Windows Firewall easy bypass


GordonFreeman

Well, I use Windows Firewall to block the internet connection for some programs. It works well when I block, for example, a folder called MySoftware in Program Files:

C:\Program Files\MySoftware\abc.exe

C:\Program Files\MySoftware\internet.exe

The problem:

If "abc.exe" has a FileCopy command/line/etc. that copies the "internet.exe" file to another location and then runs it, the internet connection works fine (because the block applies to C:\Program Files\MySoftware\internet.exe, not to the copy).

Does anyone have an idea of how I can fix it?

Sorry for my poor English, and thanks in advance.


other firewall products may offer blocking an exe by its checksum or other properties; but that just opens an arms race between the offending program and your firewall. starting an arms race is never a good idea.

i believe your best bet would be to examine the outbound traffic and block by target, port or protocol. if that is not sufficient, use a more advanced firewall that can block a request by its contents.

and if you are really paranoid, switch from blacklist to whitelist.

 

Signature - my forum contributions:

Spoiler

UDF:

LFN - support for long file names (over 260 characters)

InputImpose - impose valid characters in an input control

TimeConvert - convert UTC to/from local time and/or reformat the string representation

AMF - accept multiple files from Windows Explorer context menu

DateDuration -  literal description of the difference between given dates

Apps:

Touch - set the "modified" timestamp of a file to current time

Show For Files - tray menu to show/hide files extensions, hidden & system files, and selection checkboxes

SPDiff - Single-Pane Text Diff

 

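The two postures orbs contrasts, shown side by side as an added example (this is not code from the thread or from any poster): first the path-based block rule the OP already has, then the "switch to whitelist" posture, which is an outbound default-deny with explicit allow rules. The directory and the entries in $AllowedPrograms are assumed values for illustration; the cmdlets are the standard NetSecurity module ones and need an elevated session.

```powershell
# Added example: path-based block rule vs. outbound allow-list. Not from the thread.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later (NetSecurity module).
# $BlockedDir and $AllowedPrograms are assumed values; adjust to your own machine.
$BlockedDir = 'C:\Program Files\MySoftware'

# (1) Weak: block one program by its path. A copy of internet.exe at any other path
#     is a different program as far as this rule is concerned, which is the OP's problem.
New-NetFirewallRule -DisplayName 'Block MySoftware internet.exe' `
    -Direction Outbound -Action Block `
    -Program (Join-Path $BlockedDir 'internet.exe') | Out-Null

# (2) Stronger: default-deny outbound on every profile, then allow only known programs.
#     Traffic not matched by any rule is dropped, so a relocated copy gets no connection
#     unless you explicitly allow its new path. Existing built-in allow rules still match.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

$AllowedPrograms = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',   # assumed example entries
    'C:\Program Files\MySoftware\abc.exe'
)
foreach ($exe in $AllowedPrograms) {
    New-NetFirewallRule -DisplayName ('Allow outbound: ' + (Split-Path $exe -Leaf)) `
        -Direction Outbound -Action Allow -Program $exe | Out-Null
}

# Review the resulting posture: per-profile default action and the program each rule covers.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'Allow outbound:*', 'Block MySoftware*' |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

Block rules win over allow rules when both match, so (1) can stay in place under (2). The cost of (2) is the research the OP mentions: every updater, installer and helper process that legitimately needs the network has to get its own allow rule, and anything you forget simply stops working until you add it.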

Thanks orbs, but blocking the traffic (with the hosts file, wildcarded hosts and the like) means a lot of research, and something can still pass. I thought of removing write permission, but it will make some programs unusable (otherwise it would be the best solution, I think). A whitelist also looks like a lot of research because I use a lot of programs. But I will search for a few more methods to find a solution. Thanks.


are you dealing with a specific offending program, or are you looking for a general solution?


good luck then. except using whitelist, i tend to think any method you may come up with can be circumvented.

if you want to play around, here's a thought - for any folder you wish to block, follow these steps:

1) deploy a real-time monitor for filesystem events and process events on all files in that folder.

2) whenever any file in this folder creates a process, and that process creates a new file, block that new file too.

3) rinse and repeat.

yeah, as i said... good luck.


or sanitize your input and verify the origin of the file before allowing it to run? is that doable for the offending executables? wait, I'm understanding it is not, and that is the issue... I should read.

is abc yours? or are you just watching both?

seems that

run("cmd /c powershell (Get-Process -Name $name).path")

could be added at some point when it is known inet would be called.

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)


that PowerShell command returns the path of the executable. If you have an expected place for stuff to be run from, then having a list of the paths would make identifying outliers easy, no?

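An added example covering two posts above, written for this page rather than taken from any poster: orbs' step list (a real-time filesystem monitor that blocks a new file as soon as it appears) in the checksum-based form orbs also mentions, so that only byte-identical copies of the executables in the blocked folder get a rule, plus iamtheky's idea of listing running processes whose path falls outside the expected locations. $BlockedDir, $WatchRoots and $ExpectedDirs are assumed values, and New-NetFirewallRule needs an elevated session.

```powershell
# Added example, not from the thread. Watches writable locations for copies of the
# executables in $BlockedDir (matched by SHA-256) and adds an outbound block rule for each,
# and lists processes running from outside $ExpectedDirs. All three paths are assumed values.
$BlockedDir   = 'C:\Program Files\MySoftware'
$WatchRoots   = @($env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)   # places a copy could land
$ExpectedDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')

# Functions are defined in the global scope so they are visible inside event -Action blocks,
# which do not run in the defining script's scope.
function global:Get-BlockedHashes {
    param([string]$Dir = $BlockedDir)
    Get-ChildItem -Path $Dir -Filter *.exe -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { $_.Hash }
}

# Step 2 of orbs' procedure: give one executable path its own outbound block rule (idempotent).
function global:Block-ExecutableOutbound {
    param([Parameter(Mandatory)][string]$Path)
    $name = 'AutoBlock: ' + $Path
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block -Program $Path | Out-Null
    }
    $name
}

# A file that has just been created may still be open for writing; retry the hash a few times.
function global:Get-FileHashWithRetry {
    param([string]$Path, [int]$Attempts = 5)
    for ($i = 0; $i -lt $Attempts; $i++) {
        try { return (Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { Start-Sleep -Milliseconds 500 }
    }
    return $null
}

# Step 1: real-time filesystem monitor on every watch root. Any new or renamed-in .exe whose
# hash matches one from the blocked folder is blocked. (Attributing the file to the process that
# wrote it, as orbs describes, needs Sysmon or ETW; this reacts to the file event alone.)
function Start-CopyWatcher {
    param([string[]]$Roots = $WatchRoots)
    $global:BlockedHashes = @(Get-BlockedHashes)
    foreach ($root in $Roots) {
        $watcher = New-Object System.IO.FileSystemWatcher $root, '*.exe'
        $watcher.IncludeSubdirectories = $true
        $watcher.EnableRaisingEvents   = $true
        foreach ($evt in 'Created', 'Renamed') {
            Register-ObjectEvent -InputObject $watcher -EventName $evt `
                -SourceIdentifier ("CopyWatch-$evt-" + [guid]::NewGuid()) -Action {
                    $path = $Event.SourceEventArgs.FullPath
                    $hash = Get-FileHashWithRetry -Path $path
                    if ($hash -and ($global:BlockedHashes -contains $hash)) {
                        Block-ExecutableOutbound -Path $path
                    }
                } | Out-Null
        }
    }
}

# iamtheky's check: running processes whose image path is outside the expected directories.
# Processes whose path is not readable (system processes) are skipped rather than flagged.
function Find-ProcessPathOutliers {
    param([string[]]$Expected = $ExpectedDirs)
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $p = $_.Path
        -not ($Expected | Where-Object { $p.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase) })
    } | Select-Object Id, ProcessName, Path
}

Start-CopyWatcher
Find-ProcessPathOutliers | Format-Table -AutoSize
```

Two limits worth knowing before relying on this: there is a window between the copy landing on disk and the rule existing, during which a fast-starting copy can already have connected, and a copy that the offending program modifies before running (even by one byte) no longer matches the stored hashes. Both are the "arms race" orbs warns about; the allow-list posture has neither problem because an unknown path is denied by default rather than detected after the fact.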
