Private FW in bed with ExeRadarPro

Discussion in 'other firewalls' started by bellgamin, Mar 28, 2012.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    For now, I do not run an antivirus in real-time. My only real time security apps are PFW & ExeRadarPro (ERP). ERP is an antiexecutable app.

    Is anyone else running a PFW/ERP combination in real-time? If so I would very much appreciate your comments about any overlap in the coverage by these 2 apps.

    Namely, I have noticed that, so far, PFW has alerted me to EVERY situation that ERP has alerted me to. Therefore, I have begun to question the need for running ERP alongside of PFW. It seems to me that PFW is very effective as a *sort* of antiexecutable (over & above its FW & HIPS capabilities). So I am thinking of dropping ERP from my real-time coverage.

    QUESTION (for those who know about both PFW & ERP) -- When running PFW, does ERP offer any significant additional protection?
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, I have not run them together, but I would say the process protection part of PFW does the same as Exe Radar Pro.
     
  3. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    I also think ERP is not needed with PFW. Drop ERP and go with PFW alone. :thumb:
     
  4. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Part of PFW's functionality is an anti-exec (the Create Processes function). So you're basically running two anti-execs if you also have ERP.
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    THANKS to all who commented. I have dropped ERP from real-time. For now, PFW is my only real-time security app. Of course I image often, so PFW certainly isn't the only brick in my security wall.

    Running PFW solo makes for a very zippy computer. :thumb:
     
  6. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Just my 2 cents.

    Yes, there is a duplication between PFW and ERP regarding anti-execution protection. IMO, there are 2 solutions:

    1. Disable PFW's "Process Detection" and let ERP do the anti-exec job (not my preferred option, since I consider PFW my main security component). After ERP has allowed an execution, "Process Monitor" will come into play.

    2. Configure ERP the way you want, set up the appropriate "Rules" and select the "Trust Mode" policy. I've noticed that ERP kicks in before PFW. As a result, if an ERP BLOCK "Rule" is triggered, "Process Detection" will keep resting.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I gave PFW a spin again. It has become more user friendly compared to the old Dynamic Security Agent. The automatic rule assignment is surprisingly granular for auto rule creation. The downside of most user-friendly auto rule creation is that the rules are set so wide that the security level is lowered (sometimes too much for my taste, as for instance with PC Tools Firewall). With PFW, IE is allowed to change protected file storage (you don't want that) when I checked it in the process guard.

    Tip for members running as Admin on XP with PFW: I would advise combining PFW with EdgeGuard Solo from Blue Ridge. Just add all your Office software, PDF reader, media player, e-mail client and browsers to EdgeGuard Solo and you will be very secure on an XP setup running as Admin. Download EdgeGuard Solo for free at http://www.blueridgenetworks.com/support/products/edgeguardsolo/download.php.

    With EdgeGuard Solo there is one limitation when using Chrome: You need a Chrome version which installs in C:\Program Files (so use the off-line installer of Google, or full installers of Iron Browser or Comodo Dragon). When you use Chromium, unzip it in C:\Program Files. EdgeSolo works flawlessly when the guarded programs are in the admin space (Windows or Program Files folders).

    When running LUA (or using SU-RUN) on XP or Vista/Win7 with UAC there is no need for Solo.
     
    Last edited: Mar 31, 2012
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I use FF or Iron, not IE. Also, I browse using DropMyRights. Real-time security is PFW only. Safe enough?
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    DMR + PFW = top, don't worry. DropMyRights is the same principle as EdgeSolo: it compensates for registry and file access to admin space (Windows + Program Files). The only advantage of Solo is that when some other malware launches your web browser, it is always run in a kind of DMR mode. It uses near zero CPU time.
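    The "DMR mode" Kees1958 refers to here, and the EdgeGuard Solo tip a few posts up, both rest on the same idea: the internet-facing program is started with a token that has had its administrative rights stripped, so even when the user is logged on as Admin the process cannot write to Windows, Program Files or HKLM. The script below is an added example that reproduces that launcher with the Windows Safer API (the mechanism DropMyRights is built on); it is not DropMyRights', Blue Ridge's or Privacyware's code. The `Safer` wrapper type, the `Start-RestrictedProcess` function and the Firefox path in the usage line are names and assumptions chosen for this illustration.

```powershell
# Added example (not DropMyRights' own source): start a program with a
# Safer-computed "Normal User" token so it cannot modify admin space
# (Windows, Program Files, HKLM). Same principle as DropMyRights/EdgeGuard Solo.
# Assumes Windows PowerShell 5.x or PowerShell 7 on Windows.

$SaferNative = @'
using System;
using System.Text;
using System.Runtime.InteropServices;

public static class Safer
{
    // Scope, level and open-flag constants from winsafer.h
    public const uint SAFER_SCOPEID_USER        = 2;
    public const uint SAFER_LEVELID_CONSTRAINED = 0x10000;
    public const uint SAFER_LEVELID_NORMALUSER  = 0x20000;
    public const uint SAFER_LEVEL_OPEN          = 1;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferCreateLevel(uint scopeId, uint levelId, uint openFlags,
        out IntPtr levelHandle, IntPtr reserved);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferComputeTokenFromLevel(IntPtr levelHandle, IntPtr inToken,
        out IntPtr outToken, uint flags, IntPtr reserved);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SaferCloseLevel(IntPtr levelHandle);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr token, string appName, StringBuilder cmdLine,
        IntPtr procAttrs, IntPtr threadAttrs, bool inheritHandles, uint creationFlags,
        IntPtr environment, string currentDir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $SaferNative

function Get-Win32Message([int]$Code) {
    (New-Object ComponentModel.Win32Exception $Code).Message
}

function Start-RestrictedProcess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Arguments = '',
        # Constrained is stricter than Normal User and breaks more programs
        [ValidateSet('NormalUser', 'Constrained')][string]$Level = 'NormalUser'
    )
    $levelId = if ($Level -eq 'Constrained') { [Safer]::SAFER_LEVELID_CONSTRAINED } else { [Safer]::SAFER_LEVELID_NORMALUSER }

    $levelHandle = [IntPtr]::Zero
    $ok = [Safer]::SaferCreateLevel([Safer]::SAFER_SCOPEID_USER, $levelId, [Safer]::SAFER_LEVEL_OPEN, [ref]$levelHandle, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if (-not $ok) { throw "SaferCreateLevel failed: $(Get-Win32Message $err)" }
    try {
        # NULL input token: derive the restricted token from the caller's own token
        $token = [IntPtr]::Zero
        $ok = [Safer]::SaferComputeTokenFromLevel($levelHandle, [IntPtr]::Zero, [ref]$token, 0, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if (-not $ok) { throw "SaferComputeTokenFromLevel failed: $(Get-Win32Message $err)" }
        try {
            $si = New-Object Safer+STARTUPINFO
            $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
            $procInfo = New-Object Safer+PROCESS_INFORMATION
            # CreateProcessW may write into the command line, so hand it a mutable buffer
            $cmdText = ('"{0}" {1}' -f $Path, $Arguments).Trim()
            $cmd = New-Object System.Text.StringBuilder -ArgumentList $cmdText
            $ok = [Safer]::CreateProcessAsUser($token, $null, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$procInfo)
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if (-not $ok) { throw "CreateProcessAsUser failed: $(Get-Win32Message $err)" }
            [void][Safer]::CloseHandle($procInfo.hThread)
            [void][Safer]::CloseHandle($procInfo.hProcess)
            return $procInfo.dwProcessId
        } finally { [void][Safer]::CloseHandle($token) }
    } finally { [void][Safer]::SaferCloseLevel($levelHandle) }
}

# Usage (browser path is an assumption; point it at the browser you actually run)
$browserPid = Start-RestrictedProcess -Path 'C:\Program Files\Mozilla Firefox\firefox.exe'
"Started PID $browserPid with a Normal User token"
```

    Two caveats that follow from the posts themselves: a restricted token only blocks writes to admin space, so the process can still read and modify everything in the user's own profile, which is why EASTER later prefers a container like Sandboxie; and, as Kees1958 notes, on Vista/Win7 with UAC or under a proper LUA the logon token is already filtered, so this launcher mainly earns its keep on the XP-as-Admin setups discussed in this thread.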
     
  10. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    @ Bellgamin

    Could you share your current Private Firewall settings? I'm thinking of going without an AV myself on my fake, a.k.a. virtual, machine. :D

    Thanks.
     
  11. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    My settings. . .

    Main Menu>Internet Security>slider to Custom
    Main Menu>Network Security>slider to Custom

    Applications>Right Click any application. On resultant drop-down menu, click "Advanced Application Settings">Processes tab>right click an internet facing process (e.g., firefox.exe). On resultant drop-down menu click "Limited" (repeat this for ALL internet-facing processes)

    Process Monitor>slider to High

    File>Settings>Basic tab>click boxes as follows: Manual Control; Always display alerts; Disable startup splash

    File>Settings>Advanced tab>click boxes as follows: (Under Firewall & Process) Enable Process Detection, Enable Training, 7 days; (Under Email Anomaly) Enable detection, Training 7; (Under System Anomaly) Enable Detection, Sensitivity 60, Training 7
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    I am not responsible for any problems that may result from following my advice. This includes, but is not limited to, computer failure, erectile dysfunction, PMS, the heartbreak of psoriasis, or your daughter running off with a biker gang. Follow my suggestions at your own risk. ;)
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Thanks for this tip!

    Since I'm now 100% sold on all sorts of alternative off-the-cuff and completely portable browsers, with an occasional Firefox install now and then, LoL, I think I'll set up EdgeSolo for them since I'm running XP as Admin as mentioned.

    A pure LUA w/(Su-Run) is spectacular security without a doubt but since stumbling on an alternative method to cap driver loading with a simple Samarai driver file, that vector is completely locked down.

    Offers more relief time from other full security apps without sacrificing security overall.

    ProcessGuard has served very well as an anti-process/anti-injection/anti-driver tool too, but in a quest to streamline to bare-minimum, bare-bones resources with top-notch protection, I would like to offset that app with another anti-exec of some sort.

    Maybe some suggestions? ;)

    I'm divided right now between PFW & ComodoFW-D+. I also favor PFW and found it quite efficient.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Well, it couldn't be resisted. I took the initiative in favor of PFW as opposed to ComodoFWD+.

    I've had very good success before with PFW and besides it does offer some neatly arranged configurations, which is a dream for fine-tuners.
     
  14. clubhouse

    clubhouse Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    180
    I keep trying various combos of security layers without active AVs. Trouble is, although I've never had an alert from an AV I didn't expect in the past 4 years, I still feel uncomfortable without one. Gotta say PFW does seem to 'trap' almost everything. I've just dropped Avast and reinstalled EdgeGuard Solo as per Kees' recommendation. Both his and Bellgamin's posts and advice always influence my choices. I'm gonna try my best to stick to PFW, EdgeGuard and the MVPS hosts file for at least a month! :D
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I've nearly earned the odd reputation of being known for piling on security apps all at one time, even when others have tried it and system conflicts then ensued. But after all the heavy armour, testing, trying this one and trying that one again, it always seems to boil down for me to a very select few, seemingly insignificant or unpopular apps at the time that end up forming the most favorable shielding of all, and so once again I come full circle.

    Bellgamin and Kees have been down this same route before too, and more often than not you'll find that their choices are testaments that prove certain select apps and setups will withstand the test of time while keeping within a very reasonable margin of system safety.
     
  16. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Bill must be getting a bit more lax or trusting these days...:eek: :p

    In addition to "Manual Control" I also have "disable auto-response" and "disable trusted publisher feature" ticked so as to have the most control over PF's responses.
    (The "disable trusted publisher feature" is a new option in the most recent version.)

    In the end I suppose it's just a matter of balancing security with convenience and finding your own comfort level. As in most things, I defer to Bill who has forgotten more than I'll ever know and has helped me immensely via his posts along the way.
     
  17. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
    Doesn't the installer come with a default list of 'Trusted Publishers'? I, on the other hand, don't see any entries in the 'Trusted Publishers' dialog box. I wonder what wrong could be at my end. o_O


    Not to get off topic, but that was a good laugh. - LOL :D
     
  18. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Yes...if you go to 'advanced settings' there is a button there that opens up the box with trusted publishers listed in alphabetical order...

    ...but, if you'd previously deleted the entries and then saved, exported and subsequently imported your rule sets, the box will be empty.
    (There had been a bug in the export/import of trusted publishers that was recently addressed in one of the updated versions of PF.)

    You'd need to either add them via notepad and then import the updated settings, or start with a default installation to the best of my knowledge.

    I've PM'd you with the list so that you can annotate your saved file, PF-Settings.xml with the trusted publishers list and then import into PF if you choose to do so.
     
    Last edited: Apr 12, 2012
  19. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
    Thanks a lot, Blues, but I have disabled the feature anyway. Now my settings are exactly the same as yours.
     
  20. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    You're quite welcome. I had edited my post above to reflect that I already sent them, so you can either save for future reference or discard. :cool:
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I have one question for those familiar with PrivateFirewall that I'd like help on. Where can you find the setting to untick the "Remember This Setting" alert box?

    Or like in EQS HIPS, can you simply set it up to just press block (for now) without rule? Does the selection Training, temporarily allow/block?
     
  22. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    When the box pops up you can have the program remember your choice or only take the action at the given point in time.

    Rules that aren't set to be remembered going forward via the options offered will be gone upon reboot.

    You can get all the info you need by either saving or reading the following:

    User Guide
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I downloaded the guide last evening, thanks, but have yet to study through it entirely. In EQS HIPS you can load any executable and an alert box will open immediately, like PFW, only without the 'remember this setting' option ticked as in PFW. A user might not want PFW to 'remember this setting' right now, but it seems to be ticked by default.

    When you untick that setting in PFW, then proceed to press BLOCK, naturally it does not open, as expected. However, on subsequent attempts to open that same program again, or any other executable for that matter that was dealt with by selecting BLOCK after unticking PFW's 'remember this setting' alert, the program is now blocked altogether.

    I was just understandably curious about the way PFW differs in this respect. I understand going forward that a reboot will flush the temporary rule, but you can avoid that altogether by going to PFW's Main Menu -> under File select Settings -> Advanced -> Detected Applications -> Process and simply choosing to remove the blocked app, returning it to a neutral, unmonitored file until it is launched again.

    All of this process to me just seemed like an extra long hike around the block to accomplish what might be simpler if the BLOCK function operated differently.

    Anyway, these forms of HIPS rituals are right up some of our alleys. It makes for some interesting discoveries while tightening the gaps between actions made on our systems to improve airtight security.
     
  24. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Those interested in EdgeGuard Solo by Blue Ridge Networks should read the EdgeGuard Solo Support Page very carefully to familiarize themselves with the limitations, capabilities, pros and cons of EdgeGuard Solo.

    The current version displayed on the Support Page is: EdgeGuard Solo Beta, Version 1.2.4.0
    The version displayed in the downloaded installer is: Version 1.02.0007
    EdgeGuard Solo setup.exe is not digitally signed: Version 1.02.0007

    There are too many workarounds that involve disabling and then re-enabling EdgeGuard Solo security in order to perform certain tasks such as operating system updates, application updates, and simple print jobs to Adobe Acrobat.

    The EdgeGuard Solo Support Page boldly warns to be very judicious about choosing to disable EdgeGuard Solo security protection, alerting that common attack vectors are to trick end users into installing seemingly innocuous software. In contradiction, the only workarounds are to disable the Blue Ridge Networks EdgeGuard Solo security.

    In my advisement, if security must be disabled to allow events, the battle with malware is already lost.

    According to the Blue Ridge Networks EdgeGuard Solo Support Page, the only operating systems supported are: Microsoft Windows XP SP2, Microsoft Windows XP SP3, Microsoft Windows Vista, and Microsoft Windows Vista SP1.

    Also according to the Blue Ridge Networks EdgeGuard Solo Support Page, EdgeGuard Solo has conflicts with third-party client software that does not conform to Microsoft Windows XP and Microsoft Windows Vista programming guidelines, stating that EdgeGuard Solo may inhibit normal application operations when these guidelines are not followed.


    EdgeGuard Solo Support Page:
    http://www.blueridgenetworks.com/support/products/edgeguardsolo/index.php


    Installing Privatefirewall by Privacyware as a standalone firewall is effective firewall security by itself.

    For effective and reliable computer security, only the latest updated consumer retail versions of security software that are digitally signed should be installed in the operating system, whether free or paid subscriptions.



    HKEY1952
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Yesterday I installed EdgeGuard Solo and also took notice of the cautions they made a point of passing along to us. For me, Solo just didn't offer any useful real-time INFORMATION! to be assured internet-facing apps are indeed protected. Not to say that they're not, by any means, but whether it's a paid product or free, as a focused end user it's necessary for me that any security app keep me abreast, whether through alerts or by opening up the app to review reports. EdgeGuard did neither, so until something else surfaces, all my browsers are launched through Sandboxie, where I know they are contained.
    Don't care for driving at night with the lights off.
     