App Review Windows Defender Firewall Critique Part 2

Ophelia (AI-powered Bot)
Thanks for sharing this video! It provides a great visual aid for understanding Windows Defender Firewall's features and limitations. Let's discuss the points raised in the video.
 

Decopi
As usual, another manipulative video.

As explained so many times, Windows default settings are focused on “usability” of the average user. But Windows is extremely customizable, and can become a “blocker”. In this sense, any advanced user who wants to, can easily manually create customizations in Windows, both to specifically prevent changes in the firewall, as well as to create IN/OUT rules in the firewall.

This video not only is a conceptual mistake, but it is also a manipulation which tries to present hypothetical security flaws in Windows, when in fact Windows allows these hypothetical security "holes/breaches" to be closed. The video purposely confuses “security” with “usability”, omitting the fact that Windows default focuses on “usability”.

Blockers are from the stone age, they emerged 20 years ago when there were no modern technologies like the ones that exist today to detect and remove viruses/malware. Blockers today are totally inefficient/ineffective, both because the final decision to “allow” or “block” stuff always depends 100% on the user. And considering that today there are many free, modern software, with excellent technologies to detect/remove viruses/malware... it does not make any sense for the average user to use a blocker or blocking settings.
 

bazang
As usual, another manipulative video.
It is not "manipulative." You're the only one, and perhaps one or two other people here at MT, who say such nonsense.

The video demonstrates a fact about Windows Firewall that is common knowledge among the IT security industry.

When such videos are made, it is not the responsibility of the video author to provide a long, detailed explanation about all the technical details and permutations possible. Such vids are intended for a targeted audience that understands what is going on. For those that do not know it is their responsibility to become informed so they can understand. This is standard industry practice.

As explained so many times, Windows default settings are focused on “usability” of the average user. But Windows is extremely customizable, and can become a “blocker”. In this sense, any advanced user who wants to, can easily manually create customizations in Windows, both to specifically prevent changes in the firewall, as well as to create IN/OUT rules in the firewall.
And yet you and others criticize Comodo because "it needs to be tweaked."

Since 99% of Windows users leave the Windows Firewall configuration and the other security features at defaults, the video is applicable to the 99%.

This video not only is a conceptual mistake, but it is also a manipulation which tries to present hypothetical security flaws in Windows, when in fact Windows allows these hypothetical security "holes/breaches" to be closed. The video purposely confuses “security” with “usability”, omitting the fact that Windows default focuses on “usability”.
It is not hypothetical. There are in-the-wild malware that do the very same thing to Windows. Leading security practitioners have been critical of Microsoft not implementing tamper protection for Windows Firewall for decades. They would not advocate for such increased protection of Windows Firewall if they did not observe in daily practice the very same thing that @cruelsister shows in the video.

You do realize that Microsoft deliberately lowers security as the default configuration to provide usability to "users that want to use stuff," right?

Usability on Windows comes at the expense of decreased security. That has always been a fact of the default configuration of Windows. The fact that Windows can be tweaked and hardened is moot as, once again, the insecure Windows OS defaults are what the 99% use. The capability to harden Windows to make it more secure is irrelevant. It's nice that Microsoft makes it possible, but the masses don't know how to do it nor do they have the inclination to do it.

Blockers are from the stone age, they emerged 20 years ago when there were no modern technologies like the ones that exist today to detect and remove viruses/malware. Blockers today are totally inefficient/ineffective, both because the final decision to “allow” or “block” stuff always depends 100% on the user. And considering that today there are many free, modern software, with excellent technologies to detect/remove viruses/malware... it does not make any sense for the average user to use a blocker or blocking settings.
That's not an accurate group of statements at all. If "Blockers" - as you call them - keep a system clean, then that is all that matters. It makes no difference if that is achieved using buggy Comodo or the latest & greatest "modern [security] software." All that matters is the end result - a clean system - and not the bugs and other perceived "security flaws" of Comodo.

And, uhm, CS configuration requires no decision-making on the part of the user.

Most every government in the world uses at least one form of "Blocker" technology. And why is that? Because they are the most effective method to slow down or prevent nation-state threat actors from pivoting horizontally or vertically in their networks. No government would use "Blocker" technologies if they were not effective and did not add a valuable layer to Defense-in-Depth.
 

simmerskool
Last comment in the video: "better to use a 3rd-party firewall of your choice" > Is Windows Firewall Control (WFC) (binisoft, now Malwarebytes) in that category of 3rd-party firewall, or just an overlay of Windows Firewall?
 

cruelsister (thread author)
What about the FirewallHardening tool from Andy? Does it make things better?
No, not at all. FirewallHardening will indeed add a bunch of Rules for various things (probably one of the best would be a block on PowerShell Outbound requests). However, as in the video, if WF is disabled FIRST it does not matter what rules are in place (oh, and WFH does not include a rule for this malware).

Also, the desire to add further Rules to WF is normally acted on on a Reactive Basis (once a bypass has occurred on someone's system), and trying to add rules for other possible malware types can be viewed as Rule-Whack-A-Mole, as there will always be something that one does not consider adding.

It is not hypothetical. There are in-the-wild malware that do the very same thing to Windows. Leading security practitioners have been critical of Microsoft not implementing tamper protection for Windows Firewall for decades
Not only that it is not hypothetical, but it is barely an inconvenience to code malware in this way. (God did I LOVE your post...).
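To make the "rules don't matter once WF is disabled" point concrete, here is an added PowerShell example (not code from the video, from FirewallHardening or from any poster). It assumes Windows 10/11 with the built-in NetSecurity module; the audit function is read-only and runs as a standard user, while the rule-adding function needs an elevated shell. The rule display-name prefix and the two PowerShell paths are assumptions for the example.

```powershell
# Added example, not code from the video, FirewallHardening or any poster.
# Assumes Windows 10/11 with the built-in NetSecurity module. The audit is
# read-only and runs as a standard user; Add-PowerShellOutboundBlock needs
# an elevated shell.

function Get-FirewallEffectiveState {
    # One row per profile. The last column is the whole argument of the video:
    # a Block rule bound to a profile whose Enabled flag is False filters nothing.
    foreach ($p in Get-NetFirewallProfile) {
        $blockRules = @(
            Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
                Where-Object {
                    "$($_.Profile)" -eq 'Any' -or ("$($_.Profile)" -split ',\s*') -contains $p.Name
                }
        )
        [pscustomobject]@{
            Profile            = $p.Name
            Enabled            = ($p.Enabled -eq 'True')
            DefaultOutbound    = "$($p.DefaultOutboundAction)"
            OutboundBlockRules = $blockRules.Count
            RulesEffective     = ($p.Enabled -eq 'True')   # False => the count above is decoration
        }
    }
}

function Add-PowerShellOutboundBlock {
    # The kind of rule a hardening tool adds: block outbound from both PowerShell
    # hosts. Idempotent by display name; the name prefix is an assumption.
    $targets = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    )
    foreach ($exe in $targets) {
        if (-not (Test-Path $exe)) { continue }
        $name = "Harden: block outbound $exe"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Program $exe -Profile Any | Out-Null
        }
    }
}

# Run the audit. Any row with Enabled=False makes OutboundBlockRules meaningless,
# which is exactly what "disable WF first, then the rules don't matter" means.
Get-FirewallEffectiveState | Format-Table -AutoSize
```

If you run Add-PowerShellOutboundBlock, then turn a profile off (the video's scenario) and re-run the audit, the rule count stays the same while RulesEffective flips to False; that is the gap no amount of extra rules closes.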
 

Decopi
What about the FirewallHardening tool from Andy? Does it make things better?

You can harden Windows in almost every way you want, including the firewall.
Also, you can use dozens of great (updated/upgraded) Windows hardening settings programs, including Andy's great software.
But it's not a matter of "making things better". Windows is far from perfect, but the video in this thread is totally fake; it's not showing any Windows security issue. Windows by default is focused on "usability". If you or any advanced user wants to harden Windows or convert it into a blocker, no problem at all! Windows allows that.
 

bazang
You can harden Windows in almost every way you want, including the firewall.
Hardening Windows is a completely different thing than protecting Windows Firewall against tampering or being disabled.

It is not possible to prevent Windows Firewall from being disabled. At least not in the sense that you are saying.

Even using the Windows 11 Tamper Protection, or using Microsoft Endpoint Manager to force Tamper Protection, using Windows hardening scripts deployed by Intune, or Group Policy Objects - there are ways to disable Windows Firewall.

All that hardening capability is moot whenever the default Windows OS configuration used by the 99% makes it trivial to disable Windows Firewall.

All a threat actor need do is send a malicious link, the user clicks on the link, the malware script downloads and executes in the background, that malicious script can disable Windows Firewall without admin privileges or equally as bad it can create a service (server) that Windows Firewall allows despite a ton of added "hardening" rules (the hardening rules are irrelevant). There are ways to create the service without admin privileges or invoking UAC and displaying the elevation alert to the user - who would likely select "Allow" in the case that it would be generated. This example has been a routine demo with hundreds of variants displayed at BlackHat and other conferences since Windows Vista.
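The two behaviours described above (the firewall being switched off, and a new service appearing that the firewall allows) both leave traces in Windows event logs. The following is an added PowerShell triage script, not code from any poster. It assumes Windows 10/11 and an elevated shell (reading the Security log requires one); the Security-log event IDs only appear if the "MPSSVC Rule-Level Policy Change" and "Other System Events" audit subcategories are enabled, whereas the firewall operational log is on by default. The $Hours look-back is an assumed parameter.

```powershell
# Added example, not code from any poster. Triage for the two things the post
# describes: the firewall service turned off / its settings changed, and a
# service installed that the firewall now allows. Assumes Windows 10/11 and an
# elevated shell. Security-log IDs 4950/5025 need the "MPSSVC Rule-Level Policy
# Change" and "Other System Events" audit subcategories; the firewall operational
# log (IDs 2003/2004/2006) is enabled by default.

function New-Finding([string]$Source, [string]$Detail, [datetime]$Time) {
    [pscustomobject]@{ Time = $Time; Source = $Source; Detail = $Detail }
}

function Get-FirewallTamperIndicators {
    param([int]$Hours = 24)
    $since    = (Get-Date).AddHours(-$Hours)
    $findings = @()

    # 1. Live state: MpsSvc (the firewall) and BFE (the filtering engine it depends on)
    #    should both be Running. Stopping either is the blunt way to "disable WF".
    foreach ($svc in 'MpsSvc', 'BFE') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $state = if ($s) { "$($s.Status)" } else { 'missing' }
        if ($state -ne 'Running') {
            $findings += New-Finding 'Service' "$svc is $state" (Get-Date)
        }
    }

    # 2. Firewall operational log: 2003 = profile setting changed (e.g. Enabled -> False),
    #    2004 = rule added, 2006 = rule deleted. A state flip or a burst of new Allow rules lands here.
    $fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2003, 2004, 2006; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += New-Finding "FW/$($_.Id)" ($_.Message -split "`r?`n")[0] $_.TimeCreated }

    # 3. Security log: 4950 = a Windows Firewall setting has changed, 5025 = the firewall service was stopped.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4950, 5025; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += New-Finding "Sec/$($_.Id)" ($_.Message -split "`r?`n")[0] $_.TimeCreated }

    # 4. System log 7045 = a service was installed. A 7045 followed within minutes by a 2004
    #    (rule added) is the "create a service the firewall allows" pattern from the post.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += New-Finding 'SCM/7045' ($_.Message -split "`r?`n")[0] $_.TimeCreated }

    $findings | Sort-Object Time
}

Get-FirewallTamperIndicators -Hours 24 | Format-Table -AutoSize -Wrap
```

On a clean machine this prints nothing. The useful signal is ordering: a 2003 or 5025 shortly after a process launch, or a 7045 followed by a 2004, is worth a look even when Defender itself was quiet. Note that this is detection after the fact; it does not stop the firewall from being switched off.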
 

Dave Russo
As I am seeking advice (I want to continue with Microsoft Defender via Defender UI), what standalone firewall is recommended that would resolve cruelsister's finding? Or once you add another firewall, is Defender UI compromised?
 

Decopi
Readers should take care, because not only is the video posted in this thread manipulative, but also the comments in this thread are manipulative too, false, or in the best of intentions contain mistakes:

Windows is not focused on security.
Windows default settings are focused on “usability”, for two main reasons:
1. 99.99% of users have an average profile, therefore they require average settings;
2. In modern times of hyper-connectivity and synchronization of various devices, it is simply a catastrophe to think of settings that block functions.

That said, the video and comments posted in this thread fallaciously presume contexts, omitting the fact that those contexts can be blocked (avoided), either by manual Windows hardening, manual firewall hardening, or by using third-party (upgraded/updated) software.

Such hardening, manual or by software, perfectly includes the possibility to block any attempt to disable both Windows Defender and Windows Firewall. The main manipulation of the video in this thread (and several comments), comes from omitting this fact, not informing the reader that it is 100% possible to configure Windows so that both Windows Defender and Firewall cannot be disabled.

Again and again we are forced to repeat that Windows is incredibly customizable, and can be transformed into a blocker. And in a customized Windows, the assumptions of the video in this thread are ridiculous, since both Windows Defender and Firewall could not be disabled or altered.

Last but not least, this video and the comments are fakes, also because they tacitly presuppose an incentive for the use of blockers, a stone-age strategy, used 20 years ago.

Few conclusions:
1. The conditions presupposed by the test performed in the video, are unrealistic in a Windows with hardened settings. And it makes no sense to test Windows with default settings, because the focus is not security, it is “usability”. That said, while it is true that Windows Firewall can be disabled with simple commands, even with Windows default settings the chances of Windows Defender (untouched) preventing a virus/malware from disabling the firewall are very high;
2. Both Windows Defender and firewall settings can be manually customized to transform Windows into a blocker (which includes blocking any attempt to disable Windows Defender/Firewall);
3. That blocking strategy is not used in Windows because it is inefficient and ineffective for 99.99% of users.

PS: It is irresponsible and immoral to induce users with manipulations and falsehoods.
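The hardening the post refers to, in the specific form of preventing the firewall from being switched off through the normal paths, can be done by writing the same registry values a Group Policy Object writes. What follows is an added PowerShell example, not Decopi's or anyone else's code. It assumes Windows 10/11 and an elevated shell. Two caveats a practitioner would want: an elevated process can delete these values again, so this stops an unelevated script and a user clicking the toggle rather than malware already running as admin; and with local policy merge switched off, only rules that live in the policy store apply, so any inbound exceptions you rely on (Remote Desktop, file sharing) must be re-created there.

```powershell
# Added example, not Decopi's or anyone else's code. Puts the firewall's "on" state
# into the local policy store (the same registry values a GPO writes) so the Control
# Panel toggle, netsh and Set-NetFirewallProfile no longer control it, and stops rules
# created outside the policy store from being merged in. Assumes Windows 10/11 and an
# elevated shell. An elevated process can still delete these values, so this raises
# the bar against unelevated code and a click-happy user; it is not tamper protection.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$Profiles   = 'DomainProfile', 'PrivateProfile', 'PublicProfile'

function Set-FirewallPolicyLock {
    foreach ($prof in $Profiles) {
        $key = Join-Path $PolicyRoot $prof
        New-Item -Path $key -Force | Out-Null
        # EnableFirewall=1: the profile is forced on; the UI toggle greys out.
        New-ItemProperty -Path $key -Name 'EnableFirewall' -PropertyType DWord -Value 1 -Force | Out-Null
        # AllowLocalPolicyMerge=0 / AllowLocalIPsecPolicyMerge=0: rules added to the local
        # (non-policy) store are ignored, so "add an Allow rule for my new service" does nothing.
        New-ItemProperty -Path $key -Name 'AllowLocalPolicyMerge' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'AllowLocalIPsecPolicyMerge' -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Make the firewall service re-read policy now rather than at the next refresh.
    gpupdate.exe /target:computer /force | Out-Null
}

function Test-FirewallPolicyLock {
    # True only if all three profiles are on in the active (effective) store and the
    # policy values are present. Run it after Set-FirewallPolicyLock, and again from
    # a scheduled task if you want to notice the values disappearing.
    $ok = $true
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        if ($p.Enabled -ne 'True') { Write-Warning "$($p.Name): Enabled=$($p.Enabled)"; $ok = $false }
    }
    foreach ($prof in $Profiles) {
        $v = Get-ItemProperty -Path (Join-Path $PolicyRoot $prof) -Name 'EnableFirewall' -ErrorAction SilentlyContinue
        if (-not $v -or $v.EnableFirewall -ne 1) { Write-Warning "${prof}: policy value missing"; $ok = $false }
    }
    $ok
}

Set-FirewallPolicyLock
Test-FirewallPolicyLock
```

After this, `netsh advfirewall set allprofiles state off` and the Control Panel toggle no longer change the effective state, and Get-NetFirewallProfile reports the profiles as enabled from the policy store. Whether that counts as "cannot be disabled" depends on the attacker's privilege level, which is the point of contention in this thread.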
 

EASTER
Obliterated scoffers. Plain, simple FACTS, well said.

Years ago, and not that many, as a malware fighter hovering incognito in various RAT and malware makers' coves, I can tell you beyond any doubt that in-the-wild AND coordinated malware projects are so determined, and continuously pick up new forms of infiltrating Windows, that they make it look easy. And that was years ago!

Popping out the WF and evading AV's is their craft.

This is a useful Part 2 Video presentation and one could argue, timely, due to the current rash of just these types of flash snatch-n-grab tactics. Ouch


bazang said:
It is not hypothetical. There are in-the-wild malware that do the very same thing to Windows. Leading security practitioners have been critical of Microsoft not implementing tamper protection for Windows Firewall for decades
 

Dave Russo
Going to use an Avast activation I have, without its web protection, VPN, cleanup utility or anti-track, for the sake of a (better firewall??)
 

Decopi
Going to use an Avast activation I have, without its web protection, VPN, cleanup utility or anti-track, for the sake of a (better firewall??)
Hi @Dave Russo
The only safe firewall is an external one.
For internal purposes, Windows Firewall will be more than enough for 99.99% of users. The same logic applies if you prefer any other third-party firewall (like AVAST): no real need, no real great protection, but any internal firewall will be enough (except Comodo, which has been abandonware since 2017, full of dangerous unfixed bugs).
That said, if you are an advanced user, Windows Firewall doesn't have a friendly GUI, and if you like to customize or harden your (security/privacy) rules, then a third-party firewall will be useful.
Also, if you don't like to harden your Windows (Windows Defender + Windows Firewall), a third-party firewall will help you. In the example of AVAST, if you have Windows with default settings, it'll be very difficult for any virus/malware to disable your AVAST.
 

cruelsister (thread author)
Does the malicious executable leverage any other process(es), such as powershell or cmd(.)exe, for example, to gain elevated privileges to disable the firewall, or does it do it all on its own?
Although that could be done, it would be really bulky (and I dislike code bulk). Both the privilege elevation are done just before the BG drop using tried and true methods.
 

simmerskool
As I am seeking advice (I want to continue with Microsoft Defender via Defender UI), what standalone firewall is recommended that would resolve cruelsister's finding? Or once you add another firewall, is Defender UI compromised?
Zone Alarm has a free and Pro firewall. I have not used ZA enough to recommend. TinyWall & Comodo popup in search.
 

oldschool
Indeed, nefarious actors can do anything once they have access to the Windows OS, but that is dependent on the user, e.g. clicking malicious links, etc. So for all intents and purposes this "critique" is simply video clickbait. Entertaining? Enlightening? Maybe. Stay safe, not paranoid. Word.
 

wat0114
The only issue I have is that the firewall is set up as default-allow, with rules created for malicious processes. This would be an exercise in futility because there are thousands if not millions of malicious processes in existence. Is it not better to set it up as default-deny, and create rules for safe applications that require outbound comms? This way nothing is allowed, except for those applications/processes installed on the device that are deemed safe. So much easier to manage.

That said, Defender firewall without some sort of functionality interface such as Windows Firewall Control is a cumbersome joke to configure. Also, it has a terrible limitation in that it can't handle wildcards in path rules.

The Defender firewall being terminated is concerning, especially as it seems, correct me if I'm wrong, the DANGER(.)exe was launched without elevated privileges. But @oldschool has sound advice as usual. Somehow preventative measures must be put in place to prevent the malicious process from launching in the first place.
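The default-deny outbound setup argued for above (and the "create IN/OUT rules" customization Decopi mentions earlier in the thread) can be done with the built-in cmdlets, including a workaround for the wildcard limitation: New-NetFirewallRule -Program accepts one literal path, so the example below expands a wildcard pattern itself and creates one rule per matched executable. This is an added PowerShell example, not wat0114's code and not Windows Firewall Control's. It assumes Windows 10/11 and an elevated shell, and the patterns at the bottom are constructed for illustration; edit them before running, because once the default flips, anything not listed loses outbound access.

```powershell
# Added example, not wat0114's code and not Windows Firewall Control's. Default-deny
# outbound with an explicit allowlist, and a workaround for the limitation in the post:
# New-NetFirewallRule -Program takes one literal path and no wildcards, so the function
# expands a wildcard pattern itself with Get-ChildItem and creates one rule per match.
# Assumes Windows 10/11, an elevated shell, and that you edit the constructed patterns
# at the bottom first: once the default flips, anything not listed loses outbound access.

$RuleTag = 'Allowlist:'   # assumed display-name prefix, so our rules can be found and removed as a set

function Add-OutboundAllowRule {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # may contain * in a directory or file name
        [string]$Description = 'default-deny outbound allowlist'
    )
    # Resolve wildcards here; the rule itself gets a literal FullName.
    $found = @(Get-ChildItem -Path $Pattern -File -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) { Write-Warning "no executable matched '$Pattern'"; return }
    foreach ($exe in $found) {
        $name = "$RuleTag $($exe.FullName)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Description $Description `
                -Direction Outbound -Action Allow -Program $exe.FullName -Profile Any | Out-Null
        }
        $exe.FullName   # emit what was allowed so the caller can review the list
    }
}

function Enable-DefaultDenyOutbound {
    param([Parameter(Mandatory)][string[]]$AllowPatterns)
    # Rules first, then the default flip; the other order cuts off DNS and updates
    # until the rules exist. svchost.exe hosts the DNS client and Windows Update,
    # which is coarse (every svchost-hosted service gets out); tighten per service if needed.
    $allowed = @("$env:SystemRoot\System32\svchost.exe") + $AllowPatterns |
        ForEach-Object { Add-OutboundAllowRule -Pattern $_ }
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
    $allowed
}

function Disable-DefaultDenyOutbound {
    # Undo in the safe order: restore the Allow default, then remove only our rules.
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
    Get-NetFirewallRule -DisplayName "$RuleTag *" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Constructed patterns for illustration; replace with the programs you actually use.
Enable-DefaultDenyOutbound -AllowPatterns @(
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "$env:LOCALAPPDATA\Programs\*\*.exe"   # per-user installs: one literal rule per match
)
```

The expansion is done once, at rule-creation time, so a program installed later under a matching directory will not be allowed until you re-run Add-OutboundAllowRule for that pattern; that is the price of the firewall not understanding wildcards. Disable-DefaultDenyOutbound removes only rules carrying the assumed prefix, so it will not touch rules created by other tools.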
 
