Why are there no open source firewall/HIPS programs for Windows?

Discussion in 'privacy technology' started by DavidXanatos, Jun 15, 2018.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Why are there no open source firewall/HIPS programs for Windows?

    In other categories of commonly used software there seem to always be at least some open source alternatives, so why can't I find any open source firewall and/or HIPS for Windows?
    Wouldn't that be something the world needs?
     
  2. guest

    guest Guest

    HIPS are a thing of the past; they are almost all dead: too complicated to use and maintain, and they afford no real security benefit compared to other mechanisms unless you know Windows very well and set them up properly.
    For example, behavior blockers have more success because they minimize user interaction and so the risk of errors. That is why you find them in popular products (Emsisoft, Avast, Bitdefender, etc.); even Kaspersky's HIPS is tamed down and almost looks like a BB. Comodo's is even put in "sleep mode" by default while its BB and auto-sandbox do all the work.

    Average Joe just wants to use his computer while enjoying "silent-do-it-all-and-stop-everything" security.
     
  3. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Yeah, I know HIPS is not for everyone, but the other question still remains: why is there no open source firewall for Windows?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Windows Firewall is pretty good. As long as you're going to use Windows, what would you gain by using an open-source firewall?
     
  5. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Being able to block Microsoft, which is on default allow in WF?
     
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Windows Firewall (as it comes out of the box) only filters incoming communication; for that one can use a firewall on the router just as well.
    What I expect from a firewall is to manage outgoing connections on a per-process basis. Blocking port 80 or 443 on my router or in Windows Firewall is not a good option, as then you can no longer browse the web, but these are the ports all that cloud ware uses to call back to the mothership.
    I can set up Windows to just block outgoing connections unless allowed by a rule, but that is not very user friendly; it only becomes usable through 3rd party tools like Windows Firewall Control.

    Given how much applications nowadays try to call back to the mothership, a good application firewall becomes a necessity for any privacy conscious person.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The problem with behavior blocking is that it is conditioned upon reputational status. Current malware developers are increasingly using trusted Windows system processes in a malicious manner. Likewise, BBs are ineffective against exploits.
     
  8. guest

    guest Guest

    Just for clarity's sake, BBs aren't anti-exploit; they are a post-exploitation mechanism (they aren't supposed to prevent the exploit itself, despite what various marketing people say, but what the exploited process will try to do).
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, 10 years ago you had a lot of these tools for geeks, but you don't see them anymore because now almost all AVs have implemented behavior blockers and firewalls.

    http://www.matousec.com/projects/proactive-security-challenge/product-list.php

    Correct, and does the BB in EAM make decisions for the users? That's not really clear to me.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    In the earlier versions, it did not. According to their published documentation, the most recent versions now do automatic blocking.
     
  11. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Well, what I like is manual control; also, the question at hand is why there were never open source products of this sort.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here's one: http://www.ossec.net/
     
    Last edited: Jun 16, 2018
  13. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Is that an application firewall for Windows? The agent component asks for a server, and there is a server component only for Linux.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I suspect you can no longer find what you want, either paid or open source.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    GitHub site is here: https://github.com/ossec/ossec-hids

    Documentation is here: http://www.ossec.net/docs/
    Unfortunately, it appears it has "gone the way" other third party HIPS solutions went. That is, they "threw in the towel" when Microsoft introduced x64 kernel patch protection.
     
  16. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    Security software is almost exclusively proprietary software. Why? I suppose it's in the nature of the business itself: security, secrecy, the usual mumbo-jumbo.
    There's pfSense. Not exactly what you asked for, but somewhat close.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    If you're up for it, you can run a pfSense VM in Windows, and have all traffic go through it. You bridge the pfSense WAN adapter to the Windows host physical adapter. You attach the pfSense LAN adapter to a host-only virtual adapter in Windows. You configure whatever rules you want in pfSense. You can also add various network security packages. And as I recall, you can also disable the LAN interface in Windows, without affecting the pfSense bridge. Also, you can configure the LAN DHCP server so that Windows itself can't get an IP address.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Huh? I'm pretty sure that Windows Firewall can also block outgoing traffic. At least, I've done that in Windows 7.
     
  19. guest

    guest Guest

    At the beginning EAM was set to Alert Mode by default, which resulted in more prompts (which, as a side effect, resulted in a "lower" score in test labs because of the so-called "user interaction" orange bar), so people complained... Alert is the best mode to me.
    Then the BB was enhanced and Emsisoft decided to set it to automatic decision, so no prompts, no more orange bar in tests, but more "red"; and so people still complain...
     
  20. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    226
    I use the free version of Windows 10 Firewall Control by Sphinx Soft, but it's not open source.
     
  21. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    That is exactly _NOT_ what I want.

    Defining network based rules is useless if you want to keep all applications from using http/https _except_ your web browser.

    All filtering on the network can only block by port or IP address (or by deep packet inspection), but what I want, what I need, is something that allows me to block based on which process is trying to communicate.
    My web browser going to micro$hit.com is perfectly fine (as long as it's not Edge), but for example search_ui.exe accessing anything on the web, especially micro$hit.com, must be blocked.

    Currently I'm using WFC; I even got the premium version, but now I read the developer sold himself to Malwarebytes, so the software may stop being developed. Hence my inquiry if there is something open source with similar functionality.
    I know WFC is not even a proper firewall, it's just a helper tool to use the Windows built-in firewall, but that seemed to work well enough.

    Of course real malware will just inject a DLL into my Firefox or something like this, so an application firewall is not a proper protection against malicious software anyway.

    But it's a great protection against all this cloud **** and **** cr4p. Unfortunately there is nowadays too much software out there that you need to use which is not malicious, yet still exhibits some malware behavior by trying to communicate with its makers and does not offer you an option to disable that unwanted behavior.

    Hence the need for an application based firewall.
     
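Added example (not code from the thread, from WFC, or from any other tool named in it): the per-process outbound control David asks for in posts 6 and 21, done directly on the built-in Windows Firewall with the NetSecurity cmdlets that WFC-style front ends drive underneath. It flips the default outbound action to Block, allows one browser to ports 80/443 by program path, adds an explicit Block rule for one program, and then lists which programs still hold outbound Allow rules. The firefox.exe and SearchUI.exe paths and the rule group name are assumptions for illustration, and a Windows 10 system with an elevated PowerShell prompt is assumed.

```powershell
# Added example, not from the thread: default-deny outbound with per-program allow rules
# on the built-in Windows Firewall (NetSecurity module). Run from an elevated prompt.
#Requires -RunAsAdministrator

$Group   = 'Per-process outbound (example)'                                          # rule group, so the example can be removed as a unit
$Browser = 'C:\Program Files\Mozilla Firefox\firefox.exe'                            # assumed install path
$Blocked = 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe'  # assumed path of the process to be cut off

# 1. Record the current default actions before changing anything.
Get-NetFirewallProfile |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Switch all three profiles to default-deny outbound. Inbound is left as it was.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Allow the browser, and only the browser, to reach the web ports on any profile.
New-NetFirewallRule -Group $Group -DisplayName 'Allow Firefox HTTP/HTTPS out' `
    -Direction Outbound -Action Allow -Program $Browser `
    -Protocol TCP -RemotePort 80,443 -Profile Any -Enabled True

# 4. Explicit Block for one process. Redundant under default-deny, but in Windows
#    Firewall a Block rule wins over any Allow rule, so this stays in force even if
#    a broad allow rule is added later or the default is flipped back to Allow.
New-NetFirewallRule -Group $Group -DisplayName 'Block SearchUI out' `
    -Direction Outbound -Action Block -Program $Blocked -Profile Any -Enabled True

# 5. Verify what the example created.
Get-NetFirewallRule -Group $Group |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize

# 6. Audit: which programs still have enabled outbound Allow rules? Default-deny does not
#    disable existing rules, so built-in groups such as 'Core Networking' (DNS and DHCP
#    for svchost.exe among them) keep working; anything else listed here is what to review.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Group   = $_.DisplayGroup
            Program = $app.Program      # 'Any' means the rule is not tied to a program
        }
    } |
    Sort-Object Program |
    Format-Table -AutoSize

# Roll back everything this example added:
# Remove-NetFirewallRule -Group $Group
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
```

Two caveats a practitioner will hit. Packaged (Store/AppContainer) apps are matched by package SID, not by executable path, so for those the rule is written with New-NetFirewallRule's -Package parameter rather than -Program; a path-based rule for such a process may silently never match. And, as post 21 already notes, a per-process rule only restricts which image owns the socket: code injected into an allowed browser inherits its allow rule, so this is a control for chatty legitimate software, not a malware boundary.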
  22. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    456
    Location:
    England
    "With similar functionality to WFC" there is also Simplewall although it is not open source.

    It doesn`t answer your main question but may be something to consider, as I did when I moved away from paid WFC, if you at least want outbound control

    It is NOT a front end for Windows Firewall, it is standalone - although it does use the filtering platform of windows

    (I physically removed the windows firewall so Simplewall certainly does not rely on it`s presence)
     
  23. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I suspect that one of the main reasons is mandatory driver signing. In order to build an open source security application (e.g. a firewall or HIPS) you need a driver to be able to interact with the processes that are running on a Windows system. And that driver must be signed with a certificate that costs a lot of money for an open source project. And thus nobody has any incentive to start such a project.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, so when EAM thinks it's malware, it will auto-block the post execution behavior. The reason why I ask, is because behavior blockers should always auto-block and never let the user make the decision. HIPS on the other hand will alert about all monitored behavior and are geared to expert users who need full control. I believe Kaspersky still offers a user controlled HIPS.

    Good point; on Win XP you didn't have to sign drivers, which is why the rootkit problem was so big.
     
  25. guest

    guest Guest

    Yes.
    Exactly.
     