Windows Defender Firewall

Discussion in 'other firewalls' started by Mr.X, Oct 7, 2017.

  1. EASTER

    EASTER Registered Member

WF doesn't seem to be affected by @itman's snippet since PowerShell Full Language AND AS Admin is also up. Windows 11
    Just yesterday cleared and reset AppLocker after conducting some successful tests. Double-checked the registry under the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2 key to be sure. All yesterday
     
    Last edited: Sep 2, 2024
  2. itman

    itman Registered Member

    Appears you didn't run PowerShell as Admin.
     
  3. EASTER

    EASTER Registered Member

I'll play with that snippet later to find out why. But PowerShell on this Windows 11 even has a separate OPEN POWERSHELL HERE AS ADMIN in addition to my custom context menu Elevated PowerShell
     
  4. itman

    itman Registered Member

PowerShell in Admin mode appears as follows:
     
  5. EASTER

    EASTER Registered Member

I ran a test check. It's elevated with Admin. In fact I have code to elevate to SYSTEM when necessary.
    As I said, I will toy with that line later to see what is what and why it doesn't run.
     
  6. wat0114

    wat0114 Registered Member

    Hi @EASTER

I launched PowerShell as administrator as seen in the screenshots and easily disabled Windows Security Firewall profiles. I'm just running Windows Security with Andy Ful's WHHL tool on Windows 11, 23H2.

    EDIT

    maybe you need the path: C:\Windows\System32> ?

    Edit #2

Also worked using PowerShell x64
     
    Last edited: Sep 2, 2024
  7. itman

    itman Registered Member

I will also add that creating a script to run PowerShell as Admin silently is tricky, but I am sure the malware creators have one. The best way might be via .NET.
     
  8. Rasheed187

    Rasheed187 Registered Member

    I haven't followed all of the discussion, but just to clarify, this will also bypass WFC's Secure Rules and Secure Profile settings?
     
  9. EASTER

    EASTER Registered Member

    Last edited: Sep 4, 2024
  10. alexandrud

    alexandrud Developer

    The answer is no. This is why these extra features exist, to enhance the security.
     
  11. EASTER

    EASTER Registered Member

@itman - Looks like @alexandrud's answer to @Rasheed187's question on THAT is also another useful block.

    Simple, plain communicating. And security best of all. Another reason WFC has been time-tested with my systems.
     
  12. i7ii

    i7ii Registered Member

    No. The solution is quite simple: Password Protected User Interface.

It's 2024 and Microsoft still fails at the most basic logic behind "Administrative Privileges" as in "Password Protection". You have the option to use a password while signing in - but beyond that - one can easily execute and access any app with Admin Privileges. Really don't get why they didn't borrow such a simple practice from Linux distros. That being said - devs can still protect their apps by implementing Password Protection while accessing the UI. Since obviously, Admin privileges cannot bypass that. One would need a pretty complicated malware to be able to brute-force the password as well.
     
  13. tnodir

    tnodir Developer

    1. If any program can run as Admin on your system, then the system is not secure.
    2. MS refuses security issues due to Admin rights.

    As you can disable Windows Firewall with Admin rights, so you also can disable/uninstall/etc Comodo Firewall too.
     
  14. i7ii

    i7ii Registered Member

The way you put it makes sense if you used only Linux up to this point and never saw a Windows system beyond a corporate environment or a public domain (like a school). Point being... when you buy a system with Windows (be it desktop or portable) - it comes set up with an Admin account out of the box (obviously). Though the owner of this new system could be an 81-year-old grandpa, a 6-year-old nephew or anyone in between (not just lacking basic Windows knowledge - which doesn't say much - but even the mental capability to follow some common sense rules). That being said - and taking the majority of Windows users into account - Microsoft devs deemed Windows Firewall a lost cause (one of the least improved/updated features - or more like... "better than nothing"). Security wise - most of their resources are reserved for all the other security features - as a preventive measure against unwanted intruders (like a Trojan malware exploiting some vulnerability and running as Admin). If those fail, it is what it is - as far as M$ is concerned.

    These days and for quite some time now (close to two decades) - tons of 3rd party security apps have emerged trying to fill that gap (well, competition wise - it's Microsoft who struggles to compete with 3rd party security apps - not the other way around). And yet... most devs seem to follow the same principle (as if fond of risk taking) - by not including a basic yet common sense feature (especially for a security app) like a "Password Protected User Interface". Most but not all... among 3rd party firewalls - EVORIM understood this part (implementing a Password Protected User Interface for Free Firewall). Which I find quite baffling... seeing that all the big boys (most popular) couldn't think of something so obvious. Anyway, the best implementation of this feature can be found in a password manager: KeePassXC (which requires a password to access the database - same as KeePass - but it also includes a Windows Security feature - where beyond the password - it also needs the login PIN).
     
  15. tnodir

    tnodir Developer

    I mainly use only Windows.

    And top security rules for Windows:
    1. Do not work as Admin.
    2. Set UAC to max level.

Because, if malware can run as Admin, then the game is over.

    At least malware can format your disks, so no passwords are required.)
     
  16. i7ii

    i7ii Registered Member

Yes, malware can also have a destructive purpose - but most commonly - it's a combination of malware + spyware - where the main purpose of the malware is to gain unauthorized access and inject the spyware in question. Chaos/destructive malware was primarily developed by children (immature individuals) just having fun by spreading chaos or aiming to become infamous black hat hackers. But that was more common back in the old days - when online currencies or even using a credit card (let alone cryptocurrency) was still a new thing. These days (and for quite some time now) - malware is developed by cyber-criminals (or even kids who have such intent). Unless it's some corporate move or some type of sabotage - where destruction of data is the desired outcome - it's less likely to bump into that type of malware. While at the same time, there are probably quite a lot of individuals with silent/passive malware (+ spyware) - which stays hidden (even designed to leave a minimal digital footprint) - residing on infected systems for months if not years. Until accidentally discovered by some 3rd party security app or an updated security update for Windows. Maybe even injected at kernel level.

    As mentioned in the other post, the most common accounts for Windows are Admin accounts. Only the corporate/business world has strict user account policies as a standard - and the same goes for schooling environments. This is just a common sense policy adopted by local administrators to make their job easier. Though Deep Freeze Windows snapshots were preferable - if endorsed by upper management.
     
  17. Rasheed187

    Rasheed187 Registered Member

OK cool, so WFC actively blocks malware (no matter if it runs with admin access) from disabling the Windows Firewall, pretty cool.

    This is not true, it doesn't matter if malware runs as admin, because behavior blockers can still block them from stuff like code injection, modifying registry, modifying files, keylogging. A good anti-malware solution will protect itself from being terminated.
     
  18. EASTER

    EASTER Registered Member

@itman - Tested your script on Windows 10 IoT Enterprise and sure enough it brought down the firewall in a flash. I added True to the same script to re-enable.

    So yes, it works. Is there a way to BLOCK it from knocking it out even if PowerShell forces that little snippet to turn it off? MS obviously shows no provisions against such a simple snippet that can put it out of commission.
     
    Last edited: Sep 15, 2024
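On the defensive side of EASTER's question, an added example (not from the thread or from WFC): an elevated PowerShell script that audits the three firewall profiles, re-enables any that are off (the "added True to re-enable" step), and pulls recent setting-change events from the firewall operational log so a silent disable leaves a visible trace. It assumes the NetSecurity cmdlets are available (Windows 8 / Server 2012 and later) and that event ID 2003 in that log is the profile-setting-changed event.

```powershell
# Added example: audit, restore and trace Windows Defender Firewall profile state.
# Assumptions: NetSecurity module present; the firewall operational log is enabled
# (default) and event ID 2003 there records a profile setting change.

#Requires -RunAsAdministrator

function Get-DisabledFirewallProfile {
    # Returns the profiles (Domain/Private/Public) whose Enabled state is False.
    Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
        Select-Object Name, Enabled, DefaultInboundAction
}

function Restore-FirewallProfile {
    param([string[]]$Name)
    # Re-enable each named profile, one Set call per profile.
    foreach ($p in $Name) {
        Set-NetFirewallProfile -Name $p -Enabled True
        Write-Host "Re-enabled firewall profile: $p"
    }
}

function Get-FirewallSettingChange {
    param([int]$Hours = 24)
    # Recent profile setting changes (ID 2003 is an assumption stated above).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2003
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$off = Get-DisabledFirewallProfile
if ($off) {
    $off | Format-Table -AutoSize
    Restore-FirewallProfile -Name $off.Name
} else {
    Write-Host 'All firewall profiles are enabled.'
}
Get-FirewallSettingChange | Format-Table -AutoSize -Wrap
```

Running this as a scheduled task gives you detection and self-healing, but it is bound by tnodir's point above: code that already runs as Admin can stop the task just as easily, so it complements rather than replaces not working as Admin and a max-level UAC.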
  19. EASTER

    EASTER Registered Member

    Last edited: Sep 15, 2024
  20. EASTER

    EASTER Registered Member

Above is with PowerShell 7.4.5

    This is with the default PowerShell 5
     
  21. itman

    itman Registered Member

    Well and fine. But is the average Win 10/11 user using WFC?
     