https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/configure-the-windows-firewall-log https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide Mostly old news, but I didn't know. The new name is what I'm talking about. Sounds to me like a hybrid, lol.
WD Firewall is an enterprise extension of the consumer-based Windows Firewall: https://docs.microsoft.com/en-us/wi...ewall-with-advanced-security-deployment-guide As applicable for most corporate native Windows security solutions, it is Group Policy based.
Thought the below was interesting enough to resuscitate this old thread. Windows Defender Firewall critique Part 1 by cruelsister: https://www.youtube.com/watch?v=J8icGPr0YKQ
Nothing really new. Everyone knows that outbound filtering is disabled by default in Windows Firewall. These attempts will be blocked once you enable outbound filtering. How do you know if something was blocked? By checking the Security event log or by using 3rd-party software which adds this functionality (I might know one). The probability that malware will go ahead and just disable Windows Firewall is pretty low, since this is too obvious to the user.
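As an added example (not from any poster in this thread), this is what the check described in the post above looks like in PowerShell on Windows 10/11, run from an elevated prompt: switch the default outbound action to Block, turn on the audit subcategory that makes the Windows Filtering Platform write a Security event for every dropped connection, and then list the outbound drops. The cmdlets, the auditpol subcategory name and Event ID 5157 are Microsoft's; the function name Get-BlockedOutbound and the field handling are my own.

```powershell
# Added example (not the thread author's code). Requires an elevated PowerShell
# session on Windows 10/11 with the NetSecurity module (present by default).

# 1. Current posture. Windows ships with DefaultOutboundAction = Allow, so
#    nothing outbound is ever "blocked" until this is changed.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Block outbound traffic that no allow rule covers, on all three profiles.
#    Built-in rules keep core Windows services working; any other program
#    now needs an explicit outbound allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Drops are silent unless WFP connection auditing is on. Failure auditing
#    writes Security Event ID 5157 ("The Windows Filtering Platform has
#    blocked a connection") for each blocked connection.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# 4. Read the blocks back. The Direction field uses resource strings:
#    %%14593 = outbound, %%14592 = inbound.
function Get-BlockedOutbound {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.Direction -eq '%%14593') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Process     = $d.Application          # device path of the blocked exe
                    Destination = "$($d.DestAddress):$($d.DestPort)"
                    Protocol    = $d.Protocol             # 6 = TCP, 17 = UDP
                    FilterId    = $d.FilterRTID           # look up with: netsh wfp show filters
                }
            }
        }
}

Get-BlockedOutbound | Format-Table -AutoSize
```

5157 is noisy on a busy host (every blocked probe, IPv6 discovery, and so on), so in practice you filter on Process or Destination, or export to a SIEM. The same event also records inbound drops; drop the Direction test to see both.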
Windows Defender Firewall critique Part 2 by cruelsister: https://www.youtube.com/watch?v=UuNXbhdmHRI
Thanks JR for posting cruelsister's video. I watch every one of her videos, including the Comodo Firewall ones, with her settings, which I use.
Yes, thanks @JRViejo - watched and commented. Frankly, it reminds me of watching a Windows XP or Vista onward demonstration of how fast WF CAN go down and be rendered wide open for malicious traffic and all the nefarious goods that go along with it. And more room for the infiltrators to probe.
This second video is very misleading. See that * in the title bar? It means that the xplorer2 file manager was executing with elevated privileges. That shortcut DANGER.exe (notice the shortcut overlay) is executed with admin privileges. Evidently, any software with administrative privileges can disable Windows Firewall. This is nothing new; it has been the same since Windows Vista. However, this can be prevented by using 3rd-party software which adds this functionality (I might know one). By the way, which command did you use for that shortcut? netsh advfirewall set allprofiles state off ? I do not agree with the conclusion of this video: "Much better to use a 3rd party firewall of your choice". If you have administrative privileges, I am pretty sure you could disable any software firewall with more or less effort.
No, xplorer2 was not run as Administrator. The only reason the file was executed from there in this video was that there are a few on MT who feel that running files from the Desktop is somehow questionable. And the netsh command (by itself) must be run (on Win11) elevated; although with PowerShell the termination But this attack is certainly nothing new and has been used for years by malware. The point was not to showcase the malware, but to demonstrate that trusting WF is not advised and that added rules may not provide the protection assumed.
If you will excuse me @cruelsister, I'm sorry that a current gang (not everyone) of MT members seem to delight in scoffing at your video demonstrations with overloads of wasted ridicule, taking every chance to marginalize the valuable educational ideas you take pains to present as clearly and concisely as possible. Don't be dissuaded - those videos do a lot for anyone who makes time to learn from the research and hard testing, which are meant to give a clearer picture of what can, may, or may not offer users the big picture.
I also use xplorer2, and the only time the * is displayed in the title bar is when I execute it with elevated privileges; otherwise it does not appear. Since this appears in the video, xplorer2 was not executed under a standard user account. What command which does not require elevated privileges did you use to disable Windows Firewall? I was expecting the second video to show some technique that allows an unprivileged process to disable Windows Firewall, like impersonating a process, injecting code into a process, or something similar. It looks like you just executed a shortcut to something which we don't even know what it does. Were you able to disable Windows Firewall without elevated privileges? That would indeed be interesting. Thank you.
No, absolutely not. One needs elevation to disable WF; although this can simply be done with PowerShell, Python is more elegant and preferable for coding malware. But the point of the video was NOT the malware (which is unique only in that, for the sake of brevity, it was compiled to show how WF can be disabled and that obsessing over rules would not matter). Although many here are fully aware of these things, even more are not (how often is it heard that WF is enough?). Alternatives to WD exist, work well, and are not so readily disabled or targeted. If discussions about these alternatives start, then the video has achieved its goal.
Thanks for that! It is appreciated! But as I noted in a previous video, "The Dogs may Bark, but the Caravan travels on".
So that's how you did it. Of the actively developed alternatives I've tested recently, I unfortunately don't like any of them. I'd really like to know (sorry, I'm not demanding, haha) if your test succeeds using Andy Ful's WHHL v1.1.1.1, with SWH "On" and WDAC set to "On", and if that succeeds, then please try with WDAC set to "IAC".
Tests are nice, but a Python-driven malware also has to reach a (my) system. I don't have doubts about the results, but I don't take them for real, as it has to bypass several instances first.
Python was just my preferred method to have this file run as Admin. There are many, many ways to do this without Windows making a fuss. I didn't bother to utilize UAC in this video as I have done a few past videos about it (e.g. hxxps://youtu.be/pBt6GDAUTSk). (From Microsoft: "User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges"). Point being, what was shown in this video wasn't in any way magic, just the same old malicious thing.
Another way to disable Win firewall using PowerShell, courtesy of Microsoft:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Or, just add a firewall rule for your malicious .exe:

New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow

https://learn.microsoft.com/en-us/w...l/configure-with-command-line?tabs=powershell
@EASTER PowerShell is not in Constrained Language mode? https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
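The posts above agree on one thing: turning WF off (netsh advfirewall set allprofiles state off or Set-NetFirewallProfile -Enabled False) or adding an allow rule needs an elevated process, and the questions are whether the process was elevated and whether PowerShell was constrained. As an added example (not from any poster in this thread), this read-only PowerShell script answers those questions from the defender's side: is this session elevated, what language mode is it in, what is each profile's state, which enabled inbound rules allow a specific program (the kind a malicious installer adds), and which firewall rule or setting changes were audited to the Security log. It changes nothing. The function names and the output layout are mine; the cmdlets, the audit subcategory and Event IDs 4946, 4947, 4948 and 4950 are Microsoft's. It assumes Windows 10/11 with the NetSecurity module.

```powershell
# Added example (not the thread author's code). Read-only: reports state and
# audited changes, never modifies the firewall. Windows 10/11, NetSecurity module.

function Test-IsElevated {
    # The same check UAC-aware malware makes before calling netsh/Set-NetFirewallProfile.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-FirewallPosture {
    [pscustomobject]@{
        Elevated     = Test-IsElevated
        # FullLanguage means Set-NetFirewallProfile / New-NetFirewallRule run
        # unhindered; ConstrainedLanguage (WDAC/AppLocker enforced) restricts .NET
        # access but does NOT by itself stop those cmdlets for an admin.
        LanguageMode = $ExecutionContext.SessionState.LanguageMode
        Profiles     = Get-NetFirewallProfile |
                       Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
        # Enabled inbound allow rules bound to a program path. A rule like the
        # tlntsvr.exe one quoted above shows up here; review anything unfamiliar.
        ProgramAllowInbound = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
            ForEach-Object {
                $app = $_ | Get-NetFirewallApplicationFilter
                if ($app.Program -and $app.Program -ne 'Any') {
                    [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Group = $_.Group }
                }
            }
    }
}

# Rule and setting changes are audited to the Security log once the
# "MPSSVC Rule-Level Policy Change" subcategory is enabled, e.g.
#   auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable
# 4946 = rule added, 4947 = rule modified, 4948 = rule deleted,
# 4950 = setting changed (a profile being turned off lands here).
function Get-FirewallChangeEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4946, 4947, 4948, 4950
            StartTime = $Since
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
}

$posture = Get-FirewallPosture
$posture | Select-Object Elevated, LanguageMode | Format-List
$posture.Profiles            | Format-Table -AutoSize
$posture.ProgramAllowInbound | Format-Table -AutoSize

if ($posture.Elevated) {
    # Reading the Security log itself requires elevation.
    Get-FirewallChangeEvents | Format-Table -AutoSize
} else {
    "Not elevated: Set-NetFirewallProfile/netsh changes would fail with 'Access is denied', and the Security log is not readable from here."
}
```

Run it twice, once from a standard and once from an elevated prompt, and the Elevated line is the whole argument of the thread in one boolean: the profile state and rule list read the same either way, but only the elevated session could have changed them, and that is the session whose 4950/4946 events you want to be alerting on.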