Can spyware bypass software firewalls?

Discussion in 'other firewalls' started by guysmilie, Apr 1, 2007.

Thread Status:
Not open for further replies.
  1. guysmilie

    guysmilie Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    8
    Ok. I know the best thing is not to allow your machine to become infected in the first place.

    BUT...If well written spyware was installed on a computer, can it easily bypass a well configured software firewall? I use an advanced ruleset with my software firewall to block all internet access to all ip's, then selectively allow access where needed, and only to/from specific ip's.

    However I am wondering if well written spyware can still bypass my firewall, perhaps by patching the kernel or something like that.

    Any input is appreciated,

    Guy.
     
  2. ASpace

    ASpace Guest

    Well, it depends on the firewall, but my experience with ZA shows YES, malware (trojan/spyware) can bypass a soft firewall.
     
  3. guysmilie

    guysmilie Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    8
    Can you tell me how this would be accomplished? Is there any way to detect/prevent this?

    Thanks for any advice you can offer,

    Guy.
     
  4. ASpace

    ASpace Guest

    Well, in a recent case, I remember, a trojan's DLL got injected into Windows Explorer. ZoneAlarm automatically (without asking) allows access to Windows Explorer. The trojan is free to work :) (this is a very simple example)

    It would be similar to spyware ;)
    That's why you need to rely on your firewall to protect you against hackers/intruders. You can't rely on a firewall to protect you from malicious code. That's why people have created antivirus/antispyware programs.
     
    Last edited by a moderator: Apr 1, 2007
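    The bypass described in the post above (a DLL running inside a process the firewall already trusts, such as Explorer) is invisible to a per-application rule, so a defender's check has to look inside the processes that actually hold the connections. The following PowerShell is an added example, not code from the thread or from ZoneAlarm: it lists established outbound TCP connections, resolves the owning process, and flags loaded modules whose Authenticode signature is not valid. It assumes Windows 8 or later (for the NetTCPIP module) and an elevated session whose bitness matches the OS.

```powershell
# Added example (not from the thread): find processes holding outbound
# connections and list loaded modules without a valid Authenticode signature,
# which is where an injected DLL riding an "allowed" process would show up.
# Run elevated, in a PowerShell of the same bitness as the OS, so that the
# module lists of other users' processes can be read.

# Loopback / unspecified addresses are not interesting here.
$localPattern = '^(127\.|::1$|0\.0\.0\.0$|::$)'

$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $localPattern }

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc) { continue }

    # Reading the module list fails for protected processes; report that as
    # "unknown" rather than silently treating the process as clean.
    try { $modules = $proc.Modules } catch { $modules = $null }
    if (-not $modules) {
        Write-Warning ("PID {0} ({1}) -> {2}:{3}: module list not readable" -f `
            $proc.Id, $proc.ProcessName, $c.RemoteAddress, $c.RemotePort)
        continue
    }

    # Any module that is not validly signed (catalog signatures are honoured
    # on modern Windows) is worth a second look.
    $suspect = foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if ($null -eq $sig -or $sig.Status -ne 'Valid') { $m.FileName }
    }

    if ($suspect) {
        "{0} (PID {1}) -> {2}:{3} has unsigned/invalid modules:" -f `
            $proc.ProcessName, $proc.Id, $c.RemoteAddress, $c.RemotePort
        $suspect | Sort-Object -Unique | ForEach-Object { "    $_" }
    }
}
```

Expect some noise from legitimately unsigned third-party DLLs, so take a baseline on a known-clean machine and compare against it rather than treating every hit as an infection.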
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Check out the numerous leaktests that are available. Malware can use these same techniques to get around firewalls.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Rustock.B
     
  7. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Nothing is 100% secure, so it can be possible, but it requires skills...
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Not on my machine it doesn't! I don't even allow Explorer to ask - I simply block access for it.

    However by default Explorer, along with other problematic apps, does have automatic permission, so it is a question of how you configure it. In general terms though, leapfrogging on the back of legit progs is a way malware might defeat a FW. Even if you expend a lot of time and energy creating expert rules, there is no guarantee they won't be beaten.

    This is why it may be better just to create basic access rules (of the type offered by SSM) and spend most effort in preventing malware from getting in and running on your system in the first place.
     
  9. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Paid versions of ZA stop this kind of leak since they contain HIPS through their OSFirewall, so ZA would be able to stop most if not all spyware from reaching out to the internet.
     
  10. guysmilie

    guysmilie Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    8
    Thanks all for the info. Just one thing.

    As I said in my original post I use the advanced rules in ZA pro to block access to all IPs then selectively allow access to/from trusted IPs. I think this would prevent malware from using programs/services that are allowed by default.

    But is there another, more advanced way, that well written spyware could bypass your firewall regardless of settings, by making changes to the windows kernel, altering the firewall files or some other way?

    If you want really good OUTBOUND protection and filtering what are some of the better methods of accomplishing this?

    Thanks for any and all input,

    Guy.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Outbound control is tricky:

    - Something running on your machine can have partial or full control of the kernel, which means you cannot ever be sure about any internal outbound control.
    - You may falsely assume the software is trusted.

    If something is allowed system-wide access then you should assume that you CANNOT control it and game over. This means you must TRUST that software before you allow it to run.

    Controlling outbound for unknown processes is simple - limited user, software restriction policies and such, namely disallowing unknown thingies to touch the heart of the OS.

    Outbound should be used:

    - To restrict processes that you trust and know what they do - yet do things you do not wish them to, but you still want to use the program; example: MS processes.
    - To monitor system behavior for the purpose of network utilization.

    It all comes down to one thing: not sure? do NOT click.

    Mrk
     
  12. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, guysmilie

    Ask TX Maxx and their so called Administrators. :eek:

    Take Care,
    TheQuest :cool:
     