What's wrong with my kerio?
The Bryophyte
04-27-2005, 07:35 AM
I have used the free version of kerio personal firewall in the past and recently decided to reinstall it. Unfortunately, kerio seems to have a problem with just about everything I do and I can't figure out why. I loaded it with default options in "advanced" mode and I have told it to allow all of the connection attempts that it has alerted me to, but it insists on blocking almost all of my applications without any notifications.
When I look at the active connections, it even lists the applications that it is not allowing to connect. So far, the only way to get anything working is to completely disable the network security module, which makes it pretty much useless as a firewall....
I have tried reinstalling kerio, including regediting all of its keys out and removing any folder that it left behind. I'd really like to make this work and there is no reason I can see that it shouldn't. Anyone have ideas for me?
The Bryophyte
04-27-2005, 07:47 AM
I forgot to say...I'm running a fully updated install of windows xp pro.
theDot
04-27-2005, 10:50 AM
You said Windows is fully updated... are you running the Windows Firewall too?
Ice Czar
04-27-2005, 10:57 AM
Well, I run Personal Firewall 2; the latest is 4, and it's slightly different, I gather.
I'd do this:
Right-click the taskbar icon > Administration > Firewall tab > should be set to "ask me first" > Advanced > review the applications that have been blocked > either enable them or, in doubt, remove them altogether and write new rules as they occur.
The Bryophyte
04-27-2005, 04:07 PM
As far as the first response goes, I am not running the windows firewall.
In response to Ice Czar, my version of the firewall does not have the same options, but when I check the roughly analogous area it shows that the applications it's blocking are connected.
I tried to do a system restore since this is really pissing me off at this point but it errored out...just my luck. Any more suggestions? I feel very confident that I do not have any viruses because my drive scanned clean with kaspersky antivirus, mcafee 9, and the trend micro online scan.
Ice Czar
04-27-2005, 04:33 PM
Well, there are always rootkits :p
A rootkit will hide a virus from any scan.
[H]ardNews 2nd Edition Saturday April 16th
Rooting around Windows:
Rootkits in a Windows environment stealth more vicious code, like worms, viruses or spyware, and are becoming pretty common in the latter. If your scanner can't see it, it can't remove it. In all the excitement of patch day, many may have missed that Microsoft's Malicious Software Removal Tool (http://www.eweek.com/article2/0,1759,1785621,00.asp) has a new update for rootkits.
"It is the first time Redmond has added rootkit detection capabilities to the free Malicious Software Removal Tool, a move that underscores the increased prevalence of stealth rootkits on Windows machines.
In all, Toulouse said four child variants of the stealth rootkit will be detected. Hacker Defender (Win32/Hackdef) is a family of backdoor Trojans capable of creating, changing and hiding Windows system resources on a computer that it has infected."
Rooting the Finnish Way
F-Secure has a new beta rootkit detection tool that is free to use until May 1st, F-Secure BlackLight Beta (http://www.f-secure.com/blacklight/).
As well as specific freeware malware removal tools, including the popular F-Secure Anti-Virus for DOS.
"The rootkit itself doesn't typically cause deliberate damage. Its purpose is to hide software. But rootkits are used to hide malicious code. A virus, worm, backdoor or spyware program could remain active and undetected in a system for a long time if it uses a rootkit. The malware may remain undetected even if the computer is protected with state-of-the-art antivirus. And the antivirus can't remove something that it can't see. The threat from modern malware combined with rootkits is very similar to full stealth viruses that caused a lot of headache during the MS-DOS era. All this makes rootkits a significant threat."
Pro Rooting
Sysinternals RootkitRevealer (http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml) is another freeware rootkit tool that has a bit more advanced interface; it compares the highest level of the Windows API with the lowest level, the raw contents of a file system volume or Registry hive, and looks for discrepancies.
"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing will be seen."
That's not to say it is an infection, only that you haven't definitively ruled it out. (In fact, without a sniffer / IDS monitoring traffic from the box it's damn hard to ever be sure a box is clean, other than a fresh reformat; and then the first freeware app installed that doesn't have a comparative checksum with it brings it back into question. How's that for paranoid? :p )
A software conflict is still a more probable explanation, but I'm up to date on my Windows patches and haven't had any issues. I'd recommend going offline and reinstalling the firewall, then approving each app that wants access. I'd couple that with the freeware version of ProcessGuard (http://www.diamondcs.com.au/processguard/) at the same time
(with the current version you need to take it out of learning mode and then remove all the entries it's already learned). That will give you a clean slate to start from, and you get to approve each and every process, ideal for disrupting any infection, but then you need to have internet access at the same time from a different box to research those processes.
Firewall and antivirus issues are always suspicious since they are the favored targets of malware. Generally, though, they just mask activity, but poorly coded malware could mess up the firewall while it's trying to do that, tipping its hand.
Also, these might help:
http://www.dslreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW
http://www.dslreports.com/forum/remark,8023708~mode=flat
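The cross-view technique RootkitRevealer is described as using above (high-level API listing versus raw volume contents) reduces to a diff with two classes of expected noise. The following is an added example, not Sysinternals code and not from anyone in this thread: both "views" are constructed dictionaries standing in for the API scan and the raw-volume scan, the NTFS metadata whitelist is an assumption of the example, and the file names are made up for illustration.

```python
"""Cross-view rootkit detection, simulated offline.

A persistent rootkit hooks the Windows API so that directory listings
omit its files. Reading the raw volume bypasses those hooks, so a file
present in the raw view but missing from the API view is suspicious.
Both views below are constructed sample data (path -> size in bytes),
not real scans.
"""
from dataclasses import dataclass
from typing import Dict, List

# NTFS metadata files are visible in a raw volume walk but are never
# returned by the Win32 directory API, so a cross-view scanner must
# whitelist them or every clean volume produces findings. Assumed list.
NTFS_METADATA = {
    "$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef",
    "$Bitmap", "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend",
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # hidden_from_api | size_mismatch | api_only
    detail: str


def is_ntfs_metadata(path: str) -> bool:
    """True when the final path component is a known NTFS system file."""
    return path.rsplit("\\", 1)[-1] in NTFS_METADATA


def cross_view_diff(api_view: Dict[str, int],
                    raw_view: Dict[str, int]) -> List[Finding]:
    """Compare the API-level listing with the raw-volume listing.

    hidden_from_api: on disk, absent from the API view (classic rootkit).
    size_mismatch:   both views see it but the API reports a different
                     size, i.e. something is filtering reads of the file.
    api_only:        listed by the API but not on disk; almost always a
                     file created/deleted between the two passes. Rescan
                     before treating it as malicious.
    """
    findings: List[Finding] = []
    for path, raw_size in raw_view.items():
        if path not in api_view:
            if is_ntfs_metadata(path):
                continue  # expected discrepancy, not a rootkit
            findings.append(Finding(
                path, "hidden_from_api",
                f"on disk ({raw_size} bytes) but absent from API listing"))
        elif api_view[path] != raw_size:
            findings.append(Finding(
                path, "size_mismatch",
                f"API reports {api_view[path]} bytes, raw read sees {raw_size}"))
    for path in api_view:
        if path not in raw_view:
            findings.append(Finding(
                path, "api_only",
                "listed by API but not on disk; likely transient, rescan"))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample views. The .sys name is invented for the example.
CONSTRUCTED_API_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": 983040,
    r"C:\WINDOWS\system32\drivers\etc\hosts": 734,
    r"C:\WINDOWS\temp\scan.tmp": 0,          # created during the scan
}
CONSTRUCTED_RAW_VIEW = {
    r"C:\$MFT": 65536,                          # NTFS metadata, whitelisted
    r"C:\WINDOWS\system32\kernel32.dll": 983040,
    r"C:\WINDOWS\system32\drivers\etc\hosts": 812,   # filtered on read
    r"C:\WINDOWS\system32\drivers\hidden_svc.sys": 24576,  # hidden by hook
}


def demo() -> List[Finding]:
    """Run the diff over the constructed views."""
    return cross_view_diff(CONSTRUCTED_API_VIEW, CONSTRUCTED_RAW_VIEW)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:16} {f.path}: {f.detail}")
```

The whitelist and the "api_only" class are the two places a real scanner earns its keep: without the first, every NTFS volume looks infected; without the second, any file written while the scan runs becomes a false positive, which is exactly the caveat Sysinternals documents for RootkitRevealer.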
The Bryophyte
04-28-2005, 04:16 PM
I loaded up process guard and it did not show me anything suspicious at all. I also ran the f-secure rootkit tool and came up empty. I think I might just give up on kerio, though it really bugs me that I can't figure this out.
Ice Czar
04-28-2005, 04:35 PM
Yeah, certainly sounds like a software conflict with something,
and those are a bear when you're reduced to a process of elimination.
Adding and removing programs in an effort to find what it is can scramble the registry up, what with left-over DLLs and apps not fully uninstalling; it can often hash up an install and make matters worse instead of better (DLL hell (http://www.ssw.com.au/SSW/Database/DLLHell.aspx)).
At which point, unless you're Ranma_Sao or another OS guru, you give up and start over.
It's strange the restore didn't work
(that's also what made me a bit suspicious).
The Bryophyte
04-30-2005, 09:37 AM
I win! I win, goddamnit! I downloaded and ran "regsupreme" and it de-screwed whatever registry entry was creating my problem.
Ice Czar
04-30-2005, 01:33 PM
Congrats and a virtual beer for The Bryophyte :D