App Review Why you shouldn't use Windows Firewall

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Local Host

The malware created an inbound rule. Enabling this option would nullify the rule created by the malware. I always disable inbound connections no matter which Firewall I use, since I don't need them, nor do 99% of average users.
Incoming new connections are blocked, but established traffic through outbound will allow the incoming half of that exchange (else you would lose Internet access).

In the case of malware you would be exposed either way (unless you restrict access to the Firewall like I stated, or use a Hardware Firewall); the Firewall is not meant to detect and stop malware running on your machine.
 
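Added illustration, not the poster's own commands: the "disable inbound connections" switch described in the post above, done from an elevated PowerShell with the built-in NetSecurity cmdlets (Windows 8.1 and later). The cmdlets and property names are the module's own; the helper function name is mine.

```powershell
# Added example, not from the thread: the profile-level "block all incoming
# connections" switch Local Host describes, using the built-in NetSecurity
# cmdlets. Run from an elevated PowerShell on Windows 8.1 / 10 / 11.

# 1. Where each profile stands. DefaultInboundAction=Block only decides the fate of
#    traffic that matches no rule, so an inbound Allow rule dropped in by malware
#    is still honoured at this level.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowInboundRules |
    Format-Table -AutoSize

# 2. The GUI checkbox "Block all incoming connections, including those in the list
#    of allowed apps" is AllowInboundRules=False. Inbound Allow rules are ignored
#    on that profile, while replies to connections this host opened itself still
#    pass, because the firewall tracks connection state.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -AllowInboundRules False

# 3. Verify, then review what the switch has just neutralised: every enabled inbound
#    Allow rule, with the program or service it is bound to. An entry you do not
#    recognise is worth investigating rather than just leaving in place.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Profile = "$($_.Profile)"
                Program = ($_ | Get-NetFirewallApplicationFilter).Program   # path, or 'Any'
                Service = ($_ | Get-NetFirewallServiceFilter).Service       # name, or 'Any'
            }
        }
}

Get-NetFirewallProfile | Select-Object Name, AllowInboundRules
Get-InboundAllowRules | Sort-Object Program | Format-Table -AutoSize
```

The cost is the one the poster accepts: anything that must accept unsolicited connections on that profile (file and printer sharing, Remote Desktop, a local web server) stops answering. If you need one of those on a trusted network, set AllowInboundRules False on the Public profile only and keep the Private profile on the default rule evaluation.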

SeriousHoax

Incoming new connections are blocked, but established traffic through outbound will allow the incoming half of that exchange (else you would lose Internet access).

In the case of malware you would be exposed either way (unless you restrict access to the Firewall like I stated, or use a Hardware Firewall); the Firewall is not meant to detect and stop malware running on your machine.
I see. I was about to ask you what you mean by this.
You can easily stop malware (or any other program for that matter) from creating Firewall Rules without your consent, by changing the permissions on

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\
How do I change the permission from there?
 

Local Host

I see. I was about to ask you what do you mean by this?

How do I change the permission from there?
That is the path in the regedit, you can take ownership and restrict MpsSvc to read-only, or write a script to do it (Set-Acl cmdlet should do).

You can also use SubInACL to do it through CMD (if you're not a fan of PowerShell).

Even easier than that, is using the WFC.
 
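Added example, not the poster's own script: the registry-permission approach described above, done with Get-Acl / Set-Acl instead of regedit or SubInACL. The key path is the one quoted in the thread; the function names are mine. It follows the thread's idea of leaving MpsSvc (the Windows Defender Firewall service) with read access only, by adding a Deny entry for the write rights rather than editing the existing Allow entries.

```powershell
# Added example, not from the thread: make the FirewallRules key read-only for
# the firewall service (MpsSvc) so rule changes that go through the service's
# API (netsh advfirewall, New-NetFirewallRule, the GUI) are refused.
# Run from an elevated PowerShell. Key path as quoted in the thread.
#
# Caveat: any later process that also runs elevated can take ownership of the
# key and remove this entry again, which is the limitation raised later in
# the thread. This raises the bar; it is not a lock.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$svc = [System.Security.Principal.NTAccount]'NT SERVICE\MpsSvc'   # the service's own security identity

# Every right that lets a principal change rules. Read rights (QueryValues,
# EnumerateSubKeys, Notify, ReadPermissions) are deliberately left untouched so
# the service can still load the rule set at start-up.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function New-MpsSvcDenyRule {
    # A Deny ACE wins over any Allow ACE during the access check, so the default
    # Full Control entry the service holds does not have to be removed or edited.
    [System.Security.AccessControl.RegistryAccessRule]::new(
        $svc, $writeRights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Set-FirewallRulesReadOnly {
    param([switch] $Undo)   # -Undo removes the Deny entry again
    $acl  = Get-Acl -Path $key
    $deny = New-MpsSvcDenyRule
    if ($Undo) { [void] $acl.RemoveAccessRule($deny) } else { $acl.AddAccessRule($deny) }
    Set-Acl -Path $key -AclObject $acl
}

function Test-FirewallRulesReadOnly {
    # Shows the entries that apply to MpsSvc; expect a Deny row carrying the write rights.
    (Get-Acl -Path $key).Access |
        Where-Object { $_.IdentityReference -like '*MpsSvc*' } |
        Format-Table IdentityReference, AccessControlType, RegistryRights -AutoSize
}

Set-FirewallRulesReadOnly
Test-FirewallRulesReadOnly
# Restore the default behaviour with:  Set-FirewallRulesReadOnly -Undo
```

Two practical notes. If Set-Acl fails with access denied, the Administrators group does not hold WRITE_DAC on the key on that build and you have to take ownership first, as the post says. And Windows evaluates permissions when a handle is opened, so a handle the service already holds keeps working until the service reopens the key; test the effect with a throwaway `New-NetFirewallRule` rather than assuming it.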

Kamer

With outbound protection starting in Vista, third-party software firewalls would "increase the attack surface." I'd guess Microsoft didn't offer simple outbound protection notifications and easy rule-making because of the anti-trust issues.
TPSC is usually good, so I have no idea where this is coming from.
 

cruelsister

Hi Guys! If you will allow me to add something: I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Win10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasties like keyloggers or Bankers that must connect out to do the damage.

 

Local Host

Hi Guys! If you will allow me to add something: I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Windows 10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasties like keyloggers or Bankers that must connect out to do the damage.

The command the malware uses can add, enable and disable both Inbound and Outbound rules without any popups.
 
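Added example, not from the thread: the silence the post above describes is only at the desktop. The firewall service still writes Security-log events for every rule it adds, changes or deletes once the "MPSSVC Rule-Level Policy Change" audit subcategory is enabled, and a saved rule inventory catches changes made before auditing was switched on or made by something that writes the registry key directly. The event IDs and subcategory name are Windows'; the function names and the baseline file path are mine.

```powershell
# Added example, not from the thread: catch silent firewall rule changes.
# Run from an elevated PowerShell.

# 1. Audit firewall policy changes. Idempotent, so safe to run on every boot.
#    Event IDs written by the firewall service (Security log):
#      4946 rule added   4947 rule modified   4948 rule deleted   4950 setting changed
auditpol.exe /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable | Out-Null
$ruleChangeIds = 4946, 4947, 4948, 4950

function Get-FirewallRuleChanges {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ruleChangeIds; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten every EventData field (RuleName, RuleId, ProfileChanged, ...) into
            # one object instead of hard-coding the field names per event ID.
            $x   = [xml] $_.ToXml()
            $obj = [ordered]@{ Time = $_.TimeCreated; Id = $_.Id }
            foreach ($d in $x.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
            [pscustomobject] $obj
        }
}

# 2. Baseline and diff of the rule set itself. Enum properties are stringified so
#    the inventory round-trips through CLIXML and compares cleanly.
$baselinePath = "$env:ProgramData\fw-rules-baseline.xml"   # assumed location

function Get-FirewallRuleInventory {
    Get-NetFirewallRule | Select-Object Name, DisplayName,
        @{ n = 'Direction'; e = { "$($_.Direction)" } },
        @{ n = 'Action';    e = { "$($_.Action)" } },
        @{ n = 'Enabled';   e = { "$($_.Enabled)" } },
        @{ n = 'Profile';   e = { "$($_.Profile)" } }
}

function Save-FirewallRuleBaseline { Get-FirewallRuleInventory | Export-Clixml -Path $baselinePath }

function Compare-FirewallRuleBaseline {
    # '=>' rows exist only now (added or changed), '<=' rows only in the baseline (deleted or changed).
    $old = Import-Clixml -Path $baselinePath
    Compare-Object -ReferenceObject $old -DifferenceObject (Get-FirewallRuleInventory) `
                   -Property Name, Direction, Action, Enabled, Profile -PassThru |
        Select-Object SideIndicator, DisplayName, Direction, Action, Enabled, Profile
}

if (-not (Test-Path $baselinePath)) { Save-FirewallRuleBaseline }
Get-FirewallRuleChanges | Format-Table -AutoSize
Compare-FirewallRuleBaseline | Format-Table -AutoSize
```

The two halves cover different gaps: the audit trail names the rule and profile but only from the moment auditing is on, while the diff has no timestamps but also sees rules that appeared while the log was off or was cleared. Re-save the baseline after you change rules yourself, otherwise your own edits show up as findings.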

Vitali Ortzi

Hi Guys! If you will allow me to add something: I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Windows 10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasties like keyloggers or Bankers that must connect out to do the damage.

We really miss your testing Cruel Sister.
And especially your great music ;).
 
