Hello, how effective is the basic Windows Firewall at blocking outbound connections? There are several ways to connect to the internet by process injection etc. Does it block, for example, PowerShell script attempts or process injection techniques to get TCP out? -MF
First, don't expect a firewall to be the main defense of your system; a FW shouldn't be the first to react to an infection, and if it does, it means your security strategy (AV, etc.) failed. As you mentioned, if malicious code was injected into a legit process, Windows Firewall (and most home-user FWs without IDS/IPS or some sort of packet analysis) won't see it and will let the connection out. What 3rd-party FWs do is outbound connection control, warning you about processes/programs going out via a prompt (Windows FW doesn't). I haven't used any 3rd-party FW since Win8, only WinFW, making it block all outgoing connections by default and then creating outbound-allow rules on the fly if needed.
But it does not block injected TCP out connections? Much sophisticated malware uses several techniques to get a TCP/UDP connection outside. So if your security setup relies on the basic Windows firewall driver and not on a dedicated one like some security systems do.
All 3rd-party firewalls use the Windows Filtering Platform; what most of them offer are the outbound controls that WinFW lacks. Home users will rarely encounter such sophisticated malware; however, businesses do, and they will surely use hardware FWs or IDS/IPS.
"Home users will rarely encounter those sophisticated malware" So I'm happy with basic WFP and not a third-party firewall that uses its own firewall driver (aka TDI) to filter in/out traffic? ESET and Comodo are the only ones that do not rely on WFP; instead they use their own filter driver, which is good for the protection side.
Never ever use a firewall that uses WFP. Use firewall software that does not rely on the WFP. As the famous firewall tests show, there are several ways to connect outside if using standard WFP. ESET, Comodo and ZA are the ones that use their own FW drivers, so techniques like hidden ICMP outgoing etc. are blocked.
"REDWOOD CITY, CALIF. - June 15, 2007 – Check Point® Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, today announced the availability of ZoneAlarm Internet Security Suite 7.1 for the Microsoft Windows Vista operating system. ZoneAlarm Antivirus and the free ZoneAlarm firewall were also made available today for Vista. Check Point is the first major security vendor to utilize the next generation Windows Filtering Platform application programming interface (API) for Microsoft Vista. This also marks the first time that ZoneAlarm's exclusive Operating System Firewall protection has been made available for Microsoft Vista. By leveraging these and other leading technologies, ZoneAlarm Internet Security Suite delivers superior levels of protection and reliability."

https://forums.comodo.com/install-setup-configuration-help-cis-b137.0/-t45645.0.html
"Does the Comodo Firewall use the Windows Filtering Platform on Vista and Windows 7?"
"Hi Dirks, Yes it does, from version 3.8 and higher."

Awake?
ESET switched to the WFP (Windows Filtering Platform) driver with the release of their version 10 or version 9 products. I'm not sure which version it was when they switched (it was either 9 or 10), but they are using the WFP now.
Only connections I deem necessary are allowed, so when I install software, I check whether it needs an internet connection for its job or for updates; if yes, I create a rule for it.
You can also routinely scroll through the Event Viewer Security log and look for blocked connections (Event 5157) to see exactly what is trying to connect and how it's trying, including: direction, protocol, source and destination ports, and source and destination addresses. The example below is svchost.exe attempting an outbound connection to port 443 at Google. You can decide if it's necessary to allow it and create an appropriate rule (or rules) for it. I don't require this of svchost so I leave it be.

Code:
    The Windows Filtering Platform has blocked a connection.
    Application Information:
        Process ID: 112
        Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
    Network Information:
        Direction: Outbound
        Source Address: 192.168.1.70
        Source Port: 51088
        Destination Address: 172.217.3.174
        Destination Port: 443
        Protocol: 6

Protocol 6 is TCP, 17 is UDP. If, for example, you were trying to update the Chrome browser but it was being blocked, you could simply scroll the Security log and you would find that %ProgramFiles(x86)%\Google\Update\GoogleUpdate.exe was being blocked. I created a rule to allow it: TCP, remote ports 80 and 443, remote address Any. Yes, this is slower than a 3rd-party FW generating pop-ups for you, but then you are using what's already built into Windows without the potentially buggy and system-crippling code added by 3rd-party software.
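The log review described in this post, scripted (an added example, not code from anyone in the thread): it pulls event 5157 from the Security log, keeps only the outbound blocks, and groups them by executable and destination so you can see what needs a rule. It assumes failure auditing for the "Filtering Platform Connection" subcategory is enabled (that is what writes 5157) and an elevated prompt; the GoogleUpdate.exe path and the default-outbound-block setting in the trailing comments are the ones this thread talks about.

```powershell
# Added example, not from the thread: summarise outbound connections Windows Firewall blocked
# (Security log, event 5157) so you can decide which executables deserve an allow rule.
# Assumes failure auditing for "Filtering Platform Connection" is on, e.g.:
#   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
# Run from an elevated PowerShell prompt; reading the Security log needs administrator rights.
param(
    [int]$Hours = 24,   # how far back to look
    [int]$Top   = 20    # how many (application, protocol, destination) groups to show
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# IANA protocol numbers as they appear in the Protocol field (6 = TCP, 17 = UDP, as the post notes).
$protoNames = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP'; '58' = 'ICMPv6' }

$rows = foreach ($e in $events) {
    # The XML view exposes every EventData field by name; the rendered message is harder to parse.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Direction is stored as a resource id: %%14593 = Outbound, %%14592 = Inbound.
    if ($d['Direction'] -ne '%%14593') { continue }

    $p     = $d['Protocol']
    $proto = if ($protoNames.ContainsKey($p)) { $protoNames[$p] } else { $p }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Application = $d['Application']
        Protocol    = $proto
        Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
    }
}

# One line per executable/protocol/destination, most frequent first, so a chatty process
# such as svchost.exe does not bury the one you are actually looking for.
$rows |
    Group-Object Application, Protocol, Destination |
    Sort-Object Count -Descending |
    Select-Object -First $Top Count,
        @{ n = 'Application'; e = { $_.Group[0].Application } },
        @{ n = 'Protocol';    e = { $_.Group[0].Protocol } },
        @{ n = 'Destination'; e = { $_.Group[0].Destination } } |
    Format-Table -AutoSize

# The two settings the thread describes, for reference (deny outbound by default, then allow per program):
#   Set-NetFirewallProfile -All -DefaultOutboundAction Block
#   New-NetFirewallRule -DisplayName 'Allow GoogleUpdate' -Direction Outbound -Action Allow `
#       -Program "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe" -Protocol TCP -RemotePort 80,443
```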
Very simply, just use Windows Firewall Control. It will auto-block all apps/processes from making outbound connections, and it will let you easily make rules for apps that truly need to connect out. Keep in mind that it's not a third-party firewall but makes use of the Windows Firewall itself. https://www.binisoft.org/wfc.php
Sure, but it's still 3rd-party software. With no intent whatsoever of coming across as critical, the 20 fixes in the past 5 months alone are, for me at least, cause for concern.
Apples to oranges: one is an operating system containing massive quantities of code, while the other is a program microscopic in comparison that runs on the OS. At any rate, my statement is just my take on what I see in the changelogs, and not an attack on the program itself.
Windows Firewall allows some Windows services to bypass it, and due to some restrictions on applying firewall rules to services, it is not possible to block them individually.
Now I think it doesn't https://forums.comodo.com/news-anno...6-released-t120847.0.html;msg867880#msg867880 Reply #25
This may clarify the confusion caused by the naming conventions. The Windows Filtering Platform (aka the Base Filtering Engine, BFE) is NOT the same thing as Windows Firewall, which can be turned off or on. See this excellent picture https://msdn.microsoft.com/en-us/library/windows/desktop/aa366509(v=vs.85).aspx and more details https://msdn.microsoft.com/en-us/library/windows/desktop/aa363967(v=vs.85).aspx
All the ones that Windows won't allow you to apply an SID to. You can block svchost instances, but when they are also hosting services required for internet connectivity, it defeats the purpose.
Using the Advanced Security settings, I'm having a hard time finding any one specific service I can't block outright or allow with specific parameters, and that includes all those spawned by svchost.exe as well as all others found under Process Explorer, but perhaps I'm missing something.
The settings you're talking about will appear to let you create service-specific rules, but they won't actually do anything unless the service has an SID set to restricted or unrestricted. Many have their SID set to none. Read the discussion I had about this with the developer of Windows Firewall Control here. Then scroll down the same page to the post by syrinx. Those posts contain very important info for anyone using Windows Firewall.
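A check for the problem described in this post (an added example, not code from the thread or from Windows Firewall Control): it lists every enabled Windows Firewall rule that is scoped to a specific service and looks up that service's SID type with sc.exe qsidtype, so rules bound to a service whose SID type is NONE stand out as unenforceable. It assumes an elevated prompt and the SERVICE_SID_TYPE line that sc.exe prints.

```powershell
# Added example, not from the thread: find enabled firewall rules scoped to a service whose
# SID type is NONE. WFP matches service-scoped rules on the service SID, so a service without
# one is indistinguishable from its host process (usually svchost.exe) and the rule never fires.
# Assumes sc.exe qsidtype output of the form "SERVICE_SID_TYPE:  NONE|RESTRICTED|UNRESTRICTED".
# Run from an elevated PowerShell prompt.

$sidTypeCache = @{}
function Get-ServiceSidType([string]$Name) {
    if (-not $sidTypeCache.ContainsKey($Name)) {
        $type = 'UNKNOWN'                       # e.g. the service is not installed on this host
        foreach ($line in (& sc.exe qsidtype $Name 2>&1)) {
            if ($line -match 'SERVICE_SID_TYPE:\s*(\S+)') { $type = $Matches[1]; break }
        }
        $sidTypeCache[$Name] = $type
    }
    $sidTypeCache[$Name]
}

$report = foreach ($rule in (Get-NetFirewallRule | Where-Object Enabled -eq 'True')) {
    $svc = ($rule | Get-NetFirewallServiceFilter).Service
    # 'Any' (or empty) means the rule is not service-scoped; '*' means "any service", no single SID to check.
    if ([string]::IsNullOrEmpty($svc) -or $svc -eq 'Any' -or $svc -eq '*') { continue }
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Direction = $rule.Direction
        Action    = $rule.Action
        Service   = $svc
        SidType   = Get-ServiceSidType $svc
    }
}

# Rules whose SidType is NONE are the ones the post above warns about: they look valid in the
# Advanced Security console but filter nothing. The rest are listed too, for comparison.
$report | Sort-Object SidType, Rule | Format-Table -AutoSize
Write-Host ('{0} service-scoped rule(s), {1} of them on services with SID type NONE' -f `
    @($report).Count, @($report | Where-Object SidType -eq 'NONE').Count)
```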