software firewalls and malware spread prevention

Discussion in 'malware problems & news' started by rager, Sep 15, 2010.

Thread Status:
Not open for further replies.
  1. rager

    rager Registered Member

    Joined:
    Sep 15, 2010
    Posts:
    5
I'm new to security, so bear with me; I just want to clear up some confusion I have about it.

    I'm using Comodo Firewall and I've configured it fairly strictly: I have blocked all outgoing from 'System', and svchost is only allowed to connect to my ISP's DNS servers. Beyond that, there are only trusted programs I have given access to.

    So, for malware to operate, generally, wouldn't that require that it creates a weird unknown process and then uses that to connect to the internet?

    Alternatively, if it co-opted a trusted process, wouldn't it be clear on my network monitor that it was connecting to an array of strange sites?

    So, generally speaking, if I configured my firewall right, in theory, even if I had malware, could I successfully block it from achieving internet/network access?
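To make the question concrete, here is a small model of the per-application egress policy described in the post, evaluated against the cases raised in the thread (an unknown process, svchost talking to something other than the ISP resolvers, a trusted browser co-opted to reach a strange host). This is an added example and not Comodo's code or the poster's actual configuration; the process names, the resolver and remote addresses (documentation ranges) and the rule format are assumptions made for illustration.

```python
"""Model of a per-application outbound firewall policy, first match wins,
default block. Added example, not Comodo's implementation; names and
addresses below are made up for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed: the poster's "ISP DNS servers" (documentation addresses).
ISP_DNS = (ip_network("203.0.113.53/32"), ip_network("203.0.113.54/32"))


@dataclass
class Rule:
    process: str                       # image name, case-insensitive; "*" = any
    action: str                        # "allow" or "block"
    proto: Optional[str] = None        # "tcp"/"udp", or None for any
    port: Optional[int] = None         # destination port, or None for any
    dest: Optional[Tuple] = None       # tuple of ip_network, or None for any

    def matches(self, process, proto, port, ip):
        if self.process != "*" and self.process != process.lower():
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        if self.dest is not None and not any(ip in net for net in self.dest):
            return False
        return True


# Ordered ruleset mirroring the post: System blocked, svchost only to the
# ISP resolvers on 53, a trusted browser on 80/443, everything else blocked.
RULES = [
    Rule("system", "block"),
    Rule("svchost.exe", "allow", "udp", 53, ISP_DNS),
    Rule("svchost.exe", "allow", "tcp", 53, ISP_DNS),
    Rule("svchost.exe", "block"),
    Rule("firefox.exe", "allow", "tcp", 80),
    Rule("firefox.exe", "allow", "tcp", 443),
    Rule("*", "block"),                # unknown process: blocked by default
]


def decide(process, proto, port, dest_ip, rules=RULES):
    """Return 'allow' or 'block' for one outbound connection attempt."""
    ip = ip_address(dest_ip)
    for rule in rules:
        if rule.matches(process, proto, port, ip):
            return rule.action
    return "block"


def thread_scenarios():
    """The cases discussed in the thread, against a made-up remote 198.51.100.7."""
    c2 = "198.51.100.7"
    return {
        "unknown process to C2":        decide("xyz.exe", "tcp", 443, c2),
        "System to anywhere":           decide("System", "tcp", 443, "203.0.113.53"),
        "svchost to ISP DNS":           decide("svchost.exe", "udp", 53, "203.0.113.53"),
        "svchost to attacker DNS":      decide("svchost.exe", "udp", 53, c2),
        "svchost to C2 over 443":       decide("svchost.exe", "tcp", 443, c2),
        "co-opted browser to C2 :443":  decide("firefox.exe", "tcp", 443, c2),
        "co-opted browser to C2 :4444": decide("firefox.exe", "tcp", 4444, c2),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:32s} {verdict}")
```

The table of verdicts shows where the policy holds and where it does not: the unknown process, System, and svchost off-policy are all blocked, but the co-opted browser on 443 is allowed, which is exactly the case the poster says would have to be spotted on a network monitor. Two further gaps are not visible in the model at all: the allowed svchost-to-ISP-resolver rule still lets any local program resolve names, and a recursive resolver forwards queries for an attacker-controlled domain, so data can leave inside DNS without ever breaking a rule; and, as a later post in the thread points out, a kernel driver that sends packets below the firewall's filter never reaches `decide()` in the first place.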
     
  2. FrnHeight451

    FrnHeight451 Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    11
Yep, you got it bro. That's the idea anyway, so long as you don't pick up a rootkit that starts messing with your registry!

    What you're asking is the notion behind GRC's Leaktest, if you want to test your FW config. See here: http://www.grc.com/lt/leaktest.htm
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
How would you know if malware installed its own comm driver and bypassed everything you have?
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
Do firewalls protect against backdoors on port 0 (zero)?
    How would you catch it if it's not connecting out at all times? What about inbound connections, port knocking?
     
    Last edited: Sep 28, 2010
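One way to approach the "how would you catch it" part of the question is to look for the knock itself in the firewall log rather than waiting for the callback: a backdoor that waits for a sequence of packets on closed ports still produces a burst of inbound drops from one remote address, and a subsequent outbound connection from a trusted process to that same address is the tell. The detector below does that over a constructed log, and separately surfaces any traffic involving port 0. This is an added example, not code from Comodo or from anyone in the thread; the log format, addresses, timestamps and thresholds are assumptions made for illustration.

```python
"""Knock-then-callback detector over a per-application firewall log.
Added example; the log format, hosts and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: direction, verdict, protocol, endpoints and, for
# outbound events, the image that opened the connection.
SAMPLE_LOG = """\
2010-09-28 22:14:01 IN  DROP  TCP 198.51.100.7:40001 -> 192.0.2.10:7000
2010-09-28 22:14:02 IN  DROP  TCP 198.51.100.7:40002 -> 192.0.2.10:8000
2010-09-28 22:14:03 IN  DROP  TCP 198.51.100.7:40003 -> 192.0.2.10:9000
2010-09-28 22:14:05 OUT ALLOW TCP 192.0.2.10:49152 -> 198.51.100.7:443 firefox.exe
2010-09-28 22:15:30 IN  DROP  TCP 203.0.113.9:5555 -> 192.0.2.10:0
2010-09-28 22:20:00 IN  DROP  TCP 203.0.113.9:5556 -> 192.0.2.10:445
2010-09-28 22:21:00 OUT ALLOW TCP 192.0.2.10:49153 -> 198.51.100.22:443 firefox.exe
"""

LINE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<dir>IN|OUT)\s+(?P<verdict>\w+)\s+"
    r"(?P<proto>\w+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+(?P<image>\S+))?"
)


def parse(log):
    """Turn log text into a chronological list of event dicts; skips unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def knock_then_callback(events, window=timedelta(seconds=60), min_ports=3):
    """Flag an allowed outbound connection to a host that, within `window`
    before it, was dropped on at least `min_ports` distinct inbound ports.
    Returns (time, remote ip, image, knocked ports) per alert."""
    drops = defaultdict(list)          # remote ip -> [(ts, dst port)]
    alerts = []
    for e in events:                   # events are assumed to be in time order
        if e["dir"] == "IN" and e["verdict"] == "DROP":
            drops[e["sip"]].append((e["ts"], e["dport"]))
        elif e["dir"] == "OUT" and e["verdict"] == "ALLOW":
            recent = {p for t, p in drops[e["dip"]] if e["ts"] - t <= window}
            if len(recent) >= min_ports:
                alerts.append((e["ts"], e["dip"], e["image"], sorted(recent)))
    return alerts


def port_zero_events(events):
    """Port 0 is reserved and never a legitimate service port; anything
    using it is worth a look, whatever the verdict was."""
    return [e for e in events if e["dport"] == 0 or e["sport"] == 0]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in knock_then_callback(evs):
        print("knock then callback:", alert)
    for e in port_zero_events(evs):
        print("port 0 traffic from", e["sip"])
```

On the sample log this raises one alert: the three drops from 198.51.100.7 on 7000, 8000 and 9000 followed two seconds later by firefox.exe connecting back to that host on 443, which a per-process rule would have allowed. The port-0 packet is dropped like any other inbound packet by a default-deny policy and only shows up because it is logged. The caveat is the one raised elsewhere in the thread: this only works if the knock reaches the firewall's logging at all. A backdoor that reads packets through its own driver below the filter, or that listens for a single packet rather than a sequence, leaves nothing for this detector to correlate.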
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi, Searching_ _ _,

    Can you point me to some current exploits in the wild that do the above? I would like to have a look.

    Thanks,

    rich
     
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
Me too, which is why I posed it as a question.
    Are these far-fetched ideas?

    Is there malware that doesn't connect out but waits for a knock at the port to connect to an already trusted process?

    No problem,

    Searching_ _ _
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm not qualified to speculate on that.

    I look at exploits, evaluate the risk, then see if my security is adequate. If not, I make changes!

    ----
    rich
     