Firewall: Targeting Tricky Programs Regarding Online Access


  1. Posts : 89
    7 64
       #1


    Originally posted in Security, but I think this is more of a general help question.

    Some programs manage to get online despite my setting up firewall rules designed to prevent it. My method was to scan their programs folder and appdata folder for any .EXEs, and block those, but this hasn't worked. Where should I be looking & what should I be blocking?

    I realize a third party firewall can be employed, but I am asking specifically about going the manual route using the native 7 firewall.

    Thanks


  2. Posts : 2,465
    Windows 7 Ultimate x64
       #2

    First of all I must ask, how do you know that some program managed to escape your blocks? What behavior are you noticing?
    Then, what rules exactly are you adding?

    Have a look at enabling the firewall logs, it can show what connections were denied/allowed and pinpoint the root cause. Also you could run a network monitor tool (Process Hacker has one and I think Process Explorer too) to see in real time the active network connections and their associated processes.

    Rogue programs can bypass firewalls in a number of ways. Some add their own rules during their installation, others call some other (allowed) program to do the dirty work for them (Internet Explorer is a prime target for this, as it's almost always installed in a well-known location, and rarely secured). Having a kernel-mode driver is also possible. And of course, if the rogue program is run as administrator, it can tamper with the firewall in real time.

    I need to add that your approach is the wrong one. Instead of selectively blocking programs you want to prevent, do it the other way around. Block everything by default, and selectively let some programs connect. That way, if you miss something, software cannot access the network unless you add it later. While more work, this is the way you get the most out of the firewall. In security, always prefer to whitelist instead of blacklist.


  3. Posts : 89
    7 64
    Thread Starter
       #3

    That was very helpful, thanks. Are you using the native firewall on block all out then?


  4. Posts : 2,465
    Windows 7 Ultimate x64
       #4

    Yes, block everything by default. At first that means you'll lose all network connectivity, but then you allow those programs you know need network access and add exceptions for them. Everything else will be blocked, even if you forgot.

    Note that the Windows Firewall does this only for inbound connections (and by default has a bunch of rules that add exceptions for virtually everything) and for outgoing connections it allows them all by default. You'll get the most protection from the outgoing ones rather than inbound actually.
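The default-deny setup and logging described in posts #2 and #4, as an added example that is not part of the original thread, using the built-in `netsh advfirewall` commands. It assumes an elevated PowerShell prompt on an English-language Windows 7 install; the application path, rule name and backup file name are hypothetical.

```powershell
# Added example: default-deny outbound policy with logging on Windows 7.
# Run from an elevated PowerShell prompt.

# 1. Save the current policy so it can be restored with "netsh advfirewall import".
#    (Backup file name is a placeholder.)
netsh advfirewall export "$env:USERPROFILE\firewall-backup.wfw"

# 2. Block inbound AND outbound by default on every profile.
#    The quotes matter: PowerShell would otherwise treat the comma as an array operator.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 3. Log both dropped and allowed connections, so anything that still
#    gets out shows up in the log.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 16384

# 4. Allow one known program out. Path and rule name are hypothetical;
#    repeat for each program that genuinely needs network access.
$app = "C:\Tools\ExampleApp\example.exe"
netsh advfirewall firewall add rule name=Allow-ExampleApp-Out dir=out action=allow program=$app enable=yes

# 5. Review every outbound rule, including ones an installer added by itself
#    or the allow rules that ship with Windows. Disable what you do not recognise.
netsh advfirewall firewall show rule name=all dir=out |
    Select-String "Rule Name:", "Enabled:", "Action:"

# 6. Read the most recent dropped connections from the default log location.
#    The log records addresses and ports, so use a network monitor
#    (as suggested in post #2) to map a connection to a process.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Get-Content $log | Select-String " DROP " | Select-Object -Last 20
```

Expect all network access to stop after step 2 until allow rules are in place, so add the rules for the programs you rely on before testing.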


  5. Posts : 89
    7 64
    Thread Starter
       #5

    Right, thanks again. I was just curious if you yourself have stayed with the native FW only, but I understand if you'd rather not comment.


  6. Posts : 2,465
    Windows 7 Ultimate x64
       #6

    I still use the built-in Windows Firewall, and for most simple purposes I can recommend it (since Vista and later, not the one in XP). Not a great secret really, nor did I think it would matter what I use.
    I find it adequately good, not quite impressive but certainly good enough for me and many other things.

    Of course, most things I said about its configuration and the like apply equally to any other firewall and even other OSs, if anyone wants to try something different.


 
