Outbound connections

Discussion in 'other firewalls' started by moredhelfinland, Sep 14, 2017.

  1. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    33
    Hello,
    How effective basic windows firewall is to block outbound connections? There are several ways to connect to internet by process injection etc. Does it block, for example, powershell script attempts or process injection techniques to get TCP out?
    -MF
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    First, don't expect a Firewall to be the main defense of your system, a FW shouldn't be the first to react to an infection, if it does it means your security strategy (AV, etc...) failed.
    As you mentioned if a malicious code injection was made in to a legit process, Windows Firewall (and most home users FW without IDS/IPS or some sort of packet analysis) won't see it and let the connection out.
    What 3rd party FWs do are outbound connections control, warning you about processes/programs going out via a prompt (Windows FW doesn't).
    I didn't use any 3rd Party FW since Win8, only using WinFW, making it block all outgoing connections by default then creating outbound-allowed rules on the fly if needed.
     
  3. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    33
    But it does not block injection TCP out connections? Much sophisticated malware uses several techniques to get a TCP/UDP connection outside.
    So if your security setup relies on the basic windows firewall driver and not on the dedicated one like some security systems do.
     
  4. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    All 3rd party firewalls use the Windows Filtering Platform, what most of them offer are the outbound controls that WinFW lacks.

    Home users will rarely encounter those sophisticated malware, however businesses do and they surely will use hardware FWs or IDS/IPS.
     
  5. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    33
    "Home users will rarely encounter those sophisticated malware"
    So I'm happy with basic WFP and not a third party firewall that uses its own firewall driver aka TDI to filter in/out traffic?
    ESET and Comodo are the only ones that do not rely on WFP, instead they use their own filter driver, which is good for the protection side.
     
  6. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    119

    ?... since Vista, ALL antivirus and GUI firewall use WFP ( Windows filtering platform ).
     
  7. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    33
    Never ever use firewall that uses WFP. Use a firewall software that does not rely on the WFP.
    Like famous firewall tests show, there are several ways to connect outside if using standard WFP.
    Eset, Comodo and ZA are the ones that use their own fw drivers, so hidden ICMP etc outgoing techniques are blocked.
     
  8. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    119

    " REDWOOD CITY, CALIF. - June 15, 2007 – Check Point® Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, today announced the availability of ZoneAlarm Internet Security Suite 7.1 for the Microsoft Windows Vista operating system. ZoneAlarm Antivirus and the free ZoneAlarm firewall were also made available today for Vista.

    Check Point is the first major security vendor to utilize the next generation Windows Filtering Platform application programming interface (API) for Microsoft Vista. This also marks the first time that ZoneAlarm’s exclusive Operating System Firewall protection has been made available for Microsoft Vista. By leveraging these and other leading technologies, ZoneAlarm Internet Security Suite delivers superior levels of protection and reliability. "


    https://forums.comodo.com/install-setup-configuration-help-cis-b137.0/-t45645.0.html

    " Does the Comodo Firewall use the windows filtering platform on vista and windows 7?

    Hi Dirks,
    Yes it does, from version 3.8 and higher. "


    Awake ?
     
    Last edited: Sep 20, 2017
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    Eset switched to the WFP (Windows Filtering Platform) driver with the release of their version 10, or version 9 products. I'm not sure which version it was when they switched (it was either 9, or 10), but they are using the WFP now.
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,323
    You surely have a lot of proofs for these statements?
     
  11. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    524
    Location:
    USA
    I think someone must still be running Windows XP. ;)
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,425
    HOW do you do it without alerts?
     
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    Only connections I deem necessary are allowed, so when I install a software, I check if it needs an internet connection or not for its job or updates, if yes, I create a rule for it.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,094
    Location:
    Canada
    You can also routinely scroll through Event Viewer Security logs and look for blocked connections (Event 5157) to see exactly what is trying to connect and how it's trying, including: direction, protocol, source and destination ports, and source and destination addresses. Example below is svchost.exe attempting an outbound connection to port 443 to Google. You can decide if it's necessary to allow it and create an appropriate rule(s) for it. I don't require this of svchost so I leave it be.

    Code:
    The Windows Filtering Platform has blocked a connection.
    
    Application Information:
        Process ID:        112
        Application Name:    \device\harddiskvolume1\windows\system32\svchost.exe
    
    Network Information:
        Direction:        Outbound
        Source Address:        192.168.1.70
        Source Port:        51088
        Destination Address:    172.217.3.174
        Destination Port:        443
        Protocol:        6
    Protocol 6 is TCP, 17 is UDP. If for example you were trying to update Chrome browser but it's being blocked, you could simply scroll the Security logs and you would find that %ProgramFiles% (x86)\Google\Update\GoogleUpdate.exe was being blocked. I created a rule to allow it to: TCP, Remote ports 80, 443, Remote address Any. Yes this is slower than a 3rd-party fw generating pop-ups for you but then you are using what's already built into Windows without the potential buggy and system crippling code added by the 3rd-party software.
     
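    The audit-then-allow workflow wat0114 describes above (block outbound by default, read the 5157 events, create a narrow allow rule), written out as an added PowerShell example that is not part of the thread. It assumes an elevated prompt on Windows 8/10/11 or Server 2012+ and the same GoogleUpdate.exe path and ports quoted in the post; the auditpol and rule commands change system state.

```powershell
# Added example (not from the thread): audit-driven outbound rule creation with WinFW.
# Assumes an elevated PowerShell on a Windows version with the NetSecurity module.

# 1. Make the firewall record blocked packets as Security event 5157
#    ("Filtering Platform Connection" failure auditing).
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# 2. Block outbound by default on all profiles, as Umbra describes earlier in the thread.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Summarise recent outbound 5157 blocks by application, destination port and
#    protocol, so each line can be judged individually instead of reading raw events.
#    Field names are parsed from the rendered message text shown in the post above.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 500 |
    Where-Object { $_.Message -match 'Direction:\s+Outbound' } |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time     = $_.TimeCreated
            App      = if ($m -match 'Application Name:\s+(\S+)') { $Matches[1] }
            DestAddr = if ($m -match 'Destination Address:\s+(\S+)') { $Matches[1] }
            DestPort = if ($m -match 'Destination Port:\s+(\d+)') { [int]$Matches[1] }
            # Protocol numbers as the post notes: 6 = TCP, 17 = UDP
            Proto    = if ($m -match 'Protocol:\s+(\d+)') { @{6='TCP';17='UDP'}[[int]$Matches[1]] }
        }
    } |
    Group-Object App, DestPort, Proto |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Allow only what was judged necessary. This is the GoogleUpdate rule from the post
#    (TCP 80/443, any remote address), scoped to the program path so no other
#    process inherits the permission.
New-NetFirewallRule -DisplayName 'Allow GoogleUpdate (TCP 80,443)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80,443 `
    -Program "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe"
```

    Re-run step 3 after adding a rule to confirm the blocks for that program stop while unrelated entries (such as the svchost.exe line in the post) remain.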
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Very simply, just use Windows Firewall Control. It will auto-block all apps/processes from making outbound connections and it will let you easily make rules for apps who truly need to connect out. Keep in mind that it's not a third party firewall but makes use of the Windows Firewall itself.

    https://www.binisoft.org/wfc.php
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,094
    Location:
    Canada
    Sure but it's still 3rd-party software. With no intent whatsoever on coming across as critical, the 20 Fixes in the past 5 months alone is, for me at least, cause for concern.
     
  17. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    817
    Windows has updates once per month at least with multiple fixes. How concerned does that make you?
    You should at least check the changelog and see what kind of fixes are being made and it would have been obvious that most are for usability.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,094
    Location:
    Canada
    Apples to oranges; One is an operating system containing massive quantities of code while the other is a program microscopic in comparison that runs on the O/S. At any rate my statement is just my take on what I see in the changelogs, and not an attack on the program itself.
     
  19. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,097
    Windows firewall allows some Windows services to bypass it, and due to some restrictions on applying firewall rules to services it is not possible to block them individually.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,094
    Location:
    Canada
    What are the services that bypass it?
     
  21. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    764
    If that's the case, then why does Comodo FW disable Windows FW? ....
     
  22. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    423
    Location:
    Italy
  23. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,425
    This may clarify the confusion because of the naming conventions.
    Windows Filtering platform (aka Base filtering engine BFE) is NOT the same thing as Windows Firewall which can be turned off or on.

    See this excellent picture
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa366509(v=vs.85).aspx
    and more details
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa363967(v=vs.85).aspx
     
  24. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,097
    All the ones that windows won't allow you to apply an SID to.
    You can block svchost instances but when they are also hosting services required for internet connectivity it defeats the purpose.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,094
    Location:
    Canada
    Using the Advanced Security settings, I'm having a hard time finding any one specific service I can't block outright or allow with specific parameters, and that includes all those spawned by svchost.exe as well as all others found under process explorer, but perhaps I'm missing something.
     