Q&A Windows 11: What processes necessarily need connection or access to the network?

Decopi

Level 3
Thread author
Oct 29, 2017
146
If someone needs more insight - I am happy to help. :D

@valvaris, a question, please:

Let's focus only on firewall functions.
But let's separate PRIVACY from SECURITY firewall functions.
And let's focus only on SECURITY firewall functions (or security benefits etc.).

In this context, considering that 90% of security issues come from internet connections (mainly browsing + webpages), and considering that browsing + webpages have free "IN" & "OUT" firewall connections, and considering that only specific software (antivirus, blocker extensions/add-ons, blocked downloads etc.) is capable of monitoring browsing + webpages (from a security point of view)... in this specific context, it seems to me that firewall functions are useless... am I wrong? For example, without security software (antivirus, blockers, hardened browser settings etc.), firewalls are totally useless against dangerous JavaScript or malicious scripts (inside webpages).

If I'm right, in terms of security, firewalls are almost useless.
I say "almost" because firewalls can block app, program, macro, cmd or powershell etc. "OUT/IN" connections, avoiding/blocking tons of threats. But the real danger remains in browsing + webpages, which is the source of 90% of security problems, and where firewalls are almost useless.

Am I wrong?
 

valvaris

Level 5
Verified
Well-known
Jul 26, 2015
243
Hello @Decopi

There is a stark difference in terms of Firewalls!
============ Network Protection ====================
---------------- Basic SPI Firewall ------------ (Layer 3 - 4) --- Depends on manufacturer and/or license!
Stateful Packet Inspection
Wiki -> Stateful firewall - Wikipedia

--------------- NG Firewall ------------------ (Layer 3 - 7) --- Depends on manufacturer and/or license!
Next Generation Firewall
Uses DPI - SSL Inspection
Wiki -> Next-generation firewall - Wikipedia
=================================================

============= Client Protection =====================
Only Works if PC is ON!
---------------- OS Firewall [Windows] ---------- (Layer 4 - 7)
Application Firewall
It also depends on what software you use: some work with Windows Firewall and others install drivers to forward traffic to their own engine.
=================================================

A good hardware firewall is the first line of defense! [Also called an edge device!]
Because it sits at the edge of the network, connecting your network with the World Wide Web (LAN - WAN).
It depends on the network admin and the manufacturer of the device.

WAN to LAN
The first default rule is: Deny all incoming traffic! - With that alone, nobody can connect to any of your devices.

LAN to WAN
The second rule is a TEST rule with logging: to see what is needed for the network to be productive.
Otherwise, it can be done with strict rules!!!
Allow only HTTP, HTTPS, DNS and NTP - everything else that is blocked can be opened by the admin if necessary!!!

NOW the NG tech comes into play, and that is where an enormous difference comes in to firewalling at the edge!
Because now we can look inside SSL traffic and, depending on the manufacturer, DPI - ATP - IPS and so on can be implemented.
And YES, a NG firewall can identify bad traffic from the network and block it!
Example: if Command and Control traffic is seen by the NG firewall, it will kill that session and could isolate the device.
Also, it is capable of scanning for malware before the download even hits the PC, and much more...

The first line of defense also needs a second line where it can work together and that is Endpoint Protection.
The best example I have is Sophos:

Sophos XGS Firewall (Hardware) ---> [Endpoint/Client/Server] Sophos Intercept X Adv. (With XDR or MTR) Depends on the customer

This setup will, for example, do a heartbeat to the firewall security system and Sophos Central services, and if something goes bad the firewall will isolate that system and the infected system will try to clean itself. If all goes well, it can rejoin the network.

For the home user what does that mean?!
---- Anti-virus suite (I cannot recommend one for home users!) [Why? Bloatware - VPN - file shredder - and so on...]
---- The ISP router or gamer router (to be honest, a pfSense Community Edition or OPNsense is a must have!!!) <- Lots more transparent about what is going on in your home network.

To answer your question in a short way: A Hardware Firewall Appliance gives you way more security if configured correctly!

Best regards
Val.
 

Decopi

Level 3
Thread author
Oct 29, 2017
146
To answer your question in a short way: No even a Hardware Firewall Appliance gives you way more security if configured correctly!

Thank you @valvaris.

I apologize because I wasn't clear in my previous message. My question was specific about what you call "Client Protection" (I was referring only to firewall as software: Windows Firewall, third-party firewalls etc installed on client/user computers). I know the different types of firewall (that you kindly described in your last post). But again, my question was specifically about firewalls installed as software on client/user computers.

Anyway, your final sentence answered my question. In short, in a hypothetical scenario where there is only a firewall (software) as a SECURITY measure on the client/user computer, browsing/webpage protection is almost nil. Firewall (as software installed on the client/user computer) serves only to improve PRIVACY (blocking telemetry), and in best scenario serves for SECURITY only for some apps and programs (blocking "IN/OUT" connections).

Browsing/webpages, which is the major source of threats, requires another type of SECURITY measure. For example, if in the firewall (software) the svchost.exe process has the "IN/OUT" enabled for ports 80, 443, 123 and 53 (required for browsers and basic Windows functions), then any (browsing/webpage) malware or malicious script can find a way to use these ports. Firewall (as software installed on the client/user computer) can't monitor Internet traffic that was allowed/enabled for other processes.
 

valvaris

Level 5
Verified
Well-known
Jul 26, 2015
243
You are Welcome @Decopi

On that part, a yes and no - why both?

We're talking about client mitigation and what you could do to harden your OS - [Windows centric]

Configure Windows Defender with GPO and Settings - To Mitigate against rogue software or even remote execution.

An effortless way to do that is -> Hard_Configurator - Windows Hardening Configurator


HUGE MENTION: @Andy Ful <- Makes life with Windows built-in tools a hundred times easier :D

In terms of traffic analysis - Huntress could help, but it is only available for SMB and up...

A tool where you can monitor traffic with analytics - I do not know a tool that does that in a meaningful way! - Hope someone here at the MalwareTips community has an idea; I for sure would jump to evaluate that some more... ^^

One app I have been looking into that has incredibly detailed realtime connection monitoring is Safing Portmaster -> Safing Portmaster
[WARNING Software is in Alpha!]

Hope it gives you more incentive to look deeper in the rabbit hole. ^^

Best regards
Val.
 

Decopi

Level 3
Thread author
Oct 29, 2017
146

Thanks again @valvaris.

Yep, I know that a firewall (software) can be hardened. But the firewall (software) itself can't be hardened when processes are IN/OUT enabled, which is the case for svchost.exe or browsers using ports (80, 443, 53, 123 etc.). Once enabled, the firewall (software) can't monitor IN/OUT traffic over these processes/ports.

And I totally understand that firewall is just a layer, it never will be the whole privacy/security solution.
As a layer, firewall always will need other layers (or hardened settings like GPO etc).
And I do value firewall (software) layer as a PRIVACY protection (blocking telemetry) and apps/programs SECURITY protection (blocking IN/OUT).
But all my questions to you were focused on trying to understand firewall (software) limitations for enabled IN/OUT processes/ports.

I know some firewalls (software) where svchost.exe can be allowed only for specific processes (Windows Update, NTP, DNS, browsers etc.). But what I learnt from different forums (where I asked for help) is that malware/malicious scripts can use any process/port already enabled in the firewall (software, including third-party firewall software). Even if svchost/browsers have hardened firewall settings... malware/malicious scripts can find a way to have an IN/OUT connection.
My intention was to understand if a firewall (software) can monitor/control enabled IN/OUT processes/ports by blocking malware/malicious connections.
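As an added example (not from this thread and not code from any product named in it), the following PowerShell audits which enabled outbound Windows Firewall rules let svchost.exe out and whether each is scoped to a Windows service or to "Any", and then shows what the service-scoped rules Decopi mentions look like for the ports discussed (80/443, 53, 123). It assumes an elevated PowerShell on Windows 10/11 with the built-in NetSecurity cmdlets; the service names (wuauserv, Dnscache, W32Time) are the standard Windows ones, and the rule display names are placeholders of my own.

```powershell
# Added audit/hardening sketch, not from the thread. Run elevated on Windows 10/11.
$svchost = "$env:SystemRoot\System32\svchost.exe"

# 1. Audit: every enabled outbound Allow rule that names svchost.exe, with the
#    service it is scoped to. Service = "Any" is the blanket allowance the thread
#    describes: any service hosted in svchost.exe may use that port.
function Get-SvchostOutboundRules {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            if ($app.Program -notlike '*svchost.exe') { return }   # skip other programs
            $svc  = $_ | Get-NetFirewallServiceFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Service    = $svc.Service                 # "Any" = not service-scoped
                Protocol   = $port.Protocol
                RemotePort = ($port.RemotePort -join ',')
            }
        }
}

Get-SvchostOutboundRules | Sort-Object Service | Format-Table -AutoSize

# 2. Harden: service-scoped rules for the thread's port list. Placeholder names
#    ("Hyp ..."). Real deployments need more services (e.g. BITS, DoSvc for
#    Windows Update) and TCP 53 for large DNS answers; review step 1 first.
$scoped = @(
    @{ Name = 'Hyp svchost WU';  Service = 'wuauserv'; Protocol = 'TCP'; Port = 80, 443 },
    @{ Name = 'Hyp svchost DNS'; Service = 'Dnscache'; Protocol = 'UDP'; Port = 53 },
    @{ Name = 'Hyp svchost NTP'; Service = 'W32Time';  Protocol = 'UDP'; Port = 123 }
)
foreach ($r in $scoped) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
        -Program $svchost -Service $r.Service -Protocol $r.Protocol `
        -RemotePort $r.Port -Profile Any | Out-Null
}

# 3. Only after every program you rely on has its own Allow rule: make the
#    default outbound action Block, so unlisted processes get nothing.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
```

Even with service-scoped rules the host firewall only decides which process and service may reach which port; it does not inspect what an allowed service or browser sends, which is exactly the limitation this thread is about.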
 

valvaris

Level 5
Verified
Well-known
Jul 26, 2015
243
None that I know of in the consumer space.

I just know of one solution, Sophos Intercept X Advanced (Corp. only, SMB and up...) - it uses multiple technologies to investigate traffic and manages Windows Firewall.
- Web-Protection
- Web-Control
- Malicious Traffic Detection for all non-Browser Applications
- ML ML-PUA Reputation
- Download Reputation
- and lots more...

Sophos Intercept X Advanced with XDR for even more Control, Monitoring and Reporting.

That stuff is in theory total overkill, but it also should be a part of home PC security! The thing is that such software is not built for high performance, where for example a gamer would scream "Where are my FPS?"

You will have to compromise: Usability - Security - Cost

I use, for example: F-Secure "With Secure" EPP for computer. (Gives nice insight into the Windows firewall, and you can configure it more granularly.)

Sincerely
Val.
 

Decopi

Level 3
Thread author
Oct 29, 2017
146

@valvaris, as usual, great explanations and great help. Thank you, always.

For a long time CF (Comodo Firewall) @cruel settings was a kind of solution for me (not perfect nor complete, but more than enough for me).
However, unfortunately Comodo became abandonware, two years accumulating lots of bugs, and no sign of hope for the future.

As a replacement, I'm testing WiseVector, which recently added a firewall function.
As an antivirus/antimalware, IMHO WV is a very solid option. But the firewall, nah, too basic. Also, WV firewall functions are not independent (which is very bad), so other WV settings may affect firewall tasks.

I'm not ignoring all the other external privacy/security layers you described in your messages.
But I'm not focused on myself; I'm interested in software that average users can install + is friendly to use + doesn't hurt computer/device performance + freeware if possible + offering the maximum privacy/security protection. That's the reason I'm focusing on software like WV, CF etc.

Recently I discovered Safing PortMaster (Safing Portmaster): 1) It's open source; 2) Freeware; 3) It works at kernel level; 4) It supports wildcards; 5) It supports filter-lists; 6) It's incredibly granular; 7) It's very lightweight, without visible performance impact; 8) DNS encryption; 9) VPN on steroids; 10) Etc (other benefits).
CF still has the sandbox (Containment) as a big plus. But IMHO PortMaster has the potential to become a CF replacement.

None of the software mentioned above solves the enabled IN/OUT processes/ports problem I was talking about.
But for average users + freeware + lightweight + etc, compared to other similar software, perhaps WV + PortMaster might be a good combo.
 