Security programs seem to get more bloated with every release. Firewalls in particular now have so many 'features' that your system files can't even cough without triggering an alert or writing a registry entry somewhere. If, like me, you already have a well-protected browser and adopt safe surfing practices, then maybe you neither want nor need this level of system strangulation.
Up to and including XP, Windows users had plenty of excellent freeware firewalls to choose from, but since Windows 7, and in particular the x64 release, most of these programs are no longer compatible.
So then, what are the options?
Well, unless you want something bursting at the seams with HIPS, behavior blockers, weather reports and a built-in media player... not very many! In some ways this is good because it is forcing users to confront the possibility that Windows Firewall might be just what they're looking for! OK, so we all knew about the limitations of the XP firewall, but this all changed with Vista and Windows 7. There's even a freeware program from Sphinx Software which adds another layer to this process. Windows7 and Vista Firewall Control does not 'control' the Windows Firewall as its name suggests. It is in fact designed to work in partnership with the Windows Firewall.
How Firewalls Interact
This is the explanation provided by the vendor to illustrate how the two firewalls interact.
"WFP is the traffic processing engine, i.e. stores the rules and matches the traffic to the rules. Windows Firewall and Windows7 FirewallControl are just authoritatively equal 'clients' of the engine, they mostly can't see each other as they act at different (but priority-equal) 'spaces'. The purposes of the both are equal - the rule management, just the usability is different. The priorities are determined by WFP only. Any blocking rule (set in any 'space') blocks immediately. Any enabling rule is just a reason to iterate through the rest of the rules."
One of the main features of Windows 7 and Vista Firewall Control is that it installs no third-party drivers, which Sphinx Software claim provides 'unbeatable' stability and system compatibility.
A Lightweight But Secure Alternative
Building around this combined firewall package I'm going to suggest a few other programs which together will give a lightweight but secure alternative to some of the more bloated 'final solutions'. In terms of overall resource use you might not end up saving that much, if anything, but in terms of system usability this form of layered solution nearly always 'runs lighter' and is less inclined to cause problems.
Sticking with the network for now, let's just appreciate that most infections are net-borne, so you must connect to somewhere in order to get one. It makes logical sense therefore to restrict these connecting options. OK, so third-party firewalls do this anyway by restricting ports and the applications allowed to use them, but as a lot of malware uses standard ports, blocking them altogether is not an option.
There is though another way of attacking this problem.
You can prevent connections to a whole range of bad destinations and/or allow those to safe ones without disrupting your port and program settings at all. One way of achieving this is to use a program called PeerBlock, especially if you use P2P.*
PeerBlock acts like a database for good and bad website addresses. It comes with a choice of default options which will download and update the corresponding address lists for you. Alternatively, you can add your own lists from the many variants available online, including spyware, ads and web exploits. Some of these are 'block' lists and others 'allow' so there's plenty of scope for customization. In addition, changes to individual addresses can be made from entries in the program's log. With a couple of clicks you can choose to allow or block for 15 minutes, one hour, or permanently, so a very fine degree of tuning is possible. For example, after applying my own list choices I couldn't open the BBC News website. There was first one, and then a second address listed in my blocked log after I tried the page again. I merely set both to 'allow permanently' and the page opened fine. For individual report links on the main page which wouldn't open I chose to 'allow for 15 minutes'. Of course you won't always encounter issues like this, and mostly they are soon fixed anyway.
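The list-plus-override behaviour described above, sketched as an added example (this is not PeerBlock's code and not part of the original article). It assumes lists in the plain-text "label:first-last" range format; the function names, the sample ranges and the precedence order are assumptions of this example.

```python
import ipaddress
from bisect import bisect_right

# Constructed sample lists ("label:first-last"), using documentation address ranges.
BLOCK_LIST = """# constructed block list
Example ad network:198.51.100.0-198.51.100.255
Example exploit host:203.0.113.40-203.0.113.49
"""
ALLOW_LIST = "Example news CDN:198.51.100.16-198.51.100.31\n"

def to_int(ip):
    return int(ipaddress.IPv4Address(ip.strip()))

def load(text):
    """Parse a list into sorted, merged [first, last] ranges; skip comments and bad lines."""
    spans = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        _, _, span = line.rpartition(":")       # the label itself may contain ':'
        first, _, last = span.partition("-")
        try:
            spans.append((to_int(first), to_int(last)))
        except ValueError:                      # blank or malformed line
            continue
    merged = []
    for lo, hi in sorted(s for s in spans if s[0] <= s[1]):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent: extend
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return merged

def covers(ranges, n):
    i = bisect_right(ranges, [n, 2**32]) - 1    # last range starting at or before n
    return i >= 0 and n <= ranges[i][1]

class AddressFilter:  # assumed precedence: log override, then allow list, then block list
    def __init__(self, block_text, allow_text):
        self.block, self.allow = load(block_text), load(allow_text)
        self.overrides = {}                     # address -> (verdict, expiry or None)
    def override(self, ip, verdict, now, minutes=None):   # minutes=None: permanent
        self.overrides[to_int(ip)] = (verdict, None if minutes is None else now + minutes * 60)
    def check(self, ip, now):
        n = to_int(ip)
        verdict, expiry = self.overrides.get(n, (None, None))
        if verdict and (expiry is None or now < expiry):
            return verdict
        self.overrides.pop(n, None)             # drop a lapsed timed override
        return "allow" if covers(self.allow, n) or not covers(self.block, n) else "block"
```

A timed override lapses on its own, so an address allowed for 15 minutes falls back to the list verdict afterwards, while a permanent one stays until it is changed.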
Although the end result of running this application is simplicity itself, setting it up does require a little thought and research. Choosing the wrong list for instance might stop you connecting to a range of sources you like, need and trust. Yes, you can always adjust this manually as detailed above, but a little research beforehand can save a lot of trouble later on. You also need to take care where you obtain your lists from. Just as some P2P uploaders are regarded as 'safe' or 'trustworthy', the same applies to the authors of these lists.
Note this very useful reminder posted there about the dangers of online software piracy.
Today I ran into a rather interesting keygen for a Corel application. Apart from being infected with a password stealer, this keygen actually might work perfectly. Unfortunately I could not install Paintshop Photo Pro X3 as the installer kept complaining that it could not stop the WIA service it started a few seconds before. While you're peacefully cracking PaintShop Photo Pro X3, the keygen is collecting and sending out usernames and passwords from different applications and games (see list below). The program also disables the UAC on Vista.
The torrent was actually hosted on a well known site with plenty of folks seeding the next batch of greedy suckers.
Adding to the Mix to Strengthen Overall Protection
So, now we have a highly effective firewall working alongside a third party program restricting connections to bad sites. What can we now add to this mix to strengthen our overall protection?
Next up, some form of 'alternative' detection. And here you can't get much better, free or paid, than WinPatrol, which displays a mountain of system information about startup items, services and other stuff. More importantly, WinPatrol advises about system changes, some of which might be malware generated, and allows you to block them if necessary.
See my HIPS review article for more information and a screenshot.
Last but not least, a little program which isn't a security defense in itself but will help to safeguard your system valuables in the event that it becomes compromised. My Lockbox enables you to password protect almost any folder on your computer. The protected folder (lockbox) is hidden from all users and applications on your system, including 'Administrator' and 'System' itself. It is impossible to access the lockbox without the password not only from the local computer, but also from the net. The program even has a range of skin options.
Note: Be sure to read the install instructions in full before you start this process as it requires administrator privileges.
Alternative DNS Services
In response to visitor comments I'm also adding details here about options for using an alternative DNS service. This is also covered along with some other suggestions in my other article here.
The DNS, or Domain Name System, is what your computer queries to look up a site's address every time you request a page on the internet. By default, these requests will be routed through the servers used by your ISP, but there are some alternative free services which offer better security, more configuration choices and maybe faster processing speed depending on your location and proximity to the chosen DNS server.
OpenDNS is probably the best known, although recent developments mean that you only get full malware protection with their premium paid service. The content filtering and other options though still make this a worthy choice.
Comodo is also a well known name within the security industry and they too offer a free DNS service.
Symantec also provide a free service under their Norton brand.
There are others but those above offer a wide enough choice of options. The best policy is to check out the individual features for each one and then decide which best fits your own personal needs.
None of these services require the installation of additional software and the necessary changes to your system settings can be made easily and quickly by following the instructions given on the respective websites.
- Your system is now unshackled from the demands of a complicated third party firewall and will undoubtedly run more easily as a result.
- The variety of lists now available for PeerBlock gives you a real chance of avoiding bad destinations altogether.
- WinPatrol is a hugely popular and highly effective alternative to an all-out HIPS program. The author, Bill Pytlovany, frequents this site on a regular basis and is always ready to advise about and support his program.
- If your system is compromised but your important data folders are stored in My Lockbox then the contents remain secure and the situation will be much easier to recover from.
- Changing to an independent DNS service will usually offer improved security and more options than using the standard service from your internet provider.