Of course, but how many encounter these with safe surfing habits, etc.?
Windows Defender Firewall Critique Part 2
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Zero, these zero-click exploits are not designed for you, me and the MalwareTips audience, they are expensive, take whole teams working for prolonged period of times to develop and are used where they should be. This is, where the exfiltrated information will have the necessary value. Usually, in state-sponsored attacks against businesses and famous persons. It is pointless to even add these into the mix, they are not relevant.
Thanks for the test, but I have one point to share. The video clearly recommends using a 3rd party firewall. Why? Some products claim that they can protect WF from being tampered with (such as Emsisoft). Why would I use a 3rd party firewall in this case?
You are literally stating what @cruelsister shows in the video... that "Windows by default is focused on 'usability' [and is insecure]."
There is no manipulation in the video "by omission." If every POC, pentest demo, or video creator had to "inform the viewer" of all the technical infos, of all the exceptions to what they are showing - then nobody in the industry would do the work. The video is in a format that is standard industry practice. Besides, the video is targeted to an audience that understands what is being shown. If they do not understand, then it is on them to put in the effort to figure it all out.
Really? Please provide a few links to evidence that corroborate this statement. What you need to provide is documented proof that a single pentester executed a malware, and that malware was able to manipulate, tamper with, and hijack "a safe Windows process" outside of containment to establish comms.
When you do that everybody here will shut up forever. We will wait...
Because it can be configured to generate outbound connection alerts.
Didn't you just say "Windows by default is insecure because it is configured for usability"? Yeah. You did say that. Not exactly in those words but you did say it multiple times. So not only are you saying default Windows is insecure, that the insecure Windows defaults are the right configuration for average users.
You do realize that hundreds and hundreds of millions of people do stuff that infects their Windows OS every year, right?
The prevailing, widely-accepted fact in the IT security industry is that Windows, by default, is highly insecure and that is not good for anyone. You do know that, right? You just choose to ignore it because it suits your agenda.
It is just a demo video. Nothing more. Nothing less. It is representative of something that is regularly seen at BlackHat, DefCon, Wild West Hackin' Fest, or even a local BSides meeting.
People that keep reading nefarious or manipulative intent on @cruelsister 's part... well, all anybody can say about that is that it is more about the person's interpretation of the video than it is about the video author.
Exactly the unspoken point made in the video so whether you realize it or not, you are agreeing with @cruelsister . That it is so insecure by default is all the more reason that people are better served by using any of a number of security solutions with Comodo being just one of them.
I think in the case of Emsisoft, it hardens and controls the Windows Firewall -- it is in some sense the 3d-party firewall.
PS ZoneAlarm firewall only works with MS Defender and info I read says it not compatible with 3d-party AV.
Emsisoft said they harden WF with their BB. Trend Micro has WF Booster. F-Secure too relies on WF and I believe their BB protects WF.
Maybe one is better off just getting a third-party security program that works well with the built-in firewall or provide its own.
Given that, for free, there's probably Avast, and for paid, I think you can get Kaspersky Standard cheap by buying serial numbers from stores offering promos or discounts.
Given that, for free, there's probably Avast, and for paid, I think you can get Kaspersky Standard cheap by buying serial numbers from stores offering promos or discounts.
If one resides in nations such as Egypt or Iran, it is within the realm of possibility as those governments heavily surveille their own citizens. The only thing keeping those programs limited to the usual targeting of activists, dissidents, and perceived political enemies are the lack of personnel and resources. Otherwise something like half of all nations would stick agents in their citizens' underwear.
But you are correct for the typical netizen.
Windows Firewall is broken, but any third-party tool that utilizes WFP is good. SimpleWall comes to mind.
The main assumption in this thread is the ability to run malware with high privileges. It is true that under this assumption, one can dismantle Windows Firewall, but also any software Firewall, AV drivers, and services. There are well-known methods to do it.
Most InfoStealers inject the code into system processes (like Svchost) - they can hardly be controlled (at home) by manually adding the firewall rules. The practical method is applying Network Protection with a blacklist of malicious domains and C2 servers. Unfortunately, the Windows built-in default protection does not include Network Protection.
Generally, all Firewalls (in reasonable settings) from home AVs are insufficient to protect users against info stealers. Even the Comodo Firewall is insufficient without applying auto containment, and such a setup is very similar to the protection based on the file reputation where the untrusted files are simply blocked. The main protection here is file reputation (or file whitelisting) and not the Firewall.
Of course, some 3rd party Firewalls can provide stronger protection without much tweaking, but they can also cause more problems than the default Windows Firewall.
A nice comparison for business AVs can be found in the MRG Effitas "360° Assessment & Certification" tests, in the sections "Real Botnet" and "Banking Simulator" (Eset and Malwarebytes on top).
Most InfoStealers inject the code into system processes (like Svchost) - they can hardly be controlled (at home) by manually adding the firewall rules. The practical method is applying Network Protection with a blacklist of malicious domains and C2 servers. Unfortunately, the Windows built-in default protection does not include Network Protection.
Generally, all Firewalls (in reasonable settings) from home AVs are insufficient to protect users against info stealers. Even the Comodo Firewall is insufficient without applying auto containment, and such a setup is very similar to the protection based on the file reputation where the untrusted files are simply blocked. The main protection here is file reputation (or file whitelisting) and not the Firewall.
Of course, some 3rd party Firewalls can provide stronger protection without much tweaking, but they can also cause more problems than the default Windows Firewall.
A nice comparison for business AVs can be found in the MRG Effitas "360° Assessment & Certification" tests, in the sections "Real Botnet" and "Banking Simulator" (Eset and Malwarebytes on top).
Last edited:
slightly off topic: "untrusted files are simply blocked." I'm running AppGuard 6.7 again, this time successfully -- just needed to get comfortable with it. As Shadowra mentioned in recent video test, blocks everything (paraphrase) but whatever should be running is running -- fwiw my current experience.
Yes and No.
The test was done without the first infection stage (malware delivery). So there are two possible scenarios:
Yes: FirewallHardening cannot help when the initial malware is downloaded by the user and the attack does not abuse outbound connections of LOLBins.
No: FirewallHardening can prevent the malware (from the video) if it is delivered as a payload via the outbound connections using LOLBins.
AppGuard can block the particular malware from the video. However, it can be bypassed on the default settings when using shortcuts and scripting methods. You must restrict popular LOLBins for more protection.
thanks! & you have a very good app for that.AppGuard can block the particular malware from the video. However, it can be bypassed on the default settings when using shortcuts and scripting methods. You must restrict popular LOLBins for more protection.
In India and SE Asia, infections from USB flash drive sharing is rampant.
Not all infections or attacks happen via a file download from a network and execution. That is a real-world fact.
How malware is delivered is a moot point in testing unless the objective is to show how a solution protects at the delivery stage. Default deny solutions predominantly act to block execution or interrupt the malicious run sequence within the post-download or post-exploit environment.
You may also like...
-
Microsoft Defender Antivirus feat AI Defender- Started by Shadowra
- Replies: 13
-
-
The biggest risk with Windows: LOLBINS- Started by monkeylove
- Replies: 227
-
Windows Defender Firewall critique- Part 1
- Started by cruelsister
- Replies: 27
-
Video... Windows Hardening Guide 2025 Edition- Started by annaegorov
- Replies: 3