There is a blog posting floating around to the effect that the developer got hacked, I assume using the WIN firewall, and he created GlassWire as a result. Probably its best features are just that: adding security missing from the WIN firewall. Those are, specifically, the various real-time monitors listed below:

System File - any changes to the hosts file.
Device List - any changes to network devices or drivers.
Application Info* - program version, publisher, certificate, or .exe changes.
ARP Spoofing - MAC address changes.
Proxy - any changes to existing proxy servers.
DNS Server - any DNS IP address changes. Don't think this covers any redirects?
Suspicious host** - any application Internet connections to a suspicious host.

* - this appears to have some type of HIPS functionality along the lines of AppGuard, WinPatrol, and the like.
** - haven't seen any alerts from this one. Suspect their blacklist is a work in progress. Nowhere close to that present in Emsisoft's web shield.

I haven't seen it miss a dial-out with alert yet. Showed me connections I didn't know of previously, such as a dial-out at start-up of Process Explorer - go figure?

Also, this approach of monitoring w/alert and logging of outbound connections is a sound one. Gives you time to research a connection before deciding to block something.

Do wish it would show the service that svchost.exe was using at dial-out, but that one is tricky to implement. Maybe he can get together with the developer of Windows Firewall Notifier, who appears to have cracked that nut?