GordonFreeman

Windows Firewall easy bypass

9 posts in this topic

Well, I use Windows Firewall to block the internet connection for some programs. It works well when I block, for example, a folder called MySoftware in Program Files:

C:\Program Files\MySoftware\abc.exe

C:\Program Files\MySoftware\internet.exe

The problem:

The problem is that if "abc.exe" has a FileCopy command/line/etc. that copies the "internet.exe" file to another location and then runs it, the internet connection works fine (because the copy is not at C:\Program Files\MySoftware\internet.exe, so it is not blocked).

Does anyone have an idea or a way to fix this?

Sorry for my poor English, and thanks in advance.

Other firewall products may offer blocking an exe by its checksum or other properties, but that just opens an arms race between the offending program and your firewall. Starting an arms race is never a good idea.

I believe your best bet would be to examine the outbound traffic and block by target, port or protocol. If that is not sufficient, use a more advanced firewall that can block a request by its contents.

And if you are really paranoid, switch from blacklist to whitelist.

 

Thanks orbs, but blocking the traffic (with the hosts file, wildcarded hosts and the like) means a lot of research, and something can still get through. I thought about removing write permission, but that will make some programs unusable (if it didn't, I think it would be the best solution). A whitelist also looks like a lot of research because I use a lot of programs. But I will search a little more for methods to find a solution. Thanks.

Are you dealing with a specific offending program, or are you looking for a general solution?

3 minutes ago, orbs said:

Are you dealing with a specific offending program, or are you looking for a general solution?

A general solution.

Good luck then. Except for using a whitelist, I tend to think any method you may come up with can be circumvented.

If you want to play around, here's a thought. For any folder you wish to block, follow these steps:

1) Deploy a real-time monitor for filesystem events and process events on all files in that folder.

2) Whenever any file in this folder creates a process, and that process creates a new file, block that new file too.

3) Rinse and repeat.

Yeah, as I said... good luck.

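The outbound whitelist orbs recommends, written out as an added example (this is not code from the original thread or from any poster). Windows Firewall program rules match on the executable's full path, which is exactly why a copy of internet.exe dropped into another folder sails past a per-path block rule. Turning the default outbound action to Block and then allowing only named programs inverts that: the copied binary has no rule, so it is dropped. The paths in $allowed are assumptions for illustration; run this in an elevated PowerShell and adjust them to your own machine.

```powershell
# Added example: outbound default-deny ("whitelist") with the built-in Windows Firewall.
# Requires an elevated PowerShell (the NetSecurity module ships with Windows 8 / Server 2012 and later).

# Programs that are allowed to talk to the network. These two entries are assumed
# examples, not something the original thread specified; replace with your own list.
$allowed = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Windows\System32\svchost.exe'    # hosts Windows Update and other services; see the caveat below
)

# 1. Block everything outbound by default on all three profiles, and log what gets dropped
#    so you can see which program needs a rule before adding one blindly.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultOutboundAction Block `
    -LogBlocked True

# 2. One allow rule per trusted executable. The rule is keyed to the full path, which is
#    fine here: anything NOT on the list, including a relocated internet.exe, has no rule.
foreach ($exe in $allowed) {
    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Warning "Skipping missing program: $exe"
        continue
    }
    $displayName = 'Allow outbound - ' + [System.IO.Path]::GetFileName($exe)
    if (-not (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $displayName `
            -Direction Outbound -Action Allow -Program $exe -Profile Any | Out-Null
    }
}

# 3. Review: list every program that currently has an enabled outbound allow rule.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program |
    Sort-Object -Unique

# 4. Confirm the profiles really are default-deny outbound.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction, LogBlocked
```

Two caveats a practitioner would want. First, allowing svchost.exe as a whole is broad; scoping a rule with `-Service` to the specific service (Windows Update, time sync) is tighter. Second, this narrows the game but does not end the arms race orbs describes: a blocked program can still ride an allowed one, for example by launching the permitted browser with a URL or by abusing an allowed service, so the blocked-connection log from step 1 is worth reading periodically rather than only when something breaks.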

#7 ·  Posted (edited)

Or sanitize your input and verify the origin of the file before allowing it to run? Is that doable for the offending executables? Wait, I'm understanding it is not, and that is the issue... I should read.

Is abc yours? Or are you just watching both?

Seems that

run("cmd /c powershell (Get-Process -Name $name).path")

could be added at some point when it is known inet would be called.

Edited by iamtheky


That PowerShell command returns the path of the executable. If you have an expected place for stuff to be run from, then having a list of the paths would make identifying outliers easy, no?



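iamtheky's outlier idea carried through, as an added example rather than anything posted in the thread: rather than checking one process by name, walk every process that currently holds a TCP connection, pull its executable path the same way `(Get-Process).Path` does, and flag it if the path falls outside the folders you expect. Because a copy to an unexpected folder is exactly the bypass GordonFreeman describes, the example also hashes every .exe in the blocked folder up front and flags any running binary whose SHA-256 matches one of them, wherever it was copied to. The folder list and the blocked folder are taken from the thread as placeholders; nothing else here is assumed to exist on your system.

```powershell
# Added example: find processes with live network connections whose executable is either
# outside the expected install folders or is a byte-identical copy of a blocked binary.
# Read-only; runs as a normal user (some system processes hide their path, those are skipped).

# Folders from which network-capable programs are expected to run (assumed list; adjust).
$expectedRoots = @(
    'C:\Program Files\',
    'C:\Program Files (x86)\',
    'C:\Windows\'
)

# The folder the original poster blocks. Hash its executables so relocated copies are recognised.
$blockedFolder = 'C:\Program Files\MySoftware'
$blockedHashes = @{}
Get-ChildItem -LiteralPath $blockedFolder -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
        $blockedHashes[$h] = $_.FullName
    }

function Get-UnexpectedNetworkProcesses {
    param(
        [string[]]$Roots  = $expectedRoots,
        [hashtable]$Hashes = $blockedHashes
    )

    # Every process that owns an established or half-open outbound TCP connection.
    $owningPids = Get-NetTCPConnection -State Established,SynSent -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique

    foreach ($procId in $owningPids) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if (-not $proc -or -not $proc.Path) { continue }   # exited, or path not readable (protected process)
        $path = $proc.Path

        $reasons = @()

        # Path check: is the binary running from one of the expected roots?
        $inExpected = $false
        foreach ($root in $Roots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inExpected = $true; break }
        }
        if (-not $inExpected) { $reasons += 'outside expected folders' }

        # Hash check: is it a copy of something that lives in the blocked folder?
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path -ErrorAction SilentlyContinue).Hash
        if ($hash -and $Hashes.ContainsKey($hash)) { $reasons += "copy of $($Hashes[$hash])" }

        if ($reasons.Count -eq 0) { continue }

        $remote = Get-NetTCPConnection -OwningProcess $procId -State Established -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique

        [pscustomobject]@{
            PID    = $procId
            Name   = $proc.ProcessName
            Path   = $path
            Reason = ($reasons -join '; ')
            Remote = ($remote -join ', ')
        }
    }
}

Get-UnexpectedNetworkProcesses | Format-Table -AutoSize
```

The path check alone is the weak half: a copy placed under C:\Program Files\SomethingElse\ passes it, which is why the hash comparison is there. The hash check in turn only catches byte-identical copies, so a program that modifies itself on copy defeats it, which is the arms race orbs warned about. Taken together they make a reasonable detective control to pair with the firewall rules, not a replacement for them.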