Quick firewall/malware browser launching question

Discussion in 'malware problems & news' started by pwr, Dec 2, 2008.

Thread Status: Not open for further replies.
  1. pwr, Registered Member (Joined: Dec 1, 2006; Posts: 70)

    Hello guise,

    Just a quick question:

    (Let's assume we have IE with several tabs open, and that the only security software we have installed is a good firewall.)

    What would stop malware from using the browser to transmit data? Would one's firewall always pop up with a message similar to: "unknown process is attempting to launch Internet Exploder?". I don't really want to find out the hard way lol =)

    I'm asking this as I am trying to explain the operation of a typical firewall to my dad.

    Thanks in advance for any replies =)
     
  2. Mrkvonic, Linux Systems Expert (Joined: May 9, 2005; Posts: 8,696)

    This is assuming you have malware installed on your machine, yes?
    Mrk
     
  3. pwr, Registered Member (Joined: Dec 1, 2006; Posts: 70)

    Yes, but it is a hypothetical question.
     
  4. noone_particular, Registered Member (Joined: Aug 8, 2008; Posts: 3,798)

    It depends on what kind of firewall is involved, whether it's a firewall suite with a HIPS component or strictly an internet firewall. Since most modern firewalls are suites, I'll assume that's what's being used and that it's decently configured.

    The answer also depends on what type of malicious code we're talking about. If that code is its own process, a firewall with a HIPS component should detect the malicious process itself as well as its attempt to hook or inject code into Internet Explorer. A separate freestanding HIPS would also do this.

    If the malicious code exploits or runs inside of Internet Explorer or exploits another application that's also allowed to launch Internet Explorer, a firewall or HIPS might not detect this activity. It will depend on where this malicious code is and how it's launched. If the code is contained within a file that's launched by the user (such as an infected document that's opened with an allowed application) or it's contained in a webpage and uses an unpatched vulnerability in IE, these a firewall can miss.

    If you use an alternate browser and have either required Internet Explorer to request internet access or have blocked its access, then the firewall should detect all attempts to connect out with Internet Explorer.
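
Added example (not part of the thread or of any firewall product): a toy rule evaluator showing which of the cases described in the reply above would raise a prompt and which would pass silently. The event fields, the allow-list and all process names and addresses are constructed assumptions.

```python
from dataclasses import dataclass

BROWSER = "iexplore.exe"
# Hypothetical user rules: programs allowed to start the browser.
ALLOWED_LAUNCHERS = {"explorer.exe", "winword.exe"}

@dataclass(frozen=True)
class Event:
    kind: str    # "launch", "inject" or "connect"
    actor: str   # process performing the action
    target: str  # process acted on, or remote address for "connect"

def verdict(ev, browser_may_connect=True):
    """Return 'prompt' if the rule set would ask the user, else 'allow'."""
    if ev.kind == "connect":
        # Outbound rule: only the browser is trusted, and only if permitted.
        trusted = ev.actor == BROWSER and browser_may_connect
        return "allow" if trusted else "prompt"
    if ev.target == BROWSER:
        if ev.kind == "inject":
            return "prompt"  # separate process hooking into the browser
        if ev.kind == "launch" and ev.actor not in ALLOWED_LAUNCHERS:
            return "prompt"  # unknown process starting the browser
    return "allow"

# Constructed sample events, one per case in the reply.
CONSTRUCTED_EVENTS = [
    Event("launch", "unknown.exe", BROWSER),   # own process launches IE
    Event("inject", "unknown.exe", BROWSER),   # own process injects into IE
    Event("launch", "winword.exe", BROWSER),   # allowed app opened a bad file
    Event("connect", BROWSER, "203.0.113.10"), # code running inside IE itself
]

if __name__ == "__main__":
    for ev in CONSTRUCTED_EVENTS:
        print(f"{ev.kind:8} {ev.actor:14} -> {ev.target:14} {verdict(ev)}")
    # With IE required to ask for access (alternate browser in daily use),
    # the last case is no longer silent.
    print(verdict(CONSTRUCTED_EVENTS[3], browser_may_connect=False))
```

The last two events are the blind spots: both come from programs the rules already trust, so nothing is shown to the user unless the browser itself is required to request access.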
     