Firewall blocks outbound traffic even if outbound rule exists

Discussion in 'Windows Vista Security' started by Curt, Feb 15, 2007.

  1. Curt Guest

    Hello,

    the Microsoft Vista firewall doesn’t block outbound traffic by default. So
    all doors are open for keyloggers. Since there is no alternative firewall at
    this time, I have to use the complicated firewall from Vista. I studied
    diverse internet pages to get a handle on the Vista firewall. So I found out
    that there exists an extended configuration…

    In this extended configuration I blocked the outbound traffic and added
    rules for some programs that I want to allow outgoing traffic on all ports
    and all profiles. Now those programs can’t access the internet anymore
    although they’re allowed by rules.

    A friend of mine does it the same way as I did with the configuration, and he
    tells me he can access the internet with his browser.

    I don’t know what could be wrong. Does anyone have a hint? I use Windows
    Vista Ultimate 64-bit with the private profile.

    Here are two pictures that show my extended configuration of the firewall.
    Sorry that the text in the pictures is in German.
    Pic1_Overview: http://img508.imageshack.us/img508/1254/01overviewwr0.gif
    Pic2_Outgoing Rules:
    http://img508.imageshack.us/img508/658/02outgoingrulesid3.gif

    Greetings

    Curt
     
    Curt, Feb 15, 2007
    #1

  2. Jesper Guest

    > the Microsoft Vista firewall doesn’t block outbound traffic by default.

    Incorrect. It does block outbound traffic by default.
    Outbound-blocking host-based firewalls cannot block keystroke loggers, so,
    yes, your statement is accurate, but applies to all platforms and all
    host-based firewalls.
    I can't speak on behalf of Microsoft, but please accept my apologies for
    their giving you a firewall that actually does a much better job at what a
    firewall can meaningfully do than any other firewall on the market.

    BTW, if you want a much noisier and less useful alternative, OneCare 1.5
    runs on Vista. Its firewall is much noisier, much slower, and much more
    annoying.

    You need to tell us exactly how your firewall is configured if we are to be
    able to help you determine what is going on here. More than likely the
    programs are not identified properly.
    Please do not post pictures. Post a configuration script instead.
     
    Jesper, Feb 15, 2007
    #2

  3. Dave R. Guest

    Dave R., Feb 15, 2007
    #3
  4. Jesper Guest

    Nope. The OP was wrong. The Vista firewall by default is set to allow all
    outbound connections that are not defined to be blocked. By default it blocks
    outbound connections from many built-in services. This is also all the actual
    blocking security value you can get out of outbound filters.
     
    Jesper, Feb 15, 2007
    #4
  5. Dave R. Guest

    We're starting to split hairs here...
    I agree with this, and had you clarified it this way initially I
    wouldn't have disagreed, but the way you responded to the OP made it
    sound like the default was to block all outbound traffic when this
    clearly isn't the case.
    I don't have a Vista machine to look at to confirm, so I'll take your
    word for it.
    Agreed.

    Best Regards,

    Dave
     
    Dave R., Feb 15, 2007
    #5
  6. norm Guest

    This article may provide a bit more insight as to what the firewall
    actually does or doesn't do:
    http://www.computerworld.com/action...ewArticleBasic&articleId=9010661&pageNumber=1
    YMMV
     
    norm, Feb 15, 2007
    #6
  7. Jesper Guest

    > The Vista firewall by default is set to allow all

    Yeah, sorry. I'm getting a bit tired of answering that question a thousand
    times. Especially since most of the questions stem from a bunch of
    misinformed reporters and self-styled security experts who declared that their
    version of reality was more correct than what actually is there.
     
    Jesper, Feb 16, 2007
    #7
  8. Jesper Guest

    > This article may provide a bit more insight as to what the firewall

    That article skirts reality by stating facts, and then stretching them into
    conclusions that lie somewhere between half-truths, misleading statements, and
    the type of near-lies that have proven so effective in shaping public policy
    and selling copies of magazines.

    Take this statement:
    "In addition, there may be no practical way to use outbound filtering to
    stop all unwanted outbound connections"

    Absolutely true. Except, the author of the article really meant to say that
    "In addition, there may be not practical way to use outbound filtering in the
    Windows Vista firewall to stop all unwanted outbound connections, whereas
    third-party firewalls offer that ability." The original statement is true,
    and applies to all firewalls. What he meant to say is true too, but only up
    to the point of the inserted comma.

    Likewise misleading is the statement that "every outbound rule allows
    outbound connections." Yes, that is correct; as long as you consider only the
    rules you can see in the GUI. If you take into account the rules that you do
    not see, the ones that actually make a difference but that are only available
    using WMI calls, it is untrue. Those are the rules that block services, the
    only thing you can meaningfully restrict from making outbound connections,
    from doing so. The ones you see in the GUI are there to ensure your computer
    does not turn into a boat anchor if you block all outbound connections except
    those that are allowed. By default they make no difference.

    Another great statement is: "Making matters worse, there is no way for an
    individual or IT staffer on his own to create an all-purpose rule that will
    block malware from making outbound connections."

    Shame on Microsoft! How dare they not build that functionality in? I mean,
    how hard could it possibly be to put in a rule like this:

    if software.intent == malicious then
    block traffic
    else
    allow traffic
    end if

    That'd be the simplest thing in the world! The "competing firewalls often
    use built-in intelligence" to handle that task. All you have to do is discern
    what the software is actually intent on doing. If the user goes to eBay to
    buy a legitimate DVD then we would allow the connection, but if they intend
    to buy a bootleg one we would block it. If the software looks up a hostname
    for purposes of doing online chatting we would allow it, but if it is looking
    up a hostname to attack it we block it. Simple!

    I have a better idea: let's just not sell Windows Vista to evil people. That
    way we don't need any firewalls at all!

    So, sarcasm aside for a few seconds: yes, the statement is correct, and yet
    the meaning of it is so amazingly incorrect. In reality, what the competing
    software is doing is going on patterns; patterns that almost invariably boil
    down to a software signature that identifies malicious software and attempts
    to block all known bad things. Now you just have to know all the known bad
    things and you're home free.

    About the only really true part of that article is the comment on the
    schizophrenic approach taken by the oneCare team, which does provide outbound
    filtering. It is as noisy, annoying, and meaningless as the outbound
    filtering provided by all the other vendors.

    I'm going to leave now and go move the moon a few degrees because it is
    shining in my window and annoying me. That should be a simple task, sort of
    like making outbound filtering stop malware that is already executing on my
    computer from doing malicious things. While I am at it I think I'll go down
    to the convenience store on the corner and ask the burglars there to just be
    nice, sit still, and not steal anything until the Anti-Burglar patrol has an
    updated set of signatures to detect them.
     
    Jesper, Feb 16, 2007
    #8
  9. norm Guest

    All sarcasm aside, are you saying that other than for appearances, the
    Vista outbound firewall has no user controlled functionality that is
    worth bothering with? If so, then why bother with a user interface at
    all (meaning the user enabled rules vs the default of no rules)? If the
    user cannot be expected to figure out what is good or bad, then why give
    him the choice? Are all existing outgoing firewalls prior to the Vista
    incarnation just smoke and mirrors in the way they provide for user input?
     
    norm, Feb 16, 2007
    #9
  10. Jesper Guest

    > All sarcasm aside

    What would be the fun in putting all the sarcasm aside? :)

    Glad you got that much of it was overly sarcastic though.
    No, that is not at all what I am saying. What I am saying is four things:

    1) By default, the Windows Vista firewall provides a sane set of rules that
    are reasonable for many environments. There are many pre-defined rules that
    have an impact by default. Many (most) services, for instance, are heavily
    restricted.

    2) The functionality provided by the Windows Vista firewall provides simple
    (relatively speaking) centralized management ability of the types of
    protection that is meaningful for a host-based firewall to provide. In fact,
    building a meaningful rule-set that implements host isolation is simpler with
    the Windows Vista firewall than with any prior product, at least that I have
    used.

    3) Yes, all prior existing outbound filtering host based firewalls are
    purely smoke and mirrors. They provide no meaningful protection against
    arbitrary malicious applications already running on the host. The fundamental
    infrastructure to do so (integrity labels, User Account Control, and service
    SIDs) does not exist in operating systems prior to Windows Vista.

    4) The popular press has played, and continues to play, a crucial role in
    steering customer perception away from things that actually help protect
    people, and toward the smoke-and-mirrors functionality provided by the
    after-market firewalls, including OneCare. I do not know why that is,
    although I am conjecturing that it is because complaining about Microsoft
    sells magazines, and actually stating that Microsoft did something right gets
    you branded as a sell-out.

    > If so, then why bother with a user interface at
     
    Jesper, Feb 16, 2007
    #10
  11. norm Guest

    It may be that points 1 and 2 accurately reflect the Vista firewall
    capability. I don't know, as I have not spent any time working with the
    firewall. Point 3, however, leaves me wondering. Prior to MS entering
    the outgoing firewall market, I don't recall that many previously
    existing outgoing firewalls were described by, nor accused by, the
    knowledgeable community of being smoke and mirrors. IOW, they did the
    advertised job they were intended to do, and had they not, it would have
    been reported as such. Now there seems to be a suggested paradigm shift
    due to MS being in the market. As to point 4, MS has done many things
    "right", but just as importantly, it has done some things "not so
    right". I believe there is more to the reporting than only "it is
    because complaining about Microsoft sells magazines". On any level, what
    is different in substantiation as to what the magazines report vs the
    statement you made earlier in the thread: "I can't speak on behalf of
    Microsoft, but please accept my apologies for their giving you a
    firewall that actually does a much better job at what a firewall can
    meaningfully do than any other firewall on the market". I believe the
    jury on both sides of the discussion is still out.
     
    norm, Feb 16, 2007
    #11
  12. Jesper Guest

    > Point 3, however, leaves me wondering. Prior to ms entering

    There has been a small part of the community that has made that claim for a
    long time. You may also recall that at one point Microsoft made the same
    claim (when XP first came out, and again when XP SP2 came out).
    No, they did not. They never stopped malware from connecting out. If they
    had the adware/spyware problem would never have been. Look back at what
    happened. The vendors claimed that they would stop attackers. Yet, people got
    themselves infested with spyware. Somehow the firewall vendors managed to pin
    that one on MS, even though they kept making claims that they were solving
    it.

    The most they could do was stop things like Blaster from communicating out,
    although I can't recall anyone ever being saved by that since the service
    that Blaster attacked had a legitimate need to connect out and therefore
    could not be stopped from doing so on most systems.
    I think the jury has gone home, personally. As for what is different in
    substantiation, I have done some amount of research on the competition. Here
    is what I have discovered:
    1. Firewalls that ask the user each time they connect out quickly end up
    having that functionality either turned off, or turned into a fast-clicking
    exercise. Users do not understand the decisions they are asked to make and
    make the only one they do understand: "Do you want this dialog to go away?"

    2. The Windows Vista firewall (like the one in Windows XP SP2) is one of the
    few that protects the system at boot. Most others do not. During the Blaster
    epidemic machines would get infected one reboot in 12 even if they had the
    firewall running. Protection at boot has proven FAR more important than
    outbound filtering.

    3. Manageability is critical. Network administrators must be able to define
    a firewall policy and roll it out to a network with some assurance that
    computers actually honor it.

    4. Users should be users, not administrators. Decisions about unblocking
    applications are administrative decisions that are either granted to users
    (making them some form of administrator) or all users are made administrators
    to enable them to answer pop-ups they do not understand.

    5. The third-party firewalls make unsubstantiated claims they cannot
    possibly live up to. The latest version of Symantec's product now claims it
    "blocks online identity theft." McAfee's latest product allows you to "surf
    the Web, shop, bank, e-mail and instant message safely and securely." Sorry,
    but software cannot possibly ever do that. It can help you reach that goal,
    but by itself, it cannot.
     
    Jesper, Feb 16, 2007
    #12
  13. Curt Guest

    By the way - what about the problem I mentioned. ;-)

    I don't know how to extract the configuration script of the firewall. But I
    can try to explain the way I configured it.

    In extended configuration outbound traffic was set to "block" for all three
    profiles. Then rules were made for outgoing traffic. The English naming could
    deviate:

    1) "New rule" [NEXT]
    2) "Program" [NEXT]
    3) The path of program was set [NEXT]
    (e.g. %ProgramFiles%\Internet Explorer\iexplore.exe)
    (e.g. %ProgramFiles%\Mozilla Firefox\firefox.exe)
    4) "Allow connection" [NEXT]
    5) All profiles were checked [NEXT]
    6) The name of the rule was set

    Last but not least . . .
    7) Testing Internet Explorer: It can't connect to Internet anymore.
    8) Testing Mozilla Firefox: It can't connect to Internet anymore.

    So I have to reset outgoing traffic in private profile to "allow". Otherwise
    I can't browse the Internet anymore.

    Vista Ultimate 64-bit was installed a few days ago. Besides the gaming
    software "Steam" I've installed Avast!AntiVirus. There's no software
    installed that could be the cause of the problem. And finally the problem is
    activated by the Vista Firewall.

    What the f... Do I have to reinstall Vista? I guess the problem will appear
    again after reinstalling.


    Finally, answers to replies that aren't part of the question:

    That can't be right. Every piece of software that I use is able to send data
    to the internet. In the extended configuration of outgoing connections "allow"
    is the default. It's even named "allow (default)". This fact is confirmed by
    several discussions I found on the Internet, confirmed by serious technical
    periodicals and also confirmed by these Microsoft discussion groups, too. It's
    clearly a fact.

    This is not right! I have some experience with keyloggers and I know that
    software firewalls block the attempts of keyloggers to send logfiles through
    the internet. With open outbound traffic every piece of software can send
    everything. But perhaps it's even intended by Microsoft. It wouldn't be a
    surprise.
     
    Curt, Feb 16, 2007
    #13
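    An added example, not code posted in this thread, that does what Jesper asked for: it builds the outbound configuration Curt describes (default block on all profiles plus per-program allow rules) with Vista's built-in netsh advfirewall and exports the policy to a file that can be posted instead of screenshots. It also performs the check Jesper's "not identified properly" remark points at: on 64-bit Windows a 32-bit program (Firefox, and the 32-bit build of Internet Explorer) is installed under %ProgramFiles(x86)%, so a rule written against %ProgramFiles% does not match it; the script resolves each program under both roots before adding a rule. The rule names and relative program paths are assumptions, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Assumes Vista's built-in "netsh advfirewall"
# and an elevated (administrator) PowerShell prompt. Rule names and the relative
# program paths are assumptions modelled on the rules described in the thread.

# Return every existing copy of a program under the 64-bit and 32-bit roots.
# On 64-bit Windows a 32-bit program is installed under %ProgramFiles(x86)%;
# a rule that names %ProgramFiles%\...\firefox.exe never matches the running
# process, so the program stays blocked even though an "allow" rule exists.
function Get-ProgramPaths {
    param([string]$RelativePath)   # e.g. 'Mozilla Firefox\firefox.exe'
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $candidate = Join-Path $root $RelativePath
        if (Test-Path -LiteralPath $candidate) { $candidate }
    }
}

# Add an outbound allow rule (all profiles) for each copy of the program found;
# this is the GUI sequence "Program" -> "Allow the connection" -> all profiles.
function Add-OutboundAllowRule {
    param([string]$Name, [string]$RelativePath)
    $paths = @(Get-ProgramPaths $RelativePath)
    if ($paths.Count -eq 0) {
        Write-Warning "$Name : '$RelativePath' not found under either Program Files root; no rule added"
        return $false
    }
    foreach ($exe in $paths) {
        netsh advfirewall firewall add rule name="$Name ($exe)" dir=out `
            action=allow program="$exe" enable=yes profile=any | Out-Null
        if ($LASTEXITCODE -ne 0) { return $false }
    }
    return $true
}

# Add the allow rules first, then switch the outbound default to block, so the
# browsers are never cut off in between (rule order itself does not matter).
$added = @(
    (Add-OutboundAllowRule -Name 'Allow Internet Explorer out' -RelativePath 'Internet Explorer\iexplore.exe'),
    (Add-OutboundAllowRule -Name 'Allow Firefox out'           -RelativePath 'Mozilla Firefox\firefox.exe')
)
if ($added -contains $false) {
    Write-Warning 'Some rules were not added; outbound default left unchanged'
    return
}
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Show the outbound rules the firewall actually holds (name, program, enabled),
# then export the whole policy: this file is the "configuration script" to post.
netsh advfirewall firewall show rule name=all dir=out | Select-String 'Rule Name|Program|Enabled'
netsh advfirewall export "$env:USERPROFILE\Desktop\vista-firewall.wfw"
```

    The exported .wfw file can be re-imported with netsh advfirewall import, so the default-allow state can be restored from a copy taken before running this.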
  14. norm Guest

    Hmmm. I wonder what recent ms security feature has been said to have the
    same cause and effect issue? ;
    I disagree. Obviously, one would want to stop any malware from ever
    infecting a machine. But the whole purpose of an outbound firewall
    should be to stop any outgoing traffic not OK'd by the user, or the
    firewall defaults. Certainly if one does manage to get infected, and
    that infector needs to call home or do whatever it must, then an
    outbound firewall is the last means of protection.
    As far as your statement of admins being admins and users being users,
    don't users still have the option to set rules over and above the
    default settings for outgoing traffic with Vista? What suddenly makes
    the user smart enough to do such a thing now vs when he was deluged with
    popups on the old, ineffective firewalls you describe as smoke and mirrors?
    Inserting "MS" in place of "McAfee", the following looks like this:
    Microsoft's latest product allows you to "surf the Web, shop, bank,
    e-mail and instant message safely and securely." Look somewhat familiar?
    Actually, one could insert just about any virus/malware prevention
    provider name in place of McAfee and the statement could define what
    they promise. And finally, what, before this Vista firewall security
    breakthrough, did you use for outgoing protection? Or did you just now
    become convinced that, finally, an app has appeared that will provide
    ultimate protection and you can now use one? I still say the jury is out.
     
    norm, Feb 16, 2007
    #14
  15. Curt Guest

    No hints? :-(

    I've asked Microsoft by phone - but they asked me if I bought the OEM
    version ...then I have to call an expensive phone number. I guess if I call
    this number I'll have costs but no solution.
     
    Curt, Feb 21, 2007
    #15

  16. Check out this trialware software from Symantec. If any of it meets your
    needs you can purchase it. If not, just uninstall it. Make sure you do a
    complete backup of your system before you install any of these products as
    the removal of trial software from Symantec is not that great.


    http://shop.symantecstore.com/store...ge/ThemeID.106300/Software/categoryID.6272000
     
    Captain Roberts, Feb 21, 2007
    #16
  17. Correction on my last post. You can only pick NIS 2007 as the others are not
    Vista compatible.
     
    Captain Roberts, Feb 21, 2007
    #17
  18. Rock Guest

    What problem?
     
    Rock, Feb 21, 2007
    #18
  19. Curt Guest

    Hello,

    you can read the description of the problem in the first post.

    Short: Outgoing traffic was blocked in extended configuration for all
    profiles. Rules were defined for all profiles to allow iExplorer and Mozilla
    outgoing traffic. So it should work - but it doesn't work. Browsers can't
    communicate through the firewall. So I have to leave all outgoing traffic open.
     
    Curt, Feb 23, 2007
    #19
  20. Rock Guest

    You are using the awful web interface. Many people, including me, use a
    newsreader to access what are actually Usenet newsgroups. We only download
    the latest posts, so the previous messages might not be visible. It is
    standard protocol to quote at least a portion of the message to which you
    reply to keep the context. Sorry I don't have a resolution for your issue.
     
    Rock, Feb 23, 2007
    #20
