App Review Windows Defender Firewall critique- Part 1

Content created by
Ophelia

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
As a comment to the video, I would venture to say that :
  • The current Windows default protection would have been "enough" (in a @cruelsister sense) 20 years ago, which will also be true in the next 10 years.
    The cybercriminal industry is developed enough to adjust the weapons and bypass Windows default protection.
  • For average users, any usable security on Windows will not be "enough". This is true because on Windows, "usable" means also "convenient" and "widely opened for new stuff". The "enough" default protection can be found on Linux or iOS (not so usable and widely opened).
 

Decopi

Level 8
Verified
Oct 29, 2017
361
Interesting, because I remember many years ago during Windows Vista days, I would sometimes pm, in another forum, a firewall expert who said that Windows firewall did an excellent job in terms of the way it handled and inspected packets for abnormalities, better than most 3rd-party firewalls. In fact he was disappointed with the way most application firewalls did so. Too bad he stopped participating in the forum long ago.

Your comment is excellent.

Windows is far from perfect (no software is perfect). But what is wrong, is to criticize Windows (or its firewall), confusing “security” with “usability”. It is not true that Windows is not secure only because of flaws in its programming. Windows is not secure, mainly because its “default” mode is focused on “usability” (average-Joe).

And it is a manipulation to talk about Windows "default" comparing it with third parties that are blockers or that have settings/configurations not focused on "usability" (it's like comparing tomatoes with bananas). In order to make this comparison, you have to equal the level of the mode of the software (Windows has to be customized for blocking). I repeat, the "default" mode of third-party software is not the same as the "default" mode of Windows.

And Windows in blocking mode has no software that can compete with it. Third-party software, whether firewall or antivirus, is not better in security than Windows; some are better because they have a user-friendly GUI, or because their default mode is more advanced and manages to automate some protections etc., but for average-Joe, Windows is good enough.

In my case I don't use Windows Defender nor Windows Firewall because I'm not an average user, and because I'm interested in hardware performance. But it would be irresponsible from my side to induce average users to use the software and settings that I use.
 

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Regarding Emsisoft, this is what they said after they dropped support for their internet security version and started using WF.

Now it seems this is no longer applicable for the new version of Emsisoft. I went to Behaviour Blocker component and there is no option to edit the rules except for "Trust, Monitor, or Block". You can't edit custom rules.

Screenshot 2024-08-25 212929.png
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
It is very important to mention that nowadays, the firewall is on your router. The router is one of the “doors” in terms of traffic and attacks, and it is important to invest in a device from a reputable manufacturer.
This is the firewall that will be responsible for dropping packets and connections that are coming unexpectedly, out of the blue and are undesired, uninitiated, and this is the firewall that will attempt to “hide” the network from hackers discovery attempts.

The software firewalls installed in operating systems nowadays play a very minimal role in the overall protection.
The main benefits are:
  • Protecting device from internal threats, such as other compromised devices (laptops, desktops, IoT, etc).
  • Optionally fully hiding the device from the network, when it is shared (for example, shared accommodation).
  • Privacy protection: controlling specific programmes when users want for example, to limit the amount of telemetry being sent.
  • Could assist in blocking attacks such as reverse shell attacks coming from the internal network.
More important than the firewall, and frequently overlooked, is controlling and inspecting the traffic already allowed by the firewall for threats: blocking connections to malicious domains and IP addresses and using signatures to identify attacks and exploits (IPS).

There is no need to overcomplicate the software firewall, better look at the things mentioned above.
 

Shiz

Level 2
Verified
Nov 16, 2018
51
If the Windows firewall can be disabled so easily, it might not be worth relying on. Many of your security measures become ineffective if a rogue application can simply turn it off. It would be problematic if your antivirus software didn't catch such threats. To avoid putting all your eggs in one basket, consider using a third-party firewall. While hardware firewalls like OPNsense and FortiGate offer excellent protection, they can be expensive and require advanced configuration skills, which is why most regular users don't have one at home. Just remember your regular home router is probably not set up for, or does not have the capability of, blocking outbound traffic.
 

zidong

Level 2
Jul 15, 2024
58
What's more important is ability to block outbound
Isn't it the opposite? If you have installed a program that you trust, does it matter if it connects outside - video and audio players, games, messengers, torrent clients? If the program is malicious then you are f*ck3d even if all antivirus scanners report no infection. The first thing I will do is a clean installation, changing passwords and enabling 2FA. So who cares for outbound, when your PC is compromised? You'll have to do a clean install anyway and change your passwords.

About the test...are all protection modules turned off except the windows firewall? If yes then this test is more useless than TPSC's tests. I'm interested in prevention, not the other way around.
 
  • Like
Reactions: Decopi

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
Isn't it the opposite? If you have installed a program that you trust, does it matter if it connects outside - video and audio players, games, messengers, torrent clients? If the program is malicious then you are f*ck3d even if all antivirus scanners report no infection.

Yes, for safe applications it's necessary to allow them to connect out when they need to, but for a malicious process, a firewall configured at default-deny can and should block the outbound attempt by the malicious process, thereby at least preventing exfiltration of your personal data. The key to setting up the firewall is to use: Default-deny. Block all attempts by all programs, and create rules only for safe programs that require outbound comms.
 
  • Like
Reactions: Decopi

Decopi

Level 8
Verified
Oct 29, 2017
361
Yes, for safe applications it's necessary to allow them to connect out when they need to, but for a malicious process, a firewall configured at default-deny can and should block the outbound attempt by the malicious process, thereby at least preventing exfiltration of your personal data. The key to setting up the firewall is to use: Default-deny. Block all attempts by all programs, and create rules only for safe programs that require outbound comms.

In general, I totally agree with your comment.
But comms are just the tip of the iceberg. If the device is infected, a firewall can do almost nothing to solve the problem. Here a real modern antivirus/anti-malware is needed.
Also, take the example of Comodo, abandonware since 2017 + full of unfixed bugs... by default, Comodo Firewall allows comms for "safe files", where "safe files" is just an arbitrary list made by Comodo (last update 15 years ago). Under this category you will find SYSTEM, Windows Services, SVCHOST etc. etc. etc.... I repeat, all allowed by Comodo default. And in real life, it's possible to find thousands of cases where viruses/malware hijacked all these "safe files" allowed by Comodo, and managed to have comms. And considering that Comodo can't customize firewall rules for Windows Services, Svchost etc., "default deny" doesn't work here.
Again, I agree with you, I'm just complementing by saying that "default deny" is not the panacea, not for files, nor for comms. And average users have zero chance to deal with "default deny" strategies.
 
  • Like
  • +Reputation
Reactions: wat0114 and Trident

zidong

Level 2
Jul 15, 2024
58
Yes for safe applications it's necessary to allow them to connect out when they need to, but for a malicious process, a firewall configured at default-deny can and should block the outbound attempt by the malicious process
If I install a program, it means that I trust its author 100%.
If I install a malicious program by mistake, then I'm f*ck3d anyway.
In both cases, I doubt that the outbound firewall rules would change something.
 

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,638
If the device is infected, firewall can do almost nothing to solve the problem.
That depends; usually a weak dropper tries to download the payload and that is where the firewall comes in. Just blocking port 80 alone blocks the majority of malware. Hackers do not take the firewall into account, since 99% of users do not block outbound and lately there are hardly any real firewalls left. I only rely on DNS and firewall for malware protection along with some OS hardening.
 
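The default-deny outbound setup wat0114 describes, together with the single port-80 block TairikuOkami mentions and a check for the "rogue app switched it off" concern raised by Shiz, as one added PowerShell example. This is not code from any post in the thread; it uses only the built-in NetSecurity cmdlets of Windows Defender Firewall. The program paths in the allow list and the log path are assumptions for illustration; the script has to run in an elevated session.

```powershell
# Added example (not from the thread): Windows Defender Firewall default-deny
# outbound with explicit allow rules, an optional TCP/80 block, and verification.
# Program paths and the log location below are assumptions; adjust to your system.

#Requires -RunAsAdministrator

# 1. Default-deny on every profile: nothing leaves unless a rule allows it.
#    Blocked packets are logged so that stopped outbound attempts are visible.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Allow rules only for the safe programs that genuinely need outbound comms.
#    Hypothetical list; every path here is an assumption for this example.
$allowed = @(
    @{ Name = 'Allow Firefox';     Program = 'C:\Program Files\Mozilla Firefox\firefox.exe' },
    @{ Name = 'Allow Thunderbird'; Program = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe' }
)
foreach ($app in $allowed) {
    if (-not (Get-NetFirewallRule -DisplayName $app.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $app.Name -Direction Outbound `
            -Program $app.Program -Action Allow -Profile Any | Out-Null
    }
}

# 3. Optional: explicit block of cleartext HTTP (TCP 80) outbound for all programs.
#    Under default-deny it is redundant for unlisted programs, but it also stops any
#    allowed program above from fetching payloads over plain HTTP.
if (-not (Get-NetFirewallRule -DisplayName 'Block outbound TCP 80' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block outbound TCP 80' -Direction Outbound `
        -Protocol TCP -RemotePort 80 -Action Block -Profile Any | Out-Null
}

# 4. Verification: one row per profile, flagging any profile that has been turned
#    off or is no longer default-deny outbound. Schedule this to re-run if you
#    worry about something quietly disabling the firewall.
function Test-OutboundDefaultDeny {
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile  = $_.Name
            Enabled  = $_.Enabled
            Outbound = $_.DefaultOutboundAction
            Ok       = ($_.Enabled -eq 'True') -and ($_.DefaultOutboundAction -eq 'Block')
        }
    }
}
Test-OutboundDefaultDeny | Format-Table -AutoSize

# 5. Dropped outbound attempts appear in the log as DROP entries whose path column
#    is SEND (the log records addresses and ports, not the process name).
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 20 -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\bDROP\b.*\bSEND\b' }
```

Two practical caveats follow directly from the thread. Decopi's point about services applies here: with default-deny outbound, Windows Update, time sync and other svchost-hosted services stop working until you add rules for them, which is exactly the maintenance burden that makes this unsuitable for average users. And zidong's objection still holds for a full compromise: the log only tells you that a connection was stopped, so it is an indicator to act on (investigate, then reinstall and rotate credentials), not a fix.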
