GlassWire

Discussion in 'other firewalls' started by Feandur, Aug 23, 2014.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    There is a blog posting floating around to the effect that the developer got hacked, I assume using the WIN firewall, and he created Glasswire as a result.

    Probably its best features are just that; adding security missing from the WIN firewall. Those are specifically, the various real time monitors listed below:

    System File - any changes to the hosts file.
    Device List - any changes to network devices or drivers.
    Application Info* - program version, publisher, certificate, or .exe changes
    ARP Spoofing - MAC address changes.
    Proxy - any changes to existing proxy servers.
    DNS Server - any DNS IP address changes. Don't think this covers any redirects?
    Suspicious host** - any application Internet connections to a suspicious host.

    * - this appears to have some type of HIPS functionality along the lines of AppGuard, WinPatrol, and the like.

    ** - haven't seen any alerts from this one. Suspect their blacklist is a work in progress. Nowhere close to that present in Emsisoft's web shield.

    I haven't seen it miss a dial-out with alert yet. Showed me connections I didn't know of previously such as a dial-out at start-up of Process Explorer - go figure?

    Also this approach of monitoring w/alert and logging of outbound connections is a sound one. Gives you time to research connection before deciding to block something.

    Do wish it would show service that svchost.exe was using at dial-out but that one is tricky to implement. Maybe he can get together with the developer of Windows Firewall Notifier who appears to have cracked that nut?
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Correction! Dang, I was looking at peak memory usage. It actually uses around 38 MB + 5 MB for conhost.exe when idle. Strangely its memory usage drops to 12K when browsing? A bit more acceptable. I corrected my prior posting.

    What is a bit strange is both the monitor and service are using quite a few WIN 7 crypto modules. Makes me wonder if it is decrypting SSL browser traffic? Hopefully, that activity is just for site certificate checking.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    So what is the verdict? It seems like you're quite positive about GlassWire overall, do you recommend to install it? I'm currently using Win Firewall Control 4, I'm quite happy with it, but I do miss having a quick visual view of allowed and blocked apps, like I had back in the days with ZoneAlarm.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I uninstalled it. Actually uninstalled clean. You do have to reboot to get its legacy driver entries out of the registry.

    Just couldn't live with relatively new and obscure software running a local host proxy on my PC and filtering all my Internet traffic through it. That's way too much power for my liking.

    Also the proper place for network filtering add-ons is to include them with your network adapter files.

    It is a nice tool to install and use to check out suspicious traffic but see no need to keep it permanently installed. Overall, TCPView takes care of most of my needs.

    - EDIT - I did have to reset the WIN 7 firewall back to default values to get rid of the Glasswire program from it although I had scrubbed my registry of refs. to it previously. Probably a good idea just to reset the firewall anyway to play it safe.
     
    Last edited: Mar 22, 2015
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    OK thanks, for now I will stay away from it. BTW, do other firewalls do the same thing?
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I know Avast used to and I assume still does, but not sure, for its web filtering processing. It was a hot topic in their forum since it caused problems with most firewalls at the time. Rules had to be created to allow for it in those firewalls.

    Also rules have to be created in the WIN 7 firewall; Glasswire added one for its inbound and outbound processing.

    - EDIT - Another interesting observation is I have UAC set at its highest level yet the Glasswire installer was able to modify my WIN 7 firewall settings w/o a peep from it.
     
    Last edited: Mar 22, 2015
  7. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    So bad it doesn't work on Windows Vista :( Any similar program recommended? I find GlassWire interesting but....
     
  8. Not quite the same, but have a look at crowdinspect http://www.crowdstrike.com/crowdinspect/
     
  9. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    Thank You. It is a great tool but doesn't have IP geolocation service in GlassWire.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Gonna try this out, especially since I have a data cap now.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Just tried it out. Nifty little app that doesn't install. Would classify it as a jazzed up version of TCPView. It has no firewall functionality whatsoever like Glasswire has.
     
  12. No it checks outbound process at VT and for dll-injection (and checks reputation at MHR and WOT)
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    But I assume it doesn't block anything like full version of WOT does? Would be great if it did for .dll injection at least.

    -EDIT- Also CrowdInspect dials-out to home on port 433 at start up.
     
    Last edited: Mar 30, 2015
  14. No does not block anything, just analyses
     
  15. 142395

    142395 Guest

    Proxy based monitoring won't be intrusive unless they use MITM for SSL/TLS connection, and if they do you can see its cert in your SSL connection. Kaspersky and many other AVs or parental control/web filtering programs also rely on proxy.

    The program itself seems interesting and useful, but I'll wait until it (& dev) establishes robust reputation and product matures.
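
    Added example, not part of the post above or of GlassWire: one way to check the point that an intercepting local proxy shows up as the certificate issuer, by comparing the issuer seen on this machine with one recorded out of band. The host names, CA names and baseline values are constructed assumptions; `fetch_peercert` is a helper that collects the real values for a host.

```python
import socket
import ssl


def issuer_fields(peercert):
    """Flatten the nested RDN tuples of getpeercert()['issuer'] into a dict."""
    return {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}


def fetch_peercert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate that the server (or a proxy) presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_issuers(observed, baseline):
    """Compare observed issuers with ones recorded out of band.

    observed: {host: getpeercert() dict}; baseline: {host: issuer organizationName}.
    Returns a list of (host, expected, seen) tuples for every mismatch.
    """
    mismatches = []
    for host, cert in sorted(observed.items()):
        seen = issuer_fields(cert).get("organizationName", "<none>")
        expected = baseline.get(host)
        if expected is not None and seen != expected:
            mismatches.append((host, expected, seen))
    return mismatches


def single_issuer(observed):
    """Return the issuer CN if every host shares one, else None.

    A hint only: a re-signing proxy issues for every site from one local CA,
    but unrelated sites can also legitimately share a public CA.
    """
    names = {issuer_fields(c).get("commonName") for c in observed.values()}
    return names.pop() if len(observed) > 1 and len(names) == 1 else None


# Constructed sample data (not captured from any real product or site).
BASELINE = {"site-a.example": "Example Public CA One",
            "site-b.example": "Example Public CA Two"}
_PROXY_ISSUER = ((("organizationName", "Example Filter Vendor"),),
                 (("commonName", "Example Filter Vendor Root"),))
OBSERVED = {"site-a.example": {"issuer": _PROXY_ISSUER},
            "site-b.example": {"issuer": _PROXY_ISSUER}}
```

    To use it against live hosts, build `observed` with `fetch_peercert(host)` for each host in the baseline; a verification error from that call is itself worth investigating.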
     
  16. billy13

    billy13 Registered Member

    Joined:
    Oct 2, 2009
    Posts:
    49
    Is GlassWire 1.0.40b compatible with Win8.1 X64 ? I use Bitdefender AV PLUS 2015. Will it work along with Bitdefender?
    Thanks.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Using it along with PRTG now, and they work great!
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    Are you not bothered about the things that itman mentioned?
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Specifically regarding PRTG? I'm not sure what you mean.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Oh, so it's hard to uninstall and way too intrusive for his likings... Well I don't really mind it for now, but I'll have to look into it.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Let me elaborate on the dangers of using any product that performs protocol and web filtering using a local host proxy.

    Starting with Vista and all subsequent Windows operating systems, protocol and web filtering are done by the Windows Filtering Platform:

    https://msdn.microsoft.com/en-s/library/windows/desktop/aa363967(v=vs.85).aspx .

    Microsoft does not recommend or advise that any external software be installed that in any way interferes with or intercepts network traffic being monitored by WFP.

    The following are two excerpts from Eset's Smart Security 8 User Guide:

    4.3.3 Protocol filtering

    Antivirus protection for the application protocols is provided by the ThreatSense scanning engine, which seamlessly integrates all advanced malware scanning techniques. The control works automatically, regardless of the Internet browser or email client used. For encrypted (SSL) communication see Protocol filtering > SSL.

    Enable application protocol content filtering – If enabled, all HTTP(S), POP3(S) and IMAP(S) traffic will be checked by the antivirus scanner.

    NOTE: Starting with Windows Vista Service Pack 1, Windows 7 and Windows Server 2008, the new Windows Filtering Platform (WFP) architecture is used to check network communication. Since the WFP technology uses special monitoring techniques, the following options are not available:

    - HTTP, POP3 and IMAP ports – Limits routing the traffic to the internal proxy server only for the corresponding ports.
    - Applications marked as web browsers and email clients – Limits routing the traffic to the internal proxy server only for the applications marked as browsers and email clients (Web and email > Protocol filtering > Web and email clients).
    - Ports and applications marked as web browsers or email clients – Enables routing of all traffic on the corresponding ports as well as all the communication of the applications marked as browsers and email clients on the internal proxy server.


    4.3.3.1 Web and email clients

    NOTE: Starting with Windows Vista Service Pack 1 and Windows Server 2008, the new Windows Filtering Platform (WFP) architecture is used to check network communication. Since WFP technology uses special monitoring techniques, the Web and email clients section is not available.

    Again, from what little info I have been able to find about Glasswire and its developer, he supposedly wasn't satisfied with the protection WFP provided. I find that a stretch in that the developers of an established and highly regarded security software like Eset decided not to interfere with WFP's operation.

    Personally, I would seriously question any security product that is using its own internal proxy server to do protocol and web filtering including Avast.

    Now if you are still using XP, Glasswire "might" be of value; that is if you're fully confident that your network activity is not being monitored or altered.
     
    Last edited: Apr 11, 2015
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    Thanks for the insight.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Here's another link that shows the components of Windows Filtering Platform:

    http://sourcedaddy.com/windows-7/understanding-windows-filtering-platform.html

    The proper way to interface with it is via the third party API. A good read on how to get started is provided by none other than the infamous Komodia web site. Remember Komodia was a major player in the recent Superfish debacle .....:

    http://www.komodia.com/wfp_hl

    The important thing to note is by using the WFP API, you are intercepting the data after it has been unencrypted.

    Thanks, but I will pass on anything using a local host proxy.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    I noticed that the Pro version has gone live. IMO he's thinking too big. And then I'm talking about the pricing scheme, way too expensive compared to other tools.

    https://www.glasswire.com/features/
     