Troubleshoot Fort Knox Firewall

[AtlBo]

Anyone used FK lately? A member asked me if I knew anything about FK and linked a pdf with great information here:

http://www.fortknox-firewall.com/download/manual.pdf

It's about $22 for 5 lifetime keys, so I want to see if it's as good as the pdf makes it appear to be. Process defense looks possibly very good, but I really liked the ability to monitor Windows settings all in one place like sharing etc.

What I would really like is an application that monitored net facing elements of Windows like remote desktop and FTP and file sharing settings that made it possible to manage them separately from svchost or whatever like most firewalls seem to do. The usual way doesn't work. Monitoring the actual element of Windows would make it possible to enable with confidence even remote desktop (if certain protocols had to be met for a connection to complete). However, finding this is another story I guess for now...

 

[TairikuOkami]

Systems are always infected, either with scripts or malware in the browser cache or etc. AV or a sandbox can detect/stop it in this state. Outbound protection can prevent downloading the dangerous part, but the malware itself is still mostly harmless. So being infected is not really an issue, people just make a big deal out of it.

 

[cruelsister]

Please, please tell me you are being sarcastic! From, on a personal level, ransomware deleting irreplaceable photos of your dear deceased Grandmother and info stealers looting you bank or brokerage accounts, to Enterprise malware acquiring your credit card data, to Defense targeted malware bringing down your country's C&C as the Tanks roll in, malware is one of the biggest blights Society has seen, costing billions of dollars in remediation and God Knows how many lives.

And with a bit of knowledge one can keep systems totally malware free, as long as one has Eyes to See and Ears that Hear...

 

[shmu26]

Tairiku means that the payload is the bane, the dropper is not the bane.

 

[ZeroDay]

I'd pick Binsoft Windows firewall control over Fortnox all day every day.

 

[ZeroDay]

I honestly think that when or IF Comodo get Comodo cloud AV running as it should they will drop Comodo firewall and Comodo cloud AV will be either their only or main product. I also think that they want to get Comodo cloud AV running at it's very best so they can have it tested by AV-Comparatives and show them just how strong their sandbox is. Melieh definitely wants to rub AV-Comparatives nose in it so to speak. I have the lifetime license for WFC too. But I stand my ground when it comes to Fornox firewall, it's never been much good. I do really like WFC and I'd choose that over Fortnox. I'd personally like to go all in with Fortinet by using their AV and a hardware firewall and their sandbox appliance. I see people go on all the time about how good Eset's firewall is yet in default settings it gets bypassed on a regular basis in the Malware hub as would Comodo in default settings, but Eset firewall is bypassed a lot in the hub. Windows defender, WFC, SRP, SUA and Voodooshield and unless you're either unlucky or click happy you're set.

 

[codswollip]

I'll be releasing a Setup video this weekend (from starting the installer). Try my settings and if you have issues then you can berate me to no end.

In your video, please comment on the advisability of disabling Windows Firewall with CF installed (w/your settings).

 

[ichito]

The strength of Comodo is the sandbox. The Firewall is actually inferior to others as Comodo expects that either the HIPS or Containment will be used. NEVER EVER use only the Firewall!!!!! Trust me on this! I would rather have you use Anything else!

Sooo...why this thread is full of Comodo? Why people still try to compare other firewalls to Comodo?...it's...without additional modules/features...actualy more invalid than others firewalls...
FortKnox is maybe not wellknown but is solid firewall...as I remember it has Sygate roots (like Norton FW years ago) so can give quite/enough level of protection especialy if connected with its hardware (Netgate).

 

[ForgottenSeer 58943]

I tried Comodo FW last night. Vanilla, then with Cruel's settings from the video.

Both times I noticed degradation of network performance. Specifically, ping performance was atrocious in both configurations. ping -t to 8.8.8.8 went from 6-8ms up to 30-50ms. Pings to my COLO went from 9-11 seconds up to 60-90 seconds. Pings to the primary distribution node of my ISP jumped 4 fold. As soon as CF was uninstalled or the FWD was disabled, things went back to normal. The machine tested was a fresh WIn10 installation with nothing installed other than CF. Just for grins, I also tested with disabled WD and WF, same result.

To me, that makes it unusable. I'm not sure if it's the case of it not compatible with highspeed connections (1000Mbps), or perhaps it doesn't like the buffer bloat from my ISP or whatever. I wonder if it isn't localized and other people just don't monitor ICMP as aggressively, or even pay attention to it at all.

 

[ForgottenSeer 58943]

Systems are always infected, either with scripts or malware in the browser cache or etc. AV or a sandbox can detect/stop it in this state. Outbound protection can prevent downloading the dangerous part, but the malware itself is still mostly harmless. So being infected is not really an issue, people just make a big deal out of it.

It's becoming increasing difficult, and in some cases almost impossible to secure Windows Systems (at least without breaking a lot). We're finding this task growing harder by the month as traditional methods that don't cause great difficulty in the enterprise world are starting to become obsolete. There is some level of panic in the halls of places like Fortinet with exactly how to address all of this, the technology really doesn't exist to properly deal with it. This is likely the result of billions being spent weaponizing malware with far far less spent defending against it and developing new techniques/technologies to address it. We're at a stage when siege engines are pounding at the gate and we haven't came up with the idea of hot oil yet.

It's going to be fun...

 

[codswollip]

Both times I noticed degradation of network performance. Specifically, ping performance was atrocious in both configurations. ping -t to 8.8.8.8 went from 6-8ms up to 30-50ms.

FWIW, on a Win 8.1 x64 laptop with a mundane wireless connection, 8.8.8.8 pings out at 14ms w/CF running. Fine for me.

 

[shmu26]

I tried Comodo FW last night. Vanilla, then with Cruel's settings from the video.

Both times I noticed degradation of network performance. Specifically, ping performance was atrocious in both configurations. ping -t to 8.8.8.8 went from 6-8ms up to 30-50ms. Pings to my COLO went from 9-11 seconds up to 60-90 seconds. Pings to the primary distribution node of my ISP jumped 4 fold. As soon as CF was uninstalled or the FWD was disabled, things went back to normal. The machine tested was a fresh WIn10 installation with nothing installed other than CF. Just for grins, I also tested with disabled WD and WF, same result.

To me, that makes it unusable. I'm not sure if it's the case of it not compatible with highspeed connections (1000Mbps), or perhaps it doesn't like the buffer bloat from my ISP or whatever. I wonder if it isn't localized and other people just don't monitor ICMP as aggressively, or even pay attention to it at all.

I always turn off the web protection, not only because it is useless to me, but also because it slows down internet connection, as you wisely observed.

 

[shmu26]

Does Binisoft WFC do a better job than Windows Firewall at preventing malware from hijacking legit processes in order to get an internet connection?

 

[cruelsister]

Windows Firewall is oblivious to malicious outbound traffic. Yes, one can spend a lot of time setting up WF rules, but quite a few malware now have scripts embedded in them to allow the connection to Command or just disable WF (and no firewall will prevent hijacking- it will just be aware of and stop the connection from that hijacked process).

 

[AtlBo]

Revisiting this after a week. I feel Fort Knox is good enough to run in the place of the Comodo firewall element of CF. I can't explain exactly why I like it, except that it seems like a bargain to me for a program that was recently updated with clean up to date digital signatures and might be entering into a period of active development. It's only $23 for a key for 5 PCs, and I like where the program is already.

What I like
1. May seem like a simple stupid thing, but I like the WhoIs feature where the data is actually imported into the program. Miles better than having to open a web page or TCPView every time to see who is connection.
2. Web connections page-another small thing, but this presentation is clean and clear. Most importantly, the connections are organized in a sensible way...apps at the top and everything else at the bottom
3. Don't think it requires Windows Firewall to be on. Maybe this is not really a plus honestly, but I tried, and it can be turned on too
4. Password protectable settings
5. The log is clean and sensible and easy to read
6. The Options seem fairly good. Maybe they are underdeveloped at this point, but what if FK takes off and you have 5 lifetime keys LOL?
7. Not sure why but I feel like this application adds an extra sense of security to the system
8. Netgate is German and I feel good about Germany and German things in general

What I do not like
1. Absence of IPv6 monitoring (hopefully it will be added)
2. This is the big one for me. No support of IP ranges with rules creation. Really going to be hoping for this one.

If anyone has the spare change, and you are looking for a firewall application to fill out your setup, I think I would recommend taking a look at Fort Knox. Maybe it seems like a risk, but it's also 5 lifetime keys for a program that presents itself well and seems well written. Also, it seems to do the job. I haven't run into a situation yet where I would like to block a range of IPs, so...

 

[TairikuOkami]

2. This is the big one for me. No support of IP ranges with rules creation. Really going to be hoping for this one.

I wrote them about it and they replied, that they do not plan to add it. Pity, it would make a perfect firewall then, unlike the unprotected Windows Firewall.

I haven't run into a situation yet where I would like to block a range of IPs, so...

That depends, how strict are your rules. Since I do not use HIPS or a similar protection, a malware could hijack any process allowed in the firewall.
So I have limited their access as much as possible, like my email client only to my email domain, browser sync to its domain, time sync to NTP, etc.

Windows Firewall is oblivious to malicious outbound traffic. Yes, one can spend a lot of time setting up WF rules, but quite a few malware now have scripts embedded in them to allow the connection to Command or just disable WF

Indeed, that is why disabling scripting is the first line of defense (similar to noscript), also to prevent UAC bypass. I have disabled WSH/WMI, removed powershell.

 

[AtlBo]

I wrote them about it and they replied, that they do not plan to add it. Pity, it would make a perfect firewall then, unlike the unprotected Windows Firewall.

@TairikuOkami. Thx. Do you happen to know if the Windows firewall will still filter if I turn it on with a firewall like Fort Knox running? Maybe I could set some ranges that way. You have given me an idea about Windows firewall. Maybe NVT devs would consider adding a rule about turning off Windows firewall. That would be interesting. I also have a question about whether hosts are enforced even if the Windows firewall is off. If not, maybe that could be a reason for some to like to have it on idk.

That depends, how strict are your rules. Since I do not use HIPS or a similar protection, a malware could hijack any process allowed in the firewall.
So I have limited their access as much as possible, like my email client only to my email domain, browser sync to its domain, time sync to NTP, etc.

Does this mean you get an alert say if an attachment tries to connect out? Sounds really powerful when combined with some good underneath protection. Are you using OSArmor? I need to work with the rules some, but it seems to me like it might be powerful for your setup.

 

[TairikuOkami]

Do you happen to know if the Windows firewall will still filter if I turn it on with a firewall like Fort Knox running?

I do not think so, it is a standalone one, but you could try to combine it with Free Firewall, it can run alongside of WF.
Free Firewall is simple, only allow/block, then you could create advanced rules for allowed process within WF.

Does this mean you get an alert say if an attachment tries to connect out?

Unfortunately not, I have to painstakingly create rules by watching the network traffic, but once setup, it is a breeze, like:

netsh advfirewall firewall add rule name="POP Peeper DNS" dir=out action=allow protocol=UDP remoteip=156.154.71.3,156.154.70.3 remoteport=53 program="%ProgramFiles(x86)%\POP Peeper\POPPeeper.exe"
netsh advfirewall firewall add rule name="POP Peeper IMAP" dir=out action=allow protocol=TCP remoteip=94.100.176.0-94.100.183.255,217.69.136.0-217.69.141.255 remoteport=143,587 program="%ProgramFiles(x86)%\POP Peeper\POPPeeper.exe"

Then again, WF creates rules at will, so I have to remove them daily, using:

netsh advfirewall firewall delete rule name=all

 

[KeZa]

Here on Xp with AVG full and the good but very old Sygate FW.

 

[SHvFl]

Yes, you can use it as firewall alone, I know people who do so, because it is light and effective.
You will have less bugs, I don't know if you will have zero bugs. @SHvFl would know better.

I have been using just the firewall for a while now and it works flawlessly for me. Didn't find any bug and i can do way more with the firewall rules than what i can do with windows firewall.

 

[shmu26]

I have been using just the firewall for a while now and it works flawlessly for me. Didn't find any bug and i can do way more with the firewall rules than what i can do with windows firewall.

@SHvFl: does Binisoft WFC have protections that Comodo firewall module is lacking?
Someone here said that binisoft has mitigations to stop malware from connecting out through a legit process, but if you use CF with only firewall, you don't have such mitigations (because CF is relying on HIPS and/or autocontainment to do that)