sepik

Level 3
Hello all,
I've always been interested in how early software (or its driver) can start during the boot-up stage. I know about kernel drivers, ring 0/1 stages etc., but they are just words for me.
Many AV suites start at a low level. Some malware does that too. Some 3rd-party firewalls that don't depend on Windows' own firewall driver start way before Windows' own firewall driver. So actually this is confusing for me. Now comes the funny sentence: "how low can you go" :D
Is there any software that can analyze in which order processes start at boot-up? Are there race conditions between malware and the firewall during boot-up? ZoneAlarm and Comodo firewalls are famous for the fact that you can't actually disable them during the boot-up stage. Can sophisticated malware connect to the internet way before the Windows firewall is loaded?
-sepik
 

Umbra

Level 11
Verified
It doesn't really matter which starts first; you can be compromised by malware that isn't even on your system but on your hardware. Windows 8 introduced Secure Boot to prevent unwanted drivers from running, and some AVs use ELAM, but all of it becomes useless if you get hit by kernel exploits.
That is why I promote solid lockdown strategies to prevent such malware from even being dropped on the system, because however powerful a malware is, its entry points never change.
 

DeepWeb

Level 25
Verified
I noticed recently that my Wi-Fi does not connect until my AV has finished booting up. So there you have your firewall protection. In almost all cases, the AV is long awake before your PC can even establish a connection. Unless you have those controversial Intel vPro CPUs that can do whatever they want no matter what the user does, thanks to the Intel Management Engine.
If you really, really care about that, get a Chromebook. It checks all of the code at boot and if something is foul, it boots the last normal backup. Everything at boot is signed by Google, including the 3rd-party drivers that they have vetted. Google is in full control over the boot process until you sign in.
 

sepik

Level 3
I've tested several firewalls. It was quite interesting to see the ZoneAlarm firewall log files. During boot-up ZA blocked many connections to Google and Microsoft servers. Maybe those connections are for Google Update and Windows Update, or some telemetry things?
Comodo firewall logs do not show anything compared to ZoneAlarm.
Years ago some member at wilderssecurity tested this with Wireshark. It was kind of interesting to see how connections are made before Windows' own firewall is even started. Malware can do the same and you're not even aware of that. That's why I don't like software firewalls that rely on Windows' own firewall driver.

Kindest regards,
-sepik
 

oldschool

Level 37
Verified
That's why I don't like software firewalls that rely on Windows' own firewall driver.
The new TinyWall beta is based on the Windows Filtering Platform and can be used with or without Windows Firewall. I think the latter method is temporary until he releases the new version. I haven't used it for stability reasons, but you may read more here.
 

Dave Russo

Level 9
Verified
It doesn't really matter which starts first; you can be compromised by malware that isn't even on your system but on your hardware. Windows 8 introduced Secure Boot to prevent unwanted drivers from running, and some AVs use ELAM, but all of it becomes useless if you get hit by kernel exploits.
That is why I promote solid lockdown strategies to prevent such malware from even being dropped on the system, because however powerful a malware is, its entry points never change.
What are your solid lockdown strategies? Sounds good, but is it simple enough for a not-so-technical guy like me?

SeriousHoax

Level 11
Verified
Malware Tester
I use the SimpleWall beta with Windows Defender. It is based on the Windows Filtering Platform (WFP) and has a feature called "Boot-time filters" which does what the name suggests. Any program that you haven't allowed in SimpleWall to access the internet won't be able to create any connection, even before the actual program runs on your system after booting up. This program itself starts pretty late after Windows logon, and I tested by running other programs right after booting up that weren't allowed in SimpleWall, and they weren't able to create any connection.
Maybe it does what you're looking for, but I'm not fully sure. Anyway, it's a great little program.
 

TairikuOkami

Level 23
Verified
Content Creator
I've tested several firewalls. It was quite interesting to see the ZoneAlarm firewall log files. During boot-up ZA blocked many connections to Google and Microsoft servers. Maybe those connections are for Google Update and Windows Update, or some telemetry things?
Comodo firewall logs do not show anything compared to ZoneAlarm.
Comodo automatically allows trusted processes/connections; sometimes it is hard to disable. I never liked this nuisance in security products.

Years ago some member at wilderssecurity tested this with Wireshark. It was kind of interesting to see how connections are made before Windows' own firewall is even started. Malware can do the same and you're not even aware of that. That's why I don't like software firewalls that rely on Windows' own firewall driver.
I believe this was changed with mandatory Secure Boot (it has to be disabled via BIOS)? Is the firewall driver loaded before the network is initialized?
 

Rijndael

Level 1
Secure Boot was designed with the aim of stopping rootkits.
How it works is based on checking the bootloader signature and loading it if it is trusted.
Right now the only way that malware can infect the MBR or BIOS of a PC with UEFI is by exploiting a vulnerability.
So it's very difficult for someone to get infected with a virus that is able to start before the OS or firewall.

However, rootkit drivers remain a dangerous threat. Even with PatchGuard and Driver Signature Enforcement, malware writers continue to infect PCs with rootkits. One of their strategies is to search the internet for software that uses kernel-mode (signed) drivers and analyze them for vulnerabilities.
When they find a vulnerable driver they load the driver on the victim's PC and use the vulnerability to execute malicious code in kernel mode.

Is the firewall driver loaded before the network is initialized?
Yes, the firewall driver is loaded when System Drivers are loaded; network drivers are loaded later (when 3rd-party drivers are loaded).
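For sepik's question about seeing what starts in which order at boot, and to check the load-order claim in the post above, here is an added example (my own script, not from any poster or product in this thread): a read-only PowerShell script that lists the Boot- and System-start kernel drivers in the order Windows loads them, taken from the registry's ServiceGroupOrder list, so you can see where an ELAM driver (group "Early-Launch"), your firewall vendor's driver and the NDIS/TCP-IP drivers fall relative to each other. It assumes a standard Windows installation and only reads the registry.

```powershell
# Added example: list boot/system-start kernel drivers in Windows load order (read-only).
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupOrder = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

$drivers = foreach ($key in Get-ChildItem $svcRoot) {
    $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file system driver; skip user-mode services (0x10/0x20)
    if ($null -eq $p.Type -or ($p.Type -band 0x3) -eq 0) { continue }
    # Keep only Boot (0, loaded by the boot loader) and System (1, loaded during kernel init)
    if ($null -eq $p.Start -or $p.Start -gt 1) { continue }
    $grp = if ($p.Group) { [string]$p.Group } else { '' }
    $idx = [array]::IndexOf($groupOrder, $grp)       # position in ServiceGroupOrder\List
    [pscustomobject]@{
        Start      = $startNames[[int]$p.Start]
        GroupIndex = if ($idx -ge 0) { $idx } else { 9999 }   # unknown group sorts last
        Group      = $grp
        Tag        = if ($null -ne $p.Tag) { [int]$p.Tag } else { 0 }
        Name       = $key.PSChildName
        ImagePath  = [string]$p.ImagePath
    }
}

# Boot-start drivers load first, in ServiceGroupOrder order and then by Tag; System-start follow.
$drivers |
    Sort-Object @{ Expression = { if ($_.Start -eq 'Boot') { 0 } else { 1 } } }, GroupIndex, Tag, Name |
    Format-Table Start, Group, Tag, Name, ImagePath -AutoSize

# Narrow the view to the groups this thread is about: ELAM versus the networking stack.
$netGroups = 'Early-Launch', 'NDIS', 'TDI', 'PNP_TDI', 'NetworkProvider'
$drivers | Where-Object { $_.Group -in $netGroups } |
    Sort-Object GroupIndex, Tag | Format-Table Start, Group, Name, ImagePath -AutoSize
```

Drivers with Start = 2 (Auto) or 3 (Manual) are deliberately left out, since they load later with or after the Service Control Manager; add your firewall vendor's driver name to the second view if its group is not in that list.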

Dave Russo

Level 9
Verified
The option to block all traffic before the firewall starts and until the firewall ends is allowed, but not default, on Symantec Endpoint Protection. Any reason not to use this option?