Down to One: Windows Software Firewall Evaluation

It’s taking forever to kick the door closed on the long-term Windows software firewall evaluation. In the last installment of the series, Windows Software Firewalls Evaluation Rolls On, I wrote about issues with Comodo 2.4 that Scot’s Newsletter readers have reported — and which the Comodo folks graciously owned up to. With a rearchitected version of the firewall on the way, I decided to hold out to see whether the new product would get the job done with fewer issues.

A couple of days ago, Comodo released what some have dubbed Comodo 3.0 Beta 3 (version With this new rendition of the code, for the first time you get the sense of what the company expects the user experience to be. The product relies heavily on user prompts to warn you of possible threatening actions, but you can tell it to remember your answers and make specific programs “trusted applications,” which effectively silences future prompts. The user experience is pretty good, overall, but it’s way too early to determine whether the product will perform without bugginess on some desktops.

I ran Comodo Beta 3 through the standard battery of outbound leaktests performed by sites like Firewall Leak Tester and Matousec, which I’ve referred you to many times in the past. Some of these tests really mean very little, but some are quite good. Like its predecessor, Comodo 2.4, the new 3.0 product offers excellent outbound protection — the factor that I’ve identified as the Holy Grail of this long-term review. (For more on the leaktests I’m using, see the ZoneAlarm review in More on Software Firewalls for Windows.) Comodo passed every single test I threw at it.

It’s not time yet to do a full review on this product, which supports XP and Vista, but Comodo 3 is promising. Even so, there’s one aspect of the all-new Comodo I’m not in love with: the redesigned user controls, logs, and settings interface. It’s pretty, but not really well designed. It’s difficult to know whether items you’re clicking into give you a way to configure or just a window for viewing historical data. I’d like a single place to review the decisions I’ve made about specific programs. While your actions are recorded, there’s no place to review and change them. Seems like something this product definitely needs.

The addition of the HIPS technology (host intrusion prevention system) adds a layer of defense without overly complicating the operation of the software firewall. That’s a key advantage of Comodo 3. But the extra layer of protections and settings does make for a far more complex set of controls and settings dialogs. It’s easy to get lost in Comodo 3’s rabbit warren of options.

Although I don’t have the latest word from Comodo yet, judging from this version of the product, the company is six to eight weeks away from shipping Comodo 3. There are still a few missing features. With security software, I like to see it ship before I recommend it. So hang in there. It may be a few more months before I can tell you whether to adopt this firewall.

If you’re thinking about testing Comodo too, be sure to uninstall any previous software on your system before installing this one — including Comodo 2.4 or any of the Comodo 3 betas. After you install it and reboot it, the best way to train it is to launch every program installed on your system that you use regularly, one after the other, making selections in Comod’s pop-up prompts. Definitely use the Remember check box, and setting programs you use frequently as trusted applications (from the drop-down menu) will eliminate future Comodo pop-ups.

Once you’ve had a chance to try it out, send me a note about your experiences. This is a beta product, so you may run into bugs and issues. Making a backup of your entire drive before you install beta software is always a shrewd thing to do.

Eset’s Firewall — and Updated Nod32 Antivirus Program
Meanwhile, the Best Antivirus Product of 2007, as named by yours truly, Eset’s Nod32 2.7, is being reworked by the company into a new 3.0 version. Eset has two flavors of its new product line: the antivirus/anti-malware-only product and the new Eset Smart Security, a suite product that adds a firewall and an antispam option.

I’ll be retesting Eset’s forthcoming Nod32 3.0 when it finally ships. My initial impressions are quite positive. For now, Scot’s Newsletter continues to recommend Nod32 2.7.

But I’ve made a decision in the opposite direction about Eset Smart Security suite. Take a pass on this one. The firewall seems very pedestrian; it’s able to handle only three of the leaktests on my list of 17. And what’s with the antispam module? That doesn’t belong in a package like this. The best thing about Eset Smart Security is Nod32 3.0 and the fact that you can turn the other two modules off.

What If?
So, where does that leave things? If Comodo 3 winds up having issues, we’ll be back at square one. And what that should mean for you is a solid hardware firewall/router just behind your connection to the Internet with WPA Personal encryption for any wireless networking you have on your network. For more information about the hardware side of the equation, please see Kicking Off a Software Firewall Comparo from June of 2006. Many experienced users are content with this level of protection.

Previous Installments in the Software Firewall Series:

9 Responses to “Down to One: Windows Software Firewall Evaluation”

  1. BJB Says:

    I looked back at your prior article on hardware firewalls with SPI and NAT from last year. I am currently in the market for one (8 port as my old SMC can’t keep up with my broadband) and was surprised how few in a reasonable price range had SPI. Lots of NAT routers but the SMC Barricades are long gone. And many others I saw just had NAT. Anyway, the two 8 port routers I found with a firewall/SPI are the D-Link DIR-130 and the Netgear Prosafe VPN firewall FVS338. The FVS338 has not had great reviews and the initial firmware of the DIR-130 locks you out of the interface without rebooting after an hour. So waiting until they ship it with the new firmware as upgrading the firmware has also been an adventure. Am I missing a lot of different options somewhere? There are of course enterprise level firewalls but that is overkill for my needs. Perhaps a refresh article on hardwire firewalls is in order????Thanks, BJB

  2. Scot Says:

    Hi, I’ve been using the D-Link products the last few years. But I bought one a few months ago that kept dropping off. They may have fixed the firmware, but it’s definitely an issue.

    Does the Linksys firewall router not have SPI (stateful packet inspection)? It used to, I know. I agree with your thinking, fwiw. I’m still using an older D-Link firewall/router, it’s a four port. I have it connected to a 24-port gigabit switch — so that’s another option for you. Buy a router that works and then get a separate high-quality switch.

    Hope that helps. A refresh article is a good idea.

  3. evan Says:

    Disappointed that eset’s offering hasn’t passed muster. Hopefully by the time it comes out of beta it’ll be up to snuff.

    Another important aspect I’ve found regarding firewalls is the delay it can produce in starting programs. I use a POSIX (UNIX-like) environment called Cygwin, and being UNIX-like, has lots of small programs that do one thing and does it well – so a shell script can run a dozen or more little programs to do little tasks.

    I found Zone Alarm when I was last using it to cause a noticeable and unacceptable slowing of scripts run time. Sunbelt/Kerio was okay with this – although you wanted to turn off the checking of programs spawning other programs (which seemed of limited usefulness and would be confusing for the uninitiated I think).

    Comodo so far seems good in this department.

    Yet another metric…

  4. BJB Says:

    Yes, the Linksys router does still have SPI but I was looking for an all-in-one solution before reading your post.
    You now have me thinking about going the “separates” route. I also am now thinking it would be shortsighted to not get gigabit ethernet capability for future-proofing my network. That rules out almost all the firewalls I was looking at as they would not keep up.

    I found the D-link FVS124G that is a 4 port gigabit firewall/switch. I would have to get another gigabit switch for expansion off it it as you did. Do I understand correctly if I went this route that all of my port forwarding, port ranges, etc. would just be set on the firwall and then the additional switch would just do HDCP (if needed for certain devices) on the added ports? So I really would not have to “manage/log into” that additional switch? I assume a DMZ (which I don’t use) would have to go right off the firewall but the other ports would all share my range/trigger settings made on the firewall?

    I am really glad I did not jump on the first solution I saw….

  5. BJB Says:

    Sorry, the FVS124G is a Netgear piecenot D-Link

  6. ronc Says:

    Is it possible to install just the firewall part of the ZoneAlarm Pro or Internet Serurity Suite instead of the whole program? Emailed ZA asking the same question and they avoided the question by saying just download the FREE firewall. Also any problems reported about COMODO firewall hanging or freezing up and you can’t even turn off the computer without turning off power? Thanks.

  7. evan Says:

    Now that eset’s ESS has been officially released have you had a chance to take another look at it?

    They will shortly be offering free upgrades to current Nod32 2.7 customers – is it worthwhile upgrading to ESS, or just to Nod32 3.0?

    Would you consider ESS better than nothing?

  8. Scot Says:

    Evan, funny you should ask. I’m in the midst of one last post right now before I send the next newsletter notification email. I have not fully tested the new 3.0 version of Nod32. I looked pretty extensively at Eset Smart Security in late beta, and I don’t think much of the firewall at all. Plus I have no use for Eset’s antispam solution. So I am definitely recommending *against* Eset Smart Security (ESS).

    However, I did like Nod32 3.0, also contained in ESS, and that product is also now available as a standalone upgrade to Nod32 2.7. I have not had a chance to test the 3.0 version standalone product yet. I’ve been focused on the firewalls. But testing Nod32 3.0 is very high on my list. From my look at ESS beta, I don’t anticipate any serious criticism of Nod32 3.0. I like the UI a little better. I didn’t see anything I didn’t like. But I still have to test it to be sure.

    I don’t write final security reviews before I’m sure about the product. So depending on the complexities I encounter when I test Nod32 v.3, it could be 4 – 8 weeks before I’ll give you a definitive answer. If you’re forced to make a decision before that, I would currently characterize Nod32 3.0 as a good bet.

    Hope this helps.

  9. Scot Says:

    Ronc: To my knowledge, the ZoneAlarm products do not allow separate install of various components. It’s all or nothing. If you most use a ZoneAlarm product, the only one I can come close to recommending is ZoneAlarm Pro, the simplest suite product. Do NOT go with the free firewall. It does not adequately protect outbound. It’s hobbled in that direction.

Leave a Reply

You must be logged in to post a comment.