Rising Personal Firewall V16 (24.00.56.56)

Status
Not open for further replies.

maka

Level 1
Verified
Jul 1, 2018
22
- RFW has something like BB...I think so...it's the option "Intercept network intrusion attacks" with 88 monitored actions.
At first glance it seems that this feature blocks some types of exploits. But in my opinion, it isn't very useful, since they seem to be very old exploits.
Anyway, thanks for sharing. :)

In my opinion, this tool is quite outdated. I would recommend other firewalls like Comodo or ZoneAlarm. It is worth mentioning other tools such as:
  • WFC (WFAS based)
  • Simplewall (WFP based - usermode) - Very simple - beginner's tool
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
You need to enable that Ask me option.

Needless to say I had that option enabled when I ran my test. RF asked for some things (like RedEye and Crab) and not others (like some worms and a modified Tofsee). Also please remember that the malware I use tends to be a bit more aggressive in their actions.

CS, we shouldn't expect a firewall to block worms, ransomware, fake processes or alert for a new scheduled task! Let the AV do that.

I could not agree more! Too bad that this seems to be too much to expect as the bulk of Security solutions are oblivious to Worms (and other scriptor-like malware). God knows I've done enough videos on just this topic spanning a bunch of different products.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Hey everyone. Was looking this over, and I like it overall. I do have a question about creating a rule for svchost.exe though. I want to customize the rule and then add specific rules for IPs, especially for DNS servers and local. I am having 2 problems:

1. When I go to create the rule like this:

[screenshots: RFW1.jpg, RFW2.jpg, RFW3.jpg]

The option for remote IPs is only for a range or for all IPs. Then when I try to add a range, the form will only accept two digits inside the period breaks, whereas an IP can have 3 digits between each period. So I can't enter my DNS server since it's 209.244.0.3. I was hoping I could add the single IP twice into the range form boxes for a single IP, although my secondary IP is 209.244.0.4, so I could do a range for that. Here is a pic of the boxes:

[screenshot: RFW4.jpg]


2. Remembering an allow from the alert will turn off the custom setting. svchost.exe goes back to allowing everything. I suppose that similar issues would occur with rules for a block, since they are created in the same way.

Thanks for any assistance...

BTW, I think Fort Knox gets around this by creating separate rules for a process. Have to set the rule to block and then create allow exceptions. It has other issues with this, though (inconsistent alerting). Going back to Private Firewall and Binisoft WFC, it seems like there is always something missing or broken. With Comodo it's possible to manage this but creating IP rules is clumsy and difficult and can't be done from an alert. It was the same thing with Private Firewall way back. Working on a deeper level with Windows process connections should be possible from an alert in my opinion...like access to a rule creation dialog for special exceptions. :)
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
and it appears that svchost.exe modules can be monitored also :)
Yes, but remember it's whitelisted by default - it might not give an alert (when misused, being hollowed by a malware) if not unchecked.
However, it (the legit one) gave me tons of alerts after login, I have it back whitelisted.
If RPF does compare hashes or some other technique to differentiate that would be really cool!

Did you edit the whitelist when trying "Start module access check"?

Good findings @ichito!
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Looking forward to your tests with it in MH if you add it as a companion for a tested AV product, thanks. :emoji_v:
So far, it seems compatible with TCPM.
I've whitelisted all processes of TCPM just in case.

One thing I've noticed:
While TCPM (and especially its cloud) doesn't care whether I have my VPN on or not, Rising Personal Firewall cannot check for updates (maybe the Chinese server(s) it connects to block VPN?).
Note I cannot access TCPM forums properly with VPN on, and I cannot access the Rising page....

This may cripple some of the functions of RPF, using the cloud. Cannot confirm yet.
However, I get alerts on software trying to call out.

Windows 10 firewall control
If you talk about the one by Sphinx software:
I like it a lot!
Easy to use, lightweight, quiet when commonly used software is whitelisted.
However, it does whitelist Windows processes (like explorer.exe, wscript.exe, ...); you need the paid versions to change the rules.
All other processes will be autoblocked (if you ignore the warning popping up, in which you can change the rules).
Apart from the above mentioned limitation, a clear recommendation.
 

ichito

Level 11
Verified
Top Poster
Content Creator
Well-known
Dec 12, 2013
541
Yes, but remember it's whitelisted by default - it might not give an alert (when misused, being hollowed by a malware) if not unchecked.
However, it (the legit one) gave me tons of alerts after login, I have it back whitelisted.
If RPF does compare hashes or some other technique to differentiate that would be really cool!

Did you edit the whitelist when trying "Start module access check"?

Good findings @ichito!
Yes...RFW whitelists or...better said...it checks modules via its cloud (if the option is enabled). Not every module is automatically allowed, as I noticed in the case of Chrome...see screenshot (BTW - I don't know why Chromium is not known by Rising's cloud?)
[screenshots: 180804124953_2.jpg, 180804125003_3.jpg]
Each alert gives you time to decide what to do, but I think it's also the time for the firewall to check all detected modules...you can see in the tab "Module info" that while checking, some lines have the status "Querying" ("Security level" column) before they are considered safe or not.
Edit white list?... I've checked entries (modules) in each main rule but didn't notice something suspicious.
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
Yes...RFW whitelists or...better said...it checks modules via its cloud (if the option is enabled). Not every module is automatically allowed, as I noticed in the case of Chrome...see screenshot (BTW - I don't know why Chromium is not known by Rising's cloud?)
[attachments 194408 and 194409]
Each alert gives you time to decide what to do, but I think it's also the time for the firewall to check all detected modules...you can see in the tab "Module info" that while checking, some lines have the status "Querying" ("Security level" column) before they are considered safe or not.
Edit white list?... I've checked entries (modules) in each main rule but didn't notice something suspicious.
The cloud doesn't work for me as I sit behind a VPN (F-Secure FreeDome).
However, it seems to use some offline ratings, as many Windows services are shown as "trusted" (they are, even if they get hollowed by malware - that's the trick to watch out for - see for example RegAsm.exe being hollowed by sample io.exe - here: https://malwaretips.com/threads/3-08-2018-21.85688/).

I'm not sure yet, but it seems as if RF does check file hashes.
Though you might have whitelisted existing software (here: every .exe I found for Tencent PC Manager), as soon as their components get replaced (here: once a week, when TCPM offers to in-app-upgrade), it will again alert as the components try calling out.
[screenshot: rules.PNG]
This can get pretty annoying over time.
For paranoid users, however, a great plus in security. It seems to alert on every single process trying to call out (if not already whitelisted with its current hash).

Sphinx Software Win10 Firewall control is much easier to handle. Once the .exe of Tencent were whitelisted, it did only alert when the upgrade was done and the installer tried calling out.
Note the free version of Sphinx will autoallow trusted Windows services as stated before.
It also does not seem to check #.
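The behaviour described above (a process that was allowed once alerts again as soon as its binary is replaced by an upgrade) is what you get from a hash-keyed allowlist rather than a path-keyed one. The following Python sketch is an added example, not Rising's or Sphinx's code; the product paths, the "upgrade" contents and the decision strings are constructed for illustration. It shows both policies side by side and the caveat raised in this thread: a file hash catches a replaced binary on disk, but it says nothing about a trusted, unchanged binary whose process has been hollowed in memory, so hash-keyed rules are a complement to, not a substitute for, behaviour monitoring.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample "executables": path -> bytes of the image on disk.
# v1 is what the user approved; v2 is the same path after a vendor upgrade.
IMAGES_V1 = {
    r"C:\Program Files\Tencent\PCMgr\PCMgr.exe": b"pcmgr build 12.1 (constructed)",
    r"C:\Windows\System32\svchost.exe": b"svchost (constructed)",
}
IMAGES_V2 = dict(IMAGES_V1)
IMAGES_V2[r"C:\Program Files\Tencent\PCMgr\PCMgr.exe"] = b"pcmgr build 12.2 (constructed)"


def sha256_hex(data: bytes) -> str:
    """Hash of the on-disk image; real products hash the file, not the process memory."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(images: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot the binaries the user clicked 'allow' on: path -> sha256."""
    return {path: sha256_hex(blob) for path, blob in images.items()}


def decide_outbound(path: str, image: bytes, allowlist: Dict[str, str],
                    key_by_hash: bool = True) -> Tuple[str, str]:
    """Return ('allow' | 'alert', reason) for an outbound connection attempt.

    key_by_hash=False models a path-only rule (quiet across upgrades, but a
    swapped binary at the same path inherits the rule).
    key_by_hash=True models a hash-keyed rule (re-alerts after every upgrade).
    """
    if path not in allowlist:
        return ("alert", "unknown process, no rule")
    if not key_by_hash:
        return ("allow", "path is allowlisted")
    if allowlist[path] == sha256_hex(image):
        return ("allow", "hash matches the approved build")
    return ("alert", "binary at this path changed since approval")


def reapprove(path: str, image: bytes, allowlist: Dict[str, str]) -> None:
    """What clicking 'allow' again after an upgrade does: store the new hash."""
    allowlist[path] = sha256_hex(image)


def run_demo() -> Dict[str, str]:
    """Walk through the thread's scenario; returns the decision at each step."""
    allow = build_allowlist(IMAGES_V1)
    pcmgr = r"C:\Program Files\Tencent\PCMgr\PCMgr.exe"
    results = {}
    # Before the upgrade both policies are quiet.
    results["v1_hash"] = decide_outbound(pcmgr, IMAGES_V1[pcmgr], allow)[0]
    results["v1_path"] = decide_outbound(pcmgr, IMAGES_V1[pcmgr], allow, key_by_hash=False)[0]
    # After the weekly in-app upgrade the hash rule fires again, the path rule does not.
    results["v2_hash"] = decide_outbound(pcmgr, IMAGES_V2[pcmgr], allow)[0]
    results["v2_path"] = decide_outbound(pcmgr, IMAGES_V2[pcmgr], allow, key_by_hash=False)[0]
    # Re-approving the new build silences the hash rule until the next upgrade.
    reapprove(pcmgr, IMAGES_V2[pcmgr], allow)
    results["v2_hash_reapproved"] = decide_outbound(pcmgr, IMAGES_V2[pcmgr], allow)[0]
    # A process with no rule at all alerts under either policy.
    results["unknown"] = decide_outbound(r"C:\Temp\io.exe", b"constructed", allow)[0]
    return results


if __name__ == "__main__":
    for step, verdict in run_demo().items():
        print(f"{step:20s} {verdict}")
```

Note what the model does not see: `svchost.exe` in `IMAGES_V1` keeps the same on-disk bytes whether or not something has been hollowed into its process, so `decide_outbound` would still return `allow` for it. That is exactly why the "trusted" rating on Windows services in this thread is worth watching rather than relying on.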
 

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,014
I'm Chinese (n)
Qihoo or Baidu are free and better :p
The software is in English, only the website is in Chinese. Baidu has not been updated in a few years, currently has major issues with false positives and has no firewall.
 

blueblackwow65

Level 23
Verified
Well-known
Dec 19, 2012
1,243
About Windows 10 Firewall Control from Sphinx, what is the best way to know which program to allow: enable all, or just allow outgoing or incoming? Thanks
 