit all your criteria, but I know it works quite well.
If Outpost is not on SS list, then remove this.

 

Okay Stem, thanks for all your help as usual you went way beyond the call of duty!

It was a good thread using criteria for vendors and a user and testing to reach an outcome! A bit of work though to say the least!

I will try out Kerio2 while waiting for CFW V3.

Comodo has a huge opportunity IMHO to match or exceed ZA's design models by producing a no secret phone homes, (trusted) layered, free easy to set rules FW. Waiting for something like that is well worth it!