Bundaburra

How to configure the Windows Firewall?


Now that the EIS firewall has gone and we are left to rely on the Windows Firewall, it would be nice to know how to configure it.  The Windows Firewall interface seems to be very complicated, with a myriad of different settings - some of which are difficult to understand.  It would be great if Emsisoft could provide a list of recommended settings, and how to use it.  In particular, how to configure inbound and outbound connections for maximum protection.


I would also like to know about this.

I knew that EIS was moving over to using the Windows Firewall, but I assumed EIS would provide an interface for it - something existing users are familiar with - rather than simply removing the Firewall from the list of Protection configuration options.

Is the latest version of EmsiSoft's product without firewall support?


Emsisoft can help on specific cases but not teach every Windows Firewall possibility. As for an Emsisoft interface for the Windows Firewall, they say no, but you can raise your voice if you want to pay for that.

6 hours ago, Bundaburra said:

Now that the EIS firewall has gone and we are left to rely on the Windows Firewall, it would be nice to know how to configure it.  The Windows Firewall interface seems to be very complicated, with a myriad of different settings - some of which are difficult to understand.  It would be great if Emsisoft could provide a list of recommended settings, and how to use it.  In particular, how to configure inbound and outbound connections for maximum protection.

We have noted your suggestion :) 

For your information, there isn't really a "maximum protection" with Windows Firewall like you have with 3rd party products; the "maximum" would be to block all inbound and outbound connections in all profiles and make Allow rules "on-the-fly"... which may be arduous for people not familiar with it.

Windows Firewall is already configured by default for most users (block inbound and allow outbound connections), so you have nothing particular to do unless you want to block legitimate and safe programs/processes from accessing the internet.

However, the latest version of Emsisoft Anti-Malware will prevent malicious programs from abusing the Windows Firewall (creating unwanted rules, etc...) via its Fortification feature.



I have Anti-Malware on four computers and am using Windows Firewall Control on each. It shows better info than the Windows firewall and gives easier control. I have them in 'learning' mode, but will change that when I feel the time is right. I purchased a key and the price is right for multiple computers. $10!



I don't understand why the default for all outbound connections is "allow". If there is a rogue program on my PC which wants to send out personal details, how does that work? Sure, the rogue program should not be there in the first place if EAM has done its job, but what if it is? I would have thought that when such a program attempts to send its data, I should see a message asking to allow or block, and the response would then become a rule for that program. I can't find anything like that in the Windows Firewall - am I missing something?

I have tried with all outbound connections blocked, in the expectation that when a legitimate program tries to connect, I would see a similar message, but no - the legitimate program just gets an error, such as "Socket error" or "cannot connect to server". So it appears to be all or nothing, which I am not too happy about. Advice would be welcomed.


37 minutes ago, Bundaburra said:

I don't understand why the default for all outbound connections is "allow". 

Hello, 

I guess because Windows always "assumed" that you install only safe programs. So if they were installed by you, that means you know they are safe (and at least did some research), hence no reason to block them from connecting to the internet (telemetry isn't considered as bad).

Quote

If there is a rogue program on my PC which wants to send out personal details, how does that work? Sure, the rogue program should not be there in the first place if EAM has done its job, but what if it is?

As you said, EAM should block them before they do any damage, and in case one manages to escape, Windows 10 has several built-in mechanisms implemented to check that malicious programs can't run on the system (Windows Defender that can be set as a periodic scan, SmartScreen, etc...).

 

Quote

I would have thought that when such a program attempts to send its data, I should see a message asking to allow or block, and the response would then become a rule for that program. I can't find anything like that in the Windows Firewall - am I missing something? I have tried with all outbound connections blocked, in the expectation that when a legitimate program tries to connect, I would see a similar message, but no - the legitimate program just gets an error, such as "Socket error" or "cannot connect to server". So it appears to be all or nothing, which I am not too happy about. Advice would be welcomed.

Indeed, Windows Firewall doesn't alert for outgoing connections, only for inbound ones, and if you set it to "Block", you will have to manually create "Allow" rules on the fly for every program that doesn't already have a rule.

Fortunately, several Windows Firewall "extensions" exist, like Binisoft Windows Firewall Control, that will ease the process by prompting you (only the donation version).


@Bundaburra - the situation is worse than that! For very many programs you install, at some point they'll check to see if an updated version of themselves exists. And if you allow that to occur, you grant them access to the internet. And they'll be allowed access to the internet whatever they're using that permission for, not necessarily just checking if a new version is available. Also, the 'allow' rule that gets created may allow all types of traffic when - strictly - it only needs e.g. HTTP...

So even someone who thinks they've set up allow rules carefully may in fact have granted significantly freer access than they thought.

One (paranoid?) way around this is to define a rule that's tightly specified for the type of access required, then disable it. And later on, enable it only just long enough for a program to do an 'update check' when you tell it to check, rather than when it decides to do it. Then disable the rule again. Or, never let programs have access to the internet - just check their author's website yourself every so often...

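The two approaches described in this thread, default-deny outbound in all profiles with Allow rules created as needed, and a tightly scoped rule that stays disabled except while a manual update check runs, can both be expressed with the built-in NetSecurity cmdlets. The script below is an added example and is not code from the thread, from Emsisoft or from Binisoft; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, and the rule name, program path and the `Invoke-WithTemporaryAllow` helper are placeholders chosen for illustration.

```powershell
# Added example (not from the thread): lock outbound by default, then scope a
# narrow, normally-disabled Allow rule for one program and open it only while
# a manual update check runs. Run from an elevated PowerShell (NetSecurity module).
# The rule name and program path are placeholders.

$ruleName    = 'Example - ProgramX update check (HTTPS only)'
$programPath = 'C:\Program Files\ProgramX\ProgramX.exe'   # placeholder path

# 1. Default-deny in every profile. Inbound is already Block by default; this
#    also turns outbound to Block, so only explicit Allow rules let traffic out.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Log dropped packets, so a program that "just gets an error" leaves a trace
#    you can review instead of failing silently.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. A tightly scoped rule: this binary only, TCP to remote port 443 only,
#    created in the disabled state so it grants nothing until you open it.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -Program $programPath -Protocol TCP -RemotePort 443 `
        -Action Allow -Profile Any -Enabled False | Out-Null
}

# 4. Open the window only for the duration of an action you start yourself,
#    and always close it again, even if the action fails.
function Invoke-WithTemporaryAllow {
    param(
        [Parameter(Mandatory)] [string]      $RuleName,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    Enable-NetFirewallRule -DisplayName $RuleName
    try {
        & $Action
    }
    finally {
        Disable-NetFirewallRule -DisplayName $RuleName
    }
}

# Example use: launch the program, wait until it exits, then re-close the rule.
Invoke-WithTemporaryAllow -RuleName $ruleName -Action {
    Start-Process -FilePath $programPath -Wait
}

# 5. Verify what is actually in effect rather than trusting the script ran.
Get-NetFirewallProfile |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction, LogBlocked
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

Two things to keep in mind when using this. Windows ships a set of predefined outbound Allow rules (the "Core Networking" group, covering DNS, DHCP and similar) that remain active after the default changes to Block, so basic name resolution keeps working; everything else without a rule fails with the kind of "cannot connect" error described earlier in the thread, with no prompt. And scoping the rule to a single program path plus TCP/443 is exactly what keeps an "update check" rule from quietly becoming blanket internet access for that program.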

This was my point about being able to control access. With the Emsisoft firewall known good programs were allowed access, or you could configure it to ask. No such luck with controlling the Windows Firewall. Much as I like Emsisoft's products (and I have been using them for many years), I think this is a step backwards. I have read the FAQ article, where it is stated that one of the disadvantages is the way the outbound rules function, and while EAM will detect tampering of the firewall, the outbound connection from a zero-day threat will not be stopped, which it would have been under previous versions because EIS would have displayed a notification that an unknown process was attempting to connect to xxx.


You can configure the Windows Firewall to disallow programs for which there are no specific allow rules from making access. With e.g. Binisoft's WFC you can get told it happened (as far as I understand this - it's the direction I'm going in, though I haven't set it up yet), and then investigate that, which is nearly as good though not as friendly as access being paused while you answer a question.

13 hours ago, Bundaburra said:

I don't understand why the default for all outbound connections is "allow".

That's generally done so that your computer doesn't break. Monitoring inbound traffic is generally more important for a firewall than monitoring outbound traffic.

Keep in mind that the Behavior Blocker in Emsisoft Anti-Malware does monitor for unknown programs trying to send data, and will block it (or quarantine the program in question) when a program's safety can't be established.


8 hours ago, GT500 said:

...

Keep in mind that the Behavior Blocker in Emsisoft Anti-Malware does monitor for unknown programs trying to send data, and will block it (or quarantine the program in question) when a program's safety can't be established.

Ah! Thanks. I think I must have been confused about how each operated. That's reassuring.


You're welcome.

Note that monitoring for outbound connections has been a feature of the Behavior Blocker in EAM for a long time, and the existence (and subsequent discontinuation of) EIS didn't change that. ;)


I'm sorry to be a pain, but further explanation is required. I have a legitimate program which uses an outbound connection - call it Program X. When I run X with outbound connections disabled in the Windows Firewall it will not connect and gets an error - no prompt or warning. So I re-enabled outbound connections and looked at how it works in the Behaviour Blocker, which appears in EAM under "Protection". Under "Protection", and then under the "Behaviour Blocker" tab, program X does not appear unless it is running at the time. When I exit from it, X disappears from the list. Under the "Application Rules" tab, X is not listed at all, even with fully trusted applications unhidden and with the program running, so there is evidently no Rule for it. The entry under "Behaviour Blocker", when X is running, shows "Monitored Yes" and "Reputation Unknown". If the reputation is unknown, should I be asked to allow it or not, thereby creating an Application Rule? That doesn't happen, it just runs and connects, even though its reputation is unknown. I assume that the monitoring would pick up any suspicious behaviour and then ask the question, but it seems strange for an "unknown" program.


I have decided to use the Binisoft WFC, in "Medium Filtering" mode, which bans all outward connections except for those which are specifically allowed. There's a bit of initial setting up, to allow programs such as Outlook, Firefox, EAM, but then it's just a matter of noting any failed connections and allowing them if they are OK, and keeping an eye on the log. Working well so far.


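With outbound blocked by default, "noting any failed connections" and "keeping an eye on the log" comes down to reading the firewall's dropped-packet log and spotting which destinations a program keeps trying to reach. The script below is an added example and not code from the thread or from Binisoft; it parses the Windows Firewall log format using the `#Fields:` header the log itself carries, so the column order is never assumed. The sample lines are constructed for the example, and the RFC 5737 addresses in them are not real destinations; replace `$sampleLog` with `Get-Content $logPath` to run it against the live file.

```powershell
# Added example (not from the thread): summarise dropped outbound connection
# attempts from the Windows Firewall log. The sample below is constructed to
# match the pfirewall.log layout; use the real file by reading $logPath instead.

$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Constructed sample in the pfirewall.log format (space separated, W3C-style header).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-10-06 17:47:01 DROP TCP 192.168.1.10 203.0.113.5 49812 443 52 S 123456 0 65535 - - - SEND
2017-10-06 17:47:03 DROP TCP 192.168.1.10 203.0.113.5 49813 443 52 S 123457 0 65535 - - - SEND
2017-10-06 17:47:10 DROP UDP 192.168.1.10 198.51.100.7 53111 1234 78 - - - - - - - SEND
2017-10-06 17:47:12 DROP TCP 198.51.100.9 192.168.1.10 40000 445 52 S 99 0 8192 - - - RECEIVE
2017-10-06 17:47:15 ALLOW TCP 192.168.1.10 203.0.113.20 49814 443 0 - 0 0 0 - - - SEND
'@

function ConvertFrom-FirewallLog {
    # Turn raw log lines into objects whose property names come from the
    # "#Fields:" header, so a layout change can't silently shift columns.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s+(.+)$') {
            $fields = $Matches[1] -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated or partial lines
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

function Get-DroppedOutbound {
    # Only DROP entries in the SEND direction matter for outbound review;
    # group them by destination so repeated attempts stand out.
    param([Parameter(Mandatory)] [string[]] $Lines)
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
        Group-Object -Property protocol, 'dst-ip', 'dst-port' |
        ForEach-Object {
            [pscustomobject]@{
                Protocol  = $_.Group[0].protocol
                DstIp     = $_.Group[0].'dst-ip'
                DstPort   = $_.Group[0].'dst-port'
                Attempts  = $_.Count
                FirstSeen = ($_.Group | Sort-Object date, time | Select-Object -First 1).time
            }
        } | Sort-Object Attempts -Descending
}

# Run against the constructed sample; swap in (Get-Content $logPath) for the live log.
$lines = $sampleLog -split "`r?`n"
Get-DroppedOutbound -Lines $lines | Format-Table -AutoSize
```

On the sample this reports two TCP/443 attempts to 203.0.113.5 and one UDP attempt to 198.51.100.7:1234; the inbound drop to port 445 and the allowed connection are filtered out. The log records addresses and ports but not the program name, so once a destination looks interesting the next step is matching it against the process that was running at that time, which is the gap the WFC prompts mentioned earlier in the thread fill.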
On 10/6/2017 at 5:47 PM, Bundaburra said:

Under "Protection", and then under the "Behaviour Blocker" tab, program X does not appear unless it is running at the time.

That is correct. It's basically a list of running processes, and whether or not they are monitored and whether or not they are verified to be safe.

 

On 10/6/2017 at 5:47 PM, Bundaburra said:

When I exit from it, X disappears from the list.  Under the "Application Rules" tab, X is not listed at all, even with fully trusted applications unhidden and with the program running, so there is evidently no Rule for it.

Rules are only created automatically when an unknown program tries to perform some sort of behavior that Emsisoft Anti-Malware monitors for, and only if you click a button in the notification to allow it. If there's no need for the Behavior Blocker to take an action other than the default action, then there's no need for an Application Rule.

 

On 10/6/2017 at 5:47 PM, Bundaburra said:

If the reputation is unknown, should I be asked to allow it or not, thereby creating an Application Rule?

Only if the application in question is unknown (and its safety can't be established either by its digital signature or by our Anti-Malware Network), and only if it performs some sort of behavior that Emsisoft Anti-Malware monitors for. If the program does nothing suspicious, then there's no need for protection to take any sort of action.

 

On 10/6/2017 at 5:47 PM, Bundaburra said:

... it just runs and connects, even though its reputation is unknown.  I assume that the monitoring would pick up any suspicious behaviour and then ask the question, but it seems strange for an "unknown" program.

If the program displays a UI when it opens a connection, then the Behavior Blocker wouldn't consider that suspicious.
