App Review: Windows Defender Firewall Critique Part 2

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by Ophelia
Thanks for sharing this video! It provides a great visual aid for understanding Windows Defender Firewall's features and limitations. Let's discuss the points raised in the video.
As usual, another manipulative video.
It is not "manipulative." You're the only one, and perhaps one or two other people here at MT, who say such nonsense.

The video demonstrates a fact about Windows Firewall that is common knowledge among the IT security industry.

When such videos are made, it is not the responsibility of the video author to provide a long, detailed explanation about all the technical details and permutations possible. Such vids are intended for a targeted audience that understands what is going on. For those that do not know it is their responsibility to become informed so they can understand. This is standard industry practice.

As explained so many times, Windows default settings are focused on “usability” of the average user. But Windows is extremely customizable, and can become a “blocker”. In this sense, any advanced user who wants to, can easily manually create customizations in Windows, both to specifically prevent changes in the firewall, as well as to create IN/OUT rules in the firewall.
And yet you and others criticize Comodo because "it needs to be tweaked."

Since 99% of Windows users leave the Windows Firewall configuration and the other security features at defaults, the video is applicable to the 99%.

This video not only is a conceptual mistake, but it is also a manipulation which tries to present hypothetical security flaws in Windows, when in fact Windows allows these hypothetical security "holes/breaches" to be closed. The video purposely confuses “security” with “usability”, omitting the fact that Windows default focuses on “usability”.
It is not hypothetical. There are in-the-wild malware that do the very same thing to Windows. Leading security practitioners have been critical of Microsoft not implementing tamper protection for Windows Firewall for decades. They would not advocate for such increased protection of Windows Firewall if they did not observe in daily practice the very same thing that @cruelsister shows in the video.

You do realize that Microsoft deliberately lowers security as the default configuration to provide usability to "users that want to use stuff," right?

Usability on Windows comes at the expense of decreased security. That has always been a fact of the default configuration of Windows. The fact that Windows can be tweaked and hardened is moot as, once again, the insecure Windows OS defaults are what the 99% use. The capability to harden Windows to make it more secure is irrelevant. It's nice that Microsoft makes it possible, but the masses don't know how to do it nor do they have the inclination to do it.

Blockers are from the stone age; they emerged 20 years ago, when there were no modern technologies like the ones that exist today to detect and remove viruses/malware. Blockers today are totally inefficient/ineffective, both because the final decision to "allow" or "block" stuff always depends 100% on the user, and considering that today there is much free, modern software with excellent technologies to detect/remove viruses/malware... it does not make any sense for the average user to use a blocker or blocking settings.
That's not an accurate group of statements at all. If "Blockers" - as you call them - keep a system clean, then that is all that matters. It makes no difference if that is achieved using buggy Comodo or the latest & greatest "modern [security] software." All that matters is the end result - a clean system - and not the bugs and other perceived "security flaws" of Comodo.

And, uhm, CS configuration requires no decision-making on the part of the user.

Most every government in the world uses at least one form of "Blocker" technology. And why is that? Because they are the most effective method to slow down or prevent nation-state threat actors from pivoting horizontally or vertically in their networks. No government would use "Blocker" technologies if they were not effective and did not add a valuable layer to Defense-in-Depth.
Last comment in the video, "better to use a 3rd-party firewall of your choice": is Windows Firewall Control (WFC) (binisoft -- malwarebytes) in that category of 3rd-party firewall, or is it just an overlay of Windows Firewall?
 
What about the FirewallHardening tool from Andy? Does it make things better?
No, not at all. FirewallHardening will indeed add a bunch of Rules for various things (probably one of the best would be a block on PowerShell Outbound requests). However, as in the video, if WF is disabled FIRST it does not matter what rules are in place (oh, and WFH does not include a rule for this malware).

Also, the desire to add further Rules to WF is normally acted on a Reactive Basis (once a bypass has occurred on someone's system), and trying to add rules for other possible malware types can be viewed as Rule-Whack-A-Mole, as there will always be something that one does not consider adding.
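Added example (the editor's, not code from any post or from the FirewallHardening tool): the kind of rule the post mentions, an outbound block for Windows PowerShell, followed by a check that shows the post's point in data: a rule is only effective while the profile it lives in is enabled, so a firewall that has been switched off enforces nothing regardless of how many rules exist. The rule names and the group name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound block rules for Windows PowerShell (64-bit and WOW64
# binaries), plus a per-profile check of whether each rule is actually enforced.
# The group and display names below are hypothetical; pick your own.

$ruleGroup = 'Example hardening'

$powershellPaths = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

function Add-OutboundBlockRule {
    param([Parameter(Mandatory)][string]$Program)
    $name = "Block outbound - $([IO.Path]::GetFileName($Program)) ($([IO.Path]::GetDirectoryName($Program)))"
    # Idempotent: re-running the script must not stack duplicate rules.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group $ruleGroup `
            -Direction Outbound -Action Block -Program $Program `
            -Profile Any -Enabled True | Out-Null
    }
    $name
}

function Test-RuleEffective {
    param([Parameter(Mandatory)][string]$DisplayName)
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop
    foreach ($p in Get-NetFirewallProfile) {
        # A rule scoped to 'Any' applies in every profile; otherwise test membership.
        $applies = ($rule.Profile -eq 'Any') -or
                   (($rule.Profile.ToString() -split ',\s*') -contains $p.Name)
        $profileOn = ($p.Enabled -eq 'True')
        $ruleOn    = ($rule.Enabled -eq 'True')
        [pscustomobject]@{
            Rule           = $DisplayName
            Profile        = $p.Name
            ProfileEnabled = $profileOn
            RuleEnabled    = $ruleOn
            # The block only bites when the profile itself is enabled.
            Effective      = $applies -and $profileOn -and $ruleOn
        }
    }
}

$created = $powershellPaths | ForEach-Object { Add-OutboundBlockRule -Program $_ }
$created | ForEach-Object { Test-RuleEffective -DisplayName $_ } | Format-Table -AutoSize
```

Run it once, then run `Set-NetFirewallProfile -Profile Public -Enabled False` in a lab VM and call `Test-RuleEffective` again: the `Effective` column for the Public profile flips to `False` while the rule row is unchanged, which is exactly the gap the video is about. Remove the example rules with `Remove-NetFirewallRule -Group 'Example hardening'`.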

It is not hypothetical. There are in-the-wild malware that do the very same thing to Windows. Leading security practitioners have been critical of Microsoft not implementing tamper protection for Windows Firewall for decades
Not only that it is not hypothetical, but it is barely an inconvenience to code malware in this way. (God did I LOVE your post...).
 
You can harden Windows in almost every way you want, including the firewall.
Hardening Windows is a completely different thing than protecting Windows Firewall against tampering or being disabled.

It is not possible to prevent Windows Firewall from being disabled. At least not in the sense that you are saying.

Even using the Windows 11 Tamper Protection, or using Microsoft Endpoint Manager to force Tamper Protection, using Windows hardening scripts deployed by Intune, or Group Policy Objects - there are ways to disable Windows Firewall.

All that hardening capability is moot whenever the default Windows OS configuration used by the 99% makes it trivial to disable Windows Firewall.

All a threat actor need do is send a malicious link, the user clicks on the link, the malware script downloads and executes in the background, that malicious script can disable Windows Firewall without admin privileges or equally as bad it can create a service (server) that Windows Firewall allows despite a ton of added "hardening" rules (the hardening rules are irrelevant). There are ways to create the service without admin privileges or invoking UAC and displaying the elevation alert to the user - who would likely select "Allow" in the case that it would be generated. This example has been a routine demo with hundreds of variants displayed at BlackHat and other conferences since Windows Vista.
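Added example (the editor's, not part of any post): since the thread's position is that a disabled firewall cannot be prevented on a default install, the practical counterpart is to detect it. The script below reports the firewall service and per-profile state, and pulls the events Windows writes when a profile setting or rule changes. The event IDs are Microsoft's documented ones for the firewall operational log (2003 setting changed, 2004/2005/2006 rule added/modified/deleted) and the Security log (4946/4947/4948 rule added/modified/deleted, 4950 setting changed; these require the "MPSSVC Rule-Level Policy Change" audit subcategory). The 24-hour window is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example: point-in-time firewall posture plus recent change events.
# Reading the Security log needs an elevated session. The look-back window
# is an assumption.

$LookBackHours = 24

function Get-FirewallPosture {
    # Service, profiles and default actions in one object. Any 'False' in
    # Enabled means the rule set is not being enforced, whatever rules exist.
    $svc = Get-Service -Name mpssvc
    $profiles = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = ($_.Enabled -eq 'True')
            DefaultInbound  = $_.DefaultInboundAction.ToString()
            DefaultOutbound = $_.DefaultOutboundAction.ToString()
        }
    }
    [pscustomobject]@{
        ServiceStatus      = $svc.Status.ToString()
        AllProfilesEnabled = -not ($profiles | Where-Object { -not $_.Enabled })
        Profiles           = $profiles
    }
}

function Get-FirewallChangeEvents {
    param([datetime]$Since = (Get-Date).AddHours(-$LookBackHours))
    $queries = @(
        @{ LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
           Id        = 2003, 2004, 2005, 2006
           StartTime = $Since },
        @{ LogName   = 'Security'
           Id        = 4946, 4947, 4948, 4950
           StartTime = $Since }
    )
    foreach ($q in $queries) {
        # "No events found" is reported by Get-WinEvent as an error; that is the
        # normal quiet case, so it is suppressed rather than treated as failure.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $q.LogName
                Id      = $_.Id
                Message = ($_.Message -split "`r?`n")[0]   # first line is the summary
            }
        }
    }
}

$posture = Get-FirewallPosture
$posture | Select-Object ServiceStatus, AllProfilesEnabled | Format-List
$posture.Profiles | Format-Table -AutoSize
Get-FirewallChangeEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

The Security-log events only appear after `auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable` has been run. Two caveats a practitioner would add: a process that can turn the firewall off can usually also clear or stop the local logs, so forward these events off the box if detection matters; and the posture check is a snapshot, so it belongs on a schedule, not in a one-off run.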
As I am seeking advice (I want to continue with Microsoft Defender via DefenderUI), what standalone firewall is recommended that would resolve cruelsister's finding? Or once you add another firewall, is DefenderUI compromised?
 
Obliterated scoffers. Plain, simple FACTS, well said. (y)

Years ago, and not that many, as a malware fighter hovering incognito in various RAT and malware makers' coves, I can tell beyond any doubt that in-the-wild AND coordinated malware projects are so determined, and continuously pick up new forms of infiltrating Windows, that they make it look easy. And that was years ago!

Popping out the WF and evading AVs is their craft.

This is a useful Part 2 Video presentation and one could argue, timely, due to the current rash of just these types of flash snatch-n-grab tactics. Ouch


bazang said:
It is not hypothetical. There are in-the-wild malware that do the very same thing to Windows. Leading security practitioners have been critical of Microsoft not implementing tamper protection for Windows Firewall for decades
 
Does the malicious executable leverage any other process(es), such as PowerShell or cmd(.)exe, for example, to gain elevated privileges to disable the firewall, or does it do it all on its own?
Although that could be done, it would be really bulky (and I dislike code bulk). Both the privilege elevation are done just before the BG drop using tried and true methods.
 
As I am seeking advice (I want to continue with Microsoft Defender via DefenderUI), what standalone firewall is recommended that would resolve cruelsister's finding? Or once you add another firewall, is DefenderUI compromised?
Zone Alarm has a free and Pro firewall. I have not used ZA enough to recommend. TinyWall & Comodo popup in search.
 
Indeed, nefarious actors can do anything once they have access to the Windows OS, but that is dependent on the user, e.g. clicking malicious links, etc. So for all intents and purposes this "critique" is simply video clickbait. Entertaining? Enlightening? Maybe. Stay safe, not paranoid. Word.
 
The only issue I have is that the firewall is set up as Default-allow, and rules are created for malicious processes. This would be an exercise in futility, because there are thousands if not millions of malicious processes in existence. Is it not better to set it up as Default-deny, and create rules for safe applications that require outbound comms? This way nothing is allowed, except for those applications/processes installed on the device that are deemed safe. So much easier to manage.

That said, Defender firewall without some sort of functionality interface such as Windows Firewall Control is a cumbersome joke to configure. Also, it has a terrible limitation in that it can't handle wildcards in path rules.

The Defender firewall being terminated is concerning, especially as it seems, correct me if I'm wrong, the DANGER(.)exe was launched without elevated privileges. But @oldschool has sound advice as usual (y) Somehow preventative measures must be put in place to prevent the malicious process from launching in the first place.
 
And in real life, it's possible to find thousands of cases where viruses/malware hijacked all these "safe files" allowed by Comodo, and managed to have comms.

Good point, and no doubt any 3rd-party firewall could be bypassed this way. If svchost and other Windows processes can be configured to connect to only specific and necessary IP ranges, then maybe this bypass can be mitigated. Not really sure though. I've done this some years ago with 3rd-party and even Windows Firewall, but it's plenty of time-consuming work. In the end I lost interest.
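Added example (the editor's, not from any post) covering two posts above: the default-deny outbound layout with allow rules for known applications, and the suggestion to pin svchost to specific remote addresses. Because the firewall takes no wildcards in a program path, the allow rules are generated one per executable by enumerating a folder; svchost is allowed only for a named service (here the DNS client, `Dnscache`) and only to named resolver addresses, so any other service hosted in svchost still hits the default block. The folder, the resolver addresses and the rule group name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: default-deny outbound with a generated per-executable allowlist
# and a service-scoped svchost rule. Folders, resolvers and group name are
# hypothetical placeholders; substitute your own.

$RuleGroup    = 'Example default-deny allowlist'
$AllowFolders = @("$env:ProgramFiles\Mozilla Firefox")   # assumed application folder
$DnsResolvers = @('1.1.1.1', '1.0.0.1')                   # assumed resolver addresses

function Set-DefaultDenyOutbound {
    # Profiles stay enabled; only the default actions change.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Add-AllowRulesForFolder {
    param([Parameter(Mandatory)][string]$Folder)
    # One rule per .exe: the only way to cover a directory tree without wildcards.
    Get-ChildItem -Path $Folder -Filter *.exe -Recurse -File | ForEach-Object {
        $name = "Allow outbound - $($_.FullName)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Group $RuleGroup `
                -Direction Outbound -Action Allow -Program $_.FullName -Profile Any | Out-Null
        }
        $name
    }
}

function Add-ServiceScopedSvchostRule {
    # Allow only the Dnscache service inside svchost, only to the listed
    # resolvers on port 53. Every other svchost-hosted service stays blocked.
    param([Parameter(Mandatory)][string[]]$Resolvers)
    $svchost = "$env:SystemRoot\System32\svchost.exe"
    foreach ($proto in 'UDP', 'TCP') {
        $name = "Allow outbound - svchost/Dnscache $proto 53"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Group $RuleGroup `
                -Direction Outbound -Action Allow -Program $svchost -Service Dnscache `
                -Protocol $proto -RemotePort 53 -RemoteAddress $Resolvers -Profile Any | Out-Null
        }
        $name
    }
}

function Get-AllowlistSummary {
    # Resolve each rule in the group to the program it permits, for review.
    Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = $app.Program
            Enabled = ($_.Enabled -eq 'True')
        }
    }
}

Set-DefaultDenyOutbound
$AllowFolders | ForEach-Object { Add-AllowRulesForFolder -Folder $_ } | Out-Null
Add-ServiceScopedSvchostRule -Resolvers $DnsResolvers | Out-Null
Get-AllowlistSummary | Format-Table -AutoSize
```

Expect breakage on first run: Windows Update, Defender signature updates and time sync also live in svchost and need their own rules in the same `-Service` pattern, which is the "constant work" the thread describes. Rules keyed to a full path do nothing against a legitimate allowed binary being abused as a proxy, which is the hijacking point raised above; and, as the thread stresses, the entire allowlist is moot the moment the profile is disabled. `Remove-NetFirewallRule -Group 'Example default-deny allowlist'` and `Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow` restore the Windows defaults.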
 
There is some good firewall software out there that allows customizing rules for 100% of the files (no "safe list", total "default deny")... but man, it demands tons and tons of work, not just a "one time job"; it's constant work. IMHO, in real life we need a balance between "security", "privacy" and "usability"... and "usability" should not be taken out of the equation. As other participants said: "Stay safe, not paranoid." For average users, Windows Defender + Firewall default settings are part of that right equation. And for advanced users, hardening Windows or a modern third-party antivirus/anti-malware with automatic action (no "default deny") is more than enough.
There are also many high-quality third-party solutions. It’s not just one. There are many firewalls. The market offers options, for everyone to choose what they want. Some of them are free, others are cheap.
 
I have decided to stay with DefenderUI/CyberLock... I put Avast on, ahhh (blocks sport site), Bitdefender slowww, have backup and hope I stay safe, not paranoid (Thanks oldschool).
Defender with DefenderUI or Configure Defender is as good as any.
Secondary protection consisting of CyberLock or Simple Windows Hardening Light is as good as any.
You'll be fine. I try not to change my protection because of any video, doing so would result in constant change.