Privatefirewall 5 released

Discussion in 'other firewalls' started by QBgreen, Aug 17, 2006.

Thread Status:
Not open for further replies.
  1. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Oops - I am putting across the wrong attitude - it was not meant that way. Agree with all your comments, and are any others finding problems with this f/w?
     
  2. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Outpost doesn't ask too many questions IMO, because the prompts are clearer than with Private Firewall.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do not think there is anything wrong with your attitude,.. you have protection that you trust, so why a problem with stating that. I fully agree PG gives excellent protection.
    This for me is not compulsory, I am here to help where I can,.. I make mistakes as others.
    Well,.. time will tell,.. after installing on a system with other applications, I find some "problems",.. that's why it's good to have feedback from many installations.

    Regards,
     
  4. Velnias

    Velnias Registered Member

    Joined:
    Jul 14, 2004
    Posts:
    32
    Stem, thanks for clarification :)
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No problem,.. (I did check at the time with a change of program "re-name",.... well just to make sure)
     
  6. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    BTW, thanks for showing me how to get PrivateFirewall to pass Yalta. I'll remember that for if I install it again. I think I'll see how things progress before thinking about giving Privatefirewall another try, though.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Disabling the learning mode only shows you the execution of "Yalta", it does not stop the (default) leaktest, which is localhost comms (localhost(127.0.0.1)), I have yet to find a way to disable localhost comms,... even placing this in the blocked zone still allows these comms,... Local network within settings only show the 0.0.0.0. + Lan. This is a possible risk! (maybe localhost is hard-coded)
     
  8. ciannicello

    ciannicello Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    25
    Hello all,

    We appreciate the interest in Privatefirewall 5.0. I will try to address/answer some of the questions/comments posted in this thread:

    1) We will review the option to place IP addresses within Application rules, thanks for the suggestion

    2) We tested Privatefirewall 5.0 against all the leaktests from the FirewallLeaktester site and Privatefirewall 5.0 should pass all of them out of the box either via the Application Alerts or Process Monitor alerts. Regarding the Yalta test, an alert is generated when an actual Internet/Network IP was used for the test as opposed to a loopback IP of 127.0.0.1. According to the authors of Yalta, you should:

    "...Enter the IP address of the computer to which the text shall be sent..."

    Also, we were unable to run the 'MB Test' leaktest as it continually crashed.

    3) Privatefirewall 5.0 costs $29.95 per license and it is a one time fee. There is no renewal necessary.

    4) The 'prompting' process MVDU mentioned is most likely referring to our Tray Alerts, which appear in the bottom right portion of the desktop for a short period of time and then make a decision to either allow or deny on their own if the user does not make a choice. All application/process related alerts default to 'Block' if no choice is made, and all behavioral alerts (System Anomaly and Email Anomaly) default to 'Allow' if no choice is made.

    If you attempt to launch an application/process that was previously blocked, you will see another tray alert informing you that the application was previously blocked. You can either Allow or Deny access at that point.

    Also, if you see a tray alert and would like additional information, you can select 'Details/Options' to see the 'Full' Alert, which are the larger alerts that we have traditionally used in previous versions of Privatefirewall.

    One of the reasons we designed the tray alerts was to provide users with less information initially with the option to get more details. Compare this to our previous designs (and the design of most other desktop security products), which is to provide a large amount of information all at once in a large alert. We have found that most users are primarily interested in the executable name and type of activity, which is what we include in the tray alerts. Also, for those who prefer the previous design, Privatefirewall 5.0 does provide the option (for most sections) to not use the tray alerts and have only the large alerts appear. This can be enabled by selecting the "Require user approval for each alert" option in the desired section.

    5) The Training mode that STEM refers to is for our Process Detection feature, which records all running processes during the training period and then prompts you if you attempt to run a new process after the training period is completed. This is not an 'Internet/Network' related feature and is separate from the Process Monitor feature in the Main Menu. Please note that during our testing, we did NOT have the feature enabled when passing the leaktests. We kept it in training mode and still passed Yalta (for Internet IPs) and the other tests. The leaktests were tested with Privatefirewall's default settings, so nothing needs to be enabled or disabled.

    6) As mentioned by VELNIAS, the process monitor is rules based, and it maintains a list of detected processes that are filtered for potentially malicious system API calls.

    ***

    I see a couple of you find the new alert design/logistics a bit cumbersome. Can you give more detail as to what you would like to see to improve this aspect of Privatefirewall?


    Thanks again. I look forward to the continued dialogue.

    Chris Iannicello
    Privacyware - Privatefirewall Product Manager
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi ciannicello,
    Thank you for your interaction, could you give a solution to block localhost(127.0.0.1/) comms, (trojan/malware comms on localhost, due to possible use of localhost proxy)

    And could you confirm the interception of "windows comms", is this indeed "sig based"?

    Regards,
    stem
     
  10. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thought that I would take another look in case I had missed something.

    I cannot find any way of saving settings, except I suppose copying the files across to another area.

    Also I cannot get through to my other computer. It is on a router and I am running Win 2k. I do use Netbios to communicate with it. Thought that I might have corrupted some settings so reset back to defaults.

    Also could not get it to recognise Mozilla running through Proxo. Neither was flashed up. Had to manually insert both.
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    My fault with local network - should have checked the other end first - sorry. The other bits, I think, still apply.
     
  12. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I don't really understand this f/w.

    I have been playing around with the setting on Network Security. If you set it to high it says this blocks all shared drives/printers. Presumably this is inbound, but either way I can still connect from either computer to the other. If I put the traffic light to red it is stopped or enter the address in the blocked addresses. These settings were made the same on the home, office, remote profiles.

    I would have expected that if it is on high then it would still allow any addresses you put in the allowed box.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have now set up on W2K. From my earlier post, there is a problem due to what may be hard-coded rules to allow localhost comms,... the firewall did pick up (alert on) access by proxo for outbound connection, but no alert to firefox using this local proxy (I have removed all rules to allow firefox), which gives rise to the possibility of malware gaining access to the internet through localhost. Even placing the localhost(127.0.0.1/255.255.255.0) in "blocked sites/IP addresses" does not block these localhost comms.

    I would not advise anyone to use this firewall while running a localhost proxy (such as "proxo").
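
Added example, not part of the original posts or of Privatefirewall: a defender-side check for the situation described above, where a process with no outbound rule reaches the network through an allowed loopback proxy. The connection records, process names, addresses and rule set are constructed sample data; `loopback_relays` is a hypothetical helper.

```python
# Added example: all records and rules below are constructed sample data.
from ipaddress import ip_address

# (process, local_ip, local_port, remote_ip, remote_port, state)
CONNECTIONS = [
    ("proxo.exe",   "127.0.0.1",    8080, "0.0.0.0",     0,    "LISTEN"),
    ("proxo.exe",   "192.168.1.10", 1034, "203.0.113.5", 80,   "ESTABLISHED"),
    ("firefox.exe", "127.0.0.1",    1033, "127.0.0.1",   8080, "ESTABLISHED"),
    ("proxo.exe",   "127.0.0.1",    8080, "127.0.0.1",   1033, "ESTABLISHED"),
    ("unknown.exe", "127.0.0.1",    1040, "127.0.0.1",   8080, "ESTABLISHED"),
    ("proxo.exe",   "127.0.0.1",    8080, "127.0.0.1",   1040, "ESTABLISHED"),
]
# Executables that hold an outbound rule (hypothetical rule set).
OUTBOUND_RULES = {"proxo.exe"}


def loopback_relays(conns, allowed):
    """Find processes without an outbound rule that talk over loopback
    to a listener owned by a process that does have one."""
    listeners = {(ip, port): proc
                 for proc, ip, port, _, _, state in conns if state == "LISTEN"}
    findings = set()
    for proc, _, _, rip, rport, state in conns:
        if state != "ESTABLISHED" or not ip_address(rip).is_loopback:
            continue
        # A listener bound to 0.0.0.0 also accepts loopback clients.
        owner = listeners.get((rip, rport)) or listeners.get(("0.0.0.0", rport))
        if owner and owner != proc and owner in allowed and proc not in allowed:
            findings.add((proc, owner, rport))
    return sorted(findings)


if __name__ == "__main__":
    for client, proxy, port in loopback_relays(CONNECTIONS, OUTBOUND_RULES):
        print(f"{client} reaches the network via {proxy} "
              f"on 127.0.0.1:{port} without its own rule")
```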
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I enabled netBIOS to check this out,.. the netBIOS was blocked, but then found internet connection were also blocked, and then problems/errors showed from winmgmt.exe. A re-boot and still problems with any out/in connections. I will need to re-install later (if time) to re-check.
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565

    Thanks Stem for all the work you are doing.

    I had to get rid of it in the end. It does not seem to sit happily with PG. PG was producing all manner of alerts that I have not seen before. One was services.exe wanting to modify other files, and there were others. Simply do not know enough to say whether it should be allowed or denied. I did allow the f/w full permission in PG.

    Also on shutting down or rebooting it was causing other programs to crash out rather than closing cleanly. Also when I uninstalled it, it caused a BSOD. A pity since I was getting to like it.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It does conflict with SSM,.. but even with a clean installation of W2K, there were some windows errors showing. (It doesn't seem to like W2K,... I didn't see the problems in XP as with W2K)

    As you use "proxo" you are better to leave this firewall anyway.
     
  17. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks Stem

    Thought it was me so good to have it confirmed by you as well.
     
  18. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @stem
    Sorry to bother you I know you work your butt off for us:

    I was wondering whether this is worth another look, particularly in view of the integration of Pfw and DSA ??

    The Pfw has just rated well at Matousec (love em or hate em) but only average with gkweb in comparison (answered own question??)


    Any comments if you have time.
    Thank you.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Longboard,
    I know "Leak test Prevention" does mean a lot to many users. I am a little sceptical as to the ability of this firewall being able to actually intercept the actual communications made by the leaktest. As mentioned by "ciannicello"
    now this is from a member who claims to be the "Privatefirewall Product Manager", I did ask for confirmation of this
    I asked, as if the leaktests are being intercepted due to that applications signature, then it is the application attempting the "Leak" that is being intercepted, and not the actual leak.
     
  20. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    Is it me or is this FW not blocking leaktest 1.2 !!!
     
  21. ciannicello

    ciannicello Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    25
    Stem,

    The Process Monitor is rules-based, not signature-based. I should have clarified that when I said that Privatefirewall "maintains a list of detected applications", that list is created when an alert related to that Process is generated and answered by the user. The list of applications is NOT part of the internal security design.

    Process Monitor alerts are triggered by the **type of activity** not by any signature-based information specific to an application or process. So when you see a Process Monitor alert during a leaktest, that leaktest is trying to perform some function or exhibiting a behavior that Privatefirewall is coded to alert the user about.

    As for Windows Comms, it depends on what type of activity is happening at that moment. I think it is possible for Windows Comms activity to trigger several different types of alerts (Application, Process Monitor, Process Detection, or even Behavior-Based System Anomaly Alert (based on CPU usage and/or thread count)).

    Let me know if you have any more information or questions.

    Sorry I did not get back to you guys sooner!

    Chris Iannicello
    Product Manager, Privacyware
    www.privacyware.com
     
  22. PaulBB

    PaulBB Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    722
  23. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    If you really want to test it properly, do something like this (from my own experience with other firewalls)

    First I gave Opera internet access, then...

    Renamed the original Opera.exe file (/Program Files/Opera) to ORIG_Opera.exe
    Placed the leaktest.exe in the Opera folder
    Renamed leaktest to Opera
    Double clicked on the "new" Opera icon and it was passed to the internet without question.

    Like I said this was with another firewall, not Privatefirewall 5. I have not tested it.


    edit> If you don't use Opera, just use a file that you have already given internet access to. Don't forget to get rid of the fake file and rename the real file when you finish your test.
     
    Last edited: Jan 18, 2007
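
Added example, not part of the original post or of any firewall discussed here: the check that the substitution test above probes, namely binding an application rule to the file's content digest as well as its path, so a replaced executable is re-prompted instead of inheriting the old rule. The `AppRules` class is hypothetical and the files are constructed stand-ins created in a temporary directory.

```python
import hashlib, os, shutil, tempfile

def sha256_of(path):
    """Digest of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class AppRules:
    """Hypothetical rule store: path -> digest recorded when the user approved it."""
    def __init__(self):
        self._rules = {}

    @staticmethod
    def _key(path):
        return os.path.normcase(os.path.abspath(path))

    def allow(self, path):
        self._rules[self._key(path)] = sha256_of(path)

    def check(self, path):
        recorded = self._rules.get(self._key(path))
        if recorded is None:
            return "prompt"      # no rule for this path
        return "allow" if recorded == sha256_of(path) else "changed"

def demo():
    """Approve a file, swap another file into its path, and re-check."""
    d = tempfile.mkdtemp()
    try:
        approved = os.path.join(d, "Opera.exe")       # constructed stand-in
        other = os.path.join(d, "leaktest.exe")       # constructed stand-in
        for path, body in ((approved, b"browser"), (other, b"other program")):
            with open(path, "wb") as f:
                f.write(body)
        rules = AppRules()
        rules.allow(approved)
        before = rules.check(approved)
        moved_to = os.path.join(d, "ORIG_Opera.exe")
        os.rename(approved, moved_to)
        os.rename(other, approved)
        return before, rules.check(approved), rules.check(moved_to)
    finally:
        shutil.rmtree(d)
```

A path-only rule would return "allow" for the second check; with the digest recorded, the swapped file is reported as "changed" and the renamed original falls back to a prompt.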
  24. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    Oh!, yea just an issue I got.... anyway I will stay with KIS
     
    Last edited by a moderator: Jan 18, 2007
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi ciannicello,
    Thank you for clarification, better late than never.

    Regards,
    Stem
     