Does Windows Firewall block "outgoing" traffic?

cfman

Can I prevent some unrecognized network communications which originate
from my PC from being initiated?

I suspect that some hidden malicious programs on my PC are making
outgoing or outbound network communications.

Can I prevent any such network traffic from happening?

Ideally, if I set an option to block all outgoing traffic, then whenever
there is a piece of software that wants to make outgoing traffic, the
blocker will raise an alarm and let me know, so I will be able to find
out where these programs hide...
 
Shenan Stanley

cfman said:
> Can I prevent some unrecognized network communications which originate
> from my PC from being initiated?
>
> I suspect that some hidden malicious programs on my PC are making
> outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?
>
> Ideally, if I set an option to block all outgoing traffic, then whenever
> there is a piece of software that wants to make outgoing traffic, the
> blocker will raise an alarm and let me know, so I will be able to find
> out where these programs hide...

Not innately.
 
Ken Blake, MVP

cfman said:
> Can I prevent some unrecognized network communications which originate
> from my PC from being initiated?
>
> I suspect that some hidden malicious programs on my PC are making
> outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?

Yes, but not with the built-in Windows firewall. That it cannot do this is
probably its biggest disadvantage.

Almost any third-party firewall can do this, and is therefore a better choice.
 
Pennywise

cfman said:
> Can I prevent some unrecognized network communications which originate
> from my PC from being initiated?
>
> I suspect that some hidden malicious programs on my PC are making
> outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?
>
> Ideally, if I set an option to block all outgoing traffic, then whenever
> there is a piece of software that wants to make outgoing traffic, the
> blocker will raise an alarm and let me know, so I will be able to find
> out where these programs hide...

Use Leaktest to test your firewall program (and don't use Windows
Firewall): http://www.grc.com/lt/leaktest.htm

Just a small file that phones home - see if your firewall can stop it.
 
Bruce Chambers

cfman said:
> Can I prevent some unrecognized network communications which originate
> from my PC from being initiated?

Certainly. Simply install and properly configure a personal firewall.

> I suspect that some hidden malicious programs on my PC are making
> outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?

Again, simply install and properly configure a personal firewall.

> Ideally, if I set an option to block all outgoing traffic, then whenever
> there is a piece of software that wants to make outgoing traffic, the
> blocker will raise an alarm and let me know, so I will be able to find
> out where these programs hide...

To answer the question misplaced in the subject line:

WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes. What WinXP SP2's firewall does not
do is provide an important additional layer of protection by informing
you about any Trojans or spyware that you (or someone else using your
computer) might download and install inadvertently. It doesn't monitor
out-going network traffic at all, other than to check for IP-spoofing,
much less block (or even ask you about) the bad or the questionable
out-going signals. It assumes that any application you have on your
hard drive is there because you want it there, and therefore has your
"permission" to access the Internet. Further, because the Windows
Firewall is a "stateful" firewall, it will also assume that any incoming
traffic that's a direct response to a Trojan's or spyware's out-going
signal is also authorized.

ZoneAlarm or Kerio are much better than WinXP's built-in firewall,
in that they do provide that extra layer of protection, are much more
easily configured, and have free versions readily available for
downloading. Even the commercially available Symantec's Norton Personal
Firewall provides superior protection, although it does take a heavier
toll on system performance than do ZoneAlarm or Kerio.

Firewalls and anti-virus applications, which should always be used
and should always be running, are important components of "safe hex,"
but they cannot, and should not be expected to, protect the computer
user from him/herself. Ultimately, it is incumbent upon each and every
computer user to learn how to secure his/her own computer.

--

Bruce Chambers

Help us help you:

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
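Bruce's description holds for XP SP2; from Windows Vista onward the built-in firewall has a per-profile default outbound action (Allow unless changed) and can log what it drops. The following is an added example, not code from any participant in this thread: it switches all profiles to default-deny outbound, allows one program explicitly (the Firefox path is a stand-in), and, because the text log does not record the program name, enables Filtering Platform failure auditing and reads event 5157, which does name the executable. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (NetSecurity module); as karl points out further down, anything already running as administrator on the same host can undo these settings.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.

# 1. Default-deny outbound on every profile and log dropped packets.
#    Existing Allow rules (DNS, Windows Update, ...) keep working; traffic
#    with no matching rule is now dropped instead of silently permitted.
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName $logPath `
    -LogMaxSizeKilobytes 16384

# 2. Allow a known program explicitly (example path; substitute your own).
New-NetFirewallRule -DisplayName "Allow Firefox outbound (example)" `
    -Direction Outbound -Action Allow `
    -Program "C:\Program Files\Mozilla Firefox\firefox.exe" `
    -Profile Any

# 3. Summarise outbound drops from the text log. Field order in pfirewall.log:
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#    tcpsyn tcpack tcpwin icmptype icmpcode info path   (path = SEND|RECEIVE)
function Get-OutboundDrops {
    param([string]$Path = $logPath)
    Get-Content -Path $Path |
        Where-Object { $_ -notmatch '^#' -and $_ -match ' DROP ' -and $_ -match 'SEND\s*$' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Protocol = $f[3]
                DestIP   = $f[5]
                DestPort = $f[7]
            }
        } |
        Group-Object Protocol, DestIP, DestPort |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 4. The text log never says WHICH program was blocked. Enable failure
#    auditing for the Windows Filtering Platform; each blocked connection is
#    then written to the Security log as event 5157 with the executable path.
auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable

function Get-BlockedPrograms {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5157
        StartTime = (Get-Date).AddHours(-$Hours)
    } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['Direction'] -eq '%%14593') {   # %%14593 = Outbound, %%14592 = Inbound
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = $d['Application']
                DestAddress = $d['DestAddress']
                DestPort    = $d['DestPort']
            }
        }
    } |
    Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name
}

Get-OutboundDrops    | Format-Table -AutoSize
Get-BlockedPrograms  | Format-Table -AutoSize
```

The second table is the one that answers cfman's question: it lists, per executable, how often the firewall refused an outbound connection in the last hour, so an unfamiliar path there is the place to start looking.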
 
B. Nice

> Use Leaktest to test your firewall program (and don't use Windows
> Firewall): http://www.grc.com/lt/leaktest.htm
>
> Just a small file that phones home - see if your firewall can stop it.

You can also take a look at
http://www.firewallleaktester.com/tests_overview.php - press the "view
results" button at the bottom to see how personal firewalls in
general perform as far as controlling outbound connections is
concerned. It's not very reliable.

It's better to install good anti-virus software to stop the malware
before it is allowed to run. Trying to control malware that is
already allowed to run does not work.
 
Pennywise

B. Nice said:

Nice link to various leaktesters:
http://www.firewallleaktester.com/leaktest9.htm

> press the "view results" button at the bottom to see how personal
> firewalls in general perform as far as controlling outbound connections
> is concerned. It's not very reliable.

Windows Firewall kinda sucks, huh :)

> It's better to install good anti-virus software to stop the malware
> before it is allowed to run. Trying to control malware that is
> already allowed to run does not work.

NOD32 has a thing called IMON (internet monitor) going for it.
I can't download any malware files from http://vx.netlux.org/ (my
virus checker checking site); NOD32 catches them while still zipped.
 
B. Nice

> Windows Firewall kinda sucks, huh :)

Actually not. The XP SP2 firewall does a very good job at controlling
inbound traffic. At least as good as or even better than any personal
firewall. And outbound checking was left out intentionally - knowing
that it cannot be done reliably within a Windows environment anyway.
There are simply too many ways for malware to circumvent it.

> NOD32 has a thing called IMON (internet monitor) going for it.

I agree. NOD32 is among the best. But again, antivirus software isn't
something you should rely too much on either. The best hard-/software
appliance available is your brain ;-)

> I can't download any malware files from http://vx.netlux.org/ (my
> virus checker checking site); NOD32 catches them while still zipped.

Good :)
 
karl levinson, mvp

> Actually not. The XP SP2 firewall does a very good job at controlling
> inbound traffic. At least as good as or even better than any personal
> firewall. And outbound checking was left out intentionally - knowing
> that it cannot be done reliably within a Windows environment anyway.
> There are simply too many ways for malware to circumvent it.

That's what I hate about those "leak test" sites. People who don't know
what the results mean conclude that good firewall products are not good.

Leak test sites test what happens once malware is on the computer. But
malware on a computer [with System or Administrator privileges] can do just
about anything it wants to, including disable just about every firewall out
there. Also, once malware is on your computer, you've usually got bigger
problems than whether your personal firewall software is blocking outbound
traffic. So then what good is a leak test? I think leak tests are more
useful to security experts, by demonstrating largely academic security
issues, and less useful to the general public.
 
B. Nice

> That's what I hate about those "leak test" sites. People who don't know
> what the results mean conclude that good firewall products are not good.

Which would be the correct conclusion (as far as outbound control is
concerned).

> Leak test sites test what happens once malware is on the computer. But
> malware on a computer [with System or Administrator privileges] can do just
> about anything it wants to, including disable just about every firewall out
> there.

Very true. But still the vendors claim to be able to provide complete
internet protection - and to be able to stop malware from connecting,
right? :)

You must however also realise that some of the leaktests also work
perfectly even when run under restricted rights. And malware needs
only one possible way to get out to do so. Therefore you cannot even
look at which ones block most leak tests. In the end that doesn't make
much difference for clever malware.

> Also, once malware is on your computer, you've usually got bigger
> problems than whether your personal firewall software is blocking outbound
> traffic.

Precisely. That's one of the reasons why "controlling outbound" is a
broken concept.

> So then what good is a leak test?

Hopefully leaktests can help people realise that outbound protection
is unreliable and should not be considered a security measure.

Furthermore the so-called "phoning home" issue is highly overrated and
leads to users preventing legitimate programs from checking for updates
- thereby leaving them vulnerable instead of more secure.

> I think leak tests are more
> useful to security experts, by demonstrating largely academic security
> issues, and less useful to the general public.

Wrong. It's about time users start to realise that "outbound
connection control" is a broken concept. Just look at the leak test
site. Would you accept it if your software got a similar rating at
ShieldsUp? - No. You would be screaming and yelling and posting to
newsgroups until you got each and every little dot turned green :)
 
MikeR

cfman said:
> Can I prevent some unrecognized network communications which originate
> from my PC from being initiated?
>
> I suspect that some hidden malicious programs on my PC are making
> outgoing or outbound network communications.
>
> Can I prevent any such network traffic from happening?
>
> Ideally, if I set an option to block all outgoing traffic, then whenever
> there is a piece of software that wants to make outgoing traffic, the
> blocker will raise an alarm and let me know, so I will be able to find
> out where these programs hide...

The new Windows Live OneCare blocks outgoing traffic. It's very chatty though,
which I don't care for.

MikeR
 
karl levinson, mvp

> Which would be the correct conclusion (as far as outbound control is
> concerned).

> Precisely. That's one of the reasons why "controlling outbound" is a
> broken concept.

I agree with you, sort of. Like almost all security countermeasures,
"controlling outbound" [via personal firewall software] is never going to be
100% effective. That doesn't make it useless or broken. "Controlling
outbound" raises the bar, by blocking at least some bad things, and making
you aware of the existence of some other bad things. The opposite of
"controlling outbound" is to allow all traffic out without any monitoring or
logging. Given a choice, I'd take a security countermeasure with some
vulnerabilities over no countermeasure at all, especially if the
countermeasure is inexpensive. And throwing in an external firewall device,
proxy server, etc., makes "controlling outbound" alerting and blocking not
so broken.

Unfortunately, most leak test sites are part of the problem, not part of the
solution. Correct me if I'm wrong, but instead of suggesting that
"controlling outbound" is a broken concept, I think most leak test sites
suggest that "controlling outbound" is an important concept. Those sites
suggest that you can and should 1) buy the right firewall or 2) complain to
your firewall vendor, and then you'll be secure. I think that could lead
the user to having a false sense of security, which is a dangerous thing.
Most people reading those web sites are going to conclude that "controlling
outbound" is an important test and that it is an important factor they
should consider when choosing a product. As a result, some otherwise good
products might not be purchased.
 
B. Nice

>> Which would be the correct conclusion (as far as outbound control is
>> concerned).

>> Precisely. That's one of the reasons why "controlling outbound" is a
>> broken concept.

> I agree with you, sort of. Like almost all security countermeasures,
> "controlling outbound" [via personal firewall software] is never going to be
> 100% effective.

Right. Not even close. Controlling inbound has proven to be possible
and reliable to a certain high degree. Controlling outbound (with a
personal firewall) hasn't - and never will. And therefore shouldn't be
considered a security measure.

> That doesn't make it useless or broken.

The idea itself is silly (if meant as a security measure against
malware trying to make outbound connections) since you are trying to
control malware that is already allowed to run. Malware is something
you stop at the gate (for example with a good anti-virus product or
simply by using your own common sense), not something you allow in and
try to control. It's not called malware for nothing :)

> "Controlling outbound" raises the bar,
> by blocking at least some bad things, and making
> you aware of the existence of some other bad things.

Being able to stop a few things that don't mind being stopped leads
to users believing that it works reliably and therefore imposes a false
sense of security on them. And users should NOT feel secure. Only
providers of security software want users to feel secure. Well, a user
shouldn't feel insecure either. But a user should be constantly aware
of what he/she is doing.

> The opposite of "controlling outbound" is to allow all traffic out without any monitoring or
> logging. Given a choice, I'd take a security countermeasure with some
> vulnerabilities over no countermeasure at all, especially if the
> countermeasure is inexpensive.

That's your choice. And you are free to do that, as long as you
understand the limitations. But for reasons mentioned before, I find
it a bad idea in most cases.

> And throwing in an external firewall device,
> proxy server, etc., makes "controlling outbound" alerting and blocking not
> so broken.

I fully agree. I am only objecting to outbound control by "firewalls"
running on the same machine they are supposed to protect.

> Unfortunately, most leak test sites are part of the problem, not part of the
> solution.

I disagree. It is important that users know what the real capabilities
of the products they are using are. Especially since the topic is
security. Normal users have no other possibility than to believe
what consultants or, even worse, the software vendors tell them. And
that info is, to be polite, very unreliable.

> Correct me if I'm wrong, but instead of suggesting that
> "controlling outbound" is a broken concept, I think most leak test sites
> suggest that "controlling outbound" is an important concept. Those sites
> suggest that you can and should 1) buy the right firewall or 2) complain to
> your firewall vendor, and then you'll be secure. I think that could lead
> the user to having a false sense of security, which is a dangerous thing.

I agree that a false sense of security is a dangerous thing. But I'm
not sure I fully understand what you are trying to say here.

> Most people reading those web sites are going to conclude that "controlling
> outbound" is an important test and that it is an important factor they
> should consider when choosing a product. As a result, some otherwise good
> products might not be purchased.

That's true to some extent. For example, one may be led to believe
that the Windows firewall is crap, while it is actually quite good.

But in the end, it doesn't make much difference how many leaktests a
firewall product can pass. Clever malware needs only one hole to get
through. Therefore my point is that it should be used to get an idea
of how personal firewalls in general perform - not for making
decisions on which one to use. If that was also the point you were
trying to make, then we agree.
 
karl levinson, mvp

> I agree that a false sense of security is a dangerous thing. But I'm
> not sure I fully understand what you are trying to say here.

I believe most leak test sites lead the user to believe that you should buy
the firewall that does the best at "blocking outbound." Leak test sites
often don't make it clear that once malware is on the computer, your
personal firewall is toast. Personal firewalls can't block malware on your
system, but leak test sites tend to make users think that the right ones
can.

On the other hand, personal firewalls can alert you to the existence of
spyware, adware and some malware like viruses. Things like antivirus,
network IDS, SSL, SSH, PGP, DEP execution prevention, etc. aren't 100%
foolproof, they can be evaded and fooled. And yet they are frequently used,
because they help reduce your risk. Most security countermeasures only
reduce risk, not eliminate risk. That doesn't make them worthless.
 
B. Nice

> I believe most leak test sites lead the user to believe that you should buy
> the firewall that does the best at "blocking outbound."

Agreed. As we also agree that this is not a correct conclusion.

> Leak test sites often don't make it clear that once malware is on the computer, your
> personal firewall is toast.

Ack.

> Personal firewalls can't block malware on your system, but leak test sites tend to make
> users think that the right ones can.

Yes, that's bad.

> On the other hand, personal firewalls can alert you to the existence of
> spyware, adware and some malware like viruses.

They can detect a few non-clever ones, yes. But as you also said: "Once
malware is in, your computer is toast". And catching these few ones
leads to a false sense of security for novices - and that's dangerous.

> Things like antivirus, network IDS, SSL, SSH, PGP, DEP execution prevention,
> etc. aren't 100% foolproof, they can be evaded and fooled. And yet they
> are frequently used, because they help reduce your risk.

Yes, but while knowing that things like IDS and anti-virus products are
also not too reliable, at least they are trying to stop things before
they do any harm. Trying to control malware that is already running is
just plain stupid. And users should know that.

> Most security countermeasures only reduce risk, not eliminate risk.

True to some extent. There is however something about security. One
can gain 100% security against a specific threat. Let's say a
vulnerability is found in a specific network service. If you stop
running that service you are 100% protected against that threat. And
IMO for something to be considered a security measure it has to at
least be reliable to a certain high degree (like inbound control can
be, for example). Outbound control is not worthy of being considered a
security measure, IMHO.

> That doesn't make them worthless.

Nearly. And dangerous, because novices are led to believe they are
protected - fooled by the product vendors' marketing departments.

Some products are even dangerous because they add new vulnerabilities
to your computer that you would not have without them.

Examples:

* The Witty worm - targeting only computers running a specific PFW.

* The SelfDoS attack - targeting only computers running specific PFWs
with a faulty IDS implementation.

* Bad design - some PFWs have severe design errors by not following
MS's most basic recommendations for Windows security - thereby
allowing restricted users to gain administrative rights. And since
this is by design, it is not something that can be fixed without
rewriting. Specific PFWs have, for example, had this error for several
years - making them completely useless within a corporate environment.
And, in principle, allowing malware to gain administrative rights by
itself, leading to a complete compromise - even though I am not aware
of any actual reports about that - yet.

There are many other examples. Just go google for "personal firewall
vulnerability" - you may be surprised.

If these were just ordinary applications I wouldn't make much fuss
about it, but these companies claim to be in the security business.
They better start proving themselves worthy.
 
karl levinson, mvp

> Nearly. And dangerous, because novices are led to believe they are
> protected - fooled by the product vendors' marketing departments.

I agree that a false sense of security is dangerous. I also think that
novices are just often going to be uninformed and largely untrainable about
security issues. Novices are also prone to the opposite problem, an
unnecessary panic when warned about security issues, which can lead them to
make rash or unnecessary decisions, which should also be avoided. Security
awareness and training programs for home and corporate users generally pick
just a few of the most important take-home points and really dumb them down,
hoping they'll stick. We still haven't succeeded in getting all home users
to patch, use an AV, and use a firewall. The technical vulnerabilities of
firewalls are useful for some more moderately technical users to know, but are
too much info for other users.

> Some products are even dangerous because they add new vulnerabilities
> to your computer that you would not have without them.
>
> Examples:
>
> * The Witty worm - targeting only computers running a specific PFW.

Yes, but the Witty worm was not that widespread or common an occurrence, and
people who were affected had neither the firewall update nor the antivirus
update that would have prevented Witty infections. You'd want to compare
the risk of using a firewall versus the risk of not using one, and choose
the better of the two. In most environments, you usually have less risk by
using some form of TCP/IP filtering on the workstation than not. I'm not a
fan of Windows IPSec filtering rules on workstations, because the logging is
not really good enough. So that pretty much leaves you with the Windows XP
firewall, a third party software firewall, or a firewall device of some
sort.
 
B. Nice

> Yes, but not with the built-in Windows firewall. That it cannot do this is
> probably its biggest disadvantage.
>
> Almost any third-party firewall can do this, and is therefore a better choice.

Staying with the Windows firewall has some solid advantages. And
installing a third-party firewall provides both advantages and
disadvantages, so you cannot just conclude like you did.
 
B. Nice

> I agree that a false sense of security is dangerous. I also think that
> novices are just often going to be uninformed and largely untrainable about
> security issues.

I don't think so. At least I will give it a try :)

> Novices are also prone to the opposite problem, an
> unnecessary panic when warned about security issues, which can lead them to
> make rash or unnecessary decisions, which should also be avoided.

True. "A false sense of insecurity".

> Security awareness and training programs for home and corporate users generally pick
> just a few of the most important take-home points and really dumb them down,
> hoping they'll stick.

Way better than nothing. Simple things like "install the updates",
"use a good anti-virus product", "use another browser than IE",
"don't use Outlook or Outlook Express for e-mails" and "control your
curiosity" make a big difference if followed, IMHO.

> We still haven't succeeded in getting all home users to patch, use an AV,
> and use a firewall.

I'm not sure I would agree with that. My experience is that users are
starting to be aware that they need to consider security. That doesn't
mean they know how to manage a firewall though.

> The technical vulnerabilities of firewalls are useful for some more
> moderately technical users to know, but are too much info for other users.

Vulnerabilities, yes. But if users can interpret the colourful ratings
at ShieldsUp they can also understand the colourful ratings at
firewallleaktester.com.

> Yes, but the Witty worm was not that widespread or common an occurrence, and
> people who were affected had neither the firewall update nor the antivirus
> update that would have prevented Witty infections.

It was just one of many examples of vulnerabilities of firewalls.
Google is your friend.

> You'd want to compare the risk of using a firewall versus the risk of not using one,
> and choose the better of the two.

Not fully correct. You'd need to consider the pros as well as the cons
of both options.

> In most environments, you usually have less risk by using some form of TCP/IP filtering
> on the workstation than not. I'm not a fan of Windows IPSec filtering rules on workstations,
> because the logging is not really good enough.

Then there is something like this: http://wipfw.sourceforge.net/ -
small, simple and reliable - as an alternative to IPSec rules. Or if
you want something bigger (and more like IPSec rules) with a nice GUI,
there is something like CHX-I from http://www.idrci.net/
Both alternatives come with stateful inspection / dynamic rules - and
logging.

> So that pretty much leaves you with the Windows XP
> firewall, a third party software firewall, or a firewall device of some
> sort.

Or: the Windows firewall (or another good packet filter), a good
anti-virus product and common sense.
 
