Advice Request Why some vendors tend to rely on Windows Firewall?


Status
Not open for further replies.
509322

The vast majority of home users don't know how to respond to any firewall alert - and that makes outbound notifications irrelevant except for security soft geeks.

Average Joe will likely select "Allow." So a firewall notification is pointless.

Microsoft does not care what security soft geeks think. It never has. And it never will. Microsoft does not care about what anyone thinks - most of all developers.
 

spaceoctopus

Probably because,

It costs a lot of money to maintain

It's not practical for most users due to technicalities

And they try to compensate for the absence of a third-party firewall with some good malware and behavioral blocking detection. If you block a malware and prevent it from connecting to the internet, the job is already done. If you have a nice third-party firewall, your anti-malware fails to block a malware, and you click "Allow" when the devious program wants internet connection... well, the firewall is useless.
 

spaceoctopus

Comodo Firewall is just named wrongly, it should be like Comodo Box or something. Think about the many who read that WF isn't enough, fire up Google for a firewall replacement, end up on Comodo's page, and download CF, oh boy... from that point new users had better be sure they have another device with internet access to google for help on why Comodo disabled the internet adapter, the PC threw a BSOD, etc. All Joe wanted was to better secure his system :cry::cry::cry:
Comodo products are excellent when you know how to use them, but a nightmare for the average user. :confused:
 
Deleted member 178

It costs a lot of money to maintain

It's not practical for most users due to technicalities
Exactly, most SecGeeks bashing vendors because they choose the simple way are ignorant; if they worked for them or were "repair guys", they would know that most home users can't even handle basic Windows options/features, so don't hope they can handle firewalls even with notifications.

If you block a malware and prevent it from connecting to the internet, the job is already done. If you have a nice third-party firewall, your anti-malware fails to block a malware, and you click "Allow" when the devious program wants internet connection... well, the firewall is useless.
That's the whole point, and let's say the malware uses a legit Windows process to connect out: all 3rd party FWs have a whitelist of processes that need to connect out so Windows can work properly. So considering a firewall as a mandatory security feature is obsolete; this idea was from the last decades, when malware was unable to perform process hollowing or inject code into other legit processes...
And I don't even mention integrity levels...
 

DeepWeb

I think most people are protected by their gateway hardware firewalls which are enabled out of the box. So fortunately most people may never know how bad Windows' software firewall really is.
 
Deleted Member 3a5v73x

There are still millions of users using just a $12 TP-Link at home. The more important talk is how good or bad Windows Firewall is in public hotspots when you take your laptop with you. I've actually never seen any regular user making sure the profile is set to Public once connected, or using a VPN.
 
Deleted member 178

I think most people are protected by their gateway hardware firewalls which are enabled out of the box. So fortunately most people may never know how bad Windows' software firewall really is.
Depends on the box; by default most allow all outbound connections.
The real question here is not whether WF is good or bad, but whether the outbound monitoring ability of FWs is considered a primordial aspect of a security setup for classic home users.
My answer: no, it never was and will never be. However for geeks it is another story...
 
509322

More important talk is how good or bad Windows Firewall is in public hotspots when you take your laptop with you...

If set to Public it will prevent intrusion. This has been tested much in the past and published in tests.

I've actually never seen any regular user making sure the profile is set to Public once connected, or using a VPN.

Of course not. Public firewall profile... what is that? VPN... wut?
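
The check discussed in the posts above, as an added example that is not part of the original thread: a PowerShell sketch that lists each connected network, the category Windows assigned to it, and the effective firewall defaults that category selects. It uses the built-in `Get-NetConnectionProfile` and `Get-NetFirewallProfile` cmdlets; the review messages and the `Wi-Fi` interface name in the last comment are illustrative assumptions.

```powershell
# Added example (not from the thread): show which firewall profile each
# connected network is using and what that profile does by default.

# ActiveStore holds the effective policy (local settings merged with Group Policy).
$fw = @{}
Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object { $fw[$_.Name] = $_ }

$report = foreach ($net in Get-NetConnectionProfile) {
    # NetworkCategory is Public, Private or DomainAuthenticated; the firewall
    # profile that matches DomainAuthenticated is named "Domain".
    $name = [string]$net.NetworkCategory
    if ($name -eq 'DomainAuthenticated') { $name = 'Domain' }
    $p = $fw[$name]

    # Collect anything worth a second look (messages are illustrative).
    $issues = @()
    if ("$($p.Enabled)" -ne 'True') { $issues += 'firewall disabled' }
    if ("$($p.DefaultInboundAction)" -ne 'Block') { $issues += 'inbound not blocked by default' }
    if ($name -eq 'Private') { $issues += 'Private: confirm this is a network you trust' }

    [pscustomobject]@{
        Interface = $net.InterfaceAlias
        Network   = $net.Name
        Category  = $name
        Inbound   = $p.DefaultInboundAction
        Outbound  = $p.DefaultOutboundAction
        Review    = $issues -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap

# To move a hotspot connection to the Public profile (elevated prompt;
# 'Wi-Fi' is a placeholder interface name):
# Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public
```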
 

TairikuOkami

I don't care if the malware is making outbound connections, it is already too late
A firewall is not impenetrable, but it has its merits, like preventing DNS hijacking, etc. People usually get infected with trojan downloaders, which have to download the payload first; they are harmless without it. Malware authors do not take a firewall into account, since 99% are not using any these days. So injecting other processes sounds cool, but most just do not do it, since interfering with other processes could trigger an AV/behaviour blocker.
 

spaceoctopus

There are some "in-betweens" or methods in this firewall debate.
Some products such as Trend Micro or F-Secure will "reinforce" the WF in some ways, adding for example some advanced HIPS or behavioral functions.

Others such as Emsisoft, which has a mature and very effective BB, will concentrate on blocking attempts to tamper with WF settings and registry keys.

Products such as Panda, Norton or McAfee use a lot of cloud and have a kind of "Lite firewall". For example, the McAfee firewall has some advanced exploit protection combined with their Netguard function, which actively blocks dangerous IPs when you browse (rather than passively waiting to block attacks). But the McAfee firewall has nothing to do with the advanced and granular settings of the Comodo or ZoneAlarm firewall.

Added to that it depends on the user. What he needs for example, depending on his knowledge and what he is doing with his PC.
 

LDogg

Still think WF isn't enough for me whatsoever. It's like having a translucent window covering up packets. :p Deffo may install TinyWall!

~LDogg
 

Al-Faqir

Thread author
There are still millions of users using just a $12 TP-Link at home. The more important talk is how good or bad Windows Firewall is in public hotspots when you take your laptop with you. I've actually never seen any regular user making sure the profile is set to Public once connected, or using a VPN.

eset.PNG

Screenshot (5).png
 
Eddie Morra

no self-protection
You can't do anything to Windows Firewall with standard rights; you'll need administrator rights, which will involve user interaction to grant them, or an LPE.

They cannot rootkit up Windows and make Windows Firewall invincible because Windows is designed for administrators to be able to overrule and make changes... therefore what they've done is perfectly logical.

That being said, if you have administrator rights then you can have SeLoadDriverPrivilege, allowing you to load a signed vulnerable driver of your choice and then abuse it to attack any other third-party AV on the environment - and there are plenty of vulnerable drivers from genuine software which can be abused (just look at VirtualBox, Process Hacker, CPU-Z or even an old (?) Zemana driver). Therefore, it isn't like Windows Defender/Firewall being "defeatable" when an attacker has administrator rights is any different compared to how it is with other third-party solutions.

If you submit an SP vulnerability to an AV vendor, there's a 99% chance it is going to be rejected if it does not work with standard rights and thus requires additional privileges like administrative rights.
 

TairikuOkami

That being said, if you have administrator rights then you can have SeLoadDriverPrivilege
Admin rights are one thing, but the total lack of control is another. Security software is usually protected from exes/scripts terminating it or changing its settings; even with admin rights, you just cannot do it. SeLoadDriverPrivilege is a bit of an extreme example; WF is not protected by anything at all.
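
Since the posts above agree that an administrator-level process can change Windows Firewall, the practical control left to a defender is auditing those changes. The following PowerShell sketch is an added example, not part of the original thread: it reads the firewall's own operational log and shows which program and user added, modified or deleted rules in the last seven days. The seven-day window is an arbitrary choice, and the field names are the ones these events normally carry; a field that is absent is simply left blank.

```powershell
# Added example (not from the thread): audit recent Windows Firewall changes.
# May need an elevated prompt to read the log.
$log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$meaning = @{
    2003 = 'profile setting changed'
    2004 = 'rule added'
    2005 = 'rule modified'
    2006 = 'rule deleted'
}

$filter = @{
    LogName   = $log
    Id        = 2003, 2004, 2005, 2006
    StartTime = (Get-Date).AddDays(-7)   # assumption: one-week look-back
}

# Get-WinEvent raises an error when nothing matches, so silence that case.
$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Index the event's named data fields; missing ones stay $null.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Change     = $meaning[[int]$_.Id]
            Rule       = $data['RuleName']
            Target     = $data['ApplicationPath']
            ChangedBy  = $data['ModifyingApplication']
            UserSid    = $data['ModifyingUser']
        }
    }

# Group by the program that made the change; anything other than the usual
# system components or your own management tools deserves a closer look.
$changes | Sort-Object Time |
    Format-Table Time, Change, Rule, ChangedBy, UserSid -AutoSize -Wrap
$changes | Group-Object ChangedBy | Sort-Object Count -Descending |
    Select-Object Count, Name
```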
 