App Review Windows Defender Firewall critique- Part 1

Content created by Ophelia
I like this short description:

Windows Firewall vs. Third-Party Firewalls

Windows Firewall is a robust security feature, but some users may consider using third-party firewalls for enhanced protection. Third-party firewalls offer additional features and customization options that may cater to specific security needs. They often include advanced intrusion detection and prevention systems, application control, and more granular control over network connections.

However, it is worth noting that third-party firewalls can be more complex to set up and manage, requiring additional resources and potentially introducing compatibility issues. Windows Firewall, being integrated into the operating system, offers a seamless and less resource-intensive solution for most users.

In conclusion, Windows Firewall is a capable security feature that provides essential protection against unauthorized access and common network threats. It is a user-friendly solution that is easy to configure and offers a reliable level of security for everyday users. While it may have limitations, such as limited outbound protection and potential conflicts with third-party applications, it remains a valuable asset in defending your computer against network-based threats.


It is also worth mentioning that Windows Firewall can be enhanced via GlassWire, Windows Firewall Control, Simplewall, etc.
At home, one can also apply block rules for popular LOLBins.
If one uses Microsoft Defender, outbound connections via phishing or malicious URLs can be monitored via Network Protection (a part of ASR protection).
If I recall correctly, it is possible to use Windows Firewall with Comodo Firewall, but I am unsure how sensible it could be (using one of them looks more sensible).
Of course, Windows Firewall only blocks inbound connections by default. It can be set up to block both inbound and outbound. An easy way to do so, as Andy mentioned above:


As for malware disabling Windows Firewall, I guess that's where other protections are necessary.
 
I also wonder how effective the products that rely on and harden WF, like Trend Micro, F-Secure, Avira and Emsisoft, are.

When looking at the test results of MRG Effitas (Microsoft Defender Enterprise with ASR rules), the protection is similar (slightly better in recent tests) to Avira and Trend Micro.
But, the results for Windows Firewall on default settings will be significantly worse (Network Protection and ASR rules disabled).
 
When looking at the test results of MRG Effitas (Microsoft Defender Enterprise with ASR rules), the protection is similar (slightly better in recent tests) to Avira and Trend Micro.
But, the results for Windows Firewall on default settings will be significantly worse (Network Protection and ASR rules disabled).
Regarding Emsisoft, this is what they said after they dropped support for their internet security version and started using WF.

 
If I recall correctly, it is possible to use Windows Firewall with Comodo Firewall, but I am unsure how sensible it could be (using one of them looks more sensible).
Comodo Firewall doesn't technically disable WF when installed. The security centre just states it as not active, but you can still apply WF rules, like your WFH blocking of LOLBins, and they will work with CF installed.

 
Out of 10 recommendations (professional or amateur) about using more than one firewall at the same time, 9 unequivocally confirm that NO more than one firewall should ever be used on a system. For people who do not understand this, I respectfully suggest that they not be selective and not seek only those opinions that fit their beliefs, but be objective and inform themselves by looking for all the correct information.
The majority is not always right, especially when they use the same source. A firewall is not an AV. Everyone literally uses multiple firewalls, like routers and other devices; WF is just the last one.
Even a single firewall is like multiple firewalls when it filters network packets and then apps, like Comodo Firewall: the packet is simply held/blocked until it is inspected by the next firewall/user.
The Windows firewall is 100% customizable, and can block 100% of any kind of IN or OUT connection, there is not the slightest need for a third party firewall.
Yes, it can block anything and any app or malware with admin rights can remove those rules at will. According to MS, it is not a vulnerability, it is by design, it is all about endpoint security. 🤷‍♂️
Comodo Firewall doesn't technically disable WF when installed. The security centre just states it as not active, but you can still apply WF rules, like your WFH blocking of LOLBins, and they will work with CF installed.

Thanks. So, using two firewalls installed in Windows is possible. But, I agree with @Decopi that it is not recommended for most users (we already use 2 firewalls because the basic firewall is in the router).
 
Routers, at least the type found in homes, will only block inbound, which any old firewall will do by default. What's more important is the ability to block outbound, and Windows Firewall, as well as most 3rd-party firewalls, can be configured to do so. Even the simple built-in firewall in Linux can block outbound, but it cannot do so for selected applications. The rules apply to all applications seeking outbound access. Still, it's better than using inbound blocking only.

The problem faced by most people who want to use outbound filtering is whether they know how to set up the rules to restrict applications to:

  1. Protocol
  2. Remote Port(s)
  3. Remote IP address(es)
I would bet that most people allowing an application outbound freedom will simply allow out to: Any, Any, Any. This is obviously not the most restrictive, which would be to allow the selected application only what is necessary, but at least, as long as they have Block and Alert/Don't Alert for any process attempting outbound access that no rule exists for, it is still better than no outbound control at all.

Btw, using a multiple firewall setup consisting of a router and application firewall is perfectly fine, and I'd go so far as to say recommended, as the router will block all kinds of unnecessary Internet "noise" from reaching the application firewall. The router is just separate hardware which has no interaction with the OS. The problem is trying to use two or more application firewalls together. Not a good idea.
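The three-part restriction just described (protocol, remote ports, remote addresses), plus the block rules for LOLBins mentioned earlier in the thread, as an added example in PowerShell that is not from the thread or any of the tools named in it. The application path, the address list and the rule names are placeholders; run it in an elevated session.

```powershell
# Added example, not from the thread. Needs an elevated PowerShell session on Windows.
# Assumed/placeholder values: the application path, and the remote addresses (documentation range).
$app     = 'C:\Program Files\ExampleApp\example.exe'   # hypothetical program
$allowed = @('203.0.113.10', '203.0.113.0/24')          # constructed remote addresses

# 1. Default outbound action becomes Block on every profile, and blocked packets are logged,
#    so later rules can be written from the log rather than as "Any, Any, Any".
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Allow the application out only on the protocol, remote port and remote addresses it needs.
New-NetFirewallRule -DisplayName 'ExampleApp outbound HTTPS' -Direction Outbound `
    -Program $app -Protocol TCP -RemotePort 443 -RemoteAddress $allowed `
    -Action Allow -Profile Any -Enabled True | Out-Null

# 3. A block rule of the LOLBin kind: a system binary that has no business reaching the Internet.
New-NetFirewallRule -DisplayName 'Block mshta.exe outbound' -Direction Outbound `
    -Program '%SystemRoot%\System32\mshta.exe' -Action Block -Profile Any -Enabled True | Out-Null

# 4. Verify the rule from its filters rather than from the GUI summary.
$rule = Get-NetFirewallRule -DisplayName 'ExampleApp outbound HTTPS'
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
$rule | Get-NetFirewallPortFilter        | Select-Object Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter     | Select-Object RemoteAddress
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked
```

Because any process with admin rights can remove these rules, as noted later in the thread, the log file and a periodic re-check of step 4 are what tell you the rules are still in place.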
I would bet that most people allowing an application outbound freedom will simply allow out to: Any, Any, Any.
MS sure made it difficult by forcing store apps to change location with each update. I tried the feedback, but instead of addressing the issue, they attacked me for posting my spam email. 🙄
 
But IMHO, these third-party firewalls are NOT better than WF in terms of security,...

Interesting, because I remember many years ago during Windows Vista days, I would sometimes pm, in another forum, a firewall expert who said that Windows firewall did an excellent job in terms of the way it handled and inspected packets for abnormalities, better than most 3rd-party firewalls. In fact he was disappointed with the way most application firewalls did so. Too bad he stopped participating in the forum long ago.
 
Usability is the focus for average-Joe, and in this case it is NOT recommended to install more than a single firewall + router.
Average Joe has no say here, because he does not even know if he has an AV installed, let alone a firewall.
They usually only care about a firewall to deal with a single issue, like blocking an app, tracking. Like this:
 
As a comment to the video, I would venture to say that:
  • The current Windows default protection would have been "enough" (in a @cruelsister sense) 20 years ago, which will also be true in the next 10 years.
    The cybercriminal industry is developed enough to adjust the weapons and bypass Windows default protection.
  • For average users, any usable security on Windows will not be "enough". This is true because on Windows, "usable" means also "convenient" and "widely opened for new stuff". The "enough" default protection can be found on Linux or iOS (not so usable and widely opened).
 
Regarding Emsisoft, this is what they said after they dropped support for their internet security version and started using WF.

Now it seems this is no longer applicable for the new version of Emsisoft. I went to Behaviour Blocker component and there is no option to edit the rules except for "Trust, Monitor, or Block". You can't edit custom rules.
