Can spyware bypass software firewalls?

Ok. I know the best thing is not to allow your machine to become infected in the first place.

BUT...If well written spyware was installed on a computer, can it easily bypass a well configured software firewall? I use an advanced ruleset with my software firewall to block all internet access to all ip's, then selectively allow access where needed, and only to/from specific ip's.

However I am wondering if well written spyware can still bypass my firewall, perhaps by patching the kernel or something like that.

Any input is appreciated,

Guy.

 

Well , it depends on the firewall but my experience with ZA shows YES , malware (trojan/spyware) can bypass soft firewall

 

Can you tell me how this would be accomplished? Is there anyway to detect/prevent this?

Thanks for any advice you can offer,

Guy.

 

Well , in a recent case , I remember , a trojan's DLL got injected into Windows Explorer . ZoneAlarm automatically (without asking) allows access to Windows Explorer . The trojan is free to work (this is very simple example)

It would be similar to spyware
That's why you need to rely on your firewall to protect you against hackers/intruders . You can't rely on firewall to protect your from malicious code . That's why people have created antivirus/antispyware programs

 

Check out the numerous leaktests that are available. Malware can use these same techniques to get around firewalls.

 

Rustock.B

 

Nothing is 100% secure, so it can be possible, but require skills...

 

Not on my mahine it doesn't! I don't even allow Explorer to ask - I simply block access for it.

However by default Explorer, along with other problematic apps, does have automatic permission, so it is a question of how you configure it. In general terms though, leapfrogging on the back of legit progs is a way malware might defeat a FW. Even if you expend a lot of time and energy creating expert rules, there is no guarantee they won't be beaten.

This is why it may be better just to create basic access rules (of the type offered by SSM) and spend most effort in preventing malware from getting in and running on your ststem in the first place.

 

Paid versions of ZA stops this kind of leaks since they contain HIPS through their OSFirewall so ZA would be able to stop most if not all spyware from reaching out to the internet.

 

Thanks all for the info. Just one thing.

As I said in my original post I use the advanced rules in ZA pro to block access to all IPs then selectively allow access to/from trusted IPs. I think this would prevent malware from using programs/services that are allowed by default.

But is there another, more advanced way, that well written spyware could bypass your firewall regardless of settings, by making changes to the windows kernel, altering the firewall files or some other way?

If you want really good OUTBOUND protection and filtering what are some of the better methods of accomplishing this?

Thanks for any and all input,

Guy.

 

Hello,

Outbound control is tricky:

- Something running on your machine can have partial or full control of the kernel, which means you cannot ever be sure about any internal outbound control.
- You may falsely assume the software is trusted.

If something is allowed system-wide access then you should assume that you CANNOT control it and game over. This means you must TRUST that software before you allow it to run.

Controlling outbound for unknown processes is simple - limited user, software restriction policies and such, namely disallowing unknown thingies to touch the heart of the OS.

Outbound should be used:

-To restrict process that you trust and know what they do - yet you do not wish to do but still want to use the program; example MS processes.
- To monitor system behavior for the purpose of network utilization.

It all comes down to one thing: not sure? do NOT click.

Mrk

 

Hi, guysmilie

Ask TX Maxx and their so called Administrators.

Take Care,
TheQuest