Not based on any information from the software giant, my bet is that Microsoft will release to manufacturing (RTM) some time in August. Microsoft is going to want to prime the pumps as early as possible for the holiday season this year. The earlier it ships, the more time it gives OEM PC makers to put together an array of Windows 7 models that are well designed for the new operating system.

In fact, RC1 is so put together that a late July release is not totally outside of the realm of possibility. If the economy begins to pick up even a little this summer — as some economists predict — PC makers may see some pent-up demand for new computers begin to reveal itself. Microsoft has a much better chance to compete against Windows XP and Macs from the lower end of the model lines with Windows 7 than with Windows Vista. So if the economy shows any real signs of improving, expect Windows 7 to get hustled out the door. But I hope Redmond sticks to its guns and gets Windows 7 as right as possible. Even an early September RTM is not the end of the world, but I doubt it will go that late.

I have so far installed Win7 RC1 on only Vista-class hardware, but I will soon be installing it on older hardware to make the XP comparison. In case you missed my earlier assessment, Windows 7 is hands-down better than Vista. But what if you want to clean install a much newer version of Windows on fairly powerful XP-era hardware? I think that’s something more people may be considering than was typical in the past. So I’m going to assess that (as I have done with earlier releases of Win7). But that will have to wait for a later post. I’m working on it.

Zoom in on RC1

Usually when we get to the second major release of a new version of Windows, most of what I’d be writing about is features, features, features. But Windows 7 isn’t really about features. It’s about fixing what’s wrong with Vista and a general refinement of the operating system that appears to be XP-like in its attention to detail. Please be clear, Win7 isn’t really much like XP. That’s not what I’m saying. But Microsoft spent a lot of time getting XP right, and rather than adding lots of features, Microsoft has been focusing on getting Win7 right. This is what reviewers mean when they say that Windows 7 is what Windows Vista should have been.

For those of you who want to know in some detail what’s new in Windows 7 RC1, you’re in good hands with my friend and colleague Preston Gralla, who was among the first to release an indepth review of Win7 RC1. As you’ll see when you read that story, the what’s-new quotient is not that impressive — in my book, that’s not only okay but preferable. The last thing needed is any more bloatware. What Vista needs most is to go on a diet and follow a workout regimen aimed at getting smaller, lighter, faster. Windows 7 doesn’t go as far down that path as I’d prefer, but it’s very clearly a large step in the right direction.

There is one surprising new feature recently announced for Windows 7, the Windows XP Mode add-on that will be offered in the more expensive business- and geek-oriented versions of Windows 7: Professional, Ultimate, and Enterprise. This feature is a version of Virtual PC that comes with Windows XP that will be specially crafted to work as invisibly as possible in Windows 7. Its purpose is to allow business users to install apps that might not be compatible with Windows 7 in an XP virtual machine that appears to be running in Windows 7. Although it has not been released yet and is not part of Win7 RC1, Microsoft has created some web pages that give you a visual sense of Windows XP Mode.

I doubt that Windows XP Mode will be installed by default. It’s being developed, in part, by a different team at Microsoft and a version of it will probably be an optional add-on that might not even be part of the Win7 installation process. Of course, OEM PC makers might choose to pre-install it. But by developing it that way, Microsoft will not slow down the release of Windows 7. Microsoft will need some way to update it, as a result, and update it selectively based on version of the OS you purchased. Perhaps that method is Windows Update, and if so, I could be wrong about it not being an installation option. The key point: As a fairly late add-on to an otherwise minimalist version of Windows from a new-features perspective, Microsoft will likely not have lots of test data on this feature by launch date. So expect early updates.

The addition of XP Mode is a smart move, even so. It gives Microsoft a ready answer to the software compatibility issues that Vista faced. I’d like to see the same type of creativity applied to hardware support.

Hands-on RC1

The Win7 RC1 experience has been, well, uneventful for me. I clean installed the product on my 64-bit Sony Vaio notebook, and there’s really very little to note. With one exception, everything I’ve tried — including networking — is working at least a little bit better than Beta 1 did. The installation process is still the best one Microsoft has ever devised. It’s not really fast, IMO, but it has been designed to minimize user input and run automatically all the way through once that input has been entered. I’d have to rank the Windows 7 installation process as easier and better than that of Apple’s OS X 10.5 operating system, which requires far too much user input.

The one sticking point I’ve had is with the hardware pack. For whatever reason, Windows 7 doesn’t properly recognize and install drivers that support power management functions specific to my Sony Vaio’s chipset. The computer runs fine without this driver. And in Beta 1, I was eventually able to get Windows 7 to find and install the right driver from Windows Update (though this took several days). After more than a week, Windows 7′s Troubleshoot control panel was finally able to detect the problem and identify the name of the Sony support driver that I needed to download and install. Unfortunately, Sony’s support drivers block installation on anything but the OS they were originally designed to work with — in this case, 64-bit Windows Vista Home Premium. I tried using Windows 7′s OS-version spoofing tools (right-click the file to be run or installed and choose Troubleshoot Compatibility) but Sony’s installer wasn’t fooled. In fact, the entire proprietary system hardware pack that Sony offers with this Vista-based Vaio will not install under Windows 7. I was willing to risk a toasted Windows 7 installation. Sony was not willing to let me. This isn’t Microsoft’s fault. But why doesn’t the driver pack have this basic stuff in it? Sony is a top-tier PC maker.

This is the kind of stuff that Microsoft needs to get right in Windows 7. Beta 1 was able to solve the same problem without my having to download anything from Sony; RC1 was not. Preston Gralla experienced a similar backslip of hardware support on a video driver. On the flip side, Windows 7 is pre-release software, so I can’t be too hard on Microsoft for a relatively minor hiccup. The reason I’m making a point of it is that the theme of hardware becoming less well supported in the late phases of the development cycles has occurred in every version of Windows since Windows 98 Second Edition. Hardware support gets worse, not better. That was certainly true of Windows Vista.

But with that, you have my sole criticism of Windows 7 RC1. And I suspect that Sony will eventually resolve the issue in my case by releasing Windows 7 versions of its drivers and software utilities.

My assessment of Windows 7′s ability to get Microsoft back in the game remains the same as it was when I assessed Beta 1: On 64-bit Vista hardware with 3GB or 4GB of RAM, thumbs up! When I compare XP on fast XP hardware and Windows 7 on 64-bit Vista hardware with more than 2GB of RAM, I would take Windows 7 over XP. What remains to be seen is whether I would buy a copy of Windows 7 for decently equipped XP hardware. I made the decision to skip Vista as a general upgrade to all systems on that hardware. I was not in favor of Windows 7 Beta 1 on my circa-2006 Dell Inspiron with an Intel Core Duo processor, 2GB of RAM, and a video subsystem that has no problem displaying Aero. Beta 1 did not seem noticeably faster than Vista to me, and XP is the clearly the better option. But will RC1 change that outcome?

More on that to come when I’ve had a chance to do the requisite research.

Question:

I haven’t used Firefox in a while because of a problem I’ve been having. It won’t let me gather any apps. This is the error message:

Could not initialize the application’s security component. The most likely cause is problems with files in your application’s profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix the problem. If you continue to use this session, you might see incorrect application behaviour when accessing security features.

Is there any help you can offer me? Thanks.

Answer:

I’m not clear on what you mean when you say “it won’t let me gather apps,” but more than likely you have a corrupt Firefox user profile. To solve the problem, you’ll need to delete every file in your Mozilla installation and do a clean install of the latest version of the browser. Some of these files hide in places you might not think to look, so it’s important to follow directions on how to fully remove profile.

If you’re concerned about losing your bookmarks, etc., I recommend installing Foxmarks (if Firefox will let you install it). Foxmarks synchronizes bookmarks and Web-related logins and passwords among different browsers on one machine as well as on browsers installed on multiple machines. The product and its server-based service, is currently free. And it supports Firefox, Safari, and Internet Explorer. By using Firefox to back up your bookmarks and other user info, you should be able to reinstate that information on your cleanly installed Firefox installation.

Here’s a summary of steps you should take to solve your Firefox problem. This solution will work with Windows, Macintosh, and Linux installations of Firefox:

1. Install Foxmarks and synchronize your user data with the Foxmarks server. You might also want to explore synchronizing your bookmarks with other browsers on your machine or other machines you use. Foxmarks is about to undergo a major upgrade. The product and service is in the process of being renamed Xmarks, with new features and functionality.

2. Download the latest version of Firefox (3.0.7 at this writing) and then uninstall Firefox from your computer.

3. Follow these MozillaZine instructions for removing your Firefox user profile and fully uninstalling the browser.

4. Windows users should restart their machines.

5. Install the new version of Firefox.

6. Install Foxmarks in the new Firefox installation, and use it to resynchronize your bookmarks, ensuring that you use the server-based bookmarks to overwrite your local Firefox bookmarks.

This should solve your problem, and may also make Firefox run faster and/or begin performing other functions that may have also stopped working.

To avoid experiencing a corrupt user profile again, I recommend that you cleanly install every major version of Firefox. In other words, when Firefox 4.0 is released, follow these steps again. You can allow upgrade installations of incremental releases, such as the forthcoming Firefox 3.5 — unless, of course, Mozilla recommends otherwise.

What browser is Scot using?

For those of you keeping score, I reviewed Firefox 3.0 from a Macintosh perspective in this Computerworld story: Firefox 3 for Mac: Is it time to switch from Safari? Among other things, the article didn’t reach a hard conclusion about whether I’d be switching from Safari to Firefox on the Mac. (On Windows, I remain a confirmed Firefox user.) I also talked about why bookmark synchronization was important, and I didn’t select Foxmarks at that time, since it didn’t support Safari at that time.

So let me update those two points:

Safari vs. Firefox: These words from the earlier Computerworld story are the salient ones; they sum up the reason why I have remained a Safari user on the Mac:

There is one downside to Firefox 3, however. The first time you launch it after starting up OS X, Firefox 3 takes 5.5 seconds to open a blank page. By contrast, Safari 3.1.1 takes about half a second for the same task. It’s a noticeable difference.

Bookmark synchronization: Foxmarks offers some of the features of Apple’s MobileMe, and it works with IE, Firefox, and Safari on Windows, Mac, and Linux. MobileMe is a Mac-specific synchronization tool that works very well. It’s also able to synchronize a long list of data on Macs, such as the calendar and address book. I’m a MobileMe subscriber, and I will continue to be. But Foxmarks lets me extend bookmark synchronization to all my Windows machines. For that reason, it is installed on at least half a dozen of my computers. I recommend it highly to anyone who works with multiple computers. It may also be a valuable took to those who regularly use multiple browsers on the same computer.

One feature that might make Foxmarks more useful to some users would be the ability to specify specific parts of your bookmarks to synchronize. It is designed to synchronize all bookmarks. Whoops, I stand corrected. The Profiles feature, which works in conjunction with MyFoxmarks — the server-based version of your bookmarks — does allow you to assign specific bookmarks or bookmark folders to different profile names so as to exclude synchronization of personal bookmarks to your work computer for example, or vice versa. The MyFoxmarks instance of your bookmarks will have the superset of all your bookmarks from all profiles. Thanks to reader Evano for pointing this out.

In an earlier first impression post about Windows 7 Beta 1, I called Microsoft’s new HomeGroup feature brain dead. Well, after further review, I’m standing by that assessment. HomeGroup isn’t working here. The feature feels only partly implemented to me. And, normally I’d forgive Microsoft that foible, given this is Beta 1, except that Microsoft’s top dog for Windows 7 Engineering, Steven Sinofsky, just confirmed that Windows 7 will move straight to a release candidate build, skipping any other betas.

So, why do I say that when so many other reviewers are raving about HomeGroup? Well, here’s my experience.

I started by creating a HomeGroup on my Windows 7 test machine. Then I thoroughly tested networking with several other computers on my network, including a Vista machine, an XP machine, and two Macs. I had no trouble with either Vista or XP, networking the way any Windows user would on a peer network. In that mode, Windows 7 networks exactly like Vista does. All computers, even the Macs, are using the same workgroup name. My Vista and XP machines can file-share back and forth with the Macs quite easily. The Windows 7 machine could not. The Macs can connect to Windows 7 without trouble. Windows 7 sees the Macs but issues a path error when I try to force it to connect to them. I had run into this same Mac problem with my earlier test of Win 7 Beta 1 and the November release of Win 7. Networking is often dicey with beta versions of Windows, so this Mac issue wasn’t a huge surprise.

The only way to test the HomeGroup feature is with two Windows machines running Win 7. Unfortunately, I don’t have another PC available and suitable to be a Windows 7 test machine. So I downloaded Sun’s freely distributed VirtualBox software for the Mac. The hardest part about setting up VirtualBox was locating its Guest Additions (add-on drivers specific to your guest OS). It wasn’t where Sun’s documentation said it was. But there were several variations on the installation directions, and one of them worked. In all other regards, VirtualBox is an impressive product. Anyone who has used either VMware or the Parallels virtualization tools will recognize similarities.

VirtualBox has a pre-configured Windows 7 guest-OS mode, and that made set up easy. It took me only a little over an hour to rig up both VirtualBox and Windows 7 on one of my MacBook Pros.

With the two Windows 7 installations running, I expected to have no problems with HomeGroup. Even though there’s clearly some sort of issue with Windows 7 and Mac networking, the fact that the Macs could connect with Windows 7 left me feeling confident. It’s actually not uncommon for the Mac to have an issue networking with a Windows box while the virtual machine of Windows running on the same Mac has no problems connecting. But if you’re inclined to discount my experience with HomeGroup, this would be the best thing to hang your hat on.

So, with Windows 7 running on the Mac, I proceeded to try HomeGroup. You’re supposed to create your HomeGroup on one machine and then from all other Windows 7 machines, use the Join HomeGroup function. But no matter how hard I tried, the two Windows 7 installations were unable to connect to one another. The Join HomeGroup dialog wouldn’t appear. I tried it in both directions. I also tried creating HomeGroups on both machines and making them use the same password. No go.

Note: It’s possible to change the HomeGroup password after the fact from the Network and Sharing Center or Control Panel. It’s not possible to change the Windows 7-assigned HomeGroup password while you’re initiating HomeGroup.

I probably would have put off posting my less-than-stellar experience with HomeGroup except that I decided to go looking for other people’s experiences, and it was not difficult to find other people having the exact same problems with HomeGroup that I was.

I’m sure that Microsoft will straighten out HomeGroup in most people’s Win 7 installations by the time the operating system ships. I’m sure I will get it to work, too. Although I still sort of doubt that this Windows Networking Wizard on minor steroids will truly obviate the need to fully understand the ins and outs of Windows networking.

One final note: For those of you who read my previous post on Windows 7 and disagreed with me about performance, my MacBook Pro-hosted virtual machine Windows 7 installation seems no faster or slower to me than the other one. Windows 7 feels like Vista to me.

Maybe it just feels faster because you’re not constantly being bombarded with those annoying UAC prompts?

For those of you who downloaded the new Windows 7 beta, try launching two Windows at once or loading two Internet Explorer windows. Try deleting one large folder of files, and then while that’s taking forever to delete, try deleting another. Or really anything that involves walking and chewing bubble gum. Like Windows Vista before it, Windows 7 Beta 1 is sluggish, glitchy, and inconsistent. It may be fast for a while, here and there, but as soon as you really press it, performance folds up like a house of cards.

It took me 30 minutes to figure out how to avoid using the brain-dead “HomeGroup” feature to share files and folders on a wireless network. Windows 7 kept telling me that it was sharing the files on the “domain” that was the workstation name of my Windows 7 computer, not the workgroup name on my network (you know, like, “Workgroup”). In fact, there’s no place that I can find within the Network and Sharing Center to create or change the workgroup name. In other words, Microsoft removed this ability in Windows 7, since Vista’s Network and Sharing Center had it. Eventually, I just rebooted Windows 7 and it started recognizing the workgroup name of the other computers connected to it (I wanted to see whether the incorrect workgroup name was a bug or a feature — it was a bug). Yes, you can still change the workgroup name several levels deep under the System Control Panel, but that’s not even slightly intuitive for the uninitiated.

I suppose I should score something in Windows 7′s favor because I was at least able to network with Beta 1, something I gave up on with the Alpha version. Microsoft still doesn’t get networking. In trying to make it more and more a wizard process, it has needlessly complicated it for people who already know what they’re doing. It comes down to this, if the only way we’re being given tools to network requires us to use the HomeGroup, the new name for the Windows Networking Wizard, something is awry. HomeGroup assigns you a cryptic password which you must “write down” to remember, and every computer on your network has to use it. You can’t change this password. And, as with the Alpha version, I don’t see a way to network using HomeGroup with a Linux or Mac machine. (For additional information on the operation of Homegroup, please see the more recent post, Windows 7 Homegroup not so hot in Beta 1.)

The new taskbar, missing from the Alpha code, wasn’t worth the wait. It’s not special. The windows-management features first shown in the Alpha are pretty cool. But the new taskbar is a pale imitation of the Mac’s Dock feature. I suppose that if you’ve never used the Mac’s Dock, you’ll find this innovative. But if you have, you’ll recognize the fact that Microsoft hasn’t improved on it in any meaningful way.

For pictures of the new Windows 7 Beta 1 features, including the new taskbar, see the image gallery for Preston’s Gralla’s Computerworld review of Windows 7 Beta 1.

Other new features include Jump Lists (prettier context menus with new functions) and Aero Peek (yet another way to look behind opened windows). But let me expose this for what it is: Fluffy UI stuff to help make you feel good about a warmed over version of Windows Vista with a new name. Taken as a whole, the changes so far shown in Windows 7 are minor.

In Beta 1, I continue to be happy with total gag order Microsoft gave User Account Control (UAC) by default. It makes using Windows 7 far less annoying. But taking away a bad idea also isn’t that big a deal. You could turn off UAC in Vista too.

Yes, Windows 7 Beta 1 is better than Vista, but if Microsoft doesn’t do serious work on the next version of Windows’ ability to run tasks simultaneously, on software quality, on adding that feeling of effortlessness that the Alpha displayed, I won’t be likely to recommend it. Microsoft needs to do well with this version of Windows. It needs to change the perception of what it’s like to use Windows. Beta 1 is not confidence inspiring in that direction. And for those of you wondering, I clean installed these new Windows 7 bits on the same machine I used for my Alpha review. While no barn burner, it’s a respectable 2.0 GHz Core Duo with a decent graphics subsystem. I purchased it in 2006 to evaluate Windows Vista’s Media Center functionality.

Beta 1 is a prerelease version of Windows 7, so I’m not drawing conclusions this early. But having reviewed every beta and gold release of Windows since Windows 3.0, I’m seeing the beginning of a pattern I’ve seen before: Windows gets slower and less responsive as it gets closer to being released.

At some point you have to just say no to more features and services that build unsustainable overhead. When you use other operating systems — such as Linux and OS X — it becomes clear that Microsoft and its OEM PC manufacturers really don’t care about the fact that Windows is perennially overtaxed.

There are many reasons why I’ve selected Online Armor (OA) as the best software firewall for Windows users; the rest of this story delivers the details. But boiled down to a single thought, the most important reason is this: Online Armor offers the best blend of a high degree of protection with a high level of usability.

That may sound simplistic, but in this software category such a balance is the toughest thing for a software development company to achieve. It’s very easy to throw up a blizzard of pop-up user-prompts. You can make your system so secure that you’ll never want to use it again. It’s also easy to dumb down the security so much that you’ll rarely, if ever, see a pop up — and in the process, render the firewall ineffective. The trick is to offer solid protection with minimal user interruptions. OA 2.1 is the only firewall software I’ve tested that delivers a near-perfect balance.

Online Armor firewall comes in two editions: free and paid. Version number 2.1.0.112 was the latest one tested for both editions. [Editor's Note: As of 4/19/2008, Online Armor's latest version is 2.1.0.131.] Tall Emu updates the product frequently; to check on the latest versions of OA and read the release notes, see this Tall Emu support-forum post. In addition to the two different editions of Online Armor, Tall Emu also packages it with an antivirus module. For information about the differences among Online Armor Free, Online Armor (paid), and Online Armor AV+, see Tall Emu’s Online Armor Comparison page.

This review is specific to the paid version of Online Armor, which costs about $40. I’ve extensively tested both the free and the paid versions, and both work well. But it’s the paid version that I prefer and recommend (for reasons I’ll detail further along). Online Armor AV+ has not been tested for this evaluation. It contains the Kaspersky antivirus engine, which, while a good product, is not as good as Eset’s NOD32 2.7. Because I named NOD32 2.7 the Best Antivirus Product of 2007, I have tested Online Armor extensively with NOD32 running. I’ve experienced zero incompatibility issues between OA and NOD32 2.7. (Note: I’m still using and recommending NOD32 version 2.7, not the newer 3.0 version. Version 2.7 is still available from Eset.)

The second place Comodo Firewall Pro 3.0 software from the Comodo Group is also a very good product. The latest version tested for this review was 3.0.020.320. If your overriding concern is security, security, security, and you don’t mind a less-than-ideal user experience, Comodo is worthy of consideration. Its superb security ratings and great configurability make it well suited to more experienced users who prefer a belt-and-suspenders approach. This is not, though, the firewall to install on your mother’s PC. Comodo also comes in both 32-bit and 64-bit Vista versions. Comodo Firewall Pro is free. The Comodo Group is working on several features and functionalities that it believes will markedly improve Comodo usability, so this is also a product to keep an eye on.

Security Testing and Gating Criteria

This evaluation kicked off in September 2006 as a series review (long-term testing with progress reports). I have written many firewall articles during this period about my gating criteria, interim findings, products I tested, and reasons why specific products were eliminated from the running. To review that information, please visit SNB’s Firewall category archive page. By scrolling, you’ll find every installment I’ve written for the Best Firewall series over the past 19 months. Among other things, you’ll discover the reasons why I eliminated Outpost, ZoneAlarm, Sunbelt Personal Firewall (a.k.a. Kerio), and Kaspersky’s firewall (part of a suite). Each of these firewalls was a strong contender, but each had a fatal flaw that eliminated it from contention. The companies that make them could rectify those issues, but have not done so to date.

When it was first established, this evaluation used the results of FirewallLeakTester.com’s tests as a method of screening out lesser-performing firewalls. Later in the process, I switched to Matousec’s more in-depth and more regularly updated results. Matousec has recently updated its test results; Comodo gets the highest score, with Online Armor placing second. Corroborating my test results of past year, Matousec scores Eset Smart Security’s leak-protection level as “none.”

I have also performed a set of my own security tests on Online Armor 2.1, Comodo 3, and some of the other firewalls I considered along the way. The latest versions of Online Armor 2.1 and Comodo 3 offer superb protection when used properly. (Most importantly: In both products, the HIPS module must be enabled.) Both firewalls have received significant security improvements over the past six months, too. Earlier versions were not as secure.

Most of my research, however, has focused on usability, company support, stability, compatibility, and bug resolution. These are the areas that make the difference between a security product that you rely on and one you use until you find something better. Too many people are in limbo with products like this, just tolerating them at best. The goal of this research has from the start been selecting security products that you can live with, perhaps even love.

Why Programs Were or Weren’t Tested

The impetus for this review came after more than a decade of using and reviewing multifaceted, everything-but-the-kitchen-sink security suites such as Norton Internet Security. When I kicked that habit, I looked around for something better and realized that most mainstream computer publications were for the most part reviewing only the big-name, large-footprint products. It was clear to me that there was a better way that involved selecting a small set of best-of-breed security products that work well together. So my first determination was that fat security-suite products need not apply. Many of the other gating criteria spring from that decision.

This evaluation assumes that the software firewall is running behind a hardware router or broadband “modem” that offers network address translation (NAT) and stateful packet inspection (SPI), or in other words, a hardware firewall. For home use, consumer-class wired or wireless hardware firewall routers are available from D-Link, Linksys, and Netgear that are for security purposes comparable. Even if you do not have a network, I recommend that you purchase this low-cost hardware. If you have a wireless network, you should also be running password-enabled WPA encryption with a password that isn’t easy to guess.

Finally, over the long term of this evaluation, many new firewall products emerged. It was not possible to test all of them, and in some cases I relied on the input of Scot’s Newsletter readers to help me vet products. The review was also closed to new entrants late last year while I focused on the two finalists: Online Armor 2.1 and Comodo 3.0.

With those points in mind, these are the gating criteria used to determine the Best Firewall Software of 2008:

• Very low system overhead with a strong preference for stand-alone software — no full-blown security suites
• Full compatibility with effective third-party stand-alone security products from other software categories
• Excellent inbound and outbound security protection with an emphasis on solid leak protection, as prescreened by Matousec.com
• A simple, informative, configurable, and highly usable user interface
• Software that is reliable and as bug-free as possible
• Backed by a software development company that is stable, communicative, responsive to customer issues, and actively developing the product. As with any security product, the company behind it should have something to lose — its reputation — if it doesn’t properly stand behind and update the product. It also needs a strong, responsive development team whose development process emphasizes bug fixing and customer experience, not hurrying the product out the door to meet arbitrary deadlines.
• Quiet operation; alerts you when there are real problems. Excessive or repetitive warnings or pop-ups aren’t acceptable.
• Protects but doesn’t cause intermittent problems with Windows local-area network functionality
• A feature that lets users rapidly shut down all inbound and outbound activity
• Vista support, while not mandatory, is preferred. (Note: Online Armor does not yet have a Vista version, but it’s under development.)

Comodo 3: The Next-Best Thing

Comodo Firewall, from the Comodo Group, is a full-fledged software firewall that is free to download and use. Comodo has strong pluses and minuses. The 3.0 upgrade was highly ambitious and was not adequately beta tested. The result was a long series of incremental updates following the release of Comodo 3 — at least six updates over the past six months or so. For details about the releases, including what’s in them, check out Comodo’s Release Notes page. The good news is that Comodo is being actively updated.

The Comodo 3 software has a lot to offer. It comes with a server-based whitelist for its HIPS (host-intrusion-prevention system) module, called Defense+, whose purpose is to cut back on pop-ups. The product also offers an operational mode called Clean PC that, at your option, scans all your current applications and then registers them as safe. That means fewer pop-ups for you, especially in the early going. I also prefer the functionality of Comodo’s “install mode” to those of most other firewalls. It is capable of disabling several types of pop-ups for about 15 minutes in an attempt to let you complete a new program installation in peace. When the 15 minutes expire, it prompts you to turn off the install mode to reinstate full protection. The only problem with Comodo’s install mode is that figuring out how turn it on may not be immediately obvious to the average Comodo user.

At its core, Comodo 3 is a highly protective software firewall that takes itself seriously. Its primary design criterion appears to be that great security requires the program to ask the user to approve or deny any and all actions that might possibly be caused by something malicious. I can’t disagree with that thinking in principle — assuming the people running computers know enough to make the right decisions. Because many of them don’t, Comodo is trying very hard to minimize pop-ups with its whitelist, install mode, and initial hard drive scan. The company also has other features in the works (not evident in this build of its software) that aim to improve usability by reducing pop-ups and improving the software’s ability to detect threats.

Even so, Comodo 3′s Defense+ experience is not ideal. In the kind of usage scenario where several programs are downloaded each week, Comodo users are likely to experience a lot of pop-ups. If you don’t install new applications very often, my personal experience has been that Comodo settles in and the operation of the HIPS becomes less intrusive. It is, though, noticeably noisier than Online Armor’s HIPS protection. It also doesn’t appear to remember user inputs quite as well as the OA HIPS does.

The Main Difference

The primary reason why Comodo Firewall didn’t take top honors in this review is that it errs on the side of protection at the expense of usability. Comodo’s protection takes it a bit beyond the bounds of acceptable usability — a subjective determination on my part. In a nutshell, it has too many pop-ups in this release. And even though it is able to “learn” to have fewer pop-ups and can also be controlled by settings, both the initial and the long-term user experiences are diminished by this behavior.

For example, I was recently confronted with over a dozen pop-ups when I left Comodo running in memory while choosing to uninstall it from the Add or Remove Programs control panel. At least one user prompt is requisite in this scenario because otherwise, a malware routine could be written to uninstall or disable the firewall. You must approve anything that disables your firewall, even when you initiate that action yourself. From a security perspective, there’s a sound argument to be made for more than one pop-up, since most software products are made up of multiple modules that might be selectively turned off to create specific vulnerabilities. But a dozen pop-ups is well beyond the tolerable level in my book.

In another instance, when I directed Windows to install a single Windows Update patch, I was immediately faced with a pop-up — an acceptable experience. I did everything I could in that first prompt window to make Comodo trust the process that was running. But the software firewall nevertheless prompted me with 11 additional pop-ups before that one patch was installed. Windows Update (update.exe) should be a trusted app. I realize that the executable might be spoofed, but if a user validates it, Comodo should learn to be quiet after that trust is confirmed — without having to figure out Install Mode.

It may sound counterintuitive that I’m preferring a balance of usability and security over pedal-to-the-metal security. There’s an important reason for that: When pop-ups are too repetitive or too frequent, it’s only human nature for a large segment of the user base to start ignoring them. That behavior leads to a severe loss of security.

Software Quality

The build of Comodo I tested to wrap up this review, 3.0.20.320, has benefitted from the the long series of bug-fix updates since 3.0 was introduced. According to the company, most of the initial incremental updates were aimed at solving unexpected problems when running Comodo 3 on Vista, support for which was added for the first time in Comodo 3. But many Scot’s Newsletter Blog readers who use Windows XP also emailed me descriptions of problems with the first three incremental updates to Comodo 3.

Meanwhile, even though Comodo 2.4 was something of a cult favorite, it’s absolutely true that a wide range of people experienced significant trouble with that firewall too. So for a period of time, Comodo users were stuck between a rock and a hard place. Many of them tried version 3 and returned to version 2.4. Others wrote me that they left for other firewalls. But the period of disturbance settled down, and I’m no longer receiving email after email with tales of woe.

What that tells me is that Comodo 3 is a good firewall product, potentially a great one, that quite possibly was shipped to end users without adequate QA testing. As is always the case with free, publicly available software, some early adopters were ill-equipped to handle the problems they encountered. Most of those issues appear to have been fixed now. Comodo 3 was also an ambitious release, and bugs happen. But this kind of management of a development process does not inspire confidence — especially when it’s the type of product that can wreak havoc on your computer.

If the Comodo team can focus on software quality, and if it can add additional functionality that pares back on pop-ups, future updates of Comodo 3 could improve the overall usability of the firewall markedly. Solid protection plus good usability is a winning combination. For now, Comodo 3 misses on the usability front — the main reason it has come in second in this review. But because Vista compatibility is a Comodo 3 strength, for the time being at least, it’s the firewall I recommend to Vista users.

The Top Dog: Online Armor 2.1

Online Armor was the late entrant in this evaluation. A bevy of readers suggested it last fall after Matousec gave it a 100% security rating in an earlier version of its test suite. (Comodo received the same top score.) Since I began testing it and calling for input on it, the most common sentiment I’ve heard from people who try it is: “I like it.” Even people who’ve had issues with it have said that. And that’s been my reaction too.

Online Armor’s user experience is on par with ZoneAlarm Free and Sunbelt Personal Firewall — the two firewalls I’ve pointed to in the past as having the best user interfaces in this field. It’s also a relatively young product that is being intensively developed by its makers. OA’s basic UI is very solid, very easy to figure out without help. But the simple interface sometimes lures you away from finding some of the power that lies beneath. OA relies a little too heavily on context menus for access to power features. As you use this product, try right-clicking things. Somewhere down the road Tall Emu should add a column to many of its config screens with a link reading something like “options” or “configure” that opens the context menu. That would be more discoverable. Still, this is a minor issue. All in all, I’m very happy with OA 2.1′s usability.

Several new features debuted in the significant Online Armor 2.1.0.85 update released February 19, 2008, including a resizable main program window, improved on-demand system scan, install mode, and multiple network detection and management.

Version 2.1.0.85 also added a useful convenience feature to the Run Safer capability of OA’s Program Guard. Run Safer let’s you force Internet-connected programs — such as your Web browser, email, and IM package — to run with reduced Windows user-account rights, giving you added protection from malware. The new feature is a context-menu item that lets you temporarily run a Run-Safer-restricted program in a normal (or admin-level) mode.

The OA facility called Autoruns (Startup Items), which gives you a user interface for managing and controlling applications and services that launch automatically on Windows boot, has also been extended to watch additional aspects of the operating system.

The firewall’s Computers tab offers a network-access monitor that shows all the computers connected to your machine via your network. Available details include IP address, MAC address, computer name, and gateway IP address. You can right-click any of the other computers you see and direct the firewall not to trust it.

Probably the most improved aspect of Online Armor beginning with its 2.1.0.85 version is the online-accessible database of program information, which Tall Emu calls OASIS (Online Armor Software Information Service). The company has committed additional resources to keeping this database updated. As it has grown and become more fleshed out over the past several weeks, OASIS has become more useful. The main benefit of the online app database is evident on OA pop-up windows that display the “More…” link. By clicking this link, you’ll get useful information that identifies the program or process that initiated the pop-up — which can be a big help in deciding whether to block or allow the action. You can also get this information by working the context menus in the Programs area, which displays all the programs on your system. And Tall Emu expects to surface this data in other ways too.

The single most important point of failure with most firewalls is user error — usually involving the wrong decision on a pop-up dialog. It’s absolutely essential for firewalls to help educate users about programs running on their PCs. The time has long since past when firewall makers could reasonably expect users to already possess the knowledge to make these decisions. So it was an excellent decision by Tall Emu to make this change.

Tall Emu offers this list of product features on its website that will help you get up to speed on the program. This list doesn’t cover some of the recent improvements.

Inspiring Trust

One of Online Armor’s very best attributes isn’t a feature or functionality; it’s the people behind the product. Tall Emu’s CEO, Mike Nash, is the most visible person behind OA. He posts frequently in the OA support forums. What’s especially impressive about the talk and actions emanating from Australia-based Tall Emu is a strong corporate culture that values communication, honesty, a willingness to talk openly about problems, a responsive attitude, open-mindedness, and respect. I’m not sure how to say this, but I trust Tall Emu to do the right thing. I can’t remember the last time I felt that way about a software company in the post-Microsoft-antitrust era.

Getting back to the tangible, for the last month or two I’ve been directly aware — from emails written to me by SNB readers, OA forum posts, and emails from Mike Nash — of two or three serious issues with the most recent major Online Armor release (initially 2.1.0.85). Most bugs happen to only a small percentage of the overall users of a software product. I didn’t experience any of these more notable issues — in fact, probably most people didn’t. The point I’m trying to get at is this: I’ve been impressed with the transparency and alacrity with which Tall Emu attacks and resolves such problems. This nastier class of bugs, the worst of which is an occasional but recurring crash of Windows Explorer, have all been identified and fixed. (The fix for the Windows Explorer bug is being tested and should be released shortly.)

No product is perfect, and that’s probably more true of software firewalls than many other types of software. Online Armor has bugs just like all of its competitors. It’s what happens when problems are identified that distinguishes development teams. What I’ve seen from Tall Emu is that they do it the right way.

Parting Thoughts

What about the free version of Online Armor? It’s very good. The most important aspects of firewall and HIPS protection are in there. But the paid version offers several additional security layers that are easily worth the $39.95 price of admission.

There’s also a somewhat controversial limitation of the free version: It doesn’t automatically update with new versions of Online Armor. In other words, to install a new version of Online Armor Free you must uninstall the old version and then install the new version. No big deal you say? Not quite. That also means you should go through the initial setup wizard and then, to get through all the pain, launch and trust your most-often-used applications.

Online Armor (paid) can automatically download and install version updates. So, yes, this is something Tall Emu has done purposely to incent you to pay for the full version.

This decade has seen a dramatic rise of free software, but people don’t dedicate themselves full-time to a project like Online Armor without having to eat and do other expensive things. I urge all those of you who can afford the $40 to pay it — in fact, I urge you pay for all the “free” programs you use regularly.

Finally, for Vista users, a new version of Online Armor developed for Vista is very close to being released in an initial public beta test. It could take a couple of months, or longer, for Tall Emu to work through the bugs and deliver a final Vista version. As I wrote earlier in this story, use Comodo until then. When Online Armor for Vista ships, I will give it a look and post something about it.

Online Armor 2.1 .0.112 (the paid version) is the best firewall I’ve ever tested, offering a blend of usability and hard-wired security that’s near-ideal for maximizing protection and ensuring a good user experience. A great firewall doesn’t have to be, and shouldn’t be, a chore to use. Online Armor isn’t.

A year and a half after launching this quest, naming OA the Best Firewall Software of 2008 came naturally. The very best products have a way of standing out.

Now that Vista SP1 is on its way to you, and some people may have been offered it via Windows Update, here are my recommendations:

1. You don’t need this thing right away. If you’ve kept up with Vista security patches, then you’re fine. There’s no need to rush into it.

2. On the other hand, the biggest pain you’re likely to encounter with SP1 is driver issues during or after installation. The driver problem is so acute, though, that Microsoft has taken the unusual step of preventing machines whose hardware profiles include components for which Vista SP1 doesn’t have an adequate driver from offering SP1 via Windows Update or via Automatic Updates. For more detail on this, and a specific example of the kind of driver problem you might encounter, check this Preston Gralla blog entry: My Nightmare Trying to Upgrade to Vista SP1.

Unless you’re strongly SP1-curious, and actually enjoy futzing with drivers (with the knowledge that you might have to back out of the install because the drivers you need just don’t exist), why put yourself through it? You might want to wait until your PC’s maker delivers full support for Vista SP1. Of course, there’s no guarantee your PC maker will do that. I have mainstream PCs from Lenovo and Dell that still don’t have full Vista support, never mind Vista SP1 support.

Still planning to do it? Check this Microsoft knowledgebase article first: Why Service Pack 1 is not offered for installation from Windows Update.

This is my last attempt: Unless you have to install Vista SP1, I’d at least wait for the dust to settle. Vista SP1 has only one true reason for being — to help Microsoft sell Vista to enterprise customers, among whom the conventional wisdom has been “wait for the first service pack.” What’s actually new and not available separately is, to my perception, more marketing hype than reality. There’s nothing wrong with SP1, but there’s absolutely nothing compelling about it either.

Scot’s Newsletter readers who use Windows should be aware that their best source of timely, detailed, experienced insight and hands-on advice about Windows can be found at Computerworld. Gregg Keizer and Eric Lai are the industry’s foremost Microsoft reporters, and our new Windows Editor, Preston Gralla, offers a first-rate blog called “Seeing Through Windows.” For the details you need to know about Vista SP1, start here:

• Angry Vista Users Vent over SP1 Driver Issues – Gregg Keizer, Computerworld
• My Nightmare Trying to Upgrade to Vista SP1 – Preston Gralla, Computerworld
• What to Expect from Vista SP1 – Preston Gralla, Computerworld
• Hands-On Vista SP1: Better but Slower? – Preston Gralla, Computerworld
• FAQ: How to Get Vista SP1 – Gregg Keizer, Computerworld
• Windows Vista SP1 Released to Windows Update – Microsoft’s Vista Blog

Here’s the list of new features in OA 2.1.0.85 as published in the Online Armor forums:

General
- Resizeable GUI
- Remove Spamshield
- Multiple Desktop Support
- Fixed bug with uninstall protection
- Added hotkeys disable option
- Autoruns Enhancement – The scope of protection has been significantly enhanced in Online Armor – (Thanks to Tony Klein)
- Additional scan during SCW added (folders where start menu items reside).

Safety Check Wizard
- Realtime update during Safety Check Wizard
- Faster Saving
- Deeper, more thorough scan

OASIS
OASIS (Online Armor Software Information Service) has been significantly updated. OASIS is our files database and in previous versions of Online Armor it was woefully out of date because it relied almost completely on manual effort – including updating the servers. OASIS2 provides the users with this data whether or not the file has been assessed, information about what the program does, how many users have seen it and some information about what it does. This is accessible as a search on the website (all users).

When a program runs that is unknown – you can click the “more” button to get the OASIS results for it. This might help the user decide what to do as it provides aggregate information about what the other users did.
You can also right click inside programs —> File Information —> More to get information out of OASIS.

Firewall
Optimized Performance for Torrents – users complained that when using bittorrent, firewall processing created slowdowns. This issue has been comprehensively corrected. You should not see slowdowns caused by Online Armor Firewall.

Automatic Network Identification(Interfaces) – previously all interfaces were lumped in as one. Now, OA will allow interfaces to be selectively trusted/not trusted. This caters for the case of the road warrior that may plug into trusted/public networks. This now also includes VPN interfaces.

Computers Tab – Computers on the network are automatically detected and listed. It is possible to override on a computer by computer basis the trust status. For example, you could have an untrusted network – with two computers plugged into it that you trust. (or vice versa)

Manage Windows Firewall during OA Install – If the windows firewall is active, it will be disabled. If Online Armor firewall is removed, Windows Firewall will be reactivated.

- Added firewall log viewer
- Block network connection on boot (optional)
- Firewall Logs are defaulted to “Off”
- Bug fix: ICMP traffic is now blockable per application

Program Guard
- Install Mode added
- Allow blocking of trusted programs

Run Safer: Added the ability for the user “Safer” program normally, or a normal program “Safer” from inside program guard (rather than have them force the setting change, if for example, they want to use a program temporarily with admin rights)

CPU limiter added to control runaway processes; CPU Affinity control to show which processor a program may use.

For the time being you have to manually download the new version instead of using the automatic-update facility in the program. It’s not connected to Tall Emu’s auto-update server because of an issue they’re working on that, according to ceo Mike Nash, should be corrected in a day or two.

I recently security tested Comodo 3.0.15.277 (“Advanced Install”) and a late beta of a new version of Online Armor that I believe will arrive shortly. Both products came through with flying colors — passing every test I threw at them. So I can confirm that newer versions of both products continue to test as well as the somewhat older versions tested by Matousec.com.

For those of you following last month’s dramatic public clash between Comodo’s ceo, Melih Abdulhayoglu, and myself — it’s my hope that’s a thing of the past. Melih and I have had several constructive email exchanges. I made some tweaks to my Jan. 20th post urging Scot’s Newsletter readers who might have opted for Comodo 3′s “Basic Firewall” installation option not to use it. And in version 3.0.16.295, Comodo has refined the language on the installation dialog box that I had concerns about; it now looks like this:

[Update on February 16: Since this message was posted six days ago, Comodo released yet another slipstream update, version 3.0.17.304. That version's installation option dialog is identical to that of v.3.0.16.295.]

The wording change does a better job of keeping people from making the less-protective choice. Melih also showed me a picture of the comparable screen for a future version of Comodo 3 that will offer three installation options. The company expects to add a third installation mode that turns off the full blown Defense+ HIPS module but continues to offer leak protection, apparently at a level similar to Comodo version 2.4. That’s an even better change. I haven’t been given access to that version of the Comodo firewall nor do I have any idea when it might arrive, but I’ll be interested to test it when it becomes available. (For more information about changes delivered in Comodo 3.0.16.295 and 3.0.17.304, see the company’s public release notes.)

I test computer products, not people. Some readers have suggested I drop my evaluation of Comodo because of things Comodo’s ceo posted in his company’s forums. Thanks, but that’s not my style. Comodo Firewall is an excellent product, so I will continue to test it until I’ve made a decision.

In the meantime, I’ve recently been testing the last two versions of Comodo under Vista. I’ve seen no anomalies on that OS. I don’t formally test products for Vista, an operating system I have recommended against using. What I can pass along is that, for the time being, I’ve adopted Comodo 3 (version 3.0.16.295 or later with Defense+ enabled) on all my Vista machines.

In other Vista-related news, Tall Emu’s Mike Nash, the ceo behind Online Armor, says his development team hopes to enter public beta testing by roughly the end of the month on Online Armor for Vista.

Having tested pre-release builds of the next Windows XP-version of Online Armor, I’m intrigued by several promising new features. I’ll go into more detail once the product ships and I’ve had time to test it thoroughly.

At one point over the last year I began to wonder whether I’d find a software firewall worthy of my recommendation. But both of these products offer full-fledged protection and are easy to use. Both run on Windows with small footprints. Both are fully compatible with other software security products, including NOD32, the antivirus/anti-malware product I continue to use and recommend. Choices are good.

In the Jan. 20th post, I explained that because Comodo 3′s “Basic Firewall” installation option does not offer full-fledged leak protection, and because my first impressions of Basic Firewall’s user-interface were favorable, I needed to make a statement to my readers that:

a) Comodo 3 Basic Firewall installation mode is no longer under consideration in my review (see my firewall review criteria).

b) My recommendation would be to use Comodo 3 Advanced or some other software firewall (such as Online Armor, the only other software firewall I’ve had a favorable reaction to).

At the urgent request of Comodo’s marketing department, I even made some tweaks early today to the Jan. 20th post to make doubly sure that people would understand I was talking about one mode of Comodo 3, not the entire product.

Abdulhayoglu took me to task for everything from my terminology to my advice to SNB readers to my understanding of what his company has communicated to me over the last week. Nothing he writes in his diatribe changes my mind one iota about my recommendation to my readers. Do not use Comodo 3 Basic Firewall. It does not provide leak protection. The Advanced installation mode does offer leak protection, which helps protect you from threats that might, for example, cause your personal data to be accessed.

Now, as to the facts. Abdulhayoglu claims that I misunderstood information that Comodo imparted to me. Well here is that information, which was written by Comodo senior research scientist Egemen Tas and relayed to me in a lead-up email prior to our meeting last Thursday by Comodo vice president of marketing Judy Shapiro:

CFP 3 BASIC vs CFP 2.4

CFP 3 BASIC New Features
—————————————–
1 – CFP 3 consumes 2/3 of the memory of 2.4(7 MB vs 22 MB), consumes less CPU time
2 – CFP 3 has many user interface enhancements over 2.4
3 – CFP 3 introduces Predefined Rule Sets(e.g. Email Clients/Web Browsers etc)
4 – CFP 3 does not require the users to create manual firewall rules. For example, to make CFP 2.4 work with P2P applications (to get a high ID), the users had to create network security rules. CFP 3 shows popup alerts for incoming connections (CFP 2.4 did not have this functionality)
5 – CFP 3 has the defense against Layer 2 attacks (ARP spoofing)
6 – CFP 3 rules interface is much more flexible and powerful
7 – CFP 3 has a unique feature called “application grouping” i.e. File Groups. For example in CFP 3, more than one applications can be grouped together and treated as 1 application. For example: “Windows System Applications” etc. And CFP 3 supports wildcard characters and environment variables (e.g. %windir%, *, ?)
8 – CFP 3 automatically detects the new networks and can create a trusted zones on the fly
9 – CFP 3 has a Training mode for GAMERS and GAMING friendly
10 – CFP 3 BASIC can detect 70%(According to our local analysis) of unknown viruses with a unique static heuristic analysis algorithm. This is not related to Defense+ or any behavior analysis. When an application tries to connect the internet, CFP FIREWALL alert can show a clear virus warning.
11 – CFP 3 supports Vista and x64 processors
12 – CFP 3 current does not have an Anti-Leak mode similar to CFP 2.4. If Defense+ is disabled, unless it is detected as a virus, leaking is possible.(3.1 or 3.2 will have an anti leak mode)
13 – CFP 3 has a blocked IP addresses/hosts list e.g. spyware sites etc(My Blocked Network Zones)
14 – CFP 3 has 1-Click stop all activities feature.
CFP 2.4 does not have a hips i.e. does not prevent the harm however it can detect known leak techniques and show an alert if there is an internet connection attempt.

There are some user transparent features in CFP 3:

1 – A new enterprise strength stateful inspection engine,
2 – It can be managed remotely
3 – It performs stateful layer 2 inspection
4 – It detects routers, switches and optimizes MTU in slow networks

I asked Shapiro for a clarification on point #12 above. Here is her response from Monday of last week:

As far your question around whether 3.0 “Basic” is less “protective” . Not sure how to answer that. 3.0 is meant o run with Defense + running but it would be accurate to say that Defense + module is needed to protect against “leaks”

Abdulhayoglu, in his forum post, never directly comes out and admits that Comodo 3 Basic Firewall doesn’t have anti-leak protection. That’s part of the problem! My readers weren’t aware that this was the case because I wasn’t aware until SNB commenters drew my attention to it. I then asked Comodo for verification of that fact — and got it.

At this writing, I am unable to find a document on the Comodo Web site that provides a features/functionality comparison of Comodo 2.4, Comodo 3.0 Basic Firewall, and Comodo 3.0 Advanced. Without that information, Comodo’s users are left to guess.

My concern was that my readers might guess that they had protection with Comodo 3 Basic Firewall that they do not, in fact, have. So I moved to make that point clear. I just wish I had made the point sooner.

My only responsibilities are to the interests of my readers and to being as accurate as I can be. I believe I’ve met both goals.

– Scot

Added on January 23, a picture of the Comodo 3 installation screen that offers the choice between the Advanced Firewall and the Basic Firewall:

Microsoft released a revision of Windows XP Service Pack 2 called Windows XP SP2C recently. The media for SP2C is not interchangeable with previous versions (SP2B, SP2, SP1, and XP original). You used to be able to take a PC that came with any Windows XP PC and use any of the same class (home or pro) media to do a fresh install and still use that code on the COA (certificate of authority) on the side of the case. Not any more. The codes that come with SP2C media only work with SP2C media and vice versa — forcing people to buy new copies of Windows XP in order to get the latest update.

Adding to the confusion is the fact that there are no distinguishing marks on the new OEM XP SP2C CD. As a system builder used to ripping open three or 30 packs of OEM media and just installing them, I missed the critical printed note with the new media informing me of the change in the first box of SP2C media I opened.

I did a network-based preinstall as I always do using an image built with Windows XP SP2B. I was building three machines for a guy. I happened to use my last SP2B product code on one of them and two new SP2C codes on the others. All went well until I tried to pre-activate the copies for my client. After reboot, the two machines with SP2C codes went into a lockout state telling me I must activate before continuing. The same thing I had done hundreds of times before no longer worked! So I called Microsoft and after an hour of useless blab, it was clear the support guy was totally clueless. I finally told him I had to go. Microsoft’s support never did figure it out. Finally, I happened to stumble across the note in the box informing me of the change. I wound up having to update the images on my server and, for that job, deploy two separate images instead of being able to use one and blow it across all three machines.

Dan McCoy
Micro Enterprises LLC
VAR/Technology Solutions Consultant

http://www.microent.net/

Note: I have not personally tested Dan McCoy’s information to verify it. I thought it more important to get the message out expediently to save other people frustration. Dan’s an expert in this area and a reliable source.

Save Windows XP
As long as we’re on this subject, I’d like to point out that the creative folks at InfoWorld have launched a campaign to Save XP from retail extinction. I was one of the earliest signers of the petition. I’m not sure it will do any good, but it can’t hurt.

Note: This story has been updated for clarity on 1/22/2008 and 2/2/2008. Nothing has changed about my recommendation.

Because I have written in the recent past with an initially positive reaction to Comodo 3′s “Basic Firewall” installation option, I am honor-bound to post this quick message.

I have learned directly from Comodo executives that the Basic Firewall installation option of Comodo 3 offers only marginal outbound leak protection, not up to the levels of Comodo 2.4 or 3.0. The company may add that protection in a future version of Comodo 3.x. The Basic Firewall option turns off Comodo 3′s Defense+ HIPS module (which constitutes the “Advanced” default installation mode). Defense+ provides the leak protection for Comodo 3.

The previous generation of Comodo, version 2.4, provided anti-leak protection without the new HIPS module.

Not only does this mean that Comodo 3′s optional Basic Firewall mode is no longer a contender in this blog’s firewall evaluation, but if you’re relying on the Basic Firewall mode of Comodo 3 for your firewall protection, you should stop doing so. Windows XP users should switch to Online Armor Free version 2.1.0.31 (or newer) and Vista users should uninstall Comodo 3 and reinstall it, choosing the “Advanced” installation option.

[Note: Since I wrote that last sentence, Comodo has pointed out that you don’t have to uninstall and reinstall Comodo to switch to the Advanced mode but can instead do so by turning on the Defense+ HIPS module. The steps for making the change aren't immediately obvious, however, so here's how to do it: Open the Comodo 3 program window. Click the Defense+ icon near its upper right corner. On the left side of the window, click the Advanced button. Click the the last icon, Defense+ Settings. At the bottom of the next configuration screen, remove the check in the box beside "Deactivate the Defense+ permanently." Comodo will prompt you to restart your computer. You must do so to enable full protection.]

Comodo 3′s “Advanced” default installation mode remains under consideration in my ongoing software firewall evaluation process.

More details will follow in the near future.

– Scot

• Very low system overhead with a strong preference for standalone software — no full-blown security suites
• Full compatibility with popular third-party standalone software from other security application categories
• Excellent outbound security protection, as pre-screened by Matousec.com
• Simple, informative, and highly usable user interface
• Reliability
• Works quietly, alerts you when there are real problems not for the heck of it
• Strong, responsive development team behind the product that is actively developing the product in a rational manner
• A feature that lets users rapidly shutdown all inbound and outbound activity
• Protects but doesn’t cause intermittent problems with Windows local-area network functionality.

Another specification is that the firewall support Windows XP (at least) and Windows Vista. (At the moment, Online Armor does not support Vista. Tall Emu plans to add that support in a forthcoming though possibly not imminent release.)

This post is a sneak peek into my current testing and research on software firewalls for Windows since I last wrote about this topic six weeks ago. In that article, I admitted Online Armor as a last-minute entry into the comparison to give Comodo 3 one last run for the money.

Over the last month and a half, I have received scores of helpful messages from Scot’s Newsletter readers detailing their experiences with Online Armor 2 and Comodo 3. I have also tested the paid version of Online Armor. My research has not concluded yet. I’m waiting for the next version of Online Armor because of a handful of issues with the product (installation mode doesn’t work that well and the documentation for the paid version is very spotty). Overall, however, people testing Online Armor who’ve written to me about it are very positive about it. Few people are reporting serious problems. The same cannot be said for Comodo 3, whose makers have released three or more iterations of Comodo 3 because of several bugs, crashes, and errors.

When you install Comodo 3 in its Basic Firewall installation mode — which doesn’t install the HIPS (host-intrusion-prevention system) — it’s a much more reliable and usable product. But it’s also potentially less protective than Online Armor’s built-in HIPS protection. I’m also beginning to become disillusioned with Comodo’s approach to software development. The company culture appears to favor hurry and time to market over testing and polish. I realize the product is entirely free. But when you experience a serious problem as some people have with Comodo 3, it becomes your time and frustration.

I have to stress the point that I have not had trouble with Comodo 3. It works pretty well for me (except for a bug related to its Help facility that caused a crash in the first release of Comodo 3). But I have had numerous emails from readers about their problems with Comodo 3. Many of those people have gone back to Comodo 2.4 or switched to some other firewall.

So, at this juncture, I’m leaning toward Online Armor, which has been 100% trouble free for me. I still have to perform security tests on Online Armor. Plus I need more time with it. And I’m waiting for an update to the product to see whether a few areas improve. Online Armor is a relatively young product. Its makers are still adding significant new functionality.

I’m still looking for your input on the latest versions of these two products. If you’re using Comodo 3 or Online Armor 3 (or both), please take a moment to send me your experiences, positive or negative, with the two software firewalls:

• My Online Armor 2 Experiences
• My Comodo 3 Experiences

Or you can post them right here as a comment to this blog entry.

Stay tuned for a final software firewall recommendation. For more information on Windows software firewalls, check out the entire software firewall evaluation series.

Windows XP or Windows Vista?

The recent news that testers at Devil Mountain Software found Microsoft’s beta of Windows XP Service Pack 3 to be 10% faster than XP SP2 has pushed me over the edge.

I honestly find no advantage to Windows Vista, and there are some downsides. For example, no matter what Vista advocates say, Vista requires Vista-level hardware. Pentium M/Centrino single-core notebook hardware just doesn’t run it well. Pentium 4 desktop hardware runs it better, but usually that class of hardware needs a video upgrade. I’ve personally seen instabilities with the shipping version of the Vista code: applications freezing, Windows services slowing to a crawl, even OS crashes. I’m not saying everyone is having these problems, but I see no real improvement over Windows XP. While the architecture of Vista is a little better, Vista adds a lot of overhead to support quite a bit of new and sometimes questionable functionality. Vista is a lot more complex than Windows XP. It’s probably more secure, but it still needs a raft of third-party security software and hardware. I don’t trust its anti-malware protection or its firewall. And it doesn’t have an onboard antivirus product.

I have five Windows Vista installations. I’m reducing that number to two, one of which will be in a dual-boot with XP. The Windows Vista installation I have on my main Windows machine was a Vista upgrade install, and it’s the least stable. That’s why it’s getting fresh dual-boot clean installs. The other Vista machine I’m keeping stays in the office, where I don’t use it frequently. If I need other Vista boxes for testing, I’ll set them up as I need them.

The rest of my Windows hardware will shortly revert to pristine Windows XP installations. Windows XP is a mature operating system that’s not trying to be something that it’s not. The user experience is better than Vista’s. There’s no “reduced functionality mode” that will inadvertently trip when Microsoft’s WGA/SPP servers have an outage again.

I hope to test a later release of Windows Vista Service Pack 1, but based on my hands-on use of the first widely distributed beta code and performance testing also conducted by Devil Mountain Software, Vista SP1 is no faster than the original shipping version of the OS. Devil Mountain’s report of XP SP3 being faster than SP2 is very intriguing, though. I’ve been using XP for more than six years, and I’d be perfectly happy to continue using it for another six if Microsoft continued to support it properly.

Until they build something better than Windows XP, I see no reason to switch. As it is packaged today, Windows Vista is not that OS.

Microsoft needs to release a new version of Vista that doesn’t stratify the features (why does CD and DVD burning happen only on the Home versions of the OS, for example?). It needs to unload some of the crap it padded Vista with. And it needs to rethink the user experience with respect to functionalities like UAC and SPP. Enterprises aren’t buying Vista because it offers very little advantage for them, and end users aren’t clamoring for it. Of all companies, Microsoft should know that end-user desire for an OS has a huge effect on how rapidly it’s adopted. The company seems to have forgotten its roots.

I have no doubt that Microsoft could turn Vista around if it wanted to. But it would have to own up to the idea that, with its Vista product and business strategy, it’s been wrong-headed in a number of ways. I’m not so sure that the current management, as Bill Gates continues to edge toward the door, has the technical vision to make the right choices.

Update: Vista SP1 Dumping the ‘Kill Switch’

Microsoft is showing one or two small signs of coming around. First it admitted that the WGA breakdown last August that caused thousands of Vista users to wind up being pegged as software pirates when they couldn’t activate their copies of Vista was, in fact, an “outage.” The company had denied that terminology earlier. Now, Microsoft is eliminating reduced functionality mode — more commonly referred to as Vista’s “Kill Switch.” This change will be implemented by Vista Service Pack 1, which is expected to ship in the first quarter of next year.

Bottom line, though, this is a welcome change, but it doesn’t materially change the user experience at all. Most of us will hopefully never come face to face with reduced functionality mode. And until we actually test what Vista does instead of the kill switch, I’m not prepared to embrace. The Windows Vista RC1 that I’m looking at now still has the kill switch in it.

However, my preliminary impression of Nod32 3.0, also contained in ESS, was quite positive. That product is available as a standalone upgrade to Nod32 2.7 for $40 (one user, one year).

I have not had a chance to fully test the 3.0 standalone product yet. I’ve been focused on the firewalls. But testing Nod32 3.0 is very high on my list. From my look at the ESS beta, I don’t anticipate any serious criticism of Nod32 3.0. I like the UI a little better. I didn’t see anything I didn’t like. I didn’t have any problems with it. But I still have to test it fully to be sure. I’ll be looking at it on both Vista and XP.

I don’t write final security reviews before I’m sure about a product. So depending on the complexities I encounter when I test Nod32 v.3, it could be four to eight weeks before I give you a definitive answer.

If you’re forced to make a decision before that, I would currently characterize Nod32 3.0 as a good bet. And, again, I would recommend separate firewall and antispam solutions instead of ESS.

If you’re using Nod32 3.0, I would be interested in your experiences with and impressions of it. Please send your thoughts to me. Thanks!

Alternatively, you can also post your experiences as a comment to this post if you prefer.

1. There aren’t many good software firewalls out there right now.

2. My focus has been on outbound protection, since anyone sitting behind a firewall router has very good inbound protection.

Although I’ll be running tests on the final round of firewalls, I’ve been relying on the independent security software site, Matousec.com Firewall Ratings, to help winnow out the less impressive products. In recent testing, Matousec has named two new software firewalls “Excellent,” Agnitum’s Outpost Firewall Pro 2008 version 6.0 (a suite product that doesn’t quite fit the target profile of this ongoing review) and a little-known freeware product called Online Armor Personal Firewall v.2 by Tall Emu.

First Run of Online Armor v2.1.0.31

Online Armor Personal Firewall comes in a limited free version, a $39.95 paid version, and a $69.95 OA firewall plus Kaspersky antivirus engine version. (For more information on what each version of OA offers, see Tall Emu’s Online Armor comparison chart.) Tall Emu’s pricing offers both multiple licenses and multiple years of upgrades.

The free version of Online Armor aced the Matousec leak tests — blocking every leak Matousec threw it in its default configuration. So even though its a “limited” free firewall, it’s still a very useful product. Upgrading to the paid version adds 11 major features, including much better keylogger protection, DNS spoofing protection, phishing filter, and Web shield.

The free firewall focuses on two main areas: firewall and application control. It also minds startup programs and services, IE add-ons, and HOSTS file. The UI is simple and effective (Comodo could learn a thing or two). Online Armor is literally a joy to use. But the best part is that, for me, at any rate, it’s been extremely quiet. I’ve seen only about five pop-ups in about 10 hours of direct use. The product has been running on one of my test machines for about two weeks.

Online Armor has a very good chance of waltzing in and stealing top honors as the Scot’s Newsletter Best Software Firewall of 2008. But I need your help. If you’ve used this product, or if you use it after reading about it here, please take a few moments to send me a description of your experiences. Be sure to let me know whether you’re using the paid or free version. Please note, also: The current version is 2.1.0.31. Tall Emu has continued to squeeze bugs out of its product as they’ve been identified. Each time it squashes one, it releases a new minor version. So if you’ve run into problems before, you should download the latest version, uninstall your previous version of OA, and install the new version.

It’s pretty difficult to find much to complain about with Online Armor. But there are two issues that Tall Emu should address in future versions of the product (based on my use of the free version):

1. Because the Online Armor program window is fixed in size, when you look at the log listings screens, you’re not able to widen the window to read the details but are, instead, forced to scroll side to side.

2. Online Armor lacks the ability to automatically detect, name, and save LANs by location the way ZoneAlarm and Comodo do. I’ve said in the past that all software firewalls need this feature. So far, though, Online Armor has not interfered at all with my networking functionality, unlike so many other firewalls.

Lastly, it should be noted that Online Armor supports Windows NT/2000/XP but not Vista yet.

In the near future, I’ll test and report on the paid version of Online Armor.

Comodo 3 Hits the Streets

Meanwhile, Comodo finally released its free Comodo Personal Firewall v3. This new version has been out less than a week.

Visible for the first time late in the beta cycle, the Comodo engineering team added a wrinkle to version 3.0 that makes it like two programs in one. There’s a much simpler “Basic Firewall” installation option that eliminates the host-intrusion-prevention system (HIPS). By choosing this option, you disable the malware protection that Comodo offers, but in my tests the result was a nearly silent, well-behaved software firewall.

With its “Advanced” installation option in vogue, Comodo 3 adds the kind of protection used by business-class security products, though it’s probably not for average users. To make it easier to manage, the Comodo engineers added a predefined list of safe applications, with the ability for both you and Comodo to add to that list to make the product easier to use over time.

Comodo 3 is a major new version of the Comodo firewall product line. In addition to the HIPS module, the new version adds:

1. A clean PC mode that profiles all applications on your PC and registers them as safe, blocking others from installing without your approval.

2. An advanced network firewall engine that stops exposure of confidential data by stopping malicious programs from connecting to the Internet

3. Application-behavior analysis that detects suspicious activity before allowing Internet access.

4. Smart pop-alerts with multiple preset actions and an advice area.

5. A whitelist with one million trusted applications maintained by Comodo that cuts back on the number of pop-ups you’ll see related to the HIPS.

6. Support for 32-bit Windows XP and Vista as well as 64-bit Windows XP and Vista.

For more details on the Comodo 3 feature set, see this Comodo page.

I’ve been testing Comodo 3 for only a few days — not long enough yet to make a final pronouncement. In fact, I welcome your input on Comodo 3. Send me an email and let me know about your experiences. Be sure to let me know whether you opted for the Basic Firewall or Advanced (default) installation option.

In my testing so far, though, I’ve been very pleased with Comodo 3. The harsher experiences of the Comodo 3 betas have been largely eliminated in the final version of the product. I’m not seeing the blizzard of pop-ups that its predecessor, version 2.4, sometimes issued. The product is mostly well designed and easy to use.

Note: I have not yet tested Comodo’s outbound protection (something I plan to do in the next month or so), and Matousec has not tested it either. So the Comodo 3.0′s protection must be verified.

A Few Comodo 3 Shortcomings

In the early going, I did run into two separate problems with Comodo 3. I downloaded and installed Apple’s QuickTime and iTunes software, which apparently weren’t on the predefined whitelist of safe programs. I set them to be considered safe in Comodo, and then opted to upload them to the Comodo servers for the company’s analysis. For unknown reasons, every time Comodo attempted to send the files home, my Internet connection died and I received a network error message from Comodo.

Comodo contains a very simple wizard that automatically detects existing LANs and lets you name and save them, as well as giving you the option to be visible to all local networks. I’ve repeatedly suggested that all software firewall apps should work this way. Comodo does an excellent job of it. That’s why I know the network error was probably not caused by Comodo blocking the network. Both Internet access and file sharing on my local-area network worked perfectly.

After several hours during which Comodo repeatedly tried and failed to send the install files back home, I finally just deleted the chore to spare myself the interruption.

The other problem had to do with my FTP program, CuteFTP. When I initiated an FTP connection, a Comodo pop-up opened. I chose the option to treat CuteFTP like an “FTP program.” Seemed logically enough. Only problem was, CuteFTP was not able to connect with an FTP server. I had to manually create a rule to unblock CuteFTP at that point. There was no way (that I could find) to go back and change the “FTP program” security setting to something like “trusted application,” which is a bit more open setting. This example occurred both on the Basic and Advanced installations of Comodo 3.

Comodo 3 includes solid wizards called Define a Trusted Application and Define a Blocked Application, but it doesn’t offer you a way to see a list of blocked or trusted apps you’ve created in the past. So you can’t modify them. and the Network Security Policy module, buried in the Firewall > Advanced area, lets you see and modify all the previous decisions you’ve made in Comodo pop-up dialogs. This is a very important piece of functionality in Comodo 3. I’d like to see it become much more prominent, easier to use (too many clicks), and it should offer built-in help that makes it easier for people to revise their settings smartly.

One of the things I find frustrating about many software firewalls is that they provide you with detailed logs of blocked connections or exceptions, but there’s no way to act on these logged lists. Software firewalls need a UI structure that makes it easier for people to create, edit, and delete their own firewall rules. Comodo has the basics, but it doesn’t go far enough. Online Armor does a better job on that score.

[Note: Thanks to redr for the comment on this story that points out an error I had made. The strikethroughs in the two paragraphs above and some added text aim to correct my mistake. -- S.F.]

Where’s It All Headed?

The 11th-hour addition of Online Armor makes this comparo a two-horse race. My focus is now on making a decision between Online Armor and Comodo 3. My current instinct is that you’ll probably be in good stead with either option. Both products work fine with Nod32 v2.7, the product I’m currently recommending for antivirus/anti-malware protection. Interestingly, both of these firewalls also add anti-malware protection.

So I think we’re finally getting closer to a final decision. As soon as I verify that there are no widespread reliability or bugginess problems with either Online Armor and Comodo, and after I have run some security tests on them, I hope to announce a winner.

Footnote: I’ve looked at two new firewalls since I last wrote on this topic. In addition to Online Armor, I examined Webroot’s Webroot Desktop Firewall, which the company is currently offering for free. It’s a pretty nice product that Webroot apparently licensed from Privacyware, whose Privatefirewall 5.0 garnered “very good” scores in Matousec’s tests. Still, very good isn’t as good as excellent. Plus the UI in the Webroot product is good, but not great. So I’ve crossed the Webroot Desktop Firewall off the list.