App Review Why you shouldn't use Windows Firewall

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
L

Local Host

The malware created an inbound rule. Enabling this option would nullify the rule created by the malware. I always disable inbound connection no matter which Firewall I use since I don't need it nor 99% average users.
View attachment 240940
Incoming new connections are blocked, but established traffic through outbound will allow the incoming half of that exchange (else you would lose Internet access).

In the case of malware you would be exposed either way (unless you restrict access to the Firewall like I stated, or use a Hardware Firewall), the Firewall is not meant to detect and stop malware running on your machine.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Incoming new connections are blocked, but established traffic through outbound will allow the incoming half of that exchange (else you would lose Internet access).

In the case of malware you would be exposed either way (unless you restrict access to the Firewall like I stated, or use a Hardware Firewall), the Firewall is not meant to detect and stop malware running on your machine.
I see. I was about to ask you what do you mean by this?
You can easily stop malware (or any other program for that matter) from creating Firewall Rules without your consent, by changing the permittions on

Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\
How do I change the permission from there?
 
L

Local Host

I see. I was about to ask you what do you mean by this?

How do I change the permission from there?
That is the path in the regedit, you can take ownership and restrict MpsSvc to read-only, or write a script to do it (Set-Acl cmdlet should do).

You can also use SubInACL to do it through CMD (if you not a fan of Powershell).

Even easier than that, is using the WFC.
 
Last edited:

Kamer

Level 1
Nov 6, 2019
13
With outbound protection starting in Vista, third party software firewalls would "increase the attack surface." I'd guess
Microsoft didn't offer simple outbound protection notifications and easy rule-making because of the anti-trust issues.
TPSC is usually good, so I have no idea where this is coming from.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Hi Guys! If you will allow me add something- I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Win10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasities like keyloggers or Bankers that must connect out to do the damage.

M
 
L

Local Host

Hi Guys! If you will allow me add something- I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Windows 10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasities like keyloggers or Bankers that must connect out to do the damage.

M
The command the malware uses can add, enable and disable rules to both Inbound and Outbound rules without any popups.
 
Last edited:

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
Hi Guys! If you will allow me add something- I think that the essential points of this video are quite valid and shouldn't be overlooked:

1). WF at the default level will not alert one to potentially malicious Outbound connections, and
2). WF can be manipulated by a (potentially) malicious file.

1a). As to the first point, one can bring up the fact that Rules can be added to WF to reduce the risk of any malicious Outbound contact, but such addition of rules can be negated by the second point:
2a). It really isn't a big deal to create a FUD file that can either add/delete WF rules, or even easier disable WF entirely (even on Windows 10). All that is needed is to convert a simple script to run Elevated.

Easy, Easy...

So although there is no great need to stop using WF, it is a Best Practice to add something else that can protect one from nasities like keyloggers or Bankers that must connect out to do the damage.

M
We really miss your testing Cruel Sister .
And especially your great music ;).
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top