Blocking outbound traffic with XP Firewall

Hi,

Is it possible to setup Windows Firewall to block suspicious outbound
traffic?

I want to use it as last line of defense against Trojans which have got
around my av scanner and are trying to dial out.

Thanks

Karl
 
The built-in firewall in Windows XP cannot block
outgoing traffic. Perhaps you should consider purchasing
a good internet security suite.

Internet Firewalls: Frequently asked questions
http://www.microsoft.com/athome/security/protect/firewall.mspx

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

-------------------------------------------------------------------------------------------

| Hi,
|
| Is it possible to setup Windows Firewall to block suspicious outbound
| traffic?
|
| I want to use it as last line of defense against Trojans which have got
| around my av scanner and are trying to dial out.
|
| Thanks
|
| Karl
 
That's a shame, but thanks for the tip.

I've just been reading Paul Thurrot's site and he says:

"Windows Firewall doesn't prevent outbound, application-initiated
communications"

Can you tell me what he means by "application initiated" - he means an
application on the PC right, not one from outside making a call on a program
residing on the firewalled PC?

Are there non-application-initiated outbound communications that ICF doesn't
block?

Many Thanks

Karl
 
You should also read the section called Leak Test at www.grc.com

You will be amazed how easy it is for Trojan horses to even slip through many
software firewalls, like wolves in sheep's clothing, masquerading as
legitimate programs, such as Internet Explorer, Outlook, or explorer.exe
 
You are wise to be concerned about malicious outbound communication, a
direction that most uninformed PC users never think about.

Here are 3 tools I have found very helpful regarding malicious outbound
communication:

http://www.mvps.org/winhelp2002/hosts.htm
is great, free, and uses no resources (CPU, memory, etc.)

Most anti-virus programs do a poor job of catching Trojans because they
do not specialize in Trojans. It's just a side job for many AV
programs, like the carpenter who performs pet surgery on the side.
Trojan Hunter and Ewido specialize in catching and removing Trojans.

You can set ZoneAlarm to either block selected programs from attempting
outbound communication, or pause them to ask you a question like,
"Do you want @#$%&.exe to access the internet ?" where @#$%&.exe
represents a program you either know about already, or don't know about
yet. It's easy when you get the hang of it. Just be sure to speak up
and ask again, if you start using ZoneAlarm, and have a question like
"What about Generic Host Processor for Win32 ?"
 
Thank you very much all three of you! I will get stuck in to those articles
over the weekend. Very much appreciated.
 
You're right.

Since Firefox is neither an anti-spyware program nor a software firewall
(I believe the point of the thread was blocking outbound communication),
then the obvious logical conclusion would be that Trojans and spyware
would slip through Firefox without Firefox detecting them as infections.
 
You can create ipsec filters to manage outbound traffic, but they do not care
about the application and will either allow or block all traffic as per the
ipsec filter. Though ipsec filters can be effective, it is much easier to use
a firewall like Zone Alarm instead, or a firewall device that can have a
block-all default rule for outbound connections and then you define the
allowed exceptions, which is what I do with my Netscreen 5XP, which are
available on Ebay used for well under $100. The link below explains the
basics on creating an ipsec filter using block and allow filter
actions. --- Steve

http://www.securityfocus.com/infocus/1559 --- applies to Windows XP also
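As an added illustration of the block-all-then-allow-exceptions approach Steve describes (this is not code from the thread or from the linked article), the script below builds a local IPsec policy on Windows XP SP2 with the `netsh ipsec static` context: one filter list that matches all traffic and is blocked, plus a narrower list for web (TCP 80/443) and DNS (UDP 53) that is permitted. It relies on IPsec applying the most specific matching filter, so the narrow permit filters take precedence over the catch-all block. Assumptions: an Administrator command prompt, the IPSEC Services (PolicyAgent) service running, and that web and DNS are the only exceptions wanted; the policy, filter list and rule names are placeholders chosen for this example.

```batch
@echo off
rem Added example, not from the thread: default-deny outbound IPsec policy
rem for Windows XP SP2 via "netsh ipsec static".
rem Assumes: Administrator prompt, IPSEC Services running, and that TCP 80/443
rem and UDP 53 are the only traffic you want to allow out. Names are placeholders.

rem 1. Catch-all filter list: every packet between this host and anyone.
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=Me dstaddr=Any protocol=ANY mirrored=yes

rem 2. Narrow filter list for the permitted exceptions. IPsec applies the
rem    most specific matching filter, so these override "All traffic".
rem    dstaddr=Any is used here; pinning dstaddr to your resolver's IP for
rem    the UDP 53 filter is tighter.
netsh ipsec static add filterlist name="Allowed outbound"
netsh ipsec static add filter filterlist="Allowed outbound" srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Allowed outbound" srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=443 mirrored=yes
netsh ipsec static add filter filterlist="Allowed outbound" srcaddr=Me dstaddr=Any protocol=UDP srcport=0 dstport=53 mirrored=yes

rem 3. Filter actions: plain block and plain permit (no IPsec negotiation).
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 4. Policy tying filter lists to actions.
netsh ipsec static add policy name="Outbound default deny" description="Block everything except explicit exceptions"
netsh ipsec static add rule name="Block all" policy="Outbound default deny" filterlist="All traffic" filteraction="Block"
netsh ipsec static add rule name="Allow web and DNS" policy="Outbound default deny" filterlist="Allowed outbound" filteraction="Permit"

rem 5. Assign it (only one local IPsec policy is assigned at a time).
netsh ipsec static set policy name="Outbound default deny" assign=y

rem To review or roll back:
rem   netsh ipsec static show all
rem   netsh ipsec static set policy name="Outbound default deny" assign=n
```

Two caveats follow directly from what Steve says above. The filters are address/port/protocol based and application-blind, so a Trojan that talks over TCP 80 or 443 passes exactly like a browser does; this closes off unusual ports, it does not replace a per-application firewall. And because `mirrored=yes` matches replies as well, the catch-all also blocks unsolicited inbound traffic, while a small set of traffic (IKE, for instance) is exempted from IPsec filtering by default. Test with `assign=n` ready before trusting it on a machine you cannot reach locally.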
 
To try to mitigate such, it is best to use a software firewall that can use
MD5 hashes of applications allowed to access the internet so that other
programs cannot pass as them, though some malware can simply disable the
software firewall. In addition, a hardware firewall device can be used that
can block all outbound access other than approved ports/protocols/IP
addresses, though that will not totally stop processes that can use
legitimate ports such as 80/443. --- Steve
 
Karl said:
Hi,

Is it possible to setup Windows Firewall to block suspicious outbound
traffic?


No.


I want to use it as last line of defense against Trojans which have got
around my av scanner and are trying to dial out.


WinXP's built-in firewall is adequate at stopping incoming attacks,
and hiding your ports from probes. What WinXP SP2's firewall does not
do, is provide an important additional layer of protection by informing
you about any Trojans or spyware that you (or someone else using your
computer) might download and install inadvertently. It doesn't monitor
out-going network traffic at all, other than to check for IP-spoofing,
much less block (or even ask you about) the bad or the questionable
out-going signals. It assumes that any application you have on your
hard drive is there because you want it there, and therefore has your
"permission" to access the Internet. Further, because the Windows
Firewall is a "stateful" firewall, it will also assume that any incoming
traffic that's a direct response to a Trojan's or spyware's out-going
signal is also authorized.

ZoneAlarm or Kerio are much better than WinXP's built-in firewall,
in that they do provide that extra layer of protection, are much more
easily configured, and have free versions readily available for
downloading. Even the commercially available Symantec's Norton Personal
Firewall provides superior protection, although it does take a heavier
toll on system performance than do ZoneAlarm or Kerio.



--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Is life so dear or peace so sweet as to be purchased at the price of
chains and slavery? .... I know not what course others may take, but as
for me, give me liberty, or give me death! -Patrick Henry
 