Computer Gripes documenting the down side of computer stuff  

Sunbelt Kerio Personal Firewall Gripes

The Personal edition is the free version

This free firewall and its commercial edition (the Server Firewall) were originally from Kerio. In December 2005, Sunbelt Software purchased both versions of the firewall (press release) and renamed the free version the Sunbelt Kerio Personal Firewall.

More Gripes

September 15, 2006. Free edition version 4.3.268.0 running on Windows XP Professional.

This picture, a screen shot of the Windows system tray, says it all. Eventually, it went back to a single icon.

With a single firewall icon in the system tray, the firewall doesn't work. That is, it doesn't do the main thing a firewall is supposed to do. I configured it to ask me any time a new application wanted to make an outbound connection to either the Internet zone or the trusted zone. It didn't do this. Even when I told it to stop all traffic, I was still able to get to web sites. 

Third Go Round

August 10, 2006. I tried this firewall a third time. Environment: Firewall version 4.3.268.0. Windows XP Pro with all current bug fixes applied. No other firewalls were installed; in fact, no other firewalls had ever been installed. The machine has no antivirus software and no anti-spyware software.

When you install the program you are asked to choose a default behavior. As before, the explanation of each is too short.

After the program is installed, the user is shown the readme file. In fairness, many programs work this way. Still, it's wrong, stupid and disgraceful. The readme file has information that the user needs to know before installing the product.

I chose to install the firewall to a folder under Program Files that was not the default. I don't like programs that are filed away under the software vendor's name as I can't always remember which company made which software. Despite this, the program was installed to its default folder:

    C:\Program Files\Sunbelt Software\Personal Firewall 

After installing, you have to reboot. When Windows started up, the firewall did not. The error was "KFE initialization failed. Driver not found". Worse still, the firewall is supposed to turn off the Windows firewall when it's installed. It did not. Click the image at the right to see the two errors that greeted me upon this first reboot. I checked Sunbelt's KB and there was nothing on this error.

Here are some of the errors in one of the Sunbelt Kerio Firewall logs:

Config.cpp: Configuration file "C:\Program Files\Sunbelt Software\Personal Firewall\config\kpf.cfg" not found.
Config.cpp: Configuration file "C:\Program Files\Sunbelt Software\Personal Firewall\config\kpf.cfg.bak" not found.
kwsapi: Could not get firewall profile: There are no more endpoints available from the endpoint mapper. (0x800706D9)
kwsapi: set: WindowsFirewall is not initialized.
kwsapi: Could not get firewall profile: There are no more endpoints available from the endpoint mapper. (0x800706D9) 
kwsapi: set: WindowsFirewall is not initialized.
kfe.cpp: KfeInit: KFEInitialize error: 101
kpf4ss.cpp: KFE initialization failed: Driver not found.
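A triage pass over the log lines above, as an added example (not part of the original page and not a Sunbelt tool). It groups the entries by component, lists the missing configuration files, and decodes the HRESULT in the kwsapi lines; the field layout and the name for Win32 error 1753 are standard Windows definitions, and the function names are this example's own.

```python
import re
from collections import Counter

# Log lines as quoted on this page (trailing whitespace removed).
LOG = r"""Config.cpp: Configuration file "C:\Program Files\Sunbelt Software\Personal Firewall\config\kpf.cfg" not found.
Config.cpp: Configuration file "C:\Program Files\Sunbelt Software\Personal Firewall\config\kpf.cfg.bak" not found.
kwsapi: Could not get firewall profile: There are no more endpoints available from the endpoint mapper. (0x800706D9)
kwsapi: set: WindowsFirewall is not initialized.
kwsapi: Could not get firewall profile: There are no more endpoints available from the endpoint mapper. (0x800706D9)
kwsapi: set: WindowsFirewall is not initialized.
kfe.cpp: KfeInit: KFEInitialize error: 101
kpf4ss.cpp: KFE initialization failed: Driver not found."""

LINE_RE = re.compile(r"^(?P<component>[\w.]+): (?P<message>.+)$")
HRESULT_RE = re.compile(r"\(0x([0-9A-Fa-f]{8})\)")
MISSING_RE = re.compile(r'Configuration file "(.+?)" not found')

FACILITY_WIN32 = 7
# Win32 error names this example knows about; extend as needed.
WIN32_NAMES = {1753: "EPT_S_NOT_REGISTERED"}


def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity, facility and code fields."""
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None
    return {"failure": bool(value >> 31), "facility": facility,
            "code": code, "name": name}


def triage(log_text):
    """Group log lines by component and pull out the actionable details."""
    report = {"by_component": Counter(), "missing_files": [], "hresults": {}}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not "component: message"
        report["by_component"][m["component"]] += 1
        missing = MISSING_RE.search(m["message"])
        if missing:
            report["missing_files"].append(missing.group(1))
        for hexval in HRESULT_RE.findall(m["message"]):
            report["hresults"][hexval.upper()] = decode_hresult(int(hexval, 16))
    return report


if __name__ == "__main__":
    result = triage(LOG)
    print(dict(result["by_component"]))
    print(result["missing_files"])
    print(result["hresults"])
```

The decoded value is a Win32-facility failure carrying error 1753, the RPC endpoint mapper error whose text the log already prints, so the kwsapi entries are about reaching the Windows Firewall interface and are separate from the KFE driver failure logged by kfe.cpp and kpf4ss.cpp.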

Tech Support 

Filled in a tech support request on Sunbelt's web site on August 13, 2006. They emailed back the next day. However, it was a boiler plate response. The text of my message was not read at all. I say this based on four comments in the response. The worst was that I was requested to take a screen shot of the Overview tab -> License window. This despite the fact that the problem is the firewall won't start up at all. 

When I pointed this out, I got another response in a matter of hours. As per Sunbelt's suggestion, I uninstalled the firewall in the usual manner, re-downloaded it and re-installed it. Again I pointed it to a non-default installation directory and opted for advanced mode not simple mode.  

Exactly as before. The firewall installed itself into its desired default directory and ignored my requested directory. It also failed to initialize again. 

Sent Sunbelt all the logs. Tried to install using the default folder, but it made no difference; same error at system startup. 

August 15, 2006. Again, Sunbelt responded quickly. They are aware of the problem of the firewall not installing itself in the non-default folder. They also offered a suggestion and provided a total un-install utility. Ball is in my court . . .

August 20, 2006. Sunbelt requested more details on the problem, which I sent. 

September 16, 2006. No response yet from Sunbelt. Dropped like a hot potato. 


New Userid

August 15, 2006: For unrelated reasons I created a totally new Windows XP userid. The firewall service was set to manual startup since it wasn't starting up anyway. Just for the heck of it, I tried to run the firewall. It worked! Go figure. 

There is no Help -> About. Once the firewall is running, there doesn't seem to be any way to determine which version it is.

Gripes: 

August 16, 2006. With the Kerio firewall running, I start NetMeeting. The firewall does not warn me that NetMeeting is asking for server rights. ZoneAlarm does. Did it grant those rights? I'm not sure, but NetMeeting was not able to share applications on this machine. I've used NetMeeting a lot to share applications and this was never a problem before. I suspect it is somehow related to the firewall.  
   
    

Simple Mode

January 14, 2006. Sunbelt Kerio Personal Firewall version 4.2.3 (dated Dec 12, 2005) on Windows 2000 SP4 with all bug fixes as of January 2006. 

The free version is said to be free, forever. Yet on the License tab it says I'm running a 30 day trial. 

Also on the License tab, when I clicked on the link for the homepage of the firewall, it started a whole new instance of Firefox 1.0.7, the default browser. That is, Firefox was working as if it had never been run before. It asked about importing bookmarks and the UI was the default. This despite the fact that Firefox was a well worn application at the time with many customizations. 

At dilbert.com, the Firewall blocked an ad. I didn't ask it to do this and it never told me it was blocking ads. How is this turned off? The obvious place to look is the Preference tab, but there is nothing there about turning ad blocking on or off. (It's controlled with the Web button -> Ad-blocking).

Also, I find the logs for ad-blocking confusing. What is the "value" column? What does a subject of "referer" mean? It blocks many JavaScript scripts that it thinks are ad related. Time will tell if this causes problems. 

It blocked this gif, which is not an ad, because the path included the word "banner". There does not seem to be a way to tell it to keep blocking images with the word "banner" in their URL, but not to do it for this one GIF or not for this one web site. The exceptions that you can define for a web site (Web -> Site Exceptions Tab) control cookies, ActiveX and more, but not ad blocking.

I could not use the surpluscomputers.com web site with the default cookie blocking mode. Defining the site as an allowable exception was not hard. 

I turned on outbound protection with Network Security -> Applications -> Any Other Application.  

After a while the firewall said that the Mozilla Thunderbird email program was trying to make an outbound HTTPS connection. I assume this was Thunderbird checking for updates to itself. When I said to permit it (just this once), BLUE SCREEN OF DEATH, yet again!! (updated Sept 5, 2006)

Specifically, IRQL_NOT_LESS_OR_EQUAL. The error codes (in hex with leading zeros suppressed) were: D1, 610083, 02, 00, BF21D703. 

Needless to say, I'm done with this program, it has been un-installed. 

After un-installing it, this folder remains: 
   C:\Program Files\Sunbelt Software\Personal Firewall 4 

It's not very big, but it does seem to contain a bunch of log files. I contacted Sunbelt via their web site to tell them of the BSOD and offer to upload the log files. They replied very quickly. The support person knew of one BSOD problem and offered the following solution for it. I gave them a copy of the leftover logs.  

  1. Open Kerio's Configuration console by right-clicking the System Tray Kerio Icon 
  2. Click the Intrusion Tab 
  3. Click the Advanced Button for HIPS 
  4. Click Exceptions Button for Buffer overflow 
  5. Click Add to launch the Edit Buffer Overflow Exception window 
  6. Browse to Program Files\Microsoft Office\Office11 (MS Office 2k3 Pro) or whatever location of your MS Office installation. 
  7. Double Click the Outlook.exe which will populate the exception window 
  8. Click OK to save 
  9. Perform same steps for the Code injection Exceptions 
  10. Click OK on the Host Intrusion Prevention System - Advanced Settings window when done 
     

Out of Box Experience - Advanced Mode

December 21, 2005. Sunbelt Kerio Personal Firewall version 4.2.3 (dated Dec 12, 2005) on Windows 2000 SP4 with all bug fixes as of July 2005 running in a VMware workstation virtual machine. 

When you first install the firewall, you have to choose between Simple and Advanced mode. The difference between them could be explained better. An article in PC magazine noted that the firewall actually has three modes of operation, not two. I opted for Advanced mode because simple mode sounded like it did not offer any outbound protection. If this is true, then it seems useless for Windows XP SP2 users.

This is further confused by the fact that there is both a free and paid version of the Sunbelt Kerio firewall. So, a new user, with no documentation (except that shown in the initial dialog at the right) has to choose between two (really three) modes of operation and just the features in the free version or also the additional features in the paid version. How these things mix and match is impossible to figure out with the Sunbelt/Kerio firewall. ZoneAlarm does this much better. When you start to install ZoneAlarm it asks if you want to enable the advanced features in the paid version for a brief trial period. Simple and clear. Also, ZoneAlarm doesn't add the extra complexity and confusion of "modes" of operations that are not well explained. Instead it just has a range of configuration options that you can change at will. And, its defaults are pretty well chosen.

For both products, is it too much to ask that when the user downloads the free version, that's all they get? Apparently so. 


Effect of installation on Windows: 

Note that the effects shown above are the same for both simple mode and advanced mode.  


When the firewall was installed there were no live network connections. The computer was on a LAN but the network interface was disabled. After the firewall was installed and the system re-started, I enabled the network connection. This generated another question (see picture at right): "New network interface or network IP address". Is this a trusted network? 

Yes and No. And that's the gripe. 

In my case, the entire subnet is not trusted, only part of it is. There is no such option however, you have to trust or not trust the entire subnet. For example, with ZoneAlarm you can choose to trust just 192.168.1.1 thru 192.168.1.9 and not trust the rest of the 192.168.1.x subnet. With the Kerio firewall a subnet seems to be all or nothing.
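To make the range-versus-subnet difference concrete, here is an added example (not from the original page and not code from either product). It takes the 192.168.1.1 thru 192.168.1.9 range mentioned above, computes the exact set of CIDR blocks that covers it, and lists the extra addresses that end up trusted if a single subnet has to stand in for the range; the function names are this example's own.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Exact cover of the inclusive range first..last as CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def smallest_enclosing_subnet(first, last):
    """Smallest single subnet that contains both ends of the range."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    prefix = 32 - (a ^ b).bit_length()  # length of the shared leading bits
    return ipaddress.ip_network(f"{first}/{prefix}", strict=False)


def over_trusted(first, last):
    """Addresses a one-subnet rule would trust beyond the intended range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [ip for ip in smallest_enclosing_subnet(first, last)
            if not lo <= ip <= hi]


def is_trusted(address, cidrs):
    """True if the address falls inside any of the trusted blocks."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in cidrs)


if __name__ == "__main__":
    first, last = "192.168.1.1", "192.168.1.9"
    exact = range_to_cidrs(first, last)
    print("exact cover:     ", [str(n) for n in exact])
    print("single subnet:   ", smallest_enclosing_subnet(first, last))
    print("extra addresses: ", [str(ip) for ip in over_trusted(first, last)])
    print("192.168.1.10 trusted by exact cover?",
          is_trusted("192.168.1.10", exact))
```

The exact cover needs four blocks, which is why a firewall that accepts only one subnet per trusted network cannot express this range without also trusting neighbouring addresses.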

  

Before I could do anything else, the firewall generated an Incoming Connection Alert. Right under the red warning it says "Sunbelt Kerio Personal Firewall". It's not clear if this means the firewall caught the incoming tap on the shoulder or created it itself. 

The remote IP address is referred to as a remote "point". Why? This is unnecessarily confusing. 

The firewall offers to create a rule for this. What rule? That it doesn't bother explaining. No incoming attempts at all? Nothing incoming from this IP address only? Nothing incoming from this IP address and port number only? ZoneAlarm is far better at this. By default, it denies everything coming in that was not requested. No need to ask the user anything.

I denied it. 

Then another, I deny it too. And another. This time I say to make a rule and don't ask me again. What rule did it make ... 

What did it log about these incoming connection attempts? Nothing! Zippo. Nada. Zilch. This is a disgrace. There are five types of logs - five tabs along the bottom of the log reporting section. They were all empty. 

So I "X" out of the application. And it's still running. This is probably a good thing, but the documentation on it is shameful. Windows applications shut themselves down when you click on the "X" in the top right corner. Everyone knows that and is conditioned to it. Violating this rule may be the right behavior for a firewall; ZoneAlarm also does not shut itself down when you "X" out of it. However, ZoneAlarm warns you about this unusual behavior the first time it happens and you can tell it not to warn you again. Score one for ZoneAlarm.


Now for the first web page: 

The first time Internet Explorer goes out to the Internet, the firewall nags you about whether to allow it or not. Not very user friendly. ZoneAlarm gives IE a free pass which seems, to me, a much better default. 

It also asks whether to create a rule for this "communication" and not to ask again. What is the rule? Let everything out? Let IE always go out? Let IE only go to the current IP address? Only to the current port? Only using the current protocol? It don't say. In contrast, ZoneAlarm is very clear about what it's asking you. 

(Update: May 1, 2006. I'm told, by someone whose system wasn't brought to its knees by the SKPF, that it means IE can make outbound connections to the Net. To restrict IE by port, IP address or protocol, you are supposed to select IE in the list and click Packet Filter.)

I say to permit it. 


That's not enough! Give me a break. A second alert asks about letting Internet Explorer go to the "Trusted Area". Heck, if it's trusted, why am I being asked about it? I said IE could access the un-trusted Internet, that should be enough. 

Even worse, the remote "point" (I hate that term) is IP address 127.0.0.1. Every nerd in existence knows what this IP address is. How come the Kerio programmers don't? It is a reserved IP address that always refers to your computer. Your computer is also known as "localhost". One time, the alert just asked about the IP address, another time it asked about "localhost 127.0.0.1".  

Above the green stripe, this alert window says "An application is trying to communicate with a remote computer". Not true. I am always 127.0.0.1. It is never ever a remote computer.

And UDP? Where did this come from? IE uses TCP to access web sites. Not to mention that only computer nerds have any idea what UDP even is. 

Would a Help button be too much to ask? Must be. ZoneAlarm has a help button. It's often useless, but at least they made the effort.  

I say to permit it. 


Another Outgoing Connection alert! Give me a big break. This is truly disgraceful compared to ZoneAlarm. The remote "point" (there's that word again) is p24.www.re2.yahoo.com. Say what? I want "www.yahoo.com". I permit this. 

And yet another Outgoing Connection alert! Let's see, it's now four alerts for Kerio/Sunbelt vs. none for ZoneAlarm. Adding insult to injury, this alert is to the same p24.www.re2.yahoo.com that I just permitted a few seconds ago. 

And yet another Outgoing Connection alert.  :-(  This one is to "point"  68.142.226.33. I permit it. 

And yet another Outgoing Connection alert. I'm not writing down any more "points". I'm just permitting everything. There were ten more alerts! I think that's fifteen.

And all for naught. The Yahoo home page failed to load in IE. Maybe I took too long responding to the above alerts. Talk about first impressions. 

ZoneAlarm does this much better. When you give one-time permission to a program for outbound connections to the Internet, ZoneAlarm takes this to mean the program can make outbound connections all day. Tomorrow you'll be asked again (technically, the next time ZoneAlarm starts up you'll be asked again). This is much preferable to the way the Sunbelt Kerio firewall works, where one time permission has a lifespan of nanoseconds. 



I try to go to www.yahoo.com again. The page starts to load. Lots more Outgoing Connection alerts. I permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. And permit. Twenty alerts. 

And then death by Blue Screen.  


And this was my second BSOD. The first time I installed the firewall in the same virtual machine, it also caused a BSOD, after which I rolled back the virtual machine and started all over.  I didn't mention this first go-round because the virtual machine had the Sygate personal firewall v5.5 installed. It was not running, but might have interfered. So I un-installed the Sygate firewall, took a checkpoint on the virtual machine and started all over again. 

In My Network Places I have an FTP entry that looks like ftp://userid:pswd@mydomain.com. When this is opened, Windows Explorer takes me to the FTP server for the domain, logs me in and lists all the files. It saves having to install an FTP client.

The first time I installed the firewall, I tried to use this network place just after the initial IE web page failed to load. At first, the firewall warns that explorer.exe wants to make an outgoing connection. Fine. I permit it. Then it warns twice more that explorer wants to make an outbound connection. Permit. Permit. And then the Blue Screen of Death. 


FYI 

On the upside, the Sunbelt/Kerio firewall does one thing better than ZoneAlarm - it reports the full path to the program making the outbound request. An example of this is shown here at the right where Internet Explorer was making an outbound request.  



Before the BSOD my first time around, I ran the System Information utility. This too caused an alert: Application is launching another application. Is this a good thing? Click the image at the right for a full sized copy. 

It can block ActiveX, JavaScript and VBScript globally with exceptions you can define for certain web sites. 

Best combination seems to be to install in simple mode, then get outbound protection with Network Security -> Applications -> Any Other Application. 

Coming: defining the trusted local LAN and killing the processes and service with Task Manager.   

The Kerio Personal Firewall 4 was reviewed in PC Magazine September 28, 2005. They loved it.  

The bulletin board for the firewall is at  www.castlecops.com/f208-Sunbelt_Kerio.html 

I also have gripes about ZoneAlarm

  Created: December 21, 2005 Page last updated: September 15, 2006