Firewall boot-stage protection

sepik

Level 11
Thread author
Verified
Well-known
Aug 21, 2018
505
Hello all,
I've always been interested in how early software (or its driver) can start during the boot-up stage. I know kernel drivers, ring 0/1 stages etc., but they are just words for me.
Many AV suites start at a low level. Some malware does that too. Some 3rd-party firewalls that don't depend on the Windows firewall driver start way before Windows' own firewall driver. So actually this is confusing for me. Now comes the funny sentence "how low can you go" :D
Is there any software that can analyze in which order processes start at boot-up? Race conditions between malware and firewall during boot-up? ZoneAlarm and Comodo firewalls are famous in that you can't actually disable them during the boot-up stage. Can sophisticated malware connect to the internet way before the Windows firewall is loaded?
-sepik
 
ForgottenSeer 823865

Doesn't really matter which starts first; you can be compromised by malware that is not even on your system but on your hardware. Windows 8 introduced Secure Boot to prevent unwanted drivers from running, some AVs use ELAM, but all become useless if you get hit by kernel exploits.
That is why I promote solid lockdown strategies to prevent such malware from even being dropped on the system, because however powerful a malware is, its entry points never change.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I noticed recently that my wifi does not connect until my AV has finished booting up. So there you have your firewall protection. In almost all cases, the AV is long awake before your PC can even establish a connection. Unless you have those controversial Intel vPro CPUs that can do whatever they want no matter what the user does, thanks to the Intel Management Engine.
If you really, really care about that, get a Chromebook. It checks all of the code at boot, and if something is foul, it boots the last normal backup. Everything at boot is signed by Google and the 3rd-party drivers that they have vetted. Google is in full control over the boot process until you sign in.
 

sepik

Level 11
Thread author
Verified
Well-known
Aug 21, 2018
505
I've tested several firewalls. It was quite interesting to see the ZoneAlarm firewall log files. During boot-up ZA blocked many connections to Google servers and Microsoft servers. Maybe those connections are for Google Update and Windows Update, or some telemetry things?
Comodo firewall logs do not show anything compared to ZoneAlarm.
Years ago some member at Wilders Security tested this with Wireshark. It was kind of interesting to see how connections are made before Windows' own firewall is even started. Malware can do the same and you're not even aware of that. That's why I don't like software firewalls that rely on Windows' own firewall driver.

Kindest regards,
-sepik
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,102
That's why I don't like software firewalls that rely on Windows' own firewall driver.

The new TinyWall beta is based on the Windows Filtering Platform and can be used with or without Windows Firewall. I think the latter method is temporary until he releases the new version. I haven't used it for stability reasons, but you may read more here.
 

Dave Russo

Level 21
Verified
Top Poster
Well-known
May 26, 2014
1,054
Doesn't really matter which starts first; you can be compromised by malware that is not even on your system but on your hardware. Windows 8 introduced Secure Boot to prevent unwanted drivers from running, some AVs use ELAM, but all become useless if you get hit by kernel exploits.
That is why I promote solid lockdown strategies to prevent such malware from even being dropped on the system, because however powerful a malware is, its entry points never change.
What are your solid lockdown strategies? Sounds good, but is it simple enough for a not-so-technical guy like me?
 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,633
I use SimpleWall beta with Windows Defender, which is based on the Windows Filtering Platform (WFP), and it has a feature called "Boot-time filters" which does what the name suggests. Any program that you haven't allowed in SimpleWall to access the internet won't be able to create any connection, even before the actual program runs on your system after booting up. This program itself starts pretty late after Windows logon, and I tested by running other programs right after booting up that weren't allowed in SimpleWall, and they weren't able to create any connection.
Maybe it does what you're looking for, but I'm not fully sure. Anyway, it's a great little program.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,479
I've tested several firewalls. It was quite interesting to see the ZoneAlarm firewall log files. During boot-up ZA blocked many connections to Google servers and Microsoft servers. Maybe those connections are for Google Update and Windows Update, or some telemetry things?
Comodo firewall logs do not show anything compared to ZoneAlarm.
Comodo automatically allows trusted processes/connections; sometimes it is hard to disable. I never liked this nuisance in security products.

Years ago some member at Wilders Security tested this with Wireshark. It was kind of interesting to see how connections are made before Windows' own firewall is even started. Malware can do the same and you're not even aware of that. That's why I don't like software firewalls that rely on Windows' own firewall driver.
I believe this was changed with the mandatory Secure Boot (it has to be disabled via BIOS)? Is the firewall driver loaded before the network is initialized?
 

Rijndael

Level 1
Oct 16, 2019
12
Secure Boot was designed with the aim of stopping rootkits.
It works by checking the bootloader signature and loading it if it is trusted.
Right now the only way that malware can infect the MBR or BIOS of a PC with UEFI is by exploiting a vulnerability.
So it's very difficult for someone to get infected with a virus that is able to start before the OS or firewall.

However, rootkit drivers remain a dangerous threat. Even with PatchGuard and Driver Signature Enforcement, malware writers continue to infect PCs with rootkits. One of their strategies is to search the internet for software that uses kernel-mode (signed) drivers and analyze them for vulnerabilities.
When they find a vulnerable driver they load the driver on the victim's PC and use the vulnerability to execute malicious code in kernel mode.

Is the firewall driver loaded before the network is initialized?
Yes, the firewall driver is loaded when system drivers are loaded; network drivers are loaded later (when 3rd-party drivers are loaded).
 
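To give sepik a way to see in which order drivers start at boot, and to check Rijndael's point that the firewall driver loads with the system drivers before the network stack, here is an added PowerShell audit script. It is not from any poster or from any firewall product; it only reads the Services registry keys and the ServiceGroupOrder list that Windows already maintains, and the list of driver names to highlight (ndis, tcpip, netio, wfplwfs, mpsdrv) is an assumption to adjust for your own firewall's driver.

```powershell
# Added example (not from the thread): list boot-start (Start=0) and system-start (Start=1)
# kernel drivers in the order Windows loads their groups, so a firewall driver's position
# relative to the network stack can be checked. Read-only; run elevated for complete results.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# ServiceGroupOrder\List is the REG_MULTI_SZ that defines load-group order.
$groupOrder = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List
$groupRank = @{}
for ($i = 0; $i -lt $groupOrder.Count; $i++) { $groupRank[$groupOrder[$i]] = $i }

$startNames = @{ 0 = 'Boot'; 1 = 'System' }
$drivers = foreach ($key in Get-ChildItem $svcRoot) {
    $p = Get-ItemProperty $key.PSPath
    # Type 1 = kernel driver, 2 = file-system driver; skip user-mode services (0x10/0x20).
    if ($null -eq $p.Type -or ($p.Type -band 0x3) -eq 0) { continue }
    # Only drivers that start before the session manager / user-mode services.
    if ($null -eq $p.Start -or $p.Start -gt 1) { continue }
    $group = if ($p.Group) { $p.Group } else { '(none)' }
    [pscustomobject]@{
        Driver    = $key.PSChildName
        Start     = $startNames[[int]$p.Start]
        Group     = $group
        # Groups absent from the list load after all listed groups; untagged drivers after tagged ones.
        GroupRank = if ($groupRank.ContainsKey($group)) { $groupRank[$group] } else { 9999 }
        Tag       = if ($null -ne $p.Tag) { [int]$p.Tag } else { 9999 }
        Image     = $p.ImagePath
    }
}

# Boot-start drivers come first, then system-start, each in group order and tag order.
$ordered = $drivers | Sort-Object Start, GroupRank, Tag, Driver
$ordered | Format-Table Driver, Start, Group, Tag, Image -AutoSize

# Highlight the drivers the thread is about: the WFP/firewall layer versus the network stack.
# Driver names below are assumptions; replace or extend with your own firewall's driver name.
$watch = 'ndis', 'tcpip', 'netio', 'wfplwfs', 'mpsdrv'
$ordered | Where-Object { $watch -contains $_.Driver.ToLower() } |
    Format-Table Driver, Start, Group, Tag -AutoSize
```

A driver that is not listed at all starts on demand or automatically (Start 2 or higher), so it cannot filter traffic until that later point, which is what the boot-time filter feature discussed above is meant to cover.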
Dave Russo

Level 21
Verified
Top Poster
Well-known
May 26, 2014
1,054
The option to block all traffic before the firewall starts and until the firewall ends is allowed, but not default, on Symantec Endpoint Protection. Any reason not to use this option?
 
Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,148
The option to block all traffic before the firewall starts and until the firewall ends is allowed, but not default, on Symantec Endpoint Protection. Any reason not to use this option?
It can't work before Windows was called by the boot manager/bootloader.
Any bootkit would bypass it.
Anyway, the wireless firmware, aka baseband, can be rewritten and hidden from SEP.
And the bad guy will write it in memory if the firmware is read-only (probably a better way to hide it, aka fileless).
But anyway, I would recommend using the option you mentioned above to force programs to use the policies you applied.
Anyway, a better solution would be gateway-based security, as it is mostly the "gateway for malware" as well.
And something like SEP as an added IPS layer, but it's mostly optional, especially with good default-deny policies and good VLANs as a base security posture.
 
sepik

Level 11
Thread author
Verified
Well-known
Aug 21, 2018
505
Hello,
I still don't understand how a "bootkit" can take your internet connection during bootup. Is it wise to check system integrity files (hashes) during boot-up or something like that? Personally, I disabled most of the script interpreters via local group policy. If some program wants to use wscript, cscript or powershell, there will be a pop-up for that. So I always know if some program wants to run .vbs, .jar, .ps1, .hta etc...

Kind regards,
-sepik
 