GlassWire by Chris Taylor
The Windows firewall since XP Service Pack 2 does the basics of what is most needed in a computer firewall: allowing all outbound traffic (so you can access web sites, email, Skype with friends, etc.), and blocking all connections from the Internet that you didn’t initiate.
There is a threat that such a one-way firewall can’t protect against. If you have malware on your computer, it almost always connects to the Internet, either to communicate with a command and control server for instructions on what malicious action to do, or to send your data/files to the attacker. Because the traffic is coming from your computer, the Windows firewall will happily allow the traffic.
To respond to such threats, two-way firewalls can not only block the connections from the Internet that you didn’t initiate (as with a one-way firewall) but can additionally block outbound traffic. There are a few freemium two-way firewalls, ZoneAlarm probably being the best known.
A two-way firewall has to allow good outbound traffic or you may as well unplug from the Internet! There are several ways it can decide if outbound traffic should be permitted. The most common is to pop up and ask you if you want program xyz to access the Internet. And therein lies the problem with two-way firewalls – at some point you are going to be asked if something should be allowed to access the Internet and you will have no idea what the right answer is! I hate that.
I recently came across an interesting firewall product called GlassWire. The freemium version is more of a monitoring program. It works with the Windows firewall to provide reporting capabilities. The premium versions can do more. More on that later.
GlassWire can provide a wealth of information. In this example, GlassWire’s Graph option is detailing the following for my selected period of 24 hours: a list of the programs that sent/received data over the network and a graph showing data volume and alerts. The box near the centre shows where I clicked on an alert to get details.
You can pause the scrolling chart; useful for short time intervals such as 5 Minutes. Clicking a program name will change the graph to only display traffic for that program. You can take a snapshot to have a permanent record.
The Usage option shows overall traffic volume, with columns for Apps, Hosts, and Traffic Type. Clicking on a program brings up details: where it is installed, version number, name of the publisher, hosts it has accessed, and more. Clicking on a host shows details of the traffic to/from that host, programs that have accessed it, and its IP address.
All of the above I found to be interesting. But, quite frankly, I am not about to have the GlassWire window open at all times so I can monitor network traffic!
One feature really interested me. When a program first accesses the network, GlassWire pops up a toast notification at the system tray. If you don’t recognize the program, you can investigate to find if it is a normal process or perhaps something malicious.
One problem is that toast notifications disappear after a few seconds so you might miss something important. The system tray icon for GlassWire is badged (numbers are added to the icon), so you can see if there are alerts you may have missed and you can go to GlassWire’s Alerts section to see them. It would be nice if GlassWire could optionally use the Windows 10 Action Centre to keep the alerts front and centre longer. Another option might be to make them available by right-clicking on the system tray icon.
Up to this point, I was still a bit iffy on the usefulness of the program. Alerts might help me find out if I have something malicious on my computer, albeit after the fact. As well, there are times I want to see details about my network traffic. But overall, I thought it required a bit too much of my attention.
Also, it did not fundamentally deal with the problem I mentioned before – the inability to always know if something should be allowed to access the network or not.
For example, GlassWire alerted that Touch User Mode Driver accessed the network for the first time. I never (knowingly) installed something called Touch User Mode Driver. I could Google for it and try to determine if this was something malicious. I had just plugged in my Wacom drawing tablet, so it was probably related to that. GlassWire does make it easier to see some of the details about the program. Clicking on the alert gave the name of the executable, version number, where it’s installed, and the publisher (Wacom Technology Corporation). So, it looked like it should be okay.
Then GlassWire added a killer feature: when programs first access the network, GlassWire can automatically check them at the Google-owned VirusTotal web site, which checks the program with a huge number of anti-malware programs. Try it yourself at http://virustotal.com.
The feature is off by default. To turn it on, click the GlassWire menu in the top left, Settings, then VirusTotal. As you can see in the example, the toast notification told me that Touch User Mode Driver accessed the network for the first time, was checked at VirusTotal, and 0 of 67 antimalware programs found a problem with it.
I may not know what Touch User Mode Driver is, but I’m not particularly worried because none of 67 antimalware programs found it malicious!
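The same first-seen triage can be done by hand. The following is an added example, not part of the original review and not GlassWire's code: a PowerShell sketch (Windows 8 or later, where Get-NetTCPConnection is available) that lists programs currently holding outbound TCP connections with the details the alert shows, plus a SHA-256 you can search for at VirusTotal. The baseline file name is an assumption of this sketch.

```powershell
# Added example: a point-in-time look at which programs are talking to the
# network, flagging executables not seen on earlier runs.
$baselinePath = Join-Path $env:LOCALAPPDATA 'net-first-seen.txt'  # hypothetical file
$known = @()
if (Test-Path $baselinePath) { $known = @(Get-Content $baselinePath) }

$report = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
    Group-Object OwningProcess |
    ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        # Path is empty for protected processes unless the shell is elevated.
        if (-not $proc -or -not $proc.Path) { return }

        $sig  = Get-AuthenticodeSignature -FilePath $proc.Path
        $hash = (Get-FileHash -Path $proc.Path -Algorithm SHA256).Hash

        [pscustomobject]@{
            FirstSeen = $hash -notin $known
            Program   = $proc.ProcessName
            Path      = $proc.Path
            Version   = (Get-Item $proc.Path).VersionInfo.FileVersion
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                        else { '(unsigned)' }
            Signature = $sig.Status        # anything other than Valid needs a look
            Remote    = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
            SHA256    = $hash
        }
    }

# Programs not in the baseline come first.
$report | Sort-Object FirstSeen -Descending |
    Format-Table FirstSeen, Program, Publisher, Signature, Remote -AutoSize

# Full details for the new ones; the SHA256 is what you search for at VirusTotal.
$report | Where-Object FirstSeen | Format-List Path, Version, SHA256

# Remember everything seen this run so only new programs are flagged next time.
@($known) + @($report.SHA256) | Where-Object { $_ } |
    Sort-Object -Unique | Set-Content $baselinePath
```

This only samples connections that are established at the moment it runs, so short-lived connections are missed; it is a manual spot check, not a replacement for continuous monitoring.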
One thing I would like to see changed: if even a single antimalware engine at VirusTotal thinks something GlassWire has uploaded is malware, I would like some kind of high-priority alert. As it is, these alerts are treated just like any other informational alert.
GlassWire is a freemium product. It installs as the full Elite product. After 7 days it goes into reduced functionality mode. All the features I have mentioned so far will remain for free. It is a great product even in this reduced functionality mode. But there are some nice additional features you get if you are willing to pay.
When a new program tries to access the network, you can have GlassWire ask you if it should be allowed or not. You can easily flip any program’s status between allowed and blocked. You can even put GlassWire in lock down mode, where all outbound traffic is blocked.
A mini-graph mode lets you have a small window open all the time showing activity. You can size it, set it to always on top, and adjust transparency of the window.
You can see what devices are on your network and be notified as devices join or leave. WiFi Evil Twin notifies you if a new access point shows up with your network name.
If you have limited bandwidth, you can have GlassWire warn you when approaching the limit.
Firewall profiles allow different settings in the program depending on your situation, such as home vs. public WiFi. Or perhaps for a special circumstance, you want to block all but one application.
There are many more alert types available such as while you were away, changes to DNS, suspicious hosts, and much more.
Prices for the premium version range from US$39 for one PC to US$99 for 10 PCs. Higher-priced versions also allow longer history retention.
As I was wrapping up my review I contacted GlassWire with a few questions. I had been using an older version of the product that did not start out with all premium features. They answered my questions and provided me with a complimentary Elite license that permitted me to test the features in the premium offerings. Thank you GlassWire.
Bottom Line:
GlassWire from SecureMix LLC: www.glasswire.com
Version reviewed: 2.0.105
Prices:
Free: (some features limited)
Basic: US$39 for one PC
Pro: US$69 for three PCs
Elite: US$99 for 10 PCs
Android version: free
System requirements: Windows 7/8.1/10, 1 GB RAM
Originally published: June 2018