matousec.com (site map)

Windows Personal Firewall Analysis

Results of our analyses

This page is outdated! Current information is available on the pages of the Firewall Challenge project.

In the first phase of our project, we analysed five firewall families: ZoneAlarm, Kerio, Norton, Outpost and BlackICE. In the second phase, we have already analysed Comodo firewall and Kaspersky Internet Security. A summary of our results follows.

Kaspersky Internet Security 6.0.2.614 is clearly the best product among those we have tested so far. KIS is a mature product based on quite a good multilayered security design, whose quality is close to that of the design of ZoneAlarm Pro. Compared to the tested version of ZoneAlarm Pro, KIS does not suffer from as many serious and critical bugs. The multilayered nature of its protection limits a potential attacker's ability to gain complete control of the system even if some security mechanism is bypassed. On the other hand, there still exist a number of ways to bypass the protection of this product completely. In spite of that, Kaspersky Internet Security is the only product we can currently recommend to end users. We have been informed that future versions of KIS will have better anti-leak protection.

Comodo Personal Firewall 2.3.6.81, now Comodo Firewall Pro, is a firewall with a very simple security design, which is far from perfect and lacks some important security features. But this simplicity is also one of the product's strongest qualities, because a potential attacker does not have many chances to bypass the implemented protection. Comodo firewall offers the best anti-leak protection among the more than 20 firewalls we have leak-tested. Comodo firewall is free in its full version, which can be a strong argument for many end users. Because of the design imperfections, it is relatively easy to bypass the protection that Comodo Personal Firewall 2.3.6.81 implements. However, the vendor of this firewall is working on a new series. We were told that it is going to be a much more secure solution. The first beta versions of Comodo Firewall 3 should be available in a few months.

In the overall rating, ZoneAlarm Pro 6.1.744.001 is comparable with Comodo Personal Firewall 2.3.6.81. The main property of ZoneAlarm Pro is its very good personal firewall design, the best design among all the firewalls we have tested so far. The design of ZAP is not perfect, but it is close to the ideal design of a personal firewall. The only reason why this product is not number one in our tests is an excessive number of bugs in the implementation of its security features. This makes the protection of ZAP very ineffective and easy to bypass regardless of the good design. Since we reviewed ZoneAlarm Pro 6.1, its vendor has noticeably improved the product, fixed many bugs we reported and released ZoneAlarm Pro 7, which would probably score much better in our tests than the older version.

Unfortunately, all other products we have tested are parodies of personal firewall software.

Here is a list of exact product versions we have tested (sorted chronologically) and links to our reviews:

ZoneAlarm Pro 6.1.744.001
Kerio Personal Firewall 4.3.246
Norton Personal Firewall 2006 version 9.1.0.33
BlackICE PC Protection 3.6.cpj
Outpost Firewall PRO 4.0 (964.582.059)
Comodo Personal Firewall 2.3.6.81
Kaspersky Internet Security 6.0.2.614

The following table summarizes the values of the tested features for the firewalls tested so far. A smaller overall rating means a better product.

| Feature / Product | ZoneAlarm Pro | Kerio | Norton | BlackICE | Outpost | Comodo | Kaspersky |
|---|---|---|---|---|---|---|---|
| Overall rating | 16837 | 41308 | 36814 | 37491 | 19517 | 15656 | 11896 |
| Leak-testing score | 8250 | 4825 | 4600 | 5750 | 6675 | 9350 | 7950 |
| Installation speed | 100% | 100% | 50% | 100% | 100% | 100% | 95% |
| Trouble-free installation | 100% | 100% | 80% | 100% | 100% | 100% | 100% |
| Installation easiness | 100% | 100% | 95% | 100% | 100% | 100% | 100% |
| Reboot requirement | YES | YES | YES | NO | YES | YES | YES |
| Automatic database initialization | YES | YES | YES | YES | YES | YES | YES |
| Memory | 24-29 MB | 17-20 MB | 43-49 MB | 17-26 MB | 26-33 MB | 26-30 MB | 14-17 MB |
| Disk | 24 MB | 13 MB | 76 MB | 10 MB | 27 MB | 17 MB | 27 MB |
| Performance | 78% | 73% | 78% | 83% | 58% | 70% | 73% |
| Ease of use | 95% | 95% | 90% | 90% | 90% | 90% | 95% |
| Known program database | YES | YES | YES | YES | YES | YES | YES |
| Unknown process start control | NO | YES | NO | YES | NO | NO | NO |
| Modified process start control | YES | YES | YES | YES | YES | YES | YES |
| Process start with modified dependent module control | YES | NO | NO | YES | YES | YES | YES |
| Control of automatically started programs | YES | NO | NO | NO | NO | NO | YES |
| Directories protection | NO | NO | YES | NO | YES | NO | YES |
| Files protection | YES | NO | YES | YES | YES | YES | YES |
| Registry keys protection | YES | NO | YES | NO | YES | YES | YES |
| Registry values protection | YES | NO | YES | NO | YES | YES | YES |
| System service protection | YES | NO | NO | NO | YES | YES | YES |
| System driver protection | YES | NO | NO | NO | NO | YES | YES |
| Protection of static objects of different type | YES | NO | NO | NO | YES | YES | YES |
| Parent process control | YES-NO | YES-YES | YES-NO | YES-NO | NO-NO | YES-NO | NO-NO |
| Open process control | YES | NO | NO | NO | NO | YES | YES |
| Open thread control | YES | NO | NO | NO | NO | YES | NO |
| Control of function calls that can corrupt process integrity | YES | NO | YES | NO | YES | YES | YES |
| DLL injection control | YES | YES | YES | YES | YES | YES | YES |
| Inbound connection control | YES | YES | YES | YES | YES | YES | YES |
| Outbound connection control | YES | YES | YES | YES | YES | YES | YES |
| TCP/UDP port management | YES | YES | YES | YES | YES | YES | YES |
| Other protocols control | YES | YES | YES | NO | YES | YES | YES |
| Other protocols management | YES | YES | YES | NO | YES | YES | YES |
| Token privilege elevation control | NO | NO | NO | NO | NO | NO | NO |
| Settings protection | YES | YES | YES | NO | YES | NO | YES |
| SSDT hooks | show | show | show | show | show | show | show |
| Usermode hooks | no hooks | show | no hooks | no hooks | show | show | show |
| SSDT GDI hooks | show | no hooks | no hooks | no hooks | no hooks | show | show |

First-phase reviews

Here is a list of available public product reviews: