Based on the many postings about WSA here, I assume that the Prevx forum is a good place to discuss Webroot SecureAnywhere (I guess Prevx was acquired by Webroot?). I'm evaluating WSA 8.0 and like what I've seen so far. One thing that concerns me a little bit is that when I ran Comodo's firewall leaktest (v.1.1.0.3), 15 of the 34 tests came back as "vulnerable". Is Comodo Leaktest a reasonable test tool? In case it's of help to anyone, the items that were classified as vulnerable were:
WSA doesn't have a real firewall; it just adds a layer of protection and more control over Windows Firewall. Comodo Leaktest is "good" for a pure firewall with HIPS or BB.
Except for the DNS test, these tests don't seem to be about network access so much as being able to use APIs or modify registry locations that malware often uses. From the marketing materials on WSA, one of the strengths of WSA is supposed to be that it isn't reliant on signatures, but looks at the program behavior to detect potential malware. Am I misunderstanding how WSA is supposed to work? Is the Comodo leaktest behavior being seen by WSA, but determined to be non-malicious (since I expect it isn't malicious) and therefore passed through normally? Is there some other testing that I should be looking to?
WSA does have a firewall, it is just only an outbound firewall and we use the Windows firewall for inbound protection. We have a full stack of network filter drivers/controls just like every other firewall. It isn't quite as user-facing as some others because we've built it to be cloud-driven and easier to use.
Can you suggest some tool I can use to test this kind of functionality, or is there a reasonable way for me to un-whitelist the Comodo tests?
It won't be possible to un-whitelist the leaktests locally as the cloud will override it for overall monitoring. I don't know of specific test tools which aren't whitelisted for the items you posted in the first post, but leaktests don't reflect the full picture of a threat so they won't be handled the same way as actual threats. However, some test tools like Zemana's keylogger will be blocked (silently) when typing into a browser, so it will be possible to test a subset of the functionality.