What exactly does a FW stop going "out"?

Discussion in 'other firewalls' started by tonyseeking, Apr 18, 2009.

Thread Status:
Not open for further replies.
  1. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    I am really confused, and would love to get educated by everyone here and to gain some clarity.

    At the moment I am using Vista Firewall.

    But I have heard that it doesn't contain 2-way protection and doesn't contain HIPS. So I installed the FREE Sphinx Vista Firewall Control, only to learn that it doesn't support svchost and core protection. So I uninstalled it.

    But then I thought to myself... I don't even understand what all that means?

    Can someone explain to me please, in basic layman's terms.... what exactly am I at risk of happening by using the Vista Firewall? What exactly can happen to the core, kernel and svchost? What exactly can "go out" of Vista that Vista Firewall will not stop?

    Thanks so much. :thumb:
     
  2. progress

    progress Guest

    As far as I know Vista FW also has outbound protection, no reason to worry :) XP FW only has inbound protection ...

    HIPS?

    :doubt:
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Vista FW has outbound IF u configure it right, u need to unlock some special settings that aren't in the same section where the FW is.

    And quite honestly 1 way is still good enough, what are u worried is getting out if nothing gets in, in the first place?
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    There are many varying degrees of protection when it comes to outbound traffic (as opposed to inbound), ranging all the way from simple, as in something like Kerio 2 or ZA Free, all the way to advanced like Comodo, which includes HIPS-like features. The level of protection or control you want depends on what you think you will need. How are your internet habits? Do you consider yourself a risky user, etc.? Many like just a basic packet filtering firewall without all the extra protection, leaving most of the risk up to the user and his/her intelligent use of the PC. Others prefer to try to catch anything and everything that moves on the PC, so they use things like Comodo, as annoying as it is. Thing is, once something like malware gets on your PC and executes, it's too late anyway, and all you're doing with your fancy HIPS and features is trying to catch it. The mess will still be there though, and you'll have to clean it up or reformat or restore an image. Also be aware that nothing is 100%, and even though you run Comodo and think you're covered, it's always possible for malware to get by it in theory and in practice. You ask what can go out that Vista FW can't cover or control; the truth is, well-written malware can almost always "go out" past anything you run. That's the reality of it all. So rather than go nuts trying to catch anything and everything that might go out, just use some common sense as a user, and keep the malware off your system to begin with.

    Vista Firewall may not be as simple and easy as you'd like it. If I were you I might consider one of the basic firewalls that's easy to use and that gets the job done covering basic inbound and outbound traffic, without going crazy with it all. Then the rest is up to you. :)
     
  5. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Thank you Kerodo for the wise advice and words.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Microsoft's built-in firewalls control the traffic to/from installed applications. They do not control or monitor traffic from operating system components. An OS component can "call home" without the firewall stopping it. SVCHOST is a part of the services that run on NT systems. A service can use SVCHOST to gain internet access. As before, the Windows firewall doesn't control this traffic. Malicious code that exploits SVCHOST does exist. How much of it works on Vista at present, I don't know.

    The Windows firewall gives you no control over "legitimate" traffic from the operating system, aka calling home. If that control is important to you, get a 3rd party firewall. Most installed software firewalls will control the traffic to/from OS components like SVCHOST. Assuming the firewall is decently configurable, you can specify what IP addresses a component can connect to, the protocols it's allowed to use, and the port numbers it can and can't use. Most internet services use specific ports for specific functions. By specifying the port(s) SVCHOST can/can't connect through, a software firewall can control the internet access of specific services, even though they all connect out using the same process (SVCHOST).

    A conventional 3rd party firewall controls the direct internet access of individual executables, both applications and OS components. HIPS software performs different functions. HIPS controls the executables themselves. A classic HIPS like SSM allows the user to:
    • specify what executables can run,
    • specify what other processes each one can start (parent) or be started by (child),
    • specify which processes can hook or inject code into another process,
    • specify which processes can perform low level disk access, memory access, and many other functions.
    The standard practice of security vendors is to combine these into one package, a security suite. Separate applications are just as good if not better.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The firewall in Vista does filter the system applications.

    I know a number of vendors put forward that their own applications need to be given hard-coded rules, so for example, their application can make updates, or make reverse DNS lookups, etc, etc, whatever. With Vista, you can block any/all system applications from making direct internet connections, and even cause Windows updates to be blocked.

    I have been monitoring Vista, and I have seen nothing to make me even think that Vista is "calling home" or not filtering any system application.

    One feature of the firewall that I still have to check further is that, for svchost for example, when creating rules for this services host you can bind the service, such as Windows Update, to the rule. So where in most firewalls you would give svchost outbound to remote ports 80, 443 for Windows Update, that would then also allow svchost to make any outbound connection to those ports, even if not for Windows Update. With a binding of the service to the rule, only that specific service will use the rule.

    I have finished most of the testing that I wanted to do on the Vista firewall, so I can now build a thread to help show how to use/setup the Vista firewall.

    - Stem
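    As an added example (not Stem's own commands, nor anything posted in this thread) of the two approaches discussed above, the port-only svchost rule noone_particular describes versus the service-bound rule Stem describes, the netsh advfirewall commands below (available on Vista) switch the default outbound policy to block and then let only the Windows Update service inside svchost.exe reach TCP 80/443. The rule names, the literal System32 path and the choice of profiles are my own assumptions.

```powershell
# Added example: restrict svchost.exe outbound traffic to one named service.
# Run from an elevated command prompt or PowerShell on Vista or later.

# 1. Vista's default outbound policy is "allow", so an allow rule by itself changes
#    nothing. Make outbound default-deny on every profile (inbound is already blocked).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. The "port only" rule most firewalls create (shown commented out for comparison):
#    ANY service hosted by svchost.exe could now talk to remote TCP 80/443,
#    not just Windows Update. This is the over-broad rule Stem warns about.
# netsh advfirewall firewall add rule name="svchost out 80,443 (any service)" dir=out action=allow program="C:\Windows\System32\svchost.exe" protocol=TCP remoteport=80,443

# 3. The service-bound rule: only the Windows Update service (wuauserv) running
#    inside svchost.exe matches, so every other svchost-hosted service stays blocked.
#    The path assumes a default install location.
netsh advfirewall firewall add rule name="Windows Update (wuauserv) out 80,443" dir=out action=allow program="C:\Windows\System32\svchost.exe" service=wuauserv protocol=TCP remoteport=80,443

# 4. The DNS Client service (Dnscache) also lives in svchost.exe; with outbound
#    default-deny it needs its own narrow rule or name resolution stops working.
netsh advfirewall firewall add rule name="DNS Client (Dnscache) out 53" dir=out action=allow program="C:\Windows\System32\svchost.exe" service=Dnscache protocol=UDP remoteport=53

# 5. Verify the rule and confirm which service it is bound to.
netsh advfirewall firewall show rule name="Windows Update (wuauserv) out 80,443" verbose

# 6. Dropped outbound connections are not logged by default; enable logging so
#    you can see in pfirewall.log what else svchost (or anything) tried to reach.
netsh advfirewall set allprofiles logging droppedconnections enable
```

    The same pattern (program=svchost.exe plus service=<name>) applies to any other svchost-hosted service you decide to let out.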
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I stand corrected, and very surprised.
     
  9. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Your post was a waste of space, mate :p It didn't address a single question I asked.
     
  10. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Why is my post getting hijacked? This is also off-topic and doesn't address my questions at all :(
     
  11. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    His post didn't answer me either.

    What exactly can happen to the core, kernel and scvhost?

    What exactly can "go out" of Vista that Vista Firewall will not stop?

    In other words... let's assume the worst-case scenario, and I get infected with something... What exactly happens? Does some program scan my HD and then send every text file to another person somewhere else in the world? And they hope that some text file contains personal information? Is that right?

    What exactly can happen? For example, I have a text file on my desktop called "info.txt" and in that file I have some personal data. Is that what can happen, it can get copied and sent to another server out there?

    What exactly is the firewall outbound protection stopping?
     
  12. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    And what exactly can this Malicious code do? What does it do exactly? Scan my PC for what? And then sends what to someone else "out there"?
     
  13. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Awesome Stem.. When and where? :)
     
  14. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Actually I did, u asked what u are risking and I answered u by saying ur not risking anything really, as long as u just keep ur proactive security strong.

    And I corrected u by saying it does, u just gotta know how to get it working.

    So if u don't seem to understand, then maybe u should just take in the info instead of saying I didn't answer ur question at all, or getting hijacked, or being off topic...
     
  15. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    If one gets a Trojan on their computer it may gather personal information (or any other information that is on your computer, like sites visited etc.) and send it out to the recipient for their illegal use. Vista firewall has not been proven completely able to foil all attempts to bypass it.
     
  16. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    1. What would I need to do to be infected with a trojan? Download and install what exactly?

    2. I daily use MAM and SAS, will they detect all the latest Trojans?

    3. I only ever download and install software from well known websites. Doesn't that cover me well?
     
  17. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    And the same goes for EVERY software FW, so ye...
     
  18. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    In some drive-by downloads a computer could get compromised under certain conditions and the compromise may contain an encrypted Trojan that has been packaged for use at a later time. As to the abilities of particular software - one would need to contact one's vendors for that information and ask them for third-party tests to back what they promote about their abilities.

    Some very good security software can catch things like that to which you refer most of the time. No conclusive tests have been done nor can they be done to "prove" thoroughness due to new exploits being introduced very often. The best one can hope for is a claim of a group of software (layered approach) that has been rigorously third-party tested and stays on top of their game at each new test.

    The very best insurance, though, is operator training and how not to be taken advantage of on, for instance, spoofed sites.
     
  19. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    1. Launching infected .exe files or possibly drive-bys.

    2. They will detect most, but nothing is 100%.

    3. That does cover u well, but not 100%, there's always a chance of the site being hijacked etc.
     
  20. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    Oh, you misinterpreted my statement.
    I fully appreciate the statement by Kerodo.
    These questions you pose are basically what he meant... use less and be further ahead.... probably the limited user account and an updated antivirus, and these concerns for 'what ifs' will never happen or enter the picture.
    12fw
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    SVCHOST is just the means by which the malware would gain internet access. The default rules for many firewalls give SVCHOST almost unrestricted internet access, as does the automatic rule creation used by some other firewalls. The most common type of malicious code that does this would be trojans, which includes keyloggers and ones that steal passwords and financial data. The malware can do just about anything the coder wants it to, within the limits of what the OS and the rest of the security package will permit.
    1. All the usual infection vectors apply. Infected e-mail, malicious links, compromised websites, code that exploits unpatched browsers, malicious code embedded in files from other infected PCs, social engineering aka the art of tricking the user into opening or clicking on something malicious. Don't underestimate the last one. The malicious code can be made to look like any file type the writer chooses. Almost all types of files can be malicious, not just executables. Even text files can be malicious if the file extension is right.

    2. Those are good apps, but nothing catches everything. With kits that build custom malware easily available, it's a simple matter to build a trojan that will slip past all of them, at least for a short time. No user is infallible either, no matter how security conscious they are. I really wonder how big of a botnet I could build using a custom rootkit made with one of those malware kits with posted links to it in places like this, describing it as a new firewall leaktest.

    3. That helps, but known sites also get compromised. In the last year, we've also seen attacks on the infrastructure of the internet itself, the DNS servers for one. The problem is the design of the system itself. As far as I know, that problem has been patched to make it harder to attack, but the design vulnerability is still there. There's malware that attacks the DNS components in the PC. I believe there have even been successful attacks on DNS in routers under certain circumstances. While this might seem off topic, consider one thought. If a successful attack on any one of these can result in your going to a site other than the one you intended, can there be such a thing as a trusted site? IMO, all of the internet should be treated as untrusted and your defenses set up with that in mind.
     
  22. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    So no firewall at all can stop unauthorized "outgoing" information?
     
  23. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Define "drive-bys"
     
  24. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    No, it's not that they can't stop any outbound, but a software FW can be bypassed just as Vista FW could. I was just replying to the other guy who posted that Vista FW can be bypassed.
     
  25. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Invisible background downloads while surfing the net are the main way u get them. Most AVs should protect u tho.
     