Is Glasswire snakeoil?



It's Windows security software, so...

Glasswire is an egress layer 7 filter application for Windows. Like a “personal firewall”. It does a lot of things right, and it also logs traffic statistics for network security awareness on an endpoint. Check it out:

You get usage stats as well, for different time frames. You get alerts if applications change or if something “new” wants to connect to the internet. Optionally you can get a small Allow/Deny popup. The latter allows you to block certain telemetry services, for example.

And we all love telemetry in Windows applications, especially if they transmit personal data without encryption, regularly. It’s a bit obscure why Microsoft needs so many different telemetry applications on a single Windows host, isn’t it? Is that really all from Microsoft? Who knows…

Is that all?

Yes, kind of. One could argue that the free version is fine for the visibility aspects, but that the commercial versions are too expensive. For 50 bucks I get a full security suite from Snakeoil Inc… Which doesn’t work, but at least I feel better. As a user.

The software also promises that it detects the “Webcam/Mic” activity. It does not, when it comes to Malware. Because Malware does not need to use official interfaces, which you can monitor. Also the server monitoring feature is kind of useless, because it’s limited to Windows. Who uses Windows Server? Or no… who uses and monitors a Windows Server. No one.

It says it does AV...

GlassWire works with your antivirus scanner to check for viruses or malware. Did a “New” application just begin accessing the Internet and you don’t know what it is? Click the “scan” button

Ehhh… nice. But I cannot auto-block apps with a VirusTotal rating > 8? That would be a next-gen endpoint protection like feature. The prevention here is manual, and needs two steps. I need to check and I need to evaluate. Not good. It could at least perform the checks automatically. Like CrowdStrike CrowdInspect… if its VirusTotal API integration still worked.

But the VT API of CrowdInspect does not work for now. Too bad.
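What the automated "check and evaluate" step could look like, as an added example that is not GlassWire's or CrowdInspect's code. It assumes "rating" means the `malicious` count in a VirusTotal v3 file report's `last_analysis_stats`; the function names, the offline report cache and the sample data are hypothetical, and the `netsh` command is only returned, never executed.

```python
import hashlib

VT_THRESHOLD = 8  # the post's "VirusTotal rating > 8"


def malicious_count(report):
    """Engines flagging the file, or None if the report is missing or malformed."""
    try:
        return int(report["data"]["attributes"]["last_analysis_stats"]["malicious"])
    except (KeyError, TypeError, ValueError):
        return None


def decide(report, threshold=VT_THRESHOLD):
    """'block' above the threshold, otherwise 'ask' (keep the manual popup).

    A low or missing score never auto-allows: no detections is not a clean bill.
    """
    count = malicious_count(report)
    return "block" if count is not None and count > threshold else "ask"


def block_rule(program_path, sha256):
    """argv for an outbound Windows Firewall block rule; returned, not executed."""
    return ["netsh", "advfirewall", "firewall", "add", "rule",
            f"name=vt-block-{sha256[:12]}", "dir=out", "action=block",
            f"program={program_path}", "enable=yes"]


def evaluate(program_path, file_bytes, reports):
    """Hash the binary, look up its cached report, return (verdict, rule or None)."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    verdict = decide(reports.get(digest))
    return verdict, (block_rule(program_path, digest) if verdict == "block" else None)


# Constructed sample data: two stand-in binaries and a report cache keyed by SHA-256.
FLAGGED = b"constructed sample: flagged binary"
UNKNOWN = b"constructed sample: never-seen binary"
REPORTS = {hashlib.sha256(FLAGGED).hexdigest():
           {"data": {"attributes": {"last_analysis_stats": {"malicious": 11, "suspicious": 2}}}}}

if __name__ == "__main__":
    print(evaluate(r"C:\Users\demo\AppData\Local\Temp\updater.exe", FLAGGED, REPORTS))
    print(evaluate(r"C:\Program Files\Demo\demo.exe", UNKNOWN, REPORTS))
```

Anything at or below the threshold, and any file without a report, falls back to the manual Allow/Deny decision rather than being allowed automatically.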

Summary - nomen est omen

Glasswire is an innovator, which needs to take the next steps. Central management, automation and configuration management. Apart from automation, in regards to blocks, these are enterprise features.

I like the visibility aspects, because this supports security aware users; and not just security experts. The software is very ergonomic and does not block anyone from doing work. Or any Malware. That is a problem. Or an intention. Or both.

The layer 7 filtering can be bypassed, of course. But that doesn’t mean that Glasswire is snakeoil. Having control over egress traffic can be a justified privacy measure. And among all the threats I foresee for 2017, privacy issues are in the top 10. Tools, which create a false sense of security by promising automated features, which in reality do not work, are snakeoil. This one is not. It’s just too simple to be efficient for everyone. It’s not an alibi software, and simple to the core. You filter. Not Glasswire. Nomen est omen.