App Review Windows Defender Firewall Critique Part 2

[Decopi]

The only issue I have is that the firewall is setup as Default-allow, and create rules for malicious processes. This would be an exercise in futility because there are thousands if not millions of malicious processes in existence. Is it not better to setup as Default-deny, and create rules for safe applications that require outbound comms? This way nothing is allowed, except for those applications/processes installed on the device that are deemed safe. So much easier to manage.

That said, Defender firewall without some sort of functionality interface such as Windows Firewall Control is a cumbersome joke to configure. Also, it has a terrible limitation in that it can't handle wildcards in path rules.

The Defender firewall being terminated is concerning, especially as it seems, correct me if I'm wrong, the DANGER(.)exe was launched without elevated privileges. But @oldschool has sound advice as usual Somehow preventative measures must be put in place to prevent the malicious process from launching in the first place.

Please, allow me to paste the same comment I made to your other similar post:
In general, I totally agree with your comment.
But comms is just the tip of the iceberg. If the device is infected, firewall can do almost nothing to solve the problem. Here a real modern antivirus/malware is needed.
Also, take the example of Comodo, an abandonware since 2017 + full of unfixed bugs... by default, Comodo Firewall allows comms for "safe files", where "safe files" is just an arbitrary list made by Comodo (last update 15 years ago). Under this category you will find SYSTEM, Windows Services, SVCHOST etc etc etc... I repeat, all allowed by Comodo default. And in real life, it's possible to find thousand of cases where virus/malware hijacked all these "safe files" allowed by Comodo, and managed to have comms. And considering that Comodo can't customize fiirewall rules for Windows Services, Svchost etc, "default deny" doesn't work here.
Again, I agree with you, I'm just complementing by saying that "default deny" is not the panacea, not for files, nor for comms. And average users have zero chance to deal with "default deny" strategies.

 

[wat0114]

And in real life, it's possible to find thousand of cases where virus/malware hijacked all these "safe files" allowed by Comodo, and managed to have comms.

Good point and no doubt any 3rd-party firewall could be bypassed this way. If svchost and other Windows processes can be configured to connect to only specific and necessary IP ranges, then maybe this bypass can be mitigated. Not really sure though. I've done this some years ago with 3rd-party and even Windows firewall but it's plenty of time consuming work. In the end I lost interest.

 

[Decopi]

Good point and no doubt any 3rd-party firewall could be bypassed this way. If svchost and other Windows processes can be configured to connect to only specific and necessary IP ranges, then maybe this bypass can be mitigated. Not really sure though. I've done this some years ago with 3rd-party and even Windows firewall but it's plenty of time consuming work. In the end I lost interest.

There some good firewall software out there allowing to customize rules for 100% of the files (no "safe list", total "default deny")... but Man, it demands tons and tons of work, not just a "one time job", it's a constant work. IMHO, in real life we need a balance between "security", "privacy" and "usability"... and "usability" should not be taken out of the equation. As other participants said: "Stay safe, not paranoid.". For average users, Windows Defender + Firewall default settings are part of that right equation. And for advanced users, hardening Windows or a modern third-party antivirus/malware with automatic action (no "default deny") is more than enough.

 

[Trident]

There some good firewall software out there allowing to customize rules for 100% of the files (no "safe list", total "default deny")... but Man, it demands tons and tons of work, not just a "one time job", it's a constant work. IMHO, in real life we need a balance between "security", "privacy" and "usability"... and "usability" should not be taken out of the equation. As other participants said: "Stay safe, not paranoid.". For average users, Windows Defender + Firewall default settings are part of that right equation. And for advanced users, hardening Windows or a modern third-party antivirus/malware with automatic action (no "default deny") is more than enough.

There are also many high-quality third-party solutions. It’s not just one. There are many firewalls. The market offers options, for everyone to choose what they want. Some of them are free, others are cheap.

 

[Digmor Crusher]

I have decided to stay with Defender UI /Cyberlock ... I put Avast on ahhh (blocks sport site ), Bitdefender slowww, have backup and hope I stay safe not paranoid(Thanks Old School

Defender with DefenderUI or Configure Defender is as good as any.
Secondary protection consisting of Cyberlock or SImple Windows Hardening Light is as good as any.
You'll be fine. I try not to change my protection because of any video, doing so would result in constant change.

 

[Sunshine-boy]

but that is dependent on the user, e.g clicking malicious links

There are zero click malware like those NSO and iSoon make.

 

[oldschool]

There are zero click malware like those NSO and iSoon make.

Of course, but how many encounter these with safe surfing habits, etc.?

 

[Trident]

Of course, but how many encounter these with safe surfing habits, etc.?

Zero, these zero-click exploits are not designed for you, me and the MalwareTips audience, they are expensive, take whole teams working for prolonged period of times to develop and are used where they should be. This is, where the exfiltrated information will have the necessary value. Usually, in state-sponsored attacks against businesses and famous persons. It is pointless to even add these into the mix, they are not relevant.

 

[Divine_Barakah]

Thanks for the test, but I have one point to share. The video clearly recommends using a 3rd party firewall. Why? Some products claim that they can protect WF from being tampered with (such as Emsisoft). Why would I use a 3rd party firewall in this case?

 

[bazang]

the video in this thread is totally fake, it's not showing any Windows security issue. Windows by default is focused on "usability".

You are literally stating what @cruelsister shows in the video... that "Windows by default is focused on 'usability' [and is insecure]."

The main manipulation of the video in this thread (and several comments), comes from omitting this fact, not informing the reader that it is 100% possible to configure Windows so that both Windows Defender and Firewall cannot be disabled.

There is no manipulation in the video "by omission." If every POC, pentest demo, or video creator had to "inform the viewer" of all the technical infos, of all the exceptions to what they are showing - then nobody in the industry would do the work. The video is in a format that is standard industry practice. Besides, the video is targeted to an audience that understands what is being shown. If they do not understand, then it is on them to put in the effort to figure it all out.

And in real life, it's possible to find thousand of cases where virus/malware hijacked all these "safe files" allowed by Comodo, and managed to have comms.

Really? Please provide a few links to evidence that corroborate this statement. What you need to provide is documented proof that a single pentester executed a malware, and that malware was able to manipulate, tamper with, and hijack "a safe Windows process" outside of containment to establish comms.

When you do that everybody here will shut up forever. We will wait...

Why would I use a 3rd party firewall in this case?

Because it can be configured to generate outbound connection alerts.

For average users, Windows Defender + Firewall default settings are part of that right equation.

Didn't you just say "Windows by default is insecure because it is configured for usability"? Yeah. You did say that. Not exactly in those words but you did say it multiple times. So not only are you saying default Windows is insecure, that the insecure Windows defaults are the right configuration for average users.

You do realize that hundreds and hundreds of millions of people do stuff that infects their Windows OS every year, right?

The prevailing, widely-accepted fact in the IT security industry is that Windows, by default, is highly insecure and that is not good for anyone. You do know that, right? You just choose to ignore it because it suits your agenda.

Indeed, nefarious actors can do anything once they have access to Windows OS, but that is dependent on the user, e.g clicking malicious links, etc. So for all intent and purposes this "critique" is simply video clickbait. Entertaining? Enlightening? Maybe. Stay safe, not paranoid. Word.

It is just a demo video. Nothing more. Nothing less. It is representative of something that is regularly seen at BlackHat, DefCon, Wild West Hackin' Fest, or even a local BSides meeting.

People that keep reading nefarious or manipulative intent on @cruelsister 's part... well, all anybody can say about that is that it is more about the person's interpretation of the video than it is about the video author.

 

[bazang]

Readers should take care,

Windows is not focused on security.

Exactly the unspoken point made in the video so whether you realize it or not, you are agreeing with @cruelsister . That it is so insecure by default is all the more reason that people are better served by using any of a number of security solutions with Comodo being just one of them.

 

[simmerskool]

Thanks for the test, but I have one point to share. The video clearly recommends using a 3rd party firewall. Why? Some products claim that they can protect WF from being tampered with (such as Emsisoft). Why would I use a 3rd party firewall in this case?

I think in the case of Emsisoft, it hardens and controls the Windows Firewall -- it is in some sense the 3d-party firewall.
PS ZoneAlarm firewall only works with MS Defender and info I read says it not compatible with 3d-party AV.

 

[Divine_Barakah]

I think in the case of Emsisoft, it hardens and controls the Windows Firewall -- it is in some sense the 3d-party firewall.
PS ZoneAlarm firewall only works with MS Defender and info I read says it not compatible with 3d-party AV.

Emsisoft said they harden WF with their BB. Trend Micro has WF Booster. F-Secure too relies on WF and I believe their BB protects WF.

 

[monkeylove]

Maybe one is better off just getting a third-party security program that works well with the built-in firewall or provide its own.

Given that, for free, there's probably Avast, and for paid, I think you can get Kaspersky Standard cheap by buying serial numbers from stores offering promos or discounts.

 

[i7ii]

WFC comes with this option:

 

[bazang]

Of course, but how many encounter these with safe surfing habits, etc.?

If one resides in nations such as Egypt or Iran, it is within the realm of possibility as those governments heavily surveille their own citizens. The only thing keeping those programs limited to the usual targeting of activists, dissidents, and perceived political enemies are the lack of personnel and resources. Otherwise something like half of all nations would stick agents in their citizens' underwear.

But you are correct for the typical netizen.

 

[Sunshine-boy]

Windows Firewall is broken, but any third-party tool that utilizes WFP is good. SimpleWall comes to mind.

 

[monkeylove]

If one resides in nations such as Egypt or Iran, it is within the realm of possibility as those governments heavily surveille their own citizens. The only thing keeping those programs limited to the usual targeting of activists, dissidents, and perceived political enemies are the lack of personnel and resources. Otherwise something like half of all nations would stick agents in their citizens' underwear.

But you are correct for the typical netizen.

Probably also "eyes" nations.

 

[Andy Ful]

The main assumption in this thread is the ability to run malware with high privileges. It is true that under this assumption, one can dismantle Windows Firewall, but also any software Firewall, AV drivers, and services. There are well-known methods to do it.

Most InfoStealers inject the code into system processes (like Svchost) - they can hardly be controlled (at home) by manually adding the firewall rules. The practical method is applying Network Protection with a blacklist of malicious domains and C2 servers. Unfortunately, the Windows built-in default protection does not include Network Protection.

Generally, all Firewalls (in reasonable settings) from home AVs are insufficient to protect users against info stealers. Even the Comodo Firewall is insufficient without applying auto containment, and such a setup is very similar to the protection based on the file reputation where the untrusted files are simply blocked. The main protection here is file reputation (or file whitelisting) and not the Firewall.

Of course, some 3rd party Firewalls can provide stronger protection without much tweaking, but they can also cause more problems than the default Windows Firewall.
A nice comparison for business AVs can be found in the MRG Effitas "360° Assessment & Certification" tests, in the sections "Real Botnet" and "Banking Simulator" (Eset and Malwarebytes on top).

 

[oldschool]

The main assumption in this thread is the ability to run malware with high privileges. It is true that under this assumption, one can dismantle Windows Firewall, but also any software Firewall, AV drivers, and services. There are well-known methods to do it.

Generally, all Firewalls (in reasonable settings) from home AVs are insufficient to protect users against info stealers. Even the Comodo Firewall is insufficient without applying auto containment, and such a setup is very similar to the protection based on the file reputation where the untrusted files are simply blocked. The main protection here is file reputation (or file whitelisting) and not the Firewall.

Enough said. Bravo!