App Review Windows Defender Firewall critique- Part 1

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Ophelia

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,545
As a comment to the video, I would venture to say that :
  • The current Windows default protection would have been "enough" (in a @cruelsister sense) 20 years ago, which will also be true in the next 10 years.
    The cybercriminal industry is developed enough to adjust the weapons and bypass Windows default protection.
  • For average users, any usable security on Windows will not be "enough". This is true because on Windows, "usable" means also "convenient" and "widely opened for new stuff". The "enough" default protection can be found on Linux or iOS (not so usable and widely opened).
 
Last edited:

Decopi

Level 8
Verified
Oct 29, 2017
361
Interesting, because I remember many years ago during Windows Vista days, I would sometimes pm, in another forum, a firewall expert who said that Windows firewall did an excellent job in terms of the way it handled and inspected packets for abnormalities, better than most 3rd-party firewalls. In fact he was disappointed with the way most application firewalls did so. Too bad he stopped participating in the forum long ago.

Your comment is excellent.

Windows is far from perfect (no software is perfect). But what is wrong, is to criticize Windows (or its firewall), confusing “security” with “usability”. It is not true that Windows is not secure only because of flaws in its programming. Windows is not secure, mainly because its “default” mode is focused on “usability” (average-Joe).

And it is a manipulation to talk about Windows “default” comparing it with third-parties that are blockers or that have settings/configurations not focused on “usability” (it's like comparing tomatoes with bananas). In order to make this comparison, you have to equal the level of the mode of the software (Windows have to be customized for blocking). I repeat, "default" mode of third-party software in not the same "default" mode of Windows.

And Windows in blocking mode has no software that can compete with it. The third-parties software, whether firewall or antivirus, are not better in security than Windows, some are better because they have a user-friendly GUI, or because their default mode is more advanced and manage to automate some protections etc, but for average-Joe, Windows is good enough.

In my case I don't use Windows Defender nor Windows Firewall because I'm not an average user, and because I'm interested in hardware performance. But it would be irresponsible from my side to induce average users to use the software and settings that I use.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Regarding Emsisoft, this is what they said after they dripped support for their internet security version and started using WF.

Now it seems this is no longer applicable for the new version of Emsisoft. I went to Behaviour Blocker component and there is no option to edit the rules except for "Trust, Monitor, or Block". You can't edit custom rules.

Screenshot 2024-08-25 212929.png
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
It is very important to mention that nowadays, the firewall is on your router. The router is one of the “doors” in terms of traffic and attacks, and it is important to invest in a device from a reputable manufacturer.
This is the firewall that will be responsible for dropping packets and connections that are coming unexpectedly, out of the blue and are undesired, uninitiated, and this is the firewall that will attempt to “hide” the network from hackers discovery attempts.

The software firewalls installed in operating systems nowadays plays very minimal role in the overall protection.
The main benefits are:
  • Protecting device from internal threats, such as other compromised devices (laptops, desktops, IoT, etc).
  • Optionally fully hiding the device from the network, when it is shared (for example, shared accommodation).
  • Privacy protection: controlling specific programmes when users want for example, to limit the amount of telemetry being sent.
  • Could assist in blocking attacks such as reverse shell attacks coming from the internal network
More important than the firewall and frequently overlooked is, controlling and inspecting the traffic already allowed by firewall, for threats. Blocking connections to malicious domains and IP addresses and using signatures to identify attacks and exploits (IPS).

There is no need to overcomplicate the software firewall, better look at the things mentioned above.
 

Shiz

Level 2
Verified
Nov 16, 2018
53
If the Windows firewall can be disabled so easily, it might not be worth relying on. Many of your security measures become ineffective if a rogue application can simply turn it off. It would be problematic if your antivirus software didn’t catch such threats. To avoid putting all your eggs in one basket, consider using a third-party firewall. While hardware firewalls like OPNSense and FortiGate offer excellent protection, they can be expensive and require advanced configuration skills, which is why most regular users don’t have one at home. Just remember your regular home router is probably not set up or have the capability to block outbound traffic.
 

zidong

Level 2
Jul 15, 2024
67
What's more important is ability to block outbound
Isn't it the opposite? If you have installed a program that you trust, does it matter if it connects outside - video and audio players, games, messengers, torrent clients? If the program is malicious then you are f*ck3d even if all antivirus scanners reports no infection. The first thing I will do is a clean installation, changing passwords and enable 2fa. So who cares for outbound, when your pc is compromised? You'll have to do a clean install anyway and change your passwords.

About the test...are all protection modules turned off except the windows firewall? If yes then this test is more useless than TPSC's tests. I'm interested in prevention, not the other way around.
 
  • Like
Reactions: Decopi

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
Isn't it the opposite? If you have installed a program that you trust, does it matter if it connects outside - video and audio players, games, messengers, torrent clients? If the program is malicious then you are f*ck3d even if all antivirus scanners reports no infection.

Yes for safe applications it's necessary to allow them to connect out when they need to, but for a malicious process, a firewall configured at default-deny can and should block the outbound attempt by the malicious process, thereby at least least preventing exfiltration of your personal data. The key to setting up the firewall is to use: Default-deny. Block all attempts by all programs, and create rules only for safe programs that require outbound comms.
 
  • Like
Reactions: Decopi

Decopi

Level 8
Verified
Oct 29, 2017
361
Yes for safe applications it's necessary to allow them to connect out when they need to, but for a malicious process, a firewall configured at default-deny can and should block the outbound attempt by the malicious process, thereby at least least preventing exfiltration of your personal data. The key to setting up the firewall is to use: Default-deny. Block all attempts by all programs, and create rules only for safe programs that require outbound comms.

In general, I totally agree with your comment.
But comms is just the tip of the iceberg. If the device is infected, firewall can do almost nothing to solve the problem. Here a real modern antivirus/malware is needed.
Also, take the example of Comodo, an abandonware since 2017 + full of unfixed bugs... by default, Comodo Firewall allows comms for "safe files", where "safe files" is just an arbitrary list made by Comodo (last update 15 years ago). Under this category you will find SYSTEM, Windows Services, SVCHOST etc etc etc... I repeat, all allowed by Comodo default. And in real life, it's possible to find thousand of cases where virus/malware hijacked all these "safe files" allowed by Comodo, and managed to have comms. And considering that Comodo can't customize fiirewall rules for Windows Services, Svchost etc, "default deny" doesn't work here.
Again, I agree with you, I'm just complementing by saying that "default deny" is not the panacea, not for files, nor for comms. And average users have zero chance to deal with "default deny" strategies.
 
  • Like
  • +Reputation
Reactions: wat0114 and Trident

zidong

Level 2
Jul 15, 2024
67
Yes for safe applications it's necessary to allow them to connect out when they need to, but for a malicious process, a firewall configured at default-deny can and should block the outbound attempt by the malicious process
if I install program, it means that I trust their author 100%.
if I install malicious program by mistake, then I'm f*ck3d anyway.
in both cases, I doubt that the outbound firewall rules would change something.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,672
If the device is infected, firewall can do almost nothing to solve the problem.
That depends, usually a weak dropper tries to download the payload and that is where the firewall comes in, just blocking port 80 alone blocks majority of malware. Hackers do not take firewall into an account, since 99% users do not block outbound and lately there are hardly any real firewalls left. I only rely on DNS and firewall for malware protection along with some OS hardening.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top