App Review Windows Defender Firewall Critique Part 2

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by Ophelia
Of course, but how many encounter these with safe surfing habits, etc.?
Zero, these zero-click exploits are not designed for you, me and the MalwareTips audience; they are expensive, take whole teams working for prolonged periods of time to develop and are used where they should be. This is where the exfiltrated information will have the necessary value, usually in state-sponsored attacks against businesses and famous persons. It is pointless to even add these into the mix; they are not relevant.
 
Thanks for the test, but I have one point to share. The video clearly recommends using a 3rd party firewall. Why? Some products claim that they can protect WF from being tampered with (such as Emsisoft). Why would I use a 3rd party firewall in this case?
 
The video in this thread is totally fake, it's not showing any Windows security issue. Windows by default is focused on "usability".
You are literally stating what @cruelsister shows in the video... that "Windows by default is focused on 'usability' [and is insecure]."

The main manipulation of the video in this thread (and several comments), comes from omitting this fact, not informing the reader that it is 100% possible to configure Windows so that both Windows Defender and Firewall cannot be disabled.
There is no manipulation in the video "by omission." If every POC, pentest demo, or video creator had to "inform the viewer" of all the technical infos, of all the exceptions to what they are showing - then nobody in the industry would do the work. The video is in a format that is standard industry practice. Besides, the video is targeted to an audience that understands what is being shown. If they do not understand, then it is on them to put in the effort to figure it all out.

And in real life, it's possible to find thousands of cases where a virus/malware hijacked all these "safe files" allowed by Comodo, and managed to have comms.
Really? Please provide a few links to evidence that corroborate this statement. What you need to provide is documented proof that a single pentester executed a malware, and that malware was able to manipulate, tamper with, and hijack "a safe Windows process" outside of containment to establish comms.

When you do that everybody here will shut up forever. We will wait...

Why would I use a 3rd party firewall in this case?
Because it can be configured to generate outbound connection alerts.

For average users, Windows Defender + Firewall default settings are part of that right equation.
Didn't you just say "Windows by default is insecure because it is configured for usability"? Yeah. You did say that. Not exactly in those words, but you did say it multiple times. So not only are you saying default Windows is insecure, but also that the insecure Windows defaults are the right configuration for average users.

You do realize that hundreds and hundreds of millions of people do stuff that infects their Windows OS every year, right?

The prevailing, widely-accepted fact in the IT security industry is that Windows, by default, is highly insecure and that is not good for anyone. You do know that, right? You just choose to ignore it because it suits your agenda.

Indeed, nefarious actors can do anything once they have access to Windows OS, but that is dependent on the user, e.g. clicking malicious links, etc. So for all intents and purposes this "critique" is simply video clickbait. Entertaining? Enlightening? Maybe. Stay safe, not paranoid. Word.
It is just a demo video. Nothing more. Nothing less. It is representative of something that is regularly seen at BlackHat, DefCon, Wild West Hackin' Fest, or even a local BSides meeting.

People that keep reading nefarious or manipulative intent on @cruelsister's part... well, all anybody can say about that is that it is more about the person's interpretation of the video than it is about the video author.
 
Readers should take care,

Windows is not focused on security.
Exactly the unspoken point made in the video, so whether you realize it or not, you are agreeing with @cruelsister. That it is so insecure by default is all the more reason that people are better served by using any of a number of security solutions, with Comodo being just one of them.
 
Thanks for the test, but I have one point to share. The video clearly recommends using a 3rd party firewall. Why? Some products claim that they can protect WF from being tampered with (such as Emsisoft). Why would I use a 3rd party firewall in this case?
I think in the case of Emsisoft, it hardens and controls the Windows Firewall -- it is in some sense the 3rd-party firewall.
PS ZoneAlarm firewall only works with MS Defender and info I read says it is not compatible with 3rd-party AV.
 
I think in the case of Emsisoft, it hardens and controls the Windows Firewall -- it is in some sense the 3rd-party firewall.
PS ZoneAlarm firewall only works with MS Defender and info I read says it is not compatible with 3rd-party AV.
Emsisoft said they harden WF with their BB. Trend Micro has WF Booster. F-Secure too relies on WF and I believe their BB protects WF.
 
Maybe one is better off just getting a third-party security program that works well with the built-in firewall or provide its own.

Given that, for free, there's probably Avast, and for paid, I think you can get Kaspersky Standard cheap by buying serial numbers from stores offering promos or discounts.
 
WFC comes with this option:

[attached screenshot: 2024-09-03_170123.jpg]
 
Of course, but how many encounter these with safe surfing habits, etc.?
If one resides in nations such as Egypt or Iran, it is within the realm of possibility, as those governments heavily surveil their own citizens. The only thing keeping those programs limited to the usual targeting of activists, dissidents, and perceived political enemies is the lack of personnel and resources. Otherwise something like half of all nations would stick agents in their citizens' underwear.

But you are correct for the typical netizen.
 
If one resides in nations such as Egypt or Iran, it is within the realm of possibility, as those governments heavily surveil their own citizens. The only thing keeping those programs limited to the usual targeting of activists, dissidents, and perceived political enemies is the lack of personnel and resources. Otherwise something like half of all nations would stick agents in their citizens' underwear.

But you are correct for the typical netizen.

Probably also "eyes" nations.
 
The main assumption in this thread is the ability to run malware with high privileges. It is true that under this assumption, one can dismantle Windows Firewall, but also any software Firewall, AV drivers, and services. There are well-known methods to do it.

Most InfoStealers inject the code into system processes (like Svchost) - they can hardly be controlled (at home) by manually adding the firewall rules. The practical method is applying Network Protection with a blacklist of malicious domains and C2 servers. Unfortunately, the Windows built-in default protection does not include Network Protection.

Generally, all Firewalls (in reasonable settings) from home AVs are insufficient to protect users against info stealers. Even the Comodo Firewall is insufficient without applying auto containment, and such a setup is very similar to the protection based on the file reputation where the untrusted files are simply blocked. The main protection here is file reputation (or file whitelisting) and not the Firewall.

Of course, some 3rd party Firewalls can provide stronger protection without much tweaking, but they can also cause more problems than the default Windows Firewall.
A nice comparison for business AVs can be found in the MRG Effitas "360° Assessment & Certification" tests, in the sections "Real Botnet" and "Banking Simulator" (Eset and Malwarebytes on top).
 
The main assumption in this thread is the ability to run malware with high privileges. It is true that under this assumption, one can dismantle Windows Firewall, but also any software Firewall, AV drivers, and services. There are well-known methods to do it.
Generally, all Firewalls (in reasonable settings) from home AVs are insufficient to protect users against info stealers. Even the Comodo Firewall is insufficient without applying auto containment, and such a setup is very similar to the protection based on the file reputation where the untrusted files are simply blocked. The main protection here is file reputation (or file whitelisting) and not the Firewall.
Enough said. Bravo! (y) (y)
 
Slightly off topic: "untrusted files are simply blocked." I'm running AppGuard 6.7 again, this time successfully -- just needed to get comfortable with it. As Shadowra mentioned in a recent video test, it blocks everything (paraphrase), but whatever should be running is running -- fwiw my current experience.
 
No, not at all. FirewallHardening will indeed add a bunch of Rules for various things (probably one of the best would be a block on PowerShell Outbound requests). However, as in the video, if WF is disabled FIRST it does not matter what rules are in place (oh, and WFH does not include a rule for this malware).

Yes and No.
The test was done without the first infection stage (malware delivery). So there are two possible scenarios:
Yes: FirewallHardening cannot help when the initial malware is downloaded by the user and the attack does not abuse outbound connections of LOLBins.
No: FirewallHardening can prevent the malware (from the video) if it is delivered as a payload via the outbound connections using LOLBins.
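The two posts above turn on one point: per-program outbound rules for LOLBins are worth having, but they only matter while the firewall itself stays enabled, and they do nothing for code injected into a system process, which is why Network Protection was mentioned earlier in the thread. The following PowerShell is an added example written for this page; it is not the FirewallHardening tool, nor code from any product discussed here. It assumes an elevated PowerShell session on Windows 10/11 with the NetSecurity and Defender modules present; the rule-name prefix and the LOLBin list are the example's own choices.

```powershell
# Added example for this thread, not code from FirewallHardening or any vendor.
# Assumes: elevated PowerShell 5.1+ on Windows 10/11; NetSecurity and Defender modules.
# The rule prefix and the LOLBin list below are constructed for this example.
#Requires -RunAsAdministrator

$RulePrefix = 'Hardening-Block-Outbound'   # constructed name prefix, not a product's

# LOLBins whose outbound network use is rarely legitimate on a home machine.
$LolBins = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\certutil.exe",
    "$env:SystemRoot\System32\bitsadmin.exe",
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\System32\rundll32.exe"
)

# 1. Rules are meaningless if the firewall is off, so check every profile first
#    and re-enable any that has been switched off.
$disabled = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($disabled) {
    Write-Warning ("Firewall was disabled for profile(s): " + ($disabled.Name -join ', '))
    Set-NetFirewallProfile -All -Enabled True
}

# 2. Add (or refresh) one outbound block rule per LOLBin that exists on this machine.
#    The name embeds the path below SystemRoot so the 32- and 64-bit PowerShell
#    binaries get distinct rules.
foreach ($exe in $LolBins) {
    if (-not (Test-Path $exe)) { continue }
    $name = "$RulePrefix $($exe.Substring($env:SystemRoot.Length))"
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $exe -Profile Any -Enabled True | Out-Null
}

# 3. Per-program rules cannot see code injected into svchost.exe or another system
#    process; Defender Network Protection blocks known malicious domains and C2
#    regardless of which process makes the connection. It is off by default.
Set-MpPreference -EnableNetworkProtection Enabled

# 4. Report what is now in place and confirm the firewall service is running.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    Select-Object DisplayName, Enabled, Action |
    Format-Table -AutoSize
Get-Service mpssvc | Select-Object Name, Status
Get-MpPreference | Select-Object EnableNetworkProtection
```

Step 1 is the part the video is really about: it re-enables the profiles, but any process running with administrator rights can disable them again, so this check is a detection opportunity (the warning) rather than a guarantee. Step 2 is the "Yes" case in the reply above (a payload pulled down through a LOLBin's outbound connection is blocked); it does nothing for the "No" case where the user runs the downloaded file directly, which is why step 3 and, ultimately, file reputation or default-deny are the stronger controls.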
 
slightly off topic: "untrusted files are simply blocked." I'm running AppGuard 6.7 again, this time successfully -- just needed to get comfortable with it. As Shadowra mentioned in recent video test, blocks everything (paraphrase) but whatever should be running is running -- fwiw my current experience.
AppGuard can block the particular malware from the video. However, it can be bypassed on the default settings when using shortcuts and scripting methods. You must restrict popular LOLBins for more protection. (y)
 
AppGuard can block the particular malware from the video. However, it can be bypassed on the default settings when using shortcuts and scripting methods. You must restrict popular LOLBins for more protection. (y)
thanks! & you have a very good app for that. :D
 
A common failing of tests like this.
In India and SE Asia, infections from USB flash drive sharing are rampant.

Not all infections or attacks happen via a file download from a network and execution. That is a real-world fact.

How malware is delivered is a moot point in testing unless the objective is to show how a solution protects at the delivery stage. Default deny solutions predominantly act to block execution or interrupt the malicious run sequence within the post-download or post-exploit environment.