Discussion in 'other firewalls' started by TomAZ, Apr 8, 2013.
How is PrivateFirewall on system resources? Would be using with XP.
Very light on resources, about 15 to 22 mb used between two existing processes.
Win 7 Ultimate here, don't know on XP.
Using PFW on one of our laptops W7 64 bit, averages around 26mb working set.
I run Privatefirewall on both XP & Win 7 desktops. It is the lightest firewall I've used, small footprint size-wise and it consumes meager system resources. Add to that its effectiveness and you can't go wrong.
Is PF fairly easy to configure and get started with? I've used Outpost Firewall Pro for years and have things pretty well set the way I like them. Almost dread the thought of starting over.
I found it easy to set up to my specific requirements. Anyone who can read and comprehend what they read would have no problem tweaking this firewall to their liking. Plus in settings, depending on your comfort level, you have a 'Standard Control' option where the firewall makes the decisions for you, or there is 'Manual Control' where your input will be required. One thing you need to be aware of, with this firewall whenever there is a program update you must first uninstall the current version to install the new version. It's the only quirk I know of.
I know exactly what you mean, Tom. I used Online Armor for nearly 4 years before I switched to Outpost Firewall Pro, but I've used Outpost the past 2 and a half years and am pretty comfortable with it. I am about to try Kaspersky Anti-Virus, and I'm considering PrivateFirewall because it's reported to be compatible with KAV whereas nobody either knows or is willing to share if Outpost is compatible with KAV.
If you decide to give PrivateFirewall a try, please let me know what you think. I have a lifetime license for Outpost, but you and I are in a similar situation here....and since PrivateFirewall is free........
Don't mean to be negative here because I have liked the look of PFW from reviews of it. And I didn't feel like making a whole new topic for this but...never again will I put PFW on this computer. When I got the itch to try it in real time the reboot after install...frozen, the computer was completely frozen. So I re-started again and it was still frozen. I had to go into safe mode and kill all processes on startup because I got the error that the uninstall service was missing... (can't remember the exact error, something to that effect) and then I could finally uninstall it.
The freezing you were experiencing does subside after a few mins. I believe PFW performs some in-depth scan of your system when it is installed for the first time.
Mine runs about 30Mb on Win 7 x64 with around a .03% CPU sitting in the tray. It's not the lightest I have used (Look N Stop), but it's also not the heaviest (Outpost).
Outpost and my computer are like 2 opposing armies and simply will not get on at all, so I never got to find out how light or heavy Outpost was.
I eventually got round to trying PFW and it installed fine, but I could not stealth the ports and some ports were even open. Don't know if there is an issue with mobile broadband.
I've read a number of comments here from posters unable to pass stealth tests with PF. In the (2+) years I've been using PF the only red mark I get with those tests is a response to ping. But it isn't the pc responding to ping, it's my router.
Same thing here. I was getting response to pings until I started running my DD-WRT flashed Linksys WRT54GS. I have the ability to prevent responding to pings.
I recently installed Private Firewall. In the advanced settings I'm seeing an option for Process Detection which is Off by default. Is this the HIPS feature? Presumably it has to be enabled to detect and warn for unknown processes...?
No, it's related to the "training" feature. Power users leave this unchecked:
"System Anomaly Detection
This feature analyzes the normal use patterns of running applications and generates alerts as it detects unusual activity. The System Anomaly Detection Engine applies a sophisticated algorithm to establish a baseline of normal use based on several system variables such as CPU utilization, thread count, and others. These variables are monitored over a specific period of time, called the 'Training Period', which can be set to 7, 14, or 28 days within the Main Menu. The 'Enable Detection' checkbox, must be selected for Training to be active. Upon installation, Training is enabled by default and commences immediately upon installation."
The HIPS section corresponds to the "Process Monitor" tab.
Hi vojta, I think what you've quoted from the help file relates to the "System Anomaly Detection". Under this heading is a checkbox with "Enable Detection".
What Victek123 is asking about is the "Enable Process Detection" under the heading "Firewall and Process Monitor settings".
From the help: "The Advanced Tab of the Settings dialog enables you to enable or disable Process detection, System and Email Anomaly Detection and/or training, specify training duration and sensitivity thresholds and review and manage Detected Applications and Trusted Publishers."
I don't think these are the same.
I'm only testing it in a virtual machine at the moment but what I have noticed is that the only time I get a "process alert" prompt is with "Enable Process Detection" checked and the Process Monitor off. I don't then get a "process monitor" prompt.
With the Process Monitor on high, I get a "process monitor" prompt but not a "process alert" prompt...
I too would like a clearer explanation of what this checkbox does...
I would advise that you download the PF user manual and read it at least 5 times.
PF is software for users with advanced security technical skills.
As was posted previously, process monitor is the HIPS portion of PF. Once you set it on, you need to set at least your Internet accessible applications to untrusted.
You are right in that my quote from the help file was not referring exactly to "Process Detection" but, anyway, this is still related to the training mode and is aimed at people that want something closer to a "set and forget" usage.
Thanks for confirming, vojta.
I did search the help PDF and I think we're all aware that the Process Monitor is the HIPS section but thanks for clarifying that the process detection checkbox is indeed related to the training mode.
Also be leery of process detection i.e. training mode. It really should not bridge a reboot. PF trashed my dual boot configuration once with process detection set to "on" when I rebooted.
Also beware that PF needs to "adjust" after its settings have been modified. That includes firewall settings. Best to wait 10 mins. or so before rebooting or shutting down your PC after any settings have been changed. Otherwise don't be surprised when your changes have not been applied.
I've now had a chance to test Privatefirewall a little more.
The "Enable Process Detection" (EPD) checkbox is purely related to processes that start/run. There isn't any training involved if the checkbox is enabled, only additional prompts/alerts (allow/deny/limit). If you want more alerts and control, EPD should be checked. Also, if you want to block apps from (simply) running then this checkbox is one way to do it.
As I understand it, there are two separate features Privatefirewall uses for dealing with processes:
The first, "Processes" (Settings->Advanced->DetectedApps->Processes), simply alerts when a process attempts to run. The second, "Process Monitor" (MainMenu->ProcessMonitor), only kicks in when a process tries to perform a function.
With EPD checked, when a process attempts to run, you will receive an alert and have the option to allow or deny (or run as limited). The application rule is then added to the Processes window. If you block the process, it obviously will not run or need monitoring and so will not make it into the Process Monitor window.
With EPD unchecked, applications can start/run without (process detection) alerts. Only once a process attempts to perform a function will the Process Monitor prompt with an alert (as long as the slider is not set to "off").
Hope this helps
Is there a problem between PFW and mobile broadband? I can never get this firewall to pass the shields up or any other test.
I fancy a shot at this program.
There is a lot of confusion in how EPD and Process Monitor work. Maybe this will help.
View EPD like a firewall that alerts the first time an unsigned process runs that attempts Internet access. However EPD is monitoring process execution; not Internet access. Notice I mentioned "unsigned" process? EPD by default uses signed publisher certificates stored within PF. Something to check out if you're the type that doesn't trust publisher certificates or certain publishers. I for one have wondered how "safe" this list of certificates is since it is not dynamically updated like the certificates used by WIN 7 are for example. By using the trusted publisher feature however, EPD alerts are dramatically reduced.
Process Monitor is the HIPS that monitors all processes previously allowed by EPD for unauthorized system access. I have also found "glitches" in Process Monitor where some applications were set to "allow" versus "filtered" and vice versa. So those settings should be checked periodically. Again Process Monitor uses its own internal list of commonly used apps that are set by default to "allow". "Allow" in this context means Process Monitor is not monitoring the app. This might not sync with your individual security requirements.
One last important point. When EPD creates a process rule for a trusted application, its status is set to allow all safe activity. You need to set all Internet facing applications to "limited" via Advanced Application settings.
Finally, if everything I posted above "sounds like Greek" to you, you should be using a different firewall.
View this posting as a FYI on PrivateFirewall.
PF was designed and marketed for a number of years as a commercial security product. Commercial security products are designed to be installed and maintained by IT security professionals. Given that background, things like lack of auto updating of publishers certificates that I mentioned in my previous posting are a moot point since this is a task the IT security staff would perform. Ditto for detail configuration of PF settings.
Next is the universal maxim that two of any identical resident security products is a bad thing. On the surface, PF can co-exist with most common in use retail AVs on the market. At least, no visible conflicts exist such as slow performance and the like. However as a few installers of PF have painfully found out when their PCs wouldn't boot and the like, PF conflicts can become immediately visible.
However, I have seen evidence that subtle conflicts may exist when using PF with AVs such as NAV, KAV, and other mainstream products that have realtime protection, IPS, "embedded" HIPS capability, and behavior analysis and blocking. Something along the line of "opposing and equal forces" colliding. The result is they cancel out each other and the bad guy sneaks in.
PF has System Anomaly detection. That is the same as your AV's behavior detection. The mainstream AV's "embedded" HIPS protection is just that. In most cases, you can't overtly control it or disable it. It is part of the realtime protection of the product. If you disable that, you have no realtime protection from downloads, etc. If your AV protects critical registry areas, system files, detection of keyloggers and the like, this is HIPS protection.