Sunbelt-Kerio issues / Need new desktop firewall advice

on 28.07.2007 01:58:29 by Mathieu Chavoutier

OK, I have had it with the Sunbelt-Kerio firewall! It has been a fine firewall,
but the latest versions have been quite disappointing.

The firewall configuration window has always frozen when using P2P programs.
Now the latest version offers more control over application-behavior blocking,
but for some reason it terminates the communication with my Outlook when
checking for email after a while. Even more, every new upgrade fails to
import the previous version's rules I exported just before updating. To make
things worse, now Firefox does not even register in the Network Security
Module window (yeah, but it allows the traffic anyway... oh please!). I do
not know if this last issue has to do with the Avast Web scanner module (part
of Avast Antivirus).

I think the product lost its magic after it was sold (so typical!).
Anyways... I have had it with Sunbelt-Kerio!

I'm using Windows XP SP2, and I always have my computer in Stealth mode. So
I repel unsolicited traffic and I have only allowed 6 applications that can
legitimately access the Internet: my Web browser, antivirus, email client,
IM, P2P, RSS reader, and Newsgroup reader. I have even blocked the nasty
"svchost.exe" (which does who knows what). I just enable it for a few minutes
once a month to do Windows updates.

Does anyone know a desktop firewall with a well-designed engine? I have heard
about Outpost, WinRoute, and ZoneAlarm. About this last one I'm not sure,
because of the little I have read. Any objective opinion/advice will be
appreciated! Thanks!

Re: Sunbelt-Kerio issues / Need new desktop firewall advice

on 29.07.2007 00:24:13 by MR. Arnold

> I'm using Windows XP SP2, and I always have my computer in Stealth mode.
> So I repel unsolicited traffic and I have only allowed 6 applications that
> can legitimately access the Internet: my Web browser, antivirus, email
> client, IM, P2P, RSS reader, and Newsgroup reader. I have even blocked the
> nasty "svchost.exe" (which does who knows what). I just enable it for a few
> minutes once a month to do Windows updates.

Svchost.exe does nothing on its own. It hosts other programs; that's its job,
and programs use svchost.exe on their behalf. Svchost.exe is the messenger
and only provides the means. Should you kill the messenger, or should you
find out what's using the messenger and kill that?

A personal packet filter or personal FW repels unsolicited inbound traffic by
design. It never needed the so-called *stealth* to do it. However, if you
want the computer to be stealthed, then put the computer behind a NAT
router, and the computer will be *stealthed* then, because unsolicited
inbound traffic will be blocked by the router. The traffic will never reach
the computer where the O/S and personal FW will have to react to it.

>
> Does anyone know a desktop firewall with a well-designed engine? I have
> heard about Outpost, WinRoute, and ZoneAlarm. About this last one I'm not
> sure, because of the little I have read. Any objective opinion/advice will
> be appreciated! Thanks!

They all have trial-ware, I would suspect. Try them all and pick the one that
best fits your needs.

You might want to look at a cheap NAT router and use a PFW solution behind
the router that doesn't have a lot of snake-oil in it that will stop
applications from working.

http://www.homenethelp.com/web/explain/about-NAT.asp

Re: Sunbelt-Kerio issues / Need new desktop firewall advice

on 29.07.2007 17:29:14 by Mathieu Chavoutier

"Mr. Arnold" wrote:

>> I'm using Windows XP SP2, and I always have my computer in Stealth mode.
>> ....................................................................... I
>> have even blocked the nasty "svchost.exe" (which does who knows what). I
>> just enable it for a few minutes once a month to do Windows updates.
>>
> Svchost.exe does nothing on its own. It hosts other programs; that's its
> job, and programs use svchost.exe on their behalf. Svchost.exe is the
> messenger and only provides the means. Should you kill the messenger or
> should you find out what's using the messenger and kill that?

Thanks! My earlier findings showed that "svchost.exe" was being used only by
the OS (Windows XP SP2). If anyone knows which parts of the OS or services
are using this program, I'd appreciate it, so I can disable them (hopefully
MS allowed that to be done). I tried to filter by ports, but this exe uses
hundreds (if not thousands) of ports.

I have identified some uses of svchost.exe, like trying to synchronize the
time on my PC, doing Windows Updates, etc. But some others I just cannot
explain, nor did I have the time. I just feel that Microsoft is "calling
home" constantly, because I cannot understand why this exe is so persistent
in connecting to the Internet through such a wide range of ports (even on
fresh installs of Windows XP).

That's why I have been using software firewalls. Maybe, one day, after I
understand how to properly overwrite all these default-open connections on
my computer, I'll stop using them and just use a NAT router. But until then
I still have to fill so many holes in my understanding of these things.

> A personal packet filter or personal FW repels unsolicited inbound traffic
> by design. It never needed the so-called *stealth* to do it. However, if
> you want the computer to be stealthed, then put the computer behind a NAT
> router, and the computer will be *stealthed* then, because unsolicited
> inbound traffic will be blocked by the router. The traffic will never
> reach the computer where the O/S and personal FW will have to react to it.

I do not trust any application that connects to the Internet without first
knowing the motive. I believe these motives should be part of a very
limited list. Even for software that you pay big $$$ bucks for, from Microsoft,
Sony, Adobe, Altera, ... they all first connect to the Internet on startup
and/or constantly keep connecting. I will never understand/accept these bad
practices, but the "industry" is just adopting this as the "good behaviour."
The fact that an application starts and opens a channel to connect to another
network without your knowledge is just so wrong. Especially when this
network is untrusted like the Internet.

>> Does anyone know a desktop firewall with a well-designed engine? I have
>> heard about Outpost, WinRoute, and ZoneAlarm. About this last one I'm not
>> sure, because of the little I have read. Any objective opinion/advice will
>> be appreciated! Thanks!
>
> They all have trial-ware, I would suspect. Try them all and pick the one
> that best fits your needs.

I tried the latest versions of Kerio, Outpost, and Comodo. Below is my
experience, in case it may be of help to anyone.

I tried Sunbelt Kerio Personal Firewall 4.5.916. I really liked the previous
version, but the new version just didn't work as well as before, as I
explained previously.

Then I installed Agnitum Outpost Firewall Pro 4.0.1025.7828 (700).
Installation was a breeze. I liked the interface and usage, but it was
lacking the application / network-monitoring console with columns for
permissions and to allow block/unblock. Of course you can do this, but it
just wasn't in a console; it didn't have this to-the-point feature I really
like. Outpost seemed pretty refined and has many options, but its UI needed
to be more time-efficient for users to do the basic allow-this-on-this.
There seemed to be some issues with my P2P and Avast programs, but I did not
bother to investigate this further.

Then I tried Comodo; the installer was less than half the size of Outpost's.
I did not like the installation though: too long, many steps, but it works
great once installed. No issues so far. It does have that application /
network-monitoring console that I like. The console does not freeze when
using P2P (unlike Sunbelt-Kerio).

> You might want to look at a cheap NAT router and use a PFW solution behind
> the router that doesn't have a lot of snake-oil in it that will stop
> applications from working.

Not sure what "snake-oil" means. Hopefully, these "techniques" have not
become a standard for software firewalls out there.

Re: Sunbelt-Kerio issues / Need new desktop firewall advice

on 29.07.2007 22:10:51 by MR. Arnold

"Nando" wrote in message
news:en2ri.379576$p47.55335@bgtnsc04-news.ops.worldnet.att.net...
> "Mr. Arnold" wrote:
>
>>> I'm using Windows XP SP2, and I always have my computer in Stealth mode.
>>> .......................................................................
>>> I have even blocked the nasty "svchost.exe" (which does who knows what). I
>>> just enable it for a few minutes once a month to do Windows updates.
>>>
>> Svchost.exe does nothing on its own. It hosts other programs; that's its
>> job, and programs use svchost.exe on their behalf. Svchost.exe is the
>> messenger and only provides the means. Should you kill the messenger or
>> should you find out what's using the messenger and kill that?
>
> Thanks! My earlier findings showed that "svchost.exe" was being used only
> by the OS (Windows XP SP2). If anyone knows which parts of the OS or
> services are using this program, I'd appreciate it, so I can disable them
> (hopefully MS allowed that to be done). I tried to filter by ports, but
> this exe uses hundreds (if not thousands) of ports.

Svchost.exe can be used by any program, including malware, on its behalf.
Again, svchost.exe does nothing on its own. Svchost hosts other programs, and
those programs are the ones that are opening ports, NOT Svchost.

>
> I have identified some uses of svchost.exe, like trying to synchronize the
> time on my PC, doing Windows Updates, etc. But some others I just cannot
> explain, nor did I have the time. I just feel that Microsoft is "calling
> home" constantly, because I cannot understand why this exe is so
> persistent in connecting to the Internet through such a wide range of ports
> (even on fresh installs of Windows XP).

You can use Process Explorer, go to the View menu / Show Lower Pane / Show all
DLL(s), and click on any given Svchost.exe and look at all the programs the
Svchost is hosting; the tool is explained in the link.

http://preview.tinyurl.com/klw1
http://www.microsoft.com/technet/sysinternals/default.mspx

I hate to say it, but someone who knows the O/S and knows what is happening
would not stop Svchost.exe from doing its thing. And if Svchost.exe is
providing the means for a dubious remote IP connection by a program (it's
the program that is making the connection, malware or not), then he or she
goes and finds that program.

He or she doesn't shoot the messenger. Svchost.exe is just the messenger;
don't shoot the messenger, find out what's using the messenger and shoot
that, if need be.

>
> That's why I have been using software firewalls. Maybe, one day, after I
> understand how to properly overwrite all these default-open connections on
> my computer, I'll stop using them and just use a NAT router. But until
> then I still have to fill so many holes in my understanding of these
> things.

A personal FW or personal packet filter is not a firewall. What is a FW?
What does a FW do? That FW can be a FW router, FW appliance or a host-based
network FW (we're not talking about a personal FW) running on a gateway
computer. A personal FW is not a FW. It's only a packet filter running at
the machine level.

http://www.vicomsoft.com/knowledge/reference/firewalls1.html
>
>> A personal packet filter or personal FW repels unsolicited inbound traffic
>> by design. It never needed the so-called *stealth* to do it. However, if
>> you want the computer to be stealthed, then put the computer behind a NAT
>> router, and the computer will be *stealthed* then, because unsolicited
>> inbound traffic will be blocked by the router. The traffic will never
>> reach the computer where the O/S and personal FW will have to react to
>> it.
>
> I do not trust any application that connects to the Internet without first
> knowing the motive. I believe these motives should be part of a very
> limited list. Even for software that you pay big $$$ bucks for, from
> Microsoft, Sony, Adobe, Altera, ... they all first connect to the Internet
> on startup and/or constantly keep connecting. I will never
> understand/accept these bad practices, but the "industry" is just adopting
> this as the "good behaviour." The fact that an application starts and opens
> a channel to connect to another network without your knowledge is just so
> wrong. Especially when this network is untrusted like the Internet.

Sorry, I am not trying to be a smart ass here. But I don't know what you're
talking about. You're concerned about everything else under the sun. In the
meantime, a serious piece of malware has compromised the machine, and you
missed that, because you're blinded by looking at all the pop-up messages
and clicking with a response.

>> You might want to look at a cheap NAT router and use a PFW solution
>> behind the router that doesn't have a lot of snake-oil in it that will
>> stop applications from working.
>
> Not sure what "snake-oil" means. Hopefully, these "techniques" have not
> become a standard for software firewalls out there.

The snake-oil is anything in the solution that's preventing the connection
from happening, and you don't know about it nor can you fix it, other than
trying to find a lesser solution that has less snake-oil.

And the "techniques" you're talking about are unfortunately the standard on
the MS platform, with PFW(s) having an abundance of snake-oil in them trying
to protect you from you, and they cannot do it.

The solutions have lost their way in the job they were intended to do,
which is to filter inbound and outbound traffic/packets to/from the machine
at the machine level, and not all this other junk/snake-oil in them trying to
protect you from you.
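Process Explorer, as suggested above, shows which services a given svchost.exe instance hosts. As an added illustration (not code from the thread or from any product named in it), the Python script below does the same attribution from the command line: it parses constructed samples of `tasklist /svc` output (services hosted per svchost.exe PID) and `netstat -ano` output (each socket with its owning PID) and joins them, so a connection can be traced to a named service rather than just to "svchost". Both listings are constructed samples in those tools' output format, and the remote addresses come from documentation ranges.

```python
"""Attribute each socket in `netstat -ano` output to its owning process and, for
svchost.exe, to the services that particular instance hosts (from `tasklist /svc`).
Added illustration only; the two listings below are constructed samples in the
format those Windows XP command-line tools print, not captures from a real host."""
import re
from typing import Dict, List, Optional

# Constructed `tasklist /svc` sample.  tasklist wraps a long service list onto
# continuation lines that begin with whitespace, as shown for PID 1048.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    884 DcomLaunch, TermService
svchost.exe                    956 RpcSs
svchost.exe                   1048 AudioSrv, CryptSvc, Dhcp, EventSystem,
                                   lanmanserver, Schedule, W32Time, wuauserv
svchost.exe                   1120 Dnscache
firefox.exe                   2216 N/A
"""

# Constructed `netstat -ano` sample; remote addresses are documentation ranges.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       203.0.113.10:80        ESTABLISHED     1048
  TCP    192.168.1.5:1040       198.51.100.20:443      ESTABLISHED     2216
  UDP    0.0.0.0:123            *:*                                    1048
  UDP    127.0.0.1:1900         *:*                                    1120
"""

_TASK_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")  # image, pid, services
_NET_ROW = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)$")  # UDP rows have no State


def _split_services(field: str) -> List[str]:
    names = [s.strip() for s in field.split(",")]
    return [s for s in names if s and s != "N/A"]


def parse_tasklist(text: str) -> Dict[int, dict]:
    """Return {pid: {"image": ..., "services": [...]}} from `tasklist /svc` text."""
    procs: Dict[int, dict] = {}
    last_pid: Optional[int] = None
    in_table = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("="):            # separator row ends the header
            in_table = True
            continue
        if not in_table:
            continue
        if line[0].isspace():               # wrapped remainder of previous service list
            if last_pid is not None:
                procs[last_pid]["services"] += _split_services(line)
            continue
        m = _TASK_ROW.match(line)
        if m:
            last_pid = int(m.group(2))
            procs[last_pid] = {"image": m.group(1), "services": _split_services(m.group(3))}
    return procs


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per socket row of `netstat -ano` text (header rows are skipped)."""
    rows = []
    for raw in text.splitlines():
        m = _NET_ROW.match(raw.strip())
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def attribute_connections(tasklist_text: str, netstat_text: str) -> List[dict]:
    """Join both listings so each socket carries its image name and hosted services."""
    procs = parse_tasklist(tasklist_text)
    unknown = {"image": "<unknown>", "services": []}
    return [{**sock, **procs.get(sock["pid"], unknown)}
            for sock in parse_netstat(netstat_text)]


if __name__ == "__main__":
    for row in attribute_connections(TASKLIST_SAMPLE, NETSTAT_SAMPLE):
        hosted = ", ".join(row["services"]) or "-"
        print(f'{row["proto"]:<4}{row["local"]:<22} -> {row["remote"]:<20}'
              f'{row["state"]:<12} pid={row["pid"]} {row["image"]} [{hosted}]')
```

With real output, the UDP 123 socket in the sample would land on the instance hosting W32Time (time synchronization) and the port 80 connection on the same instance hosting wuauserv (Windows Update), which is the kind of attribution the thread is after.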

Re: Sunbelt-Kerio issues / Need new desktop firewall advice

on 29.07.2007 23:49:47 by Mathieu Chavoutier

"Mr. Arnold" wrote:
> You can use Process Explorer, go to the View menu / Show Lower Pane / Show
> all DLL(s), and click on any given Svchost.exe and look at all the programs
> the Svchost is hosting; the tool is explained in the link.
>
> http://preview.tinyurl.com/klw1
> http://www.microsoft.com/technet/sysinternals/default.mspx
>
> I hate to say it, but someone who knows the O/S and knows what is happening
> would not stop Svchost.exe from doing its thing. And if Svchost.exe is
> providing the means for a dubious remote IP connection by a program (it's
> the program that is making the connection, malware or not), then he or she
> goes and finds that program.
>
> He or she doesn't shoot the messenger. Svchost.exe is just the messenger;
> don't shoot the messenger, find out what's using the messenger and
> shoot that, if need be.

Thanks, I'll find out using Sysinternals' Process Explorer you suggested,
but I can assure you that I have no spyware or malware :) I'm convinced it is
the OS and/or services; now I have the means to prove it. Great!

> A personal FW or personal packet filter is not a firewall. What is a FW?
> What does a FW do? That FW can be a FW router, FW appliance or a
> host-based network FW (we're not talking about a personal FW) running on
> a gateway computer. A personal FW is not a FW. It's only a packet filter
> running at the machine level.
>
> http://www.vicomsoft.com/knowledge/reference/firewalls1.html

Hmm... It seems I'm lost in the concept; I have to review that.

>> I do not trust any application that connects to the Internet without
>> first knowing the motive. I believe these motives should be part of a
>> very limited list. Even for software that you pay big $$$ bucks for, from
>> Microsoft, Sony, Adobe, Altera, ... they all first connect to the
>> Internet on startup and/or constantly keep connecting. I will never
>> understand/accept these bad practices, but the "industry" is just
>> adopting this as the "good behaviour." The fact that an application
>> starts and opens a channel to connect to another network without your
>> knowledge is just so wrong. Especially when this network is untrusted
>> like the Internet.
>
> Sorry, I am not trying to be a smart ass here. But I don't know what
> you're talking about. You're concerned about everything else under the
> sun. In the meantime, a serious piece of malware has compromised the
> machine, and you missed that, because you're blinded by looking at all the
> pop-up messages and clicking with a response.

This may have nothing to do with security or intrusion detection by itself,
but I also care about privacy. There is no need, and I will always be
suspicious of any program that connects to the Internet without telling me
first. Because there is no need. They are supposed to run locally, that's it!
Taking into account what I have learned so far, the fact that it connects to
the Internet implies that it opens a port on my system that can be attacked
(can I say that?). Then I see it as a security matter.

Most of the freeware and shareware connect to the Internet to check for
updates, log the number of runs, collect and transmit users' system
information, etc. Some actually allow the users to change this behavior
during the setup or under menu\options. I try to avoid these applications.

But the truth is that most of those applications don't even make the users
aware of these events. Even worse, applications such as the ones I mentioned
above (Sony, Altera, Pinnacle and many others) do in fact abuse the
Internet. These legit, paid and costly applications violate the privacy of
individuals and connect. Without applications such as Kerio or Comodo I
wouldn't even know this was happening. No hijacking or popups. I have tested
this using a Virtual Machine on virgin copies of Windows. Nothing to do with
malware (unless I consider Windows to be one of them :)

"You have zero privacy anyway" -Scott McNealy (chairman, Sun Microsystems)

Re: Sunbelt-Kerio issues / Need new desktop firewall advice

on 30.07.2007 06:18:10 by MR. Arnold

<snipped>
>>
>> I hate to say it, but someone who knows the O/S and knows what is
>> happening would not stop Svchost.exe from doing its thing. And if
>> Svchost.exe is providing the means for a dubious remote IP connection by
>> a program (it's the program that is making the connection, malware or
>> not), then he or she goes and finds that program.
>>
>> He or she doesn't shoot the messenger. Svchost.exe is just the
>> messenger; don't shoot the messenger, find out what's using the
>> messenger and shoot that, if need be.
>
> Thanks, I'll find out using Sysinternals' Process Explorer you
> suggested, but I can assure you that I have no spyware or malware :) I'm
> convinced it is the OS and/or services; now I have the means to prove it.
> Great!

Maybe and maybe not that you have spyware. The only way to know for sure is
to start looking for yourself with other tools, because malware can and does
circumvent every last bit of software to detect it.

>
>> A personal FW or personal packet filter is not a firewall. What is a FW?
>> What does a FW do? That FW can be a FW router, FW appliance or a
>> host-based network FW (we're not talking about a personal FW) running on
>> a gateway computer. A personal FW is not a FW. It's only a packet filter
>> running at the machine level.
>>
>> http://www.vicomsoft.com/knowledge/reference/firewalls1.html
>
> Hmm... It seems I'm lost in the concept; I have to review that.
>
>>> I do not trust any application that connects to the Internet without
>>> first knowing the motive. I believe these motives should be part of a
>>> very limited list. Even for software that you pay big $$$ bucks for, from
>>> Microsoft, Sony, Adobe, Altera, ... they all first connect to the
>>> Internet on startup and/or constantly keep connecting. I will never
>>> understand/accept these bad practices, but the "industry" is just
>>> adopting this as the "good behaviour." The fact that an application
>>> starts and opens a channel to connect to another network without your
>>> knowledge is just so wrong. Especially when this network is untrusted
>>> like the Internet.
>>
>> Sorry, I am not trying to be a smart ass here. But I don't know what
>> you're talking about. You're concerned about everything else under the
>> sun. In the meantime, a serious piece of malware has compromised the
>> machine, and you missed that, because you're blinded by looking at all
>> the pop-up messages and clicking with a response.
>
> This may have nothing to do with security or intrusion detection by
> itself, but I also care about privacy. There is no need, and I will always
> be suspicious of any program that connects to the Internet without telling
> me first. Because there is no need.

You do know that malware can circumvent all of it, set its own rules, punch
through the PFW, and you wouldn't even know it.

> They are supposed to run locally, that's it!

Yes, a program runs locally on the machine. The program is locally running on
the computer. But that doesn't mean that the program will not have a valid
reason to access the Internet.

> Taking into account what I have learned so far, the fact that it connects
> to the Internet implies that it opens a port on my system that can be
> attacked (can I say that?). Then I see it as a security matter.

No, you can't say that. There are two types of inbound traffic that a FW,
even a PFW/packet filter, deals with when opening ports to traffic.

1) Solicited inbound traffic -- is inbound traffic that has been solicited
due to a machine running a program that has sent outbound traffic to a WAN
(Wide Area Network)/Internet IP or to a LAN (Local Area Network) IP -- a
machine connected to the router using a local IP -- from behind a FW.

That FW can be a router or FW appliance, a host-based software solution
running on a gateway computer, or a PFW/packet filter, even if the PFW/packet
filter is being used in a WAN or LAN or both situation. The FW will open the
inbound ports to let the traffic back to the machine and to the program that
is listening on the port.

2) Unsolicited inbound traffic -- is any inbound traffic that has not been
solicited, like up above; it is going to be blocked by the FW, the port is
not open.

There is a third condition too, where unsolicited inbound traffic must reach
a program that is listening that has not sent outbound traffic.

That would be a case where a Web server behind a FW must allow your browser
to make contact with the Web Server. It's called port forwarding, where a
port is opened on the FW to let unsolicited inbound traffic past the FW.

http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp

>
> Most of the freeware and shareware connect to the Internet to check for
> updates, log the number of runs, collect and transmit users' system
> information, etc. Some actually allow the users to change this behavior
> during the setup or under menu\options. I try to avoid these applications.

I think that should be the least of your concerns.

>
> But the truth is that most of those applications don't even make the users
> aware of these events. Even worse, applications such as the ones I
> mentioned above (Sony, Altera, Pinnacle and many others) do in fact abuse
> the Internet. These legit, paid and costly applications violate the privacy
> of individuals and connect. Without applications such as Kerio or
> Comodo I wouldn't even know this was happening. No hijacking or popups. I
> have tested this using a Virtual Machine on virgin copies of Windows.
> Nothing to do with malware (unless I consider Windows to be one of them :)

In the meantime, the software has gone out and made contact with the site,
because it beat the PFW to the connection during the boot and login process,
well before the PFW could get there and protect the connection, because the
O/S is not waiting on a non-integrated solution like a 3rd-party PFW before
the connection is made active.

>
> "You have zero privacy anyway" -Scott McNealy (chairman, Sun Microsystems)

So why worry about something that is trivial like that? It's much ado
about nothing.

What you should be concerned about is someone hacking the machine with
software that has compromised the machine and using the information against
you to do serious damage, like identity theft. And it circumvented and
defeated all the snake-oil solutions and snake-oil solutions in software
running on the machine, and you and they never saw it coming, because you're
leaning on the snake-oil like a crutch. Sorry, I hate to be blunt, but
sometimes it's needed.

Here is another link about FW solutions, and a PFW is not a FW solution.
It's only a machine-level packet filter protecting the machine at the
machine level, which is doing way too much in trying to protect you from
*you*, which it cannot do that well.

http://www.more.net/technical/netserv/tcpip/firewalls/
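As an added example (not code from the thread or from any product it names), the Python model below replays the three cases described in the post above: a reply to traffic the host sent is solicited and admitted, anything else arriving is unsolicited and dropped, and port forwarding is the explicit exception for a program that is listening. It also shows why an outbound connection does not "open a port that can be attacked" in the sense asked earlier: the state entry is keyed on the exact remote peer, so a different host aiming at the same local port is still unsolicited. Addresses are constructed from private and documentation ranges.

```python
"""Toy stateful packet filter illustrating solicited vs unsolicited inbound traffic
and port forwarding.  Added illustration only, not the design of any real product."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the protected host, "in" = arriving at it


# (proto, local ip, local port, remote ip, remote port) of a flow the host started
FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Remembers outbound flows, admits only their replies, and otherwise admits
    inbound packets only on ports that were deliberately forwarded."""

    def __init__(self, local_ip: str, forwarded: Iterable[Tuple[str, int]] = ()):
        self.local_ip = local_ip
        self.forwarded = set(forwarded)      # e.g. {("TCP", 80)} for a published web server
        self.flows: Set[FlowKey] = set()     # state table of flows the host solicited
        self.log: List[str] = []

    def handle(self, pkt: Packet) -> str:
        """Return "ALLOW" or "DROP" for one packet and record the reason."""
        if pkt.direction == "out":
            # Case 1 set-up: the host solicits traffic, so remember the exact peer.
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return self._record(pkt, "ALLOW", "outbound")
        key: FlowKey = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            return self._record(pkt, "ALLOW", "solicited reply")       # case 1
        if (pkt.proto, pkt.dst_port) in self.forwarded:
            return self._record(pkt, "ALLOW", "port forwarded")        # case 3
        return self._record(pkt, "DROP", "unsolicited, port closed")   # case 2

    def _record(self, pkt: Packet, verdict: str, why: str) -> str:
        self.log.append(f"{verdict:5} {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port} ({why})")
        return verdict


HOST = "192.168.1.5"   # the protected machine (constructed private address)


def run_demo() -> StatefulFilter:
    """Replay a constructed packet sequence through a filter that also publishes
    a web server on TCP/80; the filter's log holds one verdict per packet."""
    fw = StatefulFilter(HOST, forwarded={("TCP", 80)})
    packets = [
        # the host's browser opens a connection to a web site (documentation address)
        Packet("TCP", HOST, 1034, "203.0.113.10", 80, "out"),
        # the site's reply comes back to the same local port: solicited, allowed
        Packet("TCP", "203.0.113.10", 80, HOST, 1034, "in"),
        # a different host aims at that same local port: the state entry is bound
        # to the peer the host talked to, so this is unsolicited and dropped
        Packet("TCP", "198.51.100.9", 80, HOST, 1034, "in"),
        # a probe of a listening service port with no forwarding rule: dropped
        Packet("TCP", "198.51.100.9", 4444, HOST, 135, "in"),
        # a visitor reaching the published web server on port 80: forwarded, allowed
        Packet("TCP", "198.51.100.9", 51000, HOST, 80, "in"),
        # an NTP reply the host never asked for is dropped even on a port it uses
        Packet("UDP", "203.0.113.10", 123, HOST, 123, "in"),
    ]
    for p in packets:
        fw.handle(p)
    return fw


if __name__ == "__main__":
    print("\n".join(run_demo().log))
```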

Re: Sunbelt-Kerio issues / Need new desktop firewall advice

on 31.07.2007 18:29:02 by Mathieu Chavoutier

"Mr. Arnold" wrote:

> Maybe and maybe not that you have spyware. The only way to know for sure
> is to start looking for yourself with other tools, because malware can and
> does circumvent every last bit of software to detect it.
>
> You do know that malware can circumvent all of it, set its own rules,
> punch through the PFW, and you wouldn't even know it.
>
>> They are supposed to run locally, that's it!
>
> Yes, a program runs locally on the machine. The program is locally running
> on the computer. But that doesn't mean that the program will not have a
> valid reason to access the Internet.
>
>> Taking into account what I have learned so far, the fact that it connects
>> to the Internet implies that it opens a port on my system that can be
>> attacked (can I say that?). Then I see it as a security matter.
>
> No, you can't say that. There are two types of inbound traffic that a FW,
> even a PFW/packet filter, deals with when opening ports to traffic.
>
> 1) Solicited inbound traffic -- is inbound traffic that
> ............................
> 2) Unsolicited inbound traffic -- is any inbound
> ............................
> There is a third condition too, where unsolicited inbound traffic must
> reach a program that is listening that has not sent outbound traffic.
>
> That would be a case where a Web server behind a FW must allow your
> browser to make contact with the Web Server. It's called port forwarding,
> where a port is opened on the FW to let unsolicited inbound traffic
> past the FW.
>
> http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp
>
>>
>> Most of the freeware and shareware connect to the Internet to check for
>> updates, log the number of runs, collect and transmit users' system
>> information, etc. Some actually allow the users to change this behavior
>> during the setup or under menu\options. I try to avoid these
>> applications.
>
> I think that should be the least of your concerns.
>
> What you should be concerned about is someone hacking the machine with
> software that has compromised the machine and using the information
> against you to do serious damage, like identity theft. And it circumvented
> and defeated all the snake-oil solutions and snake-oil solutions in
> software running on the machine, and you and they never saw it coming,
> because you're leaning on the snake-oil like a crutch. Sorry, I hate to be
> blunt, but sometimes it's needed.
>
> Here is another link about FW solutions, and a PFW is not a FW solution.
> It's only a machine-level packet filter protecting the machine at the
> machine level, which is doing way too much in trying to protect you from
> *you*, which it cannot do that well.
>
> http://www.more.net/technical/netserv/tcpip/firewalls/

Thanks, Mr. Arnold! It is going to take a while to read and exercise all the
valuable information. Thanks for your assistance. I think I'm on the right
track now. The links will also help a lot. This is dark but cool stuff.
Hopefully I'll eventually learn to protect myself correctly, and maybe (one
day) I can build firewall equipment. :)