This video shouldn't be *misinterpreted as advice not to use any firewall* especially if you're using a laptop and connecting to random Wifi networks. Also, since everyone is asking why I ran the sample in a Win 7 environment (yes, this happens the same way in Windows 8/10). The purpose here isn't to bash Windows Firewall. It is a demonstration of the problem with a security model relying on the firewall on the same system the malware is executing from a cybersecurity perspective with real backdoor example.

You should do a video on the best Firewalls available.

please make more videos about malware analytics techniques , and it will be much better if you make a series from beginner to advanced. your channel is really great thank you

UAC was supposed to protect against that. But people kept complaining about annoying prompts so Windows made the default security level for never OSes "medium" which doesn't ask about built-in programs running with Admin priviledges. Instead they now use safe screen stuff that looks a program trying to run on up on the internet to determine if it should display an additional prompt. Basically just turn UAC to high first thing on a new PC and never have an issue like the one displayed.

Don’t run as a administrator. A limited user can’t change firewall settings. Thus the script won’t be able to either.

Shouldnt windows always ask you when a program tries to add a rule on the firewall?

You are testing your assertion using Windows 7 32-bit, which has entered end-of-life Jan-2020 and has not been receiving any meaningful updates for quite some time. It would have been more relevant if you run this experiment on an up to date Windows 10. Then see that the assertion you make does not hold true, at least for this test.

Someone clearly has a rather limited knowledge about firewalls and security in general. As an IT security guy for over 17 years this was quite painful to watch.

Since more and more people are running smartphone devices, I was just wondering if you could make in the future a video about Antivirus software for Android/iOS?

So, I've just never heard of that site until this video. It's very interesting to see what it can do. Are there any other sites of this type that you are aware of? Maybe you could do a video on such sites which you think are beneficial to people interested in cyber security. Thanks.

"Download his friends and have a party on your system" 🤣 Well so what should we use?

Can you do a video on how to get a router level firewall? I know it would be different for each router but it would be helpful.

Try it on Windows 10...

If you are someone who use the Windows Firewall at least in a corporate environment, one other thing you can do is use a GPO to control the Windows Firewall and tell the firewall to ignore any locally made rules. Is not a guarantee obviously but would provide some minor to moderate additional resistance to this attack. Ideally though, ya you want a hardware firewall that can actually scan into the packets and an IPS on the host that will run hashs against executables.

Doesn't f-secure use a modified windows firewall?

so how does this malware obtein premissions to change firewall settings? doesn't that need admin perms?

A list of good firewalls would be nice. Also what kind of system do you use to test these? What Linux distro do you like?

I use Private Firewall on my laptop. It lets nothing through that's not part of the operating system and lets you know if something is trying to get onto your system. It's a learning curve to use it.

Why would you do this test on WIndows 7?

Title: You shouldn't use Windows Firewall. Me: He said nothing about Windows Firewall with Advanced Security.

In theory, would UAC settings and/or running the OS on a non admin account prevent the malware from using cmd to add the rules?

Why not using windows 10?

How will this work against Windows 10 Firewall?

"Why you shouldn't just use Windows Firewall". Does this post also apply to [Windows 10 Firewall]?

Excuse me but isn't this, assuming we run a malicious file first manually right?

Now why don't you try using an Operating System that isn't discontinued. Windows 7 isn't supported anymore.

I use "Windows Firewall Control" from Malwarebytes. is it good for something?

Couldn't you just... set up a standard user account and use that for everything and require separate admin credentials? That said, I have glasswire on my desktop. It uses the Windows Firewall, but you can set it to ask to connect. So it blocks by default requiring your input to accept. It also provides a quick snip of where the application is connecting and its rating with Virustotal. It's kind of hands on at first, but once you figure it out it is pretty helpful at identifying shady programs. It does a whole lot of other things but I mainly like it because it makes managing the Windows Firewall possible.

Doesn't netsh command require admin privileges?

Why is this so misleading? Executing the "netsh advfirewall firewall add rule" requires elevation, so unless you disabled UAC you will be perfectly protected by Windows firewall. Also it seems that in order to execute the Fire.exe you would need to disable the AV as well.

I see you’re using Windows 7 in the virtual machine. You probably shouldn’t use this at this point as it is no longer supported. You may get a different result in Windows 10 defender/firewall. I use MacOS so this won’t happen to me. Saying another software firewall might’ve worked isn’t saying much unless you show it working. As well as router firewalls which I believe I have. What is the likelihood of this happening if you avoid sketchy sites I would say don’t lose any sleep over it.

That video is misleading, you skipped the vector part which can be easily blocked by the firewall.

There is a software (more like a gui) called Windows Firewall Control. It has an option called Secure Profile that deletes or disable any firewall rule that was not created using that software, even if created using cmd running as admin. But I'm not sure if it is that secure. It's now owened by Malwarebytes too. And I double down on asking you to do a video about good firewalls =)

I didn't care to check what channel. I thought, hey this guy sound like Leo. Keep it up, this channel is awesome!

Use TinyWall, its a free and light firewall controller that uses Windows Firewall but prevents rule changes outside of its own dashboard.

1:30 *SERIOUSLY WTF!!!???* Why doesn't that command AT LEAST require some kind of password to execute!? (as a parameter or a separate popup window or something.)

The end say not trying to bash Windows Firewall. But that is not even a question when it comes to objective reporting. The question is whether or not users should simply disable it and use something else.

I set "outbound" to default to "blocked" in order to deal with spyware like windows. I know that if infected spyware could easily disable this. I want to find a solution where the PC tells an external firewall the name of the process for each outbound connection attempt.

You should make a video of how to configure your firewall.

Well obviously you use an anti virus software preferably with a firewall or one that modifies the Windows one, but you are right a firewall in the router would be the better idea, some internet providers also have firewalls at their base which seems to become more and more widepsread. I would really like to see you explore more GNU Linux safety aspects etc, interesting to see which are really more secure, with or without AV.

Tip: use linux, you need a root/admin password to do rules in firewalls

Honestly I don't see the point of this video. Most users setups don't need a firewall (software or otherwise), because their behind a router doing NAT for them, so unless the malware can open ports in the router they are protected. There uPnP of course, but the whole premise of the video is wierd. It's not whether your firewall is good or not, it's about running untrusted software and the correct use of UAC.

Im a bit lost. Does it like completely bypass UAC as well and any permissions settings? obviously if you run it as a local admin it would run rampant, but does it do the same even if you separate the user account and the local admin?

1:02, This wasn’t fair. Windows 7 is EoL. Please do a test on 11/10 for fair!

Is the firewall on Win10 any different?

The good thing about default windows firewall is to block remote code execution vulnerabilitis. in my opinion, directly bind connections are denied, but the problem is when the connection is from inside to outside, windows firewall will just look and says "ok"

So, one edge case where your system needs to already be compromised means that Windows Firewall is useless?

Leo, i have bitdefender antivirus plus edition which doesnt have firewall, i dont want to use windows firewall, any recomendation for firewall that can installed with bitdefender antivirus plus?,P.S.: sorry for bad english

Iobit Malware Fighter 8 rc just came out. Would love to see some Iobit software tests.

What's the program you're using there to simulate this stuff?

Malwarebytes Windows firewall control has something called a secure profile and secure rules, no idea how effective it is though.

Shouldn't you get a notification tell new Defender is off and the settings were changed

It took me until now to realise that the ISP supplied router does not seem to have a built in firewall, at least as far as i can tell The router which i am using as an access point does have a firewall though, although because i had it in access point mode, the firewall was automatically turned off (since in access point mode the WAN port becomes another LAN port) Just now i switched a few Ethernet cables around so everything is now connected through the router that i was using as an access point, and changed the router back over to router mode, so now the ISP supplied router is basically being used as a modem All the devices i have were already either connected to Ethernet, or the router which i used to have set up as an access point, this router is upstairs, while the ISP supplied router is in the kitchen, the WiFi signal of the ISP supplied router drops out in certain areas of the living room, and does not reach upstairs, whereas the router i have upstairs covers all parts of the house except for the kitchen, but this doesn’t bother me, as I don’t have any devices in the kitchen that connect to WiFi

Hm.. I think this problem happens only if you use administrative windows account. AFAIK simple user account, unless asked to so, does not allow changing system settings, firewall rules included. It is not a problem of a windows firewall, the problem is in windows itself, because some programs required administrative environment to run properly.

what's the difference between registered and non registered domain with PAGE NOT FOUND 404 message? can you explain I can't find the info, how to distinguish them?

Windows Firewall + Simplewall works great!! Older versios allowed you to disable Windows Frewall, but now they coexist and you can block all telematry as well. Nothing is allowed unkess you approve it.

My firewall: windows firewall has blocked some of the features of this app Me: oh- WELL AT LEAST MY FIREWALL IS WORKING 😃

So what Windows firewall payed package is worth buying to the competition. This is if I have too sercumstance of being cheaper likely.

Back in the day, I used ZoneAlarm. Currently, I don't run a firewall. As I actually forgot how important they are

I'm not really sure how effective firewalls are to stopping an established malware that's already installed itself. Unless you set the firewall to block outbound traffic by default, the malware can just initiate an outbound request to the malware server (which probably won't be blocked) and the response is automatically allowed back in through the firewall. And let's face it, most users don't setup firewalls to block by default and if they were already dumb enough to open the malware in the first place they will probably just allow it out through the firewall too.

5:03 I really don't get this feature of virustotal. I mean, every file I drop into it ends up looking like this once it's expanded. Is everything on my system compromised?

How come you are not using private settings on the firewall.

This only happened if the malware can pass defender antivirus for windows right?

While hardware firewall is very good, when on the go, it is difficult to use a hardware firewall on, say, public transport. Relying on tech to protect people from doing shady behaviours online is just not going to go well. With all that being said, some recommendations other than using hardware firewall would be nice.

Please consider doing a video on this particular threat against Komodo firewall. Thanks. Great channel! 👍

How do I stop it from blocking my game bruh

This is not a Windows Firewall issue at all. This is an issue that could apply to any software firewall if running Windows as an Administrator. It could also apply to MacOS or Linux if you are stupid enough to operate as the Root account and run a malicious script.

Subscribed to your channel! You have amazing information!

If you add the "Windows Firewall Control" add-on, this should improve the situation of protecting the network from malicious activity. Kettles will boil from add-on requests for creating rules for each network action, but this will be effective to limit the actions of the malware and legitimate programs that should not have access to the network.

I use Private Firewall, It is not being updated any more since 2015 I believe, but I don't see any need for it to be updated. I would love to see The PC Security Channel test it against Ransomware, like he did with the Comodo Firewall...PLEEEEEEESE?!?!

Really interesting and so well explained with the demonstration.

Quick question, what happens if you are using an AV product that uses the Windows Firewall? Sophos I know uses Windows Firewall, so would this than be on the AV product to pick up on the trojan?

1. Can you differentiate between Windows Firewall, Windows Defender, and Microsoft Security Essentials in Windows 7? 2. Is Microsoft Security Essentials adequate when used in Windows 10?

What's the best alternative then? How do we put a firewall at the appropriate level for protection?

why is the audio so low?

Hello,Leo. Interesting point it is which you mentioned. But i have a question: Not only windows firewall is protecting the system if we choose windows protection, also windows defender antivirus is protecting the system when we enable it. Those backdoor malwares will be able to bypass windows av? so that your scenario will be accomplished. This looks like just a possibility to accomplish. This won't mean %100 success for trojan to be successfull in comppromising system. There is not only firewall side ,also av side there is.. Thanks...

Trust MS to call their paperwall a firewall.

Just a question - shouldn't your antivirus block the malware before it makes changes anyways? I'm not too familiar with how this works especially backdoors. I've been using ESET Antivirus + Windows Firewall for almost 10 years already because of how lightweight it is. Haven't had a single problem. I also appreciate the cheaper cost vs the Internet Security version. I used the whatever version it was that had the firewall prior to that. Didn't notice any difference as a regular user who don't fiddle with firewall rules and all that. Just considering it again if Windows Firewall really is that bad

I can’t really say that I would agree with the title and conclusion. The WF is z a great addition to Windows and can do multiple levels of authentication. What you demonstrated is a local infection that connects to an external source, it could do that by utilizing a session and skip any host based fw. I do agree on net network based fw. BTW, in a corporate environment always set the firewall to enable and manage it.

Well, the malware can in this case kill any antivirus you have running using Command lines. So, the moment you give admin rights, you're screwed regardless.

Microsoft used to apply a similar poor firewall policy on the Small Business Server line! They had to change the technical guidance once people explained how ineffective the firewall was.

So do we need a firewall on a desktop PC that is always connected to a safe network?

Since i use a pirated version of Windows 8.1 pro, i have granted firewall control to Avast free anti-virus. It is a good or bad decision bro ?

would the addition of Tinywall make sense? It is supposed to block apps from disabling the Windows Firewall, aside from its whitelist policy

Bro waht if i use windows firewall to prevent the game from trying to go online

cmd.exe needs administrative privilege to run firewall commands, so never disable UAC.

I wonder wheter Win 11 firewall behaves the same

Are you saying don't use windows defender even if you have another anti-virus/firewall program like Sophos Home 3.0? I have both running at the moment.

Wouldn’t a separate hardware firewall have to be manually configured for every application you run? Otherwise it would rely on UPnP which is pretty easy for malware to abuse? I’m no expert though. I do have an external firewall but it is UPnP based so not sure it does much.

I thought the default config for a router firewall is to deny unsolicited incoming connections and allow outgoing connections. I don't see how that is better, unless you have a default-deny policy for outgoing connections and you are obsessively white-listing domains you visit in your router. This is fine if you're in a corporate setting, but I don't want my wife nagging me 20 times a day to add new domains to the whitelist while she's shopping online for nicnacks and dodads.

What do I do if I don't have alternative Firewalls available at the moment? Do I turn off windows firewall systems regardless? Please elaborate.

Great video, have been looking for something along these lines for sometime, also caught your video on Win11 and agree with the concerns you posed. Because of the risks of using Windows Firewall I installed Norton 360 and use that instead about five years ago. One feature I liked about Norton was the ease at which you could block out bound traffic from specific apps. And for a while I thought I had plugged most of the holes that Windows Telemetry was using. But nearly two years ago I noticed NF was not logging blocked traffic on the Window Telemetry settings I had entered, and wondered if MS had moved telemetry services deeper into the OS in order to bypass any firewall. But my knowledge doesn't take many any further than that, so I'm not sure what MS is doing now, but I do know the amount telemetry being collected has only increased. And you can't disable it any longer either. So, if you could add some suggestions on alternative firewalls, preferably hardware ones, that would allow someone to block outbound traffic, that would be great. Keep up the work and I'll share the links.

The content of this videos actually makes no sense to me. When you or any malware tries to add a Windows Firewall rule, a UAC dialog will pop-up. It can't do that without it. In case you confirm that dialog, no firewall would be able to protect you anymore. Malware can shutdown any firewall with ZwTerminateProcess.

actually windows 10 as well as windows server 2003 have basically the same firewall and most malware that affected server 2003 surprise works in windows 10 i highly recommend another firewall program as well as anti malware and anti virus as well

I have my firewall/IPS running on a UDM from Ubiquiti and also have Norton Internet Security running on all of my machines. According to my IPS threat management it blocked a suspicious connection attempt made by someone Canada and Norway and more recently someone in the US. Its crazy to think that if routers didn't have firewalls built in, lots of people would be infected without even realising.

Any reason why you are using a non supported OS? Windows 7 stopped being supported Jan 14 2020 or so I believe. Wasn't the Windows 10 firewall made more robust? Just asking.

Why are you testing Windows 7? It has been EOL’d. This would be more relevant if you tested with Win 10.

i was using kaspersky total fiewall before.. no detections... clean system now using mcafee total firewall... i get many warning - blocked unsafce connection is it true that kaspersky failed to detect or mcafee is false signals 🙄

You mentioned not using windows firewall but suggested like a hardware firewall is there any you would suggest. General consumer routers that we get from the ISP are pretty bad for blocking software. So if you could suggest some that would be great thanks

Does this affect people who use standard account with admin separated? Can this get past UAC?