Jetico Personal Firewall vs Privatefirewall (vs Simplewall vs Windows Firewall Control)

Discussion in 'other firewalls' started by Lexor, Nov 29, 2017.

  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Yep. . . PFW 7.0 here as well, but as I said, with XP.
     
  2. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,051
    Location:
    United Surveillance States
    You're welcome. I just fired up my Windows 7 and XP VMs to see if there was anything interesting to share. The only thing I noticed is that I have the "Process attack" table disabled in both VMs. I have other HIPS installed on these machines, so that's probably why. The only advise I have is to try JPF first in a VM or at a minimum leaving the "Process attack" table disabled until you're more comfortable with the firewall.
    I didn't know Jetico was giving the firewall away for free now, that's a great deal!
     
  3. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    Thank you for your opinion. From what I read these features (reliability, lightness) are also advantages of JPF.

    As I said in first post, I was Kerio Personal Firewall user so HIPS is not so new thing for me.
     
  4. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    What kind of VM do you use?

    Yes, I mentioned in the first post of this thread that I'm thinking of trying VMware Workstation Player or VirtualBox for testing purposes - do you have any experiences with these or with any other free-to-use apps of this type?
     
  5. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,051
    Location:
    United Surveillance States
    I'm using Virtualbox. I've also used Virtual PC before. I think you'll find they are all fairly straightforward to use.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    I'm pretty sure it's the same as SpyShelter, they basically try to block malware from sniffing the browser. I believe that normally, in order to sniff the browser, apps should first perform code injection. But SpyShelter and probably also Private Firewall can only auto-block this behavior, they can not give the user the option to allow/deny. I believe that's what they mean with "log only", because it's not possible to pre-configure apps from sniffing. See link for more info about how malware use it to steal data.

    http://www.rohitab.com/api-monitor-tutorial-sniffing-internet-explorer-ssl-data
    http://www.rohitab.com/api-monitor-tutorial-sniffing-firefox-ssl-traffic
     
  7. jlg

    jlg Registered Member

    Joined:
    Apr 22, 2010
    Posts:
    10
    Since October, my installation of Privatefirewall has been disabled with every Windows security update as being incompatible, and I have had to manually start it to get any firewall in the system since Windows firewall won't start either if PFW is installed, and with December's security update I got rid of it altogether and was considering trying Jetico, until I went to their support forum and only found two posts from earlier this year, both complaining about the program.

    But back to speaking of Privatefirewall: HIPs will block any new programs without telling you until you reboot, which can stop you from booting into Windows, so you need to allow new programs that require reboots before rebooting, unless the new versions aren't listed in PFW yet, in which case you will find that out the hard way and have to boot into safe mode. I am still searching for a simple firewall compatible with Windows 7 ( Pro 64 )with or without HIPS, that will notify me of outgoing and incoming connections and the originating program or process, and will allow me to test the thing without having to pay for it first.
     
  8. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    Were that updates for Windows 7, 8 or 10?

    Yes, that's a common thing for Jetico - I think you just can't install it without any preparations / doing research first or you will complain.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,226
    Location:
    Canada
    Using rules in Indirect access and Process attack filters directed toward "Groups" of common Windows system processes will alleviate a tremendous amount of grief in the early stages of rules configuration in Jetico2. Attached are my exported Groups of common Windows 7 Ultimate Windows System processes as well as the more critical ones (svchost, rundll32, etc...) that are required for both Indirect access and selected Process Attack rules, as well as screenshots of the rules I've created for them. If you are running this O/S or similar you should be able to Import them into your ruleset after first changing the file extension to ".xml" (no quotes), if you like. I'd advise back up first but there should be no issues whatsoever. You can open it in a text editor such as notepad to view the executables in the groups. If one really wanted to, just using a path like C:\Windows\System32\*.exe will also work. These are protected directories so only elevated malware could write to them.

    System_indirect_rule.PNG Critical_System_Process-Attack_rule.PNG
     

    Attached Files:

    Last edited: Dec 17, 2017
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,752
  11. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    Jetico is an abandonware, it does not work in Windows 10, and it is very difficult to configure (network and process to block).
     
  12. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    @wat0114: Thank you for your attachments, they will help me a lot.

    It is not abandonware as Jetico is still offering it on their website as free to use app.

    I do not use Windows 10 so it doesn't matter for me.

    It is still functional and working after configuration step.
     
  13. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141

    Show your rules, I want to smile today.
     
  14. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    Yes, you can go smile - I am still learning and I am not a Jetico expert in any way so that will prove nothing.
    I'm just saying that Jetico still has its value.
     
  15. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141

    So Windows firewall is for you, in public mode, nothing else.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,226
    Location:
    Canada
    You're welcome.

    Btw, if something doesn't seem to work right, you get system freezing or similar, then it's most likely due to something being blocked in either the indirect activity or process attack filters. There is a nice "trick' mentioned somewhere by @Stem that works great; you take the very top rule in both filters - the one that's un-checked", drag it all the way down to just before the "Ask" rule, enable the checkbox, and enable logging to "notice" or even "warning", re-boot the computer, log in and check the logs. You can then create rules from anything logged off those enabled rules. When you're done, un-check them and drag them all the way to the top again.

    I find that at least on Win7, Jetico works pretty much exactly as advertised. It may seem buggy at times, but it's really just just doing its job. Again, patience is a virtue with this firewall.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    It was one of the most interesting new features that was introduced by Zemana and SpyShelter. So I was surprised to see that PFW also offered anti-sniffing. In theory, it will interfere with banking trojans that are already active on the system.
     
  18. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    It took me a long time, but I'm back to tests of Jetico. :) First, I'd like to thank you for your advice to try VirtualBox as VM - it was my first contact with any VM and I needed to learn all the basic knowledge "how to properly setup one". Now, after trying VirtualBox I can not think how to not use snapshots, a lot of them (and it is paid feature in VMware Workstation Player) so VirtualBox is indeed the best choice for anyone who would like to try VM for the first time.
    What do you mean by "I have the "Process attack" table disabled" - I suppose it was auto-done by Jetico itself (when it found there is "other HIPS" present in the system) but how can I do that myself?

    I'd like to also ask you a few more questions about your "First JPF Setup For Dummies". :D
    Re 1. Jetico has a few steps of installation: A) Jetico install, B) some wizard thing, C) PC reboot - which "first post-install prompt" did you mean?
    I suppose it's first one after PC reboot (when I need to select my "first rule") but I'm not 100% sure.

    Re 4. In Optimal Protection policy I have (among many others) two tables named Indirect Access to Network and Process attack - both have top rule turned off. Do I suppose right I should turn it on here on this step or you did mean something different? I'm not sure about this because if I just "tick the top rule box on" then there is no "click Apply" you were talking about.
    EDIT: After more analysis I think I've found the proper answer! :D
    I should not expand Optimal Protection tree and go to Indirect Access to Network and Process attack tables - I should click on Optimal Protection directly instead - just like you said in 3! Now I can see Application filter: indirect network access and Process attack filter with bypass / learning mode options and even that Apply button!
    I'm so stupid. :p

    Re 5. Is the "first post-install prompt" always the same one on every system?
    I'm asking because you said "allow it" here and it looks like "always allow it, no matter what".

    Re 6. Do I understand it right that the easiest and proper way to do that is to clone both top rules I turned on in step 4, put them "on top" (over these from step 4) and just add a log? What "log level" should I select here?

    Re 7. How should I properly do that?
    EDIT: That's probably already answered above in my edit for point 4. :)

    Re 9. How should I properly do that?
    EDIT: I've just found this little gem:
    ...and, I think, this is the right way to do that.
     
    Last edited: Jan 17, 2018
  19. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    I'd like to make sure I'm doing this right way:

    step 1. Rename txt file to xml one, select File > Import:
    - Select all
    - Optimal Protection security policy to import these tables to

    step 2. Configuration > Optimal Protection > Application > New > Application rule:
    - select Event > indirect access to network
    - select Application > Add group > System32 & SysWOW64 executables

    step 3. Configuration > Optimal Protection > Process attack > New > Process attack rule:
    - select Event > critical registry modification + control process + control system services
    - select Attacker > Add group > Critical System executables

    I have the same OS like you (Win 7 Ult) but I don't have a few exe you listed, for example C:\Windows\SysWOW64\FlashPlayerApp.exe - is that normal?

    A few additional questions:

    Q1. What happens if I delete a group? Are the rules connected to this group deleted as well? Is there some way to rename a group?

    Q2. Do you use any Configuration Wizard's options during installation?
    This Wizard has created a lot of rules for many various files - it looks so messy. :D

    Q3. Do you have any tips for general rules I should create for antivirus software to "make it easier"? I'm testing Avast at this moment.

    Q4. What is the difference between File > Exit and File > Shutdown Firewall?
    Both options close JPF without any "Are you sure?" prompt. I think it is a little too easy to accidentally exit Jetico.... :(

    Q5. What does it mean if "turn on/off" tick box of some rule has red "!" inside instead of blue "✓"?

    Q6. Is there some easy way to revert all rules to factory settings? I tried to use @Stem's advice for JPF1 but there is no such folder/file nor menu option in JPF2.
    EDIT: I found a small workaround here - I think I'll just clone Optimal Protection tree and set new cloned tree as default one. That way I can always go back to previous settings and also I will be able to easily export whole tree to some file for fresh JPF setups in future. Will that work?

    Q7. I'm not sure about one thing. During installation, Configuration Wizard detected some groups of applications, for example: it detected Internet Explorer and added it to Web browsers group. After installation, there are only two groups under "Groups" tab: Web browsers and System services. Web browsers group is completely empty (there are no references to Internet Explorer inside) and under Configuration > Ask User there are two separate "→ Web browser" rules generated for two Internet Explorers (x86 and x64).
    Does that mean that Configuration Wizard does not use Groups function while creating its rules even when it detects Groups? I also think that I need to create rules for all these "default groups" by myself? Now when I'm adding some application to Web browsers then JPF is still asking me about it because Web browsers group are not used in any policy table by default?
     
    Last edited: Jan 17, 2018
  20. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    I've created whole set of Jetico 2 rules for svchost.exe based on post from Russian forum I mentioned earlier:
    - link to original post on Russian forum
    - English translation from google is in my post #35 of this topic

    Rules are attached to this post (rename extension to xml). I've included separate chains of tables for:
    - Application > Ask User > Service Host > DNS Client (source: top table from the Russian post)
    - Network > IP Table > RPC/DCOM (source: bottom table from the Russian post)

    Can some Jetico 2 user check if this was done right? :D
    EDIT: I've already found one my mistake in RPC/DCOM table: Порт получателя means Destination port, not Source port.

    And a few more questions (yes, again :p):

    Q8. Was it right to add redirection to Jetico 2 default DNS Client table at the bottom of my Service Host table?

    Q9. Can I somehow copy one rule from one table to another table? Draging & droping after cloning does not seem to work. Can I somehow export specific rule or I need to export whole table?

    Q10. Jetico 2 in-build import function works ok with my exported xml configuration file but Configuration Wizard can not see any of my Network / Application tables inside this xml - why? o_O Configuration Wizard can see Groups in xml file with no problem (like these posted earlier by @wat0114). I was thinking about use of Configuration Wizard during Jetico 2 installation to include all my own custom rules at once but now I do not know if this is possible...

    Q11. There are nine "log levels" in Jetico Personal Firewall: disable, debug, info, notice, warning, error, critical, alert, panic. First one, disable, is an obvious one, but can someone explain the differences between the rest?
     

    Attached Files:

    Last edited: Jan 17, 2018
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,226
    Location:
    Canada


    Please note I don't use Jetico anymore. I've gone back to Windows firewall w/advanced security and added some rules to it using several I generated from using Jetico for 3 weeks. I'm just not comfortable using unsupported software even though it works fine so far on updated Win7. I also found Jetico's IPv6 does not work as expected.

    Otherwise...Yes, that procedure looks right.


    Sure that's fine. You could just remove any executables you don't have or even leave them as they won't cause any problems.

    no, you will get the problem you ask about in Q5 where you'll see the red "!" This happens because the rule is pointing to a parameter that is now missing. it won't, however, cause breakage or instability issues.

    I used it for only one or two rules, otherwise I don't bother with it.

    I would say just allow it to whatever http(s) port(s) it requres, and maybe place its executable in Groups requiring Process Attack and Indirect Access needs.

    not sure, but I believe exit shuts down the interface but leaves the service running. Shutdown closes both.

    See my response to Q1

    Q6. Is there some easy way to revert all rules to factory settings? I tried to use @Stem's advice for JPF1 but there is no such folder/file nor menu option in JPF2.
    EDIT: I found a small workaround here - I think I'll just clone Optimal Protection tree and set new cloned tree as default one. That way I can always go back to previous settings and also I will be able to easily export whole tree to some file for fresh JPF setups in future. Will that work?

    yeah, I don't like how Jetico's wizard creates rules. I just ended up creating them myself, including one for web browser where I paced all web browser executables in a Group and tied a rule I created myself to that Group.
     
  22. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    I know that. :) Still, even when you do not answer all of my questions I can't thank you enough because, as you can see, it's rare among users of this forum to have such "ancient knowledge" nowadays.

    Can you say something more about this?
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,226
    Location:
    Canada
    Whenever I checked the logs, I was never able to find blocked or allowed IPv6 IP addresses such as can be found in Event Viewer, for example:

    Code:
    ProcessID 1256
    Application \device\harddiskvolume1\windows\system32\consent.exe
    Direction %%14593
    SourceAddress 2001:56a:739f:3200:a836:78af:7759:908b
    SourcePort 50649
    DestAddress 2600:1409:12:38d::747
    DestPort 80
     
  24. Lexor

    Lexor Registered Member

    Joined:
    Nov 26, 2017
    Posts:
    43
    Location:
    EU
    For anyone else who's reading my posts: questions 8-11 are still not answered at this moment and I will be very grateful for any replies. :)

    Here are the next questions:

    Q12. I've noticed that sometimes I have System (just this word, no path, no exe in the end) instead of application name in Jetico prompt window - does anyone know what's that?

    Q13. If I import a few Groups from *.xml file when Groups with the same names already exist in Jetico configuration then what happens in such case? Are old Groups replaced by imported ones or there will be no Groups imported?

    I think I've found a nice way to deal with such programs with many services when we do not know much about them and we do not have any templates ready. Here it is:

    If you have any program which has many exe files and is making "a lot of troubles" then do not forget that Jetico allows to create many Process attack tables, not just one! You can put all exe files in separate Process attack table by using <folder>\*.exe mask in main Process attack table and If you put Ask rule at the end of newly created Process attack table then all exe prompts will be autosaved in new table.

    That way allows for very easy analysis of what all these exe files need and you can also very easy export such table for future needs. :)

    PS. I've noticed that <folder>\*.exe also deals with all exe files in subfolders of "starting" folder.
     
    Last edited: Jan 18, 2018
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,226
    Location:
    Canada
    Sorry I was tired last night but I think I can answer 8, 9 and 11...

    Q8: yes, that's fine. You can also add additional DNS addresses to the table.

    Q9: it is possible to drag & drop rule parameters into tables and I think even from table-table.

    Q11: Afaik, the only difference with log levels is font color used.

    It seems like you're quickly getting a good handle on the firewall :thumb:
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.