Firewalls of today not loading their drivers fast enough?!

Discussion in 'other firewalls' started by Sm3K3R, Nov 24, 2013.

  1. rock_man

    rock_man Registered Member

    Joined:
    Feb 6, 2014
    Posts:
    55
    I've found enabling Windows Firewall with default deny and using Binisoft Windows Firewall Control with notifications (paid donation) is effective. This combination renders 3rd party firewalls unnecessary on my PCs.
     
  2. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    As Outpost Firewall has received version 9.1, I have installed it to check if anything has changed. This time on a machine with avast as antivirus.

    Same thing I am encountering with the latest Outpost as per thread.

    In Block All policy, connections are made very early at start up, prior to the Windows 7 desktop loading, in spite of the BLOCK ALL naming, as described with previous Outpost versions. In Block All policy no connectivity should happen at any moment.

    The strange thing is that when the Block Most (the blue one) policy is loaded, the connections logged by Wireshark on the gateway machine are made later in the boot process, so in Block Most the firewall is less permissive at start up; connections occur when the blue welcome screen shows, prior to desktop load.

    In Block All mode the connectivity occurs right after the Windows 7 flag on black background starts moving. In BLOCK ALL there should be NO connectivity whatsoever at any moment.

    The fact that DNS calls are made successfully is observable via the task bar connection icon as well, as those small little monitors show connectivity as valid until you try a browser and it fails to connect.

    For the people that read this for the first time, this is what I am doing; it's quite simple.

    Install the firewall on the real machine, finish the installation, start Wireshark on the gateway machine through which the traffic goes, then set the firewall in BLOCK ALL policy (black icon in taskbar; it should block ALL TRAFFIC), restart the PC, and watch the connections in the Wireshark window for the Outpost-based PC (while it is booting).
    Look at the same time at the visual of the Windows loading screen to compare this policy with the other policies to see when connectivity to the outside world occurs.
    I can do this as the gateway is practically an HTPC outputting to a TV and routing at the same time.
     
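The procedure Sm3K3R describes above (capture on the gateway while the firewalled PC reboots, then see when its first packets appear and what they are) can also be done offline on a saved capture instead of watching the Wireshark window live. The script below is an added example, not code from this thread or from any firewall vendor: it reads a classic pcap written on the gateway with tcpdump or dumpcap, decodes just enough of Ethernet, ARP, IPv4, UDP and TCP to label each packet, and returns, for the PC under test, when each kind of traffic was first seen relative to the start of the capture. The embedded capture is constructed for the demo and every address in it is made up; its contents (an ARP request, an IGMP report to 224.0.0.22, a DNS lookup of dns.msftncsi.com and a GET /ncsi.txt probe) mirror the kinds of boot-time traffic mentioned in the thread, and the helpers `_frame`, `_ipv4`, `_tcp` and `_pcap` exist only to build that sample.

```python
import socket
import struct

ETH_ARP, ETH_IP4, LINKTYPE_ETHERNET = 0x0806, 0x0800, 1


def read_pcap(data):
    """Parse a classic libpcap byte string into a list of (timestamp, frame)."""
    magic, = struct.unpack("<I", data[:4])
    if magic not in (0xA1B2C3D4, 0xA1B23C4D, 0xD4C3B2A1, 0x4D3CB2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # writer's byte order
    frac = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6  # ns vs us timestamps
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        sec, sub, incl, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        pkts.append((sec + sub / frac, data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return pkts


def classify(frame):
    """Return (src, dst, label); the label is just fine enough to name boot chatter."""
    if len(frame) < 14:
        return "?", "?", "short frame"
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_ARP and len(frame) >= 42:
        op, = struct.unpack("!H", frame[20:22])
        spa, tpa = socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42])
        return spa, tpa, "ARP request" if op == 1 else "ARP reply"
    if ethertype != ETH_IP4 or len(frame) < 34:
        return "?", "?", "ethertype 0x%04x" % ethertype
    ip = frame[14:]
    proto, src, dst = ip[9], socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    payload = ip[(ip[0] & 0x0F) * 4:]
    if proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        names = {53: "DNS", 67: "DHCP", 68: "DHCP", 137: "NBNS", 5355: "LLMNR"}
        return src, dst, names.get(dport, names.get(sport, "UDP/%d" % dport))
    if proto == 6 and len(payload) >= 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        body = payload[(off_flags >> 12) * 4:]
        if body.startswith(b"GET ") and 80 in (sport, dport):
            # First request line, e.g. the NCSI probe "GET /ncsi.txt HTTP/1.1"
            return src, dst, "HTTP " + body.split(b"\r\n", 1)[0].decode("ascii", "replace")
        if off_flags & 0x02 and not off_flags & 0x10:             # SYN without ACK
            return src, dst, "TCP SYN -> %d" % dport
        return src, dst, "TCP/%d" % dport
    return src, dst, {1: "ICMP", 2: "IGMP"}.get(proto, "IP proto %d" % proto)


def boot_timeline(pcap_bytes, host):
    """First-seen offset (s) of each kind of traffic *sent by* host, relative to the
    first packet in the capture; start capturing just before you reboot the PC."""
    pkts = read_pcap(pcap_bytes)
    first, t0 = {}, pkts[0][0] if pkts else 0.0
    for ts, frame in pkts:
        src, dst, label = classify(frame)
        if src == host and label not in first:
            first[label] = (round(ts - t0, 3), label, dst)
    return sorted(first.values())


# Constructed demo input: all addresses below are made up (NCSI is a TEST-NET address).
PC, GW, NCSI = "192.168.1.11", "192.168.1.1", "203.0.113.10"
PC_MAC, GW_MAC, BCAST = "001122334455", "66778899aabb", "ffffffffffff"


def _frame(src_mac, dst_mac, ethertype, payload):
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload


def _ipv4(src, dst, proto, payload):     # header checksum left 0: only our parser reads it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def _tcp(sport, dport, flags, body=b""):
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0) + body


def _pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


def sample_capture():
    """What a host in Block All might still emit while Windows boots, as a pcap."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP4, 6, 4, 1, bytes.fromhex(PC_MAC),
                      socket.inet_aton(PC), b"\0" * 6, socket.inet_aton(GW))
    igmp = struct.pack("!BBH4s", 0x22, 0, 0, b"\0" * 4)                 # IGMPv3 report
    dns = struct.pack("!HHHH", 51234, 53, 8 + 34, 0) + (b"\x12\x34\x01\x00\x00\x01\x00\x00"
          b"\x00\x00\x00\x00\x03dns\x08msftncsi\x03com\x00\x00\x01\x00\x01")
    get = _tcp(49152, 80, 0x18, b"GET /ncsi.txt HTTP/1.1\r\nHost: www.msftncsi.com\r\n\r\n")
    return _pcap([
        (1000.000, _frame(PC_MAC, BCAST, ETH_ARP, arp)),
        (1000.020, _frame(PC_MAC, GW_MAC, ETH_IP4, _ipv4(PC, "224.0.0.22", 2, igmp))),
        (1004.500, _frame(PC_MAC, GW_MAC, ETH_IP4, _ipv4(PC, GW, 17, dns))),
        (1004.700, _frame(PC_MAC, GW_MAC, ETH_IP4, _ipv4(PC, NCSI, 6, _tcp(49152, 80, 0x02)))),
        (1004.800, _frame(PC_MAC, GW_MAC, ETH_IP4, _ipv4(PC, NCSI, 6, get))),
    ])
```

On the gateway, `tcpdump -i <lan-interface> -w boot.pcap host 192.168.1.11` started just before the PC is rebooted gives the real input; `boot_timeline(open("boot.pcap", "rb").read(), "192.168.1.11")` then lists what left the host and when. With the firewall in Block All, anything at all from the host is the finding; the offsets let you line the packets up against the Windows boot screen (or the System event log times, as in the later post in this thread) so that NIC firmware or PXE traffic, the DHCP client and the firewall service's own startup can be told apart.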
  3. Seven64

    Seven64 Guest

    You have a valid concern. I sure would like an answer.
    Did so-called support ever give you one?

    It would be to the advantage (more sales, and trust) of Agnitum (Outpost Firewall) to have a representative responding to these forums, especially the "Outpost users forum".
     
  4. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    657
    Location:
    HKEY/SECURITY/ (value not set)
    I agree with the Original Poster "Sm3K3R"

    Outpost Firewall in Block All Policy should have blocked all traffic at Windows boot, local or wide area network.

    According to the Poster's test, the Microsoft Windows built-in firewall blocks all traffic at Windows boot.
    Also, according to the Poster's test, so does ZoneAlarm, except for PING and ARP within the Local Area Network.

    Although the contents of Post #4 by Member "kronckew" in regards to Outpost Firewall allowing the traffic at
    Windows boot [after] the Outpost Firewall rules allow the action, is correct, the explanation is nil!
    Block All means Block All!

    And finally, as stated in Post #33 by Member "kronckew" the consensus of the Moderators here at Wilders Security
    Forums is that in Outpost Firewall v8.1.2 there is no cause for concern over this issue.

    I also fully agree with the Moderators' consensus.

    Although Outpost Firewall loads a sandbox driver very early in the computer's startup preventing any exploits,
    BLOCK ALL MEANS BLOCK ALL.

    The administrator of any said network may have some administrative reason to Block All Traffic at any one client
    computer within the network. Outpost Firewall allowing network connections at Windows boot both LAN and WAN while
    in Block All Policy is a low level security breach.



    HKEY1952
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Perhaps, just perhaps, it is the firewalls themselves which use this msfncsi.com connection to see what exists, what changed, etc.
    This is an interesting reference:
    http://technet.microsoft.com/en-us/library/ee126135(WS.10).aspx
    The only way to test this idea is to totally uninstall the firewall in question and look at the traffic logs like Sm3K3R does, or maybe router logs (post #32). Because, here, this traffic happens after the firewall drivers load and initialize.
    Unless Sm3K3R already did this and reported it and I missed it in this thread. Or my thinking is all wrong.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Just a thought: a lot of current Ethernet cards have DHCP clients built into the firmware, for doing PXE installs, booting from network shares, that sort of thing. I don't know networking that well, but if you see network traffic from a PC before the OS brings up ethernet, my first guess would be that it's NIC firmware, doing its thing before the OS takes over.

    (OTOH, I would also expect that to happen only if the machine were set to attempt a network boot. So YMMV.)
     
  7. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    Get your hands on an old PC, put in 2 NICs, install something like openSUSE that has Wireshark in it and look at what happens at boot.

    Wireshark will show you what kind of traffic it is and you will identify it easily as the packets show up.

    What I've observed I've stated here as an "amateur" and it's subjective by all means as I am not a robot, but I think it's a good idea to never take vendors seriously and check for yourselves, if you want to of course,
    thus you can make the right decision in a world where marketing is more than the product by itself.

    From what I've observed, on an SSD everything in the Windows boot process happens much faster than with a normal HDD. So depending on the HDD boot-up speed you may have various results regarding what traffic you see.
     
  8. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    778
    Location:
    Headquarters - London & Field Offices -Worldwide
    Sm3K3R - What is the possibility of testing the firewall found in Kaspersky Internet Security? They have a free trial that can be used.

    An additional thought - A Dell computer was seen to partially start wherein the NIC was checking for a network call and this was in a computer that was set not to Wake on LAN.

    In any case thank you for all the work and enlightenment.
     
  9. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    "Get your hands on an old PC, put in 2 NICs, install something like openSUSE that has Wireshark in it and look at what happens at boot."


    Is openSUSE (Linux) your router? Is its firewall enabled?

    Buy a router. No problems with a French "box".
     
    Last edited: Nov 2, 2014
  10. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    778
    Location:
    Headquarters - London & Field Offices -Worldwide
    What was meant to be said was that Dell Desktop computer while off kept partially starting and stopping (long before the full BIOS loads) as if to check for any activity on the LAN.
     
  11. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I know this thread is a bit old, but when reading this thread about SphinxSoft's Windows 10 Firewall Control (which is separate from the Windows built-in firewall, but uses WFP/BFE for app/packet filtering), a post by @Brummelchen caught my attention.

    @Sm3K3R - If you have any free time to test, I would be curious if this statement is in fact correct, in that no traffic is allowed during the boot phase.
     
  12. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141
    Hi,


    - Log name: System
    Source: Microsoft-Windows-Kernel-General
    Date: 24/08/2015 08:00:27
    Description:
    The operating system started at system time 2015-08-24T06:00:27.359600000Z.

    - Log name: System
    Source: Microsoft-Windows-Dhcp-Client
    Date: 24/08/2015 08:00:54
    Description:
    The DHCPv4 client service has started

    - 08:00:56 Outpost Firewall Pro service started (version 9.1.4652.16323)
    - 08:01:00 Block OUT IGMP 192.168.1.11 224.0.0.22 Block IGMP
     