Some time ago there was a debate on 4sysops about the use of outbound filtering for personal firewalls. Some argued that once malware has started on the desktop, it is already too late to stop it with a personal firewall. I recently tested the outbound filter of Vista's firewall. In my view, it makes sense for standard users to use it, but probably not for administrators.
The argument against the use of personal firewalls is that malware can disable the personal firewall or leverage another program to access the internet. Malware often uses Internet Explorer to phone home since it is usually allowed to access the internet.
In my view, both arguments are wrong with regard to standard users in the case of Vista's desktop firewall. The first argument can easily be refuted. If users don't have administrator privileges on their desktops (which I strongly recommend), then the malware will simply not have enough rights to disable Windows Firewall or to change its settings.
However, if you are logged on as admin, it is indeed possible for malware to change the settings. The strange thing is that in my test this could be done without getting User Account Control (UAC) involved. I configured the Windows Firewall with the Local Security Policy tool (just enter the name on the Program Search Prompt). When I started this tool, I didn't get a UAC prompt. I tried the same on another machine which belongs to a Windows domain and there I got a UAC pop-up.
Anyway, if you are logged on as an Administrator and the malware is smart enough to change the firewall settings before connecting to the internet, then it could indeed be possible that Windows Firewall is useless in this case.
To investigate the second argument, which assumes that malware always can use another program to access the internet, I installed the IE Tab add-on for Firefox. This plug-in allows you to use Internet Explorer to load web pages within Firefox.
First, I changed the policy for outbound filtering for the Windows Firewall. You can do this by right-clicking on "Windows Firewall" in the Local Security Policy tool (or Group Policy Editor). There, you can set outbound filtering to "block" for the different profiles (domain, private, public). Then, I added an outbound rule allowing IE to access the internet.
I was able to load web pages when I started IE, but internet access was blocked when I started IE within Firefox. This doesn't prove that IE can't be leveraged by malware to access the internet, but it shows, at least, that it won't be easy.
Next, I wanted to know if it is possible to trick Windows Firewall by exchanging exe files. In my test, I allowed Firefox to access the internet, then exchanged firefox.exe with putty.exe. I was indeed able to establish an internet connection with PuTTY afterwards. Well, this is really disappointing. Most personal firewalls use hash codes to identify applications. Windows Firewall only uses file name and path.
Now, you might argue, what is the use of outbound filtering if it can be outsmarted so easily? The point is, standard users are not allowed to make any changes in the Program Files folder. So if a user starts a malware program, it won't be able to use this trick. I, therefore, conclude that outbound filtering with Windows Firewall makes sense for standard users, but not for administrators.
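Because the rules match on file name and path only, a defender can supply the missing hash check out of band. The following is an added example, not part of the original post or of Windows Firewall: it baselines the SHA-256 of each program path named in an outbound allow rule and reports paths whose content later changes. The function names and the constructed sample files are assumptions for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(rule_programs):
    """Record the hash of every program path named in an outbound allow rule."""
    return {path: sha256_of(path) for path in rule_programs}


def find_swapped(baseline):
    """Return (path, reason) for each allowed path whose content changed or vanished."""
    findings = []
    for path, known_hash in sorted(baseline.items()):
        if not os.path.isfile(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != known_hash:
            findings.append((path, "content changed"))
    return findings


if __name__ == "__main__":
    # Constructed stand-ins for real binaries; no firewall is queried here.
    with tempfile.TemporaryDirectory() as d:
        allowed = os.path.join(d, "firefox.exe")
        with open(allowed, "wb") as fh:
            fh.write(b"constructed browser binary")
        baseline = build_baseline([allowed])
        print(find_swapped(baseline))       # taken right after the baseline
        with open(allowed, "wb") as fh:     # same path, different program
            fh.write(b"constructed other binary")
        print(find_swapped(baseline))       # the allowed path is now flagged
```

A legitimate update also changes the hash, so the baseline has to be rebuilt after patching, and it should be stored where a standard user cannot modify it.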