Private Firewall Updated (again)

Discussion in 'other firewalls' started by Scoobs72, Dec 9, 2010.

Thread Status:
Not open for further replies.
  1. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Forgot to mention (as I'm sure you know but perhaps others may not) that to achieve that 91% score Matousec does not use the "default" settings.

    One has to set the Internet & Network security to "high", make the local networks "untrusted" (at least that's what I do), set the program to "manual" and disable "auto-response", and make sure that you tick the box to be alerted to all "new" outbound connections.

    Finally, the "Process Monitor" must also be set to "High".
     
  2. guest

    guest Guest

    I have seen that pf comes with rules (quite detailed :thumb:) for many programs by default, like a local whitelist; I have also seen that there is a trusted vendor list.

    So is the difference between the manual control and the standard control that the manual does not use these predefined rules?

    Does it give many popups with the process monitor at maximum compared with the default?
     
    Last edited by a moderator: Jun 23, 2011
  3. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I believe you are correct and that you must answer the pop-ups and have the program remember what you allow as opposed to relying upon predefined definitions.
    Standard control also utilizes auto-response which gives about 30 seconds to allow or deny or seek further info before the rule is implemented by the program (whether allow or deny).
    I use "manual" without auto-response though you can also leave "auto-response" enabled for applicable scenarios.

    Their User Guide is probably the best resource to fully answer those questions.

    I haven't found the pop-ups too taxing by and large. (And I always make sure to export my settings for future use.)
     
    Last edited: Jun 23, 2011
  4. guest

    guest Guest


    Thanks, but what is the "enable process detection" for? Does it only work when the training mode is active?

    I can't find the answer in the help file.

    I see now that the predefined rules that I saw are a product of the automatic training mode during the first start of PF.
     
  5. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I have the Process Detection feature enabled without ticking training mode.
    (It is not required and I know that Greg personally is not a fan of training mode for his own usage from what he has told me in the past.)
     
  6. guest

    guest Guest

    OK, but what does this setting do when the training mode is disabled?
     
  7. guest

    guest Guest

    I like how this HIPS works: in the standard mode it works like Comodo with the trusted files (or vice versa), so you can avoid a lot of popups.
    And in the manual mode you have full control, like the paranoid mode in Comodo.

    I also like how fast you can access the most advanced settings for each process.

    Although it needs more RAM (not a problem at all), it's extremely light and the interface is fast.

    I'm happy to see that there is a real alternative to Comodo HIPS+Firewall, so when I get tired of one I can change to the other :D
     
  8. guest

    guest Guest

    I have been playing with Private firewall on win7x64 using these settings:
    Internet Security: High
    Network Security: High
    Local Sites: "Untrusted"
    Manual Control Mode
    Disable Auto-Response
    Alert to all new outbound connections
    Process Monitor: "High"

    Using the Comodo leak test, the score was 250/340.

    Then I tried with the SpyShelter test. I just allowed the first popup, requesting to execute the process (I marked the remember box), and then I checked in the process monitor that all the rules for the test file were set to "Ask". Then I started the different leak tests and Privatefirewall wasn't able to block any of them.
    Then I blocked the first popups and still the SpyShelter test was able to open and Privatefirewall wasn't able to block a single test.
    In one last try I set all the rules to deny, I opened the SpyShelter leak test, I pressed block on 1 popup of Privatefirewall, and still Privatefirewall wasn't able to block any of the leak tests.

    All my other security apps were disabled.

    Has anybody had the same experience under win7x64?
     
  9. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I can't answer your questions (I run XP Pro) but I would urge you to share your info with support at Privacyware.

    You will get back a quick and helpful reply from which you can explore your options.

    I know that Bill (Bellgamin) stated that he ran the SpyShelter tests on his XP setup and PF nailed them all.
     
  10. guest

    guest Guest

    Yes, I'm already in contact with the pf support; they are quite fast.
    Probably the protection in x64 is not as good as in x86, as usually happens with most HIPS. Let's see if they can fix it.
     
  11. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    704
    Location:
    EU
    I've experienced PF + SpyShelter on W7 x64; of course you must run the Premium version of SpyShelter.

    After a couple of days I uninstalled SS because I noticed some slowdown of my PC, and I think two HIPS is a little bit too much.

    So, afterwards I tested PF with the SpyShelter test and got the same result as guest: it failed.

    Maybe the PF keylogger module protects only the x86 environment on an x64-based PC, and I think Kernel PatchGuard on x64 is the major problem.

    PF is installed in Program Files (x86) on a 64-bit system.

    Rules.
     
  12. guest

    guest Guest

    Yes, and it also fails the Zemana tests available on the website on win7x64.
    They told me that they are looking to add webcam and sound protection, and they may take a look at the Zemana and SpyShelter failures although it was not in their plans.
    It is probably an issue of the x64 version only, but it is almost like being without HIPS.

    For now I have uninstalled it.
     
    Last edited by a moderator: Jun 25, 2011
  13. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I'm using Windows 7 64bit too, so I hope this gets sorted out.
     
  14. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    You must remove the Zemana signature from the "Trusted Publishers" section. Then it can pass all Zemana tests except webcamlogger and soundlogger.

    I removed the whole Trusted Publishers list, reset Privatefirewall and opened Google Chrome; it didn't allow Google Chrome an internet connection and it didn't show any popup about the internet connection. Some odd behaviors. And I tried the GRC firewall leaktest: its HIPS sometimes alerted me, its firewall sometimes alerted me, sometimes it passes and sometimes it fails. That's why I uninstalled Privatefirewall and went back to Comodo. Sorry for my English.

    Edit: my OS is Windows 7 x86
     
    Last edited: Jun 25, 2011
  15. guest

    guest Guest

    I wasn't using the Trusted Publishers list while I was testing them. I was using the best settings recommended by the pf dev to test the HIPS, and those settings don't use the Trusted Publishers list.

    Right now I'm using SpyShelter, which is able to block any publicly available leak test (Comodo, SpyShelter and Zemana).
     
  16. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I've used SpyShelter in the past and it seemed like it had some nice features.

    However, after having removed it I tried to reinstall it (a second and later a third time) and it continually prevented my keyboard from operating (amongst some other issues). Glad it's working out for you. :thumb:
     
  17. guest

    guest Guest

    You can report the bug/problem to ss support if you want.
     
  18. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I believe it was reported at the time.

    I'm not gonna try my luck again, however. I intend to leave well enough alone since everything runs and plays nicely on my system as currently configured. ;)
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I again ran the SpyShelter & Zemana tests against PFW. Again, it passed all except webcam & sound. I also ran these tests against Outpost, which I keep on a separate image. OP also passed.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    In checking a FW's ability to pass these tests, I had to be careful as to how I responded to alerts...

    + If I responded "normally" (see Note 1 below) to the FW's initial alerts, the FW put the entire test into purgatory. This meant the FW passed all the tests because I made it refuse to play.

    + If I carelessly did a "remember this" Allow, or put the FW into training mode when responding to any alert, the FW put the entire test into a "let it do what it wants" status. This meant the FW failed all the tests because it believed the test was a trusted app. Once I carelessly got a POC test into trusted status, I had to dig around a bit to discover how to revert the test to UNtrusted status.

    + In other words, I had to carefully read the DETAILS of FW's alerts & reply in such a way that I only disallowed the truly nasty actions ONE time or else I could throw the entire test into purgatory. And vice versa!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Note 1: In the real world, if these POCs were REALLY malware & not just toys to play with, they would have been killed upon my seeing the FW's first alert. Any app that tries inappropriately to elevate its privilege, or open a channel, or mess with memory, etc, is DEAD on first blink. I do not wait to see what the little bugger is up to. Thus, in order to play with these POC tests, I must react differently to my FW's alerts than I would do in actual daily practice.
     
  20. guest

    guest Guest

    @bellgamin your OS is x86, right?
     
  21. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I fully concur, Bill. During the course of any normal activity on the net or elsewhere...if I am not intentionally installing, upgrading etc., any such alert out of the blue will be met with a very jaundiced eye. :thumb:
     
  22. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    @bellgamin, I know how to use Privatefirewall. Let's say I made a mistake from the beginning while I was doing the test. But I put it right after that. I was using manual mode. I can assure you that Privatefirewall has some odd behaviors. And I definitely assure you that I know how to use it.
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Yes, I still run XP 32-bit.

    Daffynitions:
    Bit: 12½ cents
    32-bit machine: a computer selling for $4
    64-bit machine: a computer selling for $8


    I'm glad that you do. I was merely reciting what I learned from my own first/fumbling experiences in using POC tests -- because many new PFW users ( or potential users ) visit this thread from time to time.

    The problem with learning by experience is that you get the final exam BEFORE the teacher gives you any instruction.
     
    Last edited: Jun 26, 2011
  24. cm1971

    cm1971 Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    727
    I have a question about learning mode. I know when you install PFW it goes into learning mode for ten minutes. I opened everything on my computer during these ten minutes to keep from getting pop-ups. I rebooted the computer and immediately started getting pop-ups for apps I had already opened. So what is the point of learning mode? It doesn't seem to be remembering what I do, so maybe I am misunderstanding the point.
     
  25. guest

    guest Guest

    I have been talking with the Private firewall workers. They have told me that they will take a look at all those failures in the x64 version in the Comodo leak test, SpyShelter test, and Zemana tests, since it fails in almost all of them, and they will try to make the x64 version as good as the x86 version.
     