Local Host

Level 21
Verified
The malware created an inbound rule. Enabling this option would nullify the rule created by the malware. I always disable inbound connections no matter which Firewall I use, since I don't need them, nor do 99% of average users.
Incoming new connections are blocked, but established traffic through outbound will allow the incoming half of that exchange (else you would lose Internet access).

In the case of malware you would be exposed either way (unless you restrict access to the Firewall like I stated, or use a Hardware Firewall), the Firewall is not meant to detect and stop malware running on your machine.
 

SeriousHoax

Level 26
Verified
Malware Tester
Incoming new connections are blocked, but established traffic through outbound will allow the incoming half of that exchange (else you would lose Internet access).

In the case of malware you would be exposed either way (unless you restrict access to the Firewall like I stated, or use a Hardware Firewall), the Firewall is not meant to detect and stop malware running on your machine.
I see. I was about to ask you what do you mean by this?
You can easily stop malware (or any other program for that matter) from creating Firewall Rules without your consent, by changing the permissions on

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\
How do I change the permission from there?
 

Local Host

Level 21
Verified
I see. I was about to ask you what do you mean by this?

How do I change the permission from there?
That is the path in regedit; you can take ownership and restrict MpsSvc to read-only, or write a script to do it (the Set-Acl cmdlet should do).

You can also use SubInACL to do it through CMD (if you're not a fan of PowerShell).

Even easier than that, is using the WFC.
 
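The Set-Acl approach from the post above, written out as an added example (this is not code from the original post or from any product the thread discusses). It takes ownership of the FirewallRules key, replaces the Windows Firewall service's (NT SERVICE\MpsSvc) entry with a read-only one, and then checks the result by trying to add a rule. It assumes an elevated PowerShell session and that the Administrators group may take ownership of the key; the backup file names are assumptions.

```powershell
# Added example, not from the original post: make the FirewallRules key
# read-only for the Windows Firewall service (MpsSvc), so rule additions that
# go through the service (netsh, the firewall console, New-NetFirewallRule,
# or malware calling the same API) can no longer be written there.
# Run from an elevated PowerShell. Back up first; reverting is explained below.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$backup  = Join-Path $env:USERPROFILE 'FirewallRules-backup'   # assumed location

# 1. Back up the rules and the current ACL (as SDDL) so the change can be undone.
reg.exe export $regPath "$backup.reg" /y | Out-Null
(Get-Acl -Path $keyPath).Sddl | Set-Content -Path "$backup.sddl"

# 2. Take ownership (Administrators) so the DACL can be edited regardless of
#    who currently owns the key.
$acl = Get-Acl -Path $keyPath
$acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
Set-Acl -Path $keyPath -AclObject $acl

# 3. Stop inheriting from the parent (keeping copies of the inherited entries),
#    drop every existing MpsSvc entry and add a single read-only one.
$acl    = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $true)
$mpssvc = [System.Security.Principal.NTAccount]'NT SERVICE\MpsSvc'
foreach ($rule in @($acl.Access | Where-Object { $_.IdentityReference -eq $mpssvc })) {
    [void]$acl.RemoveAccessRule($rule)
}
$readOnly = New-Object System.Security.AccessControl.RegistryAccessRule(
    $mpssvc,
    [System.Security.AccessControl.RegistryRights]::ReadKey,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($readOnly)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Show the resulting ACL. MpsSvc should now appear with ReadKey only; if
#    another entry on the key (e.g. LOCAL SERVICE) still grants write access,
#    restrict it the same way.
Get-Acl -Path $keyPath | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize

# 5. Check from the caller's side: creating a rule through the service is
#    expected to fail now instead of silently succeeding.
try {
    New-NetFirewallRule -DisplayName 'acl-test-rule' -Direction Outbound -Action Block `
        -Program 'C:\nonexistent\acl-test.exe' -ErrorAction Stop | Out-Null
    Write-Warning 'Rule was created: the ACL change did not take effect.'
    Remove-NetFirewallRule -DisplayName 'acl-test-rule'
} catch {
    Write-Host "Rule creation blocked as intended: $($_.Exception.Message)"
}
```

To revert, import the `.reg` backup and restore the saved descriptor with `$acl = Get-Acl $keyPath; $acl.SetSecurityDescriptorSddlForm((Get-Content "$backup.sddl")); Set-Acl $keyPath $acl`. Note what this does and does not buy you: it stops rule writes made through the service, including ones you make yourself until you undo it, but anything already running elevated can take ownership back and restore the ACL exactly as this script did, which is the point the later posts in the thread make.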

Kamer

New Member
With outbound protection starting in Vista, third-party software firewalls would "increase the attack surface." I'd guess Microsoft didn't offer simple outbound protection notifications and easy rule-making because of the anti-trust issues.
TPSC is usually good, so I have no idea where this is coming from.
 

cruelsister

Level 36
Verified
Trusted
Content Creator
Hi Guys! If you will allow me to add something: I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Windows 10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasties like keyloggers or Bankers that must connect out to do the damage.

M
 

Local Host

Level 21
Verified
Hi Guys! If you will allow me to add something: I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Windows 10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasties like keyloggers or Bankers that must connect out to do the damage.

M
The command the malware uses can add, enable and disable rules to both Inbound and Outbound rules without any popups.
 
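Since, as the two posts above say, a rule can be added, enabled or disabled without any popup, the practical check is to read the firewall's own change log afterwards. The following is an added example (not code from the original posts or from the video discussed): it pulls rule additions, modifications and deletions, plus profile setting changes, from the "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" event log and shows which user and which program made each change. It assumes an elevated session; the EventData field names are read generically from each event's XML, so a field that is absent in a given event simply yields an empty column.

```powershell
# Added example, not from the original posts: list Windows Firewall rule
# changes from the firewall's operational log. Every add/modify/delete is
# recorded there even when no popup was shown to the user.
# Event IDs in 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall':
#   2003 profile setting changed, 2004 rule added, 2005 rule modified, 2006 rule deleted.
function Get-FirewallRuleChange {
    [CmdletBinding()]
    param(
        [datetime]$Since   = (Get-Date).AddDays(-7),
        [int[]]   $EventId = @(2003, 2004, 2005, 2006)
    )
    $kind = @{ 2003 = 'setting changed'; 2004 = 'rule added'; 2005 = 'rule modified'; 2006 = 'rule deleted' }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = $EventId
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the <EventData><Data Name="..."> pairs into a hashtable so the
        # fields can be looked up by name without depending on their order.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Change      = $kind[$_.Id]
            RuleName    = $data['RuleName']
            Application = $data['ApplicationPath']
            Direction   = $data['Direction']    # raw value; $_.Message shows it resolved
            Action      = $data['Action']
            ModifiedBy  = $data['ModifyingUser']
            ModifiedVia = $data['ModifyingApplication']
        }
    }
}

# Everything that changed in the last day.
Get-FirewallRuleChange -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize

# Which programs have been editing rules over the default window: anything
# that is not the firewall console, netsh, or an installer you recognise
# deserves a closer look.
Get-FirewallRuleChange | Group-Object ModifiedVia | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The second query is the one worth running after a suspect install: a rule written by an unfamiliar executable, or one allowing inbound traffic to a program you never installed, is exactly the case described earlier in the thread. The log only helps if it is still there, so an attacker with admin rights can clear it along with the rules; pair it with forwarding or a scheduled export if you rely on it.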

Vitali Ortzi

Level 13
Hi Guys! If you will allow me to add something: I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Windows 10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasties like keyloggers or Bankers that must connect out to do the damage.

M
We really miss your testing, Cruel Sister.
And especially your great music ;).
 